GDPR Any impact on procurement? 16/11/2017.

Presentation transcript:


Agenda
1. Introduction
2. Key implications of the GDPR
3. Impact on Procurement
4. Road to GDPR Compliance
5. Q&A

Introduction: the General Data Protection Regulation
- Applies to processing of personal data by data controllers and processors
- Regulation: directly effective in Member States (no local law required)
- The GDPR will apply in all Member States as from the 25th of May 2018. The clock is ticking!

Introduction: why is GDPR important?
Data processing must comply with the 6 general GDPR principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Retention: personal data must be kept in an identifiable format no longer than necessary
4. Integrity and confidentiality: personal data must be kept secure
5. Data minimization: personal data must be adequate, relevant and limited to the purpose
6. Accuracy: personal data must be accurate and up to date

Introduction: the General Data Protection Regulation
Data processing must satisfy at least one processing condition:
- Consent
- Necessary for the performance of a contract
- Legal obligation
- Vital interests
- Public functions
- Legitimate interests

Introduction: personal data
Any information relating to the identification, directly or indirectly, of natural persons, including factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. Examples:
- Name
- Identification number
- Location data
- Online identifier

Introduction: sensitive personal data
Personal data revealing:
- Genetic data or biometric data
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union membership
- Data concerning health or sex life and sexual orientation

Introduction: data controller and data processor
Data controller: the person or body that, alone or jointly with others, determines the purpose and means of the processing of personal data.
Data processor: a natural/legal person or body which processes personal data on behalf of the controller.

Introduction: data processing
Any (automatic) operation which is performed on personal data, such as:
- Collection, recording
- Organization, structuring
- Storage
- Alteration, alignment or combination
- Retrieval, consultation
- Use
- Disclosure by transmission
- Making available, restriction
- Erasure or destruction


Key Implications of the GDPR: 11 points

Key Implications of the GDPR: 1. Increased fines
- Regulators can impose fines of up to 4% of annual turnover or €20.000.000 (whichever is highest)
- Regulator may perform audits, issue warnings or a (temporary) ban on processing
- Individuals may sue for compensation to recover (non-)material damages

Key Implications of the GDPR: 2. Proof of compliance
Organizations must demonstrate they are compliant by:
- Evidencing that they comply with the 6 GDPR principles and processing conditions
- Documenting suitable policies that set out how you process personal data
- Performing Privacy Impact Assessments
- Implementing technical security measures

Key Implications of the GDPR: 3. New rights
- Right to access and rectify personal data within 30 days
- Right to be forgotten
- Right to data portability
- Right to challenge profiling and automated decisions
- Right to object to direct marketing

Key Implications of the GDPR: 4. Privacy by Design, Privacy by Default
- Mandatory to implement Privacy by Design: ensure privacy and data protection is a key consideration during the entire lifecycle of any project
- Privacy by Default: privacy as the default setting and embedded into design

Key Implications of the GDPR: 5. Data Protection Officers (DPO)
- Mandatory appointment in certain cases
- Report to highest levels of management, may not be dismissed or penalized

Key Implications of the GDPR: 6. Privacy Impact Assessments
- Mandatory for “high” risk personal data processing
- In some cases consulting the Supervisory Authority is required

Key Implications of the GDPR: 7. Privacy Notices
- Increase of the mandatory amount of information included in privacy notices
- Supplied to the individual at the time they provide personal data
- If processing is for a new purpose, prior notification must be given
- Must be “concise, transparent, intelligible and easily accessible”
- Translation into local languages

Key Implications of the GDPR: 8. Consent
- Consent must be freely given, specific, informed and unambiguous
- Consent may be withdrawn at any time
- Consent must be explicit for sensitive personal data and for data transfers outside the EU

Key Implications of the GDPR: 9. Mandatory breach notifications
- Mandatory record keeping of all security breaches, regardless of whether they need to be notified to the supervisory authority

Key Implications of the GDPR: 10. Obligations for data processors
- New obligations specifically for data processors: more responsibility, higher liability
- Data sub-processors fall into the same scope

Key Implications of the GDPR: 11. Extra-territorial scope
- The GDPR applies to data controllers and processors established in the EU and to organizations that target EU citizens

Key Implications of the GDPR: summary
1. Increased fines
2. Proof of compliance
3. New rights
4. Privacy by Design, Privacy by Default
5. Data Protection Officers (DPO)
6. Privacy Impact Assessments
7. Privacy Notices
8. Consent
9. Mandatory breach notifications
10. Obligations for data processors
11. Extra-territorial scope


GDPR Compliance
Reference framework for GDPR compliance: the 13 steps of the Privacy Commission (Commission for the protection of privacy):
1. Awareness
2. Data Inventory (template)
3. Communication (e.g. privacy statement)
4. Data Subject Rights
5. Subject Access Request
6. Lawfulness of Data Processing
7. Consent Strategy
8. Children
9. Data Breaches
10. Privacy by Design & DPIA
11. International Data Transfers
12. DPO
13. Existing Contracts

GDPR Compliance: Awareness, Data inventory
Awareness: inform the stakeholders and policy makers about the upcoming changes. They have to estimate what the effects of the GDPR will be for the organization and are responsible for making the required changes.
Data inventory: identify what personal information you process, where the information comes from and with whom it is shared, why you perform the data processing, on which legal basis, ...
Procurement:
- Check and cultivate GDPR awareness of the Procurement department
- Analyze the existing vendor relationships

