Data breaches, privacy programs and what will change for processors
Exove: Data breaches, improving privacy protection and the changes the GDPR brings for processors of personal data
Tobias Bräutigam, Counsel
Agenda
1. Rights for individuals
2. Controller/Processor: role-based examples of obligations
3. Data breach
Rights of individuals
New rights for individuals?
Article | What is it about                    | New?
13/14   | Transparency, right to be informed  | More details
15      | Access to personal data             | Clarification, more detail
16      | Rectification of inaccurate data    | Old
17      | Right to be forgotten               | Not so new as you think
18      | Right to restrict processing        | Clarification, more detail
20      | Data portability                    | New
21      | Automated decision making           | More detail, larger scope
Much ado about nothing?
1. Fines from authorities for the violation of rights
• 4%, i.e. the higher level
2. Enforcement via private action, Article 79
• Also "non-material" damage is covered, Article 82
3. Can be delegated
• Consumer organizations will take care of it
Summary
• As such, relatively small changes, modifications, clarifications
• Enforcement: huge change
What does the GDPR mean for processors?
[Diagram: "Your company" at the centre, with obligations in four directions: general obligations (towards authorities), as a processor, towards data subjects, and as a controller]
Processor's new obligations
Assisting controllers
● Only act on the controller's documented instructions
● Assist the controller in responding to requests from data subjects for: access, rectification, suppression, limitation, objection, portability of data
● Return or delete personal data, at the controller's choice, at the end of the services
● Assist the controller to notify security breaches, implement DPIAs, provide information
● Contribute to audits, including those made directly by the controller
● Mandatory contract clauses
Own responsibility
● List of technical and organizational measures
● Processor's staff must be bound by confidentiality obligations
● Compliance with the rules on international data transfers
Key action items as a processor
Build your privacy program
● Hire a privacy officer where needed
● Define security measures, processes and responsibilities
Indemnity and liability
● Push back on indemnities (strict liability)
● Push back on unlimited liability clauses; tie liability to negligence
Define the lines of responsibility
● Only process based on instructions and the GDPR
Data Breach Notification
Article 33
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority […], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
What amounts to a 'breach' under the new rules, and to whom does the regime apply?
● Relevant provisions in the GDPR can be found in:
• Recitals: 73, 85-88
• Articles: 4, 33, 34, 66 and 83
● The regime applies to data controllers but indirectly also to their processors
● The GDPR refers to "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
● It’s important to note that the wilful destruction or alteration of data is as much a breach as theft
Practical scenarios for your organisation to consider
Breach?
● Four laptops containing 5,000 employee records are stolen from the HR department…
● A flash drive containing 5,000 customer records is forgotten on a bus and never retrieved. There is no evidence that the customer records were compromised.
● An employee has given a third party the login and password for an account with global read-only access to the client database. Logs evidence use of the account by this third party.
● A rogue employee suppresses all contact details provided in the consumer records of his organisation before resigning.
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
twobirds.com
Thank you
General obligations
Demonstrate compliance with the GDPR's principles
● Implement appropriate security policies and measures
● Privacy impact assessment and prior consultation (when applicable)
● Adopt certain "data protection by design" measures
● Record of all processing activities
● Undertake audits
● Adherence to approved codes of conduct and certifications
● Implement privacy policies
● Appropriate staffing (e.g. data protection officer)
● Staff training programs
Key action items for general compliance
Work on your privacy program
● Audit your privacy practices (use self-assessments and interviews)
● Start designing governance and risk management elements first
● Decide which IT systems need to be improved to close gaps (e.g. consumer dashboard)
● Improve privacy processes like subcontractor management, data subject access, partnering
Obligations towards data subjects (for example: corporate subscribers and consumers)
Transparency
● The general privacy policy must mention specific information, such as legal basis, data retention, contact details of the DP officer etc.
● Specific notices where needed, e.g. information about the right to withdraw consent
Legitimacy of processing
● Most data processing is *not* based on consent!
● Performance of a contract or legitimate interest (e.g. marketing to employees of corporate subscribers)
● Where consent is the only option, systems must be ready for withdrawal of consent
Honouring data subject rights
● Access, rectification, limitation, objection, portability of data
● If acting as a processor, Exove must assist the controller in fulfilling those rights
Key action items: compliance towards data subjects
Define the reason for processing for each major process
● Legitimate interest, consent or contract?
Review privacy notices
● Follow the list in Articles 13/14 GDPR
Design the access and deletion process for data subjects
● This includes appropriate IT systems and training of staff
● Draft/update template responses
Obligations as a controller
Managing processors
● Review and update all data processing agreements
● Instruct processors and follow up (audit)
Accountability
● Keep records of all processing activities
● Appointment of a DPO (if applicable)
● Map data transfers and compliance
● Staff training programs and collection of metrics
General obligations
● Implement appropriate technical and organizational security measures (incl. policies)
● Privacy by design and default
● Reply to data subject requests
Key action items as a controller
Cover your own base (see also above)
● Look for certification on technical and organizational matters
● Follow guidance of authorities
Insist on a DPA covering a minimum set of rules on
● Type/categories of PD processed, purpose, duration
● Appropriate tech and org measures, e.g. encryption & pseudonymisation
● Breach notification assistance
● Permit and "contribute" to compliance audits
● Sub-contracting flow-down commitments
Provide instructions to the processor
● Best done via policies/standards that are regularly updated + statements of work
Lawfulness of processing: Consent & Legitimate interests
Lawfulness of processing
Processing is only lawful if:
● The data subject has given consent
● Necessary for the performance of a contract or to take steps prior to entering into a contract
● Necessary to protect the vital interests of the data subject
● Necessary for the legitimate interests of the controller or a 3rd party
● Necessary for compliance with a legal obligation to which the controller is subject
● Necessary for a task carried out in the public interest or in the exercise of official authority
Member States (MS) are allowed to maintain or introduce national provisions to further specify the application of these rules (Recital 8)
Consent strengthened under the GDPR
NEW
● Consent must be
• actively given
• separable from other written agreements
• clearly presented
• as easily revoked as given
● Additional requirements include an effective prohibition on "bundled" consents and on the offering of services which are contingent on consent to processing
● Where consent is relied on, controllers should be able to demonstrate that consent was given by the data subject to the processing
It will be even harder to rely on consent
● A clear, affirmative action
● A written, electronic or oral statement
• Ticking a box on a website
• Choosing technical settings
• Other statement or conduct
● Consent is NOT
• Silence (implied)
• Pre-ticked boxes
● Consent must be given (and demonstrated to have been given) for all purposes of the processing
Consent will be a very difficult basis to rely on
© Bird & Bird LLP 2016
Lawfulness of processing (4): Legitimate interests
Article 7(f) DPD: "processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)."
Article 6(1)(f) GDPR: "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks."
● Consent becomes rather difficult to achieve & demonstrate
● Other grounds for processing relatively narrow
● Legitimate interests likely to become one of the most important grounds
Legitimate interests
● NEW: Controllers that rely on "legitimate interests" should maintain a record of the assessment to demonstrate that they have given proper consideration to the rights and freedoms of data subjects
● NEW: When relying on "legitimate interests", this must be set out in the information notices
● Recommendation: perform a risk assessment and document it
Examples
● Processing for direct marketing purposes or preventing fraud
● Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data
● Processing for the purposes of ensuring network and information security, including preventing unauthorised access to e-communications networks and stopping damage to computer and e-communication systems
● Reporting possible criminal acts or threats to public security to a competent authority