GDPR Iceland - gagnaeyding.is · GDPR 4 CONFIDENTIAL Replaced 94/95 Data Protection Directive...

GDPR Iceland Dr. Ross Federgreen, CIPM, CIPP/US/E/C/G Fellow European Privacy Association January 2017


Page 1: GDPR Iceland - gagnaeyding.is · GDPR 4 CONFIDENTIAL Replaced 94/95 Data Protection Directive Approved December 2015 – Effective May 2018 (now) Officially Numbered: Regulation 2016/679

GDPR – Iceland

Dr. Ross Federgreen, CIPM, CIPP/US/E/C/G Fellow – European Privacy Association

January 2017

Page 2

Why Does It Matter?

CONFIDENTIAL 2

Page 3

What You Will Take Away

• Critical Components of the GDPR

• Global Effect

• Benefits of CSR Readiness® Pro


Page 4

GDPR


Replaced 94/95 Data Protection Directive

Approved December 2015 – Effective May 2018 (now)

Officially Numbered: Regulation 2016/679

GENERAL DATA PROTECTION REGULATION

• Modernize Data Protection

• Strengthen Citizens' Rights

• Harmonize Member State Laws

• Streamline Data Protection Agencies (One-Stop-Shop)

Page 5

Iceland


Regulation No. 712/2008 on notification obligations and authorisation of the processing of personal data

Act on the Protection and Processing of Personal Data, No. 77/2000

• All electronic processing of personal data that falls under the Data Protection Act must be notified to the Icelandic Data Protection Authority by the controller of the data, unless an exemption applies.

Rules No. 837/2006 on electronic monitoring and the processing of personal data generated by electronic monitoring

• Already closely related to the GDPR

• "7. Consent: A specific, unambiguous declaration, which is given freely by an individual, signifying that he agrees…"

Page 6


Important Points

• Consent – Opt-In

• Data Subject Rights – Unobstructed access

– 30 days to respond

– Copy, modify, transfer, erase

• Records of Processing Activities – Applies to Controller & Processor

– Derogation for under 250 employees

• Data Protection Officer – Expert knowledge & experience

– Shortage of experts

• Third-Parties / Processors – Data Protection Officer law applicable

– Compliance within Contract

Complexity

• 173 Recitals, 99 Articles

• Global reach

Page 7

Important Points – Global Reach

• Territorial Scope – Established controller or processor in the EU, regardless of processing location

– Controller or processor, regardless of location, that processes EU personal data related to:

• Offering of goods or services (regardless of payment)

• Monitoring of behavior (for behavior taking place in the EU)

Article 3

Page 8

CSR Readiness Pro®


Readiness delivers a PROACTIVE solution

[Diagram: Self-Assessment Questionnaire; Remediation Offerings (Best Practices / Templates); Complete; Self Assessed; Display Seal (sample seal reads "Expires 01/28/17"); Maintain]

Appendix

Page 9

Program Components


User clicks "Register" from the Sidebar Menu. Built-in workflow directs users to the appropriate screen.

Welcome Page

Page 10

User Completes at Own Pace


Readiness covers 6 domains: Privacy, Compliance, Security, Incident Response, Governance, and Iceland-specific questions.

The status bar, shown above, lets users track completion progress.

Page 11

Results and Action Steps Page


Scores

Follow instructions to improve processes

Download and implement best practices and purchase policies

Page 12

Best Practices and Policies


Best Practices Documents

Policies

Train employees on policies and procedures

Page 13

Certification of Readiness Completion

Upon completion of the Readiness questionnaire, remediation instructions and implementation of policies and best practices, your business customers will earn a Certificate of Completion and receive their ID Stay Safe Seal.

Appendix

Readiness assists in "demonstrating compliance" for GDPR Article 5.2: Accountability

Page 14

THANK YOU

[email protected] Headquarters: +1 772.225.0007 Toll Free: +1 888.294.6971

Ross Federgreen