What in the World is GDPR? Imran Ahmad, Partner Miller Thomson LLP


Slide 2: Imran Ahmad
Imran Ahmad is a partner at Miller Thomson LLP and specializes in the areas of cybersecurity, technology and privacy law. He works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches.
- Adjunct Professor of Cybersecurity Law at University of Toronto
- Author of Canada's first legal incident preparation and response handbook, A Handbook to Cyber Law in Canada (published in August 2017 by LexisNexis).

Slide 3: Glossary
- Data Controller: A person or body, alone or jointly, which determines the purposes and means of processing personal data.
- Data Processor: An entity which processes the data on behalf of the controller.
- Data Subject: Natural person who can be identified or is identifiable, directly or indirectly.
- DPO: Data Protection Officer.
- Personal Data: Any information relating to an identified / identifiable natural person, a data subject.
- Supervisory Authority: National data protection authorities, empowered to enforce the GDPR in their own member state.

Slide 4: Roles: Controller vs Processor
Controller
- Says how and why personal data is processed
- Collects personal data
- Overall control of personal data
- Required to ensure that contracts with processors comply with GDPR
- Retains overall accountability for processing activities
Processor
- Acts on controller's behalf
- Required to maintain records of personal data and processing activities
- Conducts PIA in its service offering (which will be reviewed and monitored by Controller)

Slide 5: Enforcement
Individuals
- Lodge complaint against Controller or Processor for non-compliance
- Right to judicial remedy where Supervisory Authority fails to deal with complaint
- Right to compensation from relevant Controller or Processor for damages
- Potential for claim for non-pecuniary loss (e.g., distress)
- Potential class action exposure
Administrative fines (tiered approach)
- Fines of up to €10,000,000 (or 2% of global turnover, whichever is higher); and
- Fines of up to €20,000,000 (or 4% of global turnover, whichever is higher).
Other: Supervisory Authorities have other enforcement powers
- Demand information from Controller or Processor
- Conduct data protection audits
- Issue warnings, compliance orders, temporary bans on processing, etc.

Slide 6: GDPR In a Nutshell

Slide 7: GDPR Extra-Territorial
- Applies to EU-established organisations
- Applies to non-EU-established organisations if:
  - Offering goods and services within the EU; or
  - Monitoring behavior of EU data subjects
- Transfers of data outside the EU:
  - EU approved adequacy list
  - EU-US Privacy Shield
- Key is to know exactly where your data is collected, transferred and stored
Source: AdProfs, available online at: <

Slide 8: Operational Considerations
1. Accountability
2. Privacy Structure / Data Protection Officer
3. Registers and Records
4. Legal Basis, Consent and Re-consenting*
5. Transparency
6. Information Rights Management
7. Third Party Risk Management*
8. Maintaining Business Effectiveness
9. Cross Border Data Transfers
10. Programme Delivery

Slide 9: Consent Legal Requirements
Six (6) lawful bases for processing:
1. Consent
2. Performance of a contract
3. Compliance with a legal obligation
4. Vital interests of the data subject or another person
5. Performance of a task in the public interest or official authority of the controller (not open to most private companies)
6. Legitimate interests of the controller or a third party (not open to public authorities)

Slide 10: Consent Legal Basis
- Selection of an appropriate legal basis is a critical business decision
  - If the decision is found to be incorrect then the organisation may have to suspend processing or destroy data if a valid legal basis cannot be established
- Consent is invalid if there is an overriding legal basis
  - e.g. if a contract exists between controller and subject for the purpose of processing, then there's no point in asking for consent: "Please can we have your consent to process your data to send you your goods?"
- Consent is also invalid if asked for and withheld: no second attempts!
- Try to find another legal basis first (and if it exists, it may negate the use of consent)

Slide 11: Accountability
Governance
- Leadership Committee
- Roles/Responsibility
- Confirm DPO Needs
- Governance Document*
Awareness / Assessment
- Educate
- Training
- Assess PII
- Locate Data
- Map
- Assess the Gaps
Data Security
- Data Control
- Data Preservation
- Data Destruction
- Policies/Procedures Document
Compliance
- Data Subject Access Requests (DSAR)
- Update Privacy Notices
- Data Breach Response Plan
Commitment
- Establish deliverables (quarterly) & ongoing evaluations/audit
* GOAL is data minimisation

Slide 12: Questions?