New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Agnes Andersson Hammarstrand, Partner and lawyer at Delphi Law Firm, @IT_advokaten

Upload: nordic-apis

Posted on 09-Jan-2017

Category: Technology

TRANSCRIPT

Page 2: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

New EU Regulation for personal data

• Directly applicable regulation replacing the Personal Data Directive

• Applicable for all EU companies and public bodies

• The new rules will apply from 25 May 2018

New General Data Protection Regulation 2

Page 3: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Sanctions

• Companies risk fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover

• Also risk for damages, penalties, etc.

Page 4: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

When does the law apply?

• Personal data – Any information relating to an identified or identifiable natural person who could be identified directly or indirectly

– Customer data, purchasing history, pictures, e-mail, name, phone number

– Even an IP-address or a car registration number

• B2B as well as B2C – all data of individuals

• Applies to everything you do with the data

Page 5: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Controller

• The person who alone or together with others determines the “purposes and means” of the processing of personal data

• Is always responsible for compliance with the law

• Thus, it is your company that is responsible for ensuring that your IT systems meet the legal requirements (not the supplier)

• Joint responsibility

Page 6: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Processor

• A natural or legal person which processes personal data on behalf of the controller

• Is always outside the controller’s organisation

• For example an IT supplier

Page 7: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

• Identify controller + processor

• In some cases both parties are each other’s controllers and processors

[Diagram: Individual – Controller – Processor, each link governed by a processor agreement]

Page 8: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

”Integrity stairs”

1. Is the processing legal?

2. Fundamental principles to comply with, e.g. sorting out data, time limits

3. Requirements for sensitive data

4. Information to the data subject (privacy policy)

5. Security, routines for data portability, etc.

6. Agreements, documentation, routines, etc.

7. Prohibition on transferring to third countries

Page 9: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

When is processing permitted?

• Data shall only be processed as far as it is necessary for compliance with the legal purpose of the processing

• Processing is lawful only when

1. Necessary for the performance of a contract to which the data subject is party

2. Necessary for compliance with a legal obligation

3. Necessary in order to protect the vital interests of the data subject

4. Necessary for the performance of a task carried out in the public interest, or

5. Legitimate interests when not overridden by the interests of the individual

6. Informed consent

Page 10: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Legal assessment

• What is the purpose of the specific processing?

• Legal basis according to the regulation?

– Legal obligation to carry out the processing

– Performance of a task carried out in the public interest or in the exercise of official authority

– Requirement due to agreement with the data subject

– Balance of interests

• Otherwise consent needed!

– Is the consent a reasonable and proportionate measure, or should we refrain from carrying out the processing?

– How do we collect consent?

Page 11: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Necessary in order to…

• What is necessary for e.g. performance of a contract or a legal obligation?

• NOTE!

– Minimization of purpose – data may never be processed for a purpose other than that for which it was collected.

– Minimization of data – the data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

– Minimization of storage – data must not be kept longer than necessary.

Page 12: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Security requirement

• The controller shall implement appropriate technical and organisational measures to ensure an appropriate level of security for the data that is being processed

• These measures shall provide a level of security that is appropriate with regard to

– The latest developments (state of the art)

– Implementation costs

– The nature of the processing, context, purpose

– The risks

• Code of conduct

Page 13: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Security requirements

• Security level in relation to risk

• Technical measures: antivirus, authorisation requirements, access control, firewall and encryption features, etc.

• Organisational measures: instructions and policies, organisation and routines

• Special requirements: sensitive data, privacy, information on offences, etc.

• Procedure for continuous testing

Page 14: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Privacy by design

• ”Data protection by design”

• Data minimisation

• Aspects regarding security and privacy must be taken into consideration when planning and developing IT systems

• The data controller shall decide the requirements = increased requirements on IT procurement

• Avoid free text fields, access control, default storage settings, etc.

• The Commission may adopt implementing acts regarding the interpretation and technical standards

Page 15: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Privacy by design – how?

• Data minimisation

• Anonymity if possible, avoid pointing out individuals

• Restrict access to data

• High security

– Possibilities for encryption, backup and logging, secure erasure

• Functions for authentication and access control

• Mechanisms for sorting out and erasing data that is not needed

• Permit the omission of information to data subjects

• Minimize free text fields
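As an added illustration of how several of these points look in code (this is not from the slides or from Delphi), the following assumes a constructed purpose-bound field list, a constructed one-year retention period and a constructed role list; it shows data minimisation, pseudonymisation of the direct identifier, role-restricted and logged reads, and erasure of data kept longer than necessary.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Optional

# Constructed example values: the fields a stated purpose (order fulfilment) needs,
# how long they may be kept, and which roles may read them. Real values come from
# the legal assessment of the specific processing.
ALLOWED_FIELDS = {"customer_id", "email", "order_total"}
RETENTION = timedelta(days=365)
READ_ROLES = {"order_handling"}


def minimise(raw: dict) -> dict:
    """Data minimisation: drop every field not needed for the stated purpose."""
    return {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier; without the separately held key the token points at nobody."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


class PersonalDataStore:
    def __init__(self, key: bytes):
        self._key = key
        self._records = {}
        self.access_log = []  # who read what: the log the slide asks for

    def store(self, raw: dict, collected_at: datetime) -> str:
        """Minimise, pseudonymise the identifier and timestamp the record for later erasure."""
        record = minimise(raw)
        token = pseudonymise(record.pop("customer_id"), self._key)
        record["collected_at"] = collected_at
        self._records[token] = record
        return token

    def read(self, actor: str, role: str, token: str) -> Optional[dict]:
        """Restrict access: only permitted roles may read, and every attempt is logged."""
        if role not in READ_ROLES:
            self.access_log.append((actor, token, "denied"))
            return None
        self.access_log.append((actor, token, "read"))
        return dict(self._records.get(token, {}))

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: erase records kept longer than necessary."""
        expired = [t for t, r in self._records.items()
                   if now - r["collected_at"] > RETENTION]
        for t in expired:
            del self._records[t]
        return len(expired)
```

Fields such as free text notes or a car registration number never enter the store, and the access log gives the evidence needed when assessing a breach.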

Page 16: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Information requirements at a personal data breach

• Notify the ”personal data breach” without undue delay

• Notify the supervisory authority

– General rule: not later than 72 hours after having become aware of it

• Notify every data subject

– If it is likely to result in a high risk to the rights and freedoms of natural persons;

– Exception, e.g. if it can be shown that the ”lost” data has been made unintelligible to unauthorised persons, such as by encryption;

– Disproportionate effort: instead, public communication.

• Organisations need to strengthen their security measures

Page 17: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Many other news…

Page 18: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

What does this mean in practice?

• Privacy is a question for top management

• More important to comply with the law

• Increased focus on preventive action

• Budget for privacy is necessary

Page 19: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

• Legal investigation: Is the processing legal, how is it done today? Legal basis/purpose of the processing documented (records available)? Documentation of processing, etc.

• Legal documents/policies: Internal privacy policy for processing, processor agreement, information to individuals (privacy policy), necessary consent texts, template for documentation of data protection impact assessment, documentation/agreement for transferring to third countries, etc.

• Technical measures: Security requirements, privacy by design, access control, authentication, encryption requirements, etc.

• Organisation: Data protection officer, responsibility for systems and routines, reporting scheme, etc.

• Organisational measures – routines: Information disclosure, documented consents, checklists, records of processing, procedures for notification of personal data incidents, the impact assessment for new processing operations, routines for procurement, etc.

Page 20: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

How can we prepare?

• Budget and plan carefully

• Create awareness internally about the new rules

• Investigate the current situation

• Engage people with different competence and background

• Compliance project

– Ensure that the processing is lawful

– Set responsibility and organisation

– Legal documents, agreements and policies

– IT measures

– Organisational measures

Page 21: New General Data Protection Regulation (Agnes Andersson Hammarstrand)

Agnes Andersson Hammarstrand / Partner, Attorney

Phone: +46 (0)31 10 72 19

Mobile: +46 (0)730 83 50 70

[email protected]

@IT_advokaten

Advokatfirman Delphi

Östra Hamngatan 29, 411 10 Göteborg, Sweden

+46 (0)31 10 72 00 Fax +46 (0)31 13 94 69 www.delphi.se