IAPP CIPP/E – General Data Protection Regulation (GDPR) Part 4

17. Data Breach Notifications

Data breach notifications. Hello everyone. This is the last part of the security related information we will study. Article 33 and 34 impose requirements on Controller repeating again on controllers to notify Personal Data Breaches to the Data Protection Authority and in some circumstances to people impacted.

Processors are only obliged to notify data controller for data breaches, but not the DPA or the data subjects. Article four provides the definition of Personal Data Breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. Basic requirement of the security principle is to put in place breach detection measures.

The Controller needs to determine whether it meets the definition of Personal Data Breach and whether it is likely to cause a risk to the rights and freedoms of individuals. This has to be done very quickly because the Controller has to notify DPA without undue delay, which is subject to a 72 hours limit. Processors have to notify Personal Data Breaches to controllers without undue delay. The GDPR sets out the minimum level of information that a notification to a DPA should contain.

The organisation should provide one, contact details of the data protection officer or other contact person two, information regarding the categories and approximate number of data subjects and personal data records concerned. Three, a description of the nature of the breach four, likely consequences of the breach and five, measures the organization has taken or proposes to take to address the breach.

Controllers are also obliged to keep the record of data breaches even if it is not reported to DPA because it does not put the data subjects at risk. Article 34 requires controllers to inform data subject if those breaches are likely to present high risks to the rights and freedoms of individuals. For example, a breach of names and work emails might present enough risk to trigger DPA notification, but not high risk to notify data subjects.

The following exceptions removes Controller’s obligation to inform data subjects. Measures have been taken to render personal Data unintelligible, such as encryption. Controller has taken steps to prevent the high risks from materializing.

Notification would involve disproportionate effort. In such cases, there still has to be some effort to announce the breach, for example a press release or a statement on a website. Recital 75 gives example of potential physical, material or nonmaterial damage, and recital 76 identifies the need for a risk assessment to identify if it is high risk or not.

The risk assessment should involve number of data subjects, impacted, number of data records exposed, type of data, possible consequences and impact. Please read recital 75 and 76 before proceeding to the next lecture. This was the end of the security related subjects in GDPR. In our next lecture, we will learn more about accountability in GDPR.

18. Accountability

Accountability the General Data Protection Regulation has formally made it a legal liability to be accountable for organizations. It is probably best described as the different obligations with which an organisation must comply in order to show and evidence their compliance with the regulation. Regulators and legislators seek an approach that is more than just a tick box exercise. They want to see that data protection embedded within the corporate DNA. Accountability is one of the data protection principles. It makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance. You need to put in place appropriate technical and organizational measures to meet the requirements of accountability. There are a number of measures that you can have in order to show compliance.

Adopting and implementing data protection policies. Taking a data protection by design and default approach. Putting written contracts in place with organizations that process personal data on your behalf maintaining documentation of your processing activities implementing appropriate security measures recording and where necessary, reporting personal data breaches carrying out data protection, impact assessments for uses. Of personal data that are likely to result in high risk to individuals ‘interests. Appointing a data protection officer adhering to relevant codes of conduct and signing up to certification schemes. We will now start detailing these measures one by one in the next lectures, except the security measures and data breaches because they were already explained in our previous lectures. You.

19. Data Protection Policies

Data protection policies. For many organizations, putting in place relevant policies is a fundamental part of their approach to data protection compliance. The GDPR explicitly says that where proportionate implementing data protection policies is one of the measures you can take to ensure and demonstrate compliance, what you have policies for and their level of detail depends on on what you do with personal data. If, for instance, you handle large volumes of personal data or particularly sensitive information such as special category data, then you should take greater care to ensure that your policies are robust and comprehensive.

Recycle 75 provides some examples of high risk processing in the context of this requirement. Those examples including Processing which gives rise to discrimination identity theft fraud or financial loss damage to reputation loss of confidentiality of personal data to protected by professional secrecy unauthorized reversal of pseudonymization any significant economic or social disadvantage processing special categories of data processing data of children processing data related to criminal convictions.

As well as drafting data protection policies, you should also be able to show that you have implemented and adhered to them. This could also include awareness raising, training, monitoring and audits all tasks that your data protection officer can undertake. Creating a policy document by just putting in the explanation of the principles is not an acceptable policy. The policies should include the responsibilities of employees, management, reporting process for incidents and clear objective of what the policy tries to achieve, which is aligned with the business context.

