Posted: 13-Jan-2016
Hugh Jones, Sytorus
‘EU Data Protection Regulations: Future Challenges’
New Definitions
• Pseudonymised Data
• Profile
• Encryption
• Data Recipient
• Third Party
• Data Subject Consent
• Breach
• Genetic/Biometric Data
• Health Data
• Establishment
• Nominated Representative
• Child
Key Principles
• Selection (“One-stop Shop”)
• Accountability and Liability
• Data Processing must be:
  • Fair and Justifiable
  • Security
  • Portability and Accessibility
  • Specified and Lawful
  • Transparent and Explicit
  • Adequate and Relevant
• Specific Categories of Processing
Selection of Jurisdiction
• Referred-to as ‘The One-Stop Shop’
• Data Controller reports to the Statutory Authority where the Controller is established / operational
• Where Controller is active in several EU jurisdictions, they can indicate a preferred jurisdiction
• That authority will then be responsible for the Controller’s compliance
Accountability
• Role of Data Controller
  • Primary point of compliance
• Role of Data Processor
  • Mandatory contract in place
• Role of Data Protection Officer
  • Dedicated role within the organisation
  • Not necessarily an employee
• Individual accountability of Board members
Revision of Key Roles
• Must be able to demonstrate compliance processing
• Evidence of Privacy by Design or by Default
• Possibility of being a ‘Joint Controller’
• Obligations for non-EU based Data Controller
• Required clauses for Data Processor Contract
• Control over sub-contracting
Individual Liability under the Acts
• “Where an offence under this Act has been committed....
• by a body corporate
• and is proven to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of a person,
• being a director, manager, secretary or other officer of that body corporate,
• or a person who was purporting to act in any such capacity...
• that person, as well as the body corporate,
• shall be guilty of that offence and be liable to be proceeded against and punished accordingly”
Data Protection Officer (DPO)
The Controller or Processor must designate a Data Protection Officer under certain criteria:
• to monitor internal compliance with the Regulations
• where the processing is carried out in the public sector, or
• in the private sector by a large enterprise, or
• where the core activities of the controller require regular and systematic monitoring of Data Subjects, e.g. CCTV
• Governance of organisation’s data management
• Drafting of compliant data policies
• Influencing system and functional changes
• Currently an optional role
• May be mandatory in certain circumstances
Privacy Impact Assessment
• Where processing is likely to give rise to risk to the data
• Where relevant, involve the DPO
• Systematic evaluation of proposed processing
• Identification of risk
• Outline of the measures being taken to mitigate those risks
• Outline of structures and measures planned to achieve compliance
• Where substantial risk is identified, must check with the Supervisory Authority
Privacy Impact Assessment
1. Stakeholders, Entities & Systems
2. Identify Processes
3. Work flow analysis
4. Privacy Impact Assessment
5. Risk Analysis
6. Implementation
Fair and Justifiable
• Fair Processing Notice
• Reference to Lawful Processing Conditions
• Additional considerations for Sensitive Personal Data
• Burden of Justification rests with Data Controller
• Not about the data the Subject is willing to disclose
• Assumption that consent is necessary
• Distinction between Mandatory and Optional fields
• Reminder of Data Subject Rights
  • To opt out from marketing
  • To object to processing
  • To have data rectified or removed
  • “Right to be Forgotten”
Retention Considerations
Knowing the useful life of your data
The point of minimum economic value
Appropriate and cost-effective storage
Appropriate and verifiable destruction
Business need v. regulatory obligation
Operational v. Historical value
Proportional storage solutions
Efficient retrieval procedures
Appropriate data catalogues
Secure Processing
• Prevention of unauthorised access or modification
• Prevention of unlawful disclosure or loss
• Proportional solutions based on ‘nature, scope, context and purpose’
• Overseas Transfer
  • ‘Second’ Countries (30 currently)
  • ‘Safe’ Countries (10 currently)
  • ‘Safe Harbor’ – currently under fire!
