GDPR RGPD AVG General Data Protection Regulation

GDPR RGPD AVG - EVO Blog, blog.evo.group/wp-content/uploads/2018/05/GDPR-evo_info... On May 4, 2016, the General Regulation was published and came into force 20 days after its publication


Page 1

GDPR RGPD AVG

General Data Protection Regulation

Page 2

Agenda

1. What is GDPR?

2. What’s new?

3. Why is it important?

4. Data Subject Rights

5. DC & DP’s Obligations

6. Principles

7. How far are we?

8. Next steps. Q&A

Page 3

1. What is GDPR?

REGULATION (EU) 2016/679, 27 APRIL 2016

In a nutshell

•  EU data subjects get control over their personal data

•  Consent, type of data, non-EU transfers, profiling are sensitive issues

•  Data Controllers & Processors must follow 9 principles and demonstrate their conformity with GDPR (document everything + data processing register)

•  Data security & data breaches are regulated

•  Big fines may apply and could endanger the survival of non-compliant players

•  Some retroactivity!

Goals & Benefits

•  Harmony: Regulation vs. Directive = one law = simplification

•  Extended protection: data protection applies to all personal data of EU citizens, even if the companies processing them are not established in the EU

•  Reinforced rights of EU citizens

•  Extended power of national control authorities

•  Re-establish trust in digital marketing

•  Market selection

•  Differentiation & marketing communication opportunity

Page 4

History

•  1995: DPD (Data Protection Directive) 95/46/EC

•  2012: Article 8 of the EU’s Charter of Fundamental Rights (26/10/2012)

•  2016: On May 4, 2016, the General Regulation was published and came into force 20 days after its publication

•  2018: Implementation of the GDPR, 25/05/2018

•  201?: e-Privacy Directive 2002/58/EC will be reviewed (privacy & electronic communication)

Page 5

A few definitions

Personal Data (FR: Donnée Personnelle)

PERSONAL DATA: Name, ID numbers, Location, IP addresses, Cookie data, Email

SENSITIVE PERSONAL DATA: Health, Genetic, Biometric, Racial & ethnic, Political opinions, Sexual orientation

Page 6

A few definitions

Data processing (FR: Traitement de données)? Any operation performed on personal data such as:

EXAMPLES OF DATA PROCESSING

•  Recording

•  Organization

•  Structuring

•  Storage

•  Adaptation or alteration

•  Retrieval

•  Consultation

•  Use

•  Disclosure by transmission

•  Dissemination or making available

•  Restriction

•  Erasure or destruction

Page 7

A few definitions

Data Controller vs. Data Processor (FR: Responsable du traitement vs. Sous-traitant)

DATA CONTROLLER: determines the purposes and means of the processing of personal data. Example: TEST ACHATS

DATA PROCESSOR: processes personal data on behalf of the controller. Example: EVO; KWANKO: sub-processor (FR: sous-traitant ultérieur)

Page 8

Territorial Scope

Principles relating to processing of personal data - This Regulation applies to the processing of personal data…

•  …by a controller or processor in the Union, regardless of whether the processing takes place in the Union or not;

•  …of data subjects who are in the Union by a controller or processor not established in the Union.

Page 9

Cross-Border Data Transfer

Protection of International Data Transfer

•  EEA (EUROPEAN ECONOMIC AREA): 28 EU countries, Iceland, Liechtenstein, Norway. Brexit!

•  ADEQUATE PROTECTION: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay. Talks are ongoing with Japan & South Korea.

•  PRIVACY SHIELD (Safe Harbor): USA. Being challenged by the European Court of Justice.

•  SPECIAL SAFEGUARDS: others, to ensure that the protection travels with the data.

Page 10

2. What’s new? « Because creating websites and activating channels is clearly not enough to guarantee the best results and the best acquisition costs! »

DPD (Directive 95/46/EC): a « template » to transpose into local legislation

•  Diverging interpretations and enforcement, depending on the location of the data controller

•  Many concepts already in place:

•  Data collection and processing

•  Data subject, personal data

•  Data controller & data processor

•  7 principles: fairness, specific purpose, restricted, accurate, destroyed when obsolete, relevant, not excessive, security of processing, automated processing

•  Data subject rights: access, rectification, erasure (for controllers only!)

