GDPR: Opportunities and Challenges for Swiss Companies
David Rosenthal
RSA SecurID Suite and GDPR Roadshow
January 16-18, 2018
Version 1.01
Are we facing a Tsunami?
Three new regulations …
EU General Data Protection Regulation (GDPR)
In force as of May 25, 2018
Provides for fines for companies of 2% (or EUR 10 Mio.) and 4% (or EUR 20 Mio.) of the worldwide turnover, respectively
Intended to apply also outside the EU (and EEA)
Will soon be followed by the revised EU ePrivacy Regulation
Applies outside the EU, too, and provides for the same fines as the GDPR
Swiss Data Protection Act (DPA)
Overall revision along the same lines as the GDPR, hopefully without "Swiss Finishes"
Deliberations in parliament already underway (see: https://goo.gl/QMZxu9)
Likely to become law in 2019, with a transitional period of two years
Provides for fines for responsible individuals of up to CHF 250'000
How well prepared are you?
Some questions for companies …
State-of-the-art data security?
All data processing activities on record?
Data protection compliance fully documented?
Unused data is deleted and all other processing principles are complied with, as well?
Data protection responsibilities are defined?
Data protection is clearly regulated?
All employees are trained, regular audits take place?
Data agreements with providers, partners, etc.?
Data subjects are provided with full information?
Procedures for all data subject rights, privacy impact assessments, data breach notifications?
Some questions for service providers …
State-of-the-art data security?
All data breaches reported immediately?
Transfers to "unsafe" countries and to subcontractors governed by contracts?
There are data protection contracts with all clients?
All customers are supported in connection with data subject requests and privacy impact assessments?
There is a record of data processing for all clients?
All customers have a veto on subprocessors?
You have a data protection officer?
Who complies with everything? Nobody!
Who has which obligations?
Obligations pursuant to the GDPR (as of May 2018) and DPA (as of 2019-2021), by role: Controller / Processor
Transparency, information of data subjects, purpose of use limitation
Proportionality (including data minimization, length of record retention)
Legal basis pursuant to GDPR, sufficient justification pursuant to DPA
Correctness of data
Data security
Accountability re compliance with requirements
Prerequisites for transfers abroad
Compliance with data subject rights (right of access, deletion, objection, etc.) (Processor: support)
Privacy by Default, Privacy by Design
Performance of data protection impact assessments (Processor: support)
Obligations concerning delegation of data processing (contract, etc.)
Data breach notifications
Data protection officer pursuant to the GDPR
Records of data processing activities
Cooperation with supervisory authorities
Controller = the party in charge of controlling the processing of the data; the data "owner"
Processor = the party processing data for a controller under a mandate of such controller (e.g., an outsourcing provider)
GDPR: Applicable to whom?
Companies with an establishment (also) in the EU: GDPR directly applicable. Also applies to Swiss companies (e.g., with an EU branch office)
Companies in Switzerland that clearly intend to offer products or services to individuals in the EU: GDPR directly applicable
Companies in Switzerland that monitor the behavior of individuals in the EU: GDPR directly applicable
Companies in Switzerland that have their data processed by a provider in the EU (e.g., cloud): Companies are not subject to the GDPR but will have to be obliged by a contract to comply (unclear). GDPR directly applicable to the provider
Providers in Switzerland that process data for companies in the EU: Swiss providers will only be contractually obliged to comply with the GDPR (unclear)
GDPR: What will change?
It is no longer sufficient to be transparent when collecting data; it now becomes necessary to provide data subjects with a whole list of mandatory information
Each and every data processing activity of a company must be recorded in an inventory
Obligation to perform data protection impact assessments that in part have to be notified
Obligation to notify data breaches to supervisory authorities and data subjects
Rules for default data processing settings ("Privacy by Default")
Right to human intervention with automated individual decisions that have significant effects
Supervisory authorities with new powers to sanction and intervene and obligations to investigate
Consent has to be obtained separately, not as part of general terms and conditions and without pre-ticked boxes, but with clear information on the right to withdraw at any time
Service users have a right to get a copy of all data established about them ("data portability")
Obligation to nominate a data protection officer and a representative within the EU
Legend: GDPR and DPA / GDPR only
GDPR: What will not change?
