Post on 16-Apr-2017
THE GDPR: FAIL TO PREPARE, PREPARE TO FAIL!
Fintan Swanton, Cygnus Consulting
15 December 2016
WHAT IS THE GDPR?
The General Data Protection Regulation is the most extensive change to EU data protection law since the 1995 directive.
In 1995, Mark Zuckerberg was eleven years old . . .
GDPR passed by European Parliament in April 2016.
To come into effect on 25 May 2018 in all member states.
WHAT IS THE GDPR?
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
THE EIGHT RULES REMAIN THE SAME:
Personal data must:
1. Be fairly obtained & processed
2. For specified, explicit & legitimate purpose(s)
3. Not be processed in a manner incompatible with those purpose(s)
4. Be kept safe & secure
5. Be kept accurate, complete & up-to-date
6. Be adequate, relevant & not excessive
7. Not be retained for longer than is necessary
8. Be provided on request to the data subject
SO WHAT’S CHANGING?
Definition of personal data
Accountability
Consent
Access requests
Joint data controllership
Controller / Processor relationship
Breach notification
Data Protection Impact Assessments
Mandatory Data Protection Officers
Right to compensation and liability
Financial penalties
PERSONAL DATA
Current definition:
Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into the possession of the Data Controller.
S.1 Data Protection Act, 1988
GDPR redefinition:
any information relating to ... an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person...
Art. 4(1), GDPR
ACCOUNTABILITY
The controller shall be responsible for and be able to demonstrate compliance ...
Art. 5.2
CONSENT
“any freely given, specific, informed and unambiguous indication of… wishes…”
Must be given “by a statement or by a clear affirmative action signifying agreement”
Art. 4(11)
SUBJECT ACCESS REQUESTS
No fee unless request “manifestly unfounded or excessive”
Requests can be made and must, where appropriate, be responded to electronically
Standard time limit 1 month
May take up to 3 months, but must notify data subject within 1 month, giving reasoned justification for delay
As well as personal data, other info. such as sources, processing purposes & right to complain to DPA must be provided.
Art. 12 & 15
Janet McKnight
JOINT DATA CONTROLLERS
Where two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers.
They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation.
Art. 26
CONTROLLER / PROCESSOR
The carrying out of processing by a processor shall be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.
Art. 28
MANDATORY BREACH NOTIFICATION
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay.
Art. 33
DATA PROTECTION IMPACT ASSESSMENT
DPIA is mandatory “where processing is likely to result in a high risk”. DPIA must include at least:
systematic description of envisaged processing and the purposes of the processing, including where applicable the legitimate interest pursued;
assessment of necessity and proportionality of processing;
assessment of the risks to the rights and freedoms of data subjects;
measures envisaged to address the risks.
Controller must consult DPA where processing would result in high risk in absence of mitigating measures.
Art. 35
GDPR – MANDATORY DPO
The controller or processor must designate a data protection officer in any case where:
the processing is carried out by a public authority or body; or
the core activities of the controller or processor consist of processing operations which, because of their nature, scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of sensitive personal data.
A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
Where the controller or processor is a public authority or body, a single data protection officer may be designated for several of them, taking account of their organisational structure and size.
Art. 37, 38 & 39
THE ROLE OF THE DATA PROTECTION OFFICER
DPOs must have “expert” knowledge, training and experience.
DPOs must report directly to the highest level of management.
DPOs must be completely independent in the performance of their duties.
DPOs may be directly employed staff or external service providers.
DPOs must be involved in a proper and timely manner in all organisational personal data protection matters.
Office of the Privacy Commissioner Canada
THE ROLE OF THE DATA PROTECTION OFFICER (CONT.)
DPOs shall have at least these tasks:
Informing and advising the organisation and its staff on compliance.
Monitoring organisational data protection compliance.
Advising on data protection impact assessments.
Acting as the contact point for and cooperating with the DPC.
Acting as the contact point for data subjects.
May have other duties, provided they aren’t incompatible with DPO role.
Office of the Privacy Commissioner Canada
RIGHT TO COMPENSATION
Current situation:
Collins v FBD Insurance (Ireland)
Google v Vidal-Hall (UK)
In the GDPR:
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Art 82.1
LIABILITY
Where more than one controller or processor or a controller and a processor are involved in the same processing and, where they are responsible for any damage caused by the processing ... each controller or processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
Art 82.4
FINANCIAL PENALTIES
Two tier structure:
Greater of €10m or 2% of turnover
Greater of €20m or 4% of turnover
Each supervisory authority shall ensure that the imposition of administrative fines . . . shall in each individual case be effective, proportionate and dissuasive.
Art. 83
Most infringements in principle subject to fines
Cygnus Consulting Limited
Data Protection Consultancy & Training
info@cygnus.ie
www.cygnus.ie
01 6854474 / 086 8271273