GDPR Any impact on procurement? 16/11/2017.

1 GDPR Any impact on procurement? 16/11/2017

2 Agenda
1. Introduction
2. Key implications of the GDPR
3. Impact on Procurement
4. Road to GDPR Compliance
5. Q&A

3 The General Data Protection Regulation
- Applies to processing of personal data by data controllers and processors
- Regulation: directly effective in Member States (no local law required)
- The GDPR will apply in all Member States as from 25 May 2018
- The clock is ticking!

4 Why is GDPR important
Data processing must comply with the 6 general GDPR principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Retention: personal data must be kept in an identifiable format no longer than necessary
4. Integrity and confidentiality: personal data must be kept secure
5. Data minimization: personal data must be adequate, relevant and limited to the purpose
6. Accuracy: personal data must be accurate and up to date

5 The General Data Protection Regulation
Data processing must satisfy at least one processing condition:
- Consent
- Necessary for the performance of a contract
- Legal obligation
- Vital interests
- Public functions
- Legitimate interests

6 Personal data
Any information relating to the identification, directly or indirectly, of natural persons, including factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. Examples:
- Name
- Identification number
- Location data
- Online identifier

7 Sensitive personal data
Personal data revealing:
- Genetic data or biometric data
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union membership
- Data concerning health or sex life and sexual orientation

8 Data controller / Data processor
- Data controller: the person or body that, alone or jointly with others, determines the purpose and means of the processing of personal data
- Data processor: a natural/legal person or body which processes personal data on behalf of the controller

9 Data processing
Any (automatic) operation which is performed on personal data:
- Collection, recording
- Organization, structuring
- Storage
- Alteration, alignment or combination
- Retrieval, consultation
- Use
- Disclosure by transmission
- Making available, restriction
- Erasure or destruction

10 Agenda: 1. Introduction, 2. Key implications of the GDPR, 3. Impact on Procurement, 4. Road to GDPR Compliance, 5. Q&A

11 Key Implications of the GDPR (overview of the 11 implications, listed on slide 23)

12 Key Implications of the GDPR: 1. Increased fines
- Regulators can impose fines of up to 4% of annual turnover or € (whichever is higher)
- Regulator may perform audits, issue warnings or a (temporary) ban on processing
- Individuals may sue for compensation to recover (non-)material damages

13 Key Implications of the GDPR: 2. Proof of compliance
Organizations must demonstrate they are compliant by:
- Evidencing that they comply with the 6 GDPR principles and processing conditions
- Documenting suitable policies that set out how you process personal data
- Performing Privacy Impact Assessments
- Implementing technical security measures

14 Key Implications of the GDPR: 3. New rights
- Right to access and rectify personal data within 30 days
- Right to be forgotten
- Right to data portability
- Right to challenge profiling and automated decisions
- Right to object to direct marketing

15 Key Implications of the GDPR: 4. Privacy by Design, Privacy by Default
- Mandatory to implement Privacy by Design: ensure privacy and data protection is a key consideration during the entire lifecycle of any project
- Privacy by Default: privacy as the default setting and embedded into design

16 Key Implications of the GDPR: 5. Data Protection Officers (DPO)
- Mandatory appointment in certain cases
- Report to highest levels of management, may not be dismissed or penalized

17 Key Implications of the GDPR: 6. Privacy Impact Assessments
- Mandatory for “high” risk personal data processing
- In some cases consulting the Supervisory Authority is required

18 Key Implications of the GDPR: 7. Privacy Notices
- Increase of the mandatory amount of information included in privacy notices
- Supplied to the individual at the time they provide personal data
- If processing is for a new purpose, prior notification must be given
- Must be “concise, transparent, intelligible and easily accessible”
- Translation into local languages

19 Key Implications of the GDPR: 8. Consent
- Consent must be freely given, specific, informed and unambiguous
- Consent may be withdrawn at any time
- Consent must be explicit for sensitive personal data and for data transfers outside the EU

