New EU-GDPR: Challenges for Universities and Research Organisations


Prof. Dr.-Ing. Ramin Yahyapour
CIO, Georg-August-Universität Göttingen and University Medical Centre
Director, GWDG
EUNIS workshop for Data Protection and IT Security, Berlin, 21 April 2017

About GWDG
- Joint compute and research centre of the University of Göttingen and the Max Planck Society
- Serving over 80,000 customers: scientists and students, external researchers
Göttingen Campus
- University: 200 institutes and 13 faculties; 14,000 employees, 3,000 research scientists, 400 professors, 34,000 students
- Academic Medical Centre (UMG): 1,500 beds, 7,000 staff
- Göttingen Campus partners: 5 Max Planck Institutes, Leibniz Institute DPZ, Academy of Sciences

GDPR: a relevant topic for science
- The German Council for Scientific Information Infrastructures (RfII), appointed by the Joint Science Conference of the Federal States and the Federal Government of Germany, organised workshops and has just issued recommendations on data protection (DPR) and research data management (March 2017): http://www.rfii.de/?wpdmdl=2249

How does the new EU-GDPR affect universities?
Roles to be separated:
- The university as a user of external services (the external provider acts as a third-party processor)
- The university as a data processing entity and in-house service provider (controller and processor in-house)
Data-related science:
- The majority of research is data-driven: data is collected and analysed, and new insights are gained
- The expectations and requirements differ: enabling science and teaching, being compliant, being efficient

New EU-GDPR: the university as user of external services
- GDPR will only be one aspect of selecting a business partner or outsourcing a service
- More often there is a major mismatch between the GDPR rules, the actual privacy statement/terms of use of the company, and the expectations of the customer
- Universities are often not in a position to impose terms on companies' offers
- In general: there are many projects/datasets with only minor data protection requirements, and there are projects/datasets with critical data protection requirements

Data privacy at a university
- In general, most universities/research organisations in Germany run best-practice standards:
  - Data privacy officer in place
  - Established processes to document relevant data processing
  - An asset register of relevant data processing is maintained
  - Common technical and organisational measures in place
- All well? Depends.

Challenges before the new EU-GDPR
- What to do to be legally compliant? Guidelines are often not specific and leave room for interpretation, which leads to a risk assessment of whether processes are compliant
- What rules apply when? Different legal environments; e.g. Germany, with its federal structure, had different laws per state
- Who is responsible? Universities and research organisations are not homogeneous entities; typically there is no top-down structure, leading to incomplete application of guidelines

Taxonomy of data processing at a university
Central administrative services (roughly 50-200):
- Not research; centrally funded; run on central infrastructure
- On data protection: mostly well-documented processes, mostly well managed; DPO involved, as well as ethics committee, worker representation, student council etc.
Large collaborative research projects (roughly 10-30):
- Many scientists involved; external funding
- Increasingly considering data management plans and security concepts, sometimes required by the funding agency
- Data privacy is sometimes a topic, depending on the discipline
- Often run on central infrastructure
Normal research projects, the long tail of science (more than 1,000):
- Often only 1-2 scientists involved
- Sometimes including use of personal or sensitive data
- Often no data management plan
- Infrastructure can be central, decentral or external; limited central insight
- Often no consideration of data privacy, data management plans or security requirements

New EU-GDPR
- It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover
- Reasonable objectives
- Simplifications, but new obligations
- Consequences for scientific research still to be assessed

Assessment of the new EU-GDPR: scope
- Applies to universities and research organisations
- Takes precedence over national law, but many aspects are left to national interpretation = weakening the objective of harmonising regulations
- Scientific research is mentioned as a special case; details unclear
- The research provisions will only apply to scientific projects and not to all data collected at research organisations = a mix of requirements at research organisations

Assessment of the new EU-GDPR: consent (Recital 32; Art. 7)
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them."
- For scientific projects, consent management is getting increasingly complex and practically unmaintainable (informing, revoking)
- Open: informed versus broad consent (Recital 33 allows consent to "certain areas of scientific research", but does not say where the boundaries lie)
- = No real help from the EU-GDPR

