. Hugh Jones Sytorus ‘EU Data Protection Regulations Future Challenges’

Date post: 13-Jan-2016
Page 1

Page 2

Hugh Jones, Sytorus

‘EU Data Protection Regulations: Future Challenges’

Page 3

New Definitions

• Pseudonymised Data

• Profile

• Encryption

• Data Recipient

• Third Party

• Data Subject Consent

• Breach

• Genetic/Biometric Data

• Health Data

• Establishment

• Nominated Representative

• Child

Page 4

Key Principles

• Selection (“One-stop Shop”)

• Accountability and Liability

• Data Processing must be:
  • Fair and Justifiable
  • Security
  • Portability and Accessibility
  • Specified and Lawful
  • Transparent and Explicit
  • Adequate and Relevant

• Specific Categories of Processing

Page 5

Selection of Jurisdiction

• Referred to as ‘The One-Stop Shop’

• Data Controller reports to the Statutory Authority where the Controller is established / operational

• Where Controller is active in several EU jurisdictions, they can indicate a preferred jurisdiction

• That authority will then be responsible for the Controller’s compliance

Page 6

Accountability

• Role of Data Controller
  • Primary point of compliance

• Role of Data Processor
  • Mandatory contract in place

• Role of Data Protection Officer
  • Dedicated role within the organisation
  • Not necessarily an employee

• Individual accountability of Board members

Page 7

Revision of Key Roles

• Must be able to demonstrate compliance processing

• Evidence of Privacy by Design or by Default

• Possibility of being a ‘Joint Controller’

• Obligations for non-EU based Data Controller

• Required clauses for Data Processor Contract

• Control over sub-contracting

Page 8

Individual Liability under the Acts

• “Where an offence under this Act has been committed....

• by a body corporate

• and is proven to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of a person,

• being a director, manager, secretary or other officer of that body corporate,

• or a person who was purporting to act in any such capacity...

• that person, as well as the body corporate,

• shall be guilty of that offence and be liable to be proceeded against and punished accordingly”

Page 9

Data Protection Officer (DPO)

The Controller or Processor must designate a Data Protection Officer under certain criteria:

• to monitor internal compliance with the Regulations

• where the processing is carried out in the public sector, or

• in the private sector by a large enterprise, or

• where the core activities of the controller require regular and systematic monitoring of Data Subjects, e.g. CCTV

• Governance of the organisation’s data management

• Drafting of compliant data policies

• Influencing system and functional changes

• Currently an optional role

• May be mandatory in certain circumstances

Page 10

Privacy Impact Assessment

• Where processing is likely to give rise to risk to the data

• Where relevant, involve the DPO

• Systematic evaluation of proposed processing

• Identification of risk

• Outline of the measures being taken to mitigate those risks

• Outline of structures and measures planned to achieve compliance

• Where substantial risk is identified, must check with the Supervisory Authority

Page 11

Privacy Impact Assessment

1. Stakeholders, Entities & Systems

2. Identify Processes

3. Work flow analysis

4. Privacy Impact Assessment

5. Risk Analysis

6. Implementation

Page 12

Fair and Justifiable

• Fair Processing Notice

• Reference to Lawful Processing Conditions

• Additional considerations for Sensitive Personal Data

• Burden of Justification rests with Data Controller

• Not about the data the Subject is willing to disclose

• Assumption that consent is necessary

• Distinction between Mandatory and Optional fields

• Reminder of Data Subject Rights

  • To opt out from marketing
  • To object to processing
  • To have data rectified or removed
  • “Right to be Forgotten”

Page 13

Retention Considerations

• Knowing the useful life of your data

• The point of minimum economic value

• Appropriate and cost-effective storage

• Appropriate and verifiable destruction

• Business need v. regulatory obligation

• Operational v. Historical value

• Proportional storage solutions

• Efficient retrieval procedures

• Appropriate data catalogues

Page 14

Secure Processing

• Prevention of unauthorised access or modification

• Prevention of unlawful disclosure or loss

• Proportional solutions based on ‘nature, scope, context and purpose’

• Overseas Transfer
  • ‘Second’ Countries (30 currently)
  • ‘Safe’ Countries (10 currently)
  • ‘Safe Harbor’ – currently under fire!
  • Adequacy Criteria
  • Binding Corporate Rules
  • Model Contracts

