New General Data Protection Regulation - an introduction

Transcription

1 New General Data Protection Regulation - an introduction Netnod spring meeting 2017 Johan Hübner, Partner, Advokat Erika Hammar, Associate

2 Agenda Background Why you need to care about the new data privacy regulation (GDPR) New sanctions What to consider in relation to the cloud What to do to be compliant? New Data Protection Regulation - why do I have to care? 2

3 Background - So what s new?

4 Today: The Personal Data Act (PDA) and the Data Protection Directive Protection of privacy In practice few sanctions for breaching the legislation common with violations National law based on the Data Protection Directive (95/46) Other legislation precedes the PDA Goodwill New Data Protection Regulation - why do I have to care? 4

5 New EU Regulation (GDPR) Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data Direct applicable regulation replacing the PDA and corresponding laws throughout the EU Objective: Ensure a high level of protection of personal data Freedom of trade within the EU The new rules will apply from May 2018 Detailed guidelines yet to be issued New Data Protection Regulation - why do I have to care? 5

6 The Regulation in short One Regulation to rule them all The principles are based on current law, but also a large number of news There are some possibilities for discrepancies in national law, but only from certain rules Uniform interpretation throughout the EU One Stop Shop - One supervisory authority - in the country with the main establishment Applies to all processing of data New Data Protection Regulation - why do I have to care? 6

7 Whatis personal data? Personal data Any information relating to an identified or identifiable natural person who could be identified directly or indirectly (note: sensitive data) Is this personal data? (an IPv4 address) A picture: New Data Protection Regulation - why do I have to care? 7

8 Definition of processing The definition of processing is wide and includes any operation performed on personal data Examples Collection Registration Storage Processing Disclosure by transfer, dissemination or other provision of data Compilations or joint processing New Data Protection Regulation - why do I have to care? 8

9 Fundamental principles basic requirements on the services used Lawfulness, fairness and transparency Data may only be processed with regard to specified, explicit and legitimate purposes Data minimisation Accuracy Storage limitation Integrity and confidentiality New Data Protection Regulation - why do I have to care? 9

10 When is processing permitted? Processing is lawful only when 1. Informed consent 2. Necessary for the performance of a contract to which the data subject is party 3. Necessary for compliance with a legal obligation 4. Necessary in order to protect the vital interests of the data subject 5. Necessary for the performance of a task carried out in the public interest or 6. Legitimate interests when not overridden by the interests of the individual New Data Protection Regulation - why do I have to care? 10

11 Consent Freely given, specific, informed and unambiguous indication May be verbally or in writing Request for written consent shall be: presented in a manner which is clearly distinguishable from the other matters in an intelligible and easily accessible form using clear and plain language Separate consent given to different personal data processing purposes? Freely given? Consideration of an agreement conditional upon consent, even though this is not necessary for the implementation of the agreement Note: new rules for consent for persons years old New Data Protection Regulation - why do I have to care? 11

12 Ok, but why do I have to care? Because it may be very expensive to break the rules

13 Administrative fines 1: Up to EUR, or up to 2 % of the total worldwide annual turnover Age requirement Security requirement, privacy by design A great many other rules 2: Up to EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover Breach of fundamental principles, such as storing data for too long Handling data without legal ground Incorrect consent Breach of rules regarding sensitive data, etc. Rights of the registered, such as information Illegal transfer of data outside the EU New Data Protection Regulation - why do I have to care? 13

14 Other sanctions The right for individuals to claim damages and penalties will be stipulated by each member state Warning, reprimand or order Restriction or prohibition Member states shall establish sanctions for infringements which are not subject to fines and ensure that they are implemented New Data Protection Regulation - why do I have to care? 14

15 Ok now you got my attention What do I need to consider?

16 Controller The person who alone or together with others determines the purposes and means of the processing of personal data Is always the responsible for compliance with the law Thus, you are the one responsible for e.g. that the IT systems you use (including any cloud services) meet the legal requirements (not the supplier) New Data Protection Regulation - why do I have to care? 16

17 Processor A natural or legal person which processes personal data on behalf of the controller For example if a cloud service provider is granted access to or otherwise processes your personal data New Data Protection Regulation - why do I have to care? 17

18 Requirements for data processor agreements Identify controller + processor In some cases both parties are each other s controller and processor Increased requirements (such as audit) - must be fulfilled in your agreement! Data processor agreement Controller Processor Individual New Data Protection Regulation - why do I have to care? 18

19 EU you said, but I have a global approach what applies to me? The legislation may not be circumvented by transferring data outside EU Knowledge on where processing is carried out Does a certain service transfer data to countries which are not permitted (backup, redundancy etc)? New Data Protection Regulation - why do I have to care? 19

20 Information requirements Information Privacy policy/information to customers and employees More extensive information - update privacy policies Different requirements depending on whether the data collected from the data subject itself or not Access to personal data Upon request, provide information (abstract from a register) within one month New Data Protection Regulation - why do I have to care? 20

21 Security requirements Companies shall implement appropriate technical and organisational measures to ensure an appropriate level of security May involve: encryption of personal data continuous control of the systems that process the data and a system for testing the effectiveness of measures for ensuring the security of the processing Where proportionate in relation to processing activities, the measures shall include appropriate data protection policies Explicit requirement to ensure appropriate security of the personal data against unauthorised or unlawful processing and against accidental loss New Data Protection Regulation - why do I have to care? 21

22 Privacy by design Ensure that the period for which the personal data are stored is limited to a strict minimum ( storage limitation ) Transparency facilitate information to data subjects privacy by default Use of personal data should be limited to what is necessary for the purposes for which they are processed Infrastructure to enable access to, correction and deletion of personal data New Data Protection Regulation - why do I have to care? 22

23 Right to be forgotten Maximising the volume of stored personal data Requirement for deletion - if no legitimate basis for continued processing exists Delete my data NO Legitimate basis to keep the data? YES DELETE KEEP New Data Protection Regulation - why do I have to care? 23

24 Act fast if there s a data breach Inform about personal data breach without undue delay Notify the supervisory authority General rule: no later than 72 hours after having become aware of the breach Notify every data subject If it is likely to result in a high risk to the rights and freedoms of natural persons Exception, e.g. if there is a system to prove that the lost data has been made unintelligible to unauthorised, such as encryption Disproportionate effort: public communication instead Organisations need to strengthen their security measures New Data Protection Regulation - why do I have to care? 24

25 OK, I care what to do?

26 Practical changes Privacy is a question for top management More important to comply with the law Not just bad will but also a greater risk of fines/damages and risk having to erase data Increased focus on preventive actions Compliance program is required Systems and databases may be illegal Data must be deleted Budget for privacy is necessary New Data Protection Regulation - why do I have to care? 26

27 How can we prepare? Learn! Apply! Comply! Compliance project Review of records, registers, etc. Updating of documents, consents, information documentation, processor agreements contracts, etc. Start applying Privacy by design Impose requirements on cloud suppliers when entering into new cloud agreements Review and if necessary adjust current cloud agreements New Data Protection Regulation - why do I have to care? 27

28 Johan Hübner Partner/Advokat Mobil +46 (0) Erika Hammar Associate Mobil +46 (0) Advokatfirman Delphi Mäster Samuelsgatan 17 / Box 1432 / Stockholm / Sweden Tel: / New Data Protection Regulation - why do I have to care? 28

29