are you ready for the new eu data privacy regulation?

#admbe Are you ready for the EU General Data Protection Regulation? Brussels, 24 October 2013

Upload: adm

Post on 13-Dec-2014


Category:

Business


DESCRIPTION

The EU Commission is in the process of voting on a new (highly debated) Data Privacy Regulation. In these slides you'll find an overview of the most important changes and issues. ADM members can download the complete presentations made by Deloitte and Allen&Overy (24/10/2013) on the website: http://adm.be/news/the-european-data-protection-regulation-situation-24-10-2013

TRANSCRIPT

Page 2: Are you ready for the new EU Data Privacy Regulation?

#admbe Highlights of the session

The slides hereafter give you an overview of the essentials presented during the ADM session on 24 October 2014 – based on the situation as decided upon just 2 days earlier in the Commission.

The complete presentation by Deloitte and Allen&Overy is available to ADM members on the ADM website.

Page 3: Are you ready for the new EU Data Privacy Regulation?

#admbe Privacy vs Information Security?

Lawfully, Fairly, Transparency, Adequate … (GDPR)

Confidentiality Integrity Availability (ISO 27k)

Page 4: Are you ready for the new EU Data Privacy Regulation?

#admbe Why talking about privacy?

“The problem does not lie in oversight, but in insight (Edward Snowden)”

“Commission gets to work on a privacy police”

Page 5: Are you ready for the new EU Data Privacy Regulation?

#admbe Where are we today?

Source: http://lobbyplag.eu/lp

Page 6: Are you ready for the new EU Data Privacy Regulation?

#admbe Table of contents (highlights)

The upcoming EU Data Protection Regulation

• From Directive to Regulation

• Scope

• Internal Privacy Organization

• Security of personal data processing

• Relations with privacy regulators

• Enforcement

• Legitimate processing grounds

• Notice to data subjects

• Data subject rights

• (International) data transfers

• Other changes

• Conclusion / Recommended next steps to be compliant

Quentin Van Peteghem - Attorney-at-law at Allen & Overy LLP

David Lenaerts - Manager at Deloitte

Erik Luysterborg - BE Security & Privacy Leader,

EMEA Data Protection & Privacy Leader at Deloitte

Page 7: Are you ready for the new EU Data Privacy Regulation?

© 2013 Deloitte Belgium

A. From a Directive to a Regulation: Future Legal Framework

7 ADM - Are you ready for the EU General Data Protection Regulation?

All national general Data Protection laws (and decrees) will be directly replaced by the General Data Protection Regulation.

Consequences

Page 8: Are you ready for the new EU Data Privacy Regulation?

B. Scope of the Regulation: Highlight of Key Changes

How to prepare

• Assess under which role you (will) act.

• Assess whether you have to comply with new requirements, depending on your role.

Page 9: Are you ready for the new EU Data Privacy Regulation?

C. Internal Privacy Organization: Highlight of Key Changes

How to prepare

• Create a template for privacy documentation.

• Review privacy & compliance policies & procedures.

• Update public reporting procedures.

• Verify if you’ll have to appoint a DPO.

• Decide on who will be DPO, where in the organization, etc. (Come to our next info session for more details!)

• Review and update your internal procedures regarding the setup of new projects to make sure that privacy is appropriately taken into account.

• Review current/planned software systems and applications from a privacy angle.

• Update the (privacy) risk assessment procedures (roles & responsibilities, templates, triggers to escalate, …) to include specific privacy concerns such as usage of data, location of/access to data, etc.

Page 10: Are you ready for the new EU Data Privacy Regulation?

D. Security of personal data processing: Highlight of Key Changes

How to prepare

• Review your current security policies & procedures and their implementations (especially at third parties).

• Check your cybersecurity measures and come to our next info session!

Page 11: Are you ready for the new EU Data Privacy Regulation?

E. Relations with Privacy Regulators: Highlight of Key Changes

How to prepare

• Identify when and what may need to be published by default to the DPA.

• Update the procedures for internal DP review and DPA notification.

Page 12: Are you ready for the new EU Data Privacy Regulation?

F. Enforcement & Redress: Highlight of Key Changes

How to prepare

• Tell the Board!

• Update the impact and probability parameters of your risk matrices!

Page 13: Are you ready for the new EU Data Privacy Regulation?

© Allen & Overy LLP 2010

Personal data

Current EU Data Protection Directive

– Personal Data concept: information relating to an identified or identifiable natural person, i.e. the data subject

– “Identifiable”: the data directly or indirectly allows for the identification of the individual

Original EU Data Protection Regulation Proposal (new)

– Anonymous data concept: data subject is no longer identifiable

Current status EU Data Protection Regulation Proposal

– Pseudonymous data concept: personal data processed in such a way that the data cannot be attributed to a specific data subject without the use of additional information

Page 14: Are you ready for the new EU Data Privacy Regulation?


Notice to data subjects – breach notification

Current EU Data Protection Directive

– No obligation to notify data security breaches

Original EU Data Protection Regulation Proposal (new)

– Obligation for data controllers to report data security breaches to the supervisory authority without undue delay (within 24 hours where feasible)

– Exemption: controller demonstrates it has implemented appropriate technological protection measures

Current status EU Data Protection Regulation Proposal

– “24 hours” deleted

– New notification condition: the breach must severely affect the rights and freedoms of the data subject

– Exemption: controller demonstrates that it has implemented appropriate technological protection measures, applied in particular to pseudonymous data

Page 15: Are you ready for the new EU Data Privacy Regulation?

#admbe Next in this track

12 March 2014:

The DPO office(r) 15.00 hrs

Communication about data breach 17.00 hrs

Page 16: Are you ready for the new EU Data Privacy Regulation?


David Lenaerts - Manager, CIPP/E

[email protected]

Deloitte Enterprise Risk Services

Direct: + 32 2 800 25 03

Mobile: + 32 479 20 07 91

Erik Luysterborg - Partner, CIPP, EMEA Data Protection & Privacy Leader

[email protected]

Deloitte Enterprise Risk Services

Direct: + 32 2 800 23 36

Mobile: + 32 497 51 53 95

Page 17: Are you ready for the new EU Data Privacy Regulation?

+32 3 543 73 23

[email protected]

@admteam (#admbe)

ADM: Where business and ICT meet

www.youtube.com/user/ADMVideoChannel

www.slideshare.net/ADM-Slideshare

www.adm.be