THE GENERAL DATA PROTECTION REGULATION (GDPR) Faysal Boukayoua

GDPR General Awareness Slides


2

Overview

Introduction

GDPR deep dive

Historical context

Data Protection Principles

Rights of the Data Subject

Records of processing activities

Designation of a Data Protection Officer

International data transfers

Supplier relationships

Data breach notification

Useful references

Q&A

3

Introduction

4

Why privacy?

As a human and societal need

As a fundamental human right

As a way to safeguard other rights and freedoms: freedom of thought

Freedom of association

Consumer protection

As a precondition for a democratic state of law

As a competitive advantage for companies

5

Why should we care?

6

Introducing today’s extended enterprise

Diagram labels: Enterprise (business functions; support functions, e.g. IT, HR, Finance, Project Management Office, Communication, GRC (Governance, Risk & Compliance); raw materials, information, processes, people, technology; goods & services) and Extended enterprise (suppliers, regulators, other factors)

7

Data Protection & Privacy: where does it fit?

Diagram: Data Protection & Privacy sits at the intersection of Information Management, IT, Information security, Risk & Process Management and Supplier management

8

Common misconceptions about the GDPR

You always need consent to process personal data

You can implement the GDPR by buying an IT system

You always need to erase data when a data subject asks you to

You’re not accountable anymore if you outsource an activity

... (and many more)

9

GDPR deep dive

10

Historical context

| Regulation | Origin | Binding? | Publication date | In force as of |
| --- | --- | --- | --- | --- |
| Universal Declaration of Human Rights | United Nations | No | 1948 | n/a |
| European Convention on Human Rights | Council of Europe | Yes, for all 47 members | 1950 | 1953 |
| Treaty of Rome | EEC | Yes, for signatories | 1957 | 1958 |
| Recommendation 509 | Council of Europe | No | 1968 | n/a |
| OECD Privacy Guidelines | OECD | No | 1980 | n/a |
| Convention 108 | Council of Europe | Yes, for signatories | 1981 | 1985 |
| Directive 95/46/EC, basis for pre-GDPR privacy regulation | EU | Yes, to be implemented by EU member states | 1995 | Implement by Oct. 1998 |
| GDPR | EU | Yes, directly enforceable | 2016 | May 2018 |

11

GDPR: facts and figures

In effect on May 25th 2018

Worldwide territorial scope for processing of EU residents’ data

Adaptation of Directive 95/46/EC to the changing technology landscape

One-stop shop mechanism for data subjects and controllers

Obligation to document processing instead of notifying DPA

More powers for DPAs, e.g. unexpected audits

Harmonisation: 1 directly enforceable regulation for all 28 EU member states

Strict rules for “special categories of personal data”, incl. genetic, biometric and health data

Sanctions up to 4% of worldwide revenue or €20M

12

Stakeholders

Data subject: natural person to whom the data relates

Data controller: determines the means and the purposes of the processing, e.g. your doctor, your social network site, your web shop, your university

Data processor: processes personal data on behalf of the data controller, e.g. most cloud providers

Data Protection Authority (DPA): e.g. Privacycommissie (BE), ICO (UK), CNIL (FR)

European Data Protection Board: EU body of DPAs for (1) cooperation (2) consistency

13

What is personal data?

Everything that relates directly or indirectly to a natural person, e.g.

Identifiers like database IDs, IP addresses, location data

Contact and identity info

Inferred or derived data like consumption habits, social media profile

Sensitive data (art. 9 and 10): everything related to ethnicity, political, philosophical or religious views, union membership, genetic and biometric data for unique identification, sexual life and orientation, health data, criminal convictions and offences

14

Processing personal data: how?

Data Protection Principles

Lawfulness, fairness and transparency

Purpose limitation

Data minimisation

Accuracy

Storage limitation

Integrity and confidentiality

Accountability

15

Data Protection Principles

Transparency: inform the data subject

Fairness: process according to what the data subject might reasonably expect

Lawfulness: every processing purpose must have a corresponding legal ground, e.g.

| Processing purpose | Legal ground |
| --- | --- |
| Direct marketing | Consent of the data subject |
| Recruiting a new employee | Performance or preparation of a contract |
| Storing session identifiers on a web server for security purposes | Legitimate interest |


16

Data Protection Principles

Which legal grounds are available under the GDPR?

