What is the GDPR and how do we get compliant?

Transcription

1 What is the GDPR and how do we get compliant?

2 Agenda What is the GDPR Key Principles Mapping Data Flows GDPR GAP Assessment Compliance Issues: Legal, Technical, Management

3 GLOBALSTRAT GDPR Services Your Facilitator

4 What is the GDPR? The General Data Protec3on Regula3on, referred to simply as the GDPR, is Regula3on (EU) 2016/679 of the European Parliament and of the Council dated 27 April Following a two-year implementa3on period, the GDPR will be applicable from 25 May It concerns the protec3on of natural persons regarding the processing of personal data and on the free movement of this data. The GDPR covers the processing of personal data that relates to data subjects by or on behalf of a data controller in the European Union (EU).

5 List of EU Countries per 2018 EU Countries Austria Belgium Bulgaria Croatia Cyprus Czech Republic Denmark Estonia Finland France Germany Greece Hungary Ireland Italy Latvia Lithuania Luxembourg Malta Netherlands Poland Portugal Romania Slovakia Slovenia Spain Sweden United Kingdom* * The United Kingdom is currently nego3a3ng its exit from the European Union. The date is not firm but is currently set for March 2019.

6 What is the GDPR? The GDPR Regula3on (EU) 2016/679 consists of 88 pages describing; the scope of the regula3on, the responsibili3es of a data controller and data processor the roles and responsibili3es of Data Protec3on Authori3es the rights of Data Subjects the penal3es and other remedies available for viola3ons.

7 What is Personal Data? Note: Personal Data and Personally Iden3fying Informa3on or PII are not the same thing and are oaen confused. Personal data is defined as any informa3on that relates to an iden3fied or iden3fiable natural person (the data subject ). An iden3fiable natural person is anyone that can be iden3fied, either directly or indirectly, by reference to anything that can ul3mately iden3fy them. This includes a name, an iden3fica3on number, loca3on data, an online iden3fier or to data that relates to the physical, physiological, gene3c, mental, economic, cultural or social iden3ty of that natural person.

8 Data Controller or Data Processor? What is the difference between a Data Controller and a Data Processor? The data controller is the party that collects and manipulates (processes) data for its own purposes. It is also usually the party to whom the Data Subject believes they have given their informa3on, or data. A Data Controller may use a number of Data Processors (typically IT services companies) to manipulate or process the data on their behalf or as part of a contractual rela3onship. Many third party service provider(s) would be considered a data processor if they have access to the underlying data through the provision of their IT services.

9 Key Principles Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner. Purpose limitagon: Personal data must be collected for specific, explicit and legi3mate purposes and not further processed in a manner that is incompa3ble with those purposes. Data minimizagon: Personal data must be adequate, relevant and limited to what is necessary in rela3on to the purposes for which it is processed. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Personal data that is known to be inaccurate is to be erased or rec3fied without delay.

10 Key Principles Storage limitagon: Personal data must not be kept in a form which permits iden3fica3on of data subjects for longer than is necessary. Integrity and confidengality: Personal data must be processed in an appropriately secure manner including protec3on against unauthorized or unlawful processing and against accidental loss, destruc3on or damage, by the use of appropriate technical or organiza3onal measures. NOTE: This is where associa3ons must have confidence that the third party services they use to manage data are properly secured. If your third party provider causes a breach, the associa3on will remain liable. Accountability: The data controller is responsible for, and has to be able to demonstrate compliance with, the principles stated above.

11 Grounds for Data Collection Consent: The data subject gives clear and free consent. Performance of a contract: Data processing is necessary for the performance of a contract with or on behalf of the data subject. Compliance with a legal obligagon: Data processing is necessary for compliance with a legal obliga3on to which the data controller is subject. Vital interests: Data processing is necessary in order to protect the vital interests of the data subject or of another natural person. Public interest: Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority. LegiGmate interests: necessary for the purposes of the legi3mate interests of the data controller or by a third party, except where such interests are overridden by the interests of the data subject.

12 Penalties A supervisory authority has the ability to: Issue warnings. Order the data controller or the data processor to comply with a data subject s requests to exercise his or her rights under the GDPR. Order the data controller to communicate a personal data breach to the data subject(s). Impose a temporary or defini3ve limita3on including a ban on processing. Order the correc3on or erasure of personal data or restric3on of processing pursuant to a data subject s rights. Impose an administra3ve fine*. Order the suspension of data flows to a recipient in a third country or to an interna3onal organiza3on.

