THE GDPR: FAIL TO PREPARE, PREPARE TO FAIL! Fintan Swanton Cygnus Consulting 15 December 2016

Upload: fintan-swanton

Post on 16-Apr-2017


TRANSCRIPT

Page 1

THE GDPR: FAIL TO PREPARE, PREPARE TO FAIL!

Fintan Swanton, Cygnus Consulting

15 December 2016

Page 2

WHAT IS THE GDPR?

The General Data Protection Regulation is the most extensive change to EU data protection law since the 1995 directive.

In 1995, Mark Zuckerberg was eleven years old . . .

GDPR passed by European Parliament in April 2016.

To come into effect on 25 May, 2018 in all member states.

Page 3

WHAT IS THE GDPR?

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Page 4

THE EIGHT RULES REMAIN THE SAME:

Personal data must:

1. Be fairly obtained & processed
2. For specified, explicit & legitimate purpose(s)
3. Not be processed in a manner incompatible with those purpose(s)
4. Be kept safe & secure
5. Be kept accurate, complete & up-to-date
6. Be adequate, relevant & not excessive
7. Not be retained for longer than is necessary
8. Be provided on request to the data subject

Page 5

SO WHAT’S CHANGING?

- Definition of personal data
- Accountability
- Consent
- Access requests
- Joint data controllership
- Controller / Processor relationship
- Breach notification
- Data Protection Impact Assessments
- Mandatory Data Protection Officers
- Right to compensation and liability
- Financial penalties

Page 6

PERSONAL DATA

Current definition:

Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into the possession of the Data Controller.

S.1 Data Protection Act, 1988

GDPR redefinition:

any information relating to ... an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person...

Art. 4(1), GDPR

Page 7

ACCOUNTABILITY

The controller shall be responsible for and be able to demonstrate compliance ...

Art. 5.2

Page 8

CONSENT

“any freely given, specific, informed and unambiguous indication of… wishes…”

Must be given “by a statement or by a clear affirmative action signifying agreement”

Art. 4(11)

Page 9

SUBJECT ACCESS REQUESTS

- No fee unless request “manifestly unfounded or excessive”
- Requests can be made and must, where appropriate, be responded to electronically
- Standard time limit 1 month
- May take up to 3 months, but must notify data subject within 1 month, giving reasoned justification for delay
- As well as personal data, other info. such as sources, processing purposes & right to complain to DPA must be provided.

Art. 12 & 15

Janet McKnight

Page 10

JOINT DATA CONTROLLERS

Where two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers.

They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation.

Art. 26

Page 11

CONTROLLER / PROCESSOR

The carrying out of processing by a processor shall be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.

The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.

Art. 28

Page 12

MANDATORY BREACH NOTIFICATION

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.

When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay.

Art. 33

Page 13

DATA PROTECTION IMPACT ASSESSMENT

DPIA is mandatory “where processing is likely to result in a high risk”. DPIA must include at least:

- systematic description of envisaged processing and the purposes of the processing, including where applicable the legitimate interest pursued;
- assessment of necessity and proportionality of processing;
- assessment of the risks to the rights and freedoms of data subjects;
- measures envisaged to address the risks.

Controller must consult DPA where processing would result in high risk in absence of mitigating measures.

Art. 35

Page 14

GDPR – MANDATORY DPO

The controller or processor must designate a data protection officer in any case where:

- the processing is carried out by a public authority or body; or
- the core activities of the controller or processor consist of processing operations which because of their nature, scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of sensitive personal data.

A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

Where the controller or processor is a public authority or body, a single data protection officer may be designated for several of them, taking account of their organisational structure and size.

Art. 37, 38 & 39

Page 15

THE ROLE OF THE DATA PROTECTION OFFICER

- DPOs must have “expert” knowledge, training and experience.
- DPOs must report directly to the highest level of management.
- DPOs must be completely independent in the performance of their duties.
- DPOs may be directly employed staff or external service providers.
- DPOs must be involved in a proper and timely manner in all organisational personal data protection matters.

Office of the Privacy Commissioner Canada

Page 16

THE ROLE OF THE DATA PROTECTION OFFICER (CONT.)

DPOs shall have at least these tasks:

- Informing and advising the organisation and its staff on compliance.
- Monitoring organisational data protection compliance.
- Advising on data protection impact assessments.
- Acting as the contact point for and cooperating with the DPC.
- Acting as the contact point for data subjects.

May have other duties, provided they aren’t incompatible with DPO role.

Office of the Privacy Commissioner Canada

Page 17

RIGHT TO COMPENSATION

Current situation:

- Collins v FBD Insurance (Ireland)
- Google v Vidal-Hall (UK)

In the GDPR:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Art 82.1

Page 18

LIABILITY

Where more than one controller or processor or a controller and a processor are involved in the same processing and, where they are responsible for any damage caused by the processing ... each controller or processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.

Art 82.4

Page 19

FINANCIAL PENALTIES

Two tier structure:

- Greater of €10m or 2% of turnover
- Greater of €20m or 4% of turnover

Each supervisory authority shall ensure that the imposition of administrative fines . . . shall in each individual case be effective, proportionate and dissuasive.

Art. 83

Most infringements in principle subject to fines

Page 20

Cygnus Consulting Limited

Data Protection Consultancy & [email protected]

www.cygnus.ie

01 6854474 / 086 8271273