Data breaches, privacy programs and what will change for processors

Exove: Data breaches, improving privacy protection and the changes the GDPR brings for personal data processors. Tobias Bräutigam, Counsel

Uploaded by exove, posted on 07-Jan-2017. Category: Law.

TRANSCRIPT

Page 1: Data breaches, privacy programs and what will change for processors

Exove: Data breaches, improving privacy protection and the changes the GDPR brings for personal data processors. Tobias Bräutigam, Counsel

Page 2

Agenda

1. Rights for individuals
2. Controller/Processor: role-based examples of obligations
3. Data breach

Page 3

Rights of individuals

Page 4

New rights for individuals?

| Article | What is it about                   | New?                          |
| 13/14   | Transparency, right to be informed | More details                  |
| 15      | Access to personal data            | Clarification, more detail    |
| 16      | Rectification of inaccurate data   | Old                           |
| 17      | Right to be forgotten              | Not as new as you think       |
| 18      | Right to restrict processing       | Clarification, more detail    |
| 20      | Data portability                   | New                           |
| 21      | Automated decision making          | More detail, larger scope     |

Page 5

Much ado about nothing?

1. Fines from authorities for the violation of rights
   • 4%, i.e. the higher level
2. Enforcement via private action, Article 79
   • Also "non-material" damage is covered, Article 82
3. Can be delegated
   • Consumer organizations will take care of it

Summary
• As such, relatively small changes, modifications, clarifications
• Enforcement: huge change

Page 6

What does the GDPR mean for processors?

Page 7

[Diagram: your company at the centre, with obligations in four directions: general obligations (towards authorities), obligations as a processor, obligations towards data subjects, and obligations as a controller]

Page 8

Processor's new obligations

Assisting controllers
● Only act on the controller's documented instructions
● Assist the controller in responding to requests from data subjects for access, rectification, suppression, limitation, objection and portability of data
● Return or delete personal data, at the controller's choice, at the end of services
● Assist the controller in notifying security breaches, implementing DPIAs and providing information
● Contribute to audits, including those conducted directly by the controller
● Mandatory contract clauses

Own responsibility
● List of technical and organizational measures
● Processor's staff must be bound by confidentiality obligations
● Compliance with international data transfer rules

Page 9

Key action items as a processor

Build your privacy program
● Hire a privacy officer where needed
● Define security measures, processes and responsibilities

Indemnity and liability
● Push back on indemnities (strict liability)
● Push back on unlimited liability clauses; tie liability to negligence

Define the lines of responsibility
● Only process based on instructions and the GDPR

Page 10

Data Breach Notification

Page 11

Article 33

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority […], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Page 12

What amounts to a 'breach' under the new rules, and to whom does the regime apply?

● Relevant provisions in the GDPR can be found in:
  • Recitals: 73, 85-88
  • Articles: 4, 33, 34, 66 and 83

●  The regime applies to data controllers but indirectly also to their processors

●  The GDPR refers to "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

●  It’s important to note that the wilful destruction or alteration of data is as much a breach as theft

Page 13

Practical scenarios for your organisation to consider

Breach?
● Four laptops containing 5,000 employee records are stolen from the HR department…
● A flash drive containing 5,000 customer records is forgotten on a bus and never retrieved. There is no evidence that customer records were compromised.
● An employee has given a third party the login and password for an account with global read-only access to the client database. Logs evidence use of the account by this third party.
● A rogue employee suppresses all contact details in his organisation's consumer records before resigning.

Page 14

Thank you

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.

twobirds.com

Page 15

General obligations

Demonstrate compliance with the GDPR's principles
● Implement appropriate security policies and measures
● Privacy impact assessment and prior consultation (when applicable)
● Adopt certain "data protection by design" measures
● Record of all processing activities
● Undertake audits
● Adherence to approved codes of conduct and certifications
● Implement privacy policies
● Appropriate staffing (e.g. data protection officer)
● Staff training programs

Page 16

Key action items for general compliance

Work on your privacy program
● Audit your privacy practices (use self-assessments and interviews)
● Start by designing the governance and risk management elements
● Decide which IT systems need to be improved to close gaps (e.g. consumer dashboard)
● Improve privacy processes such as subcontractor management, data subject access and partnering

