1. Auditing your EU entities for data protection compliance
   Robert Bond, Head of Data Protection & Information Law
   James Castro-Edwards, Senior Solicitor in Data Protection & Information Law

2. Our team
   - We are a full service law firm providing local and international services to a diverse range of clients
   - Our three Client Divisions are Business Services, Real Estate Engineering & Construction and Private Client
   - Our Data Protection & Information Law team provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches
   - We are listed in Chambers 2009 as a leading law firm for Data Protection and have advised on this area of law since 1983

3. Topics
   - Overview of the Directive (95/46/EC)
   - Notification/registration procedures
   - Key definitions
   - The eight data protection principles
   - What should the audit achieve?
   - Analysing entities and their roles as controller or processor
   - Auditing data and data flows: what and where
   - Auditing online and offline data processing
   - Auditing policies and procedures
   - Auditing contracts

4. Polling questions
   - Has your company appointed a CPO or DPO?
   - Has your company carried out an EU data protection compliance audit in the past year?
   - Does your company plan to carry out such an audit in 2011?

5. The Directive
   - The EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy of EU citizens and all personal data collected for or about them, especially as it relates to processing, using, or exchanging such data. Directive 95/46/EC encompasses all key elements of Article 8 of the European Convention on Human Rights, which states its intention to respect the right to privacy in personal and family life, as well as in the home and in personal correspondence.

6. Notification with the EU DPAs
   - Some countries do not require notification if you have a DPO (Germany)
   - Some require it in limited circumstances (UK)
   - Most require it before personal data can be processed at all (France, Italy, Poland and Spain)
   - Some require annual notifications and audits (Italy, UK)
   - Some countries have sophisticated online procedures (UK)
   - Some countries charge a fee (UK, Belgium, Ireland)
   - Some DPAs have searchable websites to check on notifications (UK)

7. Personal data
   - Data which relate to a living individual who can be identified:
     - from such data, or
     - from such data and other information which is, or is likely to be, in the possession of the data controller
   - and which are in electronic form or held manually in a relevant filing system

8. Sensitive personal data
   - Personal data consisting of information on:
     - racial or ethnic origin
     - political opinions
     - religious or similar beliefs
     - trade union details
     - health data
     - sexual life data
     - offences or alleged offences
     - court proceedings

9. Controller or Processor?
   - A "data controller" is a person or organization that (alone or with others) determines the purposes for which and the manner in which personal data will be processed
   - A "data processor" is any person or organization (other than an employee of the data controller) who processes personal data on behalf of the data controller

10. The Eight Data Protection Principles
    1. Data must be fairly and lawfully processed with the consent of the individual
    2. Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose
    3. Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected
    4. Data must be accurate and, where necessary, kept up to date
    5. Data must not be kept longer than necessary
    6. Data must be processed in accordance with the rights of data subjects under the Directive (right to inspect and correct data)
    7. Security measures must be taken against unauthorized or unlawful processing, and against accidental loss, destruction, or damage of data
    8. Data must not be transferred outside the EEA unless the recipient country provides adequate data protection

11. Data Protection: personal data shall be processed fairly and lawfully
    - Consent (but not always)
    - Explicit consent (always) for sensitive personal data
    - To get their data you have to give them information!

12. Data Protection
    - Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose
      - A "fair processing" statement is needed
      - It needs to be clear and readily available
      - Layered, transparent policies are preferred
      - It should be kept up to date

13. Data Protection
    - Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected
    - Data must be accurate and, where necessary, kept up to date
    - Data must not be kept longer than necessary
      - Several DPAs have ruled that whistleblower systems breach these
      - Several DPAs have ruled that search engines and monitoring policies breach these
      - Regular audits are necessary
      - Data retention and destruction policies are required

14. Data Protection
    - Data must be processed in accordance with the rights of data subjects under the Directive (right to inspect and correct data)
      - Subject access requests
      - How "personal" does data have to be?
      - Does all personal data have to be "disclosed"?
      - Right to be forgotten

15. The Seventh Principle
    - Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    - Consider:
      - Sensitivity of information
      - Consequences of breach
      - Remote access
      - Outsourcing

16. EU Restrictions on International Data Transfers
    - Personal data may not be transferred from a blue or green country to a red country without "adequate protection"

17. Does the "third country" ensure an adequate level of protection?
    - Only Switzerland, Canada, Argentina, Isle of Man, Jersey, Faroe Islands, Guernsey and recently Andorra and Israel have adopted "adequate" data protection laws in the opinion of the EU
    - The U.S. Safe Harbor also provides an "adequate" level of protection

18. Have the Parties Themselves Assured Adequate Protection?
    - There are contractual solutions that are deemed "adequate" under European data protection laws: the parties must enter into a "trans-border data flow agreement" that incorporates either model clauses promulgated by the European Commission, or clauses proposed by the ICC and approved by the European Commission.
    - A second solution, Binding Corporate Rules (BCR), has been approved by up to 14 member states in the EU.

19. What should the audit achieve?
    - "A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation's data protection policies and procedures, and whether this processing meets the requirements of the [law]." (UK Information Commissioner's Office)
    - Assess compliance with the law
    - Assess compliance with entities' own policies and procedures
    - Assess gaps and weaknesses
    - Provide information to ensure compliance
    - Ensure awareness
    - Minimise risk

20. Analysing entities and their roles
    - Establish names and locations of all entities
    - Establish whether they are controllers or processors
    - Establish types of data and systems used
    - Establish data subjects and data recipients
    - Establish points of collection of data
    - Audit notifications/registrations

21. Analysing fair processing and policies
    - Audit methods of data collection and consents
    - Audit websites and terms of use
    - Audit business codes of conduct and policies
    - Audit contracts of employment and staff manuals
    - Audit staff knowledge and training
    - Audit appointments of CPO/DPO

22. Contracts and Codes
    - Audit trans-border data flow solutions
    - Audit 3rd party processor contracts
    - Audit permissions from DPAs
    - Ensure all policies and procedures comply with local laws
    - Monitor ongoing changes to company structures, data handling practices and notifications

23. Benefits of a compliance audit
    - Facilitates compliance with the law
    - Measures and helps improve compliance with policies
    - Increases awareness amongst staff and management
    - Elevates data protection to a key part of corporate governance
    - Minimises risk
    - Satisfies insurance requirements
    - Improves trust and customer satisfaction

24. Further Information
    - Construction & Engineering
    - 1 November 2006
    For more information on our services, please contact:
    Robert Bond, Partner, IP, Technology & Commercial
    +44 (0)20 7427 6660
    [email_address]
    www.speechlys.com