ISACA Privacy Open Forum - GDPR: how to prepare for the implementation

Privacy Open Forum, Tuesday, 19th of October 2016

Upload: johan-vandendriessche

Post on 07-Jan-2017


Page 1: ISACA Privacy Open Forum - GDPR: how to prepare for the implementation

Privacy Open Forum

Tuesday, 19th of October 2016

Page 2

Brussels, 19 October 2016

Close

Page 3

GDPR: HOW TO PREPARE FOR THE IMPLEMENTATION

Johan Vandendriessche

Page 4

Agenda

1. 18:30 Introduction
2. 18:45 GDPR
3. 19:30 Break
4. 19:50 GDPR
5. 20:45 Close

Page 5

GENERAL OVERVIEW

Page 6

GDPR Status Update

• Regulation: uniform legislation within the EU
  • Approved by the European Parliament on 14 April 2016
  • Applies as of 25 May 2018
  • No specific transition measures
• Simplification?
  • No obligation to declare processing activities
  • One-stop shop mechanism
• Enforcement

Page 7

GDPR: Accountability

• Different approach compared with Directive 95/46/EC
  • Accountability
  • Risk-based approach
• Directive: the enforcement initiative lies with the regulatory authority and the data subjects
• GDPR: record-keeping obligation and the ability to demonstrate compliance
  • Burden of proof shifts to the controller

Page 8

GDPR: Accountability

• Proactive compliance
  • Ability to demonstrate compliance
  • DPO
  • Record-keeping obligation
  • Data breach notification obligation
• Enforcement
  • Build and maintain compliance controls
  • Audit controls
• Proactive compliance may serve to limit risks and liability

Page 9

GDPR: Accountability

• Risk-based approach
  • Risk vs high risk
  • Assessment of risk
    • Likelihood
    • Severity
    • Criteria: nature, scope, context and purposes of the processing
  • Role of pseudonymisation (a risk-reducing measure)

Page 10

GDPR: Accountability

• Risk-based approach
  • Impact: specific obligations only apply in case of high risk
    • DPIA
    • Data breach notification to data subjects
    • Prior consultation of the DPO in the case of a DPIA

Page 11

GDPR: scope

• Material scope
  • Automated processing of personal data
  • Other processing of personal data forming part (or intended to form part) of a filing system
• Exceptions
  • Personal or household exception
  • Other exceptions

Page 12

GDPR: scope

• Territorial scope
  • EU establishment of the controller or processor
    • Location of the processing is irrelevant
  • Establishment of the controller or processor outside the EU
    • Offering of goods or services to data subjects in the EU
    • Monitoring of behaviour taking place within the EU

Page 13

GDPR: consent

• Definition of consent
  • Stricter approach than Directive 95/46/EC
  • Implicit vs explicit consent
  • Mere silence is no longer sufficient
  • Separate consent per purpose
• Burden of proof lies with the controller
  • If written consent
    • Clear
    • Separate from other consents

Page 14

GDPR: consent

• No transition measures
  • Earlier consent must comply with the new requirements to be valid
• Underage data subjects
  • At least 16 years (may be reduced to 13 by member state law)
  • If younger: the representative's consent
  • Reasonable effort to verify the consent of the representative
• General right to withdraw consent
  • No motivation required
  • As easy as giving consent

Page 15

GDPR: legitimate interest

• Legitimate interest
  • Of the data controller
  • Of a third party
• Balance of interests
  • Specific case: underage data subjects
• Documentation of the assessment
• Examples in the preamble (recitals) of the GDPR

Page 16

GDPR: data subjects' rights

• Overview
  • Right to information and access to data
  • Right to rectification and erasure ("RTBF")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated individual decision making, including profiling

Page 17

GDPR: data subjects' rights

• Transparency
  • Identity and contact details (including the DPO)
  • Purposes of the processing, including the legal basis for the processing
  • Legitimate interest, if applicable
  • Recipients of the personal data
  • International data transfers
  • Storage period
  • Specific data subject rights

Page 18

GDPR: data subjects' rights

• Right to be forgotten (grounds)
  • Data no longer necessary
  • Withdrawal of consent and no other legal ground
  • Objection
  • Unlawful processing
  • Erasure is required for compliance with a legal obligation
  • Personal data of children (conditional)

Page 19

GDPR: data subjects' rights

• Consequences
  • Erasure of the personal data
  • If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
  • Freedom of expression and information
  • Compliance with a legal obligation
  • Public interest in the area of public health
  • Archiving
  • Legal claims

Page 20

GDPR: data subjects' rights

• Right to data portability
  • Processing based on consent or contractual necessity
  • Right to receive a copy of one's personal data
    • Structured, commonly used and machine-readable format
  • Right to transmit the personal data to another controller without hindrance
    • If technically feasible: direct transmission between controllers

Page 21

GDPR: data subjects' rights

• Automated individual decision making
  • Right not to be subjected to a decision based solely on automated processing that
    • produces legal effects concerning the data subject, or
    • similarly significantly affects the data subject
  • Exceptions
    • Contractual necessity (not for special categories of personal data)
    • Authorised by law
    • Based on explicit consent
  • Additional safeguards

Page 22

DP by Design

• Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate the necessary safeguards to ensure compliance
• Further guidance is expected

