Auditing your EU entities for data protection compliance (slide transcript)

Uploaded by rtjbond, 08-May-2015

Page 1

Auditing your EU entities for data protection compliance

Robert Bond

Head of Data Protection & Information Law

James Castro-Edwards

Senior Solicitor in Data Protection & Information Law

Page 2

Our team

• We are a full service law firm providing local and international services to a diverse range of clients

• Our three Client Divisions are Business Services, Real Estate Engineering & Construction and Private Client

• Our Data Protection & Information Law team provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches

• We are listed in Chambers 2009 as a leading law firm for Data Protection and have advised on this area of law since 1983

Page 3

Topics

• Overview of the Directive (95/46/EC)

• Notification/registration procedures

• Key definitions

• The eight data protection principles

• What should the audit achieve?

• Analysing entities and their roles as controller or processor

• Auditing data and data flows – what and where

• Auditing online and offline data processing

• Auditing policies and procedures

• Auditing contracts

Page 4

Polling questions

• Has your company appointed a CPO or DPO?

• Has your company carried out an EU data protection compliance audit in the past year?

• Does your company plan to carry out such an audit in 2011?

Page 5

The Directive

The EU Data Protection Directive (Directive 95/46/EC) is a directive adopted by the European Union to protect the privacy of EU citizens and all personal data collected for or about them, especially as it relates to processing, using or exchanging such data. Directive 95/46/EC encompasses all key elements of Article 8 of the European Convention on Human Rights, which states its intention to respect the right to privacy in personal and family life, as well as in the home and in personal correspondence.

Page 6

Notification with the EU DPAs

• Some countries do not require notification if you have a DPO (Germany)

• Some require it in limited circumstances (UK)

• Most require it before personal data can be processed at all (France, Italy, Poland and Spain)

• Some require annual notifications and audits (Italy, UK)

• Some countries have sophisticated online procedures (UK)

• Some countries charge a fee (UK, Belgium, Ireland)

• Some DPAs have searchable websites to check on notifications (UK)

Page 7

Personal data

• Data which relate to a living individual who can be identified from such data, or from such data and other information which is, or is likely to be, in the possession of the data controller, and which are in electronic form or held manually in a relevant filing system

Page 8

Sensitive personal data

• Personal data consisting of information on:

– racial or ethnic origin

– political opinions

– religious or similar beliefs

– trade union details

– health data

– sexual life data

– offences or alleged offences

– court proceedings

Page 9

Controller or Processor?

• A “data controller” is a person or organization that (alone or with others) determines the purposes for which and the manner in which personal data will be processed

• A “data processor” is any person or organization (other than an employee of the data controller) who processes personal data on behalf of the data controller

Page 10

The Eight Data Protection Principles

• Data must be fairly and lawfully processed with the consent of the individual

• Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose

• Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected

• Data must be accurate and, where necessary, kept up to date

• Data must not be kept longer than necessary

• Data must be processed in accordance with the rights of data subjects under the Directive (right to inspect and correct data)

• Security measures must be taken against unauthorized or unlawful processing, and against accidental loss, destruction, or damage of data

• Data must not be transferred outside the EEA unless the recipient country provides adequate data protection

Page 11

Data Protection

Personal data shall be processed fairly and lawfully

• Consent (but not always)

• Explicit consent (always) for sensitive personal data

To get their data you have to give them information!

Page 12

Data Protection

Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose

• “Fair processing” statement is needed

• Needs to be clear and readily available

• Layered transparent policies are preferred

• Should be kept up to date

Page 13

Data Protection

• Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected

• Data must be accurate and, where necessary, kept up to date

• Data must not be kept longer than necessary

– Several DPAs have ruled whistleblower systems breach these

– Several DPAs have ruled that search engines and monitoring policies breach these

– Regular audits are necessary

– Data retention and destruction policies are required

Page 14

Data Protection

Data must be processed in accordance with the rights of data subjects under the Directive (right to inspect and correct data)

• Subject access requests

• How “personal” does data have to be?

• Does all personal data have to be “disclosed”?

• Right to be forgotten

Page 15

The Seventh Principle

Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Consider:

• Sensitivity of information

• Consequences of breach

• Remote access

• Outsourcing

Page 16

EU Restrictions on International Data Transfers

Personal data may not be transferred from a blue or green country to a red country without “adequate protection”

Page 17

Does the “third country” ensure an adequate level of protection?

• Only Switzerland, Canada, Argentina, Isle of Man, Jersey, Faroe Islands, Guernsey and recently Andorra and Israel have adopted “adequate” data protection laws in the opinion of the EU

• The U.S. Safe Harbor also provides an “adequate” level of protection

Page 18

Have the Parties Themselves Assured Adequate Protection?

• There are contractual solutions that are deemed “adequate” under European data protection laws: the parties must enter into a “trans-border data flow agreement” that incorporates either the model clauses promulgated by the European Commission, or clauses proposed by the ICC and approved by the European Commission.

• A second solution, Binding Corporate Rules (BCR), has been approved by up to 14 member states in the EU.

Page 19

What should the audit achieve?

• “A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation’s data protection policies and procedures, and whether this processing meets the requirements of the [law].” (UK Information Commissioner’s Office)

• Assess compliance with the law

• Assess compliance with entities’ own policies and procedures

• Assess gaps and weaknesses

• Provide information to ensure compliance

• Ensure awareness

• Minimise risk

Page 20

Analysing entities and their roles

• Establish names and locations of all entities

• Establish whether they are controllers or processors

• Establish types of data and systems used

• Establish data subjects and data recipients

• Establish points of collection of data

• Audit notifications/registrations

Page 21

Analysing fair processing and policies

• Audit methods of data collection and consents

• Audit websites and terms of use

• Audit business codes of conduct and policies

• Audit contracts of employment and staff manuals

• Audit staff knowledge and training

• Audit appointments of CPO/DPO

Page 22

Contracts and Codes

• Audit trans-border data flow solutions

• Audit 3rd party processor contracts

• Audit permissions from DPA

• Ensure all policies and procedures comply with local laws

• Monitor ongoing changes to company structures, data handling practices and notifications

Page 23

Benefits of a compliance audit

• Facilitates compliance with the law

• Measures and helps improve compliance with policies

• Increases awareness amongst staff and management

• Elevates data protection to a key part of corporate governance

• Minimises risk

• Satisfies insurance requirements

• Improves trust and customer satisfaction

Page 24

Further Information

For more information on our services, please contact:

Robert Bond

Partner

IP, Technology & Commercial

+44 (0)20 7427 6660


www.speechlys.com