GDPR compliance: some basics & practical to do list


Philippe LAURENT, independent full-service business law firm located in Brussels, May 2017

Personal data processing = any operation or set of operations which is performed on any information relating to an identified or identifiable natural person

Controller = determines the purposes and means of the processing of personal data
Processor = processes personal data on behalf of the controller (= means)

NOW: Data Protection Directive
  EU: Directive 95/46/EC
  BE: Act of 8 December 1992 + Royal Decrees + specific laws
GDPR: 25 MAY 2018
  EU: Regulation 2016/679
  BE: specific laws

Main principles remain unchanged (conditions of lawfulness):
- LAWFULNESS: fair, lawful & transparent processing
- PURPOSE: specified, explicit & legitimate purposes, and compatible use
- MINIMISATION / PROPORTIONALITY: adequate, relevant, not excessive data
- INTEGRITY: accurate and updated data
- MINIMAL RETENTION: kept no longer than necessary
- SECURITY: adequately protected

Main obligations of the controller: NOW
- Legitimacy & lawfulness of the processing (see above)
- Notification to the DPA
- Information to be provided to data subjects
- Respecting the data subjects' rights (access, rectification, objection, ...)
- Confidentiality and security of the processing => measures / controlling processors

Main obligations of the controller: GDPR
- Legitimacy & lawfulness of the processing (see above)
- Notification to the DPA
- Governance & accountability (documentation!)
- Information to be provided to data subjects (extended!)
- Respecting the data subjects' rights (access, rectification, objection, ...) + portability, limitation, ...
- Confidentiality and security of the processing => measures / controlling processors
- Privacy by design & privacy by default
- DPO
- Impact assessment
- Notification of data security breaches
- + obligations of the PROCESSOR!

To do list
- Compliance program + governance structure
- Document processing activities / data flows / legal grounds
- Identify competent supervisory authority
- Check necessity to maintain a formal record of processing activities
- Consider appointing a Data Protection Officer
- Conduct IT security / information audit
- Adapt internal privacy policies + HR training
- Review contracts with processors / subcontractors
- Update information to data subjects
- Review consent forms
- Consider adherence to code of conduct / certification
- Adopt processes to respect data subjects' rights
- Consider Impact Assessment before each new processing
- Implement privacy by design & by default in developments
- Adopt crisis plan (data security breach)
- + Monitoring: new local laws, guidelines of authorities
- Avoid exposure to penalties up to 20M EUR / 4% annual turnover

NEW: + obligations of the PROCESSOR!
Processor = natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
e.g.: IT providers, cloud services, hosting, web agencies, ...
!!! situations where processors become controllers (2 processings => 2 controllers)

+ obligations of the PROCESSOR!
Directive 95/46: only contractual obligations
GDPR: direct statutory obligations
- compliance & accountability
- direct liability
- exposure to penalties
Understand responsibilities under GDPR:
- Processing requirements
- Data security & confidentiality requirements
- Cooperation & consultation requirements

+ obligations of the PROCESSOR! Processing requirements
- Processing on documented instructions from the controller
  » inform the controller if instructions infringe the GDPR or other laws (!)
  » if the processor processes for its own purposes: it becomes a controller (accountability, obligations, penalties, ...) (!)
- Appointment of sub-processors
  » subject to the controller's approval
  » the processor remains liable for its sub-processors
- Record of all categories of processing activities
  » (professional processor => processing not occasional? / sensitive data? / intrusive processing?)
- Consider appointment of a DPO
- Respect rules on data transfers

+ obligations of the PROCESSOR! Data security & confidentiality requirements
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk: encryption, on-going review of security measures, back-up facilities, etc.
- Consider adherence to an approved code of conduct / certification mechanism
- Confidentiality clauses
- Data breach reporting to the controller without undue delay
- End of service: data reversibility / deletion

+ obligations of the PROCESSOR! Cooperation and consultation requirements
- Provide the controller with all information necessary to demonstrate compliance with the GDPR (audit!)
- Implement measures to assist the controller in complying with the rights of data subjects
- Assist the controller in data protection impact assessments
- Cooperate in case of data breach
- Subject to supervision / orders of the Supervisory Authority + cooperate with the SA

NB: in case of non-compliance, where do the threats come from?
- Supervisory authority
- Clients
- Competitors
- Data subjects (! class action)

Philippe LAURENT, philippe.laurent@mvvp.be
Lawyer at the Brussels Bar, Marx Van Ranst Vermeersch & Partners (MVVP)
Professional Trainer, www.legalict.be
DPO AS A SERVICE
- Intellectual Property (copyright, trademarks, models & designs, patents, trade names, domain names, databases, confidentiality, trade secrets, ...): protection, management, strategy, advising, clearing, contracts, licensing, litigation, ...
- ICT Law: e-commerce, Internet & cyberlaw, cloud computing, outsourcing, software, open source, services, SLAs, terms of use, liabilities & warranties, supply chain management, telecom, competition law
- Commercial & Distribution law: contracts, litigation, e-commerce, distributorships, franchises, agencies, trade practices, consumer protection, advertisement, marketing, promotion, games, gambling, regulatory, ...
- Data Protection & Privacy: strategy, advising, compliance, litigation, critical & management of sensitive & medical data, complex processing, "whistleblowers", cyber surveillance, outsourcing, data transfers, privacy policies, ...