Page 23

DP by default

• Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility

Page 24

Personal Data Breach Notification

• Personal data breach notification
  • Personal data breach
  • Notification to the supervisory authority
    • Deadline: without undue delay, but not later than 72 hours after having become aware of it
    • Exception: the breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • The data processor must inform the data controller without undue delay

Page 25

Personal Data Breach Notification

• Personal data breach notification
  • What?
    • Nature of the breach, data involved and approximate number of data subjects
    • Contact details of the DPO
    • Likely consequences
    • Mitigation action
  • Document personal data breaches

Page 26

Personal Data Breach Notification

• Notification of data subjects
  • High risk
  • Not applicable if
    • Appropriate measures, e.g. encryption
    • Subsequent measures that reduce the risk (no longer high risk)
    • Disproportionate effort
  • May be imposed by the supervisory authority

Page 27

Sanctions

• Complaint procedure
• Right to compensation and liability
• Criminal liability
• Administrative fines
  • 2% of global annual turnover or EUR 10 million, whichever is higher: organisational issues
  • 4% of global annual turnover or EUR 20 million, whichever is higher: principles, data subject rights

Page 28

IMPLEMENTATION STEPS

Page 29

Summary

• Document and assess existing data processing activities
• Review the existing agreements
  • Standard documents and disclaimers
  • Ad hoc agreements (data processing agreements)
• Provide training to employees
• Amend the existing data processing activities to the extent necessary or desirable

Page 30

Record keeping

• Record-keeping obligation (register of processing activities)
  • Who?
    • Data controller
    • Data processor
  • Which information?
    • Contact details (including the DPO)
    • Categories of data subjects and personal data
    • Categories of recipients
    • International data transfers
    • Time limits
    • Security measures

Page 31

Record keeping

• Register of processing activities
  • How?
    • Existing notifications with the Belgian DPA
      • Give a first idea
      • Not a match with the requirements of the Regulation
    • Audit of all data processing activities
      • Include items to be notified in your register, even if not required by the GDPR
      • Results are the basis for further analysis

Page 32

Analysis of the register

• Analysis for each data processing activity: focus on changes compared with the Directive
  • Purpose
  • Risk / high-risk processing?
  • Legal basis for the processing
    • Consent
      • Change to another legal basis if possible
      • If not, review compliance with the new requirements
    • Legitimate interest
      • Identify and assess the legitimate interest

Page 33

Analysis of the register

• Analysis
  • Notification to the data subject, if any
    • Adapt where necessary and include versioning information in the register
  • Data retention
    • Re-analyse the data retention policy
  • Assess the security for each data processing activity
  • Identify recipients (data processors?)

Page 34

Data Protection Impact Assessment

• Impact assessment in relation to the protection of personal data
  • High risk
    • Systematic and extensive profiling
    • Processing on a large scale of special categories of data
    • Systematic monitoring of publicly accessible areas on a large scale
    • …
  • Guidance from the supervisory authority

Page 35

Data Protection Impact Assessment

• DPIA contents
  • Description of the processing
  • Assessment of the necessity and proportionality of the processing
  • Assessment of the risks
  • Measures to address the risks
• Where appropriate: seek the views of data subjects or their representatives

Page 36

Prior consultation

• The DPIA concludes that a high risk is present
  • Prior consultation of the supervisory authority
  • Advice within 8 weeks if the supervisory authority believes the processing to be non-compliant

Page 37

DPO

• Mandatory DPO?
  • Public authority or body
  • Core activities requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO

Page 38

DPO

• Who?
  • Expert in data protection law
  • Employee or service provider
• Tasks
  • Inform and advise
  • Monitor compliance
  • Provide advice on DPIAs
  • Cooperate with supervisory authorities
  • SPOC for supervisory authorities
• Direct reporting line to the highest management level

Page 39

Data processors

• Legal requirements for the use of data processors are stricter
• Assess standard contracts / clauses and adapt where necessary
  • Implement new clauses by 25 May 2018 for contracts that expire after that date
  • No need to review each contract individually
    • A general addendum that replaces the existing clauses may suffice

Page 40

Data Processors

• What is required?
  • Written agreement
    • Subject-matter, duration, nature, purpose, type of personal data, categories of data subjects and obligations and rights of the parties
  • Appropriate security measures
  • Only process in accordance with instructions
  • Confidentiality obligation
  • Data breach notification obligation?

Page 41

Data Processors

• What is additionally required?
  • Appointment of sub-processors
  • Assistance in meeting the data controller's requirements
  • Measures at the end of the processing services (return or deletion of the personal data)
  • Audit and cooperation duty in relation to the demonstration of compliance
  • Inform the data controller if an instruction infringes the GDPR (information duty)
  • Flow down the obligations to sub-processors

Page 42

Incident Policy

• Draft / review the incident policy
  • Include the data breach notification obligations
  • Identify high-risk processing and high-risk incidents
    • Notification obligation to data subjects
  • Identify potential mitigation measures
  • DPO?

Page 43

Contact details

Johan Vandendriessche

Partner - Crosslaw

Visiting Professor ICT Law – UGent

Visiting Professor ICT Law – HoWest

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be

Page 44

ISACA BELGIUM