Assessment of the new EU-GDPR: Art. 83, penalties and sanctions
"Infringements ... shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"
- Does it apply to research organisations? (Art. 83(7) leaves it to each Member State whether, and to what extent, administrative fines may be imposed on public authorities and bodies.) Would it be enforced? How is turnover calculated?
- = Probably universities and research organisations are not in focus
- = However, subject to compliance risk management

Assessment of the new EU-GDPR: Art. 33/34, notification of data breaches
"the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority" (Art. 33); where the "personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay" (Art. 34)
- The required notification actions need to be analysed and established
- No major problem to be expected, but additional effort
- Requires additional teaching and training of scientists to raise awareness

Assessment of the new EU-GDPR: Art. 4(1), definition of personal data
"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
- The GDPR gives many aspects and hints on what personal data is; however, there is still plenty of room for interpretation by local authorities
- = Different interpretations will lead to varying requirements; no common standard guidelines

Assessment of the new EU-GDPR: Art. 28, processing through a third party (processor)
"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller" (Art. 28(3))
- The regulations towards a third-party processor are very similar to the prior German regulations
- Simplifications in how the contract can be concluded (electronic form suffices, Art. 28(9); standard contractual clauses may be used, Art. 28(8))
- No requirement to check the processor's compliance (note, though, that Art. 28(1) still requires the controller to use only processors providing sufficient guarantees)
- = Easier to use external third parties

Assessment of the new EU-GDPR: Art. 32, security of processing
"implement appropriate technical and organisational measures"
- A recurring term with significant impact on daily work in research organisations
- What are the appropriate TOMs (technical and organisational measures)? Who defines them? How are they compared/selected, and how is compliance shown?
- = Little interest in being innovative in these definitions
- = Common, acceptable standards needed

Assessment of the new EU-GDPR: Art. 32(1), security of processing (continued)
"(a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
- There are no clear definitions given
- The major work (and cost) lies in adopting and maintaining such measures: ISO/IEC 2700x, German BSI IT-Grundschutz
- Conflicting objectives: cost/effort versus level of security
- All strongly dependent on the stance of the supervisory authorities

Assessment of the new EU-GDPR: Art. 40, codes of conduct
"Associations and other bodies representing categories of controllers or processors may prepare codes of conduct ... for the purpose of specifying the application of this Regulation" (Art. 40(2)); such a code "shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance" (Art. 40(4))
- Possibility of a Code of Conduct (CoC) for research organisations? One CoC or many? Who should define it?
- Only reasonable if accepted by the supervisory authority
- Mandatory monitoring of compliance is new
- First discussions showed a CoC could be useful, but authorities are not yet prepared
- Major risk that CoC/TOMs are required in an unmanageable way

Role of authorities
- The GDPR leaves many aspects up to national regulatory authorities or the supervisory authorities
- The goal of harmonisation seems valid and achieved in some aspects, but in practice the attitude towards data protection of the responsible authorities will remain different and lead to very different procedures
- As science is increasingly collaborative beyond borders, this will lead to forum shopping: the selection of friendly jurisdictions

Disparity: business versus research
- The GDPR is obviously written with businesses in mind, not universities/research organisations
- The processes for public bodies like universities and research organisations seem increasingly complex
- While there are special considerations for science, the real-life situation for companies seems more flexible
- There is a real risk that certain research will only take place at companies and not at public research institutions

Summary
- The EU-GDPR simplifies some aspects and makes reasonable steps towards harmonisation; it does not yet reach its goals and requires further specification
- Many aspects of the GDPR are very similar to existing German national privacy laws; nevertheless, there are several new requirements which will take time and effort
- Plenty of aspects remain vague or undefined, which makes practical adoption difficult, slow and expensive
- The attitude of national supervisory authorities will be essential to whether the goals can be reached
- The requirements of science are not yet well covered

Thank you! Questions?
Contact: Prof. Dr.-Ing. Ramin Yahyapour, mailto:ramin.yahyapour@gwdg.de, phone: +49-551-201-1510
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen, Am Fassberg 11, 37077 Göttingen