At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Helena Wootton looks at the things you need to do to get prepared for the new data protection regulation.
http://qonex.com/east-midlands-cyber-security-forum/
2. Agenda
• Scope and new concepts
• Data Processor / Data Controller relationship
• Children's data
• Grounds for processing
• Transparency
• Rights for individuals
• Demonstrate data governance
• Transfers of personal data
• Brexit
3. Introduction
• The General Data Protection Regulation has received political approval
• The Regulation sets a 2 year implementation period
• The Regulation will come into force in May 2018
5. In brief…
• Scope: EU based data controllers and processors, in the context of their activities in the EU.
• Where there is no EU presence, the GDPR will still apply whenever an EU resident's personal data is processed in connection with goods/services offered to them, or the behaviour of individuals within the EU is "monitored".
• The GDPR allows Member States to legislate in many areas.
• The data protection principles are revised but are broadly similar: fairness, lawfulness and transparency; purpose limitation; data minimisation; data quality; security, integrity and confidentiality.
• New concepts: transparency and consent; children and consent
• Expanded definitions of "personal data" and "sensitive data"
• Pseudonymisation; data breach notification
• Data protection by design and the new accountability principle
• Enhanced rights: to be forgotten, data portability and to object
• Supervisory Authorities
7. Controller / Processor Relationship
The Controller retains overall accountability for its processing activities, including the decision to appoint and manage a Processor.

The GDPR introduces direct obligations on, and regulation of, Processors, e.g. the Processor will conduct a PIA in its service offering (which the Controller will have to check and monitor).

The Controller and Processor may assign roles and responsibilities (on a "best-placed" basis) in the contract in relation to all the required matters, subject always to the Controller's overall accountability if they do not.

Unless respective responsibilities and liabilities are clearly laid out in the written arrangement, there can be joint and several liability for the entire damage caused to any person who suffers as a result of unlawful processing or an action incompatible with the GDPR.

If the Processor goes outside the instructions of the Controller, the Processor becomes directly liable under the GDPR to the Regulator and to Data Subjects (this does not negate the Controller's "control" obligations over the Processor).
8. Controller / Processor Relationship
Key constituent Controller obligations:
• Due diligence and appointment: ensure the Processor is able to, and does, process securely; ensure compliance with the GDPR as a whole; and ensure the protection of the rights of the data subject
• Monitoring/auditing: ensure the Processor complies with instructions and that all measures are in place to satisfy the above
• A written contract or other legal act binding the parties must be put in place. The GDPR sets out a list of 8 matters to be addressed, but essentially these cover all aspects of the GDPR
9. Appointing Processors: key business impacts
• Procurement processes: training of the team; updating of documentation, due diligence practices and results analysis
• Contracts: review and rewrite of all relevant contracts. Terms will be far more specific. Standard phrases are unlikely to be sufficient, including those that relate to subcontracting or involving further Processors.
• Post-contract auditing processes will need to be built in
• It would also be prudent to seek appropriate indemnities and warranties from the Processor about its processing and compliance, and to build in more reporting and MI obligations on the Processor, so that the Controller is given much more visibility and transparency on a regular basis and not just at annual review, specific check-points, audits or changes
• CRM issues as previously indicated
10. Additional Processor obligations
• Appointment of Data Protection Officers
• Data Protection Impact Assessments
• Data security
• Breach notification
11. Joint Controllers
Accountability of Joint Controllers

Under the GDPR:
A Controller retains overall accountability, and liability, for its own processing activities. However, where there are Joint Controllers they:
• must have an arrangement in place which determines who is effectively responsible for GDPR compliance
• must give particular attention to how subjects can best exercise their rights
• must make information about this arrangement available to subjects
Joint Controllers will have joint and several liability for all joint processing unless the arrangements are very clear on the point.

Under the current DPA:
Each Controller is fully and independently responsible for complying with the DPA for its own processing activities, and for managing its data subjects.
There is no specific legal obligation to enter into formal arrangements (although it is good practice and highly recommended to satisfy the DPA Principles).
Sharing of liability is an optional, commercial matter covered in any contract or data sharing agreement. There is no concept of joint and several liability under the DPA.
• Procurement: due diligence; relationship structures; contract negotiations and drafting
• Future-proof any current relationships which extend beyond GDPR implementation by addressing the new compulsory requirements, to the extent not already done
• Group contracting policies/precedents
• SAR process
• Customer relationship management: control of communications and standards; complaints handling; banking confidentiality (and FCA issues)
• TCF initiatives
• Litigation policies
13. In brief…
• Under 16
• Children are "vulnerable individuals" and deserve "specific protection"
• Additional rules for online services provided to children under 16: online, prior parental consent is required for use of an under 13 year old's data.
• Member States are free to set their own rules for those aged 13 to 15. If they do not, parental consent is required for children under 16.
14. What are the grounds for processing personal data?
• Similar to the current rules, except for consent
• Restrictions and clarifications around the ability to rely on "legitimate interests"
• Consent is subject to additional conditions
• Effective prohibition on "bundled" consents and on offering services contingent on consent
• Consent must be separable from other written agreements, clearly presented, and as easily revoked as given
• Further restrictions may be imposed by codes of conduct
15. In brief…
• Genetic data and biometric data
• Sensitive personal data
• New conditions regarding the processing of genetic, biometric or health data
16. Transparency
In brief…
• Controllers must provide information notices to ensure transparency of processing
• Specified information must be provided
• There is also a general transparency obligation
• Much of the additional information will not be difficult to supply, although it may be hard for organisations to provide retention periods
• There is an emphasis on clear, concise notices
17. Rights for individuals
In brief…
• Rights to object
• Subject access rights
• Data portability
• Right to erasure and right to restriction of processing
18. Demonstrate data governance
In brief…
• Implement measures to reduce the breach risk
• Take governance seriously
• Privacy Impact Assessments, audits, policy reviews, activity records and appointing a Data Protection Officer
19. Transfers of Personal Data
In brief…
• Transfers outside the EEA continue to be regulated and restricted
• Remains a significant issue
• Non-compliance proceedings can be brought against controllers and/or processors
• Safe Harbor and Privacy Shield
20. Remedies and liabilities for breach
In brief…
• Fines of up to the higher of €20,000,000 or, in the case of undertakings, 4% of global turnover
• Compensation claims
21. Impact of a Brexit
• The UK would be outside the EEA
• It would need to offer an "adequate level of protection"
• The Commission views the UK as inadequate due to defective implementation of the 1995 Directive
• The Commission's infraction proceedings against the UK are still live
• If the UK doesn't meet the 1995 Directive, it will not meet the GDPR
• The UK would need to implement "essentially equivalent" measures, or non-UK businesses would need to rely on derogations/exemptions
22. Thank you
Helena Wootton (Partner)
• Tel: 0115 976 6532
• Mobile: 07795400719
• Email: helena.wootton@brownejacobson.com