13 Penalties Regarding fines, they can be as much as: a fine of up to 10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. a fine of up to 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year for the most severe forms of a breach, including viola3ons of; the basic principles for processing, including condi3ons for consent the data subjects rights the transfers of personal data to a recipient in a third country or an interna3onal organiza3on, or non-compliance with an order or a temporary or defini3ve limita3on on processing or the suspension

14 Data Mapping

15 Data Mapping

16 Data Mapping SOURCES: Hard Copy Electronic

17 Data Mapping SOURCES: Hard Copy Electronic PURPOSE: Consent Contractual

18 Data Mapping SOURCES: Hard Copy Electronic PURPOSE: Consent Contractual TYPE: Personal or SensiGve*? *special categories of personal data include; 1. Racial or ethnic origin 2. Political or religious beliefs 3. Trade-union membership 4. Physical or mental health or condition 5. Sexual life, or 6. Data relating to criminal convictions and offences

19 Data Mapping SOURCES: Hard Copy Electronic PURPOSE: Consent Contractual DATA PROCESSORS: 3rd Party, further? TYPE: Personal or SensiGve*? *special categories of personal data include; 1. Racial or ethnic origin 2. Political or religious beliefs 3. Trade-union membership 4. Physical or mental health or condition 5. Sexual life, or 6. Data relating to criminal convictions and offences

20 GDPR Assessment Has your company appointed an EU Data ProtecGon Officer? Has your company provided awareness training on EU GDPR to all its staff? Have you briefed senior management and your Board of Directors on GDPR? Has your organizagon designed, documented and communicated your processes to deal with individuals' requests to access, amend or delete their personal data within the new Gmeframes (e.g. within 1 month for subject access requests)?

21 GDPR Assessment Has your company reviewed its vendor contracts to check that you can respond within the new Gme limits? Has your company put in place a data breach nogficagon procedure to detect, report and invesggate a personal data breach, together with a response plan? Does your company have a Data ProtecGon Impact Assessment [Privacy Impact Assessment] process in place? Have you reviewed your policies and procedures to make sure you get consent properly from employees, members, customers and others whom you deal with?

22 GDPR Assessment Does your organizagon set up and undertake regular compliance audits or reviews in order to idengfy and recgfy issues? Has your organizagon reviewed all key pracgcal aspects such as data retengon and destrucgon through all means of collecgng data used by your organizagon (e.g. data collected online and offline, data stored in filing cabinets)? When did you last review your main website privacy policy? Have you idengfied who your EU data protecgon regulator(s) will be?

23 GDPR Assessment List every database, system or applicagon (including paper or hard copy formats) where your organizagon directly collects, manipulates, displays or shares idengfiable informagon on an individual with an EU address. Does your organizagon collect, retain or use any of the following types of sensigve informagon for any of the data records you maintain? 1. Racial or ethnic origin 2. Political or religious beliefs 3. Trade-union membership 4. Physical or mental health or condition 5. Sexual life, or 6. Data relating to criminal convictions and offences

24 Intake Assessment Form What are the reason(s) you are collecgng personal data? Consent - the data subject has consented to provide the data. Contractual - data is collected in order to perform a contractual obligation. Legal - data is collected in order to comply with a legally mandated requirement. Legitimate interest - is there a purpose for which you are collecting data that the data subject is aware of or should be reasonably aware of.

25 Compliance Actions The types of correcgve acgons needed to gain GDPR compliance will generally fall into one of the following three categories; Legal (such as notices, contracts, policies and terms of use) Technology (consent forms, validation, database systems, security) Management and Processes (risk tolerance, type of data collected, staff training, process and procedures, data governance)

26 Next Steps Understand how and why GDPR applies to your organizagon. Make sure that senior management and your volunteer leaders (Board) understand as well. Inventory and map your data flows; a.) How data is acquired, b.) why and how it is used, c.) the type of data collected, d.) all third parges that have access and e.) how third parges are using your data. Have a GDPR GAP Assessment performed to idengfy your risk exposure and to understand what correcgve acgons are required. Make the necessary changes (Legal, Technology, Management).

27 GDPR GAP ASSESSMENT Terrance Barkan CAE, Chief Strategist & CEO