Published by Julia Katariina Tamminen. Modified over 5 years ago.
1
Governing the risk of GDPR compliance
Denis Kelleher, Head of Privacy EMEA, LinkedIn
2
What is a risk? “A situation involving exposure to danger”; “the possibility that something unpleasant will happen”.
4
A bit about me: Lawyer.
Currently: Head of Privacy EMEA.
Previously: Senior Legal Counsel, Central Bank of Ireland; Legal Counsellor, Permanent Representation of Ireland; Advisory Counsel, Office of the Attorney General.
Author of Privacy and Data Protection Law in Ireland; co-author of EU Data Protection Law.
BCL, LLD, Barrister.
5
Why do I care about risk?
6
Risk in the GDPR… Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Article 25(1)
7
What is a risk? The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage:
discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality/anonymity, any other significant economic or social disadvantage;
deprivation of rights and freedoms;
being prevented from exercising control over their personal data;
racial/ethnic/genetic etc. profiling;
work-place, economic, health, personal, reliability or behaviour, location or profiling;
vulnerable natural persons/children;
or where processing involves a large amount of personal data and affects a large number of data subjects.
Recital 74
8
What are these rights & Freedoms?
The four freedoms (TFEU): persons; capital; goods; and services.
Rights (Charter): expression; communication; religion; conduct a business; create art; assembly; equality.
9
How do we measure these risks?
“The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk” Recital 76
10
“Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the (European Data Protection) Board or indications provided by a data protection officer. The (European Data Protection) Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk” Recital 77
11
How do we manage these risks?
General & Specific measures
12
General measures “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary” Article 25(1)
13
But be careful: “Where proportionate in relation to processing activities, the(se) measures… shall include the implementation of appropriate data protection policies by the controller” Article 25(2)
14
Specific measures: data protection by design; security; DPIA; prior consultation; hiring a processor; DPO.
15
Data Protection by design
“Taking into account: the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall…implement appropriate technical and organisational measures, which are designed to implement data-protection principles… in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
16
Data security “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…” “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” Article 32(1) & (2)
17
Breach notification “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority… unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” Article 33(1) “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay” Article 34(1)
19
DPIA “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks” Article 35(1)
21
“Your organisation can choose the risk management approach that best suits your existing project management process. The same tools you use for identifying other regulatory or commercial risks as part of your project management process can be used to assess the data protection risks involved in a project. The key point is to ensure that a methodological approach to identifying risks is adopted, and that records are kept of this process, and of all the risks identified.
Your organisation may wish to maintain a data protection risk register to describe the risks associated with a project and assess their likelihood and impact. You can then go back to the register in the event of any changes to the project, to make note of any steps taken to mitigate risk, or any additional risks that emerge. This can be incorporated into an existing risk register if one exists for the project.
Small scale projects may adopt a relatively informal approach to risk. You can still use a data protection risk register in such cases, but with the entries reflecting the less formal approach adopted.”
22
3 types of risk: personal risk, corporate risk, compliance risk.
Personal risk: Merging of datasets may result in a data controller having far more information about individuals than anticipated by the individuals. Merging of datasets may inadvertently allow individuals to be identified from anonymised data. Use of technology capable of making visual or audio recordings may be unacceptably intrusive.
Corporate risk: Public distrust of your organisation’s use of personal information may lead to a reluctance on the part of individuals to deal with your organisation.
Compliance risk: Your organisation may face risks of prosecution, significant financial penalties, or reputational damage if you fail to comply with the GDPR. Individuals affected by a breach of the GDPR can seek compensation for both material and non-material damage.
23
DPIA must contain: “…an assessment of the risks to the rights and freedoms of data subjects…” “…the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned” Article 35(7)(c) & (d)
24
Risk assessment may continue:
“Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations” Article 35(11)
25
Prior consultation “The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk”.
26
Entering into a contract with a processor
“The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.”
27
DPO “The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing” Article 39(2)
28
What happens when we don’t manage risk?
“…the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32” Article 83(2)(d)
29
Thank you. Good afternoon.