ISACA Privacy Open Forum - GDPR

Posted on 07-Jan-2017

Category: Law

TRANSCRIPT

Privacy Open Forum
Tuesday, 23rd of February 2016

Brussels, 23 February 2016

Agenda

1. 18:30 Introduction
2. 18:45 GDPR
3. 19:30 Break
4. 19:50 GDPR
5. 20:45 Close

Close

GDPR: AN OVERVIEW OF CHANGES COMPARED TO CURRENT LEGISLATION
Johan Vandendriessche

GDPR Status Update

• GDPR Timeline
  • 15 Dec 2015: agreement reached in trilogue
  • Jan-Feb 2016: technical/legal review and translation
  • March-April 2016: official adoption
  • By June 2016: publication and entry into force
  • By June 2018: application

GDPR Status Update

• GDPR Guidance
  • Article 29 Working Party 2016 Action Plan
    • Creating the European Data Protection Board (EDPB)
    • Preparing the "one stop shop" and "consistency mechanism"
    • Issuing guidance
      • New portability right
      • Notion of risk
      • DPIA guidance
      • Certification
      • DPO
    • Communication concerning the EDPB and the GDPR

GDPR Status Update

• Safe Harbor and EU/US Privacy Shield
  • 2 Feb 2016: political agreement on new framework
  • By Feb 2016: text of the agreement
  • By March 2016: analysis by Art. 29 WP
  • By April 2016: opinion from Art. 29 WP on the new agreement and on BCR and model clauses
  • Legal uncertainty for the moment

GDPR: scope

• Material scope
  • Automated processing of personal data
  • Other processing of personal data forming part (or intended to form part) of a filing system
• Exceptions
  • Personal or household exception
  • Other exceptions

GDPR: scope

• Territorial scope
  • EU establishment of controller or processor
    • Location of processing is irrelevant
  • Establishment of controller or processor outside the EU
    • Offering of goods or services to data subjects in the EU
    • Monitoring of behaviour taking place within the EU

GDPR: lawfulness of processing

• Consent
  • Statement or clear affirmative action
    • Mere silence is not sufficient
  • Explicit consent is not generally required
    • Required for processing of special categories of personal data
  • Right to withdraw consent
    • "in a manner as easy as consent was given"

GDPR: lawfulness of processing

• Consent
  • Written declaration: formal requirements impacting the validity of consent
  • Consent by children
    • Parental consent
    • Reasonable means to verify parental consent
  • Controller has the burden of proof

GDPR: data subjects' rights

• Overview
  • Right to information and access to data
  • Right to rectification and erasure ("right to be forgotten", RTBF)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated individual decision making, including profiling

GDPR: data subjects' rights

• Transparency
  • Identity and contact details (including DPO)
  • Purposes of processing, including the legal basis for processing
  • Recipients of personal data
  • International data transfers
  • Storage period
  • Specific data subject rights

GDPR: data subjects' rights

• Right to be forgotten
  • Data no longer necessary
  • Withdrawal of consent and no other legal ground
  • Objection
  • Unlawful processing
  • Erasure is required for compliance with a legal obligation
  • Personal data of children (conditional)

GDPR: data subjects' rights

• Consequences
  • Erasure of personal data
  • If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
  • Freedom of expression and information
  • Compliance with a legal obligation
  • Public interest in the area of public health
  • Archiving
  • Legal claims

GDPR: data subjects' rights

• Right to data portability
  • Processing based on consent, contract or
  • Right to receive a copy of his personal data
    • Structured, commonly used and machine-readable format
  • Right to transmit personal data to another controller without hindrance
  • Right to require direct transmission between controllers

GDPR: data subjects' rights

• Automated individual decision making
  • Right not to be subjected thereto
    • Legal effect concerning him
    • Significantly affects him
  • Exceptions
    • Contractual necessity
    • Authorized by law
    • Based on explicit consent
  • Additional safeguards

DP by Design

• Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate necessary safeguards to ensure compliance

DP by default

• Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility

GDPR: Accountability

• Main principle of GDPR
  • Implement measures to ensure compliance and to be able to demonstrate compliance
  • Burden of proof (!)
  • Approved certification mechanisms may be applied
• Risk based approach for some obligations
  • Risk vs high risk

GDPR: record keeping

• Record keeping obligation
  • Who?
    • Data controller
    • Data processor
  • Which information?
    • Contact details (including DPO)
    • Categories of data subjects and personal data
    • Categories of recipients
    • International data transfers
    • Time limits
    • Security measures

Data Protection Impact Assessment

• Impact assessment in relation to protection of personal data
  • High risk
    • Systematic and extensive profiling
    • Processing on a large scale of special categories of data
    • Systematic monitoring of publicly accessible areas on a large scale
    • …
  • Guidance from supervisory authority

Data Protection Impact Assessment

• DPIA contents
  • Description of processing
  • Assessment of necessity and proportionality of processing
  • Assessment of risks
  • Measures to address risk
• If appropriate: involve data subjects or their representatives

Prior consultation

• DPIA concludes that high risk is present
  • Prior consultation of supervisory authority
  • Advice within 8 weeks if supervisory authority believes processing to be non-compliant

DPO

• Mandatory DPO?
  • Public authority or body
  • Core activity requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO

DPO

• Who?
  • Expert in data protection law
  • Employee or service provider
• Tasks
  • Inform and advise
  • Monitor compliance
  • Provide advice on DPIAs
  • Cooperate with supervisory authorities
  • SPOC (single point of contact) for supervisory authorities
• Direct reporting link to highest management level

Personal Data Breach Notification

• Personal data breach notification
  • Personal data breach
  • Notification to supervisory authority
    • Deadline: without undue delay, but not later than 72 hours after having become aware
    • Exception: no risk
  • Data processor must inform data controller without undue delay

Personal Data Breach Notification

• Personal data breach notification
  • What?
    • Nature of breach, data involved and approx. number of data subjects
    • Contact details of DPO
    • Likely consequences
    • Mitigation action
  • Document personal data breaches

Personal Data Breach Notification

• Notification of data subjects
  • High risk
  • Not applicable if
    • Appropriate measures, e.g. encryption
    • Subsequent measures that reduce risk (no longer high risk)
    • Disproportionate effort
  • May be imposed by supervisory authority
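The three breach-notification slides above describe a procedure that an incident-response team has to execute under a clock: decide whether the supervisory authority must be told, compute the 72-hour deadline, decide whether data subjects must be told, and record the breach either way. The following Python example is added here and is not part of the deck; it encodes only the rules the slides state. The register schema, the three-step risk scale (none / risk / high), the placeholder DPO address and the sample incident are assumptions.

```python
"""Breach-register entry and notification decisions (added example, not from the deck).

Rules encoded, exactly as the slides state them:
- notify the supervisory authority without undue delay and within 72 hours of
  becoming aware, unless the breach poses no risk;
- notify data subjects when the risk is high, unless the data were protected
  (e.g. encrypted), later measures removed the high risk, or individual notice
  would take disproportionate effort (the authority may still impose it);
- document every breach, notified or not.
The field names and the risk scale are assumptions, not GDPR terminology.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    """Assumed three-step scale for risk to the rights and freedoms of data subjects."""
    NONE = "none"
    RISK = "risk"
    HIGH = "high"


@dataclass
class BreachRecord:
    """One entry in the controller's breach register (hypothetical schema)."""
    became_aware: datetime                   # moment the controller became aware (tz-aware)
    nature: str                              # nature of the breach
    data_categories: list[str]               # data involved
    approx_data_subjects: int                # approximate number of data subjects
    dpo_contact: str                         # contact details of the DPO
    likely_consequences: str
    mitigation: str                          # mitigation action taken or proposed
    risk: Risk                               # risk as assessed at discovery
    data_unintelligible: bool = False        # appropriate measures, e.g. encryption with key not exposed
    risk_after_measures: Risk | None = None  # re-assessment after subsequent measures
    disproportionate_effort: bool = False    # individual notification not feasible


SA_DEADLINE = timedelta(hours=72)


def sa_deadline(rec: BreachRecord) -> datetime:
    """Latest moment for the notification to the supervisory authority."""
    return rec.became_aware + SA_DEADLINE


def hours_left(rec: BreachRecord, now: datetime) -> float:
    """Hours remaining until the 72-hour deadline; negative once it has passed."""
    return (sa_deadline(rec) - now).total_seconds() / 3600


def must_notify_sa(rec: BreachRecord) -> bool:
    """The supervisory authority is notified unless the breach poses no risk."""
    return rec.risk is not Risk.NONE


def must_notify_data_subjects(rec: BreachRecord) -> bool:
    """Data subjects are notified for high-risk breaches, minus the three exceptions on the slides."""
    if rec.risk is not Risk.HIGH:
        return False
    if rec.data_unintelligible:                       # appropriate measures, e.g. encryption
        return False
    if rec.risk_after_measures is not None and rec.risk_after_measures is not Risk.HIGH:
        return False                                  # subsequent measures removed the high risk
    if rec.disproportionate_effort:                   # the authority may still impose notification
        return False
    return True


def sa_notification(rec: BreachRecord) -> dict[str, object]:
    """Content of the notification to the supervisory authority, as listed on the slides."""
    return {
        "nature_of_breach": rec.nature,
        "data_involved": rec.data_categories,
        "approx_data_subjects": rec.approx_data_subjects,
        "dpo_contact": rec.dpo_contact,
        "likely_consequences": rec.likely_consequences,
        "mitigation": rec.mitigation,
        "deadline": sa_deadline(rec).isoformat(),
    }


def sample_breach() -> BreachRecord:
    """Constructed incident for demonstration: a lost laptop holding a customer export."""
    return BreachRecord(
        became_aware=datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc),
        nature="Laptop with customer export lost in transit",
        data_categories=["names", "e-mail addresses", "order history"],
        approx_data_subjects=12_000,
        dpo_contact="dpo@example.org",  # placeholder address
        likely_consequences="Spam or phishing if the disk were decrypted",
        mitigation="Full-disk encryption confirmed; remote wipe issued; key not exposed",
        risk=Risk.HIGH,                 # assessed before the encryption status was confirmed
        data_unintelligible=True,       # encryption makes the data unintelligible to the finder
    )


if __name__ == "__main__":
    rec = sample_breach()
    now = datetime(2016, 3, 2, 12, 0, tzinfo=timezone.utc)
    print(f"notify SA: {must_notify_sa(rec)}, hours left: {hours_left(rec, now):.0f}")
    print(f"notify data subjects: {must_notify_data_subjects(rec)}")
    print(sa_notification(rec))
```

In the sample incident the authority still has to be notified (the breach is not "no risk") while the data subjects do not, because the encryption makes the data unintelligible; flip `data_unintelligible` to `False` and the data-subject notification becomes mandatory. Whatever the outcome, the record itself stays in the register, which is the documentation duty the slides mention.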

Codes of Conduct

• Mechanism for drafting and approving codes of conduct
  • Approval for compliance
  • Mechanism for international data transfers
• Certification mechanisms

International data transfers

• Prohibition to transfer personal data to third countries
• Adequacy decision is regulated more strictly
• Onward transfers are restricted

International data transfers

• Legally binding instrument between public authorities
• BCR
• Standard data protection clauses
• Approved code of conduct
• Approved certification mechanism
• Ad hoc solution
• Exceptions

One Stop Shop

• Competence mechanism
  • Main establishment
    • Data controller
      • Place of central administration, except if data protection decisions are taken elsewhere
    • Data processor
      • Place of central administration or, if none, place of main processing activities

One Stop Shop

• Complaint mechanism
  • Lead supervisory authority
  • Supervisory authority (subject to information duty and priority mechanism)
    • Relates only to establishment in the Member State
    • Substantially affects data subjects only in the Member State

Sanctions

• Complaint procedure
• Right to compensation and liability
• Criminal liability
• Administrative fines
  • 2% of global annual turnover or 10 MEUR, whichever is higher: organisational issues
  • 4% of global annual turnover or 20 MEUR, whichever is higher: principles, data subject rights

Contact details

Johan Vandendriessche
Partner - Crosslaw CVBA
Visiting Professor ICT Law - UGent
Mobile Phone +32 486 36 62 34
E-mail j.vandendriessche@crosslaw.be
Website www.crosslaw.be

ISACA BELGIUM