9. Focus of the GDPR
• Giving Data Subjects more control
• Making Data Controllers/Processors more accountable
• Making personal data processing more transparent
• Reducing personal data security vulnerabilities
• Co-operation between Supervisory Authorities on cross-border processing
10. The 8 Principles of Data Protection
• Obtain and process information fairly
• Keep it only for one or more specified, explicit and lawful purposes
• Use and disclose it only in ways compatible with these purposes
• Keep it safe and secure
• Keep it accurate, complete and up-to-date
• Ensure that it is adequate, relevant and not excessive
• Retain it for no longer than is necessary for the purpose or purposes
• Give a copy of his/her personal data to that individual on request
12. What’s new in GDPR?
• Accountability – demonstrating compliance
• Transparency – providing information pre-processing
• Risk-based mandatory data breach reporting (72 hours)
• Strengthened ‘Consent’ obligations
• New and enhanced Data Subject rights
• Administrative Fines
• Data Protection Officer (DPO) for certain organisations
13. Article 24.1
“….the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”

Article 24.3
“Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller”
14. Data Protection Officer (Articles 37, 38 & 39)
A DPO is required where the controller or processor is:
• A Public Authority or Body
• An organisation whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
• An organisation whose core activities consist of processing on a large scale of special categories of data (Articles 9 and 10)
16. Notification to Supervisory Authority
• Notification to the Supervisory Authority within 72 hours of becoming aware of the breach
• Unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”
• ‘Risk’ might include, for example, a risk of identity theft or anything likely to lead to a financial loss for the data subject
17. Breach Communication to Data Subject
“when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” … “the data controller shall communicate the personal data breach to the data subject without undue delay”

‘High risk’ is a higher threshold than the ‘risk’ threshold that triggers a report to the Supervisory Authority, so a breach may be notifiable to the SA without being notifiable to the data subjects.
18. New and Enhanced Data Subject Rights
Right to data portability
Right to be informed
Right to rectification
Right of access
Right to erasure
Right to be forgotten (search engine de-indexing)
Right to restrict processing
Right to object to processing
19. Transparency Requirements
At the time when personal data are obtained, provide the data subject with information on:
• Identity of controller and DPO
• Purpose of processing and legal basis
• Recipients of the data
• Data transfer arrangements
• Retention period
• Right of access
• Right to withdraw consent
• Right to lodge complaint with SA
• Details of the contractual or statutory basis
• Details of automated decision-making
20. Transparency
Article 12
“The controller shall take appropriate measures to provide any information……..relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”
24. Q&A – Guest Panel
• Helen Dixon, Data Protection Commissioner of Ireland
• Denis Kelleher, Senior Legal Counsel, the Central Bank of Ireland
• David Cullen, Partner and Head of Technology, William Fry