Niall Rooney FD Event 05.09.19

Sep. 6, 2019

  1. GDPR Update for Irish Food & Drink Businesses
     Niall Rooney, 05.09.2019
     This presentation is for general information only and is not intended to provide legal advice.

  2. General Data Protection Regulation (GDPR)
     • EU Regulation
     • Effective from 25 May 2018 after a two-year transition period
     • Data Protection Act 2018
       - Compliance obligations for businesses and organisations
       - “Accountability”
       - Stronger data subject rights for individuals
       - Right to lodge a complaint and take legal action
       - Increased powers and sanctions of the Data Protection Commission

  3. GDPR scope: ‘processing’ of ‘personal data’
     • ‘processing’: anything you can do with or to personal data, electronically or in manual records, e.g. collecting, using, retaining, amending, sharing, deleting…
     • ‘personal data’: any information relating to an identified or identifiable living person
       - special category data: racial or ethnic origin; political opinions, religious beliefs; trade union membership; genetic data; biometric data; data concerning health; data concerning a person's sex life or sexual orientation
       - criminal offence data

  4. The Data Protection Principles (A 5)
     a) You must process personal data lawfully, fairly and transparently
     b) You must collect personal data for specified purposes, and not use it for incompatible purposes
     c) The personal data must be limited to what is necessary for the purposes
     d) You must keep personal data accurate, and up to date if necessary
     e) You must not keep personal data for any longer than is necessary for the purposes
     f) You must ensure security of the personal data, including confidentiality, integrity and availability
     You (the data controller) are responsible for complying with the principles, and you have to be able to demonstrate your compliance.

  5. What does GDPR “compliance” look like?
     1. Maintain a Record of Processing Activities containing specified information (A 30)
     2. Provide individuals with Privacy Notices containing mandatory information (A 13-14)
     3. Appoint a Data Protection Officer, if required (A 37)
     4. Technical and organisational measures to ensure and demonstrate compliance (A 5, 24)
     5. Data security measures appropriate to the risks (A 32)
     6. Facilitate the exercise of data subject rights (A 12, 15-22)
     7. Record and report personal data breaches (A 33-34)
     8. Contracts with data processors (third parties processing on your behalf) (A 28)
     9. International data transfer safeguards, unless adequacy applies (A 44-47)
     10. Data protection by design and by default approach (A 25)
     11. Data Protection Impact Assessment (DPIA) prior to likely high-risk processing (A 35-36)
     12. Joint controller arrangement, if relevant (A 26)

  6. Data Security & Personal Data Breaches
     • Ensure appropriate security of personal data (A 5)
     • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks of processing (A 32)
     • Identify, report and notify personal data breaches (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed”)
       - Notify the breach to the DPC within 72 hours of becoming aware of it if the breach is likely to result in a risk to individuals (A 33)
       - Communicate the breach to affected individuals without undue delay if the breach is likely to result in a high risk to individuals * (A 34)
       - The data controller must document every personal data breach, including the facts, effects, and remedial actions taken (A 33(5))

  7. Data Subject Rights
     Individuals have rights in relation to their personal data:
     • The right to be informed (Privacy Notice)
     • The right of access (Subject Access Request)
     • The right to erasure (‘right to be forgotten’)
     • The right to object to certain processing
     • The right to rectification (correction)
     • The right to restrict processing
     • The right to data portability
     • Rights in relation to automated decision making and profiling
     • The data controller must facilitate the exercise of data subject rights, and must be able to demonstrate its compliance in this regard…

  8. Right of Access (SAR)
     • Individuals have the right to get information about how their personal data is being processed and to obtain a copy of the personal data
     • No formality requirements, and the requester's motive is irrelevant
     • The data controller has one month to respond (may extend by two months where requests are complex or numerous)
     • No fee or refusal allowed (unless manifestly unfounded or excessive)
     • Limited restrictions, including where disclosure of personal data concerning the requester would adversely affect the rights and freedoms of others
     • The data controller must provide the personal data to the requester securely
     • The data controller must be able to demonstrate compliance

  9. Third Parties
     1. Data Controller + Data Processor
        - Third party processing personal data on the data controller’s behalf
        - GDPR due diligence
        - Written contract with mandatory terms (A 28)
        - Liability issues
     2. Joint Controllers
        - Jointly decide the purposes and means of processing of personal data
        - “Arrangement” setting out respective GDPR responsibilities (A 26)
     3. Data Controller + Data Controller
        - Disclosure or sharing of personal data to or between independent parties
        - Separate compliance responsibilities as separate data controllers
        - Data Sharing Agreement is recommended
     4. Third Party Data Request
        - Usually from a law enforcement body
        - Section 41 Data Protection Act 2018: disclosure is “necessary and proportionate” for purposes specified in the section, e.g. detecting, investigating or prosecuting criminal offences
        - No obligation to comply with a S41 request; the data controller bears the risk.

  10. International Data Transfers
     Transfer of personal data to a country outside the EEA is prohibited unless either:
     1. The country is the subject of a European Commission adequacy decision
        • includes AR, CA*, IL, IOM, JP*, JE, NZ, CH, UY
        • EU-US Privacy Shield*
     2. Appropriate safeguards are provided
        • Standard Contractual Clauses; or
        • Binding Corporate Rules (BCRs)
     3. An Article 49 GDPR specific derogation applies (caution…)
     See:
     https://www.dataprotection.ie/en/organisations/international-transfers
     https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en

  11. ‘No-Deal’ Brexit preparation tips
     • Even if the UK can qualify for adequacy, this will not be in place on exit day, and it would take some time to negotiate…
     • When the UK leaves the EU, transfer of personal data from Ireland to the UK will be prohibited unless you have safeguards in place, such as Standard Contractual Clauses (until there’s a Commission adequacy decision, if that happens).
       - Review data flows and identify where you transfer personal data to NI and GB
       - Prepare to put SCC contracts in place to ensure that personal data can continue to flow once the UK is outside the EU
       - Review your Privacy Notices and internal compliance documentation to identify what will need updating when the UK leaves the EU
       - Make sure key people in your business are aware of the issues and risks
       - Stay up to date on developments; monitor DPC and ICO website updates

  12. Questions?
     FP Logue Solicitors
     Data Protection, Privacy & Information Law
     01 531 3510 | info@fplogue.com | www.fplogue.com