This is a session given by Agnes Andersson Hammarstrand at Nordic APIs 2016 Platform Summit on October 25th, in Stockholm Sweden. Description: This spring a new EU General Data Protection Regulation was adopted to replace the current personal data legislations. Companies that break the rules risk fines of up to 4 % of the worldwide group turnover. The new regulations entail a large number of news that all companies should be informed about. Among other things, IT systems need to be adapted to privacy under the principles of privacy by design. Agnes Hammarstrand, partner at Delphi Law firm and expert within IT and online provides an introduction to the new regulations and what you need to do.

1. Agnes Andersson Hammarstrand
Partner and lawyer at Delphi Law Firm
New General Data
Protection Regulation
@IT_advokaten

2. New EU Regulation for personal
data
• Direct applicable regulation replacing the
Personal Data Directive
• Applicable for all EU companies and public
public bodies
• The new rules will apply from 25 May 2018
New General Data Protection Regulation 2

3. Sanctions
• Companies risk fines up to 20 000 000 EUR, or
up to 4 % of the total worldwide annual
turnover
• Also risk for damages, penalties, etc.
New General Data Protection Regulation 3

4. • Personal data – Any information relating to an
identified or identifiable natural person who
could be identified directly or indirectly
– Customer data, purchasing history, pictures, e-mail,
name, phone number
– Even an IP-address or a car registration number
• B2B as well as B2C – all data of individuals
• Applies to everything you do with the data
When does the law apply?
New General Data Protection Regulation 4

5. • The person who alone or together with others
determines the “purposes and means“ of the
processing of personal data
• Is always the responsible for compliance with
the law
• Thus, it is your company that is responsible that
your IT systems meet the legal requirements
(not the supplier)
• Joint responsibility
5
Controller
New General Data Protection Regulation

6. • A natural or legal person which processes
personal data on behalf of the controller
• Is always outside the controller’s organisation
• For example IT supplier
6
Processor
New General Data Protection Regulation

7. • Identify controller + processor
• In some cases both parties are each others
controllers and processors
7
Processor agreement Processor agreement
ProcessorController
Individual
New General Data Protection Regulation

8. Is the
processing
legal?
Fundamental
principles to
comply with,
e.g. sorting out,
time
Requirements
for sensitive
data
Information to
the data subject
(privacy policy)
Security,
routines for
data portability,
etc.
Agreements,
documentation,
routines etc..
Prohibition
for trans-
ferring to
third
countries
New General Data Protection Regulation
”Integrity stairs”
8

9. When is processing permitted?
• Data shall only be processed as far as it is
necessary for compliance with the legal
purpose of the processing
• Processing is lawful only when
1. Necessary for the performance of a contract to
which the data subject is party
2. Necessary for compliance with a legal obligation
3. Necessary in order to protect the vital interests of
the data subject
4. Necessary for the performance of a task carried
out in the public interest or
5. Legitimate interests when not overridden by the
interests of the individual
6. Informed consent
New General Data Protection Regulation 9

10. • What is the purpose of the specific processing?
• Legal basis according to the regulation?
– Legal obligation to carry out the processing
– Performance of a task carried out in the public
interest or in the exercise of official authority
– Requirement due to agreement with the data
subject
– Balance of interests
• Otherwise consent needed!
– Is the consent a reasonable and proportionate
measure or should we refrain from carry out the
processing?
– How do we collect consent?
New General Data Protection Regulation
Legal assessment
10

11. • What is necessary for e.g. performance of a
contract or a legal obligation?
• NOTE!
– Minimization of purpose - data may never be
processed for a purpose other than that for which
it was collected.
– Minimization of data - the data should be
adequate, relevant and limited to what is
necessary for the purposes for which they are
processed.
– Minimization of storage – data must not kept
longer than necessary.
Necessary in order to…
New General Data Protection Regulation 11

12. • The controller shall implement appropriate
technical and organisational measures to
ensure an appropriate level of safety for the
data that is being processed
• These measures shall provide a level of security
that is appropriate with regard to
– The latest developments
– Implementation costs
– The nature of the processing, context, purpose
– The risks
• Code of conduct
12
Security requirement
New General Data Protection Regulation

13. 13
Security
requirements
Technical measures
Organisational measures
Antivirus,
authorisation
requirements, access
control
Firewall and encryption
features, etc.
Instructions and
Polices
Organisation and
routines
Sensitive data
Privacy
Special requirements
Information of offense
etc.
Security level in
relation to risk
New General Data Protection Regulation
Procedure for
continuous testing

14. • ”Data protection by design”
• Data minimisation
• Aspects regarding safety and privacy must be
taken into consideration when planning and
developing IT systems
• The data controller shall decide the
requirements = increased requirements on IT
Procurement
• Avoid free text fields, access control, default
storage settings etc.
• The Commission may adopt implementing acts
regarding the interpretation and technical
standards
14
Privacy by design
New General Data Protection Regulation

15. • Data minimisation
• Anonymity if possible, avoid pointing out
individuals
• Restrict access to data
• High security
– Possibilities for encryption, backup and log, secure
erasure
• Functions for authensation and access control
• Mechanisms for sorting out and erase data that is
not needed
• Permit the omission of information to data
subjects
• Minimize free text fields
New General Data Protection Regulation 15
Privacy by design – how?

16. • Notify the ”personal data breach” without
undue delay
• Notify the supervisory authority
– General rule: not later than 72 hours after having
become aware of it
• Notify every data subject
– If it is likely to result in a high risk to the rights and
freedoms of natural persons;
– Exception, e.g. if there is a system to prove that the
”lost” data has been made unintelligible to
unauthorised, such as encryption;
– Disproportionate effort: Instead public
communication.
• Organisations need to strengthen their security
measures
New General Data Protection Regulation 16
Information requirements at
personal data breach

17. Many other news….
New General Data Protection Regulation 17

18. What does this mean in practice?
• Privacy is a question for top management
• More important to comply with the law
• Increased focus on preventive action
• Budget for privacy is necessary
New General Data Protection Regulation 18

19. New General Data Protection Regulation 19
•Is the processing legal, how is it done today? Legal basis/purpose of the processing is done
(records available)? Documentation of processing, etc.Legal investigation
•Internal privacy policy for processing, Processor agreement, Information to individuals
(privacy policy), necessary consent texts, template for dokumentation of data protection
impact assessment, dokumentation/agreement for transferring to third countries , etc.
Legal documents/
policys
•Security requirement, privacy by design, access control, authentication, encryption
requirements, etc.Technical measures
•Data protection officer, responsibility of systems and routines, reporting scheme etc.Organisation
•Information disclosure, document consents, checklists, records of processing, procedures for
notification of personal data incident, the impact assessment for new treatment procedures,
routines for procurement, etc.
Organisational
measures - routines

20. • Budget and plan carefully
• Creating awareness internally about the new
rules
• Investigate current situation
• Engage people with different competence and
background
• Compliance project
– Ensure that the processing is lawful
– Set responsibility and organisation
– Legal documents, agreements and policies
– IT measures
– Organisational measures
20
How can we prepare?
New General Data Protection Regulation

21. Agnes Andersson Hammarstrand / Partner, Attorney
Phone: +46 (0)31 10 72 19
Mobile: +46 (0)730 83 50 70
agnes.hammarstrand@delphi.se
@IT_advokaten
Advokatfirman Delphi
Östra Hamngatan 29, 411 10 Göteborg, Sweden
+ 46 (0)31 10 72 00 Fax +46 (0)31 13 94 69 www.delphi.se
New General Data Protection Regulation 21