isaca privacy open forum - gdpr: how to prepare for the implementation
TRANSCRIPT
Privacy Open Forum
Tuesday, 19th of October 2016
Brussels, 19 October 2016
GDPR: HOW TO PREPARE FOR THE IMPLEMENTATION
Johan Vandendriessche
Agenda
1. 18:30 Introduction
2. 18:45 GDPR
3. 19:30 Break
4. 19:50 GDPR
5. 20:45 Close
GENERAL OVERVIEW
GDPR Status Update
• Regulation: uniform legislation within the EU
• Approved by EP on 14 April 2016
• Applies as of 25 May 2018
• No specific transition measures
• Simplification?
• No obligation to declare processing activities
• One-stop shop mechanism
• Enforcement
GDPR: Accountability
• Different approach compared with Directive 1995/46/EC
• Accountability
• Risk based approach
• Directive
• Enforcement initiative with regulatory authority and data subjects
• GDPR: record keeping obligation and ability to demonstrate compliance
• Burden of proof
GDPR: Accountability
• Proactive compliance
• Ability to demonstrate compliance
• DPO
• Record keeping obligation
• Data breach notification obligation
• Enforcement
• Build and maintain compliance controls
• Audit controls
• Proactive compliance may serve to limit risks and liability
GDPR: Accountability
• Risk based approach
• Risk vs high risk
• Assessment of risk
• Likelihood
• Severity
• Criteria: nature, extent, context and purpose of the processing
• Role of pseudonymising
GDPR: Accountability
• Risk based approach
• Impact: specific obligations only apply in case of high risk
• DPIA
• Data breach notification (notification to data subjects)
• Prior consultation of the DPO in case of DPIAs
GDPR: Scope
• Material scope
• Automated processing of personal data
• Other processing of personal data forming part (or intended to form part) of a filing system
• Exceptions
• Personal or household exception
• Other exceptions
GDPR: Scope
• Territorial scope
• EU establishment of controller or processor
• Location of processing is irrelevant
• Establishment of controller or processor outside the EU
• Offering of goods or services to data subjects in the EU
• Monitoring of behaviour taking place within the EU
GDPR: Consent
• Definition of consent
• Stricter approach than Directive 1995/46
• Implicit vs explicit consent
• Mere silence is no longer sufficient
• Separate consent per purpose
• Burden of proof
• If written consent
• Clear
• Separate from other consents
GDPR: Consent
• No transition measures
• Earlier consent must comply with the new requirements to be valid
• Underage data subjects
• At least 16 years (may be reduced to 13)
• If younger: representative’s consent
• Reasonable effort to verify the consent of the representative
• General right to withdraw consent
• No motivation
• As easy as giving consent
GDPR: Legitimate interest
• Legitimate interest
• Data controller
• Third party
• Balance of interests
• Specific case: underage data subjects
• Documentation of assessment
• Examples in the preamble of the GDPR
GDPR: Data subjects’ rights
• Overview
• Right to information and access to data
• Right to rectification and erasure (“RTBF”)
• Right to restriction of processing
• Right to data portability
• Right to object
• Rights in relation to automated individual decision making, including profiling
GDPR: Data subjects’ rights
• Transparency
• Identity and contact details (including DPO)
• Purposes of processing, including legal basis for processing
• Legitimate interest if applicable
• Recipients of personal data
• International data transfers
• Storage period
• Specific data subject rights
GDPR: Data subjects’ rights
• Right to be forgotten
• No longer necessary
• Withdrawal of consent and no other legal ground
• Objection
• Unlawful processing
• Erasure is required for compliance with a legal obligation
• Personal data of children (conditional)
GDPR: Data subjects’ rights
• Consequences
• Erasure of personal data
• If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
• Freedom of expression and information
• Compliance with a legal obligation
• Public interest in the area of public health
• Archiving
• Legal claims
GDPR: Data subjects’ rights
• Right to data portability
• Processing based on consent or contractual necessity
• Right to receive a copy of his personal data
• Structured, commonly used and machine readable format
• Right to transmit personal data to another controller without hindrance
• If technically possible: direct transmission between controllers
GDPR: Data subjects’ rights
• Automated individual decision making
• Right not to be subjected thereto
• Legal effect concerning him
• Significantly affects him
• Exceptions
• Contractual necessity (not for special categories of personal data)
• Authorized by law
• Based on explicit consent
• Additional safeguards
DP by Design
• Data controller
• Appropriate technical and organisational measures
• State of the art and cost of implementation
• Nature, scope, purposes and risk
• Integrate necessary safeguards to ensure compliance
• Further guidance is expected
DP by Default
• Technical and organisational measures
• Ensure only necessary data are processed
• Amount
• Extent of processing
• Storage period
• Accessibility
Personal Data Breach Notification
• Personal data breach notification
• Personal data breach
• Notification to supervisory authority
• Deadline: without undue delay, but not later than 72 hours after having become aware
• Exception: no risk
• Data processor must inform data controller without undue delay
Personal Data Breach Notification
• Personal data breach notification
• What?
• Nature of breach, data involved and approx. number of data subjects
• Contact details of DPO
• Likely consequences
• Mitigation action
• Document personal data breaches
Personal Data Breach Notification
• Notification of data subjects
• High risk
• Not applicable if
• Appropriate measures, e.g. encryption
• Subsequent measures that reduce risk (no longer high risk)
• Disproportionate effort
• May be imposed by supervisory authority
Sanctions
• Complaint procedure
• Right to compensation and liability
• Criminal liability
• Administrative fines
• 2% of global annual turnover or 10 MEUR, whichever is higher: organisational issues
• 4% of global annual turnover or 20 MEUR, whichever is higher: principles, data subject rights
IMPLEMENTATION STEPS
Summary
• Document and assess existing data processing activities
• Review the existing agreements
• Standard documents and disclaimers
• Ad hoc agreements (data processing agreements)
• Provide training to employees
• Amend the existing data processing activities to the extent necessary or desirable
Record keeping
• Record keeping obligation (register of processing activities)
• Who?
• Data controller
• Data processor
• Which information?
• Contact details (including DPO)
• Categories of data subjects and personal data
• Categories of recipients
• International data transfers
• Time limits
• Security measures
Record keeping
• Register of processing activities
• How?
• Existing notifications with the Belgian DPA
• Gives a first idea
• Not a match with the requirements of the Regulation
• Audit of all data processing activities
• Include items to be notified in your register, even if not required by the GDPR
• Results are the basis for further analysis
Analysis of the register
• Analysis for each data processing activity: focus on changes compared with the Directive
• Purpose
• Risk / high risk processing?
• Legal basis for processing
• Consent
• Change to another legal basis if possible
• If not, review compliance with the new requirements
• Legitimate interest
• Identify and assess the legitimate interest
Analysis of the register
• Analysis
• Notification to data subjects, if any
• Adapt where necessary and include versioning information in the register
• Data retention
• Re-analyse the data retention policy
• Assess the security for each data processing activity
• Identify recipients (data processors?)
Data Protection Impact Assessment
• Impact assessment in relation to protection of personal data
• High risk
• Systematic and extensive profiling
• Processing on a large scale of special categories of data
• Systematic monitoring of publicly accessible areas on a large scale
• …
• Guidance from supervisory authority
Data Protection Impact Assessment
• DPIA contents
• Description of processing
• Assessment of necessity and proportionality of processing
• Assessment of risks
• Measures to address risk
• If appropriate: involve data subjects or their representatives
Prior consultation
• DPIA concludes that high risk is present
• Prior consultation of supervisory authority
• Advice within 8 weeks if supervisory authority believes processing to be non-compliant
DPO
• Mandatory DPO?
• Public authority or body
• Core activity requiring regular and systematic monitoring of data subjects
• Core activities consisting of processing on a large scale of special categories of personal data
• Required by member state law
• Groups may designate a single DPO
DPO
• Who?
• Expert in data protection law
• Employee or service provider
• Tasks
• Inform and advise
• Monitor compliance
• Provide advice on DPIAs
• Cooperate with supervisory authorities
• SPOC for supervisory authorities
• Direct reporting link to highest management level
Data Processors
• Legal requirements for use of data processors are stricter
• Assess standard contracts / clauses and adapt where necessary
• Implement new clauses by 25 May 2018 for contracts that expire after that date
• No need to review each contract individually
• General addendum that replaces existing clauses may suffice
Data Processors
• What is required?
• Written agreement
• Subject-matter, duration, nature, purpose, type of personal data, categories of data subjects and obligations and rights of the parties
• Appropriate security measures
• Only process in accordance with instructions
• Confidentiality obligation
• Data breach notification obligation?
Data Processors
• What is additionally required?
• Appointment of sub-data processors
• Assistance in meeting data controller requirements
• Retransition measures
• Audit and cooperation duty in relation to demonstration of compliance
• Inform data controller if instruction infringes the GDPR (information duty)
• Forward obligations to sub-data processors
Incident Policy
• Draft / review the incident policy
• Include data breach notification obligations
• Identify high risk processing and high risk incidents
• Notification obligation to data subjects
• Identify potential mitigation measures
• DPO?
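The notification rules from the three Personal Data Breach Notification slides and the Incident Policy slide, as an added Python example that is not part of the presentation: a small triage helper that derives, from the facts an incident handler has established, who must be notified and the 72-hour deadline for the supervisory authority. The Incident fields, the function names and the sample incident are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "Without undue delay, but not later than 72 hours after having become aware"
AUTHORITY_DEADLINE = timedelta(hours=72)

@dataclass
class Incident:
    """Facts established by the incident handler (field names are assumptions)."""
    role: str                 # "controller" or "processor"
    aware_at: datetime        # moment the organisation became aware of the breach
    risk: str                 # "none", "risk" or "high": outcome of the risk assessment
    data_protected: bool = False           # e.g. the affected data was encrypted
    risk_reduced: bool = False             # later measures: risk is no longer high
    disproportionate_effort: bool = False  # informing each data subject is disproportionate

def authority_deadline(aware_at: datetime) -> datetime:
    """Latest moment for the notification to the supervisory authority."""
    return aware_at + AUTHORITY_DEADLINE

def notification_duties(inc: Incident) -> dict:
    """Map the breach facts to the duties on the slides; every breach is documented."""
    duties = {"document_breach": True, "inform_controller": False,
              "notify_authority": False, "authority_deadline": None,
              "notify_data_subjects": False, "reasons": []}
    if inc.role == "processor":
        # A processor does not notify the authority itself; it informs the controller.
        duties["inform_controller"] = True
        duties["reasons"].append("processor: inform the controller without undue delay")
        return duties
    if inc.risk == "none":
        duties["reasons"].append("no risk to data subjects: authority notification not required")
    else:
        duties["notify_authority"] = True
        duties["authority_deadline"] = authority_deadline(inc.aware_at)
    if inc.risk == "high":
        # Data subjects are notified only for high risk, minus the three exceptions.
        if inc.data_protected:
            duties["reasons"].append("data protected (e.g. encrypted): no data subject notification")
        elif inc.risk_reduced:
            duties["reasons"].append("subsequent measures removed the high risk")
        elif inc.disproportionate_effort:
            duties["reasons"].append("disproportionate effort: individual notification waived")
        else:
            duties["notify_data_subjects"] = True
    return duties

# Constructed sample: lost unencrypted laptop with customer records, handled as controller.
SAMPLE = Incident(role="controller", risk="high",
                  aware_at=datetime(2016, 10, 19, 18, 30, tzinfo=timezone.utc))
```

The supervisory authority may still order data subject notification even where an exception applies, so the `reasons` list is meant to be recorded in the breach register rather than treated as final.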
Contact details
Johan Vandendriessche
Partner - Crosslaw
Visiting Professor ICT Law – UGent
Visiting Professor ICT Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM