1. From red-tape to rocket fuel
Ruth Boardman, Co-head International Data Privacy Practice
April 2016
2. 4 areas for discussion
• Personal data or not personal data…
• Individual rights
• Data management considerations
• Codes of conduct and certification
4. GDPR attempts to 'move on' the debate about click-stream data
• Personal data: an identified or identifiable, living person. Location data and online identifiers such as device IDs, cookie IDs, IP addresses and RFID tags are in scope.
• Special categories: racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, sexual orientation, genetic data, biometric data used uniquely to identify.
• Criminal convictions and offences.
5. A new concept of pseudonymisation is introduced
• Personal: identifiable, taking account of all means reasonably likely to be used, either by the controller or by any other person, to identify.
• Pseudonymisation: data can no longer be attributed to a data subject; the additional information needed to identify is kept separate.
• Anonymous: information rendered anonymous, such that the data subject is no longer identifiable.
Relevant factors in 'means reasonably likely to be used': cost; state of the art.
6. Pseudonymisation is not a free pass, but it can help meet multiple elements of GDPR
Hold the identifying information separate; pseudonymisation then counts towards:
• Data protection by design and by default (Art. 25)
• A factor in the purpose limitation assessment (Art. 6(4))
• Security (Art. 32)
• Threshold condition for processing for archival, scientific or historical research or statistical purposes (Art. 89)
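The pseudonymisation concept from the two slides above, as an added example that is not part of the original deck or Bird & Bird's material: direct identifiers are replaced by keyed HMAC tokens, and the key plus the token lookup table are the 'additional information' the controller holds separately. Keyed tokenisation is one pseudonymisation method among several and is an assumption here, as are the constructed sample records.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not from the slides): two data subjects, three events.
RECORDS = [
    {"email": "alice@example.com", "device_id": "AA-11", "purchases": 3},
    {"email": "bob@example.com", "device_id": "BB-22", "purchases": 1},
    {"email": "alice@example.com", "device_id": "AA-11", "purchases": 2},
]
DIRECT_IDENTIFIERS = ("email", "device_id")  # fields that point at a living person

def pseudonymise(records, key):
    """Replace each direct identifier with a keyed HMAC-SHA256 token.
    The key and the returned lookup table are the 'additional information' to hold
    separately: without them the tokens identify nobody, yet the same person always
    gets the same token, so counting and linking within the dataset still work."""
    pseudo, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            msg = f"{field}:{rec[field]}".encode()  # field prefix keeps tokens distinct per field
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
            lookup[token] = rec[field]
            out[field] = token
        pseudo.append(out)
    return pseudo, lookup

def reidentify(pseudo_records, lookup):
    """Reverse pseudonymisation; only whoever holds the separate lookup table can."""
    return [{k: (lookup[v] if k in DIRECT_IDENTIFIERS else v) for k, v in r.items()}
            for r in pseudo_records]

def anonymise(records):
    """Drop direct identifiers outright: no key, no lookup, no way back. Whether the
    remainder is truly anonymous still depends on what the other fields reveal."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]

def purchases_per_subject(pseudo_records):
    """Analytics that still work on pseudonymised data: totals per email token."""
    totals = {}
    for r in pseudo_records:
        totals[r["email"]] = totals.get(r["email"], 0) + r["purchases"]
    return totals

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored apart from the data
    pseudo, lookup = pseudonymise(RECORDS, key)
    print(pseudo, purchases_per_subject(pseudo), reidentify(pseudo, lookup), sep="\n")
```

A second controller that receives only the pseudonymised records, without the key or lookup table, gets different tokens from its own key and cannot attribute either set to a person.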
8. Access and Rectification
Right to information
• Confirmation whether data are being processed
• Associated information about the personal data processing
Right to the data
• A copy of the data undergoing processing
• Free of charge (initially)
• Electronic requests = data in a commonly used electronic form (portability)
Rectification
• Rectify inaccurate personal data
• Supplementary statement if data is incomplete
9. Portability (Art. 20)
Portability
• Automated data; provided by the data subject; processing based on consent or contract
• Structured and machine-readable
• Transmitted direct to another controller
Access
• All data
• Commonly used, electronic format (if request is made electronically)
10. Google Spain (3 May 2014)
• ‘[These articles] are to be interpreted as meaning that … the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to the web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those webpages, and even, as the case may be, when its publication in itself on those pages is lawful…’
• ‘… [the controller should carry out this assessment] … at this point in time, … without it being necessary … to find … [that] that list causes prejudice to the data subject… [the interests of the data subject] override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject's name… that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.’
11. How do you erase data and ensure others know about the erasure?
Right to erasure for unlawful processing (Art. 17)
• No longer necessary;
• Consent withdrawn; children's online data; objection to processing; law requires erasure
Third party follow-up
• Communicate erasure to each recipient to whom disclosed;
• Where published, take reasonable steps to inform controllers processing the data
• Reasonable steps, taking account of available technology and cost of implementation
14. Embracing privacy by design: may be a competitive advantage for start-ups
• By design (A.25): use technical and organisational measures (t.o.m.s) designed to implement data protection compliance
• By default (A.25(2)): use t.o.m.s to ensure that, by default, only necessary data are collected, stored and accessed (especially 'public' privacy settings)
• Managing data (A.30 records): records of processing; ongoing review of design and default measures
16. GDPR creates incentives for more creative compliance
Codes of conduct
• Specifies the application of the GDPR (for example, an industry approach to data protection notices)
• Needs bodies to promulgate and enforce
Certification
• Demonstrates compliance – to the public, to supervisory authorities, to other organisations
• Needs certification agents
18. Thank you
ruth.boardman@twobirds.com
twobirds.com
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.