1
Data Privacy in Norsk Hydro ASA and Yara International ASA
Malin Tønseth, Head of Data Privacy and Legal Counsel, Norsk Hydro ASA
Cecilie Kjelland, Yara International ASA
2
How is data privacy work organized in Hydro and Yara, and what relevance do the new GDPR rules have for in-house lawyers?
Agenda:
Part I: Organization of the data privacy work in Yara and Hydro
Part II: Data privacy red flags to be aware of when advising clients
The role as controller: how to comply with the GDPR requirements in the Legal Department
3
Why is GDPR implementation perceived as difficult?
New concepts (GDPR, BCR, DPIA, …)
Lack of "gut feeling" for the subject
"Data" = IT?
Difficulty seeing the relevance for one's own work
Translating the rules into internal workflows
4
Data Privacy in Yara
5
Data Privacy work in Yara
2014: Work on a draft of "Binding Corporate Rules" (BCR) begins, initiated by HR
- Gap analysis of personal data handling against external/internal requirements
- Development of an internal framework: directives and procedures
2016: Application for approval of the BCR sent to Datatilsynet (the Norwegian Data Protection Authority). Approved by the foreign supervisory authorities acting as co-reviewers; final approval from Datatilsynet still pending at the time of the presentation.
2016: Mapping of personal data begins
- Insight into what kinds of data we hold
- Key applications containing personal data, centrally and locally
- Identification of risk
2016: BCR/Data Privacy established as a separate project
2017: Appointment of Yara's Data Privacy organization; start of internal training of employees
January 2018: Global launch of Yara's Data Privacy program
Towards May 2018: Continued internal training, review of data processing agreements, development of internal work processes, customer databases
6
Yara Data Privacy internal framework
Internal control procedures: mapping document, overview of data flows, audit plan, data security breach reporting, role descriptions, annual work cycle
Yara Data Privacy operational procedures: procedure for inspection of …s/electronic documents, access request procedure, complaint handling procedure, retention procedure, digital marketing procedure, secondary purpose procedure, off-boarding procedure
Yara Data Privacy directives (BCRs): employee directive, customer/3rd party directive
7
Data Privacy Organization in Yara
Organization chart (flattened from the slide):
- Management: Head of DP
- Key contributors to the DP network: Crop Nutrition, Supply Chain, HR, IT (IT contact marked "Appointed?")
- DP contacts: Regional DP Coordinators (RDPC) for Europe, Asia, North America, Latin America, Brazil and Africa
- IT collaboration teams (examples): existing IT roles, i.e. the Regional IT Managers for each region
8
Data Privacy page on Yara's Pulse intranet
9
Data Privacy in Norsk Hydro ASA
Organization of the Data Privacy compliance work in Hydro
10
Risk Universe in Hydro Data Privacy a part of the overall risk picture
As part of an internal compliance project, 16 main compliance risks were identified, of which "Data Privacy" was defined as one of the top-5 high risks. Hydro's compliance system for managing compliance risks sets out certain minimum requirements for the governance of compliance risks that are defined as "high".
Risk universe shown on the slide: Operational, Financial, Strategic, Legal & Regulatory; compliance risks include HSE Compliance, Data Privacy, Commercial, Competition, Corruption, Financial reporting and Cyber Security.
11
Data Privacy compliance system
Main components for the governance of data privacy compliance:
- "Tone at the top"
- Risk mapping
- Internal control systems: steering documents, guidelines/tools, awareness training
- Monitoring controls: self-assessment reviews, internal audits, data breach alert functions
- Consequences and recognition
- Reporting: line reporting, reporting to the Board of Directors, IAC reporting, corporate staff reporting
12
Data Privacy body of rules
Legal and corporate framework:
EU General Data Protection Regulation (GDPR): applies from 25 May 2018 (it entered into force in May 2016 with a two-year transition period); stricter rules for data protection in the EU/EEA; substantial fines for non-compliance.
Hydro's Data Protection Procedure: establishes the general requirements for the processing of personal data in Hydro and constitutes Hydro's Binding Corporate Rules (BCR), the legal basis for transfers of personal data from EU/EEA countries to non-EU/EEA countries within the Hydro group of companies.
13
Hydro’s plan for getting ready for the GDPR
Actions implemented by Hydro:
- Global policy for the protection of personal data (Global Data Protection Procedure / BCR)
- Sub-procedures and instructions on specific data protection issues
- Organization of a Data Privacy Network: staff designated to supervise compliance with the data protection requirements
- Records of data processing activities (current and future)
- Reviews and assessments of third-party suppliers and the available Data Processing Agreements
- Legal basis for transferring personal data to suppliers outside the EU (Model Clause agreements, or confirmation that the supplier is Privacy Shield certified)
- eLearning, training material, guidelines and intranet articles (awareness material)
- Data privacy information on the intranet (static web page)
- Corporate guideline available on the Hydro intranet (ENG / DE / NO / PT-BR)
14
Data Privacy work in Hydro – Organizational setup
Organization chart (flattened from the slide):
- Corporate Compliance: Head of Data Privacy, with solid-line reporting
- Data Privacy Network, aligned on DP compliance across the business areas (BA): Bauxite & Alumina (B&A), Energy, Primary Metal (PM), Rolled Products (RP), Extruded Solutions (ES) and Corporate Functions
- Each BA has a DP Coordinator* (B&A, Energy, PM, RP, ES) and DP Champions; Corporate Functions have Corp. DP Coordinators** and Corp. DP Champions
- Legally appointed DPOs (where applicable)
* The BA Data Privacy Coordinator assists line management with coordinating the data privacy compliance work in the relevant BA.
