General Data Protection Regulation “11 months in”

Presentation transcript:

General Data Protection Regulation “11 months in” Donna Creaven Head of Supervision – Multinationals & Technology

Our report in numbers

Some statistics….

Recap: Focus of the GDPR
- Accountability – demonstrating compliance
- Transparency – providing information pre-processing
- Risk-based mandatory data breach reporting (72 hours)
- Strengthened ‘Consent’ obligations
- Data protection by design and default
- New and enhanced Data Subject rights
- Administrative Fines
- Data Protection Officer (DPO) for certain organisations

Administrative Fines (Article 83)
- Up to €20m or 4% of global turnover

Governance Transparency Accountability

Demonstrating Accountability
- Maintaining up-to-date inventories of processing (Article 30)
- Completing data protection impact assessments (Article 35)
- Ensuring the security of processing (Article 32)
- Adhering to the principles of data protection by design and by default (Article 25)
- Appointing and empowering a Data Protection Officer (Articles 37 and 38)

Strong foundation of governance – Practical approach
- Transparency
- Record Keeping
- Codes of Conduct
- Certification
- Impact Assessment
- Governance and Data Protection By Design & Default
- Contracts, transfers, agreements, BCRs
- User rights
- Data Protection Officer

Article 25 – PbD&D
- Start to finish – business case to end-of-life
- Design and NFR factor from the start
- Whole organisation to engage – not just dev, QA, Ops
- Governance, policy, practice
- Throughout lifecycle – “time of determination”, “time of processing”
- Data Minimisation
- Pseudonymisation
- Effective risk management
- Default settings observing principles must be used

Article 32
- Art 32(1)(d) – testing
- Software engineering – standards?
- Essential for accountability, quality, security, protection
- Document, record, change control
- Unit, integration, UAT, feature, static and dynamic analysis, coverage reporting, automated build, continuous integration?
- Fixture data? Staging – consent?
- Secure servers, network? Patching?
- War games, network intrusion detection, leaks, error tolerance
- Incident Response plan, training
- Risk management, “function creep”
- Design and test not just for security – but for access-control, subject access, portability, deletion, purpose limitation
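The Article 25 slide names data minimisation and pseudonymisation as design-time controls. The following is an added illustration, not material from the DPC presentation, of what those two controls look like in code: a derived dataset that keeps only the fields an assumed purpose needs (support-load analysis per plan) and replaces the direct identifier with a keyed HMAC token, where the key is the “additional information kept separately” that pseudonymisation relies on. The sample records, the purpose, the field list and all function names are constructed for the example. It also shows the caveat a practitioner should test for: an unkeyed hash of an e-mail address can be recomputed by anyone holding a candidate address, so it does not give the unlinkability that the keyed form does.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only (not real data subjects).
RAW_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Example", "dob": "1980-01-01",
     "plan": "gold", "support_tickets": 3},
    {"email": "bob@example.net", "name": "Bob Example", "dob": "1975-06-30",
     "plan": "basic", "support_tickets": 0},
    {"email": "alice@example.com", "name": "Alice Example", "dob": "1980-01-01",
     "plan": "gold", "support_tickets": 1},
]

# Assumed purpose for the derived dataset: support-load analysis per plan.
# Only these attributes are needed for it; name and date of birth are dropped
# (data minimisation, Article 25).
FIELDS_FOR_PURPOSE = ("plan", "support_tickets")


def generate_pseudonymisation_key() -> bytes:
    """Fresh 256-bit key. Store it separately from the pseudonymised dataset,
    under its own access control; without it the tokens cannot be linked back."""
    return secrets.token_bytes(32)


def normalise_identifier(identifier: str) -> str:
    # Canonicalise so the same person yields one token across records.
    return identifier.strip().lower()


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Anyone holding a candidate identifier can
    recompute this and re-link the token, so it is not a sufficient control."""
    return hashlib.sha256(normalise_identifier(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token: deterministic for the key holder, unlinkable without the key."""
    return hmac.new(key, normalise_identifier(identifier).encode(), hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(records, key: bytes):
    """Build the purpose-limited dataset: a keyed subject token plus only the
    fields the stated purpose needs. Direct identifiers never reach the output."""
    out = []
    for rec in records:
        row = {"subject_token": keyed_pseudonym(rec["email"], key)}
        row.update({field: rec[field] for field in FIELDS_FOR_PURPOSE})
        out.append(row)
    return out


def token_is_linkable_without_key(token: str, candidate_identifier: str) -> bool:
    """Defender's check for the derived dataset: can a party with no key re-link
    this token to a known identifier? True means the scheme leaks linkability."""
    return hmac.compare_digest(token, unkeyed_pseudonym(candidate_identifier))


def tickets_per_subject(rows):
    """Downstream use that still works on tokens: aggregate per subject."""
    totals = {}
    for row in rows:
        totals[row["subject_token"]] = totals.get(row["subject_token"], 0) + row["support_tickets"]
    return totals


if __name__ == "__main__":
    key = generate_pseudonymisation_key()
    dataset = minimise_and_pseudonymise(RAW_RECORDS, key)
    for row in dataset:
        print(row)
    print(tickets_per_subject(dataset))
```

The design point is the split of knowledge: the analytics team holds tokens and purpose-limited fields, the key sits with whoever is entitled to re-identify (for example to honour a subject-access or deletion request), and the same key applied to a new export yields the same tokens, so datasets can be joined without ever exporting the e-mail address.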

Accountability – the controller & processor relationship
Monitoring this relationship is an ongoing task, for example:
- Undertaking external and internal audits
- Inspections
- Follow-up actions
- Spot checks
- Regular reviews

Transparency requirements
At the time when personal data is obtained, provide the data subject with information on the:
- Identity of controller and DPO
- Purpose of processing and legal basis
- Recipients of the data
- Data transfer arrangements
- Retention period
- Right of access
- Right to withdraw consent
- Right to lodge complaint with SA
- Details of the contractual or statutory basis
- Details of automated decision-making

Consent – Article 4.11
- Unambiguous
- Freely given
- Informed
- By a clear affirmative action

Breach Notification to the Supervisory Authority
- Notification to SA within 72 hours
- Unless “unlikely to result in a risk to the rights and freedoms of natural persons”
- ‘Risk’, e.g. a risk of identity theft or anything likely to lead to a financial loss for the data subject

Breach Communication to Data Subject
- “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”
- “the data controller shall communicate the personal data breach to the data subject without undue delay”
- ‘High Risk’ – higher threshold than report to Supervisory Authority

Key deliverables
- Identify and document legal basis for processing
- Review and remediate storage and retention practices
- Article 30 Records of data processing
- Privacy Notices
- Review and refresh of databases, mailing lists
- Review of organisational data security practices
- Identify and review third party processors
- Embed Privacy by Design and Privacy by Default practices & procedures
- Re-assess breach notification procedures

Some 2019 priorities
- Progressing Inquiries – first decisions Summer 2019
- Supervising and engaging with big-tech (multi-faceted)
- Children’s Consultation
- DPC five year Regulatory Strategy
- DPC DPO Network
- Issuing Guidance

Thank You
www.dataprotection.ie