20. Data protection by design and by default

Day. Protection by design and default. Privacy by Design is an approach to systems engineering. Initially developed by Anne Kavukian, privacy by Design is based on seven foundational principles one proactive not reactive, preventative, not remedial. Two, privacy as the default setting. Three, privacy embedded into design. Four, full functionality positive sum, not zero sum. Five, end to end security full lifecycle protection. Six visibility and transparency keep it open. Seven, respect for user privacy keep it user centric. Data Protection by Design concept in EU legislative is based on these principles. Privacy by design does not only apply only to planning and execution stages of new developments. Logically, it should also address the ongoing operation and of such developments to enable companies to deal effectively with the entire lifecycle.

Data protection by default is a more practical term compared to data protection by design. Basically, GDPR is telling us to select the most protected option by default if the data subjects are given with multiple levels of protection. So no action from the data subject should be seen as the most protected option selection, which means you can’t PreCheck a checkbox allowing the controller to process personal data. By default, it should be unchecked, and the user has to check that option. This requirement means that companies should take steps not only to limit or minimize the amount of data they collect, but also to exercise greater controls over the extent of their processing. Another example can be the data retention period. By default, the data retention should be kept at the minimum unless the data subject asks you to do otherwise.

21. Contracts and Responsibilities

Contracts and Responsibilities if you have worked on a GDPR project before, you are already aware that contract are the most difficult part of the compliance because you have to align different opinions of different experts and it can be challenging. In this course we will study the mandatory things you have to include in your contracts. Whenever a controller uses a processor, it needs to have a written contract act in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract in the future. Standard contract clauses may be provided by the European Commission and may form part of certification schemes. However, at the moment no standard clauses have been drafted. Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide sufficient guarantees that the requirements of the GDPR will be met in the future.

Using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement, though again no such schemes are currently available. Processors must only act on the documented instruction of a controller. They will, however, have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply. Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject and the obligations and rights of the controller.

Now we will have a quick reminder to what we discussed in the security lecture. Contract acts must also include as a minimum the following terms requiring the processor to only act on the written instructions of the controller ensure that people processing the data are subject to a duty of confidence. Take appropriate measures. To ensure the security of processing only engage subprocessors with the prior consent of the controller and under a written contract. Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR. Assist the controller in meeting its GDPR obligations in relation to the security of processing. The notification of personal data breaches and data protection impact assessments.

Delete or return all Personal Data to the controller as required at the end of the contract and subject to audits and inspections. Provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or Remember State a processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing, then it will be considered to be a controller and will have the same liability as a controller. The Data Protection Authority will not look at the contract to decide if you are a processor or a controller, but look at how you are processing the data.

In addition to its contractual obligations to the controller under the GDPR, a processor also has the following direct responsibilities not to use a subprocessor without the prior written authorization of the data controller to cooperate with supervisory authorities. Such as the ICO to ensure the security of its processing, to keep records of processing activities, to notify any personal data breaches to the data controller, to Emoy a Data Protection officer and to appoint, in writing, a representative within the European Union if needed. If a processor fails to meet any of these obligations or acts outside or against the instruction of the controller, then it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures. If a processor uses a subprocessor, then it will, as the original processor, remain directly liable to the controller for the performance of the sub processor’s obligations. We will learn how we should document our processing activities in the next lecture.

22. Documentation of processing activities

Implementation of processing activities. Article 30 of the Regulation outlines the records that must be kept by both data controllers and processors. This documentation is mandatory for organizations of 250 or more, or the processing is likely to result in risk to rights or freedoms, or processing is not occasional or special categories of data is processed.

Data controllers are required to maintain a record of the following information the name and contact details of your organization and, where applicable, of other controllers, your representative and your Data Protection Officer the purposes of your processing a description of the categories of data. Subjects and categories of personal data recipients of personal data details of your transfer to third countries, including documenting the transfer mechanism, safeguards in place retention schedules a description of your technical and organizational security.

Measures data processors are required to maintain recording information the name and contact details of your organization and, where applicable, of other processors, your representative and your data protection officer, the name and details of each controller and the name and their representatives and their data protection officers. Details of your transfers to third countries, including documenting the transfer mechanism safeguards in place a description of your technical and organizational security measures. You can use the links in the resources to download the templates for documentation. You don’t have to use exactly the same templates, but they will give you an idea of the expected information in the next lecture. Another documentation responsibility that is mandatory in some cases. Data protection impacts assessments.

