
1 07/12/2018

2 The GDPR: Key themes and implications for data sharing
Jon Belcher, Senior Solicitor, March 2016

3 Agenda
- What is the GDPR and when is it happening?
- Some key themes of the GDPR …
- … and some things we don’t (yet) know
- Implications for data sharing

4 What is the GDPR?

5 What is the GDPR? (1)
- The ‘General Data Protection Regulation’
- A brand new data protection law for the whole of the EU
- Replaces the 1995 Data Protection Directive (95/46/EC) and domestic data protection law

6 What is the GDPR? (2)
- It’s a ‘regulation’ – this means it will be directly effective across all 28 (at least for now) EU member states
- Represents a significant strengthening of data protection law
- NB – Accompanied by a new ‘directive’ for processing by crime and justice bodies

7 Why is reform needed?
- Data protection legislation across the EU is currently based on the 1995 Data Protection Directive (95/46/EC)
- Widely seen as outdated – it does not adequately deal with various modern trends (exponential increase in processing power, social media, big data, biometric and genetic information, internet of things …)
- A lack of consistency across EU member states

8 EU Data Protection Reform: Timeline

9 Initial proposals
The European Commission published proposals for data protection reform in January 2012:
- A new General Data Protection Regulation which would replace the existing Data Protection Directive
- A new Directive for processing of personal data by crime and justice bodies
Key points:
- A regulation – so directly effective without the need for national implementing legislation
- One set of rules for the whole of the EU rather than 27 separate regimes
- Special rules for processing of personal data by public bodies with crime and justice functions

10 The Commission’s original view
- “A stronger, simpler and clearer data protection framework …”
- “A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year”
- “… simplifying the regulatory environment by cutting red tape and abolishing formalities such as general notification requirements … saving businesses around €130 million a year”

These are some quotes from the Commission in January. They illustrate the Commission’s thinking at the time: that DP reform would strengthen protection for data subjects, simplify the rules and save money for businesses by cutting red tape. It’s worth bearing these points in mind when looking at where we are now, and whether you think any of these objectives are likely to be achieved by the reforms.

11 Timeline since January 2012
- May 2014 – European Parliament agrees its own draft text of the GDPR
- June 2015 – European Council (made up of representatives of the governments of each EU member state) agrees its own draft text of the GDPR
- December 2015 – Trilogue completed and a final draft agreed

Before a Regulation can be adopted, it must be agreed by the Commission, the European Parliament and the European Council. By June 2015 each of the three institutions had produced its own text of the GDPR. These drafts reflected the institutions’ own particular concerns – for example, the Parliament’s draft contained the strongest protections for data subjects, whereas the Council’s draft was more business-friendly and contained fewer obligations on controllers and processors. The three institutions then went through a process of negotiations (known as the “trilogue”) before a final text was agreed in December 2015.

12 The latest state of play
- We now have an agreed draft (at last!)
- The final text is being translated / subject to minor changes
- Needs formal adoption and publication in the Official Journal
- Two-year implementation period after publication (so the new rules are likely to be in place during 2018)

13 Key themes of the GDPR: Continuity

14 The GDPR: Continuity (1)
There is much in the Regulation that will be familiar:
- Concepts such as ‘personal data’, ‘controller’, ‘processor’ and ‘data subject’ remain (but watch out for the expanded definitions) (Article 4)
- Compliance is still based on data protection principles and conditions for processing (but note changes) (Articles 5 and 6)

The first thing to say is that the GDPR does not look like a radical departure from the current Directive (and the DPA). The language is the same and many of the concepts are retained. However, the definition of ‘personal data’ is broader than its equivalent in the DPA – there are specific references to location data and online identifiers (such as IP addresses) that arguably are not personal data under the current rules. Compliance will still be based on a set of data protection principles, and you must ensure that there is a relevant condition for processing. The principles and conditions are similar to those in the DPA, although there are subtle differences that could have a wide impact. For instance, data controllers can rely on ‘consent’ as a condition for processing – but the definition of consent has been tightened. Data controllers will require explicit consent rather than relying on implied consent.

15 The GDPR: Continuity (2)
- Additional rules for processing special categories of data (Articles 9 and 9a)
- Subject access rights are retained (but note additional rights for data subjects) (Chapter 3)

Data subjects will still be able to request copies of their own personal data, so subject access requests are retained. However, there will be additional rights for data subjects . . .

16 Key themes of the GDPR: Transparency

17 The GDPR: Transparency (1)
- Additional requirements for fair processing notices / privacy policies (Articles 14 and 14a)
  - more prescriptive approach
- More stringent requirements for obtaining consent from data subjects (Article 7)
  - onus on the controller to demonstrate that consent was given
  - must be clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language
  - “It shall be as easy to withdraw consent as to give it”

More prescriptive approach – e.g. recipients / period for which data will be stored / existence of individuals’ rights / appropriate safeguards if data is to be exported.