1. Consent of the data subject

2. Performance or preparation of a contract

3. Compliance with a legal obligation

4. Protecting the vital interests of a natural person

5. Task in the public interest

6. Legitimate interests of the controller


17

Data Protection Principles

Purpose limitation

Every new processing must either:

be compatible with the initial purpose

… or have a new legal ground

Art 6 defines criteria for “compatibility”:

Link between the initial and the new purpose

The existence of safeguards like encryption and pseudonymisation

… and others


18

Data Protection Principles

Data minimisation

Part of Data Protection by Design and by Default

(art. 25)


Image source: Hoepman et al., 2009

19

Data Protection Principles

Data Protection by Design and by Default

Diagram: data lifecycle phases (creation; collection or retrieval from other sources; transformation; analysis and reporting; consultation; storage; transmission; publication; destruction) set against the system lifecycle (design, realisation, operation); further label: encryption

20

Data Protection Principles

Data Protection Impact Assessment (DPIA): evaluation of the worst-case impact of processing and storage on the data subject

Best practice, but mandatory in case of “high risk to the rights and freedoms of the data subject”, f.i.:

Evaluation, scoring and binding automated decision-making

Systematic monitoring

Sensitive data according to art. 9 and 10

Large-scale data processing

Matching or combining datasets

Use of new, innovative technologies

Vulnerable data subjects

Data transfers outside the EU

Mandatory DPA consultation in case of high residual risk

See also: DPIA guidelines of Article 29 Working Party


21

Data Protection Principles

Accuracy

Concern: avoid or mitigate risks to data subjects due to inaccurate data

Art 5: […] ensure that personal data that are inaccurate, […] are erased or rectified without delay.

Art 16: right to rectification

Art 18: right to restriction of processing until accuracy of data is verified

Structural approach: data governance and information management

How is the data obtained?

What is its “level of assurance”?

How often is it updated? According to which process?

Who is responsible?


22

Data Protection Principles

Storage limitation (art 5 and 30)

Don’t keep information for longer than needed

Sometimes there are multiple legal grounds, f.i.:

Performance or preparation of a contract

Legal obligation

Legitimate interest

Only delete personal data when there is no legal ground left for having it

Diagram labels: Dynamic phase, Static phase; Operational use, Archiving (e.g. for legal obligations)

23

Data Protection Principles

Integrity and confidentiality (art. 32)

technical and organisational measures to ensure a level of security appropriate to the risk

confidentiality, integrity, availability and resilience of […] systems and services

ability to restore the availability and access in a timely manner after an incident

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures

Security level based on the risks presented by the processing


24

Data Protection Principles

Accountability

Document compliance with the previous Data Protection Principles (art 5)

Previously [Directive 95/46/EC]: notify DPA of processing activities

Now [GDPR]: document everything internally

DPA has stronger mandate for (unannounced) audits

Accountability to whom?

Data Subjects

Data Protection Authority

Management

No documentation = non-compliant


25

Rights of the Data Subject

Rights of the Data Subject

Right to Information

Right to Access

Right to Rectification

Right to Erasure

Right to Data Portability

Automated Decision-making and Profiling

Right to Restriction of Processing

Right to Object

26


Some remarks

“Reasonable” steps to safeguard rights of the data subject, not at all cost

Reply through same channel as initial request

Free, except in case of repetitive or excessive requests

Except “Right to Information”, the Rights of the Data Subject do not apply if:

Personal data do not allow identification

Data Subject is not able to prove his/her identity

27

Rights of the Data Subject

Information to provide to the data subject (art 12, 13, 14)

Contact info of the data controller

Purpose and legal ground of the processing

Recipients of the data who are not controllers or processors (f.i. government, social security,…)

International data transfers and safeguards

Retention time and justification

Listing of the rights of the data subject

The right to lodge a complaint at DPA

In case of automated decision-making or profiling: meaningful information about the logic behind it


28

Rights of the Data Subject

Information to provide to the data subject (art 12, 13, 14), continued

When using consent as the legal ground: the right to withdraw it at any time

And lastly, depending on how the data is obtained:

Diagram: timeline showing consent being given, and later withdrawn

Information to be provided if personal data is obtained via the data subject:

• Is collection of the data a statutory or a contractual requirement?

• Why is the collection needed?

• What are the consequences if the data is not provided?

Information to be provided if personal data is obtained via a third party:

• Which categories of data?

• From which third party?

• Did the data come from publicly available sources?

