GDPR and DPO
DPO and DPM

Michel Gerdes – DPO

DFN-CERT Services GmbH

27.09.2017

© 2017 DFN-CERT Services GmbH | GDPR and DPO: Slide 1

ToC

The DPO Role according to GDPR

Data Protection at research institutions and universities

Remaining challenges


GDPR and DPO

The DPO Role according to GDPR


GDPR and National Adjustments

• No national adaptation required
• Member States may adjust and define within certain boundaries
• National law for public bodies


DPO by GDPR, legal grounds

Article 37 – DPO
• 5. Professional qualities,
• expert knowledge of data protection law and practices and
• the ability to fulfill the tasks
• 7. Controller shall publish contact details and communicate them to the supervisory authority

Article 38 – Position
• 1. involved, properly and in a timely manner, in all issues which relate to the protection of personal data
• 2. support by controller
• 3. no instructions regarding DPO-related tasks by controller


Accountability

• Article 5 (2)
• Article 24 (1)
• requires Data Protection Management


Data Protection at DFN-CERT

DFN-CERT
• 50 employees, 5 teams, back office
• various topics, all focused on information security
• awareness
• separation of duties

DPO
• Since July 2015, part time (20 %, in reality 15 %)
• Trainings
• Preparations for GDPR
• Register of processing activities and getting it done
• Issues brought up by colleagues
• Identifying issues and checking with the persons in charge


Selecting a DPO

Personal suitability
• No conflict of interests
• Speaks the language of the employees
• Time slot

Skill set
• Collaboration
• Question superiors and seniors
• Scrutinize every data processing activity
• Dedication to the role
• Self-organization
• Tasks may not be handled straightforwardly


Challenges & Achievements

Challenges
• Getting the persons in charge to get things done
• It’s about the time they have to dedicate to the tasks, or teaching them how to do it (fast but accurately)

Achievements
• Birthdays of employees in calendar application
• Access to email account for invoices during vacation of the employee
• Login timestamps in world-readable log file


Framework for Data Protection Management

• Responsibilities
• Awareness
• Policies
• Processes
• Resources


Responsibilities

Controller
• implement Data Protection Management
• define responsibilities
• raise awareness
• define policies
• define processes
• provide resources
• fulfill Article 38 (Position of DPO)
• Records of processing activities
• Consider data protection in contractual agreements/contracts
• Data protection impact assessment (Article 35)
• Information systems security

DPO (Art. 39)
• inform and advise controller
• monitor compliance
• cooperation with supervisory authority
• contact point for supervisory authority
• obviously not limited to these
• report directly to board


Awareness

• periodic trainings for employees
• regular communication campaigns on data protection
• data protection coordinator per team/faculty/. . .
• project initiation should/may require consultation of DPO/DPM
• highlight compliance with data protection principles (Article 5)


Policies

• commitment of top-level management
• define responsibilities
• define processes
• sharing of responsibilities if joint controllers


Processes

• Ensure data subjects’ rights
• Article 12 clause 3
• Notification of data breach
• Communication of data breach
• Re-assessment of DPM
• change management
• access to data on DPO’s computer


Resources

• further training and networking for DPO and DPM officials
• projects: documentation overhead and adjustments for data protection compliance
• appropriate technical and organisational measures to ensure security of processing, data protection by design and by default, data processing system security


Links

• http://www.goodcorporation.com/wp-content/uploads/2015/11/GC_DataProtection-Framework-160811.pdf
• https://www.maastrichtuniversity.nl/events/data-protection-governance-data-protection-governance-enterpriseorganisation-risk-management

Danish vs. English version of GDPR
• http://eur-lex.europa.eu/legal-content/EN-DA/TXT/?uri=CELEX:32016R0679&from=EN


GDPR and DPO

Data Protection at research institutions and universities


Scientific research

Legal grounds for processing
• Art. 5 (1) b
• Art. 89
• beware of special laws, e.g. telecommunication law


Different set of challenges

Administration
• centralized
• employment
• local DP coordinator
• standardized data processing activities
• may be based on state/national law (public body)

Teaching
• Freedom of teaching (Art. 5 German Grundgesetz)
• eLearning → Data Protection!
• evaluations
• consent
• awareness
• may be based on state/national law as well
• Guideline: if and only if required for evaluation

Research
• decentralized
• time constraints
• data protection measures conflict with research progress/interests
• local DP coordinator
• awareness
• enforce policy
• cooperation with other bodies


GDPR and DPO

Remaining challenges


Interpretation of laws

• Court decisions affecting interpretations
• commented printed versions


Dealing with older or other laws

• data protection sections may no longer apply
• e.g. for private bodies, or where the section is regulated by Union law
• conversely: public bodies, or sections not regulated by Union law


ePrivacy Regulation 2018

• into force May 25 2018
• still in draft
• extends GDPR with regard to information security
• specifies the legal situation for electronic communication data
• refers to GDPR principles and regulations


Adequacy Decisions

EU-US Privacy Shield
• In evaluation after first year
• New US administration disagrees with privacy regulations for EU citizens

Brexit
• UK government plans to adapt the GDPR after the Brexit
• Allows an adequacy decision
• Ruling of ECJ?


Further trainings

Certification
• GDDcert.EU: Certification as data protection officer, focus on data protection organisation and data protection management (in German)
• TÜV.IT: Certification as data protection officer with technical focus (in German)

DFN-CERT
• Conference (https://www.dfn-cert.de/veranstaltungen/201711Datenschutzkonferenz.html): Conference organised by DFN-CERT for DFN with focus on data protection (in German)
• Tutorials (https://www.dfn-cert.de/veranstaltungen/201710EU-Datenschutzgrundverordnung.html): Tutorial highlighting differences between BDSG and GDPR (in German)


Person of contact

Michel Gerdes
DPO DFN-CERT Services GmbH
[email protected]@dfn-cert.de
https://www.dfn-cert.de/
