Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance


2 Agenda What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance

3 What is the GDPR? The General Data Protection Regulation (GDPR) is a European-wide regulation that was approved by the European Commission in May of 2016 and goes into full effect on May 25th, 2018. Currently we are in the transition period, the two-year window to make the necessary changes to achieve compliance. As of May 25, 2018 the regulation becomes law (full effect), and any organization not in full compliance with the Regulation by this date faces heavy fines and sanctions.

4 Who does the GDPR apply to? The GDPR applies both to companies based in the EU and to companies worldwide that offer goods and services to people based in the EU or monitor the behaviour of individuals within it.

5 What are the implications of not being compliant with the GDPR? Failure to be in compliance can result in fines which are the GREATER OF €20 million or 4% of an undertaking's worldwide turnover.

6 The Road to GDPR Compliance
- Review & Document Data Processing Activities and Security Measures
- Create and Execute a GDPR Compliance Roadmap
- Create Data Protection Impact Assessments
- Review and Amend Existing Vendor Contracts & Privacy Policies
- Do you need a Data Protection Officer (DPO)? DPO responsibilities
- One-Stop-Shop
- Inform, Stay Informed & Enforce

7 Review & Document Data Processing Activities
- Review and document ALL data processing activities, identifying the what, where, when and why (this includes the processing of client and employee data).
- Review and document the expected consequences of each process: conduct a risk analysis for each process.
Tip: Bring together different departments of your company to ensure all data processing activities are covered.

8 Review & Document Data Processing Activities Questions to help in this process:
- What information is given before the collecting and processing of data?
- Whose data are you processing, what is it, where is it processed, when is it processed, why is it processed?
- Do you have a legal basis for processing data, and is it in accordance with the data processing principles?
- What data is anonymised, what data is pseudonymised?
- How long are you storing the data?
- Who do you share the data with?
- What is the risk level for each process?
- In which cases is your business a controller, a processor or a joint controller?
- Are you processing what ANY member state would consider personal data (e.g. IP address, UDID, cookie, any online identifier)?
- Is the processing of data for security reasons? (document specifics)
- Are you currently receiving or sending consent signals along to your processors and other third parties?
Note: Consider that any personal data stored or sent outside of the EU needs to follow the Cross Border Transfer Rules (Chapter 13, GDPR).

9 Controllers, Joint Controllers, Processors, Sub-Processors GDPR compliance requires the management of both providers and recipients of data within your identified data flows. Complexities arise from the correct assessment and identification of the data roles played by your business partners and affiliates. Further difficulties can be presented in the assessment of your own data role within the data flow chain. Be conscious of changes in your data role:
- Do you create new data products?
- Do you enrich data?
Identify a recognized and accepted compliance model to assess data processing partners, infrastructure and service providers.

10 Controllers, Joint Controllers, Processors, Sub-Processors
- Assess and document your relationships within the Ad-Tech ecosystem.
- Control the relationships and their associated data: contractual controls / technical controls.
- Document the controls implemented and a methodology to provide assurance for their implementation.
- Create an auditable trail of your assessment, controls, assurance, and continual improvement.
NOTE: Compliance is likely to be a measure of your progress towards Privacy by Design and Privacy by Default.

11 Review & Document Security Measures Review and document security processes: how do you, and any company that acts as a processor, sub-processor or joint controller for your data, keep the data secure? Note: As per the GDPR, data breaches must be reported to the DPA within 72 hours of the breach. Consider creating a template in advance for sending this information.

12 Review & Document Security Measures
- Develop a Privacy Management Framework.
- Implement Data Protection Policies, including data classification, retention and governance.
- Collate your Privacy Notices.
- Document and illustrate data flows.
- Establish a continual assessment model.
- Provide a reporting mechanism and a repeatable audit trail.

13 Create & Execute a GDPR Compliance Roadmap Data processing and security reviews and assessments should help identify activities which (in part or as a whole) could create conflicts with the GDPR and therefore require changes. We advise that you create and execute a GDPR compliance roadmap.

14 Create & Execute a GDPR Compliance Roadmap Some questions to ask during the creation/execution phase of the GDPR Compliance Roadmap:
- In what way do your current processes conflict with the GDPR, and are there changes you can introduce to solve this?
- How long will it take to make the necessary changes?
- Do you process data on the basis of users' consent?
- Do you use a standardized method to receive and pass on consent to third parties and processors?
- Do you need to build additional logs? Example: if data is processed on the basis of users' consent, record with a timestamp when consent was given, not given, or revoked (connected to an IP address, cookie, UDID or other online identifier).
- How will you handle a user's right to access and other data subject rights (Chapter III of GDPR, Articles 12-22) and maintain your proof of compliance?
- Work with your processors and sub-processors to create documented instructions on the handling of data (Data Processor Agreements).
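The consent log described on this slide, as an added example that is not part of the original deck: every consent signal is appended with a timestamp and its source, the online identifier is stored only as a keyed hash (the PEPPER value is a constructed placeholder), and the current consent state is derived from the log so that a later revocation overrides an earlier grant and the full trail remains available for access requests and audits.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
# Secret held by the controller (assumed, constructed value): the log stores a
# keyed hash of the IP / cookie / UDID instead of the raw identifier.
PEPPER = b"example-only-pepper-rotate-in-production"
STATUSES = ("given", "not_given", "revoked")

def utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def pseudonymise(identifier: str) -> str:
    return hmac.new(PEPPER, identifier.encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class ConsentEvent:
    ts: datetime        # when the signal was received (UTC)
    subject: str        # pseudonymised online identifier
    purpose: str        # processing purpose the signal refers to
    status: str         # one of STATUSES
    source: str         # where the signal came from (banner, API, vendor)

class ConsentLog:
    """Append-only record of consent signals; state is derived, never edited."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, identifier, purpose, status, source, ts=None):
        if status not in STATUSES:
            raise ValueError(f"unknown consent status: {status!r}")
        ev = ConsentEvent(ts or datetime.now(timezone.utc),
                          pseudonymise(identifier), purpose, status, source)
        self._events.append(ev)
        return ev

    def has_consent(self, identifier, purpose, at=None) -> bool:
        # Consent holds only if the most recent signal for this subject and
        # purpose, as of `at`, is "given"; a later "revoked" overrides it.
        at = at or datetime.now(timezone.utc)
        subj = pseudonymise(identifier)
        latest = max((e for e in self._events
                      if e.subject == subj and e.purpose == purpose and e.ts <= at),
                     key=lambda e: e.ts, default=None)
        return latest is not None and latest.status == "given"

    def history(self, identifier) -> list[ConsentEvent]:
        # Evidence trail for a data subject access request or an audit.
        subj = pseudonymise(identifier)
        return [e for e in self._events if e.subject == subj]
```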

15 Create Data Protection Impact Assessments GDPR requires data controllers to carry out Impact Assessments prior to any new data processing activity in the following cases:
- Where a new technology is used;
- When the processing is likely to have high risk for data subjects. You can use a single Impact Assessment for multiple processing operations as long as they present similar risks;
- When it involves a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- When you process sensitive personal data on a large scale;
- When you systematically monitor a publicly accessible area on a large scale.

16 Create Data Protection Impact Assessments Pay close attention to the work of supervisory authorities: they are tasked with establishing a public list of processing activities which require a data protection impact assessment. They may also choose to publish a whitelist of processing activities which do not require a data protection impact assessment.

17 Review and Amend: Existing Vendor Contracts At the very least, companies must review already existing vendor contracts and their own privacy policy. IAB Europe recommends that you:
- Review all vendor contracts, and amend where necessary.
- When dealing with multiple data processors, an arrangement between the joint processors must be created to assign data protection compliance responsibilities amongst themselves.
- Review your Terms and Conditions.

18 Review and Amend: Privacy Policies & Privacy Notices Review your Privacy Notices (external disclosure) & Privacy Policies (internal rules).
- You should have rules and procedures in place for employees who work with personal data, and document them in privacy policies.
- Data subjects must be provided with certain information about the collection and further processing of their personal data. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, usually in the form of a privacy notice.
- A summary of the arrangement of joint controllers needs to be made available to data subjects.

19 Appointing a Data Protection Officer (DPO) The GDPR requires companies to designate a Data Protection Officer:
- If the law of the Member State requires it;
- If the company's core activities consist of processing which requires regular and systematic monitoring of data subjects on a large scale;
- If the data processed is sensitive information (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data, and data concerning health or a natural person's sex life or sexual orientation).

20 Tasks of a Data Protection Officer (DPO) DPOs should have expert knowledge of data protection law and practice and should be able to perform the following functions:
- Informing and advising the relevant controller or processor (and any employees who process personal data) about their obligations under the GDPR;
- Monitoring compliance with the GDPR by a controller or processor;
- Advising on impact assessments and engaging in prior consultations with Data Protection Authorities (DPAs);
- Cooperating with DPAs and acting as the point of contact;
- Dealing properly and in a timely manner with all data protection matters affecting the controller or processor.
The controller or processor must provide the DPO with the necessary resources and support to do this.

21 Establish a One Stop Shop with your DPA
- Organizations that operate in multiple member states will need to carefully consider their options in relation to establishment of the One Stop Shop.
- If an organization has establishments in multiple Member States and has established the One Stop Shop, the DPA for its main establishment will be its lead authority. This lead authority has the power to regulate that organization across all Member States.
- In order to qualify for the One-Stop-Shop the organization will need to have a place of main establishment (headquarters) in the EU.
- Having a One Stop Shop and a lead DPA as single point of contact (as opposed to dealing with DPAs in multiple member states) will allow for a more uniform application of compliance and authorization on compliance with EU Data Protection.
Link for all DPAs across member states:

22 Inform, Stay Informed & Enforce - Employees You should inform and train your employees about the implications of the GDPR and your new privacy policies for their work, and make sure that respecting your policies is enforced through appropriate disciplinary actions where necessary.

23 Inform, Stay Informed and Enforce - Industry Initiatives
- Stay on top of industry initiatives and standards by joining and engaging with IAB Europe and the IABs in your respective markets;
- Follow the work of the Article 29 Working Party (the future European Data Protection Board);
- Follow the work of data protection authorities in markets in which you are active.

24 Inform, Stay Informed & Enforce - Business Partners
- Inform Employees, Processors, Users, Clients (well ahead of May 2018) of changes to your terms and conditions and privacy policies.
- Inform Vendors, Processors, Sub-processors, Joint Controllers of necessary contract changes.


26 Thank You