Demystifying the General Data Protection Regulation (GDPR)

Slides: 29

John Keyes LLB, BL, Assistant Commissioner - Investigations, Office of the Data Protection Commissioner, @DPCIreland
Private Security Authority (PSA), Green Isle Hotel, Dublin – 12th March 2018

GDPR
• 173 Recitals (not having force of law)
• 11 Chapters
• 99 Articles (having full force of law)

Irish SME Association (ISME) GDPR Survey
• Action to date on GDPR compliance by 507 SMEs
• Only 7% have completed a GDPR plan
• 76% are concerned about GDPR
• 62% couldn’t name any change GDPR will bring
• 70% have not identified the steps/actions needed
• 59% have no staff member responsible for overseeing compliance and preparing for GDPR

European Data Protection Legal Framework
• General Data Protection Regulation (GDPR) effective in law from 25th May 2018
• Data Protection Bill 2018 published by Government on 01 February 2018 – an important piece of the jigsaw
• Draft e-Privacy Regulation still under negotiation. Council, Parliament and Commission positions appear to have some ongoing distance between them. Unlikely to be implemented this year

Focus of the GDPR
• Giving Data Subjects more control
• Making Data Controllers/Processors more accountable
• Making personal data processing more transparent
• Reducing personal data security vulnerabilities
• Co-operation between Supervisory Authorities on cross-border processing

What’s largely unchanged in GDPR
• Concept of Personal Data
• Acts of Processing
• Data Protection Principles
• Definitions of Data Controller/Processor

GDPR Definition of Personal Data (Article 4(1))
• any information
• relating to
• an identified or identifiable
• natural person

Scope of Personal Data
• Article 29 Working Party Opinion 4/2007 on the concept of personal data
• “data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated”

Definition of Processing (Article 4(2))
• Collecting
• Recording
• Organising
• Structuring
• Storing
• Adapting
• Altering
• Retrieving
• Consulting
• Using
• Disclosing
• Disseminating
• Aligning or combining
• Restricting
• Erasing
• Destroying

Data Protection Principles – Article 5(1)
a) Processed lawfully, fairly and in a transparent manner…
b) Collected for specified, explicit and legitimate purposes…
c) Adequate, relevant and limited to what is necessary…
d) Accurate and, where necessary, kept up to date…
e) Kept in a form which permits identification for no longer than is necessary…
f) Processed in a manner which ensures appropriate security…

Definition of Data Controller (Article 4(7))
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”

Are you a Data Controller/Processor?
• Are you an organisation of any kind?
• Do you interact with living individuals?
• Do you acquire information about them?
• Do you use that information for any purpose?
If you are an organisation that acquires and uses any information about living individuals (personal data), for any purpose, you are a data controller/processor.

You must have a legal basis under Article 6(1) GDPR to process personal data
• Consent
• Contractual necessity
• Legal obligation
• Performance of a task in the public interest
• Legitimate interest of the data controller (balanced against the rights and freedoms of the individual)

Consent under GDPR (Article 4 “Definitions”)
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

What’s new in GDPR
• Accountability – demonstrating compliance
• Transparency – providing information pre-processing
• Risk-based mandatory data breach reporting (72 hours)
• New and enhanced Data Subject rights
• Administrative Fines
• Data Protection Officer (DPO) for certain organisations

Accountability
Article 24(1): “…the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”
Article 24(3): “Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller”

Transparency Requirements
At the time when personal data is obtained, provide the data subject with information in a concise, transparent, intelligible and easily accessible form, including:
• Identity of controller and DPO
• Purpose of processing and legal basis
• Source of the data
• Specific legitimate interest pursued, if applicable
• Recipients of the data
• Data transfer arrangements
• Retention period
• Right of access, rectification, erasure, objection
• Right to withdraw consent
• Right to lodge a complaint with the SA
• Details of the contractual or statutory basis
• Details of automated decision-making

Transparency
• 250 hours or 30 full working days would be required to read the privacy notices of the websites we typically visit each year (Source: Lorrie Cranor of the Federal Trade Commission)
• 30 hours would be required to read the 900 pages of user terms and conditions of the 33 apps typically found on a Norwegian smartphone (Source: The Norwegian Readathon)

Transparency
• “Growing up Digital” taskforce of the Children’s Commissioner for England
• Social networking platform’s long privacy policy deemed ‘boring’ and not understood by a group of teenagers
• “Officially you own any original pictures and videos you post but we are allowed to use them and we can let others see them as well, anywhere around the world. Other people might pay us to use them and we will not pay you for that. We can share with other companies any personal information about you such as your birthday or who you are chatting with, including in private messages”
• ‘Shocked’, less likely to engage and more likely to delete their accounts

Breach Notification to Supervising Authority
• Notification to Supervising Authority within 72 hours
• Unless “unlikely to result in a risk to the rights and freedoms of natural persons”
• ‘Risk’ might include, for example, a risk of identity theft or anything likely to lead to a financial loss for the data subject

Breach Communication to Data Subject
• “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”
• “the data controller shall communicate the personal data breach to the data subject without undue delay”
• ‘High Risk’ – a higher threshold than for the report to the SA

Personal data breach risk evaluation
Recital 75 GDPR: “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage”

Sources of Data Security Threats
Internal Threats:
• Social engineering
• Physical theft
• Privilege abuse
• Copying to personal accounts or drives
• Unintentional data leaks
• Loss of company property
External Threats:
• Social engineering
• Hacking
• Malware/Ransomware
• Malicious USB drops
• Physical theft

New and Enhanced Data Subject Rights
• Right to data portability
• Right to be informed
• Right to rectification
• Right of access
• Right of erasure
• Right to restrict processing
• Right to object to processing

Administrative Fines
• Article 83
• Up to €20m or
• 4% of global turnover for the preceding financial year

Data Protection Officer (Articles 37, 38 & 39)
• Public Authority or Body
• Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
• Processing on a large scale of special categories of data (Articles 9 and 10)

Article 29 Working Party Guidelines
• Data Portability
• Consent
• Transparency
• Personal Data Breach notification
• Profiling and Automated Decision Making
• Data Protection Officer (DPO)
• Lead Supervisory Authority
• Data Protection Impact Assessment (DPIA)

www.dataprotection.ie
@DPCIreland
info@dataprotection.ie
Thank You