Page 15

Data Security Considerations

• Data Security Policy

• Organisation of Information Security

• Human Resources Security

• Physical and Environmental Security

• Communications and Operations Management

• Appropriate Access Controls

• Information Security Incident Management

• Business Continuity Management

• Compliance

Page 16

Data Portability & Accessibility

• Data Subject has the right of access to their data

• Data to be managed in a way that allows collation

• On request, data to be ‘packaged’ for transport

• May be sent to a competitor or alternative service provider

• Data Controller cannot object to the request

• Manage the data in a way to enable efficient collation

• Data can be retained by the original Controller, if justified

Page 17

Specified and Lawful

• Appropriate notification
  • Identification of Controller
  • Outline of intended processing
  • Identification of Processors
  • Any other information to make the processing fair

• Profiling

• Automated Processing

• Segmentation

• Big Data opportunities

Page 18

Transparent and Explicit

• No obligation to register as DC or DP

• Proactive assessment of processing

• Logging and recording of incidents

• Notification of processing in some circumstances
  • Controller obligation to maintain log of processing
  • Processor obligation to maintain log of processing
  • Identification of categories of data being processed
  • Identification of categories of processors to be engaged
  • Envisaged time limit for retention

• Breach Notification
  • Within 72 hours of becoming known
  • Describe implications, measures taken to prevent recurrence
  • Outline steps taken to minimise impact on Data Subject

Page 19

Adequate and Relevant

Adequacy Criteria include:

• Rule of Law – is the processing legitimate?

• Necessity – is the processing necessary?

• Security – what security measures are in place?

• Appropriateness – is the processing compatible with the purpose?

• Alignment – will the processing enable the stated objective?

• Adequate – will the processing achieve the objective on its own?

• Alternatives – could the same objective be achieved by other means?

Page 20

Offences under the GDPR

• Failure to meet the time-line for response to a Subject Access Request

• Provision of false or inadequate information to the Statutory Authority

• Failure to respect individual Rights – rectification, erasure, opt out, etc.

• Failure to comply with a formal Notice from the Statutory Authority

• Failure to notify the Statutory Authority of a Data Breach

• Failure to appoint a Data Protection Officer, if required

• Failure to carry out a Privacy Impact Assessment

• Failure to maintain appropriate logs and documentation (PIA, etc.)

• Inability to adequately demonstrate the compliance of data processing

• Disclosure of personal data which was obtained without authority

• Inappropriate engagement of a Data Processor (e.g. no contract in place)

Page 21

Enforcement of legislation

• Formal notices
  • Information
  • Enforcement
  • Prohibition

• Evidence of compliance effort?

• Negotiated Resolution v Prosecution

• Reputational damage of a breach

• Cost of recovery of market share, good will, trust

Page 22

Specific Situations of Data Processing

• Reconciliation of conflict between GDPR and national legislation

• Publication of data in public files

• Re-Use of public sector information

• Use of PPSN

• Health and Genetic data – awaiting clarification

• Processing for Employment – e.g. Danish guidelines (Jan 2015)

• Processing for Social Protection

• Processing for Statistics, Archives, Historical records

• Processing for Church and Religious organisations

• Secrecy Obligations due to other legislative commitments

Page 23

Timeline for Deployment (anticipated)

• Mid-September to mid-October 2013: Orientation vote in LIBE Committee

• Autumn 2013 (depending on progress in the Council of Ministers)

• Negotiations between European Parliament, Council and Commission (the Trilogue)

• Finalisation of new wording – end-2015 (Luxembourg EU Presidency)

• Expected formal adoption by Trilogue in early 2016

• Deployment and enforcement end-2017 / early-2018.

Page 24

So why comply with the GDPR?

• ‘It’s the law of the EEA’

• Protection of brand from negative publicity

• Avoid risk to reputation from prosecution

• Protection of trust
  • Employees
  • Suppliers
  • Customers

• Enables better decision-making

• Makes good business sense

• Delivers business value

Page 25

Sytorus Ltd. – who we are

• Data Protection Consultancy and Advice

• Training for DPOs

• Privacy Impact Assessments

• DP Executive Assessments

• Interim Data Protection Officer

• Liaison with Office of the DP Statutory Authority

• Free, 30-day trial of our online Knowledge Base!

• www.PrivacyEngine.io

Page 26

Questions

