ISACA Privacy Open Forum - GDPR: how to prepare for the implementation
Transcript of ISACA Privacy Open Forum - GDPR: how to prepare for the implementation
Privacy Open Forum
Tuesday, 19th of October 2016
Brussels, 19 October 2016
GDPR: HOW TO PREPARE FOR THE IMPLEMENTATION
Johan Vandendriessche
Agenda
1. 18:30 Introduction
2. 18:45 GDPR
3. 19:30 Break
4. 19:50 GDPR
5. 20:45 Close
GENERAL OVERVIEW
GDPR Status Update
• Regulation: uniform legislation within the EU
  • Approved by EP on 14 April 2016
  • Applies as of 25 May 2018
  • No specific transition measures
• Simplification?
  • No obligation to declare processing activities
  • One-stop shop mechanism
• Enforcement
GDPR: Accountability
• Different approach compared with Directive 1995/46/EC
  • Accountability
  • Risk based approach
• Directive: enforcement initiative with regulatory authority and data subjects
• GDPR: record keeping obligation and ability to demonstrate compliance
• Burden of proof
GDPR: Accountability
• Proactive compliance
  • Ability to demonstrate compliance
  • DPO
  • Record keeping obligation
  • Data breach notification obligation
• Enforcement
  • Build and maintain compliance controls
  • Audit controls
• Proactive compliance may serve to limit risks and liability
GDPR: Accountability
• Risk based approach
  • Risk vs high risk
  • Assessment of risk
    • Likelihood
    • Severity
    • Criteria: nature, extent, context and purpose of the processing
  • Role of pseudonymising
GDPR: Accountability
• Risk based approach
  • Impact: specific obligations only apply in case of high risk
    • DPIA
    • Data breach notification (notification to data subjects)
    • Prior consultation of the DPO in case of DPIAs
GDPR: scope
• Material scope
  • Automated processing of personal data
  • Other processing of personal data forming part (or intended to form part) of a filing system
• Exceptions
  • Personal or household exception
  • Other exceptions
GDPR: scope
• Territorial scope
  • EU establishment of controller or processor
    • Location of processing is irrelevant
  • Establishment of controller or processor outside the EU
    • Offering of goods or services to data subjects in the EU
    • Monitoring of behaviour taking place within the EU
GDPR: consent
• Definition of consent
  • Stricter approach than Directive 1995/46
  • Implicit vs explicit consent
    • Mere silence is no longer sufficient
  • Separate consent per purpose
• Burden of proof
• If written consent
  • Clear
  • Separate from other consents
GDPR: consent
• No transition measures
  • Earlier consent must comply with the new requirements to be valid
• Underage data subjects
  • At least 16 years (may be reduced to 13)
  • If younger: representative’s consent
  • Reasonable effort to verify the consent of the representative
• General right to withdraw consent
  • No motivation
  • As easy as giving consent
GDPR: legitimate interest
• Legitimate interest
  • Data controller
  • Third party
• Balance of interests
  • Specific case: underage data subjects
• Documentation of assessment
• Examples in preamble GDPR
GDPR: data subjects’ rights
• Overview
  • Right to information and access to data
  • Right to rectification and erasure (“RTBF”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated individual decision making, including profiling
GDPR: data subjects’ rights
• Transparency
  • Identity and contact details (including DPO)
  • Purposes of processing, including legal basis for processing
    • Legitimate interest if applicable
  • Recipients of personal data
  • International data transfers
  • Storage period
  • Specific data subject rights
GDPR: data subjects’ rights
• Right to be forgotten
  • No longer necessary
  • Withdrawal of consent and no other legal ground
  • Objection
  • Unlawful processing
  • Erasure is required for compliance with a legal obligation
  • Personal data of children (conditional)
GDPR: data subjects’ rights
• Consequences
  • Erasure of personal data
  • If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
  • Freedom of expression and information
  • Compliance with a legal obligation
  • Public interest in the area of public health
  • Archiving
  • Legal claims
GDPR: data subjects’ rights
• Right to data portability
  • Processing based on consent or contractual necessity
  • Right to receive a copy of his personal data
    • Structured, commonly used and machine readable format
  • Right to transmit personal data to another controller without hindrance
    • If technically possible: direct transmission between controllers
GDPR: data subjects’ rights
• Automated individual decision making
  • Right not to be subjected thereto
    • Legal effect concerning him
    • Significantly affects him
  • Exceptions
    • Contractual necessity (not for special categories of personal data)
    • Authorized by law
    • Based on explicit consent
  • Additional safeguards
DP by Design
• Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate necessary safeguards to ensure compliance
• Further guidance is expected
DP by default
• Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility
Personal Data Breach Notification
• Personal data breach notification
  • Personal data breach
  • Notification to supervisory authority
    • Deadline: without undue delay, but not later than 72 hours after having become aware
    • Exception: no risk
  • Data processor must inform data controller without undue delay
Personal Data Breach Notification
• Personal data breach notification
  • What?