20 Key Implications of the GDPR: 9. Mandatory breach notifications
- Mandatory record keeping of all security breaches, regardless of whether they need to be notified to the supervisory authority

21 Key Implications of the GDPR: 10. Obligations for data processors
- New obligations specifically for data processors: more responsibility, higher liability
- Data sub-processors fall into the same scope

22 Key Implications of the GDPR: 11. Extra-territorial scope
- The GDPR applies to data controllers and processors established in the EU and to organizations that target EU citizens

23 Key Implications of the GDPR (summary)
1. Increased fines
2. Proof of compliance
3. New rights
4. Privacy by Design, Privacy by Default
5. Data Protection Officers (DPO)
6. Privacy Impact Assessments
7. Privacy Notices
8. Consent
9. Mandatory breach notifications
10. Obligations for data processors
11. Extra-territorial scope

24 Agenda: 1. Introduction, 2. Key implications of the GDPR, 3. Impact on Procurement, 4. Road to GDPR Compliance, 5. Q&A

25 GDPR Compliance
Reference framework for GDPR compliance: the 13 steps of the Privacy Commission for the protection of privacy
1. Awareness
2. Data Inventory (template)
3. Communication (e.g. privacy statement)
4. Data Subject Rights
5. Subject Access Request
6. Lawfulness of Data Processing
7. Consent Strategy
8. Children
9. Data Breaches
10. Privacy by Design & DPIA
11. International Data Transfers
12. DPO
13. Existing Contracts

26 GDPR Compliance: Awareness / Data inventory
- Awareness: inform the stakeholders and policy makers about the upcoming changes. They have to estimate what the effects of the GDPR will be for the organization and are responsible for making the required changes.
- Data inventory: identify what personal information you process, where the information comes from and with whom it is shared, why you perform the data processing, on which legal basis, ...
Impact on procurement:
- Check and cultivate GDPR awareness of the Procurement department
- Analyze the existing vendor relationships

27 GDPR Compliance: Communication / Rights of the Data Subject
- Communication: evaluate your existing privacy notice and policy, and plan any necessary changes aligned with the GDPR.
- Rights of the Data Subject: check if the current procedures in your organization provide all the rights that a concerned person can claim: right to rectify, right to be forgotten, ...
Impact on procurement:
- Review the existing processes/procedures for vendor management (i.e. you vs. vendor)
- Evaluate how a data subject’s rights can be fulfilled by the vendor (i.e. data subject vs. vendor)

28 GDPR Compliance: Request for Access / Lawfulness of Processing
- Request for Access: update your existing access procedures and consider how a request for access will now be covered by the new terms in the GDPR.
- Lawfulness of Processing: document the different types of data processing you perform and identify the legal basis for each of them.
Impact on procurement:
- Review the existing processes/procedures for vendor management (i.e. you vs. vendor)
- Evaluate how a data subject’s access request can be fulfilled by the vendor (i.e. data subject vs. vendor)

29 GDPR Compliance: Consent / Children
- Consent: evaluate the manner in which you request, obtain and register permission, and change where necessary.
- Children: develop systems that check the age of the person and ask the parent(s) or guardian(s) for permission for the data processing of underage children.

30 GDPR Compliance: Data Breaches / Privacy by Design & DPIA
- Data Breaches: provide adequate procedures in case of a data breach to trace, report and investigate it. Personal data breaches have to be reported to the appropriate supervisory authority.
- Privacy by Design & DPIA: familiarize yourself with the concepts “Privacy by Design” and “Data Protection Impact Assessment” and look at how to implement these concepts in your organization.
Impact on procurement:
- Identify the current data breach procedure at the vendor
- Processors are required to notify their relevant controller of any breach without undue delay after becoming aware of it

