ISACA Belgium Privacy Open Forum: GDPR current status

Privacy Open Forum, Tuesday, 2nd of December 2015

Transcript of ISACA Belgium Privacy Open Forum: GDPR current status

Page 1: ISACA Belgium Privacy Open Forum: GDPR current status

Privacy Open Forum

Tuesday, 2nd of December 2015

Page 2: ISACA Belgium Privacy Open Forum: GDPR current status

Brussels, 2 December 2015

Agenda

1. 18:30 Introduction
2. 18:45 GDPR: current status
3. 19:30 Break
4. 19:50 GDPR: current status
5. 20:45 Close

Page 3: ISACA Belgium Privacy Open Forum: GDPR current status


Close

Page 4: ISACA Belgium Privacy Open Forum: GDPR current status

PRIVACY: AN OVERVIEW OF THE STATUS OF THE GDPR

JOHAN VANDENDRIESSCHE

Page 5: ISACA Belgium Privacy Open Forum: GDPR current status

General warning

• Information is provided on the basis of available information
• Excerpts from Council position and trilogue documents available until this date
• Not all trilogue information is available
• Trilogue principle: “nothing is agreed until everything is agreed”

Page 6: ISACA Belgium Privacy Open Forum: GDPR current status

Agenda

• Overview
• Short timeline
• Overview of the initial trilogue agenda
• Review of EC Council position in first reading
• Review of some information on trilogues

Page 7: ISACA Belgium Privacy Open Forum: GDPR current status

Overview

• Additional requirements GDPR
  • Privacy officer for large companies / privacy sensitive companies
  • Privacy by design
  • Privacy by default
  • Data portability
  • Right to be forgotten
  • Data breach notifications
  • Data protection impact assessment
  • Fines

Page 8: ISACA Belgium Privacy Open Forum: GDPR current status

Overview

• Data Protection Management
  • Key principle: accountability
    • Ensure and be able to demonstrate compliance
      • Adopt policies
      • Implement appropriate measures
      • Documentation
      • Implementing data security requirements
      • Performing data protection impact assessment
      • Prior authorization or consultation (where required)
      • Data protection officer (DPO)

Page 9: ISACA Belgium Privacy Open Forum: GDPR current status

GDPR: short timeline

• Reform of the data protection legal framework in the EU
  • Dec 1995: Directive 1995/46/EC
  • Jan 2012: EC Proposal GDPR COM(2012) 11 final
  • March 2014: EP GDPR text (first reading)
  • June 2015: EC Council GDPR text (first reading)
  • June-December 2015: trilogue meetings
  • Jan-July 2016: final text?
  • July-Dec 2018: end of provisional period?

Page 10: ISACA Belgium Privacy Open Forum: GDPR current status

GDPR Initial Trilogue Agenda

• 24 June 2015
  • General approach
  • Agreement on roadmap
  • General method and approach for delegated and implementing acts
• 14 July 2015
  • Territorial Scope, Representative
  • Chapter V Transfer of personal data to a third country or international organisation

Page 11: ISACA Belgium Privacy Open Forum: GDPR current status

GDPR Initial Trilogue Agenda

• 16-17 & 29-30 September 2015
  • Chapter II Principles
  • Chapter III Rights of the data subject
  • Chapter IV Controllers and processors
• 15 & 28 October 2015
  • Chapter VI Independent supervisory authorities
  • Chapter VII Cooperation and consistency
  • Chapter VIII Remedies, liability and sanctions

Page 12: ISACA Belgium Privacy Open Forum: GDPR current status

GDPR Initial Trilogue Agenda

• 11-12 & 24 November 2015
  • Chapter I General Provisions
  • Chapter IX Specific Regimes
• 10 & 15 December 2015
  • Chapter X Delegated and implementing acts
  • Chapter XI Final provisions
  • Remaining issues
• Parties intend to close discussions at the end of 2015

Page 13: ISACA Belgium Privacy Open Forum: GDPR current status

Definitions

• Personal data
  • Addition of wording “by means reasonably likely to be used by the controller or by any other […] person”
  • Tentative agreement to delete additional wording

