rec This presentation contains general information. This presentation is not intended to constitute legal advice and therefore should not be relied on as such. 20/06/2019 Atlantic Compliance 1
Agenda enda • Revisit – where we are now. • Breaches • Direct Marketing GDPR • • EPrivacy • What you could/should be doing now Atlantic Compliance 2
Enhanc En anced ed Ob Obligations tions for r Firms ms • New concept – need to be able to demonstrate that comply with Accountability bility the GDPR • Increases the amount of information that you must provide to Privacy Notice ices clients with collecting their data • Raises the bar higher if you are relying on consent for processing Consent ent data • Mandatory to notify the supervisory authority/individual of data Breac ach notif ifica ication tion breach in 72 hrs • Data protection impact assessments – must be performed where DPIA A processing is likely to result in high risk to rights and freedom of individuals • Now open to direct enforcement action by data subjects and Data a Proce cess ssor r liability bility regulators Data a mappin ping g • Retain records of all processing activities • Liability and compensation – Data subjects can sue for material or non Sanctio tions s material damage plus the supervisory authority can fine up to 4% WW turnover • Additional mechanism required to ensure third country has Intern ernationa tional l Data a Transf sfer ers adequate levels of protection 20/06/2019 Atlantic Compliance 3
Expansi Ex ansion on of Indi divi viduals duals rights hts • about the processing of their personal data – principle of Right t to be Inform rmed ed transparency • if their personal data is inaccurate or incomplete (requests to Right t to Rectif ifica icatio tion amend data will normally have to be processed within 1 month) • to their personal data and supplementary information, and the Right t of Access ess right to confirmation that their personal data is being processed • to their personal data and supplementary information, and the Right t to be Forgott tten en right to confirmation that their personal data is being processed • of their personal data, for example, if they consider that Right t to Restric trict t Process essin ing processing is unlawful or the data is inaccurate • of their personal data for their own purposes (they will be allowed Right t to Data Porta tabili bility to obtain and reuse their data) • to the processing of their personal data for direct marketing, Right t to Object ct scientific or historical research, or statistical purposes • Data subjects can initiate complaints with the courts to the Right t to make a Compla mplain int supervisory authority and seek compensation for both material and non material damage. Right t to not be evalu luate ted d on the • Right not to be subject to a decision based solely on automated basis is of autom tomated ed process essin ing processing which significantly affect them (including profiling). 20/06/2019 Atlantic Compliance 4
Data ta Protec tection ion Principles nciples 6 Principles Keep for one Process data Keep in a form that Ensure that it is specified, lawfully, fairly Keep it accurate, the data subject can adequate, Keep it safe and explicit and and complete and up- be identified only as relevant and secu re legitimate long as necessary to-date limited to what Transparently purposes is necessary 20/06/2019 Atlantic Compliance 5
Data ta Processi cessing ng Processing will only be lawful if ONE ONE of the following conditions is met: Legal Contractual Consent 1 3 Obligations 2 Obligations Data subject gives consent Processing is necessary to Processing is necessary to for one or more specific comply with legal meet contractual obligations purposes obligations of the entered into by the data controller subject Legitimate Vital Interests Public Interests 4 5 6 Interests Processing is necessary Processing is necessary to Processing is for the for tasks in the public protect the vital interests purposes of legitimate interest or exercise of of the data subject. interests pursued by the authority vested in the . controller controller . . 20/06/2019 Atlantic Compliance 6
Data ta Protec tection ion Principles nciples Processed fairly, lawfully and transparently Requires an additional compliance burden on organisations (albeit one that is implied under the Directive). It requires that organisations take additional care when designing and implementing data processing activities. Purpose Limitation - collected for specified, explicit and legitimate purposes. In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new, incompatible, purpose. Data Minimisation - adequate, relevant and limited to what is necessary. The principle of data minimisation is essentially the idea that, subject to limited exceptions, an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes. 20/06/2019 Atlantic Compliance 7
Data ta Protec tection ion Principles nciples Accuracy - accurate and, where necessary, kept up to date. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay. Retention - kept for no longer than is necessary. Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards. Security - processed in a manner that ensures appropriate security. Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Acco counta tabil bility ity - new requirement that the controller be able to demonstrate accountability. 20/06/2019 Atlantic Compliance 8
Breac eaches hes – updates tes from om DPC PC • Use this form if you wish to contact us on behalf of an organisation to report a personal data breach that has occurred in your organisation (or that you think may have occurred), in circumstances where you have determined that the breach presents a risk to the affected individuals. • You can also use this form to update a breach report that you have previously submitted to us. • A personal data breach occurs when the data is accessed, disclosed, altered, lost or destroyed in contravention of an organisation’s obligation to keep personal data in its possession safe and secure • https://forms.dataprotection.ie/report-a-breach- of-personal-data Atlantic Compliance 9
Direct ect Market eting ing – GD GDPR PR lawfu wful l reason ason • You must have a lawful reason for processing personal data. • Direct Marketing is either consent or legitimate interest. • The GDPR states that : ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’ ‘At any rate the existence of a legitimate interest would need careful assessment including whether a data • subject can reasonably expect at that time and in the context of the collection of the personal data that processing for what purpose takes place ‘ • Therefore yes Direct Marketing can be carried out without consent however , if using legitimate interest then you must carry out a legitimate interest assessment. Atlantic Compliance 10
Recommend
More recommend
