ISACA Privacy Open Forum - GDPR

Privacy Open Forum, Tuesday, 23rd of February 2016 (37 pages)

Uploaded by: johan-vandendriessche

Posted on 07-Jan-2017

Category: Law

TRANSCRIPT

Page 1: ISACA Privacy Open Forum - GDPR

Privacy Open Forum

Tuesday, 23rd of February 2016

Page 2

Brussels, 23 February 2016

Agenda

1. 18:30 Introduction
2. 18:45 GDPR
3. 19:30 Break
4. 19:50 GDPR
5. 20:45 Close

Page 3

Close

Page 4

GDPR: AN OVERVIEW OF CHANGES COMPARED TO CURRENT LEGISLATION

JOHAN VANDENDRIESSCHE

Page 5

GDPR Status Update

• GDPR Timeline
  • 15 Dec 2015: agreement reached in trilogue
  • Jan-Feb 2016: technical/legal review and translation
  • March-April 2016: official adoption
  • By June 2016: publication & entry into effect
  • By June 2018: application

Page 6

GDPR Status Update

• GDPR Guidance
  • Article 29 WP 2016 Action Plan
    • Creating European Data Protection Board (EDPB)
    • Preparing “one stop shop” and “consistency mechanism”
    • Issuing guidance
      • New portability right
      • Notion of risk
      • DPIA guidance
      • Certification
      • DPO
    • Communication concerning EDPB and the GDPR

Page 7

GDPR Status Update

• Safe Harbor & EU/US Privacy Shield
  • 2 Feb 2016: political agreement on new framework
  • By Feb 2016: text for agreement
  • By March 2016: analysis by Art. 29 WP
  • By April 2016: opinion from Art. 29 WP on new agreement and on BCR and model clauses
  • Legal uncertainty for the moment

Page 8

GDPR: scope

• Material scope
  • Automated processing of personal data
  • Other processing of personal data forming part (or intended to form part) of a filing system
  • Exceptions
    • Personal or household exception
    • Other exceptions

Page 9

GDPR: scope

• Territorial scope
  • EU establishment of controller or processor
    • Location of processing is irrelevant
  • Establishment of controller or processor outside EU
    • Offering of goods or services to data subjects in the EU
    • Monitoring of behaviour taking place within the EU

Page 10

GDPR: lawfulness of processing

• Consent
  • Statement or clear affirmative action
    • Mere silence is not sufficient
  • Explicit consent is not generally required
    • Required for processing of special categories of personal data
  • Right to retract consent
    • “in a manner as easy as consent was given”

Page 11

GDPR: lawfulness of processing

• Consent
  • Written declaration: formal requirements impacting validity of consent
  • Consent by children
    • Parental consent
    • Reasonable means to verify parental consent
    • Controller has burden of proof

Page 12

GDPR: data subjects’ rights

• Overview
  • Right to information and access to data
  • Right to rectification and erasure (“RTBF”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated individual decision making, including profiling

Page 13

GDPR: data subjects’ rights

• Transparency
  • Identity and contact details (including DPO)
  • Purposes of processing, including legal basis for processing
  • Recipients of personal data
  • International data transfers
  • Storage period
  • Specific data subject rights

Page 14

GDPR: data subjects’ rights

• Right to be forgotten
  • No longer necessary
  • Withdrawal of consent and no other legal ground
  • Objection
  • Unlawful processing
  • Erasure is required for compliance with a legal obligation
  • Personal data of children (conditional)

Page 15

GDPR: data subjects’ rights

• Consequences
  • Erasure of personal data
  • If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
  • Freedom of expression and information
  • Compliance with a legal obligation
  • Public interest in the area of public health
  • Archiving
  • Legal claims

Page 16

GDPR: data subjects’ rights

• Right to data portability
  • Processing based on consent, contract or
  • Right to receive a copy of his personal data
    • Structured, commonly used and machine readable format
  • Right to transmit personal data to another controller without hindrance
  • Right to require direct transmission between controllers

Page 17

GDPR: data subjects’ rights

• Automated individual decision making
  • Right not to be subjected thereto
    • Legal effect concerning him
    • Significantly affects him
  • Exceptions
    • Contractual necessity
    • Authorized by law
    • Based on explicit consent
  • Additional safeguards

