3. Background
Timeline (the Data Protection Directive 95/46/EC applies until the GDPR applies):
• 1995: Data Protection Directive 95/46/EC
• 2012: European Commission publishes the legislative proposal; separate negotiations within the Council and the European Parliament
• Spring 2014: EP reaches agreement
• 2015: Council agreement; negotiations & approval among the three institutions
• 4 May 2016: Regulation 2016/679 published in the Official Journal
• 2016-2017: two-year implementation phase
• 25 May 2018: Regulation 2016/679 applies (GDPR applies)
4. Legal Structure
Current: Data Protection Directive 95/46/EC
• Directive = implementation by the EU Member States through national law
• Significant variation and fragmentation
Future: General Data Protection Regulation 2016/679
• Goal: harmonise the current legal framework
• Regulation = directly applicable
• Consistent effect
Increase legal certainty, reduce administrative burden and cost of compliance for organisations, enhance consumer confidence
5. Scope
MATERIAL SCOPE
What is personal data?
Information relating to an identified or identifiable natural person (‘data subject’), e.g. name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR applies to the processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system.
What is processing?
Any (set of) operation(s) which is performed on (sets of) personal data, e.g. collection, recording, organization, structuring, storage, adaptation, …
6. Scope
TERRITORIAL SCOPE
Key change in the GDPR: extra-territorial applicability
• Regardless of the company’s location
• All companies processing the personal data of data subjects in the EU/EEA
Overview
• Controllers/processors established in the EU/EEA
• Controllers/processors not established in the EU/EEA:
  I. when offering goods or services to data subjects in the EU/EEA, or
  II. when monitoring their behavior
• Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law
7. Key Changes & Principles
Data minimization
• Adequate, relevant and limited to what is necessary for the purposes
• More restrictive obligation in the GDPR
Privacy by design
• Design data protection into the development of business processes and new systems
• Privacy settings are set at a high level by default
8. Key Changes & Principles
Consent
• Freely given ‘consent’ or ‘explicit consent’ (for sensitive data)
• Specific and unambiguous
• Informed (right to withdraw or object)
Data subject’s rights
• The right to be forgotten
  • Google v. Spain case
  • Effect on social networks
• The right to data portability
• The right to object to profiling
9. Key Changes & Principles
Data retention periods
• Retention of data for no longer than is necessary for the purposes
• Two new factors in the GDPR:
  1. Longer retention period possible: historical, statistical or scientific purposes
  2. Shorter retention period possible: “right to be forgotten”
Privacy impact assessments (“PIA”)
• Obligation to undertake a PIA when conducting risky or large-scale processing of personal data
Data register
• Record keeping of processing activities
10. Key Changes & Principles
Responsibilities
• Data Controller
  • Data breach notification
• Data Processor
  • New direct obligations – an officially regulated entity
• Data Protection Officer (“DPO”)
  • Obligation to appoint in some circumstances
11. Key Changes & Principles
Enforcement
Supervisory Authority (SA)
• Investigative power
  • Carry out data protection audits, review certifications, notify the controller/processor of any alleged infringement of the GDPR, obtain access to all personal data and all information necessary to perform its tasks, obtain access to any premises of the controller and processor including data processing equipment
• Corrective power
  • Issue warnings and reprimands, order compliance, impose a temporary or definitive limitation including a ban on processing, order rectification, restriction or erasure of data or order a certification body not to issue a certificate, impose administrative fines, order suspension of data flows to a recipient in a third country or to an international organisation
Sanctions
• Fines: up to 4 % of annual worldwide turnover or € 20,000,000
• Indemnities towards individuals
• Reputation loss
AND
• Less business
12. The end of big data?
ADVANTAGES OF BIG DATA?
• Large amounts of (personal) data;
• these data are analyzed and combined; and
• used to categorize people and/or to predict their behavior
Examples:
• Behavioral advertising
• Credit risk analysis
• Insurance risk analyses
RECOMMENDATIONS
1. anonymize personal data;
2. be transparent;
3. embed a privacy impact assessment process into big data projects;
4. adopt a privacy by design approach;
5. appoint a DPO;
6. develop ethical principles; and
7. implement audits of machine learning algorithms
Source: ico.org.uk
13. How to prepare & comply?
DATA MINIMIZATION
1. AWARENESS
2. DEFINE THE PROCESS TO BE REVIEWED
3. GAP ANALYSIS – IT & LEGAL
4. REMEDIATION
5. TRAINING/WORKSHOPS FOR STAFF
6. REPEAT / “BREATHE” PRIVACY
Involve: Operations • Management • Legal • IT
Building blocks:
• Security/privacy by default
• Contracts
• Policies and procedures
• Accountability