GDPR for whom it may concern

Transcription

1 GDPR for whom it may concern Margarita Dubovik 12-Oct-17

2 GENERAL REGULATION - BACKGROUND GDPR will replace national data protection laws of all 28 EU member states in May GDPR also has international reach applying to any organization that processes data of EU data subjects. Fines for non-compliance will increase substantially up to a maximum fine of 20 million or 4% of global annual sales, whichever is higher GDPR will fundamentally change the way companies must manage personal data *Article 30 of Regulation declares that for the organizations with fewer than 250 employees GDPR has limited application 18-Oct-17 <Place footer here> 2

3 GDPR DEFINITIONS Article 4(1) - Any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Examples: Name Age Address IP address WHAT S CHANGED? While the definition looks to have been simplified, the effect is to make it more detailed by reference to a series of identifiers including name, online identifiers (such as an IP address) and location data.

4 GDPR DEFINITIONS SENSITIVE Article 9(1) - "Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; CONCERNING HEALTH(Art.4(15)) or sex life and sexual orientation; GENETIC (Art.4(13)) or BIOMETRIC (Art.4(14)). Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence). Examples: Religion Political sympathies Race DNA data History of illnesses WHAT S CHANGED? The inclusion of genetic and biometric data is new. The definition previously included information about criminal convictions this is now treated separately and subject to even tighter controls.

5 GDPR WHAT CAUSED THIS CHANGE? No single set of rules in EU Uncontrolled collection and storage of personal data Inability to withdraw from direct marketing No control over provided consent Lack of procedures for data accuracy GDPR IS ABOUT GETTING CONTROL OVER BACK TO PEOPLE

6 OFFICER JOINT LIABILITY RIGHT TO BE CONSENT ON AND USAGE PORTABILITY FINES FOR NON-COMPLIANCE INCREASE 72 HOURS

7 OFFICER DPO main tasks LIABILITY FINES FOR NON-COMPLIANCE INCREASE RIGHT TO BE To inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation; To monitor compliance with this Regulation, including the assignment of responsibilities, awareness- raising and training of staff involved in the JOINT processing operations, CONSENT and the related ON audits; To provide advice where requested AND as USAGE regards the data protection impact PORTABILITY assessment and monitor its performance pursuant to Article 35; To cooperate with the supervisory authority (the ICO in the UK); To act as the contact point for the supervisory authority on issues related to the processing of personal data 72 HOURS

8 OFFICER JOINT RIGHT TO BE PORTABILITY CONSENT ON AND USAGE LIABILITYA person has a right to ask for the erasure of the personal data from the controller and controller has obligation to comply with this request 72 HOURS If the data requested to be deleted has already been made public, the FINES controller FOR shall NON-COMPLIANCE take reasonable steps, including technical measures, to inform other INCREASE controllers of such request

9 OFFICER RIGHT TO BE Data controller has to report a breach in personal data to the supervisory authority within 72 hours after having JOINT become aware of it CONSENT ON AND USAGE LIABILITY PORTABILITY FINES FOR NON-COMPLIANCE INCREASE 72 HOURS

10 OFFICER JOINT LIABILITY FINES FOR NON-COMPLIANCE INCREASE RIGHT TO BE Data controllers are defined as organizations who acquire EU residents data Data processors identified as those that manage, modify, store or analyze the data collected on behalf of the CONSENT controllers ON AND USAGE Under the new regulations, PORTABILITY both the controllers and processors will be held jointly liable for a data breach 72 HOURS

11 OFFICER JOINT LIABILITY RIGHT TO BE Data controller has to implement and always use appropriate technical and organizational measures to meet GDPR requirements Examples: Pseudonymization Data minimization CONSENT ON AND USAGE PORTABILITY FINES FOR NON-COMPLIANCE INCREASE 72 HOURS

12 OFFICER JOINT Data controller has to implement appropriate CONSENT technical ON and organizational measures to ensure that, by default, only AND USAGE personal data which LIABILITY are necessary for each specific purpose of the processing are processed FINES FOR NON-COMPLIANCE INCREASE RIGHT TO BE PORTABILITY 72 HOURS

13 FINES FOR NON-COMPLIANCE INCREASE RIGHT TO BE There should be always an explanation why data is collected OFFICER Consent is a must It is necessary for performance JOINT of a contractconsent ON It is necessary for compliance with legal obligations AND USAGE It is necessary for LIABILITY protection of vital interests of this person It is necessary to perform a task in public interests PORTABILITY 72 HOURS

14 OFFICER JOINT LIABILITY Consent needs to be provided for all types of action performed with personal data Data controller needs RIGHT to be able to TO demonstrate BE availability of consent A person has a right to withdraw consent CONSENT ON AND USAGE PORTABILITY FINES FOR NON-COMPLIANCE INCREASE 72 HOURS

15 OFFICER RIGHT TO BE The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services JOINT CONSENT ON It applies to situations where personal data was provided AND USAGE to a data controller LIABILITY and consent was given PORTABILITY Data controller has to extract personal data and pass it over to the individual in machine readable format (CSV) FINES FOR NON-COMPLIANCE INCREASE 72 HOURS

16 GDPR TO WHOM IT CONCERN DO YOU HAVE GOVERNANCE? Do you have a DPO role in your company? Do you classify your data? Do you monitor data breaches? IS STORED SECURELY? Can you map all the locations where data is stored? Do you move personal data outside EU? Do you manage data access? IF YES, CAN YOU PROVE IT? IS PRIVACY BY DESIGN IMPLEMENTED? <Place footer here> Do you seek to minimize data collection? Is there a data deletion process? Is stored data portable?

17 STEPS TO GDPR COMPLIANCE DPO translation of GDPR articles into internal policies and guidelines Business initiation of projects and programs to implement Legal policies and guidelines Data investigation GAP analysis identification of non-compliance areas Planning and implementation of projects to close the gaps 12-OCT-17 #Anchormen #GDPR #meetup #Groningen

18 GDPR COMPLIANCE OUTCOME CONSUMER 360 ACTIVATION TO CREATE VALUE -CENTRIC THINKING ADVANCED ANALYTICS UNIFIED MANAGEMENT APPROACH VALUE CHAIN TRANSPARENCY 12-OCT-17 #Anchormen #GDPR #meetup #Groningen

19 12-OCT-17 #Anchormen #GDPR #meetup #Groningen THANK YOU!