
‘EU Data Protection Regulations Future Challenges’




2 ‘EU Data Protection Regulations Future Challenges’
Hugh Jones, Sytorus

3 New Definitions
Pseudonymised Data
Profile
Encryption
Data Recipient
Third Party
Data Subject
Consent
Breach
Genetic/Biometric Data
Health Data
Establishment
Nominated Representative
Child

4 Key Principles
Selection (“One-stop Shop”)
Accountability and Liability
Data Processing must be:
  Fair and Justifiable
  Security
  Portability and Accessibility
  Specified and Lawful
  Transparent and Explicit
  Adequate and Relevant
Specific Categories of Processing

5 Selection of Jurisdiction
Referred to as ‘The One-Stop Shop’
Data Controller reports to the Statutory Authority where the Controller is established / operational
Where the Controller is active in several EU jurisdictions, they can indicate a preferred jurisdiction
That authority will then be responsible for the Controller’s compliance

6 Accountability
Role of Data Controller
  Primary point of compliance
Role of Data Processor
  Mandatory contract in place
Role of Data Protection Officer
  Dedicated role within the organisation
  Not necessarily an employee
Individual accountability of Board members

7 Revision of Key Roles
Must be able to demonstrate compliance of processing
Evidence of Privacy by Design or by Default
Possibility of being a ‘Joint Controller’
Obligations for non-EU based Data Controller
Required clauses for Data Processor Contract
Control over sub-contracting

8 Individual Liability under the Acts
“Where an offence under this Act has been committed.... by a body corporate and is proven to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of a person, being a director, manager, secretary or other officer of that body corporate, or a person who was purporting to act in any such capacity... that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly”

9 Data Protection Officer (DPO)
The Controller or Processor must designate a Data Protection Officer under certain criteria:
  to monitor internal compliance with the Regulations
  where the processing is carried out in the public sector or in the private sector by a large enterprise, or where the core activities of the controller require regular and systematic monitoring of Data Subjects, e.g. CCTV
Governance of organisation’s data management
Drafting of compliant data policies
Influencing system and functional changes
Currently an optional role
May be mandatory in certain circumstances

10 Privacy Impact Assessment
Where processing is likely to give rise to risk to the data
Where relevant, involve the DPO
Systematic evaluation of proposed processing
Identification of risk
Outline of the measures being taken to mitigate those risks
Outline of structures and measures planned to achieve compliance
Where substantial risk is identified, must check with the Supervisory Authority

11 Privacy Impact Assessment
1. Stakeholders, Entities & Systems
2. Identify Processes
3. Work flow analysis
4. Privacy Impact Assessment
5. Risk Analysis
6. Implementation

12 Fair and Justifiable
Fair Processing Notice
Reference to Lawful Processing Conditions
Additional considerations for Sensitive Personal Data
Burden of Justification rests with Data Controller
Not about the data the Subject is willing to disclose
Assumption that consent is necessary
Distinction between Mandatory and Optional fields
Reminder of Data Subject Rights
  To opt out from marketing
  To object to processing
  To have data rectified or removed (“Right to be Forgotten”)

13 Retention Considerations
Knowing the useful life of your data
The point of minimum economic value
Appropriate and cost-effective storage
Appropriate and verifiable destruction
Business need v. regulatory obligation
Operational v. Historical value
Proportional storage solutions
Efficient retrieval procedures
Appropriate data catalogues

14 Secure Processing
Prevention of unauthorised access or modification
Prevention of unlawful disclosure or loss
Proportional solutions based on ‘nature, scope, context and purpose’
Overseas Transfer
  ‘Second’ Countries (30 currently)
  ‘Safe’ Countries (10 currently)
  ‘Safe Harbor’ – currently under fire!
  Adequacy Criteria
  Binding Corporate Rules
  Model Contracts

15 Data Security Considerations
Data Security Policy
Organisation of Information Security
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Appropriate Access Controls
Information Security Incident Management
Business Continuity Management
Compliance

16 Data Portability & Accessibility
Data Subject has the right of access to their data
Data to be managed in a way that allows collation
On request, data to be ‘packaged’ for transport
May be sent to a competitor or alternative service provider
Data Controller cannot object to the request
Manage the data in a way to enable efficient collation
Data can be retained by the original Controller, if justified

17 Specified and Lawful
Appropriate notification
  Identification of Controller
  Outline of intended processing
  Identification of Processors
  Any other information to make the processing fair
Profiling
  Automated Processing
  Segmentation
  Big Data opportunities

18 Transparent and Explicit
No obligation to register as DC or DP
Proactive assessment of processing
Logging and recording of incidents
Notification of processing in some circumstances
Controller obligation to maintain log of processing
Processor obligation to maintain log of processing
  Identification of categories of data being processed
  Identification of categories of processors to be engaged
  Envisaged time limit for retention
Breach Notification
  Within 72 hours of becoming known
  Describe implications, measures taken to prevent recurrence
  Outline steps taken to minimise impact on Data Subject

19 Adequate and Relevant
Adequacy Criteria include:
  Rule of Law – is the processing legitimate?
  Necessity – is the processing necessary?
  Security – what security measures are in place?
  Appropriateness – is the processing compatible with the purpose?
  Alignment – will the processing enable the stated objective?
  Adequate – will the processing achieve the objective on its own?
  Alternatives – could the same objective be achieved by other means?

20 Offences under the GDPR
Failure to meet time-line for response to Subject Access Request
Provision of false or inadequate information to the Statutory Authority
Failure to respect individual Rights – rectification, erasure, opt out, etc.
Failure to comply with a formal Notice from the Statutory Authority
Failure to notify the Statutory Authority of a Data Breach
Failure to appoint a Data Protection Officer, if required
Failure to carry out a Privacy Impact Assessment
Failure to maintain appropriate logs and documentation (PIA, etc.)
Inability to adequately demonstrate the compliance of data processing
Disclosure of personal data which was obtained without authority
Inappropriate engagement of a Data Processor (e.g. no contract in place)

21 Enforcement of legislation
Formal notices
  Information
  Enforcement
  Prohibition
Evidence of compliance effort?
Negotiated Resolution v Prosecution
Reputational damage of a breach
Cost of recovery of market share, good will, trust

22 Specific Situations of Data Processing
Reconciliation of conflict between GDPR and national legislation
Publication of data in public files
Re-Use of public sector information
Use of PPSN
Health and Genetic data – awaiting clarification
Processing for Employment – e.g. Danish guidelines (Jan 2015)
Processing for Social Protection
Processing for Statistics, Archives, Historical records
Processing for Church and Religious organisations
Secrecy Obligations due to other legislative commitments

23 Timeline for Deployment (anticipated)
Mid-September to mid-October 2013: Orientation vote in LIBE Committee
Autumn 2013 (depending on progress in the Council of Ministers): Negotiations between European Parliament, Council and Commission (the Trilogue)
Finalisation of new wording – end-2015 (Luxembourg EU Presidency)
Expected formal adoption by Trilogue in early 2016
Deployment and enforcement end-2017 / early-2018

24 So why comply with the GDPR?
‘It’s the law of the EEA’
Protection of brand from negative publicity
Avoid risk to reputation from prosecution
Protection of trust
  Employees
  Suppliers
  Customers
Enables better decision-making
Makes good business sense
Delivers business value

25 Sytorus Ltd. – who we are
Data Protection Consultancy and Advice
Training for DPOs
Privacy Impact Assessments
DP Executive Assessments
Interim Data Protection Officer
Liaison with Office of the DP Statutory Authority
Free, 30-day trial of our online Knowledge Base!

26 Questions