23. Data protection impact assessments

Data Protection Impact Assessments The GDPR introduces a new obligation to do a DPIA before carrying out types of processing likely to result in high risks to individuals interests. If your DPIA identifies a high risk that you cannot mitigate, you must consult the supervisory authority. This is a key element of the new focus on accountability and data protection. By design, some organizations already carry out privacy impact assessments as a matter of good practice. If so, the concept will be familiar, but you still need to review your processes to make sure they comply with GDPR requirements. DPIAs are now mandatory in some cases, and there are specific legal requirements for content and process. If you have not already got a PIA process, you need to design a new DPIA process and embed this into your organization’s polish and policies and procedures.

You must do a DPI before you begin any type of processing which is likely to result in a high risk. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals. In particular, the GDPR says you must do a DPI if you plan to use systematic and extensive profiling with significant effects process, special category or criminal offense data on a large scale, or systematically monitor publicly accessible places on a large scale. You should also think carefully about doing a DPI for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPI for any major new project involving the use of personal data. The following figure, created by Working Party 29 and accepted by European Data Protection Board, illustrates the basic principles related to the DPI in the GDPR. You can download the full report from the Resources section. You can also download templates for DPI from the Links and Resources.

DPI must contain at least the following a systematic description of the processing operation the purposes and the legal basis, including any legitimate interest pursued by the controller necessity and proportionality of processing assessment of risks the measures adopted to address the risk, including safeguards security the DPIA reveals the risk of the processing. If, after DPIA, the processing is categorized as high risk and there are no sufficient measures capable of mitigating the risk, the controller will be required to consult their data Protection Authority. The regulation allows DPA up to eight weeks to make a decision about the processing. The controller should stop processing until the decision is made. DPA can extend this by an additional six weeks. One last thing before the end of this lecture processors do not need to have a DPIA, but should help controllers if needed. In the next lecture, we will learn the circumstances where controllers and processors must designate a DPO and DPO tasks.

24. Data Protection Officer

Data Protection officer. The appointment of a data protection officer is formally recognized in the regulation, but not every company must appoint one. The circumstances where data controllers and processors must designate a DPO are where processing is carried out by a public authority. If the core activities involve regular and systematic monitoring on a large scale if the core activities involve processing of special categories of data on a large scale there are two important keywords in this explanation core activities and large scale. In particular, the WP 29 identified the following large scale factors to decide what is large scale and what is not the number of data subjects, the volume of data or the range of different data items the duration or permanence of processing the geographic graphical coverage of the processing.

We can give the difference between a hospital and an individual private doctor. The hospital will need a DPO because the special categories of data is processed on a large scale, whereas the private doctor’s process is not on a large scale. An important note for Internet businesses here regular systematic monitoring of data subjects includes all forms of Internet based tracking and profiling. We also need to explain what is considered as core business.

We can easily do this with an example. For a digital advertising company, processing personal information of Internet users for advertising is within their core business, but processing payroll information to pay the salary of employees is not within their core business. The GDPR says that you should appoint a DPO on the basis of their professional qualities and in particular, experience and expert knowledge of data protection law. It doesn’t specify the precise credentials they are expected to have. Does say that this should be proportionate to the type of processing you carry out. Taking into consideration the level of protection the personal data requires, it would be an advantage for your DPO to also have a good knowledge of your industry or sector as well as your data protection needs and processing activities.

The DPO’s tasks are defined in Article 39 as to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws to monitor compliance with the GDPR and other data protection. Laws and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits to advise on and to monitor data protection impact assessments, to cooperate with the supervisory authority and to be the first point of contact for supervisory authorities and for individuals whose data is processed when cut their tasks. The DPO is required to take into account the risk associated with the processing you are undertaking.

They must have regard to the nature, scope, context and purposes of the processing. The DPO should prioritize and focus on the more risky activities, for example, where special category data is being processed or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk based advice to your organization. If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability for a large international organization. You may have to appoint more than one DPO, because the DPO must be easily accessible, and it will not be so because of time zones and the language. DPO role can be outsourced or hired internally. It can even be a part time role of an existing employee as long as there is no conflict of interest, for example, the Hapo, because the business goals of the head of products may conflict with the DPO responsibilities.

The last principle was adhering to relevant codes of conduct and signing up to certification schemes, and I will try to give a brief information on that rather than a dedicated lecture. Trade associations or bodies representing a sector can create codes of conduct in consultation with relevant stakeholders, including the public. Where feasible, they can amend or extend existing codes to comply with the GDPR requirements. They have to submit the draft code to the local DPA for approval. Adhering to a code of conduct shows that you follow the GDPR requirements for data prediction and that you are addressing the level of risk relevant to your sector and the type of processing you are doing.