GDPR Compliance: Communication, Rights of the Data Subject
Communication: evaluate your existing privacy notice and policy, and plan any necessary changes aligned with the GDPR.
Rights of the Data Subject: check if the current procedures in your organization provide all the rights that a concerned person can claim: right to rectify, right to be forgotten, ...
Procurement:
- Review the existing processes/procedures for vendor management (i.e. you vs. vendor)
- Evaluate how a data subject’s rights can be fulfilled by the vendor (i.e. data subject vs. vendor)

GDPR Compliance: Request for Access, Lawfulness of Processing
Request for Access: update your existing access procedures and consider how a request for access will now be covered by the new terms in the GDPR.
Lawfulness of Processing: document the different types of data processing you perform and identify the legal basis for each of them.
Procurement:
- Review the existing processes/procedures for vendor management (i.e. you vs. vendor)
- Evaluate how a data subject’s access request can be fulfilled by the vendor (i.e. data subject vs. vendor)

GDPR Compliance: Consent, Children
Consent: evaluate the manner in which you request, obtain and register permission and change where necessary.
Children: develop systems that check the age of the person and the parent(s) or guardian(s) to request permission for the data processing of underage children.

GDPR Compliance: Data Breaches, Privacy by Design & DPIA
Data Breaches: provide adequate procedures in case of a data breach to trace, report and investigate it. Personal data breaches have to be reported to the appropriate supervisory authority.
Privacy by Design & DPIA: familiarize yourself with the concepts “Privacy by Design” and “Data Protection Impact Assessment” and look at how to implement these concepts in your organization.
Procurement:
- Identify the current data breach procedure at the vendor
- Processors are required to notify their relevant controller of any breach without undue delay after becoming aware of it

GDPR Compliance: International transfers, Data Protection Officer (DPO)
International transfers: determine whether international transfers are authorized or not.
DPO: indicate, if necessary, a Data Protection Officer, or someone who bears the responsibility for compliance with the GDPR.
Procurement:
- Map data transfers from/to vendors
- Establish a working relationship between the DPO and the vendor’s DPO

GDPR Compliance: Existing contracts
Evaluate your existing contracts, mainly with processors and subcontractors, and make the necessary changes in a timely manner.
Procurement:
- Validate the template for third parties
- Evaluate all existing contracts and create an action plan (if necessary)

Impact on Procurement: GDPR and Procurement
- Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR
- Processors must process personal data in accordance with the controller's instructions
- Controllers are responsible for compliance with the GDPR, even when another data processor is contracted
- A controller can’t simply outsource the responsibility of data governance and privacy compliance to their vendors
- GDPR compliance must be ensured throughout the entire supply chain

Impact on Procurement: Ordina’s TOP-model, use of a centralized vendor management system
- Responsible for Third Party selection and management: Business Line, Dedicated Procurement team, Procurement Committee
- The process of managing third parties is a lifecycle
- Contractual requirements
- Security reviews

Impact on Procurement: Ordina’s TOP-model (Technology, Organisation, People)
Technology:
- Encryption of personal data
- Data Loss Prevention (DLP)
- Data mapping: what personal data is located where and to what purpose
- Data anonymization and/or pseudonymisation
- Accelerated adoption of cloud
Organisation:
- Ensure proper Information Lifecycle Management is in place
- Introduce Privacy Impact Assessments and Privacy by Design in application and product lifecycles
- Appoint a Data Protection Officer/Privacy Officer
- Ensure GDPR requirements are included in incident response plans
- Add requirements in contracts with third party suppliers
People:
- Replace implicit consent with explicit consent
- Increase employees’ awareness
- Train staff
- Empower employees by integrating Privacy by Design
- Empower clients by humanizing consent requests

Impact on Procurement: GDPR and Procurement
Main GDPR responsibilities for data controllers w.r.t. procurement:
- Conduct due diligence
- Perform a DPIA or review DPIA results
- Perform a security review (e.g. ISO27K)
- Have appropriate contract management and contract terms in place
- Monitor provided services for GDPR compliance
- Map the flow of personal data through supply chains

Impact on Procurement: Obligations for data processors
- Obligations placed on processors
- Expanded list of provisions that controllers must include in their contracts with processors
- Controllers must select processors that meet the requirements of the GDPR
- Processors will be jointly and separately liable with the relevant controller for compensation claims by individuals

Impact on Procurement: Data Processing Agreements
Written contract or legal act binding the processor to the controller and stipulating a number of detailed requirements. Must include the following:
- Determine subject matter, purposes, duration and nature of processing, in accordance with the instructions of the controller
- Implement appropriate technical and organizational measures
- Processor only to act under data-controller instructions
- Vet employees and subcontractors to ensure confidentiality (e.g., awareness and training, confidentiality provisions)
- Assist the controller in responding to requests for exercising data subjects’ rights
- Assist the controller in ensuring GDPR compliance
- Delete or return all personal data to the controller at the controller’s request
- Provide the controller with audit rights
- Make all information available to the controller at the controller’s request
- Make all information available to the controller to demonstrate compliance and contribute to audits


“There can be Security without Data Protection, but there can be no Data Protection without Security”

Road to GDPR Compliance: 6 Steps to GDPR Compliance
1. Awareness: positioning, explain rationale & secure internal support
2. Analysis & Assessment: map current situation & assess necessary GDPR requirements (“As Is”)
3. Design future state: prepare blueprint for future GDPR Compliance (“To Be”)
4. Development: transform blueprint into compliant products, services & processes
5. Implementation: launch new processes, policies & tooling
6. Governance: ensure GDPR compliance is monitored

Tom Cuypers, Privacy & Security Consultant, +32 472 71 83 49, tom.cuypers@ordina.be