De groote de man Ingrid de Poorter
De Groote De Man Advocaten
General Data Protection Regulation
To fear or not to fear: that is the question?
Prof. Dr. Ingrid DE POORTER
Content
• Background
• Legal structure
• Scope
• Key changes and principles
• Impact: how to prepare?
Background
• 1995: Data Protection Directive 95/46/EC applies
• 2012: European Commission publishes the legislative proposal; separate negotiations within the Council and the European Parliament follow
• Spring 2014: EP reaches agreement
• 2015: Council agreement; negotiations and approval among the three institutions
• 4 May 2016: Regulation 2016/679 published in the Official Journal; two-year implementation phase (2016 and 2017)
• 25 May 2018: Regulation 2016/679 applies (GDPR applies)
Legal Structure
Current: Data Protection Directive 95/46/EC
• Directive = implementation by the EU Member States through national law
• Significant variation and fragmentation
Future: General Data Protection Regulation 2016/679
• Goal: harmonise the current legal framework
• Regulation = directly applicable
• Consistent effect: increase legal certainty, reduce administrative burden and cost of compliance for organisations, enhance consumer confidence
Scope: MATERIAL SCOPE
What is personal data?
Information relating to an identified or identifiable natural person ('data subject')
E.g. name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
The GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system
What is processing?
Any operation or set of operations performed on personal data or sets of personal data
E.g. collection, recording, organisation, structuring, storage, adaptation, ...
Scope: TERRITORIAL SCOPE
Key change in the GDPR: extra-territorial applicability
• Regardless of the company's location
• All companies processing the personal data of data subjects in the EU/EEA
Overview
• Controllers/processors established in the EU/EEA
• Controllers/processors not established in the EU/EEA: (I) when offering goods or services to data subjects in the EU/EEA, or (II) when monitoring their behaviour
• Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law
Key Changes & Principles
Data minimization
• Adequate, relevant and limited to what is necessary for the purposes
• More restrictive obligation in the GDPR
Privacy by design
• Design data protection into the development of business processes and new systems
• Privacy settings are set at a high level by default
Key Changes & Principles
Consent
• Freely given 'consent' or 'explicit consent' (for sensitive data)
• Specific and unambiguous
• Informed (right to withdraw or object)
Data subject's rights
• The right to be forgotten: Google v. Spain case; effect on social networks
• The right to data portability
• The right to object to profiling
Key Changes & Principles
Data retention periods
• Retention of data for no longer than is necessary for the purposes
• Two new factors in the GDPR:
  1. Longer retention period possible: historical, statistical or scientific purposes
  2. Shorter retention period possible: "right to be forgotten"
Privacy impact assessments ("PIA")
• Obligation to undertake a PIA when conducting risky or large-scale processing of personal data
Data register
• Record keeping of processing activities
Key Changes & Principles
Responsibilities
• Data Controller
• Data Processor: new direct obligations – an officially regulated entity
• Data Protection Officer ("DPO"): obligation to appoint in some circumstances
• Data breach notification
Key Changes & Principles
Enforcement and Sanctions
Supervisory Authority (SA)
• Investigative power: carry out data protection audits, review certifications, notify the controller/processor of any alleged infringement of the GDPR, obtain access to all personal data and all information necessary to perform its tasks, obtain access to any premises of the controller and processor, including data processing equipment
• Corrective power: issue warnings and reprimands, order compliance, impose a temporary or definitive limitation including a ban on processing, order rectification, restriction or erasure of data or order a certification body not to issue a certificate, impose administrative fines, order suspension of data flows to a recipient in a third country or to an international organisation
• Fines: up to 4 % of annual worldwide turnover or €20,000,000
• Indemnities towards individuals
• Reputation loss AND less business
The end of big data?
• Large amounts of (personal) data;
• these data are analyzed and combined; and
• used to categorize individuals and/or to predict their behavior
Advantages of big data?
• Behavioral advertising
• Credit risk analysis
• Insurance risk analyses
Recommendations
1. anonymize personal data;
2. be transparent;
3. embed a privacy impact assessment process into big data projects;
4. adopt a privacy by design approach;
5. appoint a DPO;
6. develop ethical principles; and
7. implement audits of machine learning algorithms
Source: ico.org.uk
How to prepare & comply?
1. AWARENESS
2. DEFINE THE PROCESS TO BE REVIEWED
3. GAP ANALYSIS – IT & LEGAL
4. REMEDIATION
5. TRAINING/WORKSHOPS FOR STAFF
6. REPEAT / "BREATHE" PRIVACY
Stakeholders: Operations, Management, Legal, IT
Areas: Data minimization, Security/privacy by default, Contracts, Policies and procedures, Accountability