Data breaches, privacy programs and what will change for processors, Tobias Bräutigam, Bird & Bird Exove and Bird & Bird seminar on Nov 23rd 2016: "GDPR - Practical Effects on Digital Business - juridical, technical, and customer point of view"

1. Exove
Tietoturvaloukkaukset,
yksityisyydensuojan parantaminen ja
GDPR:n tuomat muutokset
henkilötietojen käsittelijöille
Tobias Bräutigam, Counsel

2. Agenda
1. Rights for individuals
2. Controller/Processor Role based examples
of obligations
3. Data Breach
Page 2

3. Rights of individuals

4. New rights for individuals?
Page 4
Article What is it about New?
13/14 Transparency, right to be informed More details
15 Access to personal data Clarification, more detail
16 Rectification of inaccurate data Old
17 Right to be forgotten Not so new like you think
18 Right to restrict processing Clarification, more detail
20 Data portability New
21 Automated decision making More detail, larger scope

5. Page 5
Much ado about nothing?
1. Fines from authorities for the violation of rights
• 4%, i.e. higher level
2. Enforcement via private action, Article 79
• Also "non-material" damage is covered, Article 82
3. Can be delegated
• Consumer organizations will take care of it
Summary
• As such relatively small changes, modifications, clarifications
• Enforcement: Huge change

6. What does the GDPR mean for processors?

7. Your
Company
General
obligations
(authorities)
As a processor
Towards data
subjects
As a
controller

8. Page 8
Processor's new obligations
Assisting controllers
● Only act on the controller's documented instructions;
● Assisting the Controller for responding to requests from data subjects for:
access, rectification, suppression, limitation, objection, portability of data
● Return or delete personal data upon Controller's choice at the end of
services
● Assisting the controller to notify security breaches, implement DPIAs,
provide information
● Contribute to audits, including directly made by the Controller
● Mandatory contract clauses
Own responsibility
● List of technical and organizational measures
● Processor's staff must be bound by confidentiality obligations
● Compliance with international data transfers

9. Page 9
Key action items as a processor
Build your privacy program
● Hire a privacy officer where needed
● Define security measures, processes and
responsibilties
Indemnity and liability
● Push back on indemnities (strict liability)
● Push back on unlimited liability clauses, tie to
negligence
Define the lines of responsibilities
● Only process based on instructions and GDPR

10. Data Breach Notification

11. Page 11
Article 33
In the case of a personal data breach,
the controller shall without undue delay
and, where feasible, not later than 72
hours after having become aware of it,
notify the personal data breach to the
supervisory authority […], unless the
personal data breach is unlikely to
result in a risk to the rights and
freedoms of natural persons.

12. What amounts to a ‘breach’ under the new
rules and to whom the regime applies?
Page 12
● Relevant provisions in the GDPR can be found in:
• Recitals: 73, 85-88
• Articles: 4, 33, 34, 66 and 83
● The regime applies to data controllers but indirectly also to
their processors
● The GDPR refers to "a breach of security leading to the
accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed"
● It’s important to note that the wilful destruction or alteration of
data is as much a breach as theft

13. Practical scenarios for your organisation to
consider
Page 13
Breach?
Four laptops containing 5,000 employee records are stolen from
the HR department…
A flash drive containing 5,000 customer records is forgotten in a
bus and never retrieved. There is no evidence that customer
records were compromised.
An employee has given to a third party the login and password
for an account with global access read only right to the client
database. Logs evidence use of the account by this third party.
A rogue employee supresses all contact details provided in the
consumer records of his organisation before resigning.

14. Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the
Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird
LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
twobirds.com
Thank you

15. Page 15
Demonstrate compliance with the GDPR's principles
● Implement appropriate security policies and measures
● Privacy impact assessment and prior consultation (when applicable)
● Adopt certain "data protection by design" measures
● Record of all processing activities
● Undertake audits
● Adherence to approved codes of conduct and certifications
● Implement Privacy Policies
● Appropriate staffing (e.g. data protection officer)
● Staff training programs
General obligations

16. Page 16
Work on your privacy program
● Audit your privacy practices (use self-assessments
and interviews)
● Start designing governance and risk management
elements first
● Decide which IT-systems need to be improved to
close gaps (e.g. consumer dash-board)
● Improve privacy processes like subcontractor
management, data subject access, partnering
Key action items for general compliance

