
Date post: 14-Apr-2020
Page 1: What in the World is GDPR?2l7etx182yst16vke81s867y-wpengine.netdna-ssl.com/wp...Imran Ahmad • Imran Ahmad is a partner at Miller Thomson LLP and specializes in the areas of cybersecurity,

What in the World is GDPR?

Imran Ahmad, Partner

Miller Thomson LLP

Email: [email protected]


Imran Ahmad

• Imran Ahmad is a partner at Miller Thomson LLP and specializes in the areas of cybersecurity, technology and privacy law.

• Works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches.

• Adjunct Professor of Cybersecurity Law at University of Toronto

• Author of Canada’s first legal incident preparation and response handbook titled A Handbook to Cyber Law in Canada (published in August 2017 by LexisNexis).


Glossary

• Data Controller: A person or body, alone or jointly, which determines the purposes and means of processing personal data.

• Data Processor: An entity which processes the data on behalf of the controller.

• Data Subject: Natural person who can be identified or is identifiable, directly or indirectly.

• DPO: Data Protection Officer.

• Personal Data: Any information relating to an identified / identifiable natural person, a “data subject”.

• Supervisory Authority: National data protection authorities, empowered to enforce the GDPR in their own member state.


Roles – Controller vs Processor

Controller

• Says how and why personal data is processed

• Collects personal data

• Overall control of personal data

• Required to ensure that contracts with processors comply with GDPR

• Retains overall accountability for processing activities

Processor

• Acts on controller’s behalf

• Required to maintain records of personal data and processing activities

• Conducts PIA in its service offering (which will be reviewed and monitored by Controller)


Enforcement

Individuals

• Lodge complaint against Controller or Processor for non-compliance

• Right to a judicial remedy where the Supervisory Authority fails to deal with the complaint

• Right to compensation from relevant Controller or Processor for damages

• Potential for claim for non-pecuniary loss (e.g., distress)

• Potential class action exposure

Administrative fines

• Tiered approach:

- Fines of up to €10,000,000 (or 2% of global turnover, whichever is higher); and

- Fines of up to €20,000,000 (or 4% of global turnover, whichever is higher).

Other

• Supervisory Authorities have other enforcement powers:

- Demand information from Controller or Processor

- Conduct data protection audits

- Issue warnings, compliance orders, temporary bans on processing, etc.


GDPR – In a Nutshell


GDPR – Extra-Territorial

• EU established

• Non-EU established if:

- Offering goods and services within the EU; or

- Monitoring behavior of EU data subjects

• Transfers of data outside the EU

- EU approved “adequacy” list

- EU-US Privacy Shield

• Key is to know exactly where your data is collected, transferred and stored

Source: AdProfs, available online at: <http://adprofs.co/beginners-guide-to-gdpr/>


Operational Considerations

1. Accountability

2. Privacy Structure – Data Protection Officer

3. Registers and Records

4. Legal Basis, Consent and Re-consenting*

5. Transparency

6. Information Rights Management

7. Third Party Risk Management*

8. Maintaining Business Effectiveness

9. Cross Border Data Transfers

10. Programme Delivery


Consent – Legal Requirements

Six (6) lawful bases for processing:

1. Consent

2. Performance of a contract

3. Compliance with a legal obligation

4. Vital interests of the data subject or another person

5. Performance of a task in the public interest or official authority of the controller (not open to most private companies)

6. Legitimate interests of the controller or a third party (not open to public authorities)


Consent – Legal Basis

• Selection of an appropriate legal basis is a critical business decision

- If the decision is found to be incorrect then the organisation may have to suspend processing or destroy data if a valid legal basis cannot be established

• Consent is invalid if there is an overriding legal basis

- e.g. If a contract exists between controller and subject for the purpose of processing, then there's no point in asking for consent

- "Please can we have your consent to process your data to send you your goods?”

• Consent is also invalid if asked for and withheld – no second attempts!

• Try to find another legal basis first (and if it exists, it may negate the use of consent)


Accountability

✓ Commitment

✓ Leadership

✓ Committee

Governance

✓ Roles/Responsibility

✓ Confirm DPO Needs

✓ Governance

✓ Document*

Awareness / Assessment

✓ Educate

✓ Training

✓ Assess PII

✓ Locate

✓ Data Map

✓ Assess the Gaps

Data Security

✓ Data Control

✓ Data Preservation

✓ Data Destruction

✓ Policies/Procedures

✓ Document*

Compliance

✓ Data Subject Access Requests (DSAR)

✓ Update Privacy Notices

✓ Data Breach Response Plan

✓ Establish deliverables (quarterly) & ongoing evaluations/audit

*GOAL is data minimisation


Questions?
