with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

Transcription

1 with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting tel Gent, 3 October 2017

2 4 facts 1. We are not really in control of our personal data 2. Our personal data are not properly and securely protected 3. In 2009, Mr Barroso launched the EU Agenda DIGITAL 2020 : to make Europe the center of excellence of Inmation Technologies in This plan requires an efficient and effective control of the personal data. 4. Our society has considerably evolved since the Data Protection Directive (1995)!

3 AS IS TO BE DPD 95/46 In 1995, the EU Dataissued the Data Protection Directive 95/46 (DPD) Protection Directive (1995) of excellence of Inmation Technologies (Agenda DIGITAL 2020). This implies an efficient and effective control of the personal data.

4 Processing Request Request Advice Supervisory Authority GDPR Basic Components and Interactions Data Subject Data Controller Data Processor Personal Data Processing Data (sub)processor

5 Personal Data Article 4 - Definitions (1) personal data means any inmation relating to an identified or identifiable natural person ('data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

6 Data Controller Article 4 - Definitions (7) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data...

7 Processing Article 4 - Definitions (2) processing means any operation or set of operations which is permed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

8 Data Controller Data Processor Article 4 - Definitions (7) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (8) Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

9 Processing Request Request Advice Supervisory Authority GDPR Basic Components and Interactions Data Subject Data Controller Data Processor Personal Data Processing Data (sub)processor

10 Processing Request Request Advice Supervisory Authority GDPR Basic Components and Interactions Data Subject Data Controller Breach Breach Data Processor Breach Breach Breach Personal Data Processing Breach Data (sub)processor

11 IT Governance Ltd

12 NO The GDPR does not apply Does one of the exemptions from EU law apply? Does the processing relate to criminal investigation or relate to EU eign and security policy? Is it purely personal or household activity? Are you established in the EU, and is data processed in the context of that establishment? Are you offering goods or services in the EU? Are you monitoring behaviour of EU residents? Does EU law apply under public international law? YES The GDPR applies From A Guide by Mason Hayes & Curran

13 Breach Sanctions, Remedies, Liabilities Administrative fines 10M or 2% 20M or 4% Conditions obtaining a child's consent Processing which does not require identification Data Protection by design and default obligations Designating a representative in the State where the controller is not established in the EU Obligations of processors Instructions of a controller or processor Records of processing Cooperation with the supervisory authority Security measures Notification of a personal data breach to the supervisory authority Communication of a personal data breach to the data subject Conducting PIAs and prior consultation Designation, position and tasks of the DPO Monitoring of approved codes of conduct Certification mechanisms The core Data Protection principles The lawful processing conditions The conditions consent The sensitive personal data processing conditions Data subjects' rights (including inmation, access, rectification, erasure, restriction of processing, data portability, objection, profiling) Transfer of data to third countries Failure to provide access to premises of a controller or processor Compliance with a specific order or limitation on processing or the suspension of data flows by the supervisory authority Obligations adopted under Member State law in regard to specific processing situations

14 Personal Data Article 4 - Definitions (1) personal data means any inmation relating to an identified or identifiable natural person ('data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

15

16 Personal Rights to Personal Data Stored in Repository Article 17 - Right to erasure ('right to be gotten') 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a. the personal data is no longer necessary in relation to the purpose which it was originally collected/processed b. the individual withdraws consent and there is no other legal ground the processing c. the individual objects to the processing and there is no overriding legitimate interest continuing the processing d. the personal data was unlawfully processed Etc...

17 Personal Data Breach Article 4 - Definitions (12) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; Recitals (86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. (87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inm promptly the supervisory authority and the data subject.

18 DPO - Data Protection Officer Article 39 Tasks of the data protection officer From A Guide by Mason Hayes & Curran 1. The data protection officer shall have at least the following tasks: (a) to inm and advise the controller or the processor and the employees who carry out processing of their obligations (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits (c) to provide advice where requested as regards the data protection impact assessment and monitor its permance (d) to cooperate with the supervisory authority (e) to act as the contact point the supervisory authority on issues relating to processing,, and to consult, where appropriate, with regard to any other matter.

19 Privacy Impact Analysis (PIA/DPIA) Article 35 Data protection impact assessment 1. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. 2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

20

21 Personal Data Processing Principles Article 25 Data protection by design and by default Privacy by Design requires organisations to consider privacy measures during product design processes, while Privacy by Default requires controllers to ensure that, by default, only necessary data is processed. 1. the controller shall, both at the time of the determination of the means processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing 2. The controller shall implement appropriate technical and organisational measures ensuring that, by default, only personal data which are necessary each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

22 GDPR Agenda AGENDA Introduction and Scope The GDPR 0. Personal Data 1. Personal Rights to Personal data 2. Processing Personal Data 3. Organization, principles & Rules 4. Supervisory Authority Workgroup sessions

23 GDPR Agenda AGENDA Introduction The GDPR 0. Personal Data 1. Personal Rights to Personal data 2. Processing Personal Data 3. Organization, principles & Rules 4. Supervisory Authority Workgroup sessions

24

25 Data Controller Controllers have specific responsibility : carrying out data protection impact assessments when the type of processing is likely to result in a high risk to the rights and freedoms of natural persons and implementing appropriate technical safeguards assuring the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities duties to the supervisory authority, such as data breach notification and consultation prior to processing documenting personal data breaches, including the facts of the breach, its effects, and remedial actions demonstrating their compliance with the Regulation by adhering to codes of conduct and certifications that were approved by DPAs consider carrying out a data protection impact assessment prior to selecting a processor.

26 Data Processor Processors have specific responsibility (primarily to controllers) : processing data only as instructed by controllers using appropriate technical and organisational measures to comply with the GDPR deleting or returning data to the controller once processing is complete submitting to specific conditions engaging other processors

27

28 GDPR Agenda AGENDA Introduction The GDPR 0. Personal Data 1. Personal Rights to Personal data 2. Processing Personal Data 3. Organization, principles & Rules 4. Supervisory Authority Workgroup sessions

29

30

31 GDPR Agenda AGENDA Introduction and Scope The GDPR 0. Personal Data 1. Personal Rights to Personal data 2. Processing Personal Data 3. Organization, principles & Rules 4. Supervisory Authority Workgroup sessions

32

33 Which Way to GDPR? Follow the Guide! To the workshops GDPR General Website :// Text (in all languages All rights reserved quick 2017 access) - DACOTA : Consulting - Commercial in Confidence 33

34 Some GDPR Issues Business Analysts 1. What Personal Data do we have and where is it located? Who has access, when and how? Can / Do we track these accesses? Keep up-to-date? 2. Categorization of the Personal Data : basic, transactional, sensitive, audio, video, etc. 3. Monitor, Control and Manage the user access to Personal Data (IAM) 4. Consent acquisition, recording, and limiting Data storage providing Personal Data (in portable mat) 5. Erasure : What? When? How? Where? 6. Understanding and following nothing but the «Documented Instructions» of the Data Controller 7. Keeping «Records of (Categories of) Processing Activities» 8. Protection by Design / Default : with what Method? 9. Risk Impact Assessment : what is at risk? What are the threats, the risks? How to assess the risks? For each area, what is an acceptable level of risk? 10. Breach : Detection / Qualification (incident or breach?) / Notification / bee-during-after 11. Internal Organization : New Teams and revised Policies and Processes 12. «Appropriate technical and organizational measures» : what are they? How to apply them? How to provide evidence? 13. Cross-border transfers