Presentation is loading. Please wait.

Presentation is loading. Please wait.

The gdpr – one month down the line

Published byBriana Patrick Modified over 6 years ago

Similar presentations

Presentation on theme: "The gdpr – one month down the line"— Presentation transcript:

1 The gdpr – one month down the line
A summary June 2018

2 GDPR og advokater – intern undervisning
10 Reasons not to fear the GDPR monster – and 1 to be absolutely terrified V/advokat Anne Mette Myrup Opstrup

3 10 Reasons…… One month down the line - and what do we know
The GDPR only applies to personal data – not data on companies = not BtB data The IT solutions needed may be complex – the law is not (that) complex Just know what you do, why you do it, and with whom The GDPR gives you/your company the chance to clean up, get structered og get that overview of the data you store and use – and not use With the GDPR – consent is not always the answer Most of it you know you do – now you just have to inform others about it Most of it you do already – now you just have to document it Lots of ”low hanging fruits” that will get you a long way towards being compliant. Helpfull websites, including the official EU website topic/data-protection/reform/rules-business-and-organisations_en The update of Privacy policies has been extensive – and necessary The one (or two) thing to fear: The risk of being fined – obviously Bad publicity

4 PERSONAL DATA NOTHING ELSE So what is a Personal Data identifier ?
a name and surname – unique names and ordinary names; a home address; an address - private + business address! an ID number; location data (for example the location data function on a mobile phone)*; an Internet Protocol (IP) address; a cookie ID*; the advertising identifier of your phone; a symbol that uniquely identifies a person

5 The legal requirements – short and sweet
Do the mapping Know what you do, why you do it, and with whom. The DGPR gives you/your company the chance to clean up, get structered og get that overview of the data you store and use – and not use Guideing principles: lawfulness, fairness, transparency, and accuracy purpose limitation, data minimisation , integrity, and confidentiality.

6 The legal requirements – short and sweet
What is your reason for processing data – think about it ! Necessary for the performance of a contract to which the individual (who’s data you are processing) is party, Your future contracting party has given you her/his data with the purpose of entering into a contract, You have to store data to comply with a legal obligation to which you as data controller is subject; You have to store or process data in order to protect the vital interests of the individual (who’s data you are processing) or of another natural person; You perform a task carried out in the public interest or in the exercise of official authority vested in you; You have a legitimate interests as a data controller or a third party has such interest - except where such interests are overridden by the interests or fundamental rights and freedoms of the individual (need to take a balanced view) LAST BUT NOT LEAST: You have individual consent to process someone’s personal data for one or more specific purposes You need to be able to document your reason

7 RESTRICTED/CONTROLLED BY THE AUTHORITIES
Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation PROHIBITED!!!!! (UNLESS: consent, already public, non-profit organisation with ethnic, politic religious, etc. purpose – members Criminal convictions and offences or related security measures RESTRICTED/CONTROLLED BY THE AUTHORITIES All other personal data such as: Contact details, hobbies and interest, shopping habits, socio-economic status, employment info, debt, family and friends, network info HAVE A GOOD REASON! (OR CONSENT) Identification number/social security number PUBLIC AUTHORITY, A LEGAL REQUIREMENT, CONSENT, SCIENTIFIC PURPOSE, EXCERCISE OR DEFENCE OF LEGAL CLAIM (and a few more) The personal data hierarchy Level of protection Do not share data for marketing purposes unless you have active consent

8 With the GDPR – consent is not always the answer
When do you need consent to proces data If none of the other legal requirements apply If you want to use data for other purposes than the original purpose e.g. marketing If you want to share (sell) data with (to) third parties

9 Rights of customer/data subject
The right to be informed Provide information to your customers about: What are the grounds/purpose (legal basis) for processing personal data Categories of personal data processed How long do you plan to store personal data Do you plan to share data with others /others outside EU Any automated decision making, the logic involved including the consequences thereof The customer’s rights: The right to access own data The right to transfer data or have it removed The right to complaint The right to withdraw consent at any time The right to request rectification, erasure or restriction of processing of personal data

10 Rights of customer/data subject
The right of acces Inform your customers in a clear and concise manner – no need to use formal language Reply to requests of acces with in 1 (one ) month or 2 months if complex Do not request a fee – unless excessive requets! Refuse if unfounded or excessive request Request identification of customer or more specification if unclear request Inform about complaint proceedures if you have grounds to refuse

11 Rights of customer/data subject
The excemptions No obligation to inform if the customer knows already - and you can prove it No obligation to inform if vital interests outweigh the interest of the data subect Do not disclose information on third parties even if it is included in information you have to disclose = erase

12 Rights of customer/data subject
The right to be forgotten Delete data when – (main reasons) Data is longer necessary for the purposes for which they were collected or processed Set up an automated system or a reminder Consent has been withdrawn AND there is no other legal ground for the processing Evaluate your need for consent Objection to the processing AND there are no overriding legitimate grounds for the processing Balance your interests Unlawfully processing Just do it – delete!

13 Rights of customer/data subject
Delete shared data /distributed data Take reasonable steps, including technical measures, to inform other data controllers with whom you have shared the data, that they need to delete data due to requests from data subjects Take account of available technology and the cost of implementation Document what you do

14 Documentation is key If you can do it you, can show it
Write a privacy policy, and make it available Train your staff/yourself in how to comply Have your data information sheet ready Have a standard reply for acces requests ready Have consent form/boxes to be ticked ready Have an organisation plan ready – who does what Have your breach plan ready – who does what

15 Security Breaches - report to authorities
Loss of data = report both loss of physical and electronic data

16 You will be fined – you will receive bad publicity
How to mitigate Breaches: Non-compliance with rights of data subjects Security breach/loss of data or risk of loss of data Mitigation: Do what you reasonable can to mitigate consequences for data subjects Inform authorities Inform data subjects Coorperate with the authorities Document improvements to show compliance after breach Consider taking out a cyber risk insurance

17 New EU preliminary ruling - facebook
C210/16 – old regulation but applicable principles Ruling: The administrator (any private company) of a social network fan website and the host of the social network (facebook) has joint responsibility as data controllers. According to Danish Data Authorities this means: YOU need to ensure adequate information to data subjects and consent if necessary YOU need to ensure a datacontroller agreement with the social network in order to agree on shared responsibilities YOU need to inform data subjects of the shared responsibility Data subjects can excercise their right of acces towards YOU, including the right to be forgotten Joint and several liability with social network host

18 next: the E-Privacy regulation
By the end of 2018…… June 2018

Download ppt "The gdpr – one month down the line"

Similar presentations

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.

Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,

LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
The Data Protection Act 1998. What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;

The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
Data Protection Act 1998. The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.

Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
© University of Reading 2007 www.reading.ac.uk/data_protection Lee Shailer 06 June 2016 Data Protection the basics.

© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Protection of Personal Information Act An Analysis on the impact.

Protection of Personal Information Act An Analysis on the impact.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.

Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.

Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)

Similar presentations

Ads by Google