Session 4: Data Mapping and Data Subject Rights
Tash Whitaker, Whitaker Solutions Ltd
Facilitator: Sylvia Gillpatrick, CEESA
Table leaders / Panel: Cosimo Monda, ECPC; Mark Orchison, 9ine; John Mikton, Luxembourg; Chris Vincent, ISZL; Peter Murphy, International School of Vienna; Jenny-Lee Moore, ISB
Data Mapping and Record of Processing
Who needs one and why?
What exactly is the Record of Processing?
How do you create a data map?
How do you create a record of processing?
How does it relate to the Rights of the Individual?
Who needs it and why? (Article 30 and Recital 82)
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. Unless: you are an entity of fewer than 250 employees, only process data occasionally in a way that poses a low risk to the individual, and do not process any special category or criminal conviction data.
“In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.” – Recital 82
What is it? The Record of Processing Activities is “about the how and the why, the ‘where’ is secondary.” - Oran Kiazim, Senior Data Protection Advisor UK, Bird & Bird
Data Mapping Exercise Whiteboard exercise
Record of Processing
Who is the data subject?
What is the data?
Why do we hold it?
Where do we hold it?
Source?
Special category?
Special category derogation?
Who do we transfer it to?
What country is it transferred to?
Third country transfer mechanism?
How is it protected?
How long will we keep it?
Lawful basis?
Who has access?
Rights of the Individual and Record of Processing
Right to be informed
Right to access
Erasure: erasure if data is no longer needed for the purpose for which it was collected
Rectification
Objection
Portability
Restriction
Object to processing for marketing purposes
Object to automated decision-making or profiling
Not to be subjected to automated decision-making, including profiling, producing negative effects
Complain to the Data Protection Authority
Session 5: Accountability: DPIAs, DPAs, Data Transfers
Tash Whitaker, Whitaker Solutions Ltd
Facilitator: Neven Soric, American International School of Zagreb
Panel: Sandro Pace Bonello, ISL; Sylvia Gillpatrick, CEESA; Mark Dilworth, ZIS
DPIA – what and why?
DPIAs – when?
The Regulation: “A data protection impact assessment … shall in particular be required in the case of:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
a systematic monitoring of a publicly accessible area on a large scale.”
Working Party 29 Guidance (endorsed by the EDPB)
EDPB Opinion on processing that needs a DPIA
703 school data breaches in the UK last year
Data Processing Agreements – What, When and Why? “Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR)
A DPA must include:
the subject matter of the processing;
the duration of the processing;
the nature and purpose of the processing;
the type of personal data involved;
the categories of data subject;
the controller’s obligations and rights.
A DPA must state that:
the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;
the processor must ensure that people processing the data are subject to a duty of confidence;
the processor must take appropriate measures to ensure the security of processing;
the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and
the processor must submit to audits and inspections.
The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.
Data Transfers outside the EEA are prohibited, unless…
There is an adequacy agreement
Binding Corporate Rules
EU Standard Contractual Clauses
Contract
Derogation: explicit consent; legal claim; vital interest; public register; public authority; compelling one-off vital interest