
with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting xada@gedapre.eu tel 0475-41.03.22 xavier.darmstaedter@dacota.eu Gent, 3 October 2017

4 facts
1. We are not really in control of our personal data.
2. Our personal data are not properly and securely protected.
3. In 2009, Mr Barroso launched the EU Agenda DIGITAL 2020: to make Europe the center of excellence of Information Technologies in 2020. This plan requires an efficient and effective control of the personal data.
4. Our society has considerably evolved since the Data Protection Directive (1995)!

AS IS / TO BE
AS IS: In 1995, the EU issued the Data Protection Directive 95/46 (DPD).
TO BE: Europe as the center of excellence of Information Technologies (Agenda DIGITAL 2020). This implies an efficient and effective control of the personal data.

[Diagram: GDPR Basic Components and Interactions. Boxes: Data Subject, Data Controller, Data Processor, Data (sub)processor, Personal Data Processing, Supervisory Authority. Arrows: Processing Request, Request, Advice.]

Personal Data
Article 4 - Definitions (1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Processing
Article 4 - Definitions (2): 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller / Data Processor
Article 4 - Definitions (7): 'data controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Article 4 - Definitions (8): 'data processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


[Diagram: GDPR Basic Components and Interactions, same layout as above, with "Breach" marked on the links between Data Subject, Data Controller, Data Processor, Data (sub)processor and Personal Data Processing: a breach can occur at any of these interactions.]

Source: IT Governance Ltd, https://www.itgovernance.co.uk

Does the GDPR apply? (From A Guide by Mason Hayes & Curran, www.mhc.ie)
- Does one of the exemptions from EU law apply? Does the processing relate to criminal investigation or to EU foreign and security policy? Is it purely personal or household activity? If so: NO, the GDPR does not apply.
- Are you established in the EU, and is data processed in the context of that establishment? Are you offering goods or services in the EU? Are you monitoring behaviour of EU residents? Does EU law apply under public international law? If so: YES, the GDPR applies.

Breach Sanctions, Remedies, Liabilities
Administrative fines: 10M or 2%, for infringements of:
- Conditions for obtaining a child's consent
- Processing which does not require identification
- Data Protection by design and default obligations
- Designating a representative in the State where the controller is not established in the EU
- Obligations of processors
- Instructions of a controller or processor
- Records of processing
- Cooperation with the supervisory authority
- Security measures
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Conducting PIAs and prior consultation
- Designation, position and tasks of the DPO
- Monitoring of approved codes of conduct
- Certification mechanisms
Administrative fines: 20M or 4%, for infringements of:
- The core Data Protection principles
- The lawful processing conditions
- The conditions for consent
- The sensitive personal data processing conditions
- Data subjects' rights (including information, access, rectification, erasure, restriction of processing, data portability, objection, profiling)
- Transfer of data to third countries
- Failure to provide access to premises of a controller or processor
- Compliance with a specific order or limitation on processing or the suspension of data flows by the supervisory authority
- Obligations adopted under Member State law in regard to specific processing situations


Personal Rights to Personal Data Stored in Repository
Article 17 - Right to erasure ('right to be forgotten')
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
b. the individual withdraws consent and there is no other legal ground for the processing
c. the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
d. the personal data was unlawfully processed
Etc...

Personal Data Breach
Article 4 - Definitions (12): 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Recital (86): The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions.
Recital (87): It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject.

DPO - Data Protection Officer
Article 39 - Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance
(d) to cooperate with the supervisory authority
(e) to act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, with regard to any other matter.
(From A Guide by Mason Hayes & Curran, www.mhc.ie)

Privacy Impact Analysis (PIA/DPIA)
Article 35 - Data protection impact assessment
1. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

Personal Data Processing Principles
Article 25 - Data protection by design and by default
Privacy by Design requires organisations to consider privacy measures during product design processes, while Privacy by Default requires controllers to ensure that, by default, only necessary data is processed.
1. The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing.
2. The controller shall implement appropriate technical and organisational measures ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
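As an added illustration of the two Article 25 measures named above (pseudonymisation and data minimisation by default), not code from the presentation: a purpose register decides which fields a consumer may receive, everything else is withheld by default, and direct identifiers are replaced by a keyed pseudonym unless the purpose is registered as needing them in clear. The purpose names, field names, key and sample record are all constructed for the example.

```python
import hashlib
import hmac

# Constructed example key. Pseudonymisation only protects the data subject if
# this key is kept apart from the records it protects; it is inline here only
# so that the example runs stand-alone.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Hypothetical purpose register: for each documented purpose, the fields that
# are necessary for it and whether direct identifiers may be passed in clear.
# Any field not listed for a purpose is withheld by default (Art. 25(2)).
PURPOSE_REGISTER = {
    "order_fulfilment": {
        "fields": {"customer_id", "shipping_address", "order_items"},
        "clear_identifiers": True,   # the warehouse must reach the real customer
    },
    "sales_analytics": {
        "fields": {"customer_id", "order_items", "country"},
        "clear_identifiers": False,  # analysts only need a stable pseudonym
    },
}
DIRECT_IDENTIFIERS = {"customer_id", "email"}


def pseudonymise(value: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256): the same input always
    maps to the same token, but the token cannot be reversed or recomputed
    without PSEUDONYM_KEY."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return "pseud-" + digest.hexdigest()[:16]


def minimise(record: dict, purpose: str) -> dict:
    """Return only the fields necessary for `purpose`, pseudonymising direct
    identifiers unless the purpose is registered as needing them in clear.
    An undocumented purpose is refused rather than served with everything."""
    try:
        policy = PURPOSE_REGISTER[purpose]
    except KeyError:
        raise ValueError(f"no documented purpose: {purpose!r}") from None
    out = {}
    for field, value in record.items():
        if field not in policy["fields"]:
            continue  # not necessary for this purpose: dropped by default
        if field in DIRECT_IDENTIFIERS and not policy["clear_identifiers"]:
            out[field] = pseudonymise(str(value))
        else:
            out[field] = value
    return out


# Constructed sample record holding more data than any single purpose needs.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "a.person@example.com",
    "shipping_address": "1 Example Street, 9000 Gent",
    "order_items": ["SKU-42"],
    "country": "BE",
    "date_of_birth": "1980-01-01",
}

if __name__ == "__main__":
    print(minimise(SAMPLE_RECORD, "order_fulfilment"))
    print(minimise(SAMPLE_RECORD, "sales_analytics"))
```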

GDPR Agenda
AGENDA
Introduction and Scope
The GDPR
0. Personal Data
1. Personal Rights to Personal data
2. Processing Personal Data
3. Organization, principles & Rules
4. Supervisory Authority
Workgroup sessions


Data Controller
Controllers have specific responsibilities:
- carrying out data protection impact assessments when the type of processing is likely to result in a high risk to the rights and freedoms of natural persons
- implementing appropriate technical safeguards assuring the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities
- duties to the supervisory authority, such as data breach notification and consultation prior to processing
- documenting personal data breaches, including the facts of the breach, its effects, and remedial actions
- demonstrating their compliance with the Regulation by adhering to codes of conduct and certifications that were approved by DPAs
- considering carrying out a data protection impact assessment prior to selecting a processor

Data Processor
Processors have specific responsibilities (primarily to controllers):
- processing data only as instructed by controllers
- using appropriate technical and organisational measures to comply with the GDPR
- deleting or returning data to the controller once processing is complete
- submitting to specific conditions for engaging other processors



Which Way to GDPR? Follow the Guide! To the workshops.
GDPR General Website: www.eugdpr.org/eugdpr.org.html
Text (in all languages, quick access): https://www.privacy-regulation.eu/

Some GDPR Issues for Business Analysts
1. What Personal Data do we have and where is it located? Who has access, when and how? Can / Do we track these accesses? Keep up-to-date?
2. Categorization of the Personal Data: basic, transactional, sensitive, audio, video, etc.
3. Monitor, Control and Manage the user access to Personal Data (IAM)
4. Consent acquisition, recording, and limiting; Data storage; providing Personal Data (in portable format)
5. Erasure: What? When? How? Where?
6. Understanding and following nothing but the «Documented Instructions» of the Data Controller
7. Keeping «Records of (Categories of) Processing Activities»
8. Protection by Design / Default: with what Method?
9. Risk Impact Assessment: what is at risk? What are the threats, the risks? How to assess the risks? For each area, what is an acceptable level of risk?
10. Breach: Detection / Qualification (incident or breach?) / Notification / before-during-after
11. Internal Organization: New Teams and revised Policies and Processes
12. «Appropriate technical and organizational measures»: what are they? How to apply them? How to provide evidence?
13. Cross-border transfers