Our agenda. The basics

Transcription

1

2 GDPR - AVG - RGPD.

3 Our agenda The basics Key actions Responsibilities

4 The basics Key actions Responsibilities

5 Who cares? Why?

6 From directive to regulation 24 Oct 1995: a Directive 95/46/EC is adopted partially by some EU member states 25 May 2018: the General Data Protection Regulation is national law in every EU member state Fines up to 4% of the annual turnover or 20M EUR

7 It s about Personal data and its movement Processing of personal data Lawful processing Accountability of your lawfulness

8 Some definitions Personal data: any information relating to an identified or identifiable natural person ( data subject ) Processing: any operation or set of operations which is performed on personal data or on sets of personal data, Controller: a party that determines the purposes and means of the processing of personal data (from the data subjects) Processor: a party which processes personal data on behalf of the controller a party: natural or legal person, public authority, agency or other body

9 Roles and relations Data subject CONTROLLER PROCESSOR

10 It goes beyond the European Union The controller s or processor s office is based in the European Union OR Provide services to a data subject in the European Union

11 The 1 slide summary

12 The principles imposed on Controller Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality Responsibility/Accountability

13 Lawful processing imposed on Controller OR Consent OR Contract OR Compliance OR Vital interests OR Legitimate interests OR tasks of public interest

14 Rights of the data subject towards the controller Transparent information Right of access Right to rectification Right to erasure (right to be forgotten) Right to restriction of processing Right to data portability Right to object Profiling

15 The basics Key actions Responsibilities

16 Responsibilities of the Controller Use the nature, scope and purpose of processing to implement appropriate technical and organisational measures only use processors providing sufficient guarantees Notification of a personal data breach to supervisory authority within 72 hours after detection Data protection by design and by default Data protection impact assessment if required [covered by iguards]

17 Responsibilities of the Processor Implement appropriate technical and organisational measures as applicable to scope and agreed to with the Controller Notification of a personal data breach to Controller asap Use a contract with the Controller which describes [covered by Crosslaw]: subject-matter and duration the nature and purpose the type of personal data obligations and rights of the controller use/change sub-processors after written approval only accessed by confidential employees assistance of the controller to determine appropriate measures and ensure compliance the use of appropriate technical and organisational measures data retention policy availability to the controller of all information necessary to demonstrate compliance

18 Mutual responsibilities Security of processing: use the nature, scope, purpose and potential risks of processing to implement appropriate technical and organisational measures such as pseudonymisation and encryption [covered by Netapp and Gemalto] ensure confidentiality, integrity, availability and resilience [covered by Fox-IT] regularly testing the effectiveness Optional adherence to an approved sector code of conduct [ covered by Scope Europe] Optional certification against GDPR Maintain a register/record of processing activities if required Data Protection Officer if required

19 Shared responsibility model Appropriate measures define the type of services SERVICE PERSONAL DATA SCOPE Customer (Application) Service Provider (Infrastructure) Contract DATA PROCESSING BY CONTROLLER BY PROCESSOR Data subject

20 An example Online shop shopaholic.be requests outsourcing services Requirements: 24/24, max 1h downtime and no loss of data 1 month of backup retention Database that includes Name and contact details of their customers Purchase history Invoices are stored in object based storage

21 Shared responsibility model SERVICE SCOPE Contract Customer / Data subject Shopaholic (Application) Service Provider (Infrastructure) Contract Contract Secure Application Design & Dev IAAS Services dual datacenter Amazon PAAS S3 services Application Lifecycle Mgmt Backup Services Secure data transfer Advanced DDOS Services & WAF Sector specific Certification (be commerce) Compliance (ISO 27001, GDPR, CoC, )

22

23 The basics Key actions Responsibilities

24 We as a Processor Contracting Review existing contracts Standard Data Processing terms List default organizational and technical security measures Update workflows Merge GDPR updates with existing ISO processes Create Processor specific register Adherence and certification Certification against GDPR Adherence to IT Cloud Services Code of Conduct [covered by Scope Europe] Security portfolio Design additional security services

25 You as a Controller Review existing Processing contracts Define scope Define appropriate technical and organizational measures Define data flows per department Determine processing of personal data Verify if processing activities are lawful Create Controller specific register Data protection by design and by default Enable execution of the data subject s rights Inform data subject Right of access, rectification, erasure,

26 Lessons learned so far Start now Use a risk based approach It s not only about security & technology Involve the broader organization, not only legal & compliance Use a project based approach Evangelize data privacy by design Automate the personal data lifecycle where appropriate Involve the right experts

27 Wrap-up Responsibilities Controller Processor

28 Useful material GDPR articles with links to related Recitals DLA Piper Explore GDPR mobile app (IOS & Android) NYMITY s GDPR compliance toolkit & webinar European Cloud Code of Conduct

29 Thank you Jannick Fabel