  • Adequacy Criteria
  • Binding Corporate Rules
  • Model Contracts
Data Security Considerations
• Data Security Policy
• Organisation of Information Security
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Appropriate Access Controls
• Information Security Incident Management
• Business Continuity Management
• Compliance
Data Portability & Accessibility
• Data Subject has the right of access to their data
• Data to be managed in a way that allows collation
• On request, data to be ‘packaged’ for transport
• May be sent to a competitor or alternative service provider
• Data Controller cannot object to the request
• Manage the data in a way to enable efficient collation
• Data can be retained by the original Controller, if justified
Specified and Lawful
• Appropriate notification
  • Identification of Controller
  • Outline of intended processing
  • Identification of Processors
  • Any other information to make the processing fair
• Profiling
• Automated Processing
• Segmentation
• Big Data opportunities
Transparent and Explicit
• No obligation to register as DC or DP
• Proactive assessment of processing
• Logging and recording of incidents
• Notification of processing in some circumstances
  • Controller obligation to maintain log of processing
  • Processor obligation to maintain log of processing
  • Identification of categories of data being processed
  • Identification of categories of processors to be engaged
  • Envisaged time limit for retention
• Breach Notification
  • Within 72 hours of becoming known
  • Describe implications, measures taken to prevent recurrence
  • Outline steps taken to minimise impact on Data Subject
Adequate and Relevant
Adequacy Criteria include:
• Rule of Law – is the processing legitimate?
• Necessity – is the processing necessary?
• Security – what security measures are in place?
• Appropriateness – is the processing compatible with the purpose?
• Alignment – will the processing enable the stated objective?
• Adequate – will the processing achieve the objective on its own?
• Alternatives – could the same objective be achieved by other means?
Offences under the GDPR
Failure to meet time-line for response to Subject Access Request
Provision of false or inadequate information to the Statutory Authority
Failure to respect individual Rights – rectification, erasure, opt out, etc.
Failure to comply with a formal Notice from the Statutory Authority
Failure to notify the Statutory Authority of a Data Breach
Failure to appoint a Data Protection Officer, if required
Failure to carry out a Privacy Impact Assessment
Failure to maintain appropriate logs and documentation (PIA, etc.)
Inability to adequately demonstrate the compliance of data processing
Disclosure of personal data which was obtained without authority
Inappropriate engagement of a Data Processor (e.g. no contract in place)
Enforcement of legislation
• Formal notices
  • Information
  • Enforcement
  • Prohibition
• Evidence of compliance effort?
• Negotiated Resolution v Prosecution
• Reputational damage of a breach
• Cost of recovery of market share, good will, trust
Specific Situations of Data Processing
• Reconciliation of conflict between GDPR and national legislation
• Publication of data in public files
• Re-Use of public sector information
• Use of PPSN
• Health and Genetic data – awaiting clarification
• Processing for Employment – e.g. Danish guidelines (Jan 2015)
• Processing for Social Protection
• Processing for Statistics, Archives, Historical records
• Processing for Church and Religious organisations
• Secrecy Obligations due to other legislative commitments
Timeline for Deployment (anticipated)
• Mid-September to mid-October 2013: Orientation vote in LIBE Committee
• Autumn 2013 (depending on progress in the Council of Ministers)
• Negotiations between European Parliament, Council and Commission (the Trilogue)
• Finalisation of new wording – end-2015 (Luxembourg EU Presidency)
• Expected formal adoption by Trilogue in early 2016
• Deployment and enforcement end-2017 / early-2018.
So why comply with the GDPR?
• ‘It’s the law of the EEA’
• Protection of brand from negative publicity
• Avoid risk to reputation from prosecution
• Protection of trust
  • Employees
  • Suppliers
  • Customers
• Enables better decision-making
• Makes good business sense
• Delivers business value
Sytorus Ltd. – who we are
• Data Protection Consultancy and Advice
• Training for DPOs
• Privacy Impact Assessments
• DP Executive Assessments
• Interim Data Protection Officer
• Liaison with Office of the DP Statutory Authority
• Free, 30-day trial of our online Knowledge Base!
• www.PrivacyEngine.io
Questions