GDPR Webinar : Overview & practical compliance steps. 23 October 2017

Transcription

1 GDPR Webinar : Overview & practical compliance steps 23 October

2 Dr Michelle Goddard Director Policy & Communication, EFAMRO Mattias Strandberg Skribent, dagensanalys.se copyright efamro

3 About EFAMRO Represents interests of market, social and opinion research in Europe Members are national trade associations for research businesses Support members especially in data protection and self-regulatory activities Lobby EU institutions on behalf of sector copyright efamro

4 General Data Protection Regulation (GDPR): Overview Extra-territorial Scope Strong Individual Rights Greater Business Accountability Robust enforcement regime

5 GDPR: Extraterritorial Effect Other data processors and controllers offering goods or services to individuals in the EU EU data controllers and processors processing data of EU residents Other data processors and controllers monitoring behaviour of individuals in the EU

6 GDPR: Wider scope of data categories Personal Data Sensitive Personal Data Any information relating to identified or identifiable natural person Special categories of data including health data Wider than PII expanded to include online identifiers Expanded to include biometric and genetic data Can use standard processing grounds Requires explicit consent unless falls within limited exemptions

7 GDPR: Strengthened individual rights New Strengthened Right to data portability Right to erasure/ be forgotten Right to restrict processing Right to access data Right to information in notices Right to withdraw consent Right to object to processing incl. DM Right not to be evaluated by automated processing Right to rectification (of inaccurate data) Need to promote all these rights to individuals

8 GDPR: Higher standard of consent Freely given, specific, informed and unambiguous Needs to be verifiable so keep records Historic consents only valid if meet GDPR requirements if not need to refresh Remember other legal grounds for processing data are available

9 GDPR: Greater business accountability Increased obligations Demonstrate compliance Privacy by design and default Detailed internal records Privacy Impact Assessments Data Protection Officers Reduced burden No notifications to DPA

10 GDPR : Direct obligations on data processors Data Controller (DC) New mandatory contract terms (include security measures, right of audit of DP, subprocessor approvals) Full statutory liability and shared liability Joint Data Controller Explicit recognition of joint DC New mandatory contract terms (include security of measures, right of audit of DP etc and how data subjects can exercise rights and who provides information) Full statutory liability but shared liability Data Processor (DP) New mandatory contract terms (include seek approval of DC for appointment of sub-processor and data transfers out of EEA) Direct liability now includes full range of enforcement action in addition to liability for breach of contract

11 GDPR: Higher penalties Heavy monetary sanctions Increased powers Claims by data subject claims for non-compliance up to 20m or 4% turnover for supervisory authorities and liaison with European Data Protection Board for compensation for breaches Class actions by consumer associations 11

12 GDPR: Compliance Tips 12

13 #1. Understand your data use Audit, understand and map data used and collected by business - What data exists? - How is it being stored? Where is it being stored? E.g. cloud providers - How is it being used? - Who has access and who needs access? - How is it being secured? 13

14 #2. Limit data collection and deidentify data sets as soon as feasible e.g. Name e.g. Health information e.g. Postcode De-identified Personal Dataset Unique identifier Nonidentifiable dataset Personal Dataset Pseudonymised Dataset Anonymised Dataset 14

15 #3. Be accountable - update internal records Written record-keeping of processing activities Over 250 employees (mandatory for all records) Under 250 employees (only high risk activities) Different types of records for data controllers and data processors Consider whether kept up to date and who is responsible 15

16 #4. Be transparent - Rewrite policies and consent forms Revise internal and external data protection policies Update privacy notices and consent forms use plain language cover off all intended purposes layering blending 16

17 #5. Be proactive - Review contracts with clients and other research suppliers Examine inventory of contracts with other research suppliers Determine if data processor or data controller Review and revise legacy contracts Include contracts with freelancers and make clear requirements to follow GDPR 17

18 #6. Focus on technical and security IT procedures and systems Do they allow new rights to be exercised e.g. data portability; right to erasure; timely subject access requests? reflect requirements for timely data breach identification and notification? provide sufficient technical safeguards for protection of personal data e.g. encryption; pseudonymisation? Would signing up to a digital security standard/ ISO technical standard help? 18

19 #7. Embed accountability and privacy centric approach in staff Put in place demonstrable processes on accountability Train staff Consider appointment of data protection officer Shared employee role? Outsourced role? 19

20 #8. Embed privacy principles across all data-projects Set-up/Scoping Storage & Data Disposal Data Collection Reporting & Publication Data Analysis & Data Re-use 20

21 #9. Understand and follow national position in Sweden Are any differences (looser or tighter requirements) likely in Sweden? Understand the approach of legislators and regulators? Follow any timetable for Swedish DPA (datainspektionen) and EU guidance 21

22 . and remember the proposal for eprivacy Regulation may impact research and marketing Increased sanctions in line with GDPR Changes for use of analytics cookies Other impacts on marketing 22

23 But GDPR is here: It s time to get ready! Review and take stock of existing policies and procedures Commit to data protection by design and default in projects and processes Embed the shift to proprivacy organisatio nal culture GDPR May 25 th 23