Page 17

Obligations towards data subjects (for example: corporate subscribers and consumers)

Transparency
● The general privacy policy must mention specific information, such as the legal basis, data retention and the contact details of the DP officer
● Specific notices where needed, e.g. information about the right to withdraw consent

Legitimacy of processing
● Most data processing is *not* based on consent!
● Performance of a contract or legitimate interest (e.g. marketing to employees of corporate subscribers)
● Where consent is the only option, systems must be ready for withdrawal of consent

Honouring data subject rights
● Access, rectification, limitation, objection, portability of data
● If acting as a processor, Exove must assist the controller in fulfilling those rights

Page 18

Key action items: compliance towards data subjects

Define the reason for processing for each major process
● Legitimate interest, consent or contract?

Review privacy notices
● Follow the list in Articles 13/14 GDPR

Design the access and deletion process for data subjects
● This includes appropriate IT systems and training of staff
● Draft/update template responses

Page 19

Obligations as a controller

Managing processors
● Review and update all data processing agreements
● Instruct processors and follow up (audit)

Accountability
● Keep records of all processing activities
● Appointment of a DPO (if applicable)
● Map data transfers and their compliance
● Staff training programs and collection of metrics

General obligations
● Implement appropriate technical and organizational security measures (incl. policies)
● Privacy by design and default
● Reply to data subject requests

Page 20

Key action items as a controller

Cover your own base (see also above)
● Look for certification on technical and organizational matters
● Follow guidance of authorities

Insist on the DPA covering a minimum set of rules on
● Type/categories of personal data processed, purpose, duration
● Appropriate technical and organizational measures, e.g. encryption and pseudonymisation
● Breach notification assistance
● Permitting and "contributing" to compliance audits
● Sub-contracting flow-down commitments

Provide instructions to the processor
● Best done via policies/standards that are regularly updated, plus statements of work

Page 21

Lawfulness of processing: consent and legitimate interests

Page 22

Lawfulness of processing

Processing is only lawful if:
● The data subject has given consent
● Necessary for the performance of a contract or to take steps prior to entering into a contract
● Necessary for compliance with a legal obligation to which the controller is subject
● Necessary to protect the vital interests of the data subject
● Necessary for a task carried out in the public interest or in the exercise of official authority
● Necessary for the legitimate interests of the controller or a third party

Member States are allowed to maintain or introduce national provisions to further specify the application of these rules (Recital 8)

Page 23

Consent strengthened under the GDPR

NEW
● Consent must be
  • actively given
  • separable from other written agreements
  • clearly presented
  • as easily revoked as given
● Additional requirements include an effective prohibition on "bundled" consents and on offering services that are contingent on consent to processing
● Where consent is relied on, controllers should be able to demonstrate that consent was given by the data subject to the processing

Page 24

It will be even harder to rely on consent
● A clear, affirmative action
● A written, electronic or oral statement
  • Ticking a box on a website
  • Choosing technical settings
  • Other statement or conduct
● Consent is NOT
  • Silence (implied consent)
  • Pre-ticked boxes
● Consent must be given (and demonstrated to have been given) for all purposes of the processing

Consent will be a very difficult basis to rely on

© Bird & Bird LLP 2016

Page 25

Lawfulness of processing (4): Legitimate interests

Article 7(f) DPD: processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

Article 6(1)(f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

● Consent becomes rather difficult to achieve and demonstrate
● Other grounds for processing are relatively narrow
● Legitimate interests are likely to become one of the most important grounds

Page 26

Legitimate interests

● NEW: Controllers that rely on "legitimate interests" should maintain a record of the assessment to demonstrate that they have given proper consideration to the rights and freedoms of data subjects
● NEW: When relying on "legitimate interests", this must be set out in the information notices
● Recommendation: perform a risk assessment and document it

Examples
● Processing for direct marketing purposes or preventing fraud
● Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data
● Processing for the purposes of ensuring network and information security, including preventing unauthorised access to e-communications networks and stopping damage to computer and e-communication systems
● Reporting possible criminal acts or threats to public security to a competent authority