new general data protection regulation (agnes andersson hammarstrand)
TRANSCRIPT
Agnes Andersson Hammarstrand
Partner and lawyer at Delphi Law Firm
New General Data Protection Regulation
@IT_advokaten
New EU Regulation for personal data
• Directly applicable regulation replacing the Personal Data Directive
• Applicable to all EU companies and public bodies
• The new rules will apply from 25 May 2018
Sanctions
• Companies risk fines of up to 20 000 000 EUR or up to 4 % of total worldwide annual turnover, whichever is higher
• Also a risk of damages, penalties, etc.
When does the law apply?
• Personal data – any information relating to an identified or identifiable natural person, i.e. someone who can be identified directly or indirectly
  – Customer data, purchasing history, pictures, e-mail, name, phone number
  – Even an IP address or a car registration number
• B2B as well as B2C – all data about individuals
• Applies to everything you do with the data
Controller
• The person who alone or together with others determines the "purposes and means" of the processing of personal data
• Is always the one responsible for compliance with the law
• Thus it is your company that is responsible for ensuring that your IT systems meet the legal requirements (not the supplier)
• Joint responsibility
Processor
• A natural or legal person which processes personal data on behalf of the controller
• Is always outside the controller's organisation
• For example an IT supplier
• Identify controller + processor
• In some cases both parties are each other's controllers and processors
(Diagram: Individual – Controller – Processor, with a processor agreement between the controller and each processor)
"Integrity stairs"
1. Is the processing legal?
2. Fundamental principles to comply with, e.g. culling (erasing) data, time limits
3. Requirements for sensitive data
4. Information to the data subject (privacy policy)
5. Security, routines for data portability, etc.
6. Agreements, documentation, routines, etc.
7. Prohibition on transferring data to third countries
When is processing permitted?
• Data shall only be processed as far as it is necessary for the legal purpose of the processing
• Processing is lawful only when it is
  1. Necessary for the performance of a contract to which the data subject is party
  2. Necessary for compliance with a legal obligation
  3. Necessary in order to protect the vital interests of the data subject
  4. Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
  5. Based on legitimate interests that are not overridden by the interests of the individual
  6. Based on informed consent
Legal assessment
• What is the purpose of the specific processing?
• Legal basis according to the regulation?
  – Legal obligation to carry out the processing
  – Performance of a task carried out in the public interest or in the exercise of official authority
  – Required by an agreement with the data subject
  – Balance of interests (legitimate interests)
• Otherwise consent is needed!
  – Is consent a reasonable and proportionate measure, or should we refrain from carrying out the processing?
  – How do we collect consent?
Necessary in order to…
• What is necessary for e.g. performance of a contract or a legal obligation?
• NOTE!
  – Minimisation of purpose (purpose limitation) – data must not be further processed for a purpose incompatible with the one for which it was collected.
  – Minimisation of data – the data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
  – Minimisation of storage – data must not be kept longer than necessary.
Security requirement
• The controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the data being processed
• These measures shall provide a level of security that is appropriate with regard to
  – The state of the art
  – Implementation costs
  – The nature, scope, context and purpose of the processing
  – The risks
• Code of conduct
Security requirements
• Technical measures: antivirus, authorisation requirements, access control, firewall and encryption features, etc.
• Organisational measures: instructions and policies, organisation and routines
• Sensitive data: special requirements
• Privacy: information on breaches, etc.
• Security level in relation to risk
• Procedure for continuous testing
Privacy by design
• "Data protection by design"
• Data minimisation
• Security and privacy must be taken into consideration when planning and developing IT systems
• The data controller shall decide the requirements = increased requirements on IT procurement
• Avoid free-text fields, access control, default storage settings, etc.
• The Commission may adopt implementing acts regarding interpretation and technical standards
Privacy by design – how?
• Data minimisation
• Anonymity if possible, avoid singling out individuals
• Restrict access to data
• High security
  – Possibilities for encryption, backup and logging, secure erasure
• Functions for authentication and access control
• Mechanisms for sorting out and erasing data that is no longer needed
• Make it possible to provide information to data subjects
• Minimise free-text fields
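The "Privacy by design – how?" list above and the "Necessary in order to…" slide state data minimisation, purpose limitation and storage limitation as policy. The following Python module is an added example, not from the deck or from Delphi, showing how a developer can enforce those three principles in code: a per-purpose policy table decides which fields may be stored and for how long, direct identifiers are replaced by a keyed hash (HMAC-SHA256 under a placeholder key), every read must name a purpose, and a purge routine erases expired records. The purposes, field sets, retention periods, the key and the sample records are all assumptions constructed for illustration.

```python
"""Added example, not from the original deck: enforcing data minimisation,
purpose limitation and storage limitation in code.  Purposes, field sets,
retention periods, the key and the sample records are all constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy table: one entry per purpose for which the controller
# has recorded a legal basis.  Only the listed fields may be stored (data
# minimisation); records are erased once retention expires (storage
# limitation).  Periods are assumed, not taken from any statute.
POLICY = {
    "order_fulfilment": {"fields": {"name", "address"},
                         "retention": timedelta(days=365 * 7)},
    "newsletter": {"fields": {"name"}, "retention": timedelta(days=365)},
}

# Placeholder key for pseudonymising identifiers; in production it comes
# from a secret store and is never written to logs or to backups of the data.
PSEUDONYM_KEY = b"example-only-key-do-not-reuse"


class PurposeViolation(Exception):
    """Raised when code tries to store or read data outside a recorded purpose."""


@dataclass
class Record:
    subject: str            # pseudonym, never the e-mail address itself
    purpose: str
    collected_at: datetime
    data: dict


def pseudonymise(email: str) -> str:
    """HMAC-SHA256 of the normalised address: the same person always maps to
    the same token, the token cannot be reversed without the key, and tokens
    made under another key are unlinkable.  Still personal data, since the
    key holder can single out the individual."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:32]


class Store:
    def __init__(self) -> None:
        self.records = []

    def collect(self, email: str, purpose: str, data: dict, now: datetime) -> Record:
        """Write path: refuse unknown purposes and any field the purpose does
        not need, instead of silently storing 'just in case' data."""
        policy = POLICY.get(purpose)
        if policy is None:
            raise PurposeViolation(f"no legal basis recorded for {purpose!r}")
        extra = set(data) - policy["fields"]
        if extra:
            raise PurposeViolation(f"fields {sorted(extra)} not needed for {purpose!r}")
        record = Record(pseudonymise(email), purpose, now, dict(data))
        self.records.append(record)
        return record

    def records_for(self, purpose: str) -> list:
        """Read path: a caller must name a purpose and only sees records
        collected for it, so data cannot drift into other uses."""
        if purpose not in POLICY:
            raise PurposeViolation(f"no legal basis recorded for {purpose!r}")
        return [r for r in self.records if r.purpose == purpose]

    def purge(self, now: datetime) -> int:
        """Erase records whose retention period has run out; returns the count."""
        keep = [r for r in self.records
                if now - r.collected_at <= POLICY[r.purpose]["retention"]]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def run_demo() -> dict:
    """Exercise the store on constructed records and return the outcomes."""
    store = Store()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    order = store.collect("Alice@Example.com", "order_fulfilment",
                          {"name": "Alice", "address": "1 Example Street"}, t0)
    news = store.collect("alice@example.com", "newsletter", {"name": "Alice"}, t0)
    results = {"same_person_same_token": order.subject == news.subject}
    try:  # the newsletter does not need an address: rejected at the write path
        store.collect("bob@example.com", "newsletter",
                      {"name": "Bob", "address": "2 Example Street"}, t0)
        results["over_collection_rejected"] = False
    except PurposeViolation:
        results["over_collection_rejected"] = True
    try:  # no legal basis recorded for profiling: rejected at the read path
        store.records_for("profiling")
        results["unknown_purpose_rejected"] = False
    except PurposeViolation:
        results["unknown_purpose_rejected"] = True
    results["newsletter_count"] = len(store.records_for("newsletter"))
    # 400 days on: the one-year newsletter record is erased, the order record kept
    results["purged_after_400_days"] = store.purge(t0 + timedelta(days=400))
    results["remaining_purposes"] = [r.purpose for r in store.records]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here. Over-collection is rejected at the write path rather than trimmed silently, which is what actually keeps free-text and "just in case" fields out of the system, and the only read path requires the caller to name a purpose, so a later feature cannot quietly reuse order data for marketing. Pseudonymisation is not anonymisation: whoever holds the key can still link a token back to the person, so the records remain personal data under the regulation and the key needs at least the same protection as the data.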
Information requirements at a personal data breach
• Notify the "personal data breach" without undue delay
• Notify the supervisory authority
  – General rule: not later than 72 hours after having become aware of it
• Notify every data subject
  – If the breach is likely to result in a high risk to the rights and freedoms of natural persons
  – Exception, e.g. if the controller can show that the "lost" data has been made unintelligible to unauthorised persons, such as through encryption
  – Disproportionate effort: a public communication instead
• Organisations need to strengthen their security measures
Many other new rules…
What does this mean in practice?
• Privacy is a question for top management
• Complying with the law becomes more important
• Increased focus on preventive action
• A budget for privacy is necessary
• Legal investigation: Is the processing legal, and how is it done today? Is the legal basis/purpose of each processing established (records available)? Documentation of processing, etc.
• Legal documents/policies: internal privacy policy for processing, processor agreements, information to individuals (privacy policy), necessary consent texts, template for documenting data protection impact assessments, documentation/agreements for transfers to third countries, etc.
• Technical measures: security requirements, privacy by design, access control, authentication, encryption requirements, etc.
• Organisation: data protection officer, responsibility for systems and routines, reporting scheme, etc.
• Organisational measures – routines: information disclosure, documenting consents, checklists, records of processing, procedures for notification of personal data incidents, impact assessments for new processing, routines for procurement, etc.
How can we prepare?
• Budget and plan carefully
• Create awareness internally about the new rules
• Investigate the current situation
• Engage people with different competences and backgrounds
• Compliance project
  – Ensure that the processing is lawful
  – Set responsibility and organisation
  – Legal documents, agreements and policies
  – IT measures
  – Organisational measures
Agnes Andersson Hammarstrand / Partner, Attorney
Phone: +46 (0)31 10 72 19
Mobile: +46 (0)730 83 50 70
@IT_advokaten
Advokatfirman Delphi
Östra Hamngatan 29, 411 10 Göteborg, Sweden
Phone +46 (0)31 10 72 00, Fax +46 (0)31 13 94 69, www.delphi.se