IIBA | GDPR general presentation - with Xavier Darmstaedter, Managing Partner, GEDAPRE DACOTA Consulting · 2017-10-15
Page 1

All rights reserved ©2017 - DACOTA Consulting - Commercial in Confidence

GDPR general presentation for IIBA

with Xavier Darmstaedter, Managing Partner, GEDAPRE DACOTA Consulting
[email protected] [email protected]
tel 0475-41.03.22
Gent, 3 October 2017

Page 2

4 facts

1. We are not really in control of our personal data.
2. Our personal data are not properly and securely protected.
3. In 2009, Mr Barroso launched the EU Agenda DIGITAL 2020: to make Europe the center of excellence of Information Technologies in 2020. This plan requires an efficient and effective control of the personal data.
4. Our society has considerably evolved since the Data Protection Directive (1995)!

Page 3

AS IS / TO BE

AS IS: In 1995, the EU issued the Data Protection Directive 95/46 (DPD) - Data Protection Directive (1995).

TO BE: … of excellence of Information Technologies (Agenda DIGITAL 2020). This implies an efficient and effective control of the personal data.

Page 4

GDPR Basic Components and Interactions (diagram)

Components: Data Subject, Data Controller, Data Processor, Data (sub)Processor, Supervisory Authority, Personal Data.
Interactions: Request, Request for Advice, Processing.

Page 5

Personal Data

Article 4 - Definitions

(1) personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Page 6

Data Controller

Article 4 - Definitions

(7) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data ...

Page 7

Processing

Article 4 - Definitions

(2) processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Page 8

Data Controller – Data Processor

Article 4 - Definitions

(7) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …

(8) Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Page 9

GDPR Basic Components and Interactions (diagram, repeated from page 4)

Page 10

GDPR Basic Components and Interactions (the page 4 diagram, with Breach events marked on the interactions between Data Subject, Data Controller, Data Processor, Data (sub)Processor and Supervisory Authority)

Page 11

(Figure from IT Governance Ltd, https://www.itgovernance.co.uk)

Page 12

Flowchart: does the GDPR apply? (from “A Guide by Mason Hayes & Curran”, www.mhc.ie)

Decision questions in the flowchart:
- Does EU law apply under public international law?
- Does one of the exemptions from EU law apply? Does the processing relate to criminal investigation or relate to EU foreign and security policy?
- Is it purely personal or household activity?
- Are you established in the EU, and is data processed in the context of that establishment?
- Are you monitoring behaviour of EU residents?
- Are you offering goods or services in the EU?

Outcomes (YES / NO branches): "The GDPR applies" or "The GDPR does not apply".

Page 13

Breach – Sanctions, Remedies, Liabilities

Administrative fines

€10M or 2%:
- Conditions for obtaining a child's consent
- Processing which does not require identification
- Data Protection by design and default obligations
- Designating a representative in the State where the controller is not established in the EU
- Obligations of processors
- Instructions of a controller or processor
- Records of processing
- Cooperation with the supervisory authority
- Security measures
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Conducting PIAs and prior consultation
- Designation, position and tasks of the DPO
- Monitoring of approved codes of conduct
- Certification mechanisms

€20M or 4%:
- The core Data Protection principles
- The lawful processing conditions
- The conditions for consent
- The sensitive personal data processing conditions
- Data subjects' rights (including information, access, rectification, erasure, restriction of processing, data portability, objection, profiling)
- Transfer of data to third countries
- Failure to provide access to premises of a controller or processor
- Compliance with a specific order or limitation on processing or the suspension of data flows by the supervisory authority
- Obligations adopted under Member State law in regard to specific processing situations

Page 14

Personal Data - Article 4(1) definition (repeated from page 5)

Page 15 (image only)

Page 16

Personal Rights to Personal Data Stored in Repository

Article 17 - Right to erasure ('right to be forgotten')

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a. the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
b. the individual withdraws consent and there is no other legal ground for the processing
c. the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
d. the personal data was unlawfully processed

Etc ...

Page 17

Personal Data Breach

Article 4 - Definitions

(12) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Recitals

(86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject.

Page 18

DPO - Data Protection Officer

Article 39 – Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations …
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor …, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance
(d) to cooperate with the supervisory authority
(e) to act as the contact point for the supervisory authority on issues relating to processing, …, and to consult, where appropriate, with regard to any other matter.

From “A Guide by Mason Hayes & Curran”, www.mhc.ie

Page 19

Privacy Impact Analysis (PIA/DPIA)

Article 35 – Data protection impact assessment

1. Where a type of processing … is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

Page 20 (image only)

Page 21

Personal Data Processing Principles

Article 25 – Data protection by design and by default

1. … the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing …

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Privacy by Design requires organisations to consider privacy measures during product design processes, while Privacy by Default requires controllers to ensure that, by default, only necessary data is processed.

Page 22

GDPR – Agenda

AGENDA

Introduction and Scope

The GDPR
0. Personal Data
1. Personal Rights to Personal data
2. Processing Personal Data
3. Organization, principles & Rules
4. Supervisory Authority

Workgroup sessions

Page 23

GDPR – Agenda

AGENDA

Introduction

The GDPR
0. Personal Data
1. Personal Rights to Personal data
2. Processing Personal Data
3. Organization, principles & Rules
4. Supervisory Authority

Workgroup sessions

Page 24 (image only)

Page 25

Data Controller

Controllers have specific responsibility for:

• carrying out data protection impact assessments when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons” and implementing appropriate technical safeguards
• assuring the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities
• duties to the supervisory authority, such as data breach notification and consultation prior to processing
• documenting personal data breaches, including the facts of the breach, its effects, and remedial actions
• demonstrating their compliance with the Regulation by adhering to codes of conduct and certifications that were approved by DPAs
• considering carrying out a data protection impact assessment prior to selecting a processor.

Page 26

Data Processor

Processors have specific responsibility (primarily to controllers) for:

• processing data only as instructed by controllers
• using appropriate technical and organisational measures to comply with the GDPR
• deleting or returning data to the controller once processing is complete
• submitting to specific conditions for engaging other processors

Page 27 (image only)

Page 28

GDPR – Agenda (repeated from page 23)

Page 29 (image only)

Page 30 (image only)

Page 31

GDPR – Agenda (repeated from page 22)

Page 32 (image only)

Page 33

Which Way to GDPR? Follow the Guide!

To the workshops

GDPR General Website: www.eugdpr.org/eugdpr.org.html
Text (in all languages – quick access): https://www.privacy-regulation.eu/

Page 34

Some GDPR Issues for Business Analysts

1. What Personal Data do we have and where is it located? Who has access, when and how? Can / Do we track these accesses? Keep up-to-date?
2. Categorization of the Personal Data: basic, transactional, sensitive, audio, video, etc.
3. Monitor, Control and Manage the user access to Personal Data (IAM)
4. Consent acquisition, recording, and limiting Data storage – providing Personal Data (in portable format)
5. Erasure: What? When? How? Where?
6. Understanding and following nothing but the « Documented Instructions » of the Data Controller
7. Keeping « Records of (Categories of) Processing Activities »
8. Protection by Design / Default: with what Method?
9. Risk Impact Assessment: what is at risk? What are the threats, the risks? How to assess the risks? For each area, what is an acceptable level of risk?
10. Breach: Detection / Qualification (incident or breach?) / Notification / before-during-after
11. Internal Organization: New Teams and revised Policies and Processes
12. « Appropriate technical and organizational measures »: what are they? How to apply them? How to provide evidence?
13. Cross-border transfers
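Article 25's "by design and by default" obligations (page 21) and the business-analyst questions on page 34 (who has access, when and how; IAM; erasure) in working form: a small personal-data repository that releases only the fields registered as necessary for a stated purpose, pseudonymises the subject identifier with a keyed hash before release, and records every release. This is an added example, not code from the presentation or from DACOTA Consulting; the purpose registry, field names, sample record and key are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed purpose registry: which fields are necessary for each purpose.
# Art. 25(2): by default only data necessary for the specific purpose is
# processed, so a purpose that is not registered maps to no fields at all.
PURPOSE_FIELDS = {
    "shipping": {"name", "postal_address"},
    "newsletter": {"email"},
    "fraud_analytics": set(),          # works on the pseudonym alone
}
SENSITIVE_FIELDS = {"health_note"}     # never released by default, whatever the purpose


class PersonalDataStore:
    """Repository that releases personal data per purpose and records each release."""

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key      # the 'additional information' kept separately
        self._records = {}             # subject_id -> field dict
        self.access_log = []           # append-only: who, when, purpose, which fields

    def put(self, subject_id: str, record: dict) -> None:
        self._records[subject_id] = dict(record)

    def pseudonym(self, subject_id: str) -> str:
        # Keyed hash (HMAC-SHA256): stable per subject, not reversible without the key.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def get_for_purpose(self, subject_id: str, purpose: str, requester: str) -> dict:
        allowed = PURPOSE_FIELDS.get(purpose, set()) - SENSITIVE_FIELDS
        record = self._records.get(subject_id, {})
        released = {k: v for k, v in record.items() if k in allowed}
        self.access_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "purpose": purpose,
            "subject": self.pseudonym(subject_id),   # the log never holds the raw identifier
            "fields": sorted(released),
        })
        return {"subject": self.pseudonym(subject_id), **released}

    def accesses_for(self, subject_id: str) -> list:
        """Who accessed this subject's data, when and for what (page 34, issue 1)."""
        p = self.pseudonym(subject_id)
        return [e for e in self.access_log if e["subject"] == p]

    def erase(self, subject_id: str) -> bool:
        """Art. 17 erasure: drop the record; log entries keep only the pseudonym."""
        return self._records.pop(subject_id, None) is not None


def build_demo_store() -> PersonalDataStore:
    # Constructed sample data; in practice the key comes from a separate secret store.
    store = PersonalDataStore(pseudonym_key=b"demo-key-not-for-production")
    store.put("cust-001", {
        "name": "A. Example", "email": "a.example@example.com",
        "postal_address": "1 Example Street, Gent", "health_note": "allergy",
    })
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.get_for_purpose("cust-001", "newsletter", "mailer-service"))
    print(s.get_for_purpose("cust-001", "marketing_profiling", "analyst"))  # unregistered purpose
    print(s.accesses_for("cust-001"))
```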