Page 18

DP by Design

• Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate necessary safeguards to ensure compliance

Page 19

DP by default

• Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility

Page 20

GDPR: Accountability

• Main principle of GDPR
  • Implement measures to ensure compliance and to be able to demonstrate compliance
  • Burden of proof (!)
  • Approved certification mechanisms may be applied
• Risk based approach for some obligations
  • Risk vs high risk

Page 21

GDPR: record keeping

• Record keeping obligation
  • Who?
    • Data controller
    • Data processor
  • Which information?
    • Contact details (including DPO)
    • Categories of data subjects and personal data
    • Categories of recipients
    • International data transfers
    • Time limits
    • Security measures

Page 22

Data Protection Impact Assessment

• Impact assessment in relation to protection of personal data
  • High risk
    • Systemic and extensive profiling
    • Processing on a large scale of special categories of data
    • Systematic monitoring of publicly accessible areas on a large scale
    • …
  • Guidance from supervisory authority

Page 23

Data Protection Impact Assessment

• DPIA contents
  • Description of processing
  • Assessment of necessity and proportionality of processing
  • Assessment of risks
  • Measures to address risk
• If appropriate: involve data subjects or their representatives

Page 24

Prior consultation

• DPIA concludes that high risk is present
  • Prior consultation of supervisory authority
  • Advice within 8 weeks if supervisory authority believes processing to be non-compliant

Page 25

DPO

• Mandatory DPO?
  • Public authority or body
  • Core activity requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO

Page 26

DPO

• Who?
  • Expert in data protection law
  • Employee or service provider
• Tasks
  • Inform and advise
  • Monitor compliance
  • Provide advice on DPIAs
  • Cooperate with supervisory authorities
  • SPOC for supervisory authorities
• Direct reporting link to highest management level

Page 27

Personal Data Breach Notification

• Personal data breach notification
  • Personal data breach
  • Notification to supervisory authority
    • Deadline: without undue delay, but not later than 72 hours after having become aware
    • Exception: no risk
  • Data processor must inform data controller without undue delay

Page 28

Personal Data Breach Notification

• Personal data breach notification
  • What?
    • Nature of breach, data involved and approx. number of data subjects
    • Contact details of DPO
    • Likely consequences
    • Mitigation action
  • Document personal data breaches

Page 29

Personal Data Breach Notification

• Notification of data subjects
  • High risk
  • Not applicable if
    • Appropriate measures, e.g. encryption
    • Subsequent measures that reduce risk (no longer high risk)
    • Disproportionate effort
  • May be imposed by supervisory authority

Page 30

Codes of Conduct

• Mechanism for drafting and approving codes of conduct
  • Approval for compliance
  • Mechanism for international data transfers
• Certification mechanisms

Page 31

International data transfers

• Prohibition to transfer personal data to third countries
• Adequacy decision is regulated more strictly
• Onward transfers are restricted

Page 32

International data transfers

• Legally binding instrument between public authorities
• BCR
• Standard data protection clauses
• Approved code of conduct
• Approved certification mechanism
• Ad hoc solution
• Exceptions

Page 33

One Stop Shop

• Competence mechanism
  • Main establishment
    • Data controller
      • Place of central administration, except if data protection decisions are taken elsewhere
    • Data processor
      • Place of central administration or, if none, place of main processing activities

Page 34

One Stop Shop

• Complaint mechanism
  • Lead supervisory
  • Supervisory authority (subject to information duty and priority mechanism)
    • Relates only to establishment in Member State
    • Substantially affects data subjects only in Member State

Page 35

Sanctions

• Complaint procedure
• Right to compensation and liability
• Criminal liability
• Administrative fines
  • 2% of global annual turnover or 10 MEUR, whichever is higher: organisational issues
  • 4% of global annual turnover or 20 MEUR, whichever is higher: principles, data subject rights

Page 36

Contact details

Johan Vandendriessche
Partner - Crosslaw CVBA
Visiting Professor ICT Law - UGent
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be

Page 37

ISACA BELGIUM