GDPR (Regulation 2016/679)

•  Document procedures

•  Processing register

•  Perform risk assessments (DPIA)

•  Data breach notification (72 hours)

•  Privacy by default (data minimization)

•  Extra-territoriality

•  Non-compliance fines

•  DPO

Page 11

3. Why is it important?

Penalties: fines from the Supervising Authority (Art 83)

Article 83 outlines fines for non-compliance which can be up to (whichever is greater) 20 MILLION € or 4% of GLOBAL ANNUAL TURNOVER

January 10, 2018: publication of the law of Dec. 3, 2017 about the Privacy Commission / Commission Vie Privée / Privacycommissie

→ DPA, Data Protection Authority / APD, Autorité de Protection des Données / GBA, Gegevensbeschermingsautoriteit

Page 12

3. Why is it important?

Penalties: fines from the Supervising Authority, up to 20 million € or 4% of global annual turnover (Art 83)

Corporate image: business impact

Trials: individuals, class actions / high visibility (“haters gonna hate”)

Unexpected audits: by the Privacy Commission and/or clients

Business opportunity: brand image, reputation, trust

Page 13

4. Data Subject Rights

•  Explicit consent (Article 7)

•  Information of the data subject (Articles 11 to 14)

•  Right of access (Article 15)

•  Right to be forgotten (Article 17)

•  Right to rectification (Article 16)

•  Right to portability (Article 20)

•  Right to object (Article 21)

•  Automated decisions (Article 22)

Page 14

Example: Consent

Art. 4: must be given freely; specific and informed

Art. 7: DC must demonstrate consent; intelligible, easily accessible; using clear and plain language; right to withdraw at any time; as easy to withdraw as to give

Art. 8: child if > 16 years old; if not, consent by the parents; never below 13 years; verify age

Data controller: keep an opt-in register (time stamp, finality…)

Page 15

5. DC & DP’s Obligations

•  Responsibility & « accountability » (Article 5)

•  Privacy by design & by default (Article 25)

•  Register of processing activities (Article 30)

•  Data breach (Articles 33 & 34)

•  Security of processing (Article 32)

•  Data Privacy Impact Assessment (DPIA) (Article 35)

•  Data Protection Officer (DPO) (Articles 37 to 39)

•  Data transfers (Articles 44 to 49)

Data Processor (FR: Sous-traitant)

Data Controller (FR: Responsable de traitement)

Page 16

Chain of Responsibility Example

Page 17

6. Basic Principles

1. Lawfulness

2. Fairness

3. Transparency

4. Purpose limitation

5. Data minimization

6. Accuracy

7. Storage limitation

8. Integrity & confidentiality

9. Accountability

Page 18

7. How far are we?

Status board (Ongoing / Done / To do), deadline 25/05/2018:

•  Awareness training

•  Employment contract (FR: Contrat de travail)

•  Processing register

•  Audit / Discovery: data flow mapping

•  Gap analysis

•  Contracts analysis & modification

•  Policies & processes (data lifecycle)

•  Privacy by design & by default

•  Rule book

•  Data security assessment

•  Risk register

•  Pseudonymisation, authentication, encryption, minimisation, offline backup

•  Cyber-risk insurance

•  Data breach procedure (72h): prevent, detect, contain, respond, report

•  Data subject rights (30 days)

•  Marketing (consent, profiling, children)

•  DPIA

•  Maintenance, regular assessment, improvement

•  Privacy policy, privacy notice

•  Legal counsel

•  Opt-in register (time stamp, finality…)

•  DPO (DPD)

Page 19

8. Next steps?

Teamwork Project Mgt.: backlog / to do / done / internal workshops + review web sites, consents, contracts, rule book

Employee data: one last “HR workshop” with our legal counsel

Procedures: Say what we do (document!). Do what we say. Check. Become compliant ASAP

Continuous improvement: new projects, new clients, employee turnover, new regulations, certification, etc. DPO!

Page 20

Any Question ?

New Slack channel: news, updates, information, questions & answers

Page 21

Back-up slides

Page 22

Overview

Page 23

Compliance roadmap (FR: Mise en Conformité)