faysal-boukayoua
Overview
Introduction
GDPR deep dive
Historical context
Data Protection Principles
Rights of the Data Subject
Records of processing activities
Designation of a Data Protection Officer
International data transfers
Supplier relationships
Data breach notification
Useful references
Q&A
Why privacy?
As a human and societal need
As a fundamental human right
As a way to safeguard other rights and freedoms: freedom of thought, freedom of association, consumer protection
As a precondition for a democratic state of law
As a competitive advantage for companies
Introducing today’s extended enterprise
[Diagram: the enterprise turns raw materials into goods & services through its business functions and support functions (e.g. IT, HR, Finance, Project Management Office, Communication, GRC (Governance, Risk & Compliance)), using information, processes, people and technology; the extended enterprise adds suppliers, regulators and other factors.]
Data Protection & Privacy: where does it fit?
[Diagram: Data Protection & Privacy overlaps with Information Management, IT, Information security, Risk & Process Management and Supplier management.]
Common misconceptions about the GDPR
You always need consent to process personal data
You can implement the GDPR by buying an IT system
You always need to erase data when a data subject asks you to
You’re not accountable anymore if you outsource an activity
... (and many more)
Historical context
Regulation | Origin | Binding? | Publication date | In force as of
Universal Declaration of Human Rights | United Nations | No | 1948 | n/a
European Convention on Human Rights | Council of Europe | Yes, for all 47 members | 1950 | 1953
Treaty of Rome | EEC | Yes, for signatories | 1957 | 1958
Recommendation 509 | Council of Europe | No | 1968 | n/a
OECD Privacy Guidelines | OECD | No | 1980 | n/a
Convention 108 | Council of Europe | Yes, for signatories | 1981 | 1985
Directive 95/46/EC, basis for pre-GDPR privacy regulation | EU | Yes, to be implemented by EU member states | 1995 | Implement by Oct. 1998
GDPR | EU | Yes, directly enforceable | 2016 | May 2018
GDPR: facts and figures
In effect on May 25th 2018
Worldwide territorial scope for processing of EU residents’ data
Adaptation of Directive 95/46/EC to the changing technology landscape
One-stop shop mechanism for data subjects and controllers
Obligation to document processing instead of notifying DPA
More powers for DPAs, e.g. unexpected audits
Harmonisation: 1 directly enforceable regulation for all 28 EU member states
Strict rules for “special categories of personal data”, incl. genetic, biometric and health data
Sanctions up to 4% of worldwide revenue or €20M
Stakeholders
Data subject: natural person to whom the data relates
Data controller: determines the means and the purposes of the processing, e.g. your doctor, your social network site, your web shop, your university
Data processor: processes personal data on behalf of the data controller, e.g. most cloud providers
Data Protection Authority (DPA): e.g. Privacycommissie (BE), ICO (UK), CNIL (FR)
European Data Protection Board: EU body of DPAs for (1) cooperation (2) consistency
What is personal data?
Everything that relates directly or indirectly to a natural person, e.g.
Identifiers like database IDs, IP addresses, location data
Contact and identity info
Inferred or derived data like consumption habits, social media profile
Sensitive data (art. 9 and 10): everything related to ethnicity, political, philosophical or religious views, union membership, genetic and biometric data for unique identification, sexual life and orientation, health data, criminal convictions and offences
Processing personal data: how?
Data Protection Principles
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
Data Protection Principles
Transparency: inform the data subject
Fairness: process according to what the data subject might reasonably expect
Lawfulness: every processing purpose must have a corresponding legal ground, e.g.
Processing purpose | Legal ground
Direct marketing | Consent of the data subject
Recruiting a new employee | Performance or preparation of a contract
Storing session identifiers on a web server for security purposes | Legitimate interest
Data Protection Principles
Which legal grounds are available under the GDPR?
1. Consent of the data subject
2. Performance or preparation of a contract
3. Compliance with a legal obligation
4. Protecting the vital interests of a natural person
5. Task in the public interest
6. Legitimate interests of the controller
Data Protection Principles
Purpose limitation
Every new processing must either:
be compatible with the initial purpose
… or have a new legal ground
Art 6 defines criteria for “compatibility”:
Link between the initial and the new purpose
The existence of safeguards like encryption and pseudonymisation
… and others
Data Protection Principles
Data minimisation
Part of Data Protection by Design and by Default (art. 25)
Image source: Hoepman et al., 2009
Data Protection Principles
Data Protection by Design and by Default
[Diagram: data lifecycle stages (Creation; Collection or retrieval from other sources; Transformation; Analysis and reporting; Consultation; Storage; Transmission; Publication; Destruction) set against the project phases Design, Realisation and Operation; the slide also lists Encryption.]
Data Protection Principles
Data Protection Impact Assessment (DPIA)
Evaluation of the worst-case impact of processing and storage on the data subject
Best practice, but mandatory in case of “high risk to the rights and freedoms of the data subject”, f.i.:
Evaluation, scoring and binding automated decision-making
Systematic monitoring
Sensitive data according to art. 9 and 10
Large-scale data processing
Matching or combining datasets
Use of new, innovative technologies
Vulnerable data subjects
Data transfers outside the EU
Mandatory DPA consultation in case of high residual risk
See also: DPIA guidelines of Article 29 Working Party
Data Protection Principles
Accuracy
Concern: avoid or mitigate risks to data subjects due to inaccurate data
Art 5: […] ensure that personal data that are inaccurate, […] are erased or rectified without delay.
Art 16: right to rectification
Art 18: right to restriction of processing until accuracy of data is verified
Structural approach: data governance and information management
How is the data obtained?
What is its “level of assurance”?
How often is it updated? According to which process?
Who is responsible?
…
Data Protection Principles
Storage limitation (art 5 and 30)
Don’t keep information for longer than needed
Sometimes there are multiple legal grounds, f.i.:
Performance or preparation of a contract
Legal obligation
Legitimate interest
Only delete personal data when there is no legal ground left for having it
[Diagram: dynamic phase (operational use) followed by static phase (archiving, e.g. for legal obligations)]
Data Protection Principles
Integrity and confidentiality (art. 32)
Technical and organisational measures to ensure a level of security appropriate to the risk:
confidentiality, integrity, availability and resilience of […] systems and services
ability to restore the availability and access in a timely manner after an incident
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
Security level based on the risks presented by the processing
Data Protection Principles
Accountability
Document compliance with the previous Data Protection Principles (art 5)
Previously [Directive 95/46/EC]: notify DPA of processing activities
Now [GDPR]: document everything internally
DPA has stronger mandate for (unannounced) audits
Accountability to whom? Data subjects, Data Protection Authority, Management
No documentation = non-compliant
Rights of the Data Subject
Right to Information
Right to Access
Right to Rectification
Right to Erasure
Right to Data Portability
Automated Decision-making and Profiling
Right to Restriction of Processing
Right to Object
Some remarks
“Reasonable” steps to safeguard rights of the data subject, not at all cost
Reply through same channel as initial request
Free, except in case of repetitive or excessive requests
Except “Right to Information”, the Rights of the Data Subject do not apply if:
Personal data do not allow identification
Data Subject is not able to prove his/her identity
Rights of the Data Subject
Information to provide to the data subject (art 12, 13, 14)
Contact info of the data controller
Purpose and legal ground of the processing
Recipients of the data who are not controllers or processors (f.i. government, social security, …)
International data transfers and safeguards
Retention time and justification
Listing of the rights of the data subject
The right to lodge a complaint at DPA
In case of automated decision-making or profiling: meaningful information about the logic behind it
Rights of the Data Subject
Information to provide to the data subject (art 12, 13, 14) – ct’d
When using consent as the legal ground: the right to withdraw it at any time
And lastly, depending on how the data is obtained:
[Diagram: consent over time: giving consent, withdrawing consent, giving consent again]
Information to be provided if personal data is obtained via the data subject:
• Is collection of the data a statutory or a contractual requirement?
• Why is the collection needed?
• What are the consequences if the data is not provided?
Information to be provided if personal data is obtained via a third party:
• Which categories of data?
• From which third party?
• Did the data come from publicly available sources?
Rights of the Data Subject
Right to Access and to Rectification (art 15 and 16)
To be provided:
Access to the precise data values
Purpose and legal ground
(Categories of) recipients who are not controllers or processors
Retention time and justification
Listing of the rights of the data subject, including rectification
The right to lodge a complaint at DPA
The source of the data: either the data subject or info of the third party where it was obtained
In case of automated decision-making or profiling: meaningful information about the logic behind it
Rights of the Data Subject
Right to erasure or “Right to be forgotten”
Erasure when there is no legal ground any more to have or use the data
If personal data have been made public: take reasonable steps to inform other controllers of a request for erasure (f.i. withdrawal of consent)
This right is overridden by:
The right to freedom of expression and information
Compliance with a legal obligation
Preventive and occupational medicine and public health, under Union or Member State law
Archiving in the public interest
Scientific, historical or statistical purposes
Exercise of legal claims
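The storage-limitation rule from the Data Protection Principles (delete only when no legal ground is left, with a static archiving phase for grounds such as a legal obligation) and the erasure exceptions listed above follow from the same check. The Python below is an added example, not from the slides; the record and ground classes, the sample customer and lead records and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model: one entry per legal ground (consent, contract, legal obligation, ...).
@dataclass
class LegalGround:
    ground: str                 # name of the legal ground
    purpose: str                # processing purpose it covers
    valid_until: date           # last day the ground still applies (assumed inclusive)
    archive_only: bool = False  # True: static phase, keep the data but no operational use

@dataclass
class PersonalDataRecord:
    subject_id: str
    grounds: list               # list of LegalGround

def live_grounds(record, today):
    """Legal grounds that still apply on 'today' (a date or an ISO date string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [g for g in record.grounds if g.valid_until >= today]

def retention_decision(record, today):
    """Return 'operational', 'archive' or 'delete' for a record.
    Storage limitation: delete only when no legal ground is left. While any live
    ground allows operational use the record stays in the dynamic phase; if only
    archival grounds remain (e.g. a legal obligation to keep accounting records)
    it moves to the static phase: retained, but no longer used operationally.
    """
    live = live_grounds(record, today)
    if not live:
        return "delete"
    if all(g.archive_only for g in live):
        return "archive"
    return "operational"

def erasure_response(record, today):
    """Answer a right-to-erasure request with the same rule.
    Honoured only when nothing justifies keeping the data; otherwise refused,
    naming the overriding grounds so the data subject can be informed.
    """
    if retention_decision(record, today) == "delete":
        return ("erased", [])
    reasons = [f"{g.ground}: {g.purpose} until {g.valid_until.isoformat()}"
               for g in live_grounds(record, today)]
    return ("refused", reasons)

# Constructed sample: a web-shop customer whose contract ended mid-2018 but whose
# invoices must be kept for accounting, and a marketing lead whose consent lapsed.
SAMPLE_RECORDS = [
    PersonalDataRecord("cust-001", [
        LegalGround("contract", "order fulfilment", date(2018, 6, 30)),
        LegalGround("legal obligation", "accounting records", date(2025, 6, 30), archive_only=True),
    ]),
    PersonalDataRecord("lead-042", [
        LegalGround("consent", "direct marketing", date(2018, 3, 1)),
    ]),
]
```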
Rights of the Data Subject
Right to Data Portability (art 20)
Concerns data with the following legal grounds:
Performance or preparation of a contract
Consent of the data subject
To whom? The data subject, or a third party upon request of the data subject
How? “Structured, machine-readable data”
Why? Support the flow of data in the EU’s Digital Single Market strategy
Automated individual decision-making and profiling (art 21)
Why? Increased importance of AI and machine learning
What? The right not to be subject to a decision based solely on automated processing or profiling
In practice, the controller must at least provide:
The possibility for human intervention
Transparency on the decision logic
Right to restriction of processing (art 18)
Temporary restriction:
If accuracy of data is disputed
Data no longer processed, but data subject needs information for exercise of legal claims
Permanent: as alternative to erasure, upon request of the data subject
Right to object to processing (art 21)
Direct marketing: cease immediately (absolute right)
Scientific, historical, and statistical purposes: weigh data subject’s specific situation against legitimate interests of controller
Not applicable if:
Processing for a task in the public interest
Processing is a legal obligation
Processing inventory
Records with all processing activities that use personal data
Mandatory, but also contains info to:
Provide the rights of the data subject
Demonstrable compliance towards DPA
Format described in GDPR article 30, among others:
Security measures
Recipients and international data transfers
Data retention time
…
Large overlap with Data Protection Impact Assessment
Data Protection Officer (art 37-39)
Required for:
government entities
systematic monitoring of data subjects
large-scale processing of sensitive personal data
Required skills and knowledge: IT, privacy law, business activities and risk management
Should be independent from business or support function
Typical tasks:
Liaison with DPA
Internal awareness
Guidance in privacy implementation
Enforcement
International data transfers (art 44-50)
What? Routine (!) transfers to data processors and other third parties need adequate protection
How?
Transfer within the European Economic Area
Adequacy decision of European Commission
Appropriate safeguards:
Standard Contract Clauses
Binding Corporate Rules: useful for multinationals
Certification or code of conduct
Agreements between authorities
Other, f.i. explicit consent of the data subjects
• EU member states can impose additional requirements
• Cf. Vlaamse Toezichtscommissie and German DPAs
• Uncertainty about Privacy Shield and Standard Contract Clauses
Supplier management
Art 27-31, 44-50 + WP 29 Guidelines
Pre- and post-contractual due diligence
Roles and responsibilities
International data transfer mechanism
Confidentiality: non-disclosure agreement or similar
Employee screening and secrecy obligation
Limitations on subcontracting
Security measures
Assistance in complying with the GDPR
Required service levels
Exit strategy and destruction of data
Data breach notification
What?
Categories of data and data subjects
(worst-case) impact on data subjects
Measures taken to mitigate the effects
Contact info of the data controller
To whom? | When?
DPA | In case of “risk” to rights and freedoms of the data subjects
DPA and data subject | In case of “high” risk to rights and freedoms of data subjects
Deadline: first contact within 72 hours of becoming aware
Use case: building a privacy-friendly chess app
Whitepaper by Jason Cronk: https://iapp.org/media/pdf/resource_center/PbD-Whitepaper_09-2017.pdf
Closing remarks
Data Protection & Privacy is largely a process effort
Tools are useful to automate a process
You can’t automate what doesn’t exist, a.k.a. garbage in, garbage out
Data Protection & Privacy is a transversal effort throughout the organisation: [People, Process, Technology]
Change management!
Efforts can only succeed with management commitment and support
Budget friction between commercial interests and (GDPR) compliance
Useful references
Guidelines of Article 29 Working Party: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
Structured, formatted text of the GDPR: https://www.privacy-regulation.eu/en/index.htm