GDPR: THE BIG PICTURE


GDPR: THE BIG PICTURE

Speakers:
John Bowman, Senior Principal, Promontory, London
Cecilia Álvarez Rigaudias, Data Protection Officer, Pfizer, Madrid
Olivier Proust, Of Counsel, Privacy, Security & Information Team, Fieldfisher, Brussels
Bruno Gencarelli, Head of Data Protection Unit, European Commission, Brussels

SESSION OUTLINE
1. GDPR: overview and next steps
2. Rights, obligations & accountability
3. International data transfers
4. A new regulatory approach
5. Getting ready for the GDPR
6. Questions
7. Please give your feedback!

GDPR: OVERVIEW & NEXT STEPS John Bowman & Bruno Gencarelli

OVERVIEW
The EU Charter of Fundamental Rights sets out that everyone has the right to the protection of personal data concerning them.
The Treaty on the Functioning of the European Union provides that the European Parliament and the Council shall lay down rules relating to the protection of personal data.

Milestones along the path to agreement:
January 2012: European Commission publishes proposals for data protection reform
October 2013: LIBE Committee vote
March 2014: European Parliament first reading
June 2015: Council general approach, trilogues commence
December 2015: informal compromise agreement following trilogues

NEXT STEPS IN THE ADOPTION PROCESS

Q1-2 2016:
Lawyer linguist review and translation
Council vote
European Parliament vote
Entry into force 20 days after publication in the Official Journal of the EU

Q2-3 2018:
Rules apply two years after entry into force

Other activity 2016-2018:
Agreement of delegated and implementing acts by Commission and Council
Member state legislation for local carve-outs and law enforcement Directive
Establishment of the EDPB and appointment of its chair
Guidance to be prepared by supervisory authorities

RIGHTS, OBLIGATIONS & ACCOUNTABILITY Olivier Proust & Cecilia Álvarez Rigaudias

KEY CHANGES TO EU DATA PROTECTION LAW 1/4

Key issue: Territorial scope
Changes introduced by GDPR: Broader territorial scope will apply to (i) data controllers and data processors established in the EU that process personal data; and (ii) data controllers and data processors not based in the EU who target individuals who are in the EU.

Key issue: Data processors
Changes introduced by GDPR: GDPR introduces direct statutory obligations for data processors, including (i) appointment of a Data Protection Officer; (ii) duty to notify the data controller without undue delay in case of a data security breach; and (iii) international data transfer obligations.

Key issue: Expanded definitions / new concepts
Changes introduced by GDPR:
Personal Data includes location data, online identifiers and technology identifiers.
Pseudonymous Data is defined as data that does not allow identification of individuals without additional information that is kept separate.
Sensitive Data includes genetic data and biometric data.
Profiling: automated processing of personal data used to evaluate an individual's personal aspects.

KEY CHANGES TO EU DATA PROTECTION LAW 2/4

Key issue: Consent
Changes introduced by GDPR: Consent must be either (i) unambiguous consent for general processing of personal data; or (ii) explicit consent for processing of sensitive personal data.

Key issue: Data subject rights
Changes introduced by GDPR: Existing rights are reinforced (access, rectification, deletion, objection to the processing). New rights: erasure (and right to be forgotten), restriction of the processing, data portability, right not to be subject to data profiling.

Key issue: Profiling
Changes introduced by GDPR: Automated decision making (including profiling) that either produces a legal effect or significantly affects individuals must be (i) authorised by law; or (ii) necessary to enter into or perform a contract with that individual; or (iii) based on the individual's explicit consent.

Key issue: Minors
Changes introduced by GDPR: Consent must be obtained from parents when information society services are provided to minors below the age of 16.

Key issue: Enforcement
Changes introduced by GDPR: DPAs now have investigative and corrective powers. They may impose fines of up to EUR 20 million or up to 4% of worldwide annual turnover (whichever is higher).

KEY CHANGES TO EU DATA PROTECTION LAW 3/4

Key issue: Accountability
Changes introduced by GDPR: GDPR introduces a new explicit principle of accountability: data controllers must ensure compliance with the general data processing principles.

Key issue: Records of processing activities
Changes introduced by GDPR: No more DPA registrations, but controllers and processors must maintain internal records of all the data processing activities under their responsibility.

Key issue: Privacy by Design / Privacy by Default
Changes introduced by GDPR: GDPR introduces the new concepts of privacy by design and privacy by default. The controller must implement appropriate technical and organisational measures which are designed to integrate the necessary safeguards into the processing.

Key issue: Data Protection Impact Assessments
Changes introduced by GDPR: The data controller must carry out a data protection impact assessment prior to processing data where the processing is likely to result in a high risk for the rights and freedoms of individuals due to (i) the use of new technologies; (ii) the nature, scope, context and purposes of processing.

