The second webinar dedicated to data protection and cybersecurity in our series “Risk Conversation at Board level”
PART I – How to adapt the risk governance to the changing regulatory landscape for personal data ?
Good management of data is now an essential part of the business model of many organisations. But the new dependencies that come with the increased use of external hosting, and with the collection, processing and transfer of data, also raise heavy legal, IT and strategic challenges.
If this is no longer a purely IT or legal issue, who is required to take the strategic decisions to allocate the right resources (staff and budget)? What is the role of the Board?
Should data protection be higher on the Board agenda?
How should Board members get the right information on the specific data risks of their organisation in order to be in a position to decide?
Who will be the interface between the practical concerns and the need for strategic decisions?
Is there a role for the risk manager as the instrument to collect, consolidate and analyse the relevant information on the data protection and cybersecurity of the organisation?
Data protection webinar presentation AIG ecoDa FERMA 23 feb 2016
1. Speakers
Vivian Walry
Head of Banking & Finance
CMS Luxembourg
Vivian.Walry@cms-dblux.com
Marie Gemma Dequae
Scientific Advisor & former President of FERMA
FERMA
Thomas Koch
Information Risk Management, Senior Manager
KPMG Luxembourg
Thomas.Koch@kpmg.lu
3. CMS Luxembourg
Timeline of Data Protection
EU - 4 November 1950: European Convention on Human Rights
EU - 28 January 1981: Convention 108 for the protection of individuals with regard to automatic processing of personal data
EU - 24 October 1995: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
EU - 12 July 2002: Directive 2002/58/EC, otherwise known as the E-Privacy Directive
EU - 27 November 2008: Framework Decision 2008/909/JHA on the application of the principle of mutual recognition to judgments in criminal matters
EU - 2016: General Data Protection Regulation
Lux - 2 August 2002: Law on the Protection of Persons with regard to the Processing of Personal Data
Lux - 30 May 2005: Law in respect of the processing of personal data in the electronic communications sector
Lux - 18 July 2014: Law on cybercrime
4. CMS Luxembourg
Timeline of Data Protection (continued)
A new harmonisation for a dual purpose:
- Ensuring that the fundamental right to personal data protection is consistently applied
- Developing the digital economy
The General Data Protection Regulation will be applicable in 2018.
5. CMS Luxembourg
Data protection in general
Main principles
- Fair processing and collection
- Data subject consent / understanding
- Transparency
- Purpose
- Accuracy
- Proportional use and storage
- Processing shall be either notified or authorized, except in some limited cases
6. CMS Luxembourg
Rights of the data subject
Current protection:
- Fair processing
- Right of information
- Rights of access and rectification
- Right of opposition
What's new under the New Regulation:
- Transparency
- Right to be forgotten
- Portability
- Right to compensation
7. CMS Luxembourg
Confidentiality and security - Obligations of the data controller
Principle: implementing appropriate technical and organisational measures to protect personal data AND documenting the measures.
What's new under the New Regulation:
- Replacement of administrative formalities by a data protection impact assessment
- Privacy by design / Privacy by default
- Pseudonymisation - Minimisation - Codes of conduct
- Certification mechanisms and data protection seals and marks
8. CMS Luxembourg
Data breach notifications
Today: very limited "obligation"
- None vis-à-vis the CNPD (except telecom)
- None vis-à-vis the Commassu if insurance company
- Obligation vis-à-vis the CSSF if regulated entity (Circular 11/504)
- None vis-à-vis the data subject (except telecom), but a "duty of care" vis-à-vis customers and third parties => obligation to repair all resulting damage
Under the new Regulation: notification obligation
- Without undue delay vis-à-vis the data subject
- Without undue delay, and not later than 72 hours after having become aware of it, vis-à-vis the CNPD
9. CMS Luxembourg
Sanctions
Today
Mainly criminal sanctions (fine up to EUR 125,000 and up to 1 year in prison) and a few administrative sanctions
Under the New Regulation
Administrative sanctions (fine up to EUR 20,000,000 or, in the case of an enterprise, up to 4% of its annual worldwide turnover)
11.
The General Data Protection
Regulation (GDPR) from a risk
governance point of view
the Data Protection Officer (DPO) and
the Data Protection Impact Assessment