A lot will in principle remain as it is
What is in scope, which is personal data, i.e. any information that relates to an identified or identifiable individual
How personal data may be processed, e.g., the principle of data minimization, transparency, purpose of use limitation and correctness of data
Requirements in terms of data security
Requirement of a legal basis such as a contract, consent, legal obligation or legitimate interests
Data subject rights, such as the right of access, right to correct and object, right to be forgotten
Provisions on the transfer abroad, in particular into countries without an adequate level of data protection
But:
Violations are sanctioned more severely
Burden of proof is (more clearly) upon the controller of a data processing activity ("accountability")
Requirements in terms of documentation and other aspects of governance have increased massively
Expectations of the supervisory authorities are on the rise
Example
Data has to be pseudonymized as soon as possible and later on also deleted or anonymized
Many companies do not manage disposal of data
Pseudonymization is even less common
New buzzword "Privacy by Design"
Art. 25 GDPR
Simpler: Art. 7 para. 1 DPA (today)
All clear?
New requirements for contracts with processors
Data processing only for the purposes of the customer
Data processing only upon instruction of the customer
Provider has to ensure adequate data security
No subprocessing without veto right for, or other consent by, the customer
No data exports without instruction or consent by the customer
Employees must be bound to confidentiality
Return and deletion of data following the end of the mandate
Support of the customer when complying with data subject rights
Support of the customer when complying with his obligation to notify data breaches and undertaking data protection impact assessments
Evidence on compliance with requirements, support of audits by customer
Warnings if provider can't comply due to own legal obligations
Under the GDPR, this now has to be included in the provider contract, too
New obligation to notify "data breaches"
Data breaches that impact the ability to control data or its integrity have to be recorded and – if consequences are possible for data subjects – notified to the supervisory authority within 72 hours
What has happened? Who is affected? Consequences? Measures? Contact?
Hacking, data loss, misdirected e-mails, access by unauthorized employees, etc., but not an excessive processing of personal data
Intangible consequences are sufficient (e.g., loss of control over data)
If there is a high risk of consequences, there is also an obligation to inform the data subjects
Not necessary in case of measures that prevent access by third parties (e.g., encryption of data) or have in all likelihood eliminated the risk
If informing the data subjects involves disproportionate efforts: a public communication or similar measure, provided data subjects are informed in an "equally effective" manner
Switzerland: similar, but less strict notification obligations are planned; they carry no sanctions
What companies should do
Set up a data protection compliance organization
An official data protection officer is often not needed
Clarify your strategy in relation to the GDPR
Will the company be subject to the GDPR? Does it make sense to comply with it voluntarily?
Analyse data processing activities, take record of them, assess and document compliance
Describe data processing activities, collect contracts, etc.; this also applies to mere data processors
Compliance check: are the requirements of the GDPR complied with? Which measures are necessary? Priorities? Document compliance
Assess the processing of data as a whole ("how to slice the elephant"), risk-based approach
Develop mandatory information for data subjects
Adapt consent declarations and terms & conditions
Verify or enter into GDPR-compliant contracts with third parties
Groups: Intra Group Data Transfer Agreement
Customers, processors, suppliers, other partners
Adapt internal procedures and, where necessary, internal systems
For data security, anonymization and disposal of data, data subject rights, automated decisions, data breach notifications, data protection impact assessments
Have in place guidelines, trainings and audits
Conclusion
GDPR means more documentation, more bureaucracy and more pressure to do it right
The principles of how to process personal data do not really change
Outsourcing, including to the cloud, remains possible without any unsolvable problems
Systems have to be adapted to comply with data protection (information obligations, right to give selective consent, right to object and correction, disposal of data no longer needed, etc.)
Chances are that what the GDPR requires you to do you will have to do also under Swiss law
Sanctions provide for management attention, but should not be at the focus
At least in Switzerland they will be the exception
Companies in Switzerland will primarily focus on the Swiss supervisory authority
Nobody fully complies with data protection; therefore, act in a "risk based" manner
Providers: approach your customers, adapt your contracts, explain to them how you will comply with the requirements of the GDPR and the revised Swiss DPA
Do your homework in terms of documentation
And the opportunities?
Opportunity to sell more products and services
Information security, data tools, management and legal advice, project management, etc.
Opportunity to create new, interesting and safe job positions
Data protection officer
Opportunity to get management attention
Data protection has become a board level topic
Opportunity to better understand the data universe of a company, to better manage and in the end also to better exploit it
Far beyond data protection
Opportunity for a company to better market itself
Being an attractive provider due to a high level of data protection compliance
I am looking forward to May 25, 2018 …
lic. iur. David Rosenthal
T +41 43 222 16 69
www.homburger.ch
Homburger AG │ Prime Tower │ Hardstrasse 201 │ CH-8005 Zürich