17. Page 17
Transparency
● General privacy policy must mention specific information, such as
legal basis, data retention, contact details of DP officer etc.
● Specific notices where needed, e.g. information about the right to
withdraw consent
Legitimacy of processing
● Most data processing is *not* based on consent!
● Performance of a contract or legitimate interest (e.g. Marketing to
employees of corporate subscribers)
● Where consent is the only option, systems must be ready for
withdrawal of consent
Honouring data subject rights
● Access, rectification, limitation, objection, portability of data
● If acting as a processor, Exove must assist the controller fulfilling
those rights
Obligations towards data subjects
(for example: corporate subscribers and consumers)

18. Page 18
Define reason for processing for each major process
● Legitimate interest, consent or contract?
Review privacy notices
● Follow list in Articles 13/14 GDPR
Design access and deletion process of data subjects
● This includes appropriate IT systems and training of staff
● Draft/update template responses
Key action items: compliance towards data
subjects

19. Page 19
Managing processors
● Review and update all data processing agreements
● Instruct processors and follow up (audit)
Accountability
● Keep records of all processing activities
● Appointment of DPO (if applicable)
● Map data transfer and compliance
● Staff training programs and collection of metrics
General obligations
● Implement appropriate technical and organizational security
measures (incl. policies)
● Privacy by design and default
● Reply to data subject requests
Obligations as a controller

20. Page 20
Cover your own base (=> see also above
● Look for certification on technical and organizational matters
● Follow guidance of authorities
Insist of DPA covering a minimum amount of rules on
● Type/categories of PD processed, purpose, duration
● Appropriate tech and org measures e.g. encryption &
pseudonymisation
● Breach notification assistance
● Permit and "contribute" to compliance audits
● Sub-contracting flow down commitments
Provide instructions to the processor
● Best done via policies/standards that are regularly updated +
statement of works
Key action items as a controller

21. Lawfulness of processing
Consent & Legitimate interests

22. Page 22
Lawfulness of processing
Processing only lawful if:
● Data subject has given consent
● Necessary for the performance of contract or to take steps prior
to entering into a contract
● Necessary to protect vital interests of data subject
● Necessary for legitimate interests of controller or 3rd party
MS are allowed to
maintain or introduce
national provisions to
further specify the
application of these rules
(Recital 8)
● Necessary for compliance with legal
obligation to which the controller is subject
● Necessary for task carried out in the public
interest or exercise of official authority

23. Page 23
Consent strengthened under GDPR
NEW
● Consent must be
• actively given
• separable from other written agreements
• clearly presented
• as easily revoked as given
● Additional requirements include an effective prohibition on
"bundled" consents and the offering of services which are
contingent on consent to processing
● Where consent is relied on controllers should be able to
demonstrate that consent was given by the data subject to the
processing

24. Page 24
It will be even harder to rely on consent
● A clear, affirmative action
● A written, electronic or oral statement
• Ticking box on website
• Choosing technical settings
• Other statement or conduct
● Consent is NOT
• Silence (implied)
• Pre-ticked boxes
● Consent must be given (and demonstrated to have been given)
for all purposes of the processing
Consent will be a very difficult basis to rely on
© Bird & Bird LLP 2016

25. Page 25
Lawfulness of processing (4)
Legitimate interests
Article 7(f) DPD Article 6(1)(f) GDPR
processing is necessary for the
purposes of the legitimate interests
pursued by the controller or by the
third party or parties to whom the data
are disclosed, except where such
interests are overridden by the
interests for fundamental rights and
freedoms of the data subject which
require protection under Article 1 (1).
processing is necessary for the purposes of the
legitimate interests pursued by the controller or
by a third party, except where such interests are
overridden by the interests or fundamental rights
and freedoms of the data subject which require
protection of personal data, in particular where
the data subject is a child. This shall not apply to
processing carried out by public authorities in the
performance of their tasks.
Consent becomes rather
difficult to achieve &
demonstrate
Other grounds for
processingrelativelynarrow
Legitimate interests likely to
become one of the most
important grounds

26. Page 26
Legitimate interests
● NEW Controllers that rely on "legitimate
interests" should maintain a record of the
assessment to demonstrate that they have
given proper consideration to the rights and
freedoms of data subjects
● NEW When relying on "legitimate interests":
must be set out in the information notices
● Recommendation: perform risk assessment
and documentation
Examples
● Processing for direct marketing
purposes or preventing fraud
● Transmission of personal data
within a group of undertakings for
internal administrative purposes,
including client and employee data
● Processing for the purposes of
ensuring network and information
security, including preventing
unauthorised access to e-
communications networks and
stopping damage to computer and
e-communication systems
● Reporting possible criminal acts or
threats to public security to a
competent authority