De groote de man Ingrid de Poorter


Transcript of De groote de man Ingrid de Poorter

Page 1: De groote de man Ingrid de Poorter

Advocaten

General Data Protection Regulation

To fear or not to fear: that is the question?

Prof. Dr. Ingrid DE POORTER

Page 2

Content

• Background

• Legal structure

• Scope

• Key changes and principles

• Impact: how to prepare?

Page 3

Background

Timeline from the Data Protection Directive to the GDPR:

• 1995: Data Protection Directive 95/46/EC applies

• 2012: European Commission publishes the legislative proposal

• Separate negotiations within the Council and the European Parliament

• Spring 2014: EP reaches agreement

• 2015: Council agreement

• Negotiations & approval among the three institutions

• 4 May 2016: Regulation 2016/679 published in the Official Journal

• 2016 to 2018: two years implementation phase

• 25 May 2018: Regulation 2016/679 applies from this date (GDPR applies)

Page 4

Legal Structure

Current: Data Protection Directive 95/46/EC

• Directive = implementation by the EU Member States through national law

• Significant variation and fragmentation

Future: General Data Protection Regulation 2016/679

• Goal: harmonise current legal framework

• Regulation = directly applicable

• Consistent effect: increase legal certainty, reduce administrative burden and cost of compliance for organisations, enhance consumer confidence

Page 5

Scope: material scope

What is personal data?

Information relating to an identified or identifiable natural person (‘data subject’)

F.e. name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

The GDPR applies to the processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system

What is processing?

Any (set of) operation(s) which is performed on (sets of) personal data

F.e. collection, recording, organization, structuring, storage, adaptation, …

Page 6

Scope: territorial scope

Key change GDPR: extra-territorial applicability

• Regardless of the company’s location

• All companies processing the personal data of data subjects in the EU/EEA

Overview

• Controllers/processors established in the EU/EEA

• Controllers/processors not established in the EU/EEA:

  I. when offering goods or services to data subjects in the EU/EEA, or

  II. when monitoring their behavior

• Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law

Page 7

Key Changes & Principles

Data minimization

• Adequate, relevant and limited to what is necessary for purposes

• More restrictive obligation in GDPR

Privacy by design

• Design data protection into development of business processes and new systems

• Privacy settings are set at a high level by default

Page 8

Key Changes & Principles

Consent

• Freely given ‘consent’ or ‘explicit consent’ (for sensitive data)

• Specific and unambiguous

• Informed (right to withdraw or object)

Data subject’s rights

• The right to be forgotten: Google v. Spain case; effect on social networks

• The right to data portability

• The right to object to profiling

Page 9

Key Changes & Principles

Data retention periods

• Retention of data for no longer than is necessary for purposes

• Two new factors in GDPR:

  1. Longer retention period possible: historical, statistical or scientific purposes

  2. Shorter retention period possible: “right to be forgotten”

Privacy impact assessments (“PIA”)

• Obligation to undertake a PIA when conducting risky or large scale processing of personal data

Data register

• Record keeping of processing activities

Page 10

Key Changes & Principles

Responsibilities

• Data Controller

  • Data breach notification

• Data Processor

  • New direct obligations – an officially regulated entity

• Data Protection Officer (“DPO”)

  • Obligation to appoint in some circumstances

Page 11

Key Changes & Principles

Enforcement

Supervisory Authority (SA)

• Investigative power: carry out data protection audits, review certifications, notify the controller/processor of any alleged infringement of the GDPR, obtain access to all personal data and all information necessary to perform its tasks, obtain access to any premises of the controller and processor including data processing equipment

• Corrective power: issue warnings and reprimands, order compliance, impose a temporary or definitive limitation including a ban on processing, order rectification, restriction or erasure of data or order a certification body not to issue a certificate, impose administrative fines, order suspension of data flows to a recipient in a third country or to an international organisation

Sanctions

• Fines: up to 4 % of annual worldwide turnover or €20,000,000

• Indemnities towards individuals

• Reputation loss

AND

• Less business

Page 12

The end of big data?

Advantages of big data?

• Large amounts of (personal) data;

• these data are analyzed and combined; and

• used to categorize them and/or to predict their behavior

• Behavioral advertising

• Credit risk analysis

• Insurance risk analyses

Recommendations

1. Anonymize personal data;

2. be transparent;

3. embed a privacy impact assessment process into big data projects;

4. adopt a privacy by design approach;

5. appoint a DPO;

6. develop ethical principles; and

7. implement audits of machine learning algorithms

Source: ico.org.uk

Page 13

How to prepare & comply?

DATA MINIMIZATION

1. AWARENESS

2. DEFINE THE PROCESS TO BE REVIEWED

3. GAP ANALYSIS – IT & LEGAL

4. REMEDIATION

5. TRAINING/WORKSHOPS FOR STAFF

6. REPEAT / “BREATHE” PRIVACY

• Operations

• Management

• Legal

• IT

Security / privacy by default

Contracts

Policies and procedures

Accountability

Page 14

Heernislaan 9, 9000 Gent

+32 9 277 44 [email protected]

Contact me for more information!