29

Rights of the Data Subject

Right to Access and to Rectification (art 15 and 16)

To be provided:

Access to the precise data values

Purpose and legal ground

(Categories of) recipients who are not controllers or processors

Retention time and justification

Listing of the rights of the data subject, including rectification

The right to lodge a complaint at DPA

The source of the data: either the data subject, or info on the third party where it was obtained

In case of automated decision-making or profiling: meaningful information about the logic behind it


30

Rights of the Data Subject

Right to erasure or “Right to be forgotten”

Erasure when there is no legal ground anymore to have or use the data

If personal data have been made public: take reasonable steps to inform other controllers of a request for erasure (f.i. withdrawal of consent)

This right is overridden by:

The right to freedom of expression and information

Compliance with a legal obligation

Preventive and occupational medicine and public health, under Union or Member state law

Archiving in the public interest

Scientific, historical or statistical purposes

Exercise of legal claims


31

Rights of the Data Subject

Right to Data Portability (art 20)

Concerns data with the following legal grounds:

Performance or preparation of a contract

Consent of the data subject

To whom?

The data subject

A third party, upon request of the data subject

How? “Structured, machine-readable data”

Why? Support the flow of data in the EU’s Digital Single Market strategy


32

Automated individual decision-making and profiling (art 21)

Why? Increased importance of AI and machine learning

What? The right not to be subject to a decision based solely on automated processing or profiling

In practice, the controller must at least provide:

The possibility for human intervention

Transparency on the decision logic


33

Right to restriction of processing (art 18)

Temporary restriction:

If accuracy of data is disputed

Data no longer processed, but data subject needs information for exercise of legal claims

Permanent: as alternative to erasure, upon request of the data subject

Right to object to processing (art 21)

Direct marketing: cease immediately (absolute right)

Scientific, historical, and statistical purposes: weigh data subject’s specific situation against legitimate interests of controller

Not applicable if:

Processing for a task in the public interest

Processing is a legal obligation


34

Processing inventory

Records with all processing activities that use personal data

Mandatory, but also contains info to:

Provide the rights of the data subject

Demonstrable compliance towards DPA

Format described in GDPR article 30, among others:

Security measures

Recipients and international data transfers

Data retention time

Large overlap with Data Protection Impact Assessment

35

Data Protection Officer (art 37-39)

Required for:

Government entities

systematic monitoring of data subjects

large-scale processing of sensitive personal data

Required skills and knowledge: IT, privacy law, business activities and risk management

Should be independent from business or support function

Typical tasks:

Liaison with DPA

Internal awareness

Guidance in privacy implementation

Enforcement

36

International data transfers (art 44-50)

What? Routine (!) transfers to data processors and other third parties need adequate protection

How?

Transfer within the European Economic Area

Adequacy decision of European Commission

Appropriate safeguards:

Standard Contract Clauses

Binding Corporate Rules: useful for multinationals

Certification or code of conduct

Agreements between authorities

Other, f.i. explicit consent of the data subjects


• EU member states can impose additional requirements

• Cf. Vlaamse Toezichtscommissie and German DPAs

• Uncertainty about Privacy Shield and Standard Contract Clauses

38

Supplier management

Art 27-31, 44-50 + WP 29 Guidelines

Pre- and post-contractual due diligence

Roles and responsibilities

International data transfer mechanism

Confidentiality:

Non-disclosure agreement or similar

Employee screening and secrecy obligation

Limitations on subcontracting

Security measures

Assistance in complying with the GDPR

Required service levels

Exit strategy and destruction of data

39

Data breach notification

What?

Categories of data and data subjects

(worst-case) impact on data subjects

Measures taken to mitigate the effects

Contact info of the data controller

| To whom | When? | Deadline |
| --- | --- | --- |
| DPA | In case of “risk” to rights and freedoms of the data subjects | First contact within 72 hours of becoming aware |
| DPA and data subject | In case of “high” risk to rights and freedoms of data subjects | |

40

Use case: building a privacy-friendly chess app

Whitepaper by Jason Cronk: https://iapp.org/media/pdf/resource_center/PbD-Whitepaper_09-2017.pdf

41

Closing remarks

Data Protection & Privacy is largely a process effort

Tools are useful to automate a process

You can’t automate what doesn’t exist, a.k.a. garbage in, garbage out

Data Protection & Privacy is a transversal effort throughout the organisation:

[People, Process, Technology]

Change management!

Efforts can only succeed with management commitment and support

Budget friction between commercial interests and (GDPR) compliance

42

Useful references

Guidelines of Article 29 Working Party: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

Structured, formatted text of the GDPR: https://www.privacy-regulation.eu/en/index.htm

43

Q & A