
Data protection webinar presentation AIG ecoDa FERMA 23 feb 2016



The second webinar dedicated to data protection and cybersecurity in our series “Risk Conversation at Board level”
PART I – How to adapt risk governance to the changing regulatory landscape for personal data?
Good management of data is now an essential part of the business model of many organisations. But with new dependencies linked to the increased use of external hosting, collection, processing and transfer of data, it also raises heavy legal, IT and strategic challenges.

If it is no longer a purely IT or legal issue, who is required to take the strategic decisions to allocate the right resources (staff and budget)? What role is there for the Board?

Should data protection be higher on the Board agenda?

How should Board members get the right information on the specific data risks of their organisation in order to be in a position to decide?

Who will be the interface between the practical concerns and the need for strategic decisions?
Is there a role for the risk manager as the instrument to collect, consolidate and analyse the relevant information related to the data protection and cybersecurity of the organisation?

Published in: Business


  1. Speakers: Vivian Walry, Head of Banking & Finance, CMS Luxembourg; Marie Gemma Dequae, Scientific Advisor & former President of FERMA, FERMA; Thomas Koch, Information Risk Management Senior Manager, KPMG Luxembourg
  2. CMS Luxembourg - Timeline of Data Protection
     - EU - 4 November 1950: European Convention on Human Rights
     - EU - 28 January 1981: Convention 108 for the protection of individuals with regard to automatic processing of personal data
     - EU - 24 October 1995: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
     - EU - 12 July 2002: Directive 2002/58/EC, otherwise known as the E-Privacy Directive
     - EU - 27 November 2008: Framework decision 2008/909/JHA on the application of the principle of mutual recognition to judgments in criminal matters
     - EU - 2016: General Data Protection Regulation
     - Lux - 2 August 2002: Law on the Protection of Persons with regard to the Processing of Personal Data
     - Lux - 30 May 2005: Law in respect of the processing of personal data in the electronic communications sector
     - Lux - 18 July 2014: Law on cybercrime
  3. CMS Luxembourg - Timeline of Data Protection (continued). A new harmonisation for a dual purpose: ensuring that the fundamental right to personal data protection is consistently applied, and developing the digital economy. The General Data Protection Regulation will be applicable in 2018.
  4. CMS Luxembourg - Data protection in general. Main principles: fair processing and collection; data subject consent / understanding; transparency; purpose; accuracy; proportional use and storage; processing shall be either notified or authorized, except in some limited cases.
  5. CMS Luxembourg - Rights of the data subject. Current protection and what's new under the New Regulation: fair processing; right of information; rights of access and rectification; right of opposition; transparency; right to be forgotten; portability; right to compensation.
  6. CMS Luxembourg - Confidentiality and security: obligations of the data controller. Principle: implementing appropriate technical and organizational measures to protect personal data AND documenting the measures. What's new under the New Regulation: replacement of administrative formalities by a data protection impact assessment; privacy by design / privacy by default; pseudonymisation, minimisation, codes of conduct; certification mechanisms and data protection seals and marks.
  7. CMS Luxembourg - Data breach notifications. Today: a very limited "obligation": none vis-à-vis the CNPD (except telecom); none vis-à-vis the Commassu if an insurance company; an obligation vis-à-vis the CSSF if a regulated entity (Circular 11/504); none vis-à-vis the data subject (except telecom), but a "duty of care" vis-à-vis customers and third parties, hence an obligation to repair all resulting damage. Under the new Regulation: a notification obligation without undue delay vis-à-vis the data subject, and without undue delay and not later than 72 hours after having become aware of it vis-à-vis the CNPD.
  8. CMS Luxembourg - Sanctions. Today: mainly criminal sanctions (fine up to EUR 125,000 and up to 1 year in prison) and a few administrative sanctions. Under the New Regulation: administrative sanctions (fine up to 20 000 000 EUR or, in the case of an enterprise, up to 4% of its annual worldwide turnover).
  9. The General Data Protection Regulation (GDPR) from a risk governance point of view: the Data Protection Officer (DPO) and the Data Protection Impact Assessment
  10. Focus on two innovations from the GDPR
  11. The DPO and the Data Protection Impact Assessment: characteristics
  12. The DP Impact Assessment as a risk tool
  13. What interaction does the Risk Manager have with the DPO?
  14. Recommendations