New General Data Protection Regulation - an introduction


New General Data Protection Regulation - an introduction
Netnod spring meeting 2017
Johan Hübner, Partner, Advokat
Erika Hammar, Associate

Agenda
- Background
- Why you need to care about the new data privacy regulation (GDPR)
- New sanctions
- What to consider in relation to the cloud
- What to do to be compliant?
2017-03-28 New Data Protection Regulation - why do I have to care? 2

Background - So what's new?

Today: The Personal Data Act (PDA) and the Data Protection Directive
- Protection of privacy
- In practice few sanctions for breaching the legislation; violations are common
- National law based on the Data Protection Directive (95/46)
- Other legislation takes precedence over the PDA
- Goodwill

New EU Regulation (GDPR)
- Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Directly applicable regulation replacing the PDA and the corresponding laws throughout the EU
- Objectives: ensure a high level of protection of personal data; freedom of trade within the EU
- The new rules will apply from May 2018
- Detailed guidelines yet to be issued

The Regulation in short
- One Regulation to rule them all
- The principles are based on current law, but there are also a large number of new rules
- There are some possibilities for discrepancies in national law, but only for certain rules
- Uniform interpretation throughout the EU
- One Stop Shop: one supervisory authority, in the country of the main establishment
- Applies to all processing of data

What is personal data?
- Personal data: any information relating to an identified or identifiable natural person, i.e. someone who could be identified directly or indirectly (note: sensitive data)
- Is this personal data?
  - name.lastname@delphi.se
  - 83.248.106.125 (an IPv4 address)
  - A picture

Definition of processing
- The definition of processing is wide and includes any operation performed on personal data
- Examples:
  - Collection
  - Registration
  - Storage
  - Processing
  - Disclosure by transfer, dissemination or other provision of data
  - Compilations or joint processing

Fundamental principles - basic requirements on the services used
- Lawfulness, fairness and transparency
- Data may only be processed for specified, explicit and legitimate purposes
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality

When is processing permitted?
Processing is lawful only when one of the following applies:
1. Informed consent
2. Necessary for the performance of a contract to which the data subject is party
3. Necessary for compliance with a legal obligation
4. Necessary in order to protect the vital interests of the data subject
5. Necessary for the performance of a task carried out in the public interest, or
6. Legitimate interests, when not overridden by the interests of the individual

Consent
- A freely given, specific, informed and unambiguous indication
- May be given verbally or in writing
- A request for written consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language
- Separate consent given to different personal data processing purposes?
- Freely given? Consider an agreement made conditional upon consent, even though the consent is not necessary for the performance of the agreement
- Note: new rules for consent for persons 13-16 years old

Ok, but why do I have to care?
Because it may be very expensive to break the rules

Administrative fines
Tier 1: Up to 10 000 000 EUR, or up to 2 % of the total worldwide annual turnover
- Age requirement
- Security requirement, privacy by design
- A great many other rules
Tier 2: Up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover
- Breach of fundamental principles, such as storing data for too long
- Handling data without legal ground
- Incorrect consent
- Breach of rules regarding sensitive data, etc.
- Rights of the registered, such as information
- Illegal transfer of data outside the EU

Other sanctions
- The right for individuals to claim damages and penalties will be stipulated by each member state
- Warning, reprimand or order
- Restriction or prohibition
- Member states shall establish sanctions for infringements which are not subject to fines and ensure that they are implemented

Ok, now you have my attention. What do I need to consider?

Controller
- The person who alone or together with others determines the purposes and means of the processing of personal data
- Is always responsible for compliance with the law
- Thus, you are the one responsible for ensuring, e.g., that the IT systems you use (including any cloud services) meet the legal requirements (not the supplier)

Processor
- A natural or legal person which processes personal data on behalf of the controller
- For example, a cloud service provider that is granted access to or otherwise processes your personal data

Requirements for data processor agreements
- Identify controller + processor
- In some cases both parties are each other's controller and processor
- Increased requirements (such as audit) must be fulfilled in your agreement!
- (Diagram: the data processor agreement links the Controller and the Processor, with the Individual as the data subject)

EU you said, but I have a global approach - what applies to me?
- The legislation may not be circumvented by transferring data outside the EU
- Know where processing is carried out
- Does a certain service transfer data to countries which are not permitted (backup, redundancy etc.)?

Information requirements
- Information: privacy policy/information to customers and employees
- More extensive information is required - update privacy policies
- Different requirements depending on whether the data is collected from the data subject itself or not
- Access to personal data: upon request, provide the information (an extract from the register) within one month

Security requirements
- Companies shall implement appropriate technical and organisational measures to ensure an appropriate level of security
- May involve:
  - encryption of personal data
  - continuous control of the systems that process the data
  - a system for testing the effectiveness of measures for ensuring the security of the processing
- Where proportionate in relation to processing activities, the measures shall include appropriate data protection policies
- Explicit requirement to ensure appropriate security of the personal data against unauthorised or unlawful processing and against accidental loss

Privacy by design
- Ensure that the period for which the personal data are stored is limited to a strict minimum (storage limitation)
- Transparency: facilitate information to data subjects
- Privacy by default: use of personal data should be limited to what is necessary for the purposes for which they are processed
- Infrastructure to enable access to, correction and deletion of personal data

Right to be forgotten
- Maximising the volume of stored personal data
- Requirement for deletion, if no legitimate basis for continued processing exists
- (Decision flow: "Delete my data" -> Legitimate basis to keep the data? NO -> DELETE; YES -> KEEP)

Act fast if there's a data breach
- Inform about a personal data breach without undue delay
- Notify the supervisory authority
  - General rule: no later than 72 hours after having become aware of the breach
- Notify every data subject
  - If the breach is likely to result in a high risk to the rights and freedoms of natural persons
  - Exception, e.g. if there is a system to prove that the lost data has been made unintelligible to unauthorised persons, such as encryption
  - Disproportionate effort: public communication instead
- Organisations need to strengthen their security measures
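The breach-notification decision on the slide above, written out as runbook logic (an added example, not from the presentation): the 72-hour authority deadline counted from awareness, data-subject notification only on high risk, the encryption exception, and the fall-back to public communication. The `Breach`/`Plan` types, the sample awareness time and the `max_unreachable` threshold that stands in for "disproportionate effort" are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example (not from the slides): encodes the breach notification decision
# from the "Act fast" slide. Authority deadline = 72 h from awareness; data
# subjects only on high risk, unless the data was made unintelligible (e.g.
# encrypted); public communication when direct contact would take
# disproportionate effort. The max_unreachable threshold is an assumption.

AUTHORITY_DEADLINE = timedelta(hours=72)
SAMPLE_AWARE = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed


@dataclass
class Breach:
    became_aware: datetime      # when the controller became aware of the breach
    high_risk: bool             # likely high risk to rights and freedoms?
    unintelligible: bool        # data provably unusable to third parties, e.g. encrypted
    affected_subjects: int
    contactable_subjects: int   # subjects the controller can reach directly


@dataclass
class Plan:
    authority_deadline: datetime
    notify_subjects: bool = False
    channel: str = "none"       # "none", "direct" or "public"
    reasons: list = field(default_factory=list)


def breach_plan(b: Breach, max_unreachable: int = 10_000) -> Plan:
    """Decide who must be notified and by when (max_unreachable is assumed)."""
    plan = Plan(authority_deadline=b.became_aware + AUTHORITY_DEADLINE)
    plan.reasons.append("notify the supervisory authority within 72 h of awareness")
    if not b.high_risk:
        plan.reasons.append("no high risk: data subjects need not be notified")
    elif b.unintelligible:
        plan.reasons.append("data made unintelligible (e.g. encrypted): exception applies")
    else:
        plan.notify_subjects = True
        unreachable = b.affected_subjects - b.contactable_subjects
        plan.channel = "public" if unreachable > max_unreachable else "direct"
        plan.reasons.append(f"high risk: notify subjects via {plan.channel} communication")
    return plan


def hours_remaining(b: Breach, now: datetime) -> float:
    """Hours left until the 72 h authority deadline; negative once overdue."""
    return (b.became_aware + AUTHORITY_DEADLINE - now) / timedelta(hours=1)
```

The `reasons` list is meant to go straight into the incident record, so the decision and its basis are documented when the authority asks.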

OK, I care - what to do?

Practical changes
- Privacy is a question for top management
- More important to comply with the law: not just bad will, but also a greater risk of fines/damages and the risk of having to erase data
- Increased focus on preventive actions
- A compliance program is required
- Systems and databases may be illegal; data must be deleted
- A budget for privacy is necessary

How can we prepare? Learn! Apply! Comply!
- Compliance project
  - Review of records, registers, etc.
  - Updating of documents, consents, information documentation, processor agreements, contracts, etc.
- Start applying Privacy by design
- Impose requirements on cloud suppliers when entering into new cloud agreements
- Review and if necessary adjust current cloud agreements

Johan Hübner, Partner/Advokat, Mobil +46 (0)709-25 25 04, johan.hubner@delphi.se
Erika Hammar, Associate, Mobil +46 (0)76-772 00 17, erika.hammar@delphi.se
Advokatfirman Delphi, Mäster Samuelsgatan 17 / Box 1432 / 111 84 Stockholm / Sweden, Tel: +46 8 677 54 00 / www.delphi.se