ISACA Privacy Open Forum - GDPR
TRANSCRIPT
Privacy Open Forum
Tuesday, 23rd of February 2016
Brussels, 23 February 2016 2
Agenda
1. 18:30 Introduction
2. 18:45 GDPR
3. 19:30 Break
4. 19:50 GDPR
5. 20:45 Close
GDPR: AN OVERVIEW OF CHANGES COMPARED TO CURRENT LEGISLATION
JOHAN VANDENDRIESSCHE
GDPR Status Update
• GDPR Timeline
  • 15 Dec 2015: agreement reached in trilogue
  • Jan-Feb 2016: technical/legal review and translation
  • March-April 2016: official adoption
  • By June 2016: publication & entry into effect
  • By June 2018: application
GDPR Status Update
• GDPR Guidance
  • Article 29 WP 2016 Action Plan
    • Creating European Data Protection Board (EDPB)
    • Preparing “one stop shop” and “consistency mechanism”
    • Issuing guidance
      • New portability right
      • Notion of risk
      • DPIA guidance
      • Certification
      • DPO
    • Communication concerning EDPB and the GDPR
GDPR Status Update
• Safe Harbor & EU/US Privacy Shield
  • 2 Feb 2016: political agreement on new framework
  • By Feb 2016: text for agreement
  • By March 2016: analysis by Art. 29 WP
  • By April 2016: opinion from Art. 29 WP on new agreement and on BCR and model clauses
  • Legal uncertainty for the moment
GDPR: scope
• Material scope
  • Automated processing of personal data
  • Other processing of personal data forming part (or intended to form part) of a filing system
• Exceptions
  • Personal or household exception
  • Other exceptions
GDPR: scope
• Territorial scope
  • EU establishment of controller or processor
    • Location of processing is irrelevant
  • Establishment of controller or processor outside EU
    • Offering of goods or services to data subjects in the EU
    • Monitoring of behaviour taking place within the EU
GDPR: lawfulness of processing
• Consent
  • Statement or clear affirmative action
    • Mere silence is not sufficient
  • Explicit consent is not generally required
    • Required for processing of special categories of personal data
  • Right to retract consent
    • “in a manner as easy as consent was given”
GDPR: lawfulness of processing
• Consent
  • Written declaration: formal requirements impacting validity of consent
  • Consent by children
    • Parental consent
    • Reasonable means to verify parental consent
  • Controller has burden of proof
GDPR: data subjects’ rights
• Overview
  • Right to information and access to data
  • Right to rectification and erasure (“RTBF”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated individual decision making, including profiling
GDPR: data subjects’ rights
• Transparency
  • Identity and contact details (including DPO)
  • Purposes of processing, including legal basis for processing
  • Recipients of personal data
  • International data transfers
  • Storage period
  • Specific data subject rights
GDPR: data subjects’ rights
• Right to be forgotten
  • No longer necessary
  • Withdrawal of consent and no other legal ground
  • Objection
  • Unlawful processing
  • Erasure is required for compliance with a legal obligation
  • Personal data of children (conditional)
GDPR: data subjects’ rights
• Consequences
  • Erasure of personal data
  • If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
  • Freedom of expression and information
  • Compliance with a legal obligation
  • Public interest in the area of public health
  • Archiving
  • Legal claims
GDPR: data subjects’ rights
• Right to data portability
  • Processing based on consent, contract or
  • Right to receive a copy of his personal data
    • Structured, commonly used and machine-readable format
  • Right to transmit personal data to another controller without hindrance
  • Right to require direct transmission between controllers
GDPR: data subjects’ rights
• Automated individual decision making
  • Right not to be subjected thereto
    • Legal effect concerning him
    • Significantly affects him
  • Exceptions
    • Contractual necessity
    • Authorized by law
    • Based on explicit consent
  • Additional safeguards
DP by Design
• Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate necessary safeguards to ensure compliance
DP by default
• Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility
GDPR: Accountability
• Main principle of GDPR
  • Implement measures to ensure compliance and to be able to demonstrate compliance
  • Burden of proof (!)
  • Approved certification mechanisms may be applied
• Risk based approach for some obligations
  • Risk vs high risk
GDPR: record keeping
• Record keeping obligation
  • Who?
    • Data controller
    • Data processor
  • Which information?
    • Contact details (including DPO)
    • Categories of data subjects and personal data
    • Categories of recipients
    • International data transfers
    • Time limits
    • Security measures
Data Protection Impact Assessment
• Impact assessment in relation to protection of personal data
  • High risk
    • Systemic and extensive profiling
    • Processing on a large scale of special categories of data
    • Systematic monitoring of publicly accessible areas on a large scale
    • …
  • Guidance from supervisory authority
Data Protection Impact Assessment
• DPIA contents
  • Description of processing
  • Assessment of necessity and proportionality of processing
  • Assessment of risks
  • Measures to address risk
• If appropriate: involve data subjects or their representatives
Prior consultation
• DPIA concludes that high risk is present
  • Prior consultation of supervisory authority
  • Advice within 8 weeks if supervisory authority believes processing to be non-compliant
DPO
• Mandatory DPO?
  • Public authority or body
  • Core activity requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO
DPO
• Who?
  • Expert in data protection law
  • Employee or service provider
• Tasks
  • Inform and advise
  • Monitor compliance
  • Provide advice on DPIAs
  • Cooperate with supervisory authorities
  • SPOC for supervisory authorities
• Direct reporting link to highest management level
Personal Data Breach Notification
• Personal data breach notification
  • Personal data breach
  • Notification to supervisory authority
    • Deadline: without undue delay, but not later than 72 hours after having become aware
    • Exception: no risk
  • Data processor must inform data controller without undue delay
Personal Data Breach Notification
• Personal data breach notification
  • What?
    • Nature of breach, data involved and approx. number of data subjects
    • Contact details of DPO
    • Likely consequences
    • Mitigation action
  • Document personal data breaches
Personal Data Breach Notification
• Notification of data subjects
  • High risk
  • Not applicable if
    • Appropriate measures, e.g. encryption
    • Subsequent measures that reduce risk (no longer high risk)
    • Disproportionate effort
  • May be imposed by supervisory authority
Codes of Conduct
• Mechanism for drafting and approving codes of conduct
  • Approval for compliance
  • Mechanism for international data transfers
• Certification mechanisms
International data transfers
• Prohibition to transfer personal data to third countries
  • Adequacy decision is regulated more strictly
  • Onward transfers are restricted
International data transfers
• Legally binding instrument between public authorities
• BCR
• Standard data protection clauses
• Approved code of conduct
• Approved certification mechanism
• Ad hoc solution
• Exceptions
One Stop Shop
• Competence mechanism
  • Main establishment
    • Data controller
      • Place of central administration except if data protection decisions are taken elsewhere
    • Data processor
      • Place of central administration except, if none, place of main processing activities
One Stop Shop
• Complaint mechanism
  • Lead supervisory
  • Supervisory authority (subject to information duty and priority mechanism)
    • Relates only to establishment in Member State
    • Substantially affects data subjects only in Member State
Sanctions
• Complaint procedure
• Right to compensation and liability
• Criminal liability
• Administrative fines
  • 2% of global annual turnover or 10 MEUR, whichever is higher: organisational issues
  • 4% of global annual turnover or 20 MEUR, whichever is higher: principles, data subject rights
Contact details
Johan Vandendriessche
Partner - Crosslaw CVBA
Visiting Professor ICT Law - UGent
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM