GDPR RGPD AVG
General Data Protection Regulation
Agenda
1. What is GDPR?
2. What’s new?
3. Why is it important?
4. Data Subject Rights
5. DC & DP’s Obligations
6. Principles
7. How far are we?
8. Next steps. Q&A
• EU Data subjects get control over their personal data
• Consent, type of data, non-EU transfers, profiling are sensitive issues
• Data Controllers & Processors must follow 9 principles and demonstrate their conformity with GDPR (document everything + data processing register)
• Data Security & Data breach are regulated
• Big fines may apply and could endanger the survival of non-compliant players
• Some retroactivity!
1. What is GDPR? REGULATION (EU) 2016/679
27 APRIL 2016
In a nutshell
• Harmony: Regulation vs. Directive = one law = simplification
• Extended protection: data protection applies to all personal data of EU citizens, even if the companies processing them are not established in the EU
• Reinforced rights of EU citizens
• Extended power of national control authorities
• Re-establish trust in digital marketing
• Market selection
• Differentiation & marketing communication opportunity
Goals & Benefits
History
• 1995: DPD (Data Protection Directive) 95/46/EC
• 2012: Article 8 of the EU’s Charter of Fundamental Rights (26/10/2012)
• 2016: On May 4, 2016, the General Regulation was published and came into force 20 days after its publication
• 2018: Implementation of the GDPR on 25/05/2018
• 201?: e-Privacy Directive 2002/58/CE will be reviewed (privacy & electronic communication)
Personal Data (French: Donnée Personnelle)
PERSONAL DATA: Name, ID numbers, Location, IP addresses, Cookie data, Email
SENSITIVE PERSONAL DATA: Health, Genetic, Biometric, Racial & ethnic origin, Political opinions, Sexual orientation
A few definitions
Data processing (French: Traitement de données): any operation performed on personal data, such as:
EXAMPLES OF DATA PROCESSING
• Recording
• Organization
• Structuring
• Storage
• Adaptation or alteration
• Retrieval
• Consultation
• Use
• Disclosure by transmission
• Dissemination or making available
• Restriction
• Erasure or destruction
A few definitions
Data Controller vs. Data Processor (French: Responsable du traitement vs. Sous-traitant)
DATA CONTROLLER: determines the purposes and means of the processing of personal data. Example: TEST ACHATS
DATA PROCESSOR: processes personal data on behalf of the controller. Example: EVO; KWANKO (sub-processor)
Territorial Scope
This Regulation applies to the processing of personal data…
• …by a controller or processor in the Union, regardless of whether the processing takes place in the Union or not;
• …of data subjects who are in the Union, by a controller or processor not established in the Union.
(Principles relating to processing of personal data)
Cross-Border Data Transfer: Protection of International Data Transfer
• EEA (EUROPEAN ECONOMIC AREA): 28 EU countries, Iceland, Liechtenstein, Norway. Brexit!
• ADEQUATE PROTECTION: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay. Talks are ongoing with Japan & South Korea.
• PRIVACY SHIELD (Safe Harbor): USA. Being challenged by the European Court of Justice.
• SPECIAL SAFEGUARDS: Others, to ensure that the protection travels with the data.
2. What’s new?
« Because creating websites and activating channels is clearly not enough to guarantee the best results and the best acquisition costs! »
DPD (Directive 95/46/EC): a « template » to transpose into local legislation
• Diverging interpretations and enforcement, depending on the location of the data controller
• Many concepts are already in place:
  • Data collection and processing
  • Data subject, personal data
  • Data controller & data processor
  • 7 principles: fairness, specific purpose, restricted, accurate, destroyed when obsolete, relevant, not excessive, security of processing, automated processing
• Data subject rights: access, rectification, erasure (for controllers only!)
GDPR (Regulation 2016/679)
• Document procedures
• Processing register
• Perform risk assessments (DPIA)
• Data breach notification (72 hours)
• Privacy by default (data minimization)
• Extra-territoriality
• Non-compliance fines
• DPO
3. Why is it important?
Penalties: fines from the Supervising Authority (Art 83)
Article 83 outlines fines for non-compliance, which can be up to 20 MILLION € or 4% of GLOBAL ANNUAL TURNOVER, whichever is greater.
January 10, 2018: publication of the law of Dec. 3, 2017 about the Privacy Commission (Commission Vie Privée / Privacycommissie)
→ DPA, Data Protection Authority / APD, Autorité de Protection des Données / GBA, Gegevensbeschermingsautoriteit
3. Why is it important?
Penalties: fines from the Supervising Authority, up to 20 million € or 4% of global annual turnover (Art 83)
Corporate image: business impact
Trials: individuals, class actions / high visibility (“haters gonna hate”)
Unexpected audits: by the Privacy Commission and/or clients
Business opportunity: brand image, reputation, trust
4. Data Subject Rights
• Explicit consent: Article 7
• Information to the data subject: Articles 11 to 14
• Right of access: Article 15
• Right to be forgotten: Article 17
• Right to rectification: Article 16
• Right to portability: Article 20
• Right to object: Article 21
• Automated decisions: Article 22
Example: Consent
• Art. 4: must be given freely, specific and informed
• Art. 7: the DC must demonstrate consent; intelligible, easily accessible, using clear and plain language; right to withdraw at any time; as easy to withdraw as to give
• Art. 8: children can consent themselves if > 16 years old; if not, consent by the parents; never below 13 years; verify age
Data controller: keep an opt-in register (time stamp, finality…)
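As an added illustration (not part of the slides), a minimal opt-in register in Python that records consent per purpose with a time stamp, treats withdrawal as one more event, and keeps the full history so the controller can demonstrate consent; the class, field names and sample values are this example's own assumptions.

```python
"""Added example (not from the slides): a minimal opt-in consent register.
Consent is recorded per purpose ("finality") with a time stamp, withdrawal is one
more event, and the full history is kept as evidence. Names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str         # the "finality": what the data is processed for
    given: bool          # True = opt-in, False = withdrawal
    at: datetime         # time stamp (UTC)
    notice_version: str  # wording shown to the person (clear and plain language)
    source: str          # channel it came through, e.g. "web form" (constructed)


def utc(*ymdhm: int) -> datetime:
    """Build a UTC time stamp from year, month, day[, hour, minute]."""
    return datetime(*ymdhm, tzinfo=timezone.utc)


class ConsentRegister:
    """Append-only log: nothing is edited or deleted, so the log is the evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, given: bool, notice_version: str,
               source: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, given, at or datetime.now(timezone.utc),
                          notice_version, source)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """As easy to withdraw as to give: one call, same register, same purpose."""
        return self.record(subject_id, purpose, False, "n/a", source, at)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Consent is specific per purpose; the most recent event at that time decides."""
        at = at or datetime.now(timezone.utc)
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return bool(hits) and max(hits, key=lambda e: e.at).given

    def evidence(self, subject_id: str) -> List[ConsentEvent]:
        """Time-ordered history for one person (Art. 7: demonstrate consent)."""
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)
```

Because a withdrawal is appended rather than overwriting the opt-in, the register can still show that consent was valid for processing done before the withdrawal date.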
5. DC & DP’s Obligations
• Responsibility & « accountability »: Article 5
• Privacy by design & by default: Article 25
• Register of processing activities: Article 30
• Data breach: Articles 33 & 34
• Security of processing: Article 32
• Data Privacy Impact Assessment (DPIA): Article 35
• Data Protection Officer (DPO): Articles 37 to 39
• Data transfers: Articles 44 to 49
Chain of Responsibility Example
Data Controller (French: Responsable de traitement)
Data Processor (French: Sous-traitant)
6. Basic Principles
1. Lawfulness
2. Fairness
3. Transparency
4. Purpose limitation
5. Data minimization
6. Accuracy
7. Storage limitation
8. Integrity & confidentiality
9. Accountability
7. How far are we?
Status board (columns: Ongoing / Done / To do), deadline 25/05/2018:
• Awareness training
• Employment contract
• Processing register
• Audit / discovery: data flow mapping
• Gap analysis
• Contracts analysis & modification
• Policies & processes (data lifecycle)
• Privacy by design & by default
• Rule book
• Data security assessment; risk register
• Pseudonymisation, authentication, encryption, minimisation, offline backup
• Cyber-risk insurance
• Data breach procedure (72h): prevent, detect, contain, respond, report
• Data subject rights (30 days)
• Marketing (consent, profiling, children)
• DPIA
• Maintenance, regular assessment, improvement
• Privacy policy, privacy notice
• Legal counsel
• Opt-in register (time stamp, finality…)
• DPO (DPD)
8. Next steps?
Teamwork Project Mgt.: backlog / to do / done / internal workshops + review web sites, consents, contracts, rule book
Employee data: one last “HR workshop” with our legal counsel
Procedures: Say what we do (document!). Do what we say. Check. Become compliant ASAP
Continuous improvement: new projects, new clients, employee turnover, new regulations, certification, etc. DPO!
Any questions?
New Slack channel: news, updates, information, questions & answers
Back-up slides
Overview
Achieving compliance (French: Mise en Conformité)