** The main corporate functions appoint their own Data Privacy Coordinator to assist line management with compliance work in the relevant function.
15
Governance and organization of work
Roles and responsibilities:
Head of Data Privacy: supervises data privacy compliance in Hydro globally; monitors and supports the global implementation of Hydro's BCR; chairs Hydro's Data Privacy Network; reports to the management board on DP issues.
Data Privacy Coordinators (BA / corporate level): monitor and coordinate data privacy compliance work in the business areas; report data privacy compliance to the Head of Data Privacy; contribute to Hydro's Data Privacy Network.
Data Privacy Champions (HR / ISIT / Communications): hands-on data privacy compliance work in areas and units; assist the Data Privacy Coordinators as appropriate.
16
Applicable data privacy principles
Derived from Hydro's Data Protection Procedure (planned to be launched in March). Guidance sheets available on the Hydro intranet:
- General introduction to data protection (GS#1)
- Protect personal data and respect confidentiality (GS#2)
- Keep personal data secured (GS#3)
- Keep collection of personal data to a minimum (GS#4)
- Personal data retention and deletion (GS#5)
- Information security measures (GS#6)
- Data processing agreements (GS#7)
17
Data Privacy awareness activities
Timeline / plan for 2018 (Q1 to Q4), activities shown on the slide:
- International Data Privacy Day (28 January)
- Launch of the DP static site on the intranet
- Awareness activity
- DP management information package
- DP workshops for specific target groups
- DP eLearning training launch
19
Red flags to be aware of when advising clients
20
Our global presence is growing
- 14 736 people employed
- 160+ countries we sell to
- 60+ countries we operate in
- 300 million people our products help to feed
- 50 million citizens our products deliver fresh air for
- 240 million tons of grain our products help produce
- 15 million farmers we work with
21
Our integrated business model creates value through scale and flexibility
22
Data Privacy: why is it relevant for all employees?
Differences from "traditional compliance":
- Complexity: a large number of requirements, most of which apply in many workflows (example: assessments required before using data for a new purpose)
- Often no overview of one's own storage/use of personal data
- What personal data actually is must be understood before the relevance becomes visible
- Is data privacy an IT matter? A legal matter?
23
Example of translating rules/procedures into a workflow (HR)
Recruitment process:
Mapping of current/internal resources → advertising and receipt of CVs → internal distribution of CVs → assessment and selection of candidates
→ Use of external advisers? → Outside the EU/EEA? → Data processing agreement? → EU Model Clause agreement?
→ Interview assessments → feedback to applicants → storage of CVs for later use → storage of the new hire's personal data in HR systems →
24
Red flags to be aware of when advising your clients
Is the use of personal data within the intended purpose?
- Secondary purpose assessment (purpose limitation, Art. 5(1)(b) GDPR)
- Be careful with the use of employee information for control/monitoring purposes
What happens to the data after collection/processing?
- The client must be aware of the duty to delete data once the purpose is fulfilled (Chapter II GDPR)
- Limit distribution (Chapter II GDPR)
- Avoid collecting personal data that is not necessary for fulfilling the purpose (Chapter II GDPR)
Does the client rely on consent from the data subject as the legal basis?
- Consent for processing of employee personal data is normally not valid, because of the imbalance of power (Art. 7 GDPR)
- Be careful with digital marketing initiatives: consent is often needed (marketing legislation)
Is your company providing sufficient information to the data subjects?
- Easily accessible privacy policies and/or other information documents (Art. … GDPR)
- An opt-out option may have to be provided (Art. … GDPR); it is always a right in digital marketing initiatives
25
Red flags to be aware of when advising your clients (cont.)
Does the contract imply that one party processes data on behalf of the other party? Then a data processing agreement is required (Art. 28 GDPR). Typical cases:
- Software providers
- Travel agencies, other service providers and consultants
- Talent databases
- Sub-contractors (supply chain, construction projects, intermediaries)
Will personal data be transferred outside the EU as part of the project/contract?
- An EU Model Clause agreement, US Privacy Shield certification or another transfer basis is necessary (Chapter V GDPR). Note that the EU-US Privacy Shield was invalidated by the CJEU in July 2020 (Schrems II), so the transfer mechanism named on this 2018 slide must be re-checked against the mechanisms valid today.
- Does your contract party use sub-contractors outside the EU/EEA, or store personal data outside the EU/EEA?
M&A: Can the M&A target demonstrate data privacy compliance?
- Ensure that DP is part of the due diligence (DD) process
- Ensure secure and compliant handling of personal data in the DD process itself
Does the project imply extensive and/or new processing of personal data?
