general data protection regulation: what do you need to do to get prepared? - helena wootton
General Data Protection
Regulation
What do you need to
do to get prepared?
May 2016
Agenda
• Scope and new concepts
• Data Processor / Data Controller relationship
• Children’s data
• Grounds for processing
• Transparency
• Rights for individuals
• Demonstrate data governance
• Transfers of personal data
• Brexit
Introduction
• The General Data Protection Regulation has received
political approval
• The Regulation has set a 2 year implementation
period
• The Regulation will come into force in May 2018
Scope and new concepts
In brief…
• Scope: EU based data controllers and processors, in the context of their activities
in the EU.
• Where no EU presence, the GDPR will still apply whenever an EU resident’s
personal data is processed in connection with goods/services offered to them or
the behaviour of individuals within the EU is “monitored”.
• The GDPR allows Member States to legislate in many areas.
• The data protection principles are revised but are broadly similar: fairness,
lawfulness and transparency; purpose limitation; data minimisation; data
quality; security, integrity and confidentiality.
• New concepts: Transparency and consent, Children and consent
• Expanded definitions of ‘personal data’ and ‘sensitive data’
• Pseudonymisation, Data breach notification
• Data protection by design and new accountability principle
• Enhanced rights – to be forgotten, data portability and to object
• Supervisory Authorities
Controller Processor Relationship
Controller retains overall accountability
for its processing activities, including the
decision to appoint and manage a
Processor
GDPR introduces direct obligations on,
and regulation of, Processors, e.g. a
Processor will conduct a PIA on its service
offering (which the Controller will have to
check and monitor)
Controller and Processor may assign roles and
responsibilities (on a "best-placed" basis) in the
contract in relation to all the required matters,
subject always to the Controller's overall
accountability if they do not.
Unless respective responsibilities and liabilities
are clearly laid out in the written arrangement,
there can be joint and several liability for the
entire damage caused to any person who suffers
as result of unlawful processing or an action
incompatible with the GDPR.
If Processor goes outside the instructions of the
Controller, Processor becomes directly liable
under the GDPR to the Regulator and Data
Subjects (does not negate Controller's "control"
obligations over the Processor)
Controller Processor Relationship
Key constituent Controller obligations:
• due diligence and appointment: ensure
Processor is able to, and does, process
securely, ensure compliance with the GDPR
as a whole, and ensure the protection of
rights of the data subject
• monitoring/auditing: ensure Processor
complies with instructions and all measures
in place to satisfy the above
• written contract or other legal act binding
the parties must be put in place. The GDPR
sets out a list of 8 matters to be addressed
- but essentially, these cover all aspects of
the GDPR
Appointing Processors:
Key business impacts
• Procurement processes: training of team; update of documentation, due diligence
practices, and results analysis
• Contracts: review and rewrite of all relevant contracts. Terms will be far more
specific. Standard phrases unlikely to be sufficient, including those that relate to
subcontracting or involving further Processors.
• Post-contract auditing processes will need to be built in
• It would also be prudent to seek appropriate indemnities and warranties from the
Processor about its processing and compliance, and to build in more reporting and MI
obligations on the Processor, so that the Controller is given much more visibility and
transparency on a regular basis and not just at annual review, specific check-
points, audits or changes
• CRM issues as previously indicated
Additional Processor obligations
• Appointment of Data Protection Officers
• Data Protection Impact Assessments
• Data Security
• Breach Notification
Joint Controllers
Accountability of Joint Controllers
Under the GDPR:
A Controller retains overall accountability, and liability, for its own processing activities. However, where there are Joint Controllers they:
• must have an arrangement in place which determines who is effectively responsible for GDPR compliance
• must give particular attention to how subjects can best exercise their rights
• must make information about this arrangement available to subjects
Joint Controllers will have joint and several liability for all joint processing unless the arrangements are very clear on the point.
Under the current DPA:
Each Controller is fully and independently responsible for complying with the DPA for its own processing activities, and for managing its data subjects. There is no specific legal obligation to enter into formal arrangements (although it is good practice and highly recommended to satisfy the DPA Principles). Sharing of liability is an optional, commercial matter covered in any contract or data sharing agreement. There is no concept of joint and several liability under the DPA.
Key business impacts
• procurement: due diligence; relationship structures; contract negotiations & drafting
• future-proof any current relationships which extend beyond GDPR implementation by addressing new compulsory requirements to the extent not already done
• group contracting policies/precedents
• SAR process
• customer relationship management: control of communications and standards; complaints handling; banking confidentiality (and FCA issues)
• TCF initiatives
• litigation policies
Children’s data
In brief…
• Under 16
• Children are “vulnerable individuals” and deserve “specific protection”
• Additional rules for online services provided to children under 16 – online, prior
parental consent is required for use of an under 13 year old’s data.
• Member States are free to set their own rules for those aged 13 – 15. If they do not,
parental consent is required for children under 16
What are the grounds for processing personal data?
• Similar to current rules, except for consent
• Restrictions and clarifications around the ability to rely on “legitimate interests”
• Consent subject to additional conditions
• Effective prohibition on “bundled” consents and offering of services contingent on
consent.
• Consent must be separable from other written agreements, clearly presented and as
easily revoked as given.
• Further restrictions may be imposed by codes of conduct.
In brief…
• Genetic data and biometric data
• Sensitive personal data
• New conditions regarding the processing of genetic, biometric or
health data
Transparency
In brief…
• Controllers must provide information notices to ensure transparency
of processing
• Specified information must be provided
• There is also a general transparency obligation
• Much of the additional information will not be difficult to supply –
although it may be hard for organisations to provide retention
periods
• There is an emphasis on clear, concise notices
Rights for individuals
In brief…
• Rights to object
• Subject access rights
• Data portability
• Right to erasure and right to restriction of
processing
Demonstrate data governance
In brief…
• Implement measures to reduce the breach risk
• Take governance seriously
• Privacy Impact Assessments, audits, policy reviews,
activity records and appointing a Data Protection
Officer
Transfers of Personal Data
In brief…
• Transfers outside the EEA continue to be regulated and
restricted
• Remains a significant issue
• Non-compliance proceedings can be brought against
controllers and/or processors
• Safe Harbor and Privacy Shield
Remedies and liabilities for breach
In brief…
• Higher of €20,000,000 or, in the case of
undertakings, 4% of global turnover
• Compensation claims
Impact of a Brexit
• UK would be outside EEA
• Would need to offer “adequate level of protection”
• Commission views UK as inadequate due to defective
implementation of 1995 Directive
• Commission’s infraction proceedings against UK are still
live
• If UK doesn’t meet 1995 Directive it will not meet GDPR
• UK would need to implement “essentially equivalent”
measures or non-UK businesses would need to rely on
derogations/exemptions
Thank you
Helena Wootton (Partner)
• Tel: 0115 976 6532
• Mobile: 07795400719
• Email: [email protected]