General Data Protection Regulation


Slide 1: General Data Protection Regulation
Sofie van der Meulen, Axon seminar, 21 February 2018
- Why and when
- GDPR Essentials
- Guidance
- Data Protection Officer
- Lead Authority
- Data Portability
- Data Protection Impact Assessment
- Prepare for the GDPR

Slide 2: Reasons for a new Privacy Regulation
- Digital society
- 1 European law
- 1995 European data protection directive
Autoriteit Persoonsgegevens

When does the GDPR take effect?
- 2012: EC first proposal GDPR
- May 2016: GDPR announcement
- May 2018: GDPR takes effect
- 2018: Dutch Implementation Act on GDPR

Slide 3: GDPR Essentials
- Privacy Rights
- Responsibilities
- Data Protection Authorities
- EDPB

Impact of GDPR for citizens
- Enhancement and expansion of privacy rights
- Consent
- Complaint at DPA

Slide 4: Rights of data subjects
- Transparent information in order to exercise rights
- Information prior to collection
- Right to access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Notification obligation after rectification, erasure, or restriction
- Data transfers

GDPR & personal data from children
- Special section
- Parental consent for children under 16
- Already required by the Data Protection Act
- Information

Slide 5: What the law means for organisations
- 1 law for the entire EU
- Responsibility and accountability
- Maintaining records of processing activities
- Data Protection Impact Assessment (DPIA)
- Data Protection Officer
- Tools

What the law means for the DPA
- Supervision and enforcement of the privacy laws
- Stronger competence to issue fines
- International cooperation
- Promote public awareness
- Inform organisations

Slide 6: Customer Contact Centre
Every person who has a question or a complaint about the processing of personal data can address the Data Protection Authority.
- Handle complaints on a large scale
- Better availability for (small) industries and companies
- (Additional) stimulus for data controllers to comply with the law

International cooperation DPAs
- 1 set of rules for the entire EU
- One-stop-shop, lead authority
- EDPB

Slide 7: Enforcement & fines
- Max. 10 million or 2% of worldwide annual revenue: obligations, responsibilities
- Max. 20 million or 4% of worldwide annual revenue: principles, legal grounds, rights

Data Protection Officer
Mandatory in 3 situations:
- Government and public organisations
- Special categories of personal data
- Monitoring

Slide 8: Data Protection Officer
- Not mandatory, still a DPO?
- Alternative for a DPO?
- Multiple organisations, 1 DPO?
- Required knowledge and capacities for a DPO?
- What is your responsibility?
- How does a DPO work independently?

Lead authority
- One-stop-shop
- Multiple establishments?
- Decisions on purpose and means for data processing are determined by the lead establishment
- Country of the lead establishment determines the lead authority
- Cooperation with other DPAs

Slide 9: Data portability
- Right to portability of personal data
- Right to request your personal data
- Store your own data or transfer them to another organisation
- What data? Which format?

Data Protection Impact Assessment
Mandatory for processes that result in a high privacy risk:
- Systematic and extensive evaluation of personal aspects
- Special categories of personal data on a large scale
- Systematic monitoring of publicly accessible area on a large scale

Slide 10: Data Protection Impact Assessment
- When? Who's involved? How? Publish? Prior consultation?

When to execute a DPIA
- Evaluation of personal aspects relating to natural persons
- Decisions based on automated processing
- Systematic monitoring on a large scale
- Special categories of personal data
- Data processing on a large scale
- Linked databases
- Data on vulnerable persons
- Use of new technologies
- Transfers of personal data outside the EU
- Obstruction of a right, service or contract

Slide 11: When not to execute a DPIA
- High privacy risk unlikely
- Prior DPIA done for the same process
- DPIA done with introduction of law

How can organisations prepare themselves
- Awareness
- DPO
- Rights of data subjects
- Obligation to report data breaches
- Record your data processing activities
- Contracts with processors
- DPIA
- Lead Authority
- Privacy by design & default
- Consent