31 GDPR Compliance: International / Data Protection Officer (DPO)
- International: determine whether international transfers are authorized or not.
- DPO: designate, if necessary, a Data Protection Officer, or someone who bears the responsibility for compliance with the GDPR.
Impact on procurement:
- Map data transfers from/to vendors
- Establish a working relationship between the DPO and the vendor’s DPO

32 GDPR Compliance: Existing contracts
- Evaluate your existing contracts, mainly with processors and subcontractors, and make the necessary changes in time.
Impact on procurement:
- Validate the template for third parties
- Evaluate all existing contracts and create an action plan (if necessary)

33 GDPR and Procurement
- Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR
- Processors must process personal data in accordance with the controller's instructions
- Controllers are responsible for compliance with the GDPR, even when another data processor is contracted
- A controller can’t simply outsource the responsibility for data governance and privacy compliance to its vendors
- GDPR compliance must be ensured throughout the entire supply chain

34 Ordina’s TOP-model: Use of a centralized vendor management system
- Responsible for Third Party selection and management: Business Line, Dedicated Procurement team, Procurement Committee
- The process of managing third parties is a lifecycle: contractual requirements, security reviews

35 Ordina’s TOP-model: Technology, Organisation, People
Technology:
- Encryption of personal data
- Data Loss Prevention (DLP)
- Data mapping: what personal data is located where and to what purpose
- Data anonymization and/or pseudonymisation
- Accelerated adoption of cloud
Organisation:
- Ensure proper Information Lifecycle Management is in place
- Introduce Privacy Impact Assessments and Privacy by Design in application and product lifecycles
- Appoint a Data Protection Officer/Privacy Officer
- Ensure GDPR requirements are included in incident response plans
- Add requirements in contracts with third party suppliers
People:
- Replace implicit consent with explicit consent
- Increase employees’ awareness
- Train staff
- Empower employees by integrating Privacy by Design
- Empower clients by humanizing consent requests

36 GDPR and Procurement
Main GDPR responsibilities for data controllers w.r.t. procurement:
- Conduct Due Diligence
- Perform a DPIA or review DPIA results
- Perform security review (e.g. ISO27K)
- Have appropriate contract management and contract terms in place
- Monitor provided services for GDPR compliance
- Map the flow of personal data through supply chains

37 Obligations for data processors
- Expanded list of provisions that controllers must include in their contracts with processors
- Controllers must select processors that meet the requirements of the GDPR
- Processors will be jointly and separately liable with the relevant controller for compensation claims by individuals

38 Data Processing Agreements
Written contract or legal act binding the processor to the controller and stipulating a number of detailed requirements. Must include the following:
- Determine subject matter, purposes, duration and nature of processing, in accordance with the instructions of the controller
- Implement appropriate technical and organizational measures
- Processor only to act under data-controller instructions
- Vet employees and subcontractors to ensure confidentiality (e.g., awareness and training, confidentiality provisions)
- Assist the controller in responding to requests for exercising data subjects’ rights
- Assist the controller in ensuring GDPR compliance
- Delete or return all personal data to the controller at the controller’s request
- Provide the controller with audit rights
- Make all information available to the controller at the controller’s request
- Make all information available to the controller to demonstrate compliance and contribute to audits

40 Agenda: 1. Introduction, 2. Key implications of the GDPR, 3. Impact on Procurement, 4. Road to GDPR Compliance, 5. Q&A

41 “There can be Security without Data Protection, but there can be no Data Protection without Security”

42 6 Steps to GDPR Compliance
1. Awareness: positioning, explain rationale & secure internal support
2. Analysis & Assessment: map current situation & assess necessary GDPR requirements (“As Is”)
3. Design future state: prepare blueprint for future GDPR Compliance (“To Be”)
4. Development: transform blueprint into compliant products, services & processes
5. Implementation: launch new processes, policies & tooling
6. Governance: ensure GDPR compliance is monitored

44 Tom Cuypers, Privacy & Security Consultant, +32 472 71 83 49, tom

