Viewing the GDPR Through a De-Identification Lens

Slides:



Advertisements
Similar presentations
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Advertisements

Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.
The European Data Protection Regulation and research Graham Love Chief Executive Health Research Board 1.
Data Protection Principles as Basic Foundation for Data Protection in EU/EEA Introduction to Data Protection Theory Seminar - AFIN Stephen.
The EU General Data Protection Regulation Frank Rankin.
General Data Protection Regulation (EU 2016/679)
Brussels Privacy Symposium on Identifiability
Key changes with the GDPR
Accountability & Structured Privacy Management
Brussels Privacy Symposium on Identifiability
Processing for archiving purposes in the GDPR
Seamus Carroll Civil Law Reform Division
GDPR (General Data Protection Regulation)
Luca De Matteis Justice counsellor (criminal law, data protection)
Issues of personal data protection in scientific research
General Data Protection Regulation (GDPR)
Amandine Jambert - IT Experts Department
Presentation to GTMC on GDPR
GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E
General Data Protection Regulation
Museums + Heritage webinar, 30 November 2017
The EU General Data Protection Regulation (GDPR)
GDPR Overview Gydeline – October 2017
Data Protection Update – GDPR or bust
GDPR Overview GDPR - General Data Protection Regulations
GDPR Overview Gydeline – October 2017
Data Protection & Freedom of Information- An Introduction
Radar Watchkeeping: Have you monitored your Communication department’s radar to avoid collisions with the new Regulation? 43rd EDPS-DPO meeting, 31 May.
Bob Siegel President Privacy Ref, Inc.
GDPR - Individual’s Rights
6 Principles of the GDPR and SQL Provision
GDPR - New Data Protection Regulation
GDPR 101 and ucsb’s response
General Data Protection Regulation
Introduction to GDPR 09/11/2018.
The General Data Protection Regulation (GDPR)
New Data Protection Legislation
State of the privacy union
The general data protection regulations practicalities for practice
Appropriate Data Sharing in Health and Social Care
G.D.P.R General Data Protection Regulations
The GDPR and research data
FEK årskonferanse 28. februar 2018.
Bart van der Sloot Data Protection 2.0 The proposal for a General Data Protection Regulation Bart van.
The GDPR & Schools - An Introduction -
General Data Protection Regulation
Preparing for the GDPR - What do we need to do if we process children’s personal data? Data Protection Practitioners’ Conference 2018 #DPPC2018.
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
GDPR - New Data Protection Regulation
Bart van der Sloot Data Protection 2.0 The proposal for a General Data Protection Regulation Bart van.
General Data Protection Regulations 2018
The General Data Protection Regulation Six months on – What’s changed
Governing the risk of GDPR compliance
Is Data Protection a Fundamental Right Protecting the Individual?
Information Handling Research Student Induction Day
Data Management Ethical considerations for educational research
Presentation privacy law
The General Data Protection Regulation: Are You Ready?
PERSONAL INFORMATION BILL
Data protection by design, Art.25.1 of the GDPR
IAPP TRUSTe SYMPOSIUM 9-11 JUNE 2004
Welcome IITA Inbound Insider Webinar: An Introduction to GDPR
General Data Protection regulation (GDPR)
Dr Elizabeth Lomas The General Data Protection Regulation (GDPR): Changing the data protection landscape Dr Elizabeth Lomas
Data Protection What can I do? GDPR Principles General Data Protection
General Data Protection Regulation Community Councils
The EU General Data Protection Regulation
Getting Ready For GDPR Simon Marks Director
EU Data Privacy: What US Orgs Need to Do Now to Prepare for the GDPR
A. Šidlauskas Mykolas Romeris University (LITHUANIA)
Presentation transcript:

Viewing the GDPR Through a De-Identification Lens Mike Hintze Partner, Hintze Law PLLC Adjunct Professor, University of Washington School of Law

De-Identification Under the GDPR The GDPR provides the basis to recognize a more comprehensive spectrum of de-identification Identified vs. Identifiable in the definition of “personal data” Pseudonymous data as a particular type of “Identifiable” data Article 11 strong de-identification: “not in a position to identify the data subject” Anonymous data: GDPR requirements don’t apply   Identified Identifiable Article 11 De-Identified Anonymous / Aggregate Directly linked to identifying data Yes No Known, systematic way to (re)identify Relates to a specific person Article 4(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; Article 11(2). the controller is able to demonstrate that it is not in a position to identify the data subject. Recital 26. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

GDPR Obligations Through De-ID Lens Consent or Legitimate Interests Notice to Data Subjects Data Retention Limitations Appropriate Data Security Access, Erasure, Controls Identified   Consent of Data Subject ↕ Legitimate Interests Prominent Notice Discoverable Notice Shorter Retention Longer Retention Stronger Protections Some Protections Required Identifiable Article 11 De-Identified No Requirement Anonymous / Aggregated No Requirements Legitimate interests: Article 6(1)(f) involves a balance between the legitimate interests of the controller, and the fundamental rights and freedoms of the data subjects. It’s clear that the stronger the de-identification, the lower the risk to the data subject’s fundamental rights and freedoms. a Plus, Article 6(4) supports the idea that de-identification can be used to help justify a basis for lawful processing other than consent. “Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent . . . the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia . . . (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.” Data retention: Article 5(e) of the GDPR establishes the general rule that personal data may be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Data Security: Article 32 of the GDPR requires organizations to implement security measures sufficient “to ensure a level of security appropriate to the risk.” Article 12(2) states that Article 11 De-Identified data (the controller is able to demonstrate that it is not in a position to identify the data subject), certain Article do not apply – including right of access, rectification, erasure, and data portability.

De-Identification’s Role in GDPR Guidance GDPR guidance that recognizes a full range of de-identification can: provide greater clarity in areas of the GDPR that remain opaque; enable organizations to adopt pragmatic compliance tools and strategies; increase incentives for companies to adopt the strongest de-identification that is compatible with the purposes of the data processing (thus achieving an optimal balance between data protection and data utility); and advance the objectives of the GDPR by enhancing the protection of individuals’ personal data.    Identified Identifiable Article 11 De-Identified Anonymous / Aggregate

Questions? mike@hintzelaw.com @mhintze Hintze Law Privacy + Security