THE NEW EU DATA PROTECTION REGULATION: WHAT IS IT AND WHAT DO WE NEED TO DO? KALLIOPI SPYRIDAKI CHIEF PRIVACY STRATEGIST, EUROPE
EU DATA PROTECTION REGULATION Kalliopi Spyridaki Chief Privacy Strategist, SAS Kalliopi provides thought-leadership within the SAS organization and to SAS customers on European data protection and privacy issues. Kalliopi strives to bridge the gap between public policy, legal and business considerations relating to privacy to ensure that both SAS and its customers remain at the forefront of the rapidly evolving European privacy landscape. She holds a law degree from the National and Kapodistrian University of Athens, Greece. Kalliopi also has a master's degree from the Eberhard-Karls-Universität Tübingen, Germany.
CONTENT Scope & general principles New elements: fines, accountability & consumer empowerment SAS tools from perspective of GDPR compliance What to expect next
ONE OF THE MOST PROMINENT EU LAWS EVER General EU Data Protection Regulation (GDPR) Negotiated over four years Applicable in all EU countries from May 2018 Reflects a transitional era for society Privacy becomes a core business issue
WHAT IS IT ABOUT Only covers personal data Rules on how to collect & process personal data Main objective: enable individuals to protect their privacy
DATA PROTECTION & PRIVACY Used interchangeably but the protection of personal data is the means to protect privacy
PERSONAL DATA DATA OWNERSHIP
CONSUMER EMPOWERMENT TRANSPARENCY INFORMATION Customer Trust CONSENT SECURITY
NEW ELEMENTS Fines & Enforcement Up to 4% annual global turnover New powers to data protection authorities in each EU country New European Data Protection Board
NEW ELEMENTS Organisations need to review structures, policies, processes around collection and processing of personal data.
Map and review data flows Review security measures/data breach notification obligations Document & maintain detailed records of processing activities Review internal privacy policies & training material
Conduct Privacy Impact Assessments / Implement Privacy by design & Privacy by default Appoint Data Protection Officer (DPO) Review third-party processing contracts Ensure lawfulness of personal data transfers outside the EU
Put in place mechanisms to respond to individual's right to: Access, rectify, delete data ("right to be forgotten"); Provide & withdraw consent; Obtain information on processing; Data portability
BIG DATA ANALYTICS A number of provisions have a direct impact on the big data analytics market: Collection & processing of personal data (only with specific legal bases & under certain conditions) Further processing of personal data for purposes other than collected Profiling of individuals with personal data De-identification of personal data: anonymisation, pseudonymisation, encryption
SAS AND OUR CUSTOMERS SAS delivers software and services to our customers. Responsibility to comply with GDPR remains with our customers. SAS can help our customers explore ways to configure SAS solutions in a manner that meets customers' business needs AND at the same time fulfills customers' compliance requirements.
SAS AND OUR CUSTOMERS SAS solutions can be customized to meet customer compliance requirements & policies Example SAS CUSTOMER INTELLIGENCE 360 Should personal data be collected? What types of personal data are required to be collected? How should they be stored (de-identification)? Consent: opt-in / opt-out
A NEW SAS SOLUTION FOR GDPR COMPLIANCE Addressing data management and data quality issues for GDPR compliance with SAS analytics
WHAT'S NEXT More GDPR! Guidelines, guidances, codes of conduct by EU bodies & national authorities Review of e-privacy Directive (including cookies provision) New EU laws on free flow of data including: data localisation; data ownership, access and re-use; liability in IoT context
THANK YOU! KALLIOPI.SPYRIDAKI@SAS.COM