KEY CHANGES TO EU DATA PROTECTION LAW 4/4

Key issue: Technical and organisational measures
Changes introduced by GDPR: Controllers must implement technical and organisational measures to ensure, and be able to demonstrate, compliance with the GDPR, including the implementation of appropriate policies.

Key issue: Data breach notification
Changes introduced by GDPR: GDPR introduces an obligation to notify data breaches (i) to the data protection authority within 72 hours; and (ii) to affected individuals without undue delay.

Key issue: Data Protection Officer
Changes introduced by GDPR: Data controllers and processors must appoint a DPO in case of (i) regular and systematic processing of data subjects on a large scale; and (ii) when the core activities of the controller or the processor consist of processing on a large scale of sensitive data or data relating to criminal convictions and offences.

INTERNATIONAL DATA TRANSFERS Olivier Proust & Bruno Gencarelli

DATA TRANSFERS AT A GLANCE
The general principle remains the same: transfers outside the EEA are possible under certain conditions.
Data transfer restrictions now apply both to controllers and processors.
Data transfer rules now apply both to transfers to a third country and to transfers to an international organisation outside the EEA.
Data transfer rules apply both to initial transfers outside the EEA and to onward transfers.

LEGAL SOLUTIONS FOR TRANSFERRING DATA

1. Adequacy decision

2. Appropriate safeguards

Appropriate safeguards that do not require any special authorisation from the DPA:
Standard contractual clauses adopted by the EU Commission
Standard contractual clauses adopted by a DPA and approved by the EU Commission (NEW!)
Binding Corporate Rules (NEW!)
Code of conduct (NEW!)
Certification mechanism, e.g. data protection seal or mark (NEW!)

Appropriate safeguards which do require specific authorisation from the DPA:
Contractual clauses between the exporter and importer (NEW!)

3. Legal derogations

TRANSFERS OR DISCLOSURES NOT AUTHORISED BY UNION LAW (Article 43a, Chapter V)
"Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."

A NEW REGULATORY APPROACH John Bowman & Bruno Gencarelli

SUPERVISORY AUTHORITIES

Tasks of the supervisory authority (selected):
Promote public awareness of risks, rules, safeguards and rights
Promote awareness of the Regulation amongst controllers and processors
Deal with complaints, conduct and co-operate in investigations
Give advice on processing following a DPIA which indicates a high risk to individuals
Authorise contractual clauses and binding corporate rules
Contribute to the activities of the EDPB

Sanctions:
Regarding obligations of the controller and the processor: up to EUR 10 million, or 2% of worldwide annual turnover, whichever is higher
Regarding the basic principles for processing, data subject rights, transfers of personal data, or non-compliance with an order by the supervisory authority: up to EUR 20 million, or 4% of worldwide annual turnover, whichever is higher
Other enforcement powers available include issuing warnings and reprimands, ordering compliance with the GDPR, and imposing temporary and definitive bans on processing

ONE-STOP SHOP
The lead authority is the supervisory authority located in the territory of the main establishment.
For matters of cross-border interest, the lead authority will co-ordinate the investigation with other concerned authorities and prepare the draft decision.
If the case is purely a matter that is local to the data subject, the lead authority can delegate competence to deal with the case to the local authority.
If a concerned supervisory authority provides a reasoned objection to a lead authority's draft decision, the case shall be referred to the European Data Protection Board for a binding decision under the consistency mechanism.
A concerned person may challenge the validity of the implementation of an EDPB decision by a national supervisory authority in a court of the member state where that authority is established.
Any person has the right to bring an action for annulment of decisions of the EDPB before the Court of Justice of the European Union where it is of direct and individual concern to them.

GETTING READY FOR THE GDPR Olivier Proust & Cecilia Álvarez Rigaudias

GDPR COMPLIANCE PROGRAMME

STEP 1: BUILD A BUSINESS CASE
What is your plan?
Create a brief and easily digestible business case document.
Bring the business case arguments out on the first page.
Focus on key compliance areas in the remainder and show you know what you're doing.
Slide decks, stakeholder meetings, etc. as required.

STEP 2: GAP ANALYSIS
Why, how and who should do it?
1. Why: understand where you are against GDPR standards and how much work you have to do
2. How: Gap Analysis Questionnaire
3. Who: privacy function / DPO leads; senior management backing (GDPR Champion); support from legal and compliance; external counsel; project team to run it; all parts of the business to input as required
4. What's next: GDPR Readiness Report

STEP 3: GDPR READINESS REPORT
Sets out, for each GDPR compliance area:
1. The GDPR requirement
2. What it means for your company
3. Where your company is now
4. Where it should be to meet GDPR standards
5. How to get there
These are the objectives of your project plan.

HOW DID THINGS GO? (WE REALLY WANT TO KNOW!)
Did you enjoy this session? Is there any way we could make it better? Let us know by filling out a speaker evaluation. Start by opening the IAPP Events mobile app. Select this session and tap "Click the following link for speaker evaluations". Once you've answered all three questions, tap "Done" and you're all set. Thank you!