- Risk assessments / DPIAs (Art. 35 GDPR)
- Assessment of the legal basis and purpose for processing (Chapter II GDPR)
26
Awareness – Assessment – Documentation
27
Compliance with GDPR – the Legal Department in the role as data controller
28
Compliance with GDPR – Legal Department in the role as data controller
- "Controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) GDPR)
- The GDPR generally applies to the legal department in its role as a controller
- The legal department's own processing activities (including when processing clients' personal data)
- Generally not regarded as an (internal) processor, so no need for internal data processing agreements
- Legal basis for processing personal data: GDPR Art. 6 (general requirement) / GDPR Art. 9 (special categories of data)
- The GDPR requirements on confidentiality apply in addition to the statutory duty of confidentiality applicable to lawyers
29
Lawfulness of processing
Personal data (general), GDPR Art. 6(1):
- a) Consent
- b) Performance of a contract
- c) Compliance with a legal obligation
- d) Protection of vital interests
- e) Performance of a task in the public interest
- f) Legitimate interests (balanced against the interests of the data subjects)
Special categories of data, GDPR Art. 9(2) (selection):
- a) Explicit consent
- b) Obligations under employment law
- f) Establishment, exercise or defence of legal claims
- h) Health, medicine, social care (preventive / occupational)
30
Legal basis: the role as (internal) legal counsel
Examples of processing purposes and their legal basis:
| Processing purpose | Legal basis for processing |
| --- | --- |
| Client relationship administration | GDPR Art. 6(1) a (consent), b (contract) and c (legal requirement); GDPR Art. 9(2) f (legal claims) |
| Case handling | GDPR Art. 6(1) a (consent) and f (legitimate interests) |
| Knowledge management | GDPR Art. 6(1) f (legitimate interests); avoid sensitive personal data |
| Archiving | GDPR Art. 6(1) b (contract), c (legal requirement), f (legitimate interests) |
| Employee administration | GDPR Art. 9(2) b (obligations under employment law) |
31
Specific processing activities - legal department
Examples: investigations, whistleblowing, screenings, authorizations, CCTV / access controls, data logging (IT systems), insider lists, etc.
National law providing the obligation (Norwegian examples): Bokføringsloven (Bookkeeping Act), Hvitvaskingsloven (Anti-Money Laundering Act), Arbeidsmiljøloven (Working Environment Act), Verdipapirhandelloven (Securities Trading Act), Straffeloven (Penal Code), Diskrimineringsloven (Anti-Discrimination Act), etc.
Legal basis: GDPR Art. 6(1) c; Art. 9(2) b and f.
32
Records of processing activities
GDPR Art. 30: the requirement for a controller to maintain records of the processing activities under its responsibility, i.e. a description per activity of the following:
- Purpose of processing
- Categories of personal data and data subjects
- Categories of recipients
- Transfers of the personal data (where applicable)
- Envisaged time limits for erasure of the different categories
- General description of the technical and organizational security measures
33
Template for the record of processing activities (the second row gives the guiding question for each column):
| Processing purpose | Personal data | Legal basis | Recipients outside the org. | DPA ref. | Transfers | Retention period | TOMs | Internal resp. |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| What? | What? | Why? | Who? | Legal basis for disclosure? | Legal basis for transfer? | How long? | How? | Who? |
| Client relationship administration | | | | | | | | |
| Case handling | | | | | | | | |
| Knowledge management | | | | | | | | |
| Archiving | | | | | | | | |
| Employee administration | | | | | | | | |
| Security | | | | | | | | |
34
Obligations and principles applicable to the Controller
- Must know why data is being used, which data is needed and of what quality, and must not ask for more data than necessary
- Be transparent about the processing: provide understandable information to the affected persons
- Keep data no longer than necessary
- Observe the data subject's right of access to their own personal data (NB: conflicting confidentiality obligations?)
- Privacy by design: think about data protection when designing and developing IT solutions
- Ensure that data processing agreements are in place with suppliers, and that the suppliers have sufficient information security
35
Applying the obligations in practice
Data minimization: keep collection of personal data to a minimum.
Privacy by design: think confidentiality, security, integrity and quality of the personal data, and build it into the design.
Data protection impact assessment; consider:
- The nature, sensitivity and volume of the personal data
- The ease of identification of individuals
- The severity of consequences for individuals
- The special characteristics of the individuals
- The special characteristics of the data controller
Storage limitation: store collected data in as few IT systems/physical files as possible. Pay attention to unstructured data, "inbox issues", old archives, sensitive data in case documents, etc.
Access restrictions and controls, supported by internal instructions and confidentiality requirements.
Routines for retention and deletion of personal data.
The legal department in the role as a data controller is not a "high risk" group; however, it is expected to be best in class (or at least to set a good example).
36
Documentation overview
Recommended actions:
- Internal routine descriptions
- Records of processing activities
- Assignment confirmations / agreements
- Internal control documentation: preventing, detecting, reporting / responding
- Documentation of privacy risk assessments
SOPs (examples): access rights; retention and deletion of data; risk assessments / DPIA; data processing agreements; privacy statement
37
Thank you!