1 of 16

Let’s all survive the GDPR

The EU’s new General Data Protection Regulation

Simon McGarr, Data Compliance Europe

John Looney, Intercom

2 of 16

General Data Protection Regulation

Finalised 27^th April 2016
Replaces 1995 Data Protection Directive
Comes into force automatically on 25^th May 2018
In Ireland, the Data Protection Bill to implement GDPR is before the Oireachtas now
Across the EU, different countries are choosing some a la carte elements to implement. An excellent, regularly updated, resource on the status of those implementations is http://www.cearta.ie/2017/07/what-is-the-current-status-of-gdpr-incorporation-in-the-eus-28-member-states/
Some details and policies are still being worked on by regulators

Simon McGarr, Data Compliance Europe

3 of 16

Who does the GDPR apply to?

Probably you. If you’re;
Established in an EU member state
Established outside EU, but processing EU residents (not just citizens) data after offering them goods or services

‘Offering’ is a mushy swamp

Anyone, anywhere who monitors the behaviour of an EU resident

Profiling, cookies, tracking on the internet, recommendations…

Subject to EU law because of International Law

Simon McGarr, Data Compliance Europe

4 of 16

What do you need to do?

In Gist:
Complete your organisations’ GAP analysis as soon as possible
Establish a project plan to fill in those GAPs
Implement the plan before 25^th May 2018

Let’s look at some of the things you’ll need to do to get there

Simon McGarr, Data Compliance Europe

5 of 16

Step 0: Sound the alert in your organisation

Need top level support
GDPR is not just a compliance function
Success will require business reorganisation and change management

This is a culture change project.

Simon McGarr, Data Compliance Europe

6 of 16

Step 1: Map your data

You’re going to need to know what data you hold, and keep a register of that data
Work out what part of that data is personal data

Aggh! the US definition of PII is not the same as EU personal data

Create a record of all data processing activities under your responsibility

Both as a data controller and as a data processor

Identify the purpose for which the data is being processed
Create an up-to-date system of record

Must be accessible to regulators and individuals

Simon McGarr, Data Compliance Europe

7 of 16

Step 2: Review your consents for data use

If processing data about people, what’s your legal basis for it ?
If consent, identify the consent, ensure it's specific and accurate
Consent must be freely given, specific, informed and unambiguous
Consent must be distinct from other parts of the Terms & Conditions
Must be as easy to withdraw as to give
Keep an easily found records of those consents-

These are the title deeds to the data your business uses!

Ensure parental consent for children

still waiting for legislation on the age a child (age 13 to 16)

Simon McGarr, Data Compliance Europe

8 of 16

Step 2 (aside) Lawful processing basis

CONSENT

CONTRACT

LEGAL COMPLIANCE

VITAL INTEREST OF A HUMAN (life-or-death)

PUBLIC INTEREST

LEGITIMATE INTEREST (danger here)

EU MEMBER STATE SPECIFIC REASONS

CRIME AND JUSTICE

NEW PURPOSES! (so much danger)

Simon McGarr, Data Compliance Europe

Any personal/account record should contain what basis the records are being processed

Get consent, even if you are processing on another basis. A contract can state "You verify that you will gain and maintain consent for any data that we process at your behest".

Legal Compliance; i.e. credit histories in banking, may also be a defence.

If someone rings 999/112 looking for help, you do not have to ask permission to take their location data and pass it on to first responders.

Public Interest hasn't been strongly defined. Keeping call log data on politicians to leak later in a scandal probably won't be 'public interest'.

Legitimate Interest has been defined in court as in the interest of the person on whom the data has been kept, not on the legitimate interest of the company or person profiting from processing personal information. It will likely be difficult to argue in court that you had someone's best interests in mind, but didn't think it appropriate to ask permission.

There are certain carve-outs, not defined, that allow member states specific exemptions, and national security considerations will often be cited as reasons to invade privacy. These have not been defined in law yet.

9 of 16

Step 3: Change processes to deliver individual's rights

Data processing procedures must allow data subjects to exercise rights to Information, to rectify, to erase, to object, data portability etc
Such processes must be, in almost all cases, free of charge to the customer
Prepare to meet the requirement to provide extra information about your data retention policies etc
Establish clear assessment policies and procedures for the rare case where a request can be denied

Data Subject Requests time limits have dropped from 40 days to 1 month.

Simon McGarr, Data Compliance Europe

10 of 16

Step 3 SUPER BONUS: Automated Processing

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”� - Article 22, GDPR

Let’s have a chat about this.

Simon McGarr, Data Compliance Europe

11 of 16

Step 4: Check your Contracts

Complete a full review of all controller/processor contractual relationships your organisation is committed to.�
Prioritise your contract risks by volume of personal data, sensitivity of data, numbers of people accessing it etc.�
Ensure that all contracts with processors conform to GDPR requirements. This will be time consuming.
Ensure that any Third Country transfers outside of EEA are lawful

(Risk of a fine of 2% of turnover or €10 million hangs on this project portion alone)

Simon McGarr, Data Compliance Europe

12 of 16

Step 5: Be ready to Report Data Breaches

New Mandatory breach notifications to the Data Protection Commissioner and, in many cases, to the individuals effected.

Unless your data breach unlikely to cause any harm

72 hour notification deadline (unless effective security measures such as encryption in place)
Tell the data subject without ‘undue delay’
Put a data breach plan in place now, to use later

Simon McGarr, Data Compliance Europe

13 of 16

Step 6: Privacy Impact Assessments

Adopt the procedures to implement Privacy by Design as part of the organisation’s planning system
Review the necessity and scope of any proposed new data processing before you bring it in.
Be ready to complete full Privacy Impact Assessments for future projects, as needed.��

Simon McGarr, Data Compliance Europe

14 of 16

Step 7: (Maybe) hire a Data Protection Officer

Certain organisations must hire DPOs

Public authorities
Those regularly processing large amounts of personal data
Those processing sensitive personal data at (some) scale

Others will decide it is good practice to hire one
Need specifically qualified people (this is very hard)

Consider if an external DPO fits your needs

Simon McGarr, Data Compliance Europe

15 of 16

Data Protection Commissioner powers

To obtain access to data and to premises

To issue warnings and reprimands

To order compliance

To limit data processing

To order rectification or erasure of data

To suspend data transfers to third countries

To impose fines to a maximum of €20m or 4% of annual global turnover, whichever is the larger

Simon McGarr, Data Compliance Europe

16 of 16

Any Questions?

hello@datacomplianceeurope.eu