Session 4: Data Mapping and Data Subject Rights

Presentation transcript:

Session 4: Data Mapping and Data Subject Rights
Tash Whitaker, Whitaker Solutions Ltd
Facilitator: Sylvia Gillpatrick, CEESA
Table leaders / Panel: Cosimo Monda, ECPC; Mark Orchison, 9ine; John Mikton, Luxembourg; Chris Vincent, ISZL; Peter Murphy, International School of Vienna; Jenny-Lee Moore, ISB

Controllers and Processors

Controllers and Processors - defined

Data Mapping and Record of Processing
- Who needs one and why?
- What exactly is the Record of Processing?
- How do you create a data map?
- How do you create a record of processing?
- How does it relate to the Rights of the Individual?

Who needs it and why? (Article 30 and Recital 82)
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
Unless: you are an entity of fewer than 250 employees, only process data occasionally in a way that poses a low risk to the individual, and do not process any special category or criminal conviction data.
“In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.” – Recital 82

Data Mapping Exercise Whiteboard exercise

Record of Processing - What is it?
The Record of Processing Activities is “about the how and the why; the ‘where’ is secondary.” - Oran Kiazim, Senior Data Protection Advisor UK, Bird & Bird

Record of Processing
- Who is the data subject?
- What is the data?
- Why do we hold it?
- Where do we hold it?
- Source?
- Special category?
- Special category derogation?
- Who do we transfer it to?
- What country is it transferred to?
- Third country transfer mechanism?
- How is it protected?
- How long will we keep it?
- Lawful basis?
- Who has access?

Rights of the Individual and Record of Processing
- Right to be informed
- Right to Access
- Erasure: erasure if data is no longer needed for the purpose for which it was collected
- Rectification
- Objection
- Portability
- Restriction
- Object to processing for marketing purposes
- Object to automated decision making or profiling
- Not to be subjected to automated decision making, including profiling, producing negative effects
- Complain to the Data Protection Authority
- Class action

Session 5: Accountability: DPIAs, DPAs, Data Transfers
Tash Whitaker, Whitaker Solutions Ltd
Facilitator: Neven Soric, American International School of Zagreb
Panel: Sandro Pace Bonello, ISL; Sylvia Gillpatrick, CEESA; Mark Dilworth, ZIS

DPIA – what and why?

DPIAs – when?
The Regulation: “A data protection impact assessment … shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.”
Working Party 29 Guidance (endorsed by the EUDPB)
EUDPB Opinion on processing that needs a DPIA
703 school data breaches in the UK last year

Data Processing Agreements – What, When and Why?
“Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR)

A DPA must include:
- the subject matter of the processing;
- the duration of the processing;
- the nature and purpose of the processing;
- the type of personal data involved;
- the categories of data subject;
- the controller’s obligations and rights.

A DPA must state that:
- the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;
- the processor must ensure that people processing the data are subject to a duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
- the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
- taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and must also delete existing personal data unless the law requires its storage; and
- the processor must submit to audits and inspections.
The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.

Data Transfers outside the EEA are prohibited, unless…
- There is an adequacy agreement
- Binding Corporate Rules
- EU standard Clauses
- Contract
- Derogation
- Explicit consent
- Legal claim
- Vital interest
- Public Register
- Public Authority
- Compelling one-off vital interest