
Data Protection Reform – preparing for the General Data Protection Regulation (PowerPoint presentation)



  1. Data Protection Reform … preparing for the General Data Protection Regulation. By Philip Brining, Data Protection People, 18th April 2016

  2. Agenda
     • Introduction
     • Current Rules (DPA 98 & PECR)
     • Overview of GDPR
     • Business-wide impact
     • Practical Preparation

  3. http://ec.europa.eu/avservices/video/player.cfm?sitelang=en&ref=I119067

  4. Introduction – Data Protection People
     • Specialist DP company based in Leeds.
     • Aim = to make data protection easy and understandable; to ease DP pain points.
     • Services: audits, reviews, DP projects; managed service; compliance management tools.

  5. Data Protection Act 1998
     • Derived from Directive 95/46/EC. Directive’s aim = facilitate the free movement of data across the EU and uphold citizens’ right to privacy.
     • Drive for harmony of DP law, yet 28 variations across Europe.
     • Requirement to register.
     • 8 x DP Principles:
       1. Fair and lawful
       2. For specific purposes
       3. Relevant and not excessive
       4. Maintained accurate/up-to-date
       5. Limited retention
       6. Data Subjects’ Rights
       7. Sufficient security arrangements
       8. No processing outside of EEA
     http://www.information-age.com/technology/security/1687058/uk-ranks-21st-in-europe-for-privacy-protection
     http://ec.europa.eu/unitedkingdom/press/press_releases/2010/pr1097_en.htm
     http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html

  6. “Approved Countries”: Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Isle of Man, Jersey, State of Israel, New Zealand, Eastern Republic of Uruguay, USA via “Privacy Shield”

  7. Privacy and Electronic Communications Regulations 2015
     • Implements Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
     • Regulates marketing activities: telephone/SMS, mail, email, cookies, pixels etc.
     • Regulates network providers: Ofcom; breach notification.

  8. General Data Protection Regulation
     • Replaces DPA98. Enacted Spring 2016. A European Regulation.
     • Two cornerstones: data is “theirs” and not “ours”; we need to be more responsible.
     • Also: more comprehensive, definitive “dos” and “don’ts”; more interaction with the Regulator; larger fines and greater Regulatory powers.
     • Data is not ours: we simply process it on behalf of data subjects in order to provide services that they have requested and on their instruction.
     • Aim is still free movement of data across the EU and right to privacy.

  9. http://audiovisual.europarl.europa.eu/Assetdetail.aspx?id=a25be131-dce9-4e2e-89f1-a5e700ebd088 http://www.vieuws.eu/live-panel-debate/debate-can-the-next-eu-regulation-guarantee-data-protection-for-all/

  10. Concepts
     • “Their” data not “ours”.
     • We are simply temporary custodians of their data for as long as they want us to be.
     • We need to take greater account of their rights.
     • The data acquisition land-grab is over. If you cannot demonstrate a legitimate right to be processing an individual’s data then it is a toxic liability – a time bomb in your organisation.

  11. GDPR: business-wide paradigm shift
     6 Principles:
       1. Fair, lawful & transparent
       2. Specific, explicit & legitimate purposes
       3. Limited to what is necessary
       4. Accurate
       5. Anonymised ASAP
       6. Processed securely with integrity and confidentiality
     Responsible for being able to demonstrate compliance.
     Some Key Points:
       • New definitions of “Personal Data”
       • No more implied consent
       • More transparency needed
       • Balance DS rights with DC rights
       • Anonymise data asap
       • Need to keep records / audit
       • Greater control of data processes
       • Mandatory breach reporting
       • Profiling
       • DPO & privacy by design
       • Data processors
       • Reform of ICO powers and fines

  12. Why is it a paradigm shift?
     CURRENTLY:
       • ICO has few powers and small fines
       • Law has plenty of wriggle room
       • Who has a DPO? Who has DP audits? Who has a PIA process?
       • Passive compliance through lack of breaches and minimum standards.
     GDPR – still some wriggle room BUT:
       • You need to evidence more
       • You need to justify more
       • You need to control processing
       • In-house whistle blower
       • Due consideration of DS rights
       • Processors will influence you
       • New powers and bigger fines
       • Consistency of application
       • Active compliance through risk management and balancing of rights. Big Stick too!

