What is the new data protection regulation GDPR and why should you care? by Jesper Nevalainen, Bird & Bird
Exove and Bird & Bird seminar on Nov 23rd 2016: "GDPR - Practical Effects on Digital Business - juridical, technical, and customer point of view"
1. Exove
What is the EU's new data protection regulation, the GDPR, and why is it worth preparing for it in time?
Jesper Nevalainen, Partner
2. New Data Protection Landscape in Europe
• After over four years of negotiations, the new EU data protection framework has finally been adopted
• Two-year transition period; the GDPR applies from 25 May 2018
• The GDPR replaces the national laws and regulations based on the EU Data Protection Directive (95/46/EC)
• The GDPR is directly applicable in each Member State and will lead to a greater degree of data protection harmonisation across the EU; nonetheless, Member States have retained significant rights to legislate in certain areas
3. GDPR overview - Key changes
Controllers and processors
• Accountability
• Demonstrating compliance
• Increased documentation obligations
• Risk-based approach
• Privacy by design and by default
• Data Protection Impact Assessment and prior consultation where risk is high
• Data Protection Officers
• New breach reporting obligations
• Detailed prescription of what must be included in outsourcing (processor) contracts
Member States
• Significant scope for derogations at Member State level
Data subjects
• More extensive data subject rights
• Restriction
• Erasure
• Portability
• "Profiling"
• Changing consent requirements (including in relation to children)
Supervisory authority
• New enforcement architecture
• One-stop-shop
• EDPB (European Data Protection Board)
• The stakes will be raised!
• Fines of up to €20,000,000 or 4% of annual worldwide turnover, whichever is higher
4. The answer to this problem
Many companies, a growing amount of data, lots of resources
Authorities: few resources
1. Risk-based approach
2. Pushing responsibility to controllers/processors
5. Risk-based approach under the GDPR
● Core concept: Accountability
● "Risk" is mentioned 75 times in the regulation
● Risk = risk to the rights and freedoms of individuals = legal risk
● Examples:
• Recital 74: "appropriate and effective measures"
• Articles 24, 32: technical and organisational measures appropriate to the risk
• Article 25: data protection by design and by default, according to the risks involved
• Articles 33, 34: notifications in data breach situations, depending on the risk
• Article 35: Data Protection Impact Assessment (DPIA)
• Article 39(2): tasks of the DPO
6. Elements of a Privacy Program
Governance
Risk Management
• Documentation
• Privacy Engineering (PbD)
• Data Protection Impact Assessments
• Appropriate Security Measures
Internal Instructions
• Internal Policies (high level)
• Guidelines & Instructions
• Privacy Requirements
• Training and Awareness
Privacy Processes
• Incident Management
• Subcontractor Management
• International Data Transfers
• Law Enforcement Access
• Data Subject Access & Complaint Management
External Communication
• Privacy policy
• Specific notifications (e.g. description of files)
• Notifications to authorities