General Data Protection Regulation
What do you need to do to get prepared?
May 2016
Agenda
• Scope and new concepts
• Data Processor / Data Controller relationship
• Children’s data
• Grounds for processing
• Transparency
• Rights for individuals
• Demonstrate data governance
• Transfers of personal data
• Brexit
Introduction
• The General Data Protection Regulation has received political approval
• The Regulation has set a 2 year implementation period
• The Regulation will come into force in May 2018
Scope and new concepts
In brief…
• Scope: EU based data controllers and processors in the context of their activities in the EU.
• Where there is no EU presence, the GDPR will still apply whenever an EU resident’s personal data is processed in connection with goods/services offered to them or the behaviour of individuals within the EU is “monitored”.
• The GDPR allows Member States to legislate in many areas.
• The data protection principles are revised but are broadly similar: fairness, lawfulness and transparency; purpose limitation; data minimisation; data quality; security, integrity and confidentiality.
• New concepts: Transparency and consent, Children and consent
• Expanded definitions of ‘personal data’ and ‘sensitive data’
• Pseudonymisation, Data breach notification
• Data protection by design and new accountability principle
• Enhanced rights – to be forgotten, data portability and to object
• Supervisory Authorities
Controller Processor Relationship
The Controller retains overall accountability for its processing activities, including the decision to appoint and manage a Processor.
The GDPR introduces direct obligations on, and regulation of, Processors, e.g. a Processor will conduct a PIA on its service offering (which the Controller will have to check and monitor).
The Controller and Processor may assign roles and responsibilities (on a "best-placed" basis) in the contract in relation to all the required matters, subject always to the Controller's overall accountability if they do not.
Unless respective responsibilities and liabilities are clearly laid out in the written arrangement, there can be joint and several liability for the entire damage caused to any person who suffers as a result of unlawful processing or an action incompatible with the GDPR.
If the Processor goes outside the instructions of the Controller, the Processor becomes directly liable under the GDPR to the Regulator and Data Subjects (this does not negate the Controller's "control" obligations over the Processor).
Controller Processor Relationship
Key constituent Controller obligations:
• due diligence and appointment: ensure the Processor is able to, and does, process securely, ensure compliance with the GDPR as a whole, and ensure the protection of the rights of the data subject
• monitoring/auditing: ensure the Processor complies with instructions and that all measures are in place to satisfy the above
• a written contract or other legal act binding the parties must be put in place. The GDPR sets out a list of 8 matters to be addressed - but essentially, these cover all aspects of the GDPR
Appointing Processors: Key business impacts
• Procurement processes: training of team; update of documentation, due diligence practices, and results analysis
• Contracts: review and rewrite of all relevant contracts. Terms will be far more specific. Standard phrases are unlikely to be sufficient, including those that relate to subcontracting or involving further Processors.
• Post-contract auditing processes will need to be built in
• It would also be prudent to seek appropriate indemnities and warranties from the Processor about its processing and compliance, and to build in more reporting and MI obligations on the Processor so that the Controller is given much more visibility and transparency on a regular basis and not just at annual review or specific checkpoints, audits or changes
• CRM issues as previously indicated
Additional Processor obligations
• Appointment of Data Protection Officers
• Data Protection Impact Assessments
• Data Security
• Breach Notification
Joint Controllers
Accountability of Joint Controllers
Under the GDPR:
A Controller retains overall accountability, and liability, for its own processing activities. However, where there are Joint Controllers they:
• must have an arrangement in place which determines who is effectively responsible for GDPR compliance
• must give particular attention to how subjects can best exercise their rights
• must make information about this arrangement available to subjects
Joint Controllers will have joint and several liability for all joint processing unless the arrangements are very clear on the point.
Under the DPA:
Each Controller is fully and independently responsible for complying with the DPA for its own processing activities, and for managing its data subjects.
There is no specific legal obligation to enter into formal arrangements (although it is good practice and highly recommended to satisfy DPA Principles).
Sharing of liability is an optional, commercial matter covered in any contract or data sharing agreement. There is no concept of joint and several liability under the DPA.
Key business impacts:
• procurement: due diligence; relationship structures; contract negotiations & drafting
• future-proof any current relationships which extend beyond GDPR implementation by addressing new compulsory requirements to the extent not already done.
• group contracting policies/precedents
• SAR process
• customer relationship management: control of communications and standards; complaints handling; banking confidentiality (and FCA issues)
• TCF initiatives
• litigation policies
Children’s data
In brief…
• Under 16
• Children are “vulnerable individuals” and deserve “specific protection”
• Additional rules for online services provided to children under 16 – online, parental prior consent required for use of an under 13 year old’s data.
• Member States are free to set their own rules for those aged 13 – 15. If not, parental consent required for children under 16
What are the grounds for processing personal data?
• Similar to current rules, except for consent
• Restrictions and clarifications around the ability to rely on “legitimate interests”
• Consent subject to additional conditions
• Effective prohibition on “bundled” consents and offering of services contingent on consent.
• Consent must be separable from other written agreements, clearly presented and as easily revoked as given.
• Further restrictions may be imposed by codes of conduct.
In brief…
• Genetic data and biometric data
• Sensitive personal data
• New conditions regarding the processing of genetic, biometric or health data
Transparency
In brief…
• Controllers must provide information notices to ensure transparency of processing
• Specified information must be provided
• There is also a general transparency obligation
• Much of the additional information will not be difficult to supply – although it may be hard for organisations to provide retention periods
• There is an emphasis on clear, concise notices
Rights for individuals
In brief…
• Rights to object
• Subject access rights
• Data portability
• Right to erasure and right to restriction of processing
Demonstrate data governance
In brief…
• Implement measures to reduce the breach risk
• Take governance seriously
• Privacy Impact Assessments, audits, policy reviews, activity records and appointing a Data Protection Officer
Transfers of Personal Data
In brief…
• Transfers outside the EEA continue to be regulated and restricted
• Remains a significant issue
• Non-compliance proceedings can be brought against controllers and/or processors
• Safe Harbor and Privacy Shield
Remedies and liabilities for breach
In brief…
• Higher of €20,000,000 or, in the case of undertakings, 4% of global turnover
• Compensation claims
Impact of a Brexit
• UK would be outside EEA
• Would need to offer “adequate level of protection”
• Commission views UK as inadequate due to defective implementation of 1995 Directive
• Commission’s infraction proceedings against UK are still live
• If UK doesn’t meet 1995 Directive it will not meet GDPR
• UK would need to implement “essentially equivalent” measures or non-UK businesses would need to rely on derogations/exemptions
Thank you
Helena Wootton (Partner)
• Tel: 0115 976 6532
• Mobile: 07795400719
• Email: helena.wootton@brownejacobson.com