18 The GDPR: Transparency (2)
Mandatory breach notification provisions:
- to supervisory authorities (Article 31)
  - without undue delay and not later than 72 hours after becoming aware of the breach
  - exception if the breach is unlikely to result in a risk to data subjects
- to data subjects (Article 32)
  - where the breach is likely to result in a high risk to the rights and freedoms of individuals
- from processors to controllers (Article 31)

19 Key themes of the GDPR: Accountability

20 The GDPR: Accountability (1)
Overarching ‘accountability principle’ (Article 5): “the controller shall be responsible for and be able to demonstrate compliance with paragraph 1 [the principles]”

21 The GDPR: Accountability (2)
Controllers and processors obliged to:
- maintain adequate records of processing activities; and
- make records available to supervisory authorities on request (Article 28)

22 The GDPR: Accountability (3)
Requirement to appoint a Data Protection Officer (Article 35) applies to:
- public sector bodies
- controllers or processors whose core activities:
  - consist of processing requiring regular and systematic monitoring of data subjects on a large scale
  - consist of processing special categories of data on a large scale

23 Key themes of the GDPR: Enhanced individual rights

24 The GDPR: Enhanced individual rights (1)
Individual rights set out in Chapter 3:
- To receive detailed fair processing information (Articles 14 and 14a)
- To subject access (Article 15)
  - no fee payable
  - one month to comply, but can be extended to up to three months

25 The GDPR: Enhanced individual rights (2)
Individual rights set out in Chapter 3:
- To rectification (Article 16)
- To erasure / right to be forgotten (Article 17)
- To data portability (Article 18)
NB – national law may restrict some of these rights (Article 21)

26 Key themes of the GDPR: Liabilities and penalties

27 The GDPR: Liabilities & penalties (1)
A major innovation under the GDPR is that processors will have direct obligations:
- Security (Article 30)
- Maintain records (Article 28)
- Restriction on appointing sub-processors (Article 26)
- Specific provisions to be included in processor agreements (Article 26) – much more prescriptive than under existing law

28 The GDPR: Liabilities & penalties (2)
Much tougher penalties (Article 79):
- Supervisory authorities have the power to impose administrative fines. Two tiers:
  - Greater of €20m or 4% of worldwide turnover
  - Greater of €10m or 2% of worldwide turnover
- Other sanctions available
- Right to compensation for individuals (Article 77): “material or immaterial damage”

29 What we don’t (yet) know

30 What we don’t (yet) know (1)
- Significant scope for national law to impact on GDPR requirements:
  - criminal offences
  - administrative fines for public bodies
  - exemptions to individuals’ rights
- Guidance on implementation
- How the regulators will approach enforcement
- Consistency mechanism

31 What we don’t (yet) know (2)
June 23 is on the horizon …

32 Implications of the GDPR for data sharing

33 Implications for data sharing (1)
- There’s nothing in the GDPR that’s likely to revolutionise your current information sharing practices
- As organisations that are part of WASPI, you’re all working to a high standard already
- Nevertheless, this doesn’t mean you should be complacent . . .

34 Implications for data sharing (2)
- The GDPR is a major reform
- You will need to take some time (well before 2018) to prepare for its implementation
- Some issues for you to think about . . .

35 Implications for data sharing (3)
Take stock of your current data sharing activities:
- Think about what information you're collecting, who you're sharing it with and what the potential risks may be
- Could you be doing things differently to reduce these risks?
- Could anonymisation be used to take the processing outside the Regulation altogether?
- Note the wider definition of personal data. Is there any data sharing you’re currently doing that will now fall within the Regulation?

36 Implications for data sharing (4)
Are you providing enough information to individuals?
- The GDPR contains more prescriptive rules on what information you need to provide to individuals
- Are your privacy notices / fair processing notices compliant?
- If you currently use consent as a condition for processing, do your consent mechanisms meet the higher standard required under the GDPR?

37 Implications for data sharing (5)
Can you show that you are complying with the new rules?
- Think about whether your internal systems are fit for purpose
- Can you demonstrate compliance in accordance with the accountability principle?
- Can you meet the breach notification timescales?
- Do you need to put additional processes in place to ensure that your processing activities are clearly documented?

38 Implications for data sharing (6)
Does your data sharing comply with the new rights for individuals?
- You should consider auditing your internal systems to ensure that they meet the additional requirements
- Will you be able to meet requests for information to be erased?
- What about data portability?

39 Implications for data sharing (7)
And finally (a shameless plug) . . .
- If in doubt, please don’t be afraid to ask for help
- We can advise you on compliance with existing law and the requirements of the new GDPR

40 Contact information
Jon Belcher, Senior Solicitor

41 07/12/2018

