GDPR and DPO. DPO and DPM. Michel Gerdes DPO DFN-CERT Services GmbH DFN-CERT Services GmbH GDPR and DPO: Slide 1

Transcription

1 GDPR and DPO DPO and DPM Michel Gerdes DPO DFN-CERT Services GmbH DFN-CERT Services GmbH GDPR and DPO: Slide 1

2 ToC The DPO Role according to GDPR Data Protection at research institutions and universities Remaining challenges 2017 DFN-CERT Services GmbH GDPR and DPO: ToC Slide 2

3 GDPR and DPO The DPO Role according to GDPR 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 3

4 GDPR and National Adjustments No national adaption required Member States may adjust and define within certain boundaries National law for public bodies 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 4

5 DPO by GDPR, legal grounds Article 37 DPO 5. Professional qualities, expert knowledge of data protection law and practices and the ability to fulfill the tasks 7. Controller shall publish contact details to supervisory authority Article 38 Position 1. involved, properly and in a timely manner, in all issues which relate to the protection of personal data 2. support by controller, 3. no instructions regarding DPO related tasks by controller 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 5

6 Accountability Article 5 (2) Article 24 (1) requires Data Protection Management 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 6

7 Data Protection at DFN-CERT DFN-CERT 50 employees, 5 teams, backoffice various topics, all focus information security awareness separation of duties DPO Since July 2015, part time (20 %, real 15 %) Trainings Preparations for GDPR Register of processing activities and Getting it done Issues brought up by colleagues Identifying issues and check with persons in charge 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 7

8 Selecting a DPO Personal suitability No conflict of interests Speak the language of the employees Time slot Skill set Collaboration Question superiors and seniors Scrutinize every data processing activity Dedication to the role Self organization Tasks may not be handled straight forward 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 8

9 Challenges & Achievements Challenges Getting persons in charge getting things done It s about the time they have to dedicate to the tasks or teaching them how to do it (fast but accurately) Achievements Birthdays of employees in calendar application Access to account for invoice during vacation of the employee Login timestamps in world-readable log file 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 9

10 Framework for Data Protection Management Responsibilities Awareness Policies Processes Ressources 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 10

11 Responsibilities Controller implement Data Protection Management define responsibilities raise awareness define policies define processes provide ressources fulfill Article 38 (Position of DPO) Records of processing activities Consider data protection in contractual aggreements/contracts Data protection impact assessment (Article 35) Information systems security DPO (Art. 39) inform and advise controller monitor compliance cooperation with supervisory authority contact point for supervisory authority obviously not limited to these report directly to board 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 11

12 Awareness periodic trainings for employees regular communication campaigns on data protection data protection coordinator per team/faculty/... project initiation should/may require consultation of DPO/DPM highlight compliance to data protection principles (Article 5) 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 12

13 Policies commitment of top level management define responsibilities define processes sharing responsibilies if joint controller 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 13

14 Processes Ensure data subjects rights Article 12 clause 3 Notification of data breach Communication of data breach Re-assessment of DPM changemanagement access to data on DPO s computer 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 14

15 Ressources further training and networking for DPO and DPM officials projects: documentation overhead and adjustments for data protection compliance appropriate technical and organisational measures to ensure security of processing, data protection by design and by default, data processing system security 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 15

16 Links DataProtection-Framework pdf data-protection-governance-data-protection-governance-enterpriseorganisation Danish vs. English version of GDPR R0679&from=EN 2017 DFN-CERT Services GmbH GDPR and DPO: The DPO Role according to GDPR Slide 16

17 GDPR and DPO Data Protection at research institutions and universities 2017 DFN-CERT Services GmbH GDPR and DPO: Data Protection at research institutions and universities Slide 17

18 Scientific research legal grounds for processing Art. 5 (1) b Art. 89 beware of special law e.g. telecommunication law 2017 DFN-CERT Services GmbH GDPR and DPO: Data Protection at research institutions and universities Slide 18

19 Different set of challenges Administration centralized employment local DP coordinator standardized data processing activities may be based on state/national law (public body) Teaching Freedom of teaching (Art. 5 German Grundgesetz) elearning Data Protection! evaluations consent awareness may be based on state/national law as well Guideline: If and only if required for evaluation Research decentralized time-constraints data protection measures conflict with research progress/interests local DP coordinator awareness enforce policy cooperation with other bodies 2017 DFN-CERT Services GmbH GDPR and DPO: Data Protection at research institutions and universities Slide 19

20 GDPR and DPO Remaining challenges 2017 DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 20

21 Interpretation of laws Court decisions affecting interpretations commented printed versions 2017 DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 21

22 Dealing with older or other laws data protection sections may not be applied anymore e.g. private bodies or section is regulated by Union law contrary public bodies or section not regulated by Union law 2017 DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 22

23 eprivacy Regulation 2018 into force May still in draft extends GDPR with regards to information security specify legal situation for electronic communication data refers to GDPR principles and regulations 2017 DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 23

24 Adequacy Decisions EU-US-Privacy-Shield In evaluation after first year New US administration disagrees with privacy regulations for EU citizens Brexit UK government plans to adapt the GDPR after the Brexit Allows an adequacy decision Ruling of ECJ? 2017 DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 24

25 Further trainings Certification GDDcert.EU Certification as data protection officer, focus on data protection organisation and data protection management (in German) TÜV.IT Certification as data protection officer with technical focus (in German) DFN-CERT Conference veranstaltungen/ Datenschutzkonferenz. html Conference organised by DFN-CERT for DFN with focus on data protection (in German) Tutorials veranstaltungen/ EU-Datenschutzgrundvero html Tutorial highlighting Differences between BDSG and GDPR (in German) 2017 DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 25

26 Person of contact Michel Gerdes DPO DFN-CERT Services GmbH DFN-CERT Services GmbH GDPR and DPO: Remaining challenges Slide 26