Presentation is loading. Please wait.

Presentation is loading. Please wait.

Management of a Data Breach under the GDPR

Published byAlbert Brabander Modified over 6 years ago

Similar presentations

Presentation on theme: "Management of a Data Breach under the GDPR"— Presentation transcript:

1 Management of a Data Breach under the GDPR

2 Insurance Company Staff caught spying on Celebrities’ Records
In the headlines.... Details of online Sony video game players stolen Insurance Company Staff caught spying on Celebrities’ Records Sony Hackers Hit Up To 250,000 Irish Users in Data Theft Protecting privacy - A victory for us all Top telecoms firms fined for cold calling customers PlayStation Users on high alert after hacking Customer “harassed” by 225 calls from UPC 40% of tech firms view potential staff on Web Insurers to discuss Code after Report identifies breaches of data law Telecoms companies plead guilty to data protection offences Telecom companies plead guilty in unsolicited calls case PlayStation fans hit by Credit Card hacker Telecom firms prosecuted for sales methods Celebs in Insurance Spy Probe

3 1956

4

5 What’s next?

6 What constitutes a Data Security Breach?
“a breach of security… leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data being transmitted, stored or otherwise processed. (GDPR Article 4.12) Remember: A Breach is not automatically an Offence!

7 Data Management Considerations
Security v’s Access Creative and Compliant Users – Ambassadors v Assassins Protecting the Brand Processing Efficiency Retention Schedule – Keep? Destroy? Take the risk? Use of Test Data Formal engagement of third party Processors Policies and Procedures Staff Awareness-raising

8 How to respond to a Breach
GDPR outlines specific obligations (Art. 33, 34) Controller must report to ODPC within 72 hours of becoming aware unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons Breach Notification Report now available on ODPC web-site 38-question form must be completed – 22 are mandatory New breach v update on existing reported incident (Indications of a public register of all those firms who have reported a breach)

9 Reporting a Breach to the ODPC
Report should include at least: a description of the nature of the personal data breach… the categories and approximate number of data subjects concerned; and the categories and approximate number of personal data records concerned; the name and contact details of the data protection officer or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; whether or not the impacted data has been recovered; a description of the measures taken or proposed to be taken by the Controller to address the personal data breach, and, where appropriate, measures to mitigate its possible adverse effects and prevent recurrence.

10 Liaison with the DP Commission
Guidance now available on the Commission’s re-branded website Indication that the DP Commission will issue a Case Reference for each Breach reported Keep it to the point, accurate and collaborative. Be Transparent. Guidance on impact – low, medium, high, severe Consideration of the vulnerability of the data subjects – minors, elderly, patients, etc. Separate consideration for breach involving law enforcement data

11 Reporting a Breach to the Data Subject
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Art. 34) Provide information on the following at least: the name and contact details of the data protection officer or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; a description of the measures taken or proposed to be taken by the Controller to address the personal data breach, and, where appropriate, measures to mitigate its possible adverse effects and prevent recurrence The ODPC may instruct the Controller to report to the Data Subjects

12 Implications of GDPR Principles for Health data
1 – Transparency – clear and open explanation to patients re the use of their data, provision of care, sharing of data with other entities, etc.; 2 – Specified Purpose (permissible under Articles 9(h) and (i); 3 – Minimisation – keep processing to a minimum, pseudonymisation where possible, avoid disclosure of records, test results, etc.; 4 – Accuracy and Currency – regular checks, e.g. during each GP visit, to ensure that personal data records remain up-to-date and fit for purpose; 5 – Retention and Deletion – HIQA guidance to keep medical records in perpetuity, particularly records regarding the provision of treatment to minors; 6 – Security – evidence of both organisational and technological measures in place to prevent unauthorised loss or disclosure of health records – must be robust and proportional; 7 – Evidence of accountability – DPIA process, Breach Notifications, appropriate contracts in place with Processors and peers (data sharing), Processing Activity Logs – mandatory given the ‘special category’ nature of health and biometric data

13 Medical Data – Article 9 Lawful Processing Conditions: Article 9 (h):
processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; Article 9(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; © Sytorus Ltd.

14 Additional obligations for Health data
Key criterion for the completion of a DPIA (Art 35.3(b)): “processing on a large scale of special categories of data referred to in Article 9(1)”; Key criterion for mandatory appointment of a DPO (Art 37.1(c)): “the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9.1“

15 Exemptions for health data under GDPR
Under GDPR, includes medical, biometric and genetic information; ‘Right to erasure’ does not apply where processing is necessary for the public interest in the area of health and provision of medical care; [e.g. a patient with a contagious illness cannot seek to have those records deleted where they remain a risk to public safety (Ebola, etc.)] Certain rights provided under the GDPR can be restricted in the public interest, “…including (processing relating to) monetary, budgetary and taxation matters, public health and social security” – Art. 23

16 GDPR Considerations, Restrictions and Exemptions
DPIA – An additional obligation to consult with the ODPC where the proposed change to processing involves health or medical information (Art.36.5) Specific guidance from French Supervisory Authority (CNIL) regarding the conduct of clinical trials under the GDPR, with emphasis on explicit consent, minimisation of processing, and pseudonymisation; Recent HIQA guidance on Data Sharing Agreements between hospitals and other institutions which collaborate on patient care and treatment;

17 What should you do Company structure DPO DP Champions Implement…
Privacy by Design/Default, Logs, Processes, Contracts… Tools Platform Demonstrate compliance Training DPO Onsite Online © Sytorus Ltd.

18 Logging of Processing Activities (Article 30)
That record should contain, for example, The name and contact details of the Controller The purposes of the processing A description of the categories of Data Subjects The categories of recipients Transfers of personal data to a third © Sytorus Ltd.

19 Demonstrate Compliance
Processing Activity Log Risk Log & proof of mitigation (for example, training) Incident log Breach log DPIA log Subject Access Request Log © Sytorus Ltd.

20 Thanks You Questions? © Sytorus Ltd.

Download ppt "Management of a Data Breach under the GDPR"

Similar presentations

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Finance and Governance Workshop Data Protection and Information Management 10 June 2014.

Finance and Governance Workshop Data Protection and Information Management 10 June 2014.
The Data Protection Act 1998. What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;

The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
INTRODUCTION TO DATA PROTECTION An overview of the Irish Data Protection legislation.

INTRODUCTION TO DATA PROTECTION An overview of the Irish Data Protection legislation.
An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.

An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.
© University of Reading 2007 www.reading.ac.uk/data_protection Lee Shailer 06 June 2016 Data Protection the basics.

© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.

Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.

Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Data Protection Officer’s Overview of the GDPR

Data Protection Officer’s Overview of the GDPR
Key changes with the GDPR

Key changes with the GDPR

Similar presentations

Ads by Google