Your Obligations under the General Data Protection Regulation (GDPR)

Julie Austin - Partner, McDowell Purcell Solicitors

Overview

1. What is the GDPR?
2. Key Definitions
3. Why is it important?
4. Key Obligations
5. Key Actions

What is the GDPR?

Previous Regime:
- Directive 95/46/EC
- Data Protection Acts 1988-2003

New Regime (May 2018):
- General Data Protection Regulation 2016
- Data Protection Act 2018
- Data Protection Commissioner Guidelines
- Article 29 Working Group Opinions

Definitions: "Personal Data"

"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

Definitions: "Special Category Data"

- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- data concerning health
- data concerning a natural person's sex life or sexual orientation

Definitions: "Data Controller" / "Data Processor"

- Data Controller: determines the purposes and means of processing personal data
- Data Processor: processes personal data on behalf of the controller
- Processing: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination

Why does it matter?

- Administrative fines
- Claims for compensation

Administrative Fines

- Old Regime: no power to impose fines in Ireland
- New Regime: administrative fines
- Two-tier structure:
  - Up to EUR 10 million or 2% of turnover
  - Up to EUR 20 million or 4% of turnover

Considerations to be taken into account when determining the level of fines

Fines must be effective, proportionate and dissuasive. Factors considered:
- Nature, gravity and duration of the infringement
- The intentional or negligent character of the infringement
- Mitigating actions taken
- Degree of responsibility (technical or organisational measures implemented)
- Previous infringements
- Cooperation with the supervisory authority
- Categories of personal data affected
- Who notified the infringement
- Compliance with previous orders
- Adherence to codes of conduct
- Any other aggravating or mitigating factors

Right to Compensation

- Right to sue for damage suffered as a result of a breach of GDPR rights
- Covers material or non-material damage
- Provides for collective claims
- A new breed of litigation

Key Obligations

1. Must have a legal basis to process data
2. Must keep data secure
3. Must report data breaches
4. Must retain data for only as long as required
5. Must respond to data access requests

Obligation 1: Must have a Legal Basis to Process Data

Grounds for Processing Personal Data

i. Consent
ii. Performance of a contract
iii. Compliance with a legal obligation
iv. To protect the vital interests of the data subject or of another natural person
v. Task carried out in the public interest or in the exercise of official authority vested in the controller
vi. Legitimate interests (subject to the fundamental rights of the data subject)

Conditions for Consent

- Consent must be "freely given, specific, informed and unambiguous"
- Conditions for valid consent:
  1. Must be verifiable
  2. Consent must be clearly distinguishable
  3. Right to withdraw
- Must be opt-in: pre-ticked boxes are no longer sufficient
- Fine: EUR 20 million / 4% of turnover

Grounds for Processing Special Category Data

i. Explicit consent
ii. Legal obligation related to employment
iii. Vital interests
iv. Not-for-profit bodies
v. Public information
vi. Legal claims
vii. Substantial public interest
viii. Healthcare purposes
ix. Public health (subject to conditions)
x. Scientific research purposes (subject to conditions)
xi. Where necessary for carrying out obligations and exercising rights in the field of employment (Bill)

Obligation 1: Key Action Points for Mediators

- Ensure consent is given prior to taking any papers
- Include a Data Protection Clause in the Agreement to Mediate
- Introduce a Data Protection Policy covering the matters identified in Art 13 of the GDPR

Obligation 2: Must Keep Data Secure

Data Security Examples:

- Password protection
- Fingerprint recognition on phones
- Encryption, particularly for special category data
- Enable remote destruction of data on handheld devices
- Don't leave papers in meeting rooms
- Don't leave papers in cars overnight
- Wipe whiteboards/flip charts once finished
- Secure shredding

Obligation 3: Must Report Data Breaches

Data Breaches

- Old Regime: no obligation to report data breaches
- New Regime: mandatory obligation on the data controller (DC) to report breaches
- Mandatory information must be included in notifications
- A log of data breaches must be maintained
- The data processor (DP) must also report breaches to the DC
- Fine: EUR 10 million / 2% of turnover


Data Breaches

A personal data breach is the "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

STATISTICS

[Chart: 448 incidents recorded by the Information Commissioner's Office ("ICO") between the beginning of January and the end of March 2016, broken down by category:
- Posted/faxed to incorrect recipient
- Loss/theft of paperwork
- Emailed to the wrong recipient
- Unencrypted devices being lost/stolen
- Unsecure disposal of paperwork
- Failed to correctly redact personal data
- Information uploaded to a webpage / verbally disclosed / insecure disposal of hardware
- Insecure websites, e.g. hacking
- Recorded by the ICO but uncategorised
The per-category counts shown on the chart (74, 128, 74, 39, 19, 42, 28, 24, 20) sum to 448.]

STATISTICS

[Chart: 2,301 incidents reported to the Data Protection Commissioner of Ireland in 2016, broken down by category:
- Theft of IT equipment
- Website security
- Unauthorised disclosure - postal
- Unauthorised disclosure - electronic
- Unauthorised disclosure - other
- Security-related issues
- Non-breach
The per-category counts shown on the chart (44, 77, 14, 103, 570, 1117, 376) sum to 2,301.]

Data Breaches (reported examples)

1. HSE: 19 February 2017
2. Grant Thornton: 23 May 2017
3. Department of Social Protection: 13 June 2016

Obligation 4: Must Respond to Data Access Requests

Data Access Requests (SARs)

- Allow data subjects to verify the lawfulness of processing
- 1 month to comply (possible extension of a further 2 months)
- Mandatory information must be provided by the data controller to the requestor
- Some exemptions apply, including:
  - Manifestly unfounded or excessive requests
  - Third-party data
  - Where it would adversely affect the rights and freedoms of individuals
  - Expressions of opinion given in confidence
- Fines: EUR 20 million / 4% of turnover

Obligation 5: Must Keep Data for no Longer than Reasonably Required

Data Retention

- Destroy personal data once it is no longer required
- Reasonableness and proportionality tests apply
- No "one size fits all" approach

Key Action Points

1. Insert a Data Protection Clause in the Agreement to Mediate
2. Introduce a Data Protection Policy
3. Set a data retention period for records and inform the parties to the mediation
4. Introduce security measures

Questions?

Thank you!

Julie Austin, Partner
E: jaustin@mcdowellpurcell.ie
DD: 01 8280656