SPRING CONFERENCE 2016 BUDAPEST GDPR what next? PRACTICAL IMPLICATIONS FOR NATIONAL LEGISLATORS, DPAs AND DATA CONTROLLERS GDPR and the NORDIC ACTIONS Mr Reijo Aarnio Data Protection Ombudsman OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 1
Nordic countries https://fi.wikipedia.org/wiki/pohjoismaat#/media/file:location_nordic_council.svg The Nordic countries are a geographical and cultural region in Northern Europe and the North Atlantic, where they are most commonly known as Norden (lit., "The North"). They consist of Denmark, Finland, Iceland, Norway and Sweden, including their associated territories (Greenland, the Faroe Islands, and the Åland Islands). FINLAND SWEDEN DENMARK ICELAND NORWAY OFFICE OF THE DATA PROTECTION OMBUDSMAN 2
GDPR: PRACTICAL IMPLICATIONS FOR DPAs NOTHING BUT: 1) NEW LEGAL FRAMEWORK 2) NEW TASKS 3) NEW COMPETENCIES 4) NEW NETWORK DPOs 5) NEW CUSTOMERS (+ 500 MILLION) 6) NEW WORKING METHODS 7) NEW IT-PLATFORM 8) NEW DECISSION MAKING SYSTEM 9) NEW ORGANISATIONS (?!) 10) NEW JOB-DESCRIPTIONS 11) NEW AUTHORITY? AND ALL THIS WHILE STILL TAKING CARE OF CURRENT DAILY WORK OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 3
FUTURE STRUCTURE OF - One man s office? THE DPO? - Independent Deputy Modell? (State auditing authority) - Multimember organization? - BOARD? OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 4
FINNISH DATA PROTECTION PLAYERS DATA PROTECTION BOARD FINNISH COMMUNICATIONS REGULATORY AUTHORITY (Ficora) NATIONAL SUPERVISORY AUTHORITY FOR WELFARE AND HEALTH (Valvira) OFFICE OF THE DATA PROTECTION OMBUDSMAN THE CONSUMER OMBUDSMAN NATIONAL ARCHIVE OCCUPATIONAL HEALTH AND SAFETY AUTHORITY WHO? OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland
OR JUST. OFFICE OF THE DATA PROTECTION OMBUDSMAN Or other individual authority OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 6
NORDIC CO-OPERATION: CORNERSTONES 1) COMMON JUDICIAL TRADITION 2) TRANSPARENCY AND BENCHMARKING 3) Mr GÖRAN GRÄSLUND: 4) LEARNING BY DOING; INSPECTIONS 5) COMMITTED CHIEFS 80 % OF CROSSBORDER CASES ARE LOCAL OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 7
NORDIC MEETINGS; TOPICS: FINLAND 2011: 1) EFFICIENCY 2) PLANNING SYSTEM 3) BUDGETING 4) INFORMATION MANAGEMENT 5) STRATEGICAL CO-OPERATION 6) VISI0NS, BUSINESS IDEA, STRATEGIES AND VALUES OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 8
NORDIC MEETINGS; TOPICS: NORWAY 2012: 1) STRENGHTEN CO-OPERATION 2) CROSS BORDER CASES 3) CROSS BORDER & JOINT INSPECTIONS 4) INTERNATIONAL CO-OPERATION ------------------------------------------------------------------- EXTRA MEETING ALSO IN SWEDEN 2012 - case examples OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 9
NORDIC MEETINGS; TOPICS: SWEDEN 2014: 1) LESSONS LEARNED FROM INSPECTIONS 2) EFFECTIVENESS 3) KNOWLEDGE MANAGEMENT - internal databases - staff - external 4) DPA S INFLUENCE IN GOVERNMENTAL PROPOSALS OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 10
HOW TO MAKE A GOOD STATEMENT ON GOVERNMENTAL PROPOSAL E) Go carefully through all different processing phases and estimate their legality D) Evaluate if the proposal has influence on other basic rights - DUTY OF CARE - DEFINED PURPOSE OF PROCESSING - EXCLUSIVITY OF PURPOSE - NECESSITY REQUIREMENT - ACCURACY REQUIREMENT And also: - PROPORTIONALITY - FINALITY - QUALITY - sensitive data - liability - disclosure E D C B A C) Evaluate that the proposal meets: a) Article 10 in the Constitution b) resolutions of Constitutional Committee and the Administration Committee c) essential issues shall not be regulated by a Degree. B) Evaluate the need for a special law and estimate if the relation of Personal Data Act and the proposal in question is clear. It has to be evident, whether the proposal in question replaces the corresponding regulation of the Personal Data Act (which is general provision) or not. A) Evaluate in the beginning if the proposal has influence on data processing, does it change, supplement, overrule or clarifiy the principles of Personal Data Act. Analyse and specify which phases of the processing the proposal concerns. OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 11
OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 1. Strategic human resource planning, personnel strategy COULD BE IMPROVED REGARDING THE PRACTICES No strategy at all, only calculation/estimation of the number of persons by units for budgeting. The personnel is not informed about personnel strategy, it s not planned how to spread the information enough. (Unofficial translation) GOOD PRACTISE The management group deals with both the personnel strategy and the personnel plan in connection of making annual planning and budgeting. The leaders of every unit are informed about personnel strategy. PROGRESSIVE, FORWARD- LOOKING PRACTICE Personnel strategy is also strategy for competence. It s one of the 3 most important issues and dealed with throughout the whole year both by the management group and administration. The management group has created and decided with the help of experts an exact view about strategic competence and the information has been given to all managers/directors and staff. Self-evaluation tool is created by Finnish Institute of Occupational Health. In finnish it s found on the Internet. 12
13
14
6.5.2015 15
6.5.2015 16
SWOT The Reform and its influence on ICT-functions
STRENGHTS WEAKNESSES Homogenious internal market Overall efficiency Easier international operations Data protection becomes more important One-stop-shop from any DPA Disruption of national law Foreign administrative culture Conflicts between DPR and national law One-stop-shop from any DPA OPPORTUNITIES THREATS Prestige and power Virtualresources, outsourcing, sharingof experts Distribution of super-cases Additional resources Diminished independence Competition between DPAs Lack of competence Lack of resources Lack of good leadership
19
OFFICE OF THE DATA PROTECTION OMBUDSMAN REFORM AND DIRECTIVE * Check points: - Situation - Need for updating - Achievements - risk assessments - book keeping, estimated costs - internal information / staff - how has the reform taken into consideration nationally and in EUlevel The projectis called TSAU START 18.11 2015 Risk assessment **** Approval of the project plan -Introduction - Appointments - Distribution of tasks ** CURRENT PROCESSES: 1. Public counsel, ombudsman 2. Inspector 3. Consult 4. Educator 5. Political adviser 6. Negotiant 7. Executor 8. International emissary *** NEW PROCESSES: 1. Consistency mechanism 2. Administrative sanctions 3. Prior checking auditing 4. Data transfers to third countries 5. Data Breach Notifications 6. Inspections 7. Electronic platform for handling and conducting issues 8. National legislation Version 27.11.2015 Internal information A. Knowledge management B. Organization C. Raising Awareness * March2016 Check point 1 D. New Processes E. Other projects F. International Co-operation G. IT-platform A.1.a Internal A.2.a External B.1.a Resources C.1.a Project plan D.1.a Legal Framework A.1.b - Staff plan 2016-2019 - Training plan 2016-2019 -Help desk A.2.b Choosing co-operation partners B.1.b Check point C.1.b Check point Nordic meeting, Island * May2016 Check point 2 (International) E.1.a Ministryof Justice task force F.1.a. EDPB F.2.a. Substantial issues F.3.a. Administrative issues G.2.a. National Convertions D.1.a.a Updating current processes** G.1.a. International complaints D.1.a.b Work Flows (8 new processes***) E.1.b Sub task forces A.2.c -Website -SOME -Education B.1.c Organization plan * September 2016 Check point 3 F.1.b Check point D.1.b.1 Testing E.1.c Check point F.2.b. WP 29 roadmap F.3.b. WP 29 roadmap G.1.b. Joint operations G.2.b. - Raising awereness -Knowhow management - Quality control A.1.c Quality of Internal data base A.2.d DPO s (DP Officers) B.1.d -Job descriptions -Salaries * December 2016 Check point 4 D.1.b.2 Implementation F.2.c Check point F.3.c Check point A.1.d Execution & reporting A.2.e Check point B.1.e -Appointments G.1.c. Consistency Mechanism G.2.c Check point D.1.b.3 Check point A.1.e Check point B.1.f Check point * June2017 Check point 5 G.1.d Check point 20 FOLLOW UP END 2018 H. Overall CHECK POINT I. SAUNA EVENING J. IMPLE- MENTA- TION
21
11.5.2016 22
12.5.2016 23
12.5.2016 24
12.5.2016 25
DATA PROTECTION REFORM AND ITS EFFECTS ON NATIONAL LEGISLATION -a working group by the finnish Ministry of Justice TASKS: - to evaluate the need for national legal actions presumed in the Reform, especially if there is a need for a common national data protection legislation such as the Data Protection Act at the moment, and to prepare a proposition for such a possible regulation -to evaluate, if there is a need to amend the national legislation concerning the national data protection authority and to prepare a proposition for such an authority and its organization, duties and competencies -to evaluate the possibilities of the latitude that the Reform allows to national legislation of a member country and to present the principles for to use it in an appropriate and functional way -to co-ordinate and assist the work which will and has to be done for to evaluate national special legislation OFFICE OF THE DATA PROTECTION OMBUDSMAN / Finland 26
THANK YOU FOR LISTENING Mr Reijo Aarnio Data Protection Ombudsman OFFICE OF THE DATA PROTECTION OMBUDSMAN / FINLAND 27