Page 14: ISACA Belgium Privacy Open Forum: GDPR current status

Definitions

• Main establishment
  • Controller with establishments in more than one Member State
    • Central administration
    • Establishment that decides on purposes and means (power to implement)
  • Processor with establishments in more than one Member State
    • Central administration
    • Location of main processing activities

Page 15: ISACA Belgium Privacy Open Forum: GDPR current status

Definitions

• Pseudonymisation
  • Prevent attribution to a specific data subject without use of additional information
  • Additional information kept separately and subject to measures to ensure non-attribution
  • No information on trilogue position

Page 16: ISACA Belgium Privacy Open Forum: GDPR current status

Definitions

• Profiling
  • Automated processing of personal data
  • Evaluate personal aspects
  • Analyse and predict
    • Performance at work
    • Economic situation
    • Interests
    • Behaviour
    • …

Page 17: ISACA Belgium Privacy Open Forum: GDPR current status

Material Scope

• Processing of personal data
  • Wholly or partly by automated means
  • Other processing where personal data are intended to form part of a filing system
• Clarification on household exemption
  • No requirement of absence of gainful interest
  • Tentative agreement in trilogue

Page 18: ISACA Belgium Privacy Open Forum: GDPR current status

Material Scope

• Exemption for law enforcement processing
  • Public authorities or not?
  • Extension to prevention of threats to public security
  • Trilogue: suggestion to follow EC Council text

Page 19: ISACA Belgium Privacy Open Forum: GDPR current status

Material Scope

• Effect on Directive 2000/31/EC (information society services)
  • Impact on liability of intermediaries
  • Tentative agreement in trilogue to include wording to apply Directive 2000/31/EC

Page 20: ISACA Belgium Privacy Open Forum: GDPR current status

Territorial Scope

• Controller or processor established in the EU
  • Activities linked to establishment
• Data subjects residing in the EU
  • Offering of goods or services
  • Monitoring of behaviour located in EU

Page 21: ISACA Belgium Privacy Open Forum: GDPR current status

Restriction of Data Subject Rights

• Restriction is permitted
  • National security
  • Defence
  • Public security
  • Law enforcement (broad sense)
  • General public interest
  • Judicial independence and judicial proceedings
  • …
• Tentative agreement in the trilogue on most items

Page 22: ISACA Belgium Privacy Open Forum: GDPR current status

Data Protection Management

• Duty to document processing
  • Controller
    • All categories of personal data processing activities
    • Description of activity (name, purposes, categories of data, recipients, transfers to third countries, time limits for erasure, description of security)

Page 23: ISACA Belgium Privacy Open Forum: GDPR current status

Data Protection Management

• Duty to document processing activities
  • Processor
    • All categories of processing performed on behalf of data controller
    • Description of activities (name of processor and controller, DPO ID, transfers to third countries, description of security measures)

Page 24: ISACA Belgium Privacy Open Forum: GDPR current status

Data Protection Management

• Documentation duty exemptions
  • Organisations < 250 persons, except high risk for rights and freedoms of data subject
    • Identity theft
    • Fraud
    • Reversal of pseudonymisation
    • Damage (financial loss, loss of confidentiality, …)

Page 25: ISACA Belgium Privacy Open Forum: GDPR current status

Data Breach Notification

• Data Breach Notification: restricted scope
  • Breach likely to result in high risk for the rights and freedoms of individuals
  • Not required if no communication to data subject is required
• Deadline
  • 72 hours
  • Reasoned justification if not made within deadline

Page 26: ISACA Belgium Privacy Open Forum: GDPR current status

Data Breach Notification

• Contents
  • Description of the data breach (where possible and appropriate: approximate categories of personal data and number of data subjects)
  • DPO ID
  • Likely consequences
  • Remedial and mitigation action proposed or taken
• Documentation duty re data breaches

Page 27: ISACA Belgium Privacy Open Forum: GDPR current status

Data Breach Notification

• Communication to data subjects
  • Likely to result in high risk for the rights and freedoms of individuals
  • Deadline: without undue delay
  • Contents
    • DPO ID
    • Remedial and mitigation action proposed and taken

