Knowing and Implementing the GDPR Part 3 11 a.m. ET, 16:00 GMT March 29, 2017
Welcome & Introductions
Your host:
- Dave Cohen, IAPP Knowledge Manager
Panelists:
- Omer Tene, Vice President Research & Education, IAPP
- Ruth Boardman, Partner, Bird and Bird LLP, London Office

What we covered in Part 1
- Current EU privacy regime, and what's changing
- GDPR's scope
- Definition of personal data, pseudonymity, anonymity
- Rights of data subjects
- Types of consent
- Definition of legitimate interests
- New rules for trans-border data flow

What we covered in Part 2
- Mandatory DPO: when required, role and responsibilities
- Documentation requirements
- Operationalizing consent
- Children and getting parental consent

What we'll cover in Part 3
- Security
- Breach notification
- Accountability
- Data Protection by Design and by Default
- Data Protection Impact Assessments
- Complaints, the One-Stop Shop, and the enforcement process
Security
The GDPR security principle applies to processors and controllers. The key elements (below) are the same as under the Directive.

GDPR calls out some 'new' examples of points to consider (Art. 32):
- Pseudonymisation and encryption
- Confidentiality, integrity, availability and resilience
- Timely restoration
- Testing and evaluating the effectiveness of t.o.m.s (technical and organisational measures)

Must protect personal data against these risks:
- Data destruction
- Loss
- Alteration
- Disclosure
- Access
Breach Notification
Controllers must report data breaches to DPAs and individuals; processors report to controllers.

To supervisory authorities:
- Notify within 72 hours
- Exemption if not likely to result in prejudice to individuals

To individuals:
- High (and unmitigated) risk to individuals
- Not required if data effectively encrypted

Separate reporting obligations under the N.I.S. Directive for:
- Essential service providers (= significant impact on services)
- Digital service providers (= substantial impact on services)

May also be other breach reporting obligations (e.g. to the F.C.A. in the UK).

Breach Notification: what's in the notification?
- Nature of the breach, including how many records and data subjects
- DPO's contact information
- Likely consequences of the breach
- How the controller will address the breach, including mitigation efforts

If a breach is likely to result in a high risk to data subjects, notify them as well, unless:
- Controller implements technical controls to make the data unintelligible
- Controller makes the high risk unlikely
- Notification would require disproportionate effort (use a public statement instead)

Must also keep an internal record of data breaches (see sample on next slide).
Actions
Review:
- Information security policy(ies): are all areas of data risk covered?
- Third-party information security assessment procedures
- Employee and contract staff on-boarding process
- Breach reporting policy: check the threshold for reporting

Accountability: a risk-based approach, but compliance by accident will not work
Must be able to demonstrate compliance with the Regulation:
- Lawfulness, fairness, transparency
- Purpose limitation
- Data quality (incl. storage limitation)
- Integrity and confidentiality (security)
- Data transfers
Can include policies, codes and certification. Must be effective to ensure compliance and be able to demonstrate this (e.g. internal audit).

Accountability includes some of the measures considered earlier

Record of Processing Activities (Art. 30). For each purpose:
- What the purpose is
- Data subjects
- Data categories
- Recipients
- Countries
- Retention periods
- T.O.M.s

Privacy by design & by default (Art. 25):
- Design systems to be compliant
- Design systems to process the minimum data (for the minimum period) reasonably necessary to achieve the purpose
- Privacybydesign.ca

Privacy Impact Assessment (Art. 33):
- For 'risky' processing
- CNIL PIA manual

Independent Data Protection Officer (Art. 37):
- Required by Member States
- Core activities require regular and systematic monitoring of individuals on a large scale
- Core activities include processing of special data or offence data on a large scale

Privacy by design and by default requires technical and organisational measures "to integrate the requirements of this Regulation" into processing (A.25)

PRIVACY BY DESIGN:
- t.o.m.s. to integrate GDPR safeguards into processing
- Pseudonymisation and data minimisation
- Least privilege access principle, self-serve access rights or portability rights, minimum necessary authentication rules

PRIVACY BY DEFAULT:
- Privacy settings to be set to the minimum (friends, not friends of friends or public)
- Applied to amount of data, extent of processing, retention, access

Ways of embedding privacy by design:
- Technical measures
- Policies
- Reviews (process and peer)
- Training
- Certification

Data Protection Impact Assessments
Required for "high risk" processing as below (can also be required by supervisory authorities):
- Significant decisions using entirely automated processing, involving systematic and extensive evaluation of personal aspects
- Large scale processing of sensitive or offence data
- Systematic and large scale monitoring of a publicly accessible area

A DPIA contains:
- Systematic description of processing
- Assessment of proportionality
- Risk assessment and mitigation
- Unmitigated risk: see D.P.A.

Actions
- System review process
- DPIA process if needed
- Data protection training for IS professionals and business system owners
Actions by supervisory authorities

National-only matter:
- Local DPA
- Local courts (may refer to CJEU if relevant tests met)

OR

More than one Member State affected & EU main establishment:
- "Lead" authority based on "main establishment"
- Concerned authorities
- EDPB as arbiter
- Decision remitted to local DPAs
- CJEU review

Actions
- Procedures for dealing with individuals, and training on these
- Know your lead data protection authority(ies)

Questions & Answers
Contact:
- Omer Tene, Vice President Research & Education, IAPP, otene@iapp.org
- Ruth Boardman, Partner, Bird and Bird LLP, London Office, ruth.boardman@twobirds.com

THANK YOU! To our speakers, and to all of you in the virtual audience.
Knowing and Implementing the GDPR: Three Part Series
Recent programs:
- Part 1: Aired on 21 February, 2017. View here: Knowing and Implementing the GDPR: Part 1
- Part 2: Aired on 9 March, 2017. View here: Knowing and Implementing the GDPR: Part 2
Attention IAPP Certified Professionals: This IAPP web conference may be applied toward the continuing privacy education (CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM credential, worth 1.0 credit hours. IAPP-certified professionals who are the named participant of the registration will automatically receive credit. If another certified professional has participated in the program but is not the named participant, then the individual may submit for credit by submitting the continuing education application form at https://my.iapp.org/prog submitceu.

Continuing Legal Education Credits: The IAPP provides certificates of attendance to web conference attendees. Certificates must be self-submitted to the appropriate jurisdiction for continuing education credits. Please consult your specific governing body's rules and regulations to confirm if a web conference is an eligible format for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of programming.

A recording of this program will be posted on the IAPP website approximately 48 hours following the live broadcast. For questions on this or other IAPP web conferences or recordings, or to obtain a copy of the slide presentation, please contact:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, International Association of Privacy Professionals (IAPP)
dave@iapp.org
603.427.9221