New EU-GDPR: Challenges for Universities and Research Organisations
Prof. Dr. Ing. Ramin Yahyapour, CIO Georg-August-Universität Göttingen and University Medical Centre, Director GWDG
EUNIS workshop for Data Protection and IT Security, Berlin, 21 April 2017
About GWDG
Joint compute and research centre of the University of Göttingen and the Max Planck Society, serving over 80,000 customers: scientists and students, external researchers.
Göttingen Campus, University: 200 institutes and 13 faculties; employees: 14,000; research scientists: 3,000; professors: 400; students: 34,000.
Academic Medical Centre (UMG): 1,500 beds, 7,000 staff.
Göttingen Campus partners: 5 Max Planck Institutes, Leibniz Institute DPZ, Academy of Sciences.
GDPR: a relevant topic for science
The German Council for Scientific Information Infrastructures (RfII), appointed by the Joint Science Conference of the Federal States and the Federal Government of Germany, organized workshops and in March 2017 issued recommendations on data protection and research data management: http://www.rfii.de/?wpdmdl=2249
How does the new EU-GDPR affect universities?
Roles to be separated:
The university as user of external services (the provider acts as a third-party processor)
The university as a data processing entity and in-house service provider (controller and in-house processor)
Data-related science: the majority of research is data-driven; data is collected and analyzed, and new insights are gained.
The expectations and requirements differ: enabling science and teaching, being compliant, being efficient.
New EU-GDPR: the university as user of external services
The GDPR will only be one aspect of selecting a business partner or outsourcing a service.
Frequently there is a major mismatch between the GDPR rules, the company's actual privacy statement/terms of use, and the expectations of the customer.
Universities are often not in a position to impose their own terms on companies' offers.
In general: there are many projects/data with only minor data protection requirements, and there are projects/data with critical data protection requirements.
Data privacy at a university
In general, most universities/research organizations in Germany already run best-practice standards:
Data protection officer in place
Established processes to document relevant data processing
Maintaining an asset register of relevant data processing
Common technical and organizational measures in place
All well? It depends.
Challenges before the new EU-GDPR
What to do to be legally compliant? Guidelines are often not specific and leave room for interpretation; this leads to a risk assessment of whether processes are compliant.
What rules apply when? Different legal environments; e.g. Germany in its federal structure had different laws in its states.
Who is responsible? Universities and research organizations are not homogeneous entities; typically there is no top-down structure, leading to incomplete application of guidelines.
Taxonomy of data processing at a university
Central administrative services (approx. 50-200): not research; centrally funded; run on central infrastructure. On data protection: mostly well-documented processes, mostly well managed; DPO involved, also ethics committee, worker representation, student council etc.
Large collaborative research projects (approx. 10-30): many scientists involved; external funding; increasingly considering data management plans and security concepts, sometimes required by the funding agency; data privacy sometimes a topic, depending on the discipline; often run on central infrastructure.
Normal research projects, the long tail of science (> 1,000): often only 1-2 scientists involved; sometimes including use of personal or sensitive data; often no data management plan; infrastructure can be central, decentral or external; limited central insight; often no consideration of data privacy, data management plans or security requirements.
New EU-GDPR
It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
Reasonable objectives. Simplifications, but also new obligations. The consequences for scientific research are still to be assessed.
Assessment of the new EU-GDPR
Scope of the GDPR: applies to universities and research organisations. It takes precedence over national law, but many aspects are left to national interpretation, which weakens the objective of harmonizing regulations.
Scientific research is mentioned as a special case (Art. 89), but the details are unclear. The research provisions will only apply to scientific projects and not to all data collected at research organizations, resulting in a mix of requirements at research organisations.
Assessment of the new EU-GDPR: Consent (Recital 32; see also Art. 4(11) and Art. 7)
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them."
For scientific projects, consent management is becoming increasingly complex and practically unmaintainable (informing subjects, handling revocation).
Open: informed versus broad consent.
= No real help from the EU-GDPR
Assessment of the new EU-GDPR: Art. 83, Penalties and Sanctions
"Infringements shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher."
Does it apply to research organizations? Would it be enforced? How is turnover calculated? (Art. 83(7) leaves it to each Member State whether and to what extent administrative fines may be imposed on public authorities and bodies.)
= Probably universities and research organizations are not in focus
= Nevertheless subject to compliance risk management
Assessment of the new EU-GDPR: Art. 33/34, Notification of data breaches
Art. 33: "the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority".
Art. 34: when the "personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay".
The required notification actions need to be analyzed and established. No major problem is expected, but there is additional effort: since the 72-hour clock starts when the organization becomes aware of the breach, scientists must know immediately where to report an incident, which requires additional teaching and training to raise awareness.
Assessment of the new EU-GDPR: Art. 4(1), Definition of personal data
"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
The GDPR gives many aspects and hints on what personal data is. However, there is still plenty of room for interpretation by local authorities.
= Different interpretations will lead to varying requirements. No common standard guidelines.
Assessment of the new EU-GDPR: Art. 28, Processing through a third party (processor)
"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller".
The rules for a third-party processor are very similar to the prior German regulations (BDSG §11).
Simplifications in how the contract can be concluded: the strict written form with signatures is no longer required, electronic form suffices, and it may be a unilateral legal act.
No explicit duty, as under BDSG §11, to verify the processor's technical and organisational measures before and regularly during processing; Art. 28(1) only requires "sufficient guarantees" from the processor.
= Easier to use external third parties
Assessment of the new EU-GDPR: Art. 32, Security of processing
"implement appropriate technical and organisational measures": a recurring term with significant impact on daily work in research organizations.
What are the appropriate TOM? Who defines them? How are they compared/selected, and how is compliance shown?
= Little interest in being innovative in these definitions
= Common, acceptable standards needed
Assessment of the new EU-GDPR: Art. 32, Security of processing
"(a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
No clear definitions are given. The major work (and cost) lies in adopting and maintaining such measures (ISO/IEC 2700x, German BSI IT-Grundschutz). There are conflicting objectives of cost/effort versus level of security. All of this depends strongly on the stance of the supervisory authorities.
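Of the four Art. 32 items, "pseudonymisation" is the one with a checkable technical meaning: Art. 4(5) defines it as processing such that the data can no longer be attributed to a specific data subject without additional information that is kept separately and protected. The following is an added example, not code from the original slides or from GWDG, showing what meets that definition (a keyed HMAC whose key is the separately stored "additional information") and what does not (an unkeyed hash of a low-entropy identifier such as a matriculation number, which is reversible by enumeration). The record layout, matriculation numbers and project label are constructed for the example.

```python
"""Keyed pseudonymisation of research records (added example, not GWDG code).

Art. 4(5) GDPR: a pseudonym must not be attributable to the data subject
without 'additional information' kept separately. HMAC-SHA256 with a secret
key gives that property; a plain SHA-256 of a matriculation number does not,
because the identifier space is tiny and can be enumerated.
All identifiers, records and the project label are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample export (e.g. a grade table joined to a survey).
# The 8-digit matriculation numbers are fictitious.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"matriculation_no": "21000417", "course": "CS101", "grade": "1.3"},
    {"matriculation_no": "21000588", "course": "CS101", "grade": "2.0"},
    {"matriculation_no": "21000417", "course": "MA201", "grade": "1.7"},
]


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of Art. 4(5): a fresh 256-bit secret.
    Store it separately from the pseudonymised data set (e.g. with the data
    steward / trusted third party), never alongside the exported records."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes, project: str) -> str:
    """Derive a project-specific pseudonym with HMAC-SHA256.

    The project label is bound into the MAC input, so the same person gets
    unlinkable pseudonyms in different projects unless the key is shared."""
    msg = project.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[Dict[str, str]], key: bytes,
                         project: str, id_field: str = "matriculation_no"
                         ) -> List[Dict[str, str]]:
    """Return copies of the records with the direct identifier replaced by a
    pseudonym. The identifier is removed from the output, not merely hidden."""
    out = []
    for rec in records:
        rec = dict(rec)
        ident = rec.pop(id_field)
        rec["pseudonym"] = pseudonymise(ident, key, project)
        out.append(rec)
    return out


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: plain SHA-256 of the identifier, no secret involved."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_unkeyed(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Reverse an unkeyed hash by enumerating the identifier space.
    8-digit matriculation numbers are only 10**8 candidates: seconds of work
    on a laptop, so the 'pseudonym' still identifies the student."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_hash(cand), target):
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for rec in pseudonymise_records(SAMPLE_RECORDS, key, "project-A"):
        print(rec)
    # Demonstrate the weakness of the unkeyed variant on a small search range.
    weak = unkeyed_hash("21000417")
    guesses = (f"{n:08d}" for n in range(21000000, 21001000))
    print("unkeyed hash recovered:", recover_unkeyed(weak, guesses))
```

Two design points matter for an Art. 32 argument: the pseudonym is consistent within a project (the two records of the same student stay linkable for analysis) but differs across projects, and re-identification is only possible for whoever holds the key, which is exactly the separation Art. 4(5) demands. The unkeyed variant fails that test regardless of the hash function used.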
Assessment of the new EU-GDPR: Art. 40, Codes of Conduct
"Associations and other bodies representing categories of controllers or processors may prepare codes of conduct for the purpose of specifying the application of this Regulation"; such a code "shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance".
Possibility of a Code of Conduct (CoC) for research organizations? One CoC or many? Who should define it? Only reasonable if accepted by the supervisory authority. Mandatory monitoring of compliance is new.
First discussions showed a CoC could be useful, but the authorities are not yet prepared. There is a major risk that a CoC/TOM will be required in a non-manageable way.
Role of authorities
The GDPR still leaves many aspects up to national regulatory authorities or the supervisory authorities. The goal of harmonization seems valid and is achieved in some aspects, but in practice the attitude of the responsible authorities towards data protection will remain different and lead to very different procedures.
As science is increasingly collaborative across borders, this will lead to forum shopping, i.e. the selection of friendly jurisdictions.
Disparity: business versus research
The GDPR is obviously written with businesses in mind, not universities/research organizations. The processes for public bodies like universities and research organizations seem increasingly more complex. While there are special considerations for science, the real-life situation for companies seems more flexible.
There is a real risk that certain research will only take place at companies and not at public research institutions.
Summary
The EU-GDPR simplifies some aspects and takes reasonable steps towards harmonization, but it does not yet reach its goals and requires further specification.
Many aspects of the GDPR are very similar to existing German national privacy laws. Nevertheless, there are several new requirements which will take time and effort.
Plenty of aspects remain vague or undefined, which makes practical adoption difficult, slow and expensive.
The attitude of the national supervisory authorities will be essential to whether the goals can be reached.
The requirements of science are not yet well covered.
Thank you! Questions?
Contact: Prof. Dr. Ing. Ramin Yahyapour, mailto:ramin.yahyapour@gwdg.de, phone: +49-551-201-1510
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen, Am Fassberg 11, 37077 Göttingen