IIBA | GDPR general presentation - with Xavier Darmstaedter, Managing Partner GEDAPRE DACOTA · 2017-10-15
All rights reserved ©2017 - DACOTA Consulting - Commercial in Confidence
GDPR general presentation for IIBA
with Xavier Darmstaedter
Managing Partner
GEDAPRE DACOTA Consulting
tel 0475-41.03.22
Gent, 3 October 2017
4 facts
1. We are not really in control of our personal data.
2. Our personal data are not properly and securely protected.
3. In 2009, Mr Barroso launched the EU Agenda DIGITAL 2020: to make Europe the center of excellence of Information Technologies in 2020. This plan requires an efficient and effective control of the personal data.
4. Our society has considerably evolved since the Data Protection Directive (1995)!
AS IS / TO BE
AS IS: In 1995, the EU issued the Data Protection Directive 95/46 (DPD). [DPD 95/46 - Data Protection Directive (1995)]
TO BE: … of excellence of Information Technologies (Agenda DIGITAL 2020). This implies an efficient and effective control of the personal data.
[Diagram: GDPR Basic Components and Interactions. Components: Data Subject, Data Controller, Data Processor, Data (sub)Processor, Supervisory Authority. Interactions between them: Personal Data, Request, Request for Advice, Processing.]
Personal Data
Article 4 - Definitions
(1) personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller
Article 4 - Definitions
(7) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data ...
Processing
Article 4 - Definitions
(2) processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller – Data Processor
Article 4 - Definitions
(7) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …
(8) Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
[Diagram: GDPR Basic Components and Interactions, with "Breach" marked at several points. Components: Data Subject, Data Controller, Data Processor, Data (sub)Processor, Supervisory Authority. Interactions between them: Personal Data, Request, Request for Advice, Processing.]
[Slide image credited to IT Governance Ltd, https://www.itgovernance.co.uk]
[Flowchart from "A Guide by Mason Hayes & Curran", www.mhc.ie: does the GDPR apply? Each question is answered YES or NO and leads either to "The GDPR applies" or to "The GDPR does not apply".]
• Does EU law apply under public international law?
• Does one of the exemptions from EU law apply? Does the processing relate to criminal investigation or relate to EU foreign and security policy?
• Is it purely personal or household activity?
• Are you established in the EU, and is data processed in the context of that establishment?
• Are you monitoring behaviour of EU residents?
• Are you offering goods or services in the EU?
Breach – Sanctions, Remedies, Liabilities
Administrative fines
€10M or 2%:
• Conditions for obtaining a child's consent
• Processing which does not require identification
• Data Protection by design and default obligations
• Designating a representative in the State where the controller is not established in the EU
• Obligations of processors
• Instructions of a controller or processor
• Records of processing
• Cooperation with the supervisory authority
• Security measures
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Conducting PIAs and prior consultation
• Designation, position and tasks of the DPO
• Monitoring of approved codes of conduct
• Certification mechanisms
€20M or 4%:
• The core Data Protection principles
• The lawful processing conditions
• The conditions for consent
• The sensitive personal data processing conditions
• Data subjects' rights (including information, access, rectification, erasure, restriction of processing, data portability, objection, profiling)
• Transfer of data to third countries
• Failure to provide access to premises of a controller or processor
• Compliance with a specific order or limitation on processing or the suspension of data flows by the supervisory authority
• Obligations adopted under Member State law in regard to specific processing situations
Personal Rights to Personal Data Stored in Repository
Article 17 - Right to erasure ('right to be forgotten')
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
b. the individual withdraws consent and there is no other legal ground for the processing
c. the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
d. the personal data was unlawfully processed
Etc ...
Personal Data Breach
Article 4 - Definitions
(12) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Recitals
(86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.
(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject.
DPO - Data Protection Officer
Article 39 – Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations …
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor …, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance
(d) to cooperate with the supervisory authority
(e) to act as the contact point for the supervisory authority on issues relating to processing, …, and to consult, where appropriate, with regard to any other matter.
…
From "A Guide by Mason Hayes & Curran", www.mhc.ie
Privacy Impact Analysis (PIA/DPIA)
Article 35 – Data protection impact assessment
1. Where a type of processing … is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
…
Personal Data Processing Principles
Article 25 – Data protection by design and by default
1. … the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing …
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
…
Privacy by Design requires organisations to consider privacy measures during product design processes, while Privacy by Default requires controllers to ensure that, by default, only necessary data is processed.
GDPR – Agenda
AGENDA
Introduction and Scope
The GDPR
0. Personal Data
1. Personal Rights to Personal Data
2. Processing Personal Data
3. Organization, Principles & Rules
4. Supervisory Authority
Workgroup sessions
Data Controller
Controllers have specific responsibility for:
• carrying out data protection impact assessments when the type of processing is "likely to result in a high risk to the rights and freedoms of natural persons" and implementing appropriate technical safeguards
• assuring the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities
• duties to the supervisory authority, such as data breach notification and consultation prior to processing
• documenting personal data breaches, including the facts of the breach, its effects, and remedial actions
• demonstrating their compliance with the Regulation by adhering to codes of conduct and certifications that were approved by DPAs
• considering carrying out a data protection impact assessment prior to selecting a processor.
Data Processor
Processors have specific responsibility (primarily to controllers) for:
• processing data only as instructed by controllers
• using appropriate technical and organisational measures to comply with the GDPR
• deleting or returning data to the controller once processing is complete
• submitting to specific conditions for engaging other processors
Which Way to GDPR? Follow the Guide!
To the workshops
GDPR General Website: www.eugdpr.org/eugdpr.org.html
Text (in all languages – quick access): https://www.privacy-regulation.eu/
Some GDPR Issues for Business Analysts
1. What Personal Data do we have and where is it located? Who has access, when and how? Can / Do we track these accesses? Keep up-to-date?
2. Categorization of the Personal Data: basic, transactional, sensitive, audio, video, etc.
3. Monitor, Control and Manage the user access to Personal Data (IAM)
4. Consent acquisition, recording, and limiting Data storage – providing Personal Data (in portable format)
5. Erasure: What? When? How? Where?
6. Understanding and following nothing but the « Documented Instructions » of the Data Controller
7. Keeping « Records of (Categories of) Processing Activities »
8. Protection by Design / Default: with what Method?
9. Risk Impact Assessment: what is at risk? What are the threats, the risks? How to assess the risks? For each area, what is an acceptable level of risk?
10. Breach: Detection / Qualification (incident or breach?) / Notification / before-during-after
11. Internal Organization: New Teams and revised Policies and Processes
12. « Appropriate technical and organizational measures »: what are they? How to apply them? How to provide evidence?
13. Cross-border transfers