ICSA Irish Region General Data Protection Regulation event, 10 October 2017
•
2 likes•789 views
Presentation slides from the ICSA Irish Region General Data Protection Regulation event that took place on 10 October 2017.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to ICSA Irish Region General Data Protection Regulation event, 10 October 2017
Similar to ICSA Irish Region General Data Protection Regulation event, 10 October 2017 (20)
More from Institute of Chartered Secretaries and Administrators
More from Institute of Chartered Secretaries and Administrators (20)
Recently uploaded
Recently uploaded (20)
ICSA Irish Region General Data Protection Regulation event, 10 October 2017
- 1. GDPR and The Company Secretary Helen Dixon Data Protection Commissioner @DPCIreland 1 www.dataprotection.ie
- 2. 2
- 3. CLEAR RATIONALE FOR NEW DATA PROTECTION LAWS IN EUROPE Article 8 : Protection of personal data Charter of Fundamental Rights 3
- 5. 5
- 6. Revolution or Evolution ? 6
- 7. GDPR Text and EU Data Protection APP 7
- 8. 173 Recitals (not having force of law) 11 Chapters 99 Articles (having full force of law) 8
- 9. Focus of the GDPR Giving Data Subjects more control Making Data Controllers/Proce ssors more accountable Making personal data processing more transparent Reducing personal data security vulnerabilities Co-operation between Supervisory Authorities on cross-border processing 9
- 10. The 8 Principles of Data Protection Obtain and process information fairly Keep it only for one or more specified, explicit and lawful purposes Use and disclose it only in ways compatible with these purposes Keep it safe and secure Keep it accurate, complete and up- to-date Ensure that it is adequate, relevant and not excessive Retain it for no longer than is necessary for the purpose or purposes Give a copy of his/her personal data to that individual on request
- 11. Data Integrity Pseudonymisation Anonymization Cryptography Accountability Data Protection Officer Data Protection Impact Assessments Data minimisation Notification of Personal Data Breaches 11
- 12. What’s new in GDPR? Accountability – demonstrating compliance Transparency – providing information pre-processing Risk-based mandatory data breach reporting (72 hours) Strengthened ‘Consent’ obligations New and enhanced Data Subject rights Administrative Fines Data Protection Officer (DPO) for certain organisations 12
- 13. Article 24.1 “….the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” Article 24.3 “Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller” 13
- 14. Data Protection Officer (Articles 37, 38 & 39) Public Authority or Body Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale Processing on a large scale of special categories of data (Articles 9 and 10) 14
- 15. Demonstrating Accountability Privacy by Design Privacy by Default Data Protection Impact Assessment (DPIA) Codes of Conduct Certification 15
- 16. Notification to Supervising Authority Notification to Supervising Authority within 72 hours Unless “unlikely to result in a risk to the rights and freedoms of natural persons” ‘Risk’ might include, for example, a risk of identity theft or anything likely to lead to a financial loss for the data subject 16
- 17. Breach Communication to Data Subject “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” “the data controller shall communicate the personal data breach to the data subject without undue delay” ‘High Risk’ – higher threshold than report to SA 17
- 18. New and Enhanced Data Subject Rights Right to data portability Right to be informed Right to rectification Right of access Right of erasure Right to be forgotten (search engine de-indexing) Right to restrict processing Right to object to processing 18
- 19. Transparency Requirements • Identity of controller and DPO • Purpose of processing and legal basis • Recipients of the data • Data transfer arrangements • Retention period • Right of access • Right to withdraw consent • Right to lodge complaint with SA • Details of the contractual or statutory basis • Details of automated decision-making At the time when personal data are obtained provide the data subject with information on; 19
- 20. Transparency Article 12 “The controller shall take appropriate measures to provide any information……..relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child” 20
- 21. Administrative Fines Article 83 Up to €20m or 4% of global turnover for the preceding financial year 21
- 22. A Resourced and Effective Regulator 22
- 24. Q&A – Guest Panel • Helen Dixon, Data Protection Commissioner of Ireland • Denis Kelleher, Senior Legal Counsel, the Central Bank of Ireland • David Cullen, Partner and Head of Technology, William Fry
- 25. Closing Address • Ruairí Cosgrove President of the Irish Council of ICSA