GDPR compliance: some basics & practical to-do list
Philippe LAURENT
Independent full-service business law firm located in Brussels
May 2017
Personal data processing = any operation or set of operations which is performed on any information relating to an identified or identifiable natural person
Controller = determines the purposes and means of the processing of personal data
Processor = processes personal data on behalf of the controller (= means)
NOW: Data Protection Directive
- EU: Directive 95/46/EC
- BE: Act of 8 December 1992 + Royal Decrees + specific laws
GDPR: 25 May 2018
- EU: Regulation 2016/679
- BE: specific laws
Main principles remain unchanged
Conditions of lawfulness:
- Fair, lawful & transparent processing (LAWFULNESS)
- Specified + explicit + legitimate purposes & compatible use (PURPOSE)
- Adequate, relevant, not excessive data (MINIMISATION / PROPORTIONALITY)
- Accurate and updated data (INTEGRITY)
- Kept no longer than necessary (MINIMAL RETENTION)
- Adequately protected (SECURITY)
Main obligations of the controller: NOW
- Legitimacy & lawfulness of the processing (see above)
- Notification to the DPA
- Information to be provided to data subjects
- Respecting the data subjects' rights (access, rectification, objection, …)
- Confidentiality and security of the processing => measures / controlling processors
Main obligations of the controller: GDPR
- Legitimacy & lawfulness of the processing (see above)
- Notification to the DPA
- Governance & accountability (documentation!)
- Information to be provided to data subjects (ext.!)
- Respecting the data subjects' rights (access, rectification, objection, …) + portability, limitation, …
- Confidentiality and security of the processing => measures / controlling processors
- Privacy by design & privacy by default
- DPO
- Impact assessment
- Notification of data security breaches
- + obligations of the PROCESSOR!
To-do list
- Compliance program + governance structure
- Document processing activities / data flows / legal grounds
- Identify competent supervisory authority
- Check necessity to maintain a formal record of processing activities
- Consider appointing a Data Protection Officer
- Conduct IT security / information audit
- Adapt internal privacy policies + HR training
- Review contracts with processors / subcontractors
- Update information to data subjects
- Review consent forms
- Consider adherence to code of conduct / certification
- Adopt processes to respect data subjects' rights
- Consider impact assessment before each new processing
- Implement privacy by design & by default in developments
- Adopt crisis plan (data security breach)
- + Monitoring: new local laws, guidelines of authorities
- Avoid exposure to penalties up to 20M EUR / 4% of annual turnover
NEW: + obligations of the PROCESSOR!
Processor = natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
e.g.: IT providers, cloud services, hosting, web agencies, …
!!! Situations where processors become controllers (2 processings => 2 controllers)
+ obligations of the PROCESSOR!
Directive 95/46: only contractual obligations
GDPR: direct statutory obligations
- compliance & accountability
- direct liability
- exposure to penalties
Understand responsibilities under GDPR:
- Processing requirements
- Data security & confidentiality requirements
- Cooperation & consultation requirements
+ obligations of the PROCESSOR! Processing requirements
- Processing on documented instructions from the controller
» inform the controller if instructions infringe the GDPR or other laws (!)
» if the processor processes for its own purposes: it becomes a controller (accountability, obligations, penalties, …) (!)
- Appointment of sub-processors
» subject to the controller's approval
» the processor remains liable for its sub-processors
- Record of all categories of processing activities
» (professional processor => processing not occasional? / sensitive data? / intrusive processing?)
- Consider appointment of a DPO
- Respect rules on data transfers
+ obligations of the PROCESSOR! Data security & confidentiality requirements
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
» encryption, on-going review of security measures, back-up facilities, etc.
- Consider adherence to an approved code of conduct / certification mechanism
- Confidentiality clauses
- Data breaches: reporting to the controller without undue delay
- End of service: data reversibility / deletion
+ obligations of the PROCESSOR! Cooperation and consultation requirements
- Provide the controller with all information necessary to demonstrate compliance with the GDPR (audit!)
- Implement measures to assist the controller in complying with the rights of data subjects
- Assist the controller in data protection impact assessments
- Cooperate in case of a data breach
- Subject to supervision / orders of the Supervisory Authority + cooperate with the SA
NB: in case of non-compliance, where do the threats come from?
- Supervisory authority
- Clients
- Competitors
- Data subjects (! class action)
Philippe LAURENT
philippe.laurent@mvvp.be
Lawyer at the Brussels Bar, Marx Van Ranst Vermeersch & Partners (MVVP)
Professional Trainer, www.legalict.be
DPO AS A SERVICE
- Intellectual Property (copyright, trademarks, models & designs, patents, trade names, domain names, databases, confidentiality, trade secrets, …): protection, management, strategy, advising, clearing, contracts, licensing, litigation, …
- ICT Law: e-commerce, Internet & cyberlaw, cloud computing, outsourcing, software, open source, services, SLAs, terms of use, liabilities & warranties, supply chain management, telecom, competition law
- Commercial & Distribution Law: contracts, litigation, e-commerce, distributorships, franchises, agencies, trade practices, consumer protection, advertisement, marketing, promotion, games, gambling, regulatory, …
- Data Protection & Privacy: strategy, advising, compliance, litigation, critical & management of sensitive & medical data, complex processing, "whistleblowers", cyber surveillance, outsourcing, data transfers, privacy policies, …