Implementing the new GDPR: what does it mean for Universities?


Case study: Alumni Portal

Cosimo Monda, Director, European Centre on Privacy and Cybersecurity, Maastricht University
Twitter: @ecpcmaastricht

European Centre on Privacy and Cybersecurity (ECPC)
Focus: research and professional training and education in the fields of privacy, cybersecurity, data protection, fundamental rights, transparency and confidentiality, IT, data security, and more.

Training & Professional Education @ ECPC
- ECPC-A Jump and Start Certificate
- ECPC-B DPO Certificate
- Professional University Diploma
- Professional Master Degree

SPECIAL OFFER, SURF CONFERENCE: register before 17 February to benefit from an additional 50 EUR discount. Reduction code: UM92739

SPECIAL OFFER, SURF CONFERENCE: register before 1 March to benefit from an additional 75 EUR discount. Reduction code: UM92739

The Reform of the EU data protection framework: key changes and what to expect

General Data Protection Regulation (GDPR): timeline
- 2012: start of the reform process to replace Directive 95/46/EC
- April 2016: GDPR negotiations are finalized
- 4 May 2016: GDPR is published in the Official Journal of the EU; start of the countdown
- 25 May 2018: GDPR enters into force (2 years + 20 days after publication) and is applicable in 2018
In The Netherlands the GDPR is set to replace the Wet bescherming persoonsgegevens (Wbp), which implemented Directive 95/46/EC.

Applicable Law Rules
Broader territorial reach than the current regime:
- GDPR applies where processing takes place in the context of the activities of an establishment of a controller or processor in the EU
- GDPR applies to controllers outside the EU when processing activities relate to:
  - offering goods or services to data subjects in the EU
  - monitoring the behavior of data subjects in the EU
- The "making use of equipment" criterion no longer applies

E-Privacy Regulation: timeline
- 14 December 2016: leak of the Commission draft for the e-Privacy Regulation, which is to replace the e-Privacy Directive
- 10 January 2017: official publication of the Commission draft for the e-Privacy Regulation (differs from the previous leak)
- 2017/2018: trilogues / formal reading by EP and Council
- 25 May 2018 (?): e-Privacy Regulation applies (Art. 29(2) of the official COM draft)
The e-Privacy Regulation will replace the Telecommunicatiewet, which implemented the e-Privacy Directive in The Netherlands.

What will change with the GDPR?

Key terms & concepts in the GDPR

Term                                   Definition in GDPR
Controller                             retained
Processor                              retained
Consent                                amended
Main establishment of the Controller   new
Personal data                          retained
Data subject                           new
Special/sensitive data                 amended
Pseudonymization                       new

Substantive Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
  - incompatible further processing still prohibited
  - criteria for assessing compatibility identified
  - further non-consensual uses allowed in certain cases:
    - where required by law; or
    - for scientific or historical research or statistical purposes
- Data minimization
- Accuracy, including erasure and rectification without delay
- Storage limitation

Lawfulness of processing: legitimate interest
- still a valid legal basis to process non-sensitive data
- balanced against the interests and fundamental rights and freedoms of the individual; extra protection for children
- reasonable expectations of the individual concerned
- no legal basis for public authorities

Lawfulness of processing: valid consent
- specific and informed
- unambiguous: a statement or clear affirmative action (opt-in)
- freely given
Other grounds for lawfulness remain available.

Profiling
Restrictions where profiling:
- has legal consequences; or
- significantly affects the individual
Only allowed in exceptional cases:
- necessary for the performance of a contract
- authorized by EU or Member State law
- explicit consent
Profiling with special data is prohibited unless there is explicit consent or a substantial public interest backed by EU or Member State law.

Accountability (I)
- Responsibility of controllers: ability to demonstrate GDPR compliance
- Implement data protection by design and by default
  - restrictive privacy settings, e.g. data must not be made public by default
- Appointment of a DPO with significant powers and independence
  - mandatory for public bodies
  - national law may specify more situations in which DPO appointment is mandatory

Accountability (II)
- Data protection impact assessment prior to processing: mandatory for controllers for high-risk processing
- Data security: enhanced obligations for controllers and processors
- Data breach notification to the competent SA without undue delay

Data Subject Rights
General points:
- Controllers must facilitate the exercise of rights
- No undue costs for data subjects
- Set time to respond to data subjects' requests
Rights:
- Right to fair processing of information
- Right to access
- Right to rectify
- Right to restrict processing
- Right to object to processing
- Right to erasure ("right to be forgotten")
- Right to data portability

Enforcement
- Substantially higher fines
- Supervisory Authorities have more powers:
  - investigative powers (audits, access to data and premises)
  - authorization and advisory powers (Codes of Conduct, BCRs)
  - corrective powers (order to comply, ban on processing, suspension of data flows, fines)

Case Study: Alumni Database
Christopher Mondschein
Twitter: @ecpcmaastricht

Frequently Asked Questions
1. Is the university allowed to keep the data of its alumni in a database without having gathered their consent?
2. Is the university allowed to contact alumni via electronic means to inform them of activities, news, etc.?
3. Is the university allowed to create an Alumni Portal with the data it has on its alumni? What is the applicable legal basis for the processing of this data?
4. Must the university remove the alumni's personal data from the database/Alumni Portal after a certain period of time?

1. Storing Alumni Data
Legitimate interest:
- Art. 8(f) Wet bescherming persoonsgegevens
- Art. 29 WP Opinion 6/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC
- In future: Article 6(1)(f) GDPR & Recital 47 GDPR
Balancing test: processing is necessary for the purposes of the legitimate interest of the controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject (esp. the right to privacy).
Reasoning:
- The university should know who its former students are, when they graduated, etc.
- Maintaining records of graduates is part of its public task
- The data is not publicly accessible
Remember: data subject rights remain applicable.

2. Communication with Alumni
Communication via electronic means (e.g. email) falls under the Telecommunicatiewet and the Wbp:
- sending emails requires prior specific consent: opt-in plus clear and specific consent
- consent cannot be assumed from a failure to act
- consent can be withdrawn at any time
In future, the GDPR and the e-Privacy Regulation apply.

3. Alumni Portal
Legal basis:
- unambiguous consent (opt-in)
- legitimate interest
In practice:
- Alumni enter the portal and receive the terms & conditions and the privacy policy; they must tick a box to agree (the box is not pre-ticked)
- Alumni agree and then publish the information they wish to be available about them in the portal; only this information is available (privacy by default)
- Periodic reminder to check whether their data is accurate

4. Removal of Personal Data from the Database/Alumni Portal
Database:
- Legal requirement to store minimum information regarding the graduation: assess what the minimum data is (in line with the data minimization principle)
- Remove from the mailing list upon request
Alumni Portal:
- Remove all personal data upon request

Do's
- When contacting alumni, clearly identify the university, provide a contact point and explain how to opt out in every mailing
- Gather consent
  - Consent must be recorded
  - Opt-in consent, e.g. via an unchecked box, along with all relevant information
- Keep up-to-date records
- Respond to objections by updating the database; unsubscribe individuals if they request it
- Respond within 30 days to requests by data subjects

Don'ts
X Do not send emails without having obtained specific prior consent
X Do not send emails asking for consent
X Do not ignore data subjects' requests to be removed from the mailing list
X Do not ignore data subjects' requests to access their information
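The portal and mailing rules from the case study (opt-in box that is not pre-ticked, recorded and withdrawable consent, no mailing without prior consent, privacy by default, 30-day response window) written out as a small consent ledger. This is an added example, not code from the presentation or from Maastricht University; the purpose names, field names and the sample timestamp are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RESPONSE_DEADLINE = timedelta(days=30)  # "respond within 30 days" (from the slides)
SAMPLE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed sample timestamp

@dataclass
class ConsentRecord:  # one recorded opt-in; withdrawal marks it rather than deleting it
    purpose: str
    policy_version: str  # which terms & conditions / privacy policy text was shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class AlumnusProfile:
    email: str
    consents: List[ConsentRecord] = field(default_factory=list)
    published: Dict[str, str] = field(default_factory=dict)  # only what the alumnus chose to publish

def record_consent(p: AlumnusProfile, purpose: str, policy_version: str,
                   box_ticked: bool, now: datetime) -> bool:
    """Opt-in only: an unticked box records nothing, and a pre-ticked box is never offered."""
    if not box_ticked:
        return False
    p.consents.append(ConsentRecord(purpose, policy_version, now))
    return True

def withdraw_consent(p: AlumnusProfile, purpose: str, now: datetime) -> None:
    """Consent can be withdrawn at any time; the record stays as evidence, marked withdrawn."""
    for c in p.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = now

def may_email(p: AlumnusProfile) -> bool:
    """Don't: send mailings (even ones asking for consent) without specific, unwithdrawn prior consent."""
    return any(c.purpose == "mailing" and c.withdrawn_at is None for c in p.consents)

def portal_view(p: AlumnusProfile, fields: List[str]) -> Dict[str, str]:
    """Privacy by default: a field is visible only if the alumnus explicitly published it."""
    return {f: p.published[f] for f in fields if f in p.published}

def request_due_by(received_at: datetime) -> datetime:
    return received_at + RESPONSE_DEADLINE  # latest date to answer a data subject request

def remove_from_portal(p: AlumnusProfile, now: datetime) -> None:
    p.published.clear()  # removal on request: drop all published data, withdraw portal consent
    withdraw_consent(p, "portal", now)
```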

Be Prepared
- Allocate sufficient budget to tackle the data protection reform in your organization
- Appoint a DPO
- Review your governance structure
- Review privacy policies
- Prepare a response mechanism for data subject requests
- Start implementing privacy by design and by default
- Revise the informed consent form and have up-to-date information ready for data subjects' requests for information

- Accountability
- Rights of the data subject
- Data protection by design & by default
- Simplified data processing cycle
- Legitimate basis
- Data protection impact assessment
- Information to the data subject

Thank You!
EUROPEAN CENTRE ON PRIVACY AND CYBERSECURITY
Website: www.maastrichtuniversity.nl/ecpc
Cosimo Monda, Director. Email: Cosimo.monda@maastrichtuniversity.nl
Christopher Mondschein. Email: c.mondschein@maastrichtuniversity.nl
Twitter: @ecpcmaastricht