Introduction to gdpr

Transcript of Introduction to gdpr

Page 1: Introduction to gdpr

Introduction to EU General Data Protection Regulation (GDPR) – Wale Omolere, January 2016

Page 2: Introduction to gdpr

Topics
• GDPR Vocabulary
• What is the GDPR
• GDPR Resource Implications
• GDPR Overview – number of articles
• European Law Landscape
• Key facts
• GDPR Structure
• Personally Identifiable Information
• Territorial Scope – Articles 1-3
• Remedies, Liabilities and Penalties – Articles 79, 82 & 83
• Data Collection Principles – Article 5
• Lawfulness – Articles 5 & 6
• Consent – Articles 7-9
• Transparency – Articles 12-18
• Data Security – Article 32
• Data Breach Notification – Articles 33 & 34

Page 3: Introduction to gdpr

Objectives
• To provide a general understanding of the challenges which UK organisations face in complying with the new General Data Protection Regulation (GDPR)
• To highlight the job opportunities for Business Analysts, Project Managers, Information Security Compliance staff, IT Specialists and Database Administrators

Page 4: Introduction to gdpr

GDPR Vocabulary
• Personal data
• Data subject
• Data controller
• Data processor
• Data breach
• Consent
• Data Privacy
• Privacy Impact Assessment
• ICO (Information Commissioner's Office, the UK supervisory authority)

Page 5: Introduction to gdpr

General Data Protection Regulation – What it is:
• A complete overhaul of data protection regulation, with an extensively widened definition of what counts as identifiable information (personal data)
• Applies across all Member States of the European Union
• Applies to organisations processing the personal data of individuals in the EU wherever the organisation is geographically based, if it offers them goods or services or monitors their behaviour (Article 3)
• Specific and significant rights for data subjects: to seek compensation, to erasure, and to accurate representation (rectification)
• Compensation can be sought against organisations and individuals employed by them
• Fines of up to €20,000,000 or 4% of global annual turnover, whichever is higher

Page 6: Introduction to gdpr

GDPR Overview
• Chapters: 11
• Articles: 99 in the final text (the Commission's 2012 proposal had 91)
• Sections: 15 (Chapter 3: 5, Chapter 4: 5, Chapter 6: 2, Chapter 7: 3)

Summary of Articles Contained in the GDPR (diagram)

Page 7: Introduction to gdpr

EU Regulatory Structure
• Directives – implemented in each EU Member State through domestic legislation
• Regulations – directly applicable in each Member State and thus apply to firms directly

Page 8: Introduction to gdpr

European Law Landscape
European legislation can be separated into two main branches:
Directives
• Require individual implementation in each Member State (each State can implement the rules in its own way)
• Implemented by the creation of national laws approved by the parliament of each Member State
• Directive 95/46/EC (implemented in the UK as the current Data Protection Act 1998) is a Directive
• Sets out a goal that a Member State must achieve – room for tailoring
• 28 different variations among Member States

Page 9: Introduction to gdpr

European Law Landscape
Regulations:
• Immediately applicable in each Member State in a uniform manner
• Binding legislative act
• Derogations allow for fine tuning; examples include the age at which a child can give consent, and the definition of large scale data processing
• The EU GDPR is a Regulation
• Regulations are not negotiable by Member States
• Regulations may apply to organisations outside the EU if they affect EU subjects (people who are

Page 10: Introduction to gdpr

Key Facts about the GDPR
• 4 May 2016: the official text of the Regulation was published in the EU Official Journal in all the official languages
• The Regulation entered into force on 24 May 2016, and applies from 00:01 on 25 May 2018
• As it stands the United Kingdom will still be considered a Member State at the time of inception and will therefore be subject to the requirements of the EU GDPR
• GDPR makes the appointment of a DPO mandatory for certain organisations
• It widens the definition of personal data
• It introduces mandatory PIAs (Data Protection Impact Assessments) for high-risk processing
• It introduces a common data breach notification requirement
• It introduces the right to be forgotten
• It requires privacy by design
• GDPR shall be binding in its entirety and directly applicable in all Member States

Page 11: Introduction to gdpr

GDPR Structure

Page 12: Introduction to gdpr

GDPR Structure
• The European Data Protection Board will issue guidance for controllers and processors
• They will facilitate the use of Data Protection Impact Assessments
• The ICO (as the UK supervisory authority) will oversee both Data Controllers and Data Processors
• Breaches and notifications will be made to the ICO
• 3rd countries – countries outside the EU to which data is transferred
• At the centre of the GDPR is the protection of Personally Identifiable Information (what the Regulation itself calls personal data)

Page 13: Introduction to gdpr

Personally Identifiable Information (PII)

PII (the Regulation's own term is "personal data", Article 4(1)) is information that can be used to identify a living individual, directly or indirectly. Examples include (but are not limited to):
• First and last name (combined)
• Home address
• Date/place of birth
• Photos and videos
• Username/password (login credentials)
• National Insurance / Social Security number
• Bank account details
• Credit card details
• Passport number
• Medical records
• Financial records
• Vehicle registration number
• Personal email addresses / emails
• Biometric data: face, fingerprints or handwriting
• Birthplace
• MAC address
• IP address
• Genetic information

Page 14: Introduction to gdpr

Sensitive Personal Identifiable Information

Some categories of information, while not necessarily identifying on their own, are defined as high risk, and breaches involving them are the ones most likely to require notification. Most of the list below corresponds to the "special categories" of Article 9, which may only be processed under a narrow set of conditions. High risk data includes:
• Racial and ethnic origin
• Gender
• Religion
• Trade union membership
• Healthcare data
• Political opinion
• Sexual orientation
• Genetic data
• Disability information
• Location data
• Mental health status
• Biometric data

Page 15: Introduction to gdpr

Territorial Scope
• Articles 1-3 cover the applicability of the Regulation
• Data subjects = living individuals, aka natural persons. They have rights associated with:
- The protection of their personal data
- The protection of personal data during processing
- Unrestricted movement of personal data throughout the European Union (with consent)
• The scope of the GDPR includes personal data that is processed wholly or partly by automated means, and personal data that forms part of a filing system (or is intended to)
• Any organisation that processes the data of individuals in the EU, whether or not it is itself established in the EU, is subject to the Regulation (it is the data subject's location, not citizenship, that matters)

Page 16: Introduction to gdpr

Remedies, Liabilities & Penalties

• Enforcement powers of the ICO will be significantly enhanced, with the issuing of measures, notices and monetary fines intended to be effective, proportionate and dissuasive
• Fines fall into two tiers: up to €10,000,000 or 2% of total worldwide turnover for the preceding year for infringements such as failing to meet the security or breach notification obligations, and up to €20,000,000 or 4% for infringements of the basic principles, data subject rights or international transfer rules, in each case whichever is greater
• Fines are calculated based on several factors (Article 83(2)):
- Controls already in place
- Nature, gravity, extent and duration of the infringement
- The types of personal data involved in the infringement
- Actions taken by the controller or processor to mitigate, negate or notify affected parties (including the ICO) of a breach

Page 17: Introduction to gdpr

Remedies, Liabilities & Penalties

• Data subjects have the right to an effective judicial remedy against a controller or processor when their rights have been infringed as a result of processing
• Action can be brought either:
- In the courts of a Member State where the controller or processor has an establishment
- In the courts of a Member State where the data subject habitually resides
- Against a controller for inadequate control of data, or against a processor for its processing

Page 18: Introduction to gdpr

Lawfulness of Processing
• The Regulation sets out lawfulness as a principle and places specific obligations on the controller and processor:
• Data must be secured against accidental loss, damage or destruction
• Processing must be lawful, which means it must rest on one of the lawful bases in Article 6, inter alia:
- The data subject has given consent to the processing for the specified purpose (consent is one of six lawful bases; it must be explicit where special category data is concerned)
- The processing is necessary for the performance of a contract with the data subject
- The processing is necessary for compliance with a legal obligation
- (The remaining bases are vital interests, a task carried out in the public interest, and the controller's legitimate interests)
• Controllers have one month to respond to Subject Access Requests, free of charge unless the request is manifestly unfounded or excessive

Page 19: Introduction to gdpr

Lawfulness of Processing
• Consent must be clear and affirmative – silence, pre-ticked boxes or inactivity on the part of the data subject no longer imply consent
• Controllers must be able to demonstrate that consent was requested in a clear, intelligible and easily accessible way, or else it is not binding
• It must be possible for data subjects to withdraw consent at any time, and it must be as easy to withdraw as it was to give. This has significant implications for how data is processed
• Special conditions for children under the age of 16 (Member States may lower this threshold to 13)
• Separate, explicit consent must be given for high risk (special category) personal data, along with an outline of what the controller intends to do with it in terms of processing, unless one of the other Article 9 exceptions applies (for example, substantial public interest)
• All information should be secured

Page 20: Introduction to gdpr

Data Security
A requirement on controllers and processors to implement a level of security appropriate to the risk (Article 32).
• Techniques:
• Pseudonymisation – separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymised data is still personal data under the Regulation, because that additional information can re-link it
• Encryption – conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorised parties
• Minimisation – reducing the data collected to the minimum required to deliver the service agreed by the data subject
• Penetration testing – agreeing a process for regularly testing, assessing and evaluating the effectiveness of security measures
• Ensuring on-going application of confidentiality, integrity and availability controls
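The pseudonymisation technique described above, as an added example that is not part of the original slide deck. It assumes a stable identifier (the National Insurance number) is the field to tokenise, uses HMAC-SHA256 under a controller-held key to derive the token, and keeps the token-to-identity lookup table as the separately held "additional information". The records and candidate identifiers are constructed for the demonstration; the unkeyed hash is included only to show why it does not achieve the separation the deck describes.

```python
"""Pseudonymisation in the Article 4(5) sense: strip direct identifiers from
each record, replace them with a keyed token, and keep the re-linking table
apart from the dataset. Added example, not code from the slide deck."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Fields the deck lists as direct identifiers. Everything else stays in the
# pseudonymised record so it can still be analysed.
DIRECT_IDENTIFIERS = ("first_name", "last_name", "email", "ni_number")

# Constructed sample data (not real people); records 0 and 2 are the same person.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.org",
     "ni_number": "QQ123456A", "diagnosis": "asthma", "postcode_area": "SW1"},
    {"first_name": "Alan", "last_name": "Turing", "email": "alan@example.org",
     "ni_number": "QQ654321B", "diagnosis": "hay fever", "postcode_area": "M1"},
    {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.org",
     "ni_number": "QQ123456A", "diagnosis": "migraine", "postcode_area": "SW1"},
]

Tokeniser = Callable[[str], str]


def new_pseudonymisation_key() -> bytes:
    """256-bit secret held by the controller, stored apart from the dataset."""
    return secrets.token_bytes(32)


def keyed_token(ni_number: str, key: bytes) -> str:
    """HMAC-SHA256 of the stable identifier under the controller's key.

    The same person always gets the same token, so records remain joinable,
    but without the key nobody can compute (or verify a guess at) a token."""
    return hmac.new(key, ni_number.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def keyed_tokeniser(key: bytes) -> Tokeniser:
    return lambda ni_number: keyed_token(ni_number, key)


def naive_token(ni_number: str) -> str:
    """Unkeyed SHA-256: the common mistake. Anyone can recompute it from a
    guessed identifier, so the identifiers are not really separated."""
    return hashlib.sha256(ni_number.encode("utf-8")).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split each record into a pseudonymised part and a lookup entry.

    The lookup table (token -> direct identifiers) is the 'additional
    information' of Article 4(5); it must live in a separate store with its
    own access controls, never alongside the pseudonymised dataset."""
    lookup: Dict[str, Dict[str, str]] = {}
    output: List[Dict[str, str]] = []
    for rec in records:
        token = keyed_token(rec["ni_number"], key)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        stripped = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        output.append(stripped)
    return output, lookup


def reidentify(token: str, lookup: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Re-linking a token to a person needs the separately held lookup table."""
    return lookup.get(token)


def dictionary_attack(target_token: str, candidates: List[str],
                      tokeniser: Tokeniser) -> Optional[str]:
    """An attacker holding the pseudonymised dataset and a list of plausible
    identifiers recomputes tokens for each candidate and looks for a match."""
    for candidate in candidates:
        if hmac.compare_digest(tokeniser(candidate), target_token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised records:", pseudo)
    print("re-identified first record:", reidentify(pseudo[0]["subject_token"], lookup))
    guesses = ["QQ000000A", "QQ123456A", "QQ654321B"]  # constructed attacker wordlist
    print("naive hash recovered:", dictionary_attack(naive_token("QQ123456A"), guesses, naive_token))
    print("keyed token recovered without the key:",
          dictionary_attack(pseudo[0]["subject_token"], guesses,
                            keyed_tokeniser(new_pseudonymisation_key())))
```

The point of the two tokenisers is the deck's phrase "not possible without additional information that is held separately": with an unkeyed hash, a short list of guessed NI numbers recovers the identity behind a token, so nothing has really been separated; with a keyed HMAC, the key (and the lookup table) are the additional information, and whoever holds them can still re-identify, which is why pseudonymised data remains personal data.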

Page 21: Introduction to gdpr

Data Breach Notification

• The GDPR stipulates specific requirements for breach notification
• The legislation defines a breach as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
• Processors must notify controllers of any breach without undue delay
• Controllers must notify the supervisory authority of any breach that is likely to result in a risk to the rights and freedoms of individuals, without undue delay and where feasible not later than 72 hours after becoming aware of it; a notification made later than 72 hours must give the reasons for the delay
• How and when a notification is made is one of the factors the supervisory authority weighs when deciding on corrective measures and the level of any fine

Page 22: Introduction to gdpr

Notification Requirements
• Notification to the ICO without undue delay (within 72 hours where feasible)
• Description of the nature of the breach
• The categories of data subjects affected (gender, adult or child, patient, student, etc.)
• The approximate number of data subjects affected
• The approximate number of personal data records breached
• The likely consequences of the breach
• Contact details of the Data Protection Officer (or other contact point)
• The measures taken, or proposed, to address the breach and mitigate its effects
• No requirement to notify the ICO if the breach is unlikely to result in a risk to the rights and freedoms of data subjects; the stricter "high risk" threshold is what triggers communication to the data subjects themselves (guidance on what constitutes risk to be confirmed)

Page 23: Introduction to gdpr

Notification Requirements
• When a breach is likely to result in a high risk to data subjects, the data controller has specific obligations regarding communication to the affected data subjects
• Communication can be mandated by the supervisory authority if the controller has not already made it
• Communication must be carried out without undue delay
• Communication must be in clear, plain language, describing the nature of the breach and at least the DPO contact, the likely consequences and the measures taken
• Exceptions if appropriate technical measures (such as encryption) were applied to the data so that it is unintelligible to anyone not authorised to access it, or if subsequent measures mean the high risk is no longer likely to materialise
• Exceptions if individual communication would involve disproportionate effort, in which case a public communication or similar equally effective measure is used instead