The General Data Protection Regulation: An Overview of Challenges and Opportunities

Dr. Dimitrios Patsos, Chief Technology Officer, ADACOM S.A.

Upload: isc2-hellenic

Post on 09-Feb-2017


TRANSCRIPT


How we got here

Technology

• Increase in breaches

• Cyber Security

Politics

• Safe Harbour Diminished

• EU Reverses requirements

EU Framework

• Weakly Enforced Directive 95/46/EC

• Multiple constituents

The GDPR at a Glance

• Data of EU Citizens residing worldwide,

• Replaces Directive 95/46/EC,

• In full force: Friday, May 25th, 2018,

• Fines Up to 4% of worldwide turnover, or 20M € (whichever is bigger),

• 173 recitals setting the context of the regulation and how it will be interpreted by the Data Protection Authorities,

• 99 articles describing in detail the content of the regulation,

• 98 of 99 articles are not directly related to technology,

• 1 article (32) talking about technology.

Key Facts

[Diagram: GDPR at the centre, surrounded by its key elements]

• Fines

• Data Protection Officer

• Breach Notification

• Consent

• Data Subject Rights

• Privacy by Design

• Wider Geographic Scope

controller: determines the purposes and means of the processing of personal data

processor: processes personal data on behalf of the controller

data subject: person whose personal data is processed

Degrees of Change

[Bar chart, scale 0 to 10, rating the degree of change for each of the topics listed below. The extracted bar values, in the order they appear in the extraction, are 7, 2, 7, 6, 2, 8, 7, 4, 5, 6, 5, 9, 6, 9, 9, 9, 2, 2, 7, 8, 9, 6, 9, 2; their pairing with the topics is not recoverable from the extracted text.]

• Material and Territorial scope

• Changed concepts

• Data Protection Principles

• Lawfulness of processing and further processing

• Legitimate interests

• Consent

• Children

• Sensitive Data and lawful processing

• Information notices

• Subject access, rectification and portability

• Rights to object

• Right to erasure and right to restriction of processing

• Profiling and automated decision-taking

• Data Governance

• Personal data breaches and notification

• Codes of conduct and certifications

• Transfers of personal data

• Appointment of supervisory authorities

• Competence, tasks and powers

• Co-operation and consistency between supervisory authorities

• European Data Protection Board

• Remedies and liabilities

• Administrative fines

• Delegated acts, implementing acts and final provisions

OK, but… What Data?

• Personal Data: anything related to an identified or identifiable natural person ("data subject"), such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Art. 4(1)),

• Sensitive Personal Data: anything revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data (Rec. 10, 34, 35, 51; Art. 9(1)),

• Data relating to criminal offences: data relating to criminal offences and convictions may only be processed by national authorities. National law may provide derogations, subject to suitable safeguards (Rec. 19, 50, 73, 80, 91, 97; Art. 10),

• Anonymous data: the GDPR does not apply to data that have been anonymized in such a way that an individual cannot be identified from the original data (Rec. 26),

• Pseudonymous data: pseudonymous data are still treated as personal data because they enable the identification of individuals (by reversing the pseudonymization process). However, the risks are likely to be lower (Rec. 26, 28-29, 75, 78, 156; Art. 4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)).

Lawful processing

• Identify a legal basis before you can process personal data:

  • processing is necessary for compliance with a legal obligation,

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(c), (e)).

• Lawfulness of processing conditions:

  • consent of the data subject (Article 6(1)(a)),

  • performance of a contract with the data subject or to take steps to enter into a contract (Article 6(1)(b)),

  • compliance with a legal obligation (Article 6(1)(c)),

  • protection of the vital interests of the data subject or another person (Article 6(1)(d)),

  • legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (Article 6(1)(f)).

Consent

• Freely given, specific, informed and an unambiguous indication of the individual's wishes,

• Clear affirmative action,

• Silence, pre-ticked boxes or inactivity do not count as consent (Articles 6-10, Recitals 38, 40-50, 59),

• Must be verifiable,

• Individuals have a right to withdraw consent at any time.

Data Subject Rights

• The right to be informed,

• The right of access,

• The right to rectification,

• The right to erasure (be forgotten),

• The right to restrict processing,

• The right to data portability,

• The right to object,

• Rights in relation to automated decision making and profiling.

Privacy by Design

• Demonstration of compliance:

  • Implement appropriate technical and organizational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies,

  • Maintain relevant documentation on processing activities,

  • Where appropriate, appoint a data protection officer,

  • Implement measures that meet the principles of data protection by design and data protection by default.

• Measures could include:

  • Pseudonymisation,

  • Transparency,

  • Allowing individuals to monitor processing,

  • Creating and improving security features on an ongoing basis.

• Use data protection impact assessments where appropriate,

• Adhere to approved codes of conduct and/or certification schemes.

• Article 5(2)

Documentation

• Internal records of processing activities, such as:

  • Name and details of your organization (and, where applicable, of other controllers, your representative and data protection officer),

  • Purposes of the processing,

  • Description of the categories of individuals and categories of personal data,

  • Categories of recipients of personal data,

  • Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place,

  • Retention schedules,

  • Description of technical and organizational security measures.

• Article 25, Recital 78

Privacy Impact Assessment

When?

• Using new technologies, and the processing is likely to result in a high risk, such as:

  • systematic and extensive processing activities, including profiling, and where decisions have legal effects (or similarly significant effects) on individuals,

  • large-scale processing of special categories of data or of personal data relating to criminal convictions or offences,

  • a considerable amount of personal data at regional, national or supranational level that affects a large number of individuals and involves a high risk to rights and freedoms.

What?

• A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller,

• An assessment of the necessity and proportionality of the processing in relation to the purpose,

• An assessment of the risks to individuals,

• The measures in place to address risk, including security, and to demonstrate that you comply,

• A PIA can address more than one project.

• Articles 35, 36, 83 and Recitals 84, 89-96

Privacy Impact Assessment - How

[Diagram: the four questions an assessment answers]

• What are my data?

• Where are my data?

• How are my data being used?

• How are my data protected?

Supporting elements: guidelines, policies, procedures, awareness; integrity, quality, compliance.

Data Protection Officer

• Tasks:

  • Inform and advise the organization and its employees about their obligations to comply with the GDPR and other data protection laws,

  • Monitor compliance with the GDPR and other data protection laws, advise on data protection impact assessments, train staff and conduct internal audits,

  • Point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

• Position & Skill Set:

  • The DPO reports to the highest management level, i.e. board level,

  • The DPO operates independently and is not dismissed or penalized for performing their task,

  • Adequate resources are provided to enable DPOs to meet their GDPR obligations,

  • Can be an internal employee or an external contractor,

  • Should have professional experience and knowledge of data protection law.

• (Articles 37-39, 83 and Recital 97)

Breach notification

• Data Breach >> Loss of Data

• Data breach == event leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data

• What Should I Report, Where and How Fast?

  • A breach where it is likely to result in a risk to the rights and freedoms of individuals,

  • Notify the relevant supervisory authority & those concerned directly*,

  • Within 72 hours from becoming aware of it,

  • Failing to notify results in fines.

• Exclusions?

  • Encrypted Data

• Articles 33, 34, 83 and Recitals 85, 87, 88

Technology

• Article 32 (Security of processing) specifies:

  • (a) the pseudonymization and encryption of personal data;

  • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

  • (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
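The deck names pseudonymization twice: in the "What Data?" slide (Rec. 26: pseudonymous data remain personal data because the process can be reversed) and here as an Article 32(a) measure. The following Python example, added here and not part of the presentation or of ADACOM's material, shows what that means in practice: direct identifiers are replaced with a keyed HMAC-SHA256 pseudonym, the working dataset stays linkable per person (which is why it is still personal data), and only the separately held key and re-identification table (the Art. 4(5) "additional information") can map a pseudonym back to a person. The sample records, the field names and the function names are all constructed for this illustration.

```python
# Added example (not from the presentation): keyed pseudonymization as an
# Art. 32(a) measure, showing why pseudonymous data is still personal data
# (Rec. 26). All records below are constructed; they describe no real person.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records. "email" is the direct identifier to be replaced.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.org", "purchase": "shoes", "country": "GR"},
    {"email": "bob@example.org", "purchase": "books", "country": "GR"},
    {"email": "alice@example.org", "purchase": "hat", "country": "GR"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Return an HMAC-SHA256 pseudonym (hex) for a direct identifier.

    The pseudonym is deterministic under one key, so all records about the
    same person remain linkable; that linkability is exactly why Rec. 26
    still treats the output as personal data. A secret key is used rather
    than a plain hash because an unkeyed hash of a guessable value such as
    an e-mail address could be recomputed by anyone holding the output.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def split_dataset(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace the direct identifier in every record with a pseudonym.

    Returns the working dataset (what analysts or a processor receive) and
    the re-identification table. Under Art. 4(5) the table and the key are
    the 'additional information' that must be stored separately from the
    working dataset, under their own access controls.
    """
    working: List[Dict[str, str]] = []
    reid_table: Dict[str, str] = {}
    for rec in records:
        subject_id = pseudonymize(rec["email"], key)
        reid_table[subject_id] = rec["email"]
        working.append(
            {"subject_id": subject_id,
             **{k: v for k, v in rec.items() if k != "email"}}
        )
    return working, reid_table


def reidentify(subject_id: str, reid_table: Dict[str, str]) -> Optional[str]:
    """Authorised re-identification, e.g. to honour an access request
    (Art. 15) or an erasure request (Art. 17). Only the custodian of the
    re-identification table can perform this step."""
    return reid_table.get(subject_id)


def records_per_subject(working: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per pseudonym. A non-trivial count shows that the
    working dataset still singles out individuals even though no name or
    e-mail address is present in it."""
    counts: Dict[str, int] = {}
    for rec in working:
        counts[rec["subject_id"]] = counts.get(rec["subject_id"], 0) + 1
    return counts


if __name__ == "__main__":
    # The key lives with the key custodian, never alongside the working data.
    key = secrets.token_bytes(32)
    working, reid_table = split_dataset(SAMPLE_RECORDS, key)
    for rec in working:
        print(rec)
    print("records per subject:", records_per_subject(working))
    print("re-identified:", reidentify(working[1]["subject_id"], reid_table))
```

The design point for an Article 32 control is the separation: if only the working dataset is exposed, the breach discloses pseudonyms plus attributes, not names; if the key or the table is exposed together with it, the pseudonymization adds nothing. Rotating the key changes every pseudonym, which is why the table, not a recomputation, is the authoritative route back to the data subject.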

The Cloud

• Controllers and processors must know the location where the personal data are stored or otherwise processed,

• Limits the ability of entities covered by the GDPR to transfer data to recipients outside the EEA,

• In cascaded cloud environments the transfer of personal data must comply with the data transfer rules of the GDPR,

• Controllers & Processors (incl. sub-processors) should take adequate security measures to protect the personal data and must supervise the implementation of security measures by the processor by conducting regular audits.

A Draft Action Plan

[Timeline: Q1/17, Q2/17, Q3/17, Q4/17, Q1/18, running from "Today" to the "Deadline"]

• Data Inventory

• Data Flow Mapping

• PIA & Consent Mechanism

• Data Subject Rights

• Assess Readiness

• Identify DPO

• Build a Plan

• Data Breach Plan

• Training and Awareness

• Calculate Residual Risk

A Draft Methodology

Data Collection

• Lawfulness

• Consent

• Relevance

• Types of Data

Data Processing

• Specific Data

• Specific Purpose

• Change Notification

Data Security

• Process

• Technology

• Awareness

Data Management

• Access

• Rules

• Subject Rights

Main Challenges

• Reconciliation of multiple mandates (Lawful Processing),

• Collaboration with Stakeholders (Data Subject Rights),

• Accountability,

• Usage of Cloud Providers, BYOD, Consumerization,

• Codes of Conduct, Certifications, Seals and BCRs,

• SMEs and Start-ups,

• Time Restrictions & Tight Budgets.

Opportunities

• Skill Shortage (Data Protection Officer),

• The rise of encryption and data security technologies,

• Synergies & Collaborations,

• Additional budgets,

• New and Innovative solutions,

• Market Awareness.

Summary

• A demanding, ambitious but fair legislation aiming at the protection of EU Citizens' personal data worldwide,

• Applies without further consultation,

• Heavy fines involved,

• Wide manoeuvre room; the Article 29 WP is trying to provide further explanations and resolve conflicts (e.g. the EU-US Privacy Shield),

• Multiple Challenges and Multiple Opportunities,

• The Clock is Ticking !

Questions ?

Greece

Athens

25 Kreontos St.,

104 42 Athens

+30 210 5193740

Israel

Tel Aviv

16th Ha’ Melecha St.

48091 Rosh Ha’Ayin

+972 74 7019424

United Kingdom

London

16 Great Queen St.,

WC2B5AH Covent Garden

+44 203 126 4590

Thanks for Watching !