Page 28: ISACA Belgium Privacy Open Forum: GDPR current status

Data Breach Notification

• Exemption
  • Technical measures to render data unintelligible (e.g. encryption)
  • Subsequent measures to ensure that high risk is no longer likely to materialise
  • Disproportionate effort (public communication is required)
  • Adverse effect on a substantial public interest

Page 29: ISACA Belgium Privacy Open Forum: GDPR current status

Data Breach Notification

• Presidency suggestion
  • Undue delay, not later than 72 hours
  • Justification if later than 72 hours
  • Risk for the rights and freedoms of individuals

Page 30: ISACA Belgium Privacy Open Forum: GDPR current status

DPO

• Optional DPO appointment, unless required by law
• Groups and public authorities may appoint a single DPO
• Presidency position
  • Mandatory DPO (12 months extra transition period)
    • Public authority
    • Core activity: processing requiring regular / systematic monitoring on a large scale
    • Core activity: processing special categories of data on a large scale

Page 31: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Power of supervisory authority
  • Investigation powers
  • Data protection audits
  • Soft enforcement (notify, issue warnings, reprimands, compliance orders)
  • Administrative fines
  • Suspend data flows to recipients in third countries
  • Initiate legal proceedings
• Tentative agreement on most issues

Page 32: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Complaint procedure
  • Single supervisory authority
  • Member State of habitual residence, place of work or place of alleged infringement
• Trilogue suggestion
  • More or less identical to Council position

Page 33: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Legal proceedings
  • Courts of Member State of an establishment
  • Alternative jurisdiction: habitual residence of data subject, unless public authority acting in the exercise of its public powers
• Tentative agreement in trilogue

Page 34: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Right to compensation
• Liability
  • Controller: liable for infringement
  • Processor: liable for specific processor obligations or exceeding instructions of controller
  • Joint liability
• Tentative agreement in trilogue

Page 35: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Administrative fines
  • Effective, proportionate and dissuasive
  • Criteria define amount
    • Nature, gravity and duration of infringement
    • Intentional or negligent nature
    • Mitigation action
    • Degree of responsibility in security
    • Existence of previous infringements
    • Cooperation
    • Categories of data involved
    • …
• Tentative agreement in trilogue

Page 36: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Council position on administrative fines
  • 250.000 EUR or 0,5% of total worldwide annual turnover of preceding financial year (whichever is higher)
  • 500.000 EUR or 1% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Data subject rights
  • 1.000.000 EUR or 2% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Essential provisions of GDPR
• Position is considerably more lenient than EP (!)

Page 37: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Administrative fines
  • 500.000 EUR or 1% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Security provisions
    • Data flows to third countries
  • 1.000.000 EUR or 2% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Essential provisions of GDPR
• Suggested text for trilogue, but superseded

Page 38: ISACA Belgium Privacy Open Forum: GDPR current status

Enforcement

• Latest trilogue text
  • Obligations for controllers
    • 1.000.000 EUR or 2% of total worldwide annual turnover of preceding year in case of an undertaking
  • Data subject rights
    • 2.000.000 EUR or 4% of total worldwide annual turnover of preceding year in case of an undertaking
  • Non-compliance with an order of the supervisory authority
    • 1.000.000 EUR or 2% of total worldwide annual turnover of preceding year in case of an undertaking

Page 39: ISACA Belgium Privacy Open Forum: GDPR current status

Specific Data Processing Activities

• National law provisions
  • Employment (especially consent)
  • Social Security
  • Archiving in public interest, scientific, statistical and historical purposes
  • Churches and religious associations
• Mostly tentatively agreed in trilogue

Page 40: ISACA Belgium Privacy Open Forum: GDPR current status

Entry into force

• Entry into force
  • 20th day following official publication
• Transition period
  • 2 years from entry into force
• Suggested text for trilogue

Page 41: ISACA Belgium Privacy Open Forum: GDPR current status


Contact details

Johan Vandendriessche

Partner - crosslaw CVBA

Visiting Professor ICT Law - UGent

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be

Page 42: ISACA Belgium Privacy Open Forum: GDPR current status


ISACA BELGIUM