  13. €20,000,000 or 4% of Global Annual Turnover

  14. Data Lifecycle and GDPR interventions [lifecycle diagram: Data Capture → Data Processing Activities → Sharing/Transfer/Disclosure → Anonymisation/Destruction; surrounded by Influences]

  15. Data Lifecycle and GDPR interventions – Data Capture
     GDPR Considerations:
       • Privacy by Design/PIA
       • Privacy Notices
       • Consent
       • Grounds for processing
       • 6# DP Principles

  16. Data Lifecycle and GDPR interventions – Data Processing Activities
     GDPR Considerations:
       • PROCESS CONTROL
       • Transparency
       • Data Subject rights
       • ID verification
       • Record-keeping & policies
       • Processes acting on data
       • Protecting data in transit
       • Protecting data at rest
       • Retention
       • Profiling
       • Work Instructions
       • Training
       • Security breach/incident
       • Special Considerations

  17. Data Lifecycle and GDPR interventions – Sharing/Transfer/Disclosure
     GDPR Considerations:
       • Register of 3rd parties
       • Register of transfers
       • T/F to 3rd countries
       • Subject Access Requests
       • Ad-Hoc data sharing
       • Data Portability
       • Prior Authorisation

  18. Data Lifecycle and GDPR interventions – Anonymisation/Destruction
     GDPR Considerations:
       • Default retention periods
       • Retention exceptions
       • Anonymisation
       • Data subject rights (R2BF)

  19. Data Lifecycle and GDPR interventions – Influences
     GDPR Considerations:
       • Supervisory Authority
       • Consistency Mechanism
       • Powers
       • Fines
       • Compensation
       • DS Rights/awareness
       • In-house DPO
       • Certification/Codes of Practice

  20. Compensation
     • The Claimants’ claim was based on the distress suffered from learning that their personal characteristics formed the basis for Defendant’s targeted advertisements, or from having learnt that such matters might have come to the knowledge of third parties who had used or seen their devices. The Cs’ claims were exclusively for distress and anxiety, not financial damage.
     • The Cs used Apple’s Safari browser, which was set to block Third Party Cookies which would enable the tracking and collation of browser activity. The Cs pleaded that a Safari workaround operated by D allowed it to obtain and record information about their internet use and use it for the purposes of its AdSense advertising service. They pleaded that D collated their private and personal information and used it to serve adverts to them via AdSense.
     • The Cs’ claims were in misuse of private information, breach of confidence, and under the Data Protection Act 1998 (DPA). The Cs claimed general and aggravated damages, an account of profits, an injunction and other relief.

  21. GDPR Considerations
     • Data Collection: Privacy by Design/PIA; Privacy Notices; Consent; Grounds for processing; 6# DP Principles.
     • Data Processing: PROCESS CONTROL; Transparency; Data Subject rights; ID verification; Record-keeping & policies; Processes acting on data; Protecting data in transit; Protecting data at rest; Retention; Profiling; Work Instructions; Training; Security breach/incident; Special Considerations.
     • Transfer/Sharing/Disclosure: Register of 3rd parties; Register of transfers; T/F to 3rd countries; Subject Access Requests; Ad-Hoc data sharing; Data Portability; Prior Authorisation.
     • Destruction: Default retention periods; Retention exceptions; Anonymisation; Data subject rights (R2BF).
     • External Influences: Supervisory Authority, Consistency Mechanism, Powers, Fines, Compensation, DS Rights/awareness, In-house DPO, Certification/Codes of Practice.

  22. Powers and Penalties
     • Powers: Warnings; Enter Premises/seize equipment; Stop NOW!; Fines.
     • Fines: €10m or 2% (A8, 10, 23-39); €20m or 4% (A5, 6, 7, 9, 12-20, 40-44, 53).
     • Penalties: Compensation; Fines.

  23. GDPR Impact
     • IT – PIAs, policy and documentation, breach reporting, data sharing, retention, portability.
     • HR – training and awareness, policy.
     • Risk – risk assessment/PIA, audit, record keeping, retention.
     • DPA/FOI – DPO tasks/role, independence, SARs, ICO/EDPB, ICO powers.
     • Brand/Image/Reputation – consent, profiling, right to be forgotten, privacy notices, bought-in data, retention.
     • Contact Centre – ID verification, consent, privacy notices.
     • Operations – regulation and monitoring conformance to procedures.
     • Exec/Board – DPO, record keeping, fines, compensation, change in emphasis, management and control.
     • Customers – data portability, SARs, privacy notices, consent.
