GDPR - are you ready for the challenge?

  1. GDPR – are you ready for the challenge?, 28 March 2018
  2. Do you need to care? (Kronbergs Čukste Derling 2018)
     - Clients
     - Suppliers
     - Employees
     - Data processors
     - Databases
     - Video surveillance
     - Loyalty cards
     - Online shops
     - Direct marketing
  3. GDPR – purpose
     - Rapid progress of new technological development
     - New ways of providing services (internet banking etc.)
     - Internet
     - Social media
     - Amount of publicly available personal data
     - Failure of the previous regulation (Directive 95/46/EC) to provide adequate privacy protection
     - Unified legal framework
  4. General aim of data protection
     - Protect privacy of persons & balance interests
     - European Convention on Human Rights – Article 8 (1)
     - Lisbon Treaty – Article 16 (1)
     - Charter of Fundamental Rights of the European Union – Article 8
     - The Constitution of the Republic of Latvia (Satversme) – Article 96 – everyone has the right to inviolability of his or her private life, home and correspondence
  5. What is personal data?
     Personal data – any information relating to an identified or identifiable natural person (data subject):
     - Directly identifiable
     - Indirectly identifiable – identifiers
     - Opinion as personal data
     - All forms of information
     - False or inaccurate information may be personal data
     - Data protection applies only to natural persons
  6. Applicability and scope of the GDPR
     GDPR is applicable if:
     - The controller or the processor is established in the EU, regardless of the place where processing takes place
     - The data subjects are in the EU, the controller or processor is not established in the EU, and the processing activities relate to offering goods or services within the EU
     - The controller is not established in the EU but in a place where Member State law is applicable via international law
     GDPR is applicable to government organizations, public and private companies
  7. Lawfulness of processing
     Legal basis of data processing:
     - Consent of the data subject
     - Performance of a contract
     - Compliance with a legal obligation of the data controller
     - Protection of vital interests of the data subject or another natural person
     - Public interests
     - Legitimate interests of the controller or a third party
  8. Consent – is it the only way?
     - Consent is only one legitimate way to process personal data: it is considered valid only if freely given, informed, specific, unambiguous and clear, either in writing or oral, with regard to the processing of personal data related to the data subject
     - The data subject has the right to withdraw consent, but withdrawal does not affect the lawfulness of prior data processing
     - The Data Controller must proactively provide: the identity of the Data Controller; the purposes of the processing
     - The Controller should «look for» other legal grounds to ensure reliable data processing
  9. Purpose of data processing
     - Precisely defined purpose: specific; accurately stated & clear; legitimate; defined before (!)
     - Processing of data – allowed within the defined purpose
     - Processing of data outside the defined purpose – only in specific cases: archiving; public interests; scientific or historical research; statistical
  10. Purpose of data processing: controllers & processors
     - Data Controller – determines the purposes and means of the processing of personal data
     - Data Processor – processes personal data on behalf of the Data Controller
     - Way to distinguish the Data Controller from the Data Processor – the Data Processor has no purpose of its own
     - Data Processors should be very careful, as a purpose of their own may appear: data used for improvement of systems; data used for another purpose – statistical
  11. Legitimate data processing
     Legal basis (at least 1 of 6) + Purpose (legitimate, accurate, specific) = Legitimate data processing
  12. RIGHTS OF DATA SUBJECTS
     - Right to be provided with information: identity and contact details of the processor; contact details of the operator; purpose and legal basis of processing; recipients of personal data
     - Right of access: right to receive a copy of the data; explanation of the logic involved in automated processing; period of storage
     - Right of rectification: right to require a controller to rectify any errors
     - Right to be forgotten: the controller must delete personal data if its continued processing
     - Right to object, inter alia, against automated decisions: right not to be evaluated in any material sense solely on the basis of automated processing
     - Right to data portability: right to transfer personal data between controllers
     - Obligation to respond to data subject requests within one month, free of charge twice a year (in a concise and easily accessible form, in plain and clear language)!!!
  13. Data Protection Officer
     Obligation to appoint a Data Protection Officer:
     - Public authority or body (except courts)
     - Core activities require regular and systematic monitoring of data subjects on a large scale
     - Core activities consist of processing on a large scale of special categories of data
     A group of undertakings may appoint a single DPO if he is easily accessible from each establishment. The DPO can be an employee as well as an outsourced service.
     The DPO is designated on the basis of:
     - Professional qualities
     - Expert knowledge of data protection law and practices
     - Ability to fulfil his tasks laid down in the GDPR
     Latvian regulation – the draft Data Processing Law states: any person who meets the requirements set out in the GDPR; certification is not obligatory, but the Latvian authority may check the DPO's compliance with the GDPR.
  14. Data Protection Officer (2)
     Tasks of the DPO:
     - Informs and advises the data controller or the processor and the employees on data protection
     - Monitors compliance with the GDPR and other laws and policies
     - Provides advice where requested in relation to the data protection impact assessment
     - Cooperates with the supervisory authority
     - Acts as a contact point for the data subjects and the supervisory authority
     The Data Controller or Data Processor is responsible for the compliance of the DPO with the requirements set out in the GDPR (!) and shall involve the DPO in all issues which relate to the processing activities
  15. PRINCIPLES & GDPR
     - Lawfulness, fairness, transparency – information to data subjects is provided in a transparent manner
     - Purpose limitation – data is collected for specified and legitimate purposes
     - Data minimization – data is limited to the amount necessary to fulfil the purpose
     - Accuracy – precise and up-to-date data
     - Storage limitation – not for a longer period than is needed for the defined purpose
     - Integrity & confidentiality – appropriate level of safety by implementing reasonable technical and organisational measures (TOM)
     - Accountability – the data controller is responsible for and must be able to demonstrate compliance with the aforesaid principles
  16. Accountability
     - Data protection impact assessment: pre-impact assessment; only if «high risk to rights and freedoms of natural persons»
     - Records of processing activities: no compulsory registration of data processing with DVI; replaced by internal records of processing activities; not always applicable
     - Internal privacy policy and training: «must have» to ensure compliance; covers all the company's privacy aspects; includes technical and organizational measures (TOM)
  17. Data protection impact assessment
     Article 35 of GDPR: «Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons»
     High risk areas:
     - a systematic and extensive automated personal data processing, including profiling;
     - large scale processing of special categories of data, or personal data relating to criminal convictions and offences;
     - a systematic monitoring of a publicly accessible area on a large scale.
     DVI shall establish and publish a list of the kinds of processing operations which are / are not subject to the requirement for a data protection impact assessment. A decision not to perform the assessment must be documented.
     Aim – to assess the impact of the envisaged processing operations on the protection of personal data:
     - description, purpose and legitimate interest (if applicable) of data processing;
     - necessity and proportionality of processing operations;
     - risks to the rights and freedoms of data subjects;
     - measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.
  18. Records of processing activities
     Decision tree (a "Yes" to any question means the records must be kept; "No" to all of them means the obligation is not applicable):
     - Are there more than 250 employees in the organization?
     - Is the processing more than occasional (more than once or twice per year)?
     - Are there any special categories of data?
     - Is any data related to criminal convictions or offences processed?
     - Would the processing be likely to result in a risk to the rights and freedoms of individuals?
     - No to all of the above → Not applicable
  19. Records of processing activities (2)
     Sample record:
     - Controller: SIA AAA
     - Operator: SIA BBB
     - Officer: Jānis Bērziņš
     - Purpose: Payroll
     - Data categories: Name, personal code, home address, bank account, family status
     - Data subject categories: Employees
     - Data recipients: Employees, SRS, VSAA, banks
     - Transfers outside EU/EEZ: USA
     - Term of storage: 75 years
     - TOM general description: Privacy shield, Binding Corporate Rules, operator agreement, IT audit, training
     Article 30 of GDPR: «Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility»
  20. What else can/must be done?
     The data controller (together with the data processor) is responsible for compliance with the aforesaid personal data protection principles and for demonstrating such compliance to DVI. Each data controller/processor determines how to ensure compliance:
     - If required by GDPR – data protection impact assessment and records of processing activities in compliance with GDPR requirements;
     - Otherwise – compliance measures not directly governed by GDPR: data protection audit (in-house or independent); GDPR compliance achievement plan;
     - Practical implementation of GDPR requirements: Internal Data Privacy Policy (taking the data protection impact assessment and records of processing activities as a benchmark); technical data protection measures; data subject's consent and Privacy Policy; privacy clauses of existing employment/client/supplier agreements; model agreements with data processors; general and specialized personal data protection training; procedure for responses to data subject's requests; procedure for notifications of personal data breaches
  21. Liability
     - Administrative: up to EUR 20 million or 4% of previous year worldwide revenue, whichever is higher
     - Criminal: illegal personal data processing which causes material damage
     - Civil: right to receive full and effective compensation for material or non-material damage
  22. GDPR and startups
     PROS:
     - Enter the market with a GDPR compliant business;
     - Easier to achieve compliance from scratch;
     - GDPR creates new business opportunities!
     CONS:
     - High penalties can kill a young business;
     - Data protection issues are a high risk area for investors and in M&A transactions;
     - Legal and IT costs (albeit possibly lower than for existing businesses)
  23. GDPR implementation – Transforming GDPR requirements into compliant business operations, 28 March 2018
  24. Achieving GDPR compliance | Collaboration (Legal / IT / Business)
     - Legal: understanding regulation; code of conduct; contract addendums for existing relationships; …
     - IT: IT systems enhancements; information security; …
     - Business: required data, purpose; policies; risk assessment; …
     DPO – appointed either from the legal or cyber security team… / outsourced for smaller organizations…
  25. GDPR compliance journey
     - Build internal awareness
     - Current situation audit (compliance and procedures)
     - Identify GDPR requirements
     - Existing policies update / new policies development
     - IT changes implementation
     - People training
     - + Continuous improvement/monitoring
  26. Current situation audit – key aspects
     - Legal aspect, e.g. lawfulness basis …
     - Personal Data stored/processed vs. "really required"
     - Electronic documents
     - Paper documents
     - Data acquiring channel/method
     - Involved people, IT systems, partners (data access)
     - Possible data anonymization
     - Document flow / information flow
     - Existing policies
  27. IT system enhancements
     - Getting all information about a data subject: stored Personal Data; data stored; where it has been passed
     - Possibility to ensure data subject requests for: data correction; suspending processing; exclusion from automated processing (decision making)
     - Possibility to extract data subject data for transfer to another processor
     - Auditing data access: who has accessed which Personal Data and how
     - Consent management
     - Data encryption
  28. IS Security Policy development -> Procedures -> Instructions
     - IS resources, classification, ownership and responsibilities
     - IT risk assessment
     - IS security incident management
     - Information classification
     - Relationships with other vendors (outsourcing, …)
     - PC (and other HW) usage
     - Anti-virus SW maintenance
     - IS resources physical security
     - IS resources logical security
     - Business continuity plan
     - …
  29. GDPR Compliant Business Operations
     After the GDPR compliance journey…
     Operate:
     - Justify and record lawfulness and processing mechanisms
     - Process and record Data Subject requests (as per rights)
     - Validate and record third country data transfers
     - Report and manage Personal Data Breach incidents
     Maintain:
     - Evidence of Data Protection policies understanding within the organisation
     - Ensure Personal Data Processing register maintenance
     - Trigger risk assessments for business change events
     - Verify partners' / third party data processing activities compliance
  30. Vineta Čukste-Jurjeva, Partner, Certified Personal Data Protection Officer, KRONBERGS ČUKSTE DERLING, Tel: +371-67043803, +371-29247097
     Reinis Papulis, Associate, Certified Personal Data Protection Officer, KRONBERGS ČUKSTE DERLING, Tel: +371-67043803, +371-25666574
  31. Aivars Belis, Partner / Principal Consultant, SIA VEDICARD, Tel: +371-29446951
     Indra Kešāne, Partner / Principal Consultant, SIA VEDICARD, Tel: +371-29221332
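The records-of-processing decision tree (slide 18) and the register layout (slide 19) above, as an added Python example that is not part of the deck: it encodes the five questions as the Article 30(5) applicability check, models a register row with the slide-19 columns, and flags rows that list a transfer outside the EU/EEA without one of the safeguards the deck names. The record class, field names, the safeguard set and the sample row are assumptions constructed from the slides; Privacy Shield, which the deck lists, was invalidated by the CJEU in 2020.

```python
from dataclasses import dataclass

def records_required(employees: int, more_than_occasional: bool,
                     special_categories: bool, criminal_data: bool,
                     likely_risk: bool) -> bool:
    # Slide-18 decision tree (GDPR Art. 30(5)): any "yes" means the record is required.
    return (employees > 250 or more_than_occasional or special_categories
            or criminal_data or likely_risk)

# Transfer safeguards named on slide 19, matched case-insensitively (constructed set;
# Privacy Shield is kept only because the deck lists it, it is no longer valid).
TRANSFER_SAFEGUARDS = {"privacy shield", "binding corporate rules"}

@dataclass
class ProcessingRecord:  # columns of the slide-19 register (GDPR Art. 30(1))
    controller: str
    processor: str
    officer: str
    purpose: str
    data_categories: list
    data_subject_categories: list
    recipients: list
    third_country_transfers: list  # empty if nothing leaves the EU/EEA
    storage_term: str
    tom_description: list          # technical and organisational measures

def validate(rec: ProcessingRecord) -> list:
    """Return the problems found; an empty list means the record is complete."""
    problems = [f"missing {f}" for f in ("controller", "purpose", "storage_term",
                "data_categories", "data_subject_categories", "recipients",
                "tom_description") if not getattr(rec, f)]
    measures = {m.lower() for m in rec.tom_description}
    if rec.third_country_transfers and not (measures & TRANSFER_SAFEGUARDS):
        problems.append("third-country transfer without a listed safeguard")
    return problems

# Constructed sample mirroring the payroll row on slide 19.
PAYROLL = ProcessingRecord(
    controller="SIA AAA", processor="SIA BBB", officer="Jānis Bērziņš",
    purpose="Payroll",
    data_categories=["name", "personal code", "home address", "bank account", "family status"],
    data_subject_categories=["employees"],
    recipients=["employees", "SRS", "VSAA", "banks"],
    third_country_transfers=["USA"], storage_term="75 years",
    tom_description=["Privacy shield", "Binding Corporate Rules",
                     "operator agreement", "IT audit", "training"])
```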