For example, in a high risk sector, such as processing children’s or health data, the code may contain more demanding requirements. Member states, supervisors, the European Data Protection Board, EDPB, and the Commission will promote certification as a means to enhance transparency and compliance with the regulation. Certification is a way of demonstrating that your processing of personal data complies with the GDPR requirements. In line with the accountability principle, your customers can use certification as a means to quickly assess the level of data protection of your particular product or service.

The GDPR says that certification is a means to demonstrate compliance with the provisions on data protection by design and by default. Article 25 demonstrate that you have appropriate technical and organizational measures to ensure data security article 32 and to support transfers of personal data to third countries or international organizations article 46 we covered all the subjects in GDPR except two cross border transfers and supervision enforcements. In the next lecture picture, we will cut cross border personal data transfers, data transfer.

25. Cross-border data transfers

Cross border Transfers the GDPR imposes restriction on the transfer of personal data outside the EEA to third countries or international organizations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in in Chapter five of the GDPR. Article 44 explains international data transfers as below any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if subject to the other provisions of this regulation.

The conditions laid down in this chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another fully or to another international organization. All provisions in this chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this regulation is not undermined. Companies can lie on three different legal basis for data transfer to a third country or an international organization. We will now learn all the details about these legal basis for data transfers on the basis of an adequacy decision. Article 45. 1 states that a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory, or one or more specified sectors within that third country or the international organization in question ensures an adequate level of protection.

Such a transfer shall not require any specific authorization. Currently, there are twelve countries that the European Commission found adequate for free data movement. In addition to the controversial privacy shield deal with the US. The EU has adequacy agreements that allow companies to share data with Switzerland Andora the Pharaoh Islands. Guernsey, Jersey the Isle of man, argentina, Canada, Israel, New Zealand and Uruguay. EU adequacy agreements have faced increased scrutiny over the last two years. In 2015, the European Court of justice ruled the EU safe harbor deal with the United States to be illegal because the US. Did not protect Europeans from government surveillance.

The Commission signed off last year on the Privacy Shield, a replacement arrangement to uphold billions of euros in digital trade between the EU and the US. Transfers Subject to Appropriate Safeguards Article 46. 1 states that in the absence of a decision pursuant to Article 45 adequacy, a controller or processor may transmit data to a third country or an international organization only if the controller or processor has provided appropriate safeguards and on condition that enforceable data. Subject rights and effective legal remedies for data subjects are available. These appropriate safeguards can be based on one of the following one standard data protection clauses by the Commission. Companies can rely on standard clauses published by the Commission 2010.

This is the most common way of providing appropriate safeguards supported by a contract. There is a confusion in the ecosystem how to call this so you may have heard of this as standard model contract or model clauses. Two standard data protection clauses by the supervisory authority. Supervisory authority can create a different standard contract than the one published by the commission. This has to be approved by the commission. Once approved, it can be used like the one above. Three binding corporate Rules this method is mostly used for international companies that share data between the subsidiaries or group companies in different countries.

It is crucial to mention that the binding corporate rules have to be approved by the supervisory authority, and it is a lengthy, difficult process which may take up to one to two years. The minimum set of rules that have to be included is explained in GDPR Article 47. Four codes of Conduct and Certification trade associations or bodies representing a sector can create codes of conduct in consultation with relevant stakeholders ink where feasible, they can amend or extend existing codes to comply with the GDPR requirements. They have to submit the draft code to supervisory authority for approval. Five custom contractual clauses custom contractual clauses or provisions agreed by the parties that is authorized by the competent supervisory authority.

This process is also not very easy and can take up to one year. Transfers Based Derogations The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer or set of transfers may be made where the transfer is made with the individual’s informed consent necessary for the performance of a contract between the individual and the organization, or for the precontractual steps taken at the individual’s request.

Necessary for important reasons of public interest, necessary exercise or defense of legal claims necessary to protect the vital interests of the data subject or other persons where the data subject is physically or legally incapable of giving consent or made from a register which, under UK or EU law, is intended to provide information to the public and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register. The first three derogations are not available for the activities of public authorities in the exercise of their public powers. You are almost there. We have one more subject to cover and then we will will get to our final lecture for more practical information. The next lecture. Supervision and enforcement.

• Category: Uncategorized