GDPR & SMART PIA. Wageningen University Feb 2017


Tips for Action: Anticipate the new EU General Data Protection Regulation (GDPR) to determine the privacy standards

The GDPR was adopted by the European Parliament on 14 April 2016. As a regulation it applies directly in the Member States from 25 May 2018; the two-year transition period is there to adapt national legislation and to prepare enforcement. Fines go up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

1. Even if you have no physical presence in the EU, assess whether your company falls within the scope of the GDPR.
2. Review internal processes to meet the requirements on individuals' rights (e.g. giving consent, how to grant access to data) and the data breach notification requirements.
3. Review current databases, records and archives to see what is in place and what is missing to meet the record-keeping and data retention requirements.
4. Set up or revise privacy impact assessment procedures and privacy-by-design methods and ensure they are fit for purpose.
5. Ensure a Data Protection Officer is appointed to meet international privacy standards and regulations.
6. Review customer-facing materials to comply with the new consent and transparency requirements.
7. Pay particular attention to data analytics, profiling, free services and digital offerings to children, given the strengthened conditions on consent.
8. Review and amend agreements and templates with data processors (suppliers, partners, etc.).

Privacy legislation is being tightened globally, with Europe having the most advanced regime.

Q2: Data breach notification; must you report every data breach?

Under the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Art. 4(12)). Notice to the supervisory authority must be provided without undue delay and, where feasible, not later than 72 hours after the controller has become aware of it (Art. 33). If notification is not made within 72 hours, the controller must provide a reasoned justification for the delay. Notice is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Since the 72-hour clock starts at awareness, the process must also define when the organisation considers itself aware of a breach.

Develop a data breach notification process in line with the GDPR requirements that fits within the procedures already existing in your organisation. Remember that there are three types of notification:

1. The data controller to the relevant data protection authority
2. The data processor to the data controller, without undue delay after becoming aware of the breach (Art. 33(2))
3. The data controller to the data subject, required when the breach is likely to result in a high risk to the rights and freedoms of natural persons (Art. 34)

Q3: Controllers and processors will only have to answer to a single data protection authority

The first draft of the GDPR (2012) had this intent, but the final version states something different. While it is true that organisations will have a lead supervisory authority (in the Netherlands this is the Autoriteit Persoonsgegevens, AP), other supervisory authorities can intervene if an issue relates to a controller or processor established in their Member State, or if data subjects in their Member State are otherwise substantially affected (Art. 56). Customers with subsidiaries in different countries therefore need a contact person in those countries. With a PIA and a data register in place, the general obligation to notify processing to the DPA disappears: contact with the DPA is only necessary for high-risk processing where you are not able to mitigate the risk yourself, in which case prior consultation of the DPA is required (Art. 36).

Clients focus on:

1. Getting a grip on their personal data, usually using data mapping
2. Building a register of personal data processing (Art. 30)
3. Performing a PIA to determine mitigating actions for high-risk processing activities

Q4: When relying on consent to process personal data, consent must be explicit

The final text requires that consent be unambiguous, not explicit (Art. 4(11)). Explicit consent is required only for processing sensitive personal data; in that context nothing short of an opt-in will suffice (Art. 9(2)). For non-sensitive data, unambiguous consent will do, and this allows the possibility of implied consent if an individual's actions are sufficiently indicative of their agreement to the processing. In practice we see that consent is in most cases still ambiguous, e.g. hidden in a long statement on the service or buried in a very extensive privacy policy. This does not help when explicit consent is needed for special categories of data in a new service or innovation. Remember that it must be as easy to withdraw consent as it was to give it (Art. 7(3)).

1. Transparency: use layered privacy notices
2. Develop relevant services based on consent (risky!)
3. Develop a database for keeping the consent provided by the client

Q5: Not everyone needs a Data Protection Officer

Under Article 37, a data protection officer must be appointed by all public authorities, and where the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale, or where the entity conducts large-scale processing of special categories of data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and the like, defined in Article 9). Under the Regulation, moreover, data protection officers have many rights in addition to their responsibilities. Even organisations that do not fall into the categories mentioned above often appoint a DPO, because they want someone to be responsible for this topic and to keep it alive without external help.

1. Roles and responsibilities of the DPO
2. Profile of a DPO: what is the perfect profile for a DPO?
3. Certification / training for the DPO or related privacy staff members

Q6: Biometric data is sensitive data under the GDPR

Biometric data can be sensitive data under the GDPR, but only if it is processed for the purpose of uniquely identifying someone (Art. 9(1)). Photographs uploaded to a cloud service would not be considered sensitive data, for example, unless used for identification purposes; think, for instance, of airport security barriers that recognise you from your passport photograph. The use of biometric data is increasing for the purpose of singling out the proper person; e.g. a cleaning company used biometric data for fraud prevention and administrative purposes. The purpose is decisive, but since it is a new technique the reaction of a regulator is sometimes very reserved (Tempo Team case).

1. Proper use of biometric data
2. Using PETs (Privacy Enhancing Technologies) when building products that use biometric data
3. Make staff members aware of the use of biometric data

Q7: Individuals have an absolute right to be forgotten

The GDPR refers to the right to be forgotten as the right to erasure (Art. 17). However, unlike the right to opt out of direct marketing, it is not an absolute right. Organisations may continue to process data if the data remains necessary for the purposes for which it was originally collected and the organisation still has a legal ground for processing the data under Art. 6 (and, if sensitive data is concerned, Art. 9 too). The right to be forgotten, or erasure, is in the top 10 of challenges that organisations face when looking at the GDPR, since it challenges data management, which is often not very well taken care of. Questions arise such as: what exactly is the relevant data to be erased? How can we identify this client's data in all the systems that hold it?

1. Interpreting the right to erasure for their own organisation
2. Upgrading their data management standard
3. Designing a process to facilitate customer questions

Q9: Not every business will be subject to the new data portability rules

Data portability requirements apply only when processing is based on consent or contractual necessity and is carried out by automated means (Art. 20(1)). They do not apply when, for example, processing is based on legitimate interests. This is an important strategic point for businesses to consider when deciding upon the lawful grounds on which they will process personal data. Big data analytics based on consent rests on a weak foundation, since consent can be withdrawn just as easily as it was given; moreover, the client data used for these analytics must then be portable as well, meaning that the data set has a limited durability.

1. Portability requirements: what is machine readable?
2. Starting initiatives that already take the portability of data into account (analytics platforms)
3. Trying to stretch the term "legitimate interest"

Q10: Not all profiling activities require consent

Article 22 restricts decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect a data subject (Art. 22(1)); explicit consent is one of the grounds on which such a decision may still be made (Art. 22(2)). Consider the targeted advertising industry: can we really say that data processing for the purpose of serving targeted ads has these consequences? Put another way, the GDPR does not generally mandate consent for the profiling activities of ad tech companies. Profiling is nevertheless regarded as high-risk processing and is often treated as such, mostly out of concern for reputational damage. Direct marketing to existing customers, by contrast, is allowed and actively pursued, subject to the customer's right to object (Art. 21(2)).

1. How to interpret profiling as opposed to automated decision-making
2. How to deal with profiling in a way that is positive for the customer and does not harm his or her privacy
3. Automate the link between the consent given and the data set that may be used

Q11: What is the Dutch word for Privacy Impact Assessment?

Gegevensbeschermingseffectbeoordeling! The monstrous translation of the GDPR into the Algemene Verordening Gegevensbescherming (AVG) has caused some issues of interpretation and understanding. The green book is a must-read for everyone trying to make sense of the AVG.