    • Nature of breach, data involved and approx. number of data subjects
    • Contact details of DPO
    • Likely consequences
    • Mitigation action
  • Document personal data breaches
Personal Data Breach Notification
• Notification of data subjects
  • High risk
  • Not applicable if
    • Appropriate measures, e.g. encryption
    • Subsequent measures that reduce risk (no longer high risk)
    • Disproportionate effort
  • May be imposed by supervisory authority
Sanctions
• Complaint procedure
• Right to compensation and liability
• Criminal liability
• Administrative fines
  • 2% of global annual turnover or EUR 10 million, whichever is higher: organisational issues
  • 4% of global annual turnover or EUR 20 million, whichever is higher: principles, data subject rights
IMPLEMENTATION STEPS
Summary
• Document and assess existing data processing activities
• Review the existing agreements
  • Standard documents and disclaimers
  • Ad hoc agreements (data processing agreements)
• Provide training to employees
• Amend the existing data processing activities to the extent necessary or desirable
Record keeping
• Record keeping obligation (register of processing activities)
  • Who?
    • Data controller
    • Data processor
  • Which information?
    • Contact details (including DPO)
    • Categories of data subjects and personal data
    • Categories of recipients
    • International data transfers
    • Time limits
    • Security measures
Record keeping
• Register of processing activities
  • How?
    • Existing notifications with the Belgian DPA
      • Gives a first idea
      • Not a match with the requirements of the Regulation
    • Audit of all data processing activities
      • Include items to be notified in your register, even if not required by the GDPR
      • Results are the basis for further analysis
Analysis of the register
• Analysis for each data processing activity: focus on changes compared with the Directive
  • Purpose
  • Risk / high risk processing?
  • Legal basis for processing
    • Consent
      • Change to other legal basis if possible
      • If not, review compliance with new requirements
    • Legitimate interest
      • Identify and assess the legitimate interest
Analysis of the register
• Analysis
  • Notification to data subject, if any
    • Adapt where necessary and include versioning information in the register
  • Data retention
    • Re-analyse the data retention policy
  • Assess the security for each data processing activity
  • Identify recipients (data processors?)
Data Protection Impact Assessment
• Impact assessment in relation to protection of personal data
  • High risk
    • Systematic and extensive profiling
    • Processing on a large scale of special categories of data
    • Systematic monitoring of publicly accessible areas on a large scale
    • …
  • Guidance from supervisory authority
Data Protection Impact Assessment
• DPIA contents
  • Description of processing
  • Assessment of necessity and proportionality of processing
  • Assessment of risks
  • Measures to address risk
  • If appropriate: involve data subjects or their representatives
Prior consultation
• DPIA concludes that high risk is present
  • Prior consultation of supervisory authority
  • Advice within 8 weeks if supervisory authority believes processing to be non-compliant
DPO
• Mandatory DPO?
  • Public authority or body
  • Core activity requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO
DPO
• Who?
  • Expert in data protection law
  • Employee or service provider
• Tasks
  • Inform and advise
  • Monitor compliance
  • Provide advice on DPIAs
  • Cooperate with supervisory authorities
  • SPOC for supervisory authorities
• Direct reporting link to highest management level
Data processors
• Legal requirements for use of data processors are stricter
• Assess standard contracts / clauses and adapt where necessary
  • Implement new clauses by 25 May 2018 for contracts that expire after that date
  • No need to review each contract individually
    • General addendum that replaces existing clauses may suffice
Data Processors
• What is required?
  • Written agreement
    • Subject-matter, duration, nature, purpose, type of personal data, categories of data subjects and obligations and rights of the parties
  • Appropriate security measures
  • Only process in accordance with instructions
  • Confidentiality obligation
  • Data breach notification obligation?
Data Processors
• What is additionally required?
  • Appointment of sub-data processors
  • Assistance in meeting data controller requirements
  • Retransition measures
  • Audit and cooperation duty in relation to demonstration of compliance
  • Inform data controller if instruction infringes the GDPR (information duty)
  • Forward obligations to sub-data processors
Incident Policy
• Draft / review the incident policy
  • Include data breach notification obligations
  • Identify high risk processing and high risk incidents
    • Notification obligation to data subjects
  • Identify potential mitigation measures
  • DPO?
Contact details
Johan Vandendriessche
Partner - Crosslaw
Visiting Professor ICT Law – UGent
Visiting Professor ICT Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM