Published by Marjatta Lahti
1
General Data Protection Regulation “11 months in”
Donna Creaven Head of Supervision – Multinationals & Technology
2
Our report in numbers
3
Some statistics….
4
Recap: Focus of the GDPR
Accountability – demonstrating compliance
Transparency – providing information pre-processing
Risk-based mandatory data breach reporting (72 hours)
Strengthened ‘Consent’ obligations
Data protection by design and default
New and enhanced Data Subject rights
Administrative Fines
Data Protection Officer (DPO) for certain organisations
5
Administrative Fines (Article 83)
Up to €20m or 4% of global turnover
6
Governance Transparency Accountability
7
Demonstrating Accountability
Maintaining up-to-date inventories of processing (Article 30)
Completing data protection impact assessments (Article 35)
Ensuring the security of processing (Article 32)
Adhering to the principles of data protection by design and by default (Article 25)
Appointing and empowering a Data Protection Officer (Articles 37 and 38)
Strong foundation of governance - Practical approach
Transparency
Record Keeping
Codes of Conduct
Certification
Impact Assessment
Governance and Data Protection By Design & Default
Contract, transfers, agreements, BCRs
User rights
Data Protection Officer

Article 25 – Pbd&d
Start to finish – business case to end-of-life
Design and NFR factor from the start
Whole organisation to engage – not just dev, QA, Ops
Governance, policy, practice
Throughout lifecycle – “time of determination”, “time of processing”
Data Minimisation
Pseudonymisation
Effective risk management
Default settings observing principles must be used

Article 32
Art 32(1)(d) - testing
Software engineering – standards?
Essential for accountability, quality, security, protection
Document, record, change control
Unit, integration, UAT, feature, static and dynamic analysis, coverage reporting, automated build, continuous integration?
Fixture data? Staging – consent?
Secure servers, network? Patching?
War games, network intrusion detection, leaks, error tolerance
Incident Response plan, training
Risk management, “function creep”
Design and test not just for security - but for access-control, subject access, portability, deletion, purpose limitation
8
Accountability – the controller & processor relationship
Monitoring this relationship is an ongoing task, for example:
Undertaking external and internal audits
Inspections
Follow-up actions
Spot checks
Regular reviews
9
Transparency requirements
At the time when personal data is obtained, provide the data subject with information on the:
Identity of controller and DPO
Purpose of processing and legal basis
Recipients of the data
Data transfer arrangements
Retention period
Right of access
Right to withdraw consent
Right to lodge complaint with SA
Details of the contractual or statutory basis
Details of automated decision-making
10
Consent - Article 4.11
Unambiguous
Freely given
Informed
By a clear affirmative action
11
Breach Notification to the Supervisory Authority
Notification to SA within 72 hours
Unless “unlikely to result in a risk to the rights and freedoms of natural persons”
‘Risk’ e.g. a risk of identity theft or anything likely to lead to a financial loss for the data subject
12
Breach Communication to Data Subject
“when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”
“the data controller shall communicate the personal data breach to the data subject without undue delay”
‘High Risk’ – higher threshold than report to Supervisory Authority
13
Key deliverables
Identify and document legal basis for processing
Review and remediate storage and retention practices
Article 30 Records of data processing
Privacy Notices
Review and refresh of databases, mailing lists
Review of organisational data security practices
Identify and review third party processors
Embed Privacy by Design and Privacy by Default practices & procedures
Re-assess breach notification procedures
14
Some 2019 priorities
Progressing Inquiries – first decisions Summer 2019
Supervising and engaging with big-tech (multi-faceted)
Children’s Consultation
DPC five year Regulatory Strategy
DPC DPO Network
Issuing Guidance
15
Thank You