Key highlights of the General Data Protection Regulation (GDPR), which organisations will need to consider when preparing for its coming into force on 25 May 2018.
2. The General Data Protection Regulation is the most extensive change to EU data protection law since the 1995 directive. In 1995, Mark Zuckerberg was eleven years old . . .
GDPR was passed by the European Parliament in April 2016. It comes into effect on 25 May 2018 in all member states.
3. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
4. Personal data must:
1. Be fairly obtained & processed
2. For specified, explicit & legitimate purpose(s)
3. Not be processed in a manner incompatible with those purpose(s)
4. Be kept safe & secure
5. Be kept accurate, complete & up-to-date
6. Be adequate, relevant & not excessive
7. Not be retained for longer than is necessary
8. Be provided on request to the data subject
5. Definition of personal data
Accountability
Consent
Access requests
Joint data controllership
Controller / Processor relationship
Breach notification
Data Protection Impact Assessments
Mandatory Data Protection Officers
Right to compensation and liability
Financial penalties
6. Current definition:
Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into the possession of the Data Controller.
S.1 Data Protection Act, 1988
GDPR redefinition:
any information relating to ... an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person...
Art. 4(1), GDPR
8. “any freely given, specific, informed and unambiguous indication of… wishes…”
Must be given “by a statement or by a clear affirmative action signifying agreement”
Art. 4(11)
9. No fee unless request “manifestly unfounded or excessive”
Requests can be made and must, where appropriate, be responded to electronically
Standard time limit 1 month
May take up to 3 months, but must notify data subject within 1 month, giving reasoned justification for delay
As well as personal data, other info. such as sources, processing purposes & right to complain to DPA must be provided.
Art. 12 & 15
Image: Janet McKnight
10. Where two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers.
They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation.
Art. 26
11. The carrying out of processing by a processor shall be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.
Art. 28
12. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay.
Art. 33
13. DPIA is mandatory “where processing is likely to result in a high risk”.
DPIA must include at least:
systematic description of envisaged processing and the purposes of the processing, including where applicable the legitimate interest pursued;
assessment of necessity and proportionality of processing;
assessment of the risks to the rights and freedoms of data subjects;
measures envisaged to address the risks.
Controller must consult DPA where processing would result in high risk in absence of mitigating measures.
Art. 35
14. The controller or processor must designate a data protection officer in any case where:
the processing is carried out by a public authority or body; or
the core activities of the controller or processor consist of processing operations which because of their nature, scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of sensitive personal data.
A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
Where the controller or processor is a public authority or body, a single data protection officer may be designated for several of them, taking account of their organisational structure and size.
Art. 37, 38 & 39
15. DPOs must have “expert” knowledge, training and experience.
DPOs must report directly to the highest level of management.
DPOs must be completely independent in the performance of their duties.
DPOs may be directly employed staff or external service providers.
DPOs must be involved in a proper and timely manner in all organisational personal data protection matters.
Source: Office of the Privacy Commissioner Canada
16. DPOs shall have at least these tasks:
Informing and advising the organisation and its staff on compliance.
Monitoring organisational data protection compliance.
Advising on data protection impact assessments.
Acting as the contact point for and cooperating with the DPC.
Acting as the contact point for data subjects.
May have other duties, provided they aren’t incompatible with DPO role.
Source: Office of the Privacy Commissioner Canada
17. Current situation:
Collins v FBD Insurance (Ireland)
Google v Vidal-Hall (UK)
In the GDPR:
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Art 82.1
18. Where more than one controller or processor or a controller and a processor are involved in the same processing and, where they are responsible for any damage caused by the processing ... each controller or processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
Art 82.4
19. Two tier structure:
Greater of €10m or 2% of turnover
Greater of €20m or 4% of turnover
Each supervisory authority shall ensure that the imposition of administrative fines . . . shall in each individual case be effective, proportionate and dissuasive.
Art. 83
“Most infringements in principle subject to fines”
Bruno Gencarelli, Head of Data Protection Unit, DG Justice
Not exhaustive - “edited highlights”
Leap Card & Eircode
Documented policies, standards & procedures, with evidence that they’re adhered to.
Think about WhatsApp and Uber - no “opt out”
Electronic response where electronic request, unless data subject indicates otherwise
[HOLD!]
Do exercise on p. 55 of Manual
L/A & Gardai re CCTV.
Other specific detail needed in contract, such as undertakings to follow instructions, assist with exercise by data subjects of rights, destruction of data on termination, etc.
Core activities - main revenue generating activities?
DPO is not a mini DPA
Bavaria and the IT Manager, HR, internal audit - IAPP estimate
BTW, no personal liability in GDPR
Emphasise main risk is not enforcement, e.g., TalkTalk.