responsibility and accountability under the gdpr
play

Responsibility and Accountability under the GDPR Regina Becker - PowerPoint PPT Presentation

Sep 21, 2022 •178 likes •439 views

Responsibility and Accountability under the GDPR Regina Becker ELIXIR-LU ELIXIR Workshop Data Protection ECCB 2018 / Athens 11. September 2018 GDPR is catching up with us GDPR: General Data Protection Regulation GDPR Became

  1. Responsibility and Accountability under the GDPR Regina Becker ELIXIR-LU ELIXIR Workshop Data Protection ECCB 2018 / Athens 11. September 2018

  2. GDPR is catching up with us… — GDPR: General Data Protection Regulation GDPR • Became effective on 25 May 2018 • Is directly applicable as law • Considerable consequences for processing of personal data • Defined scope of opening clauses gifmix.de for national specifications to further complicate the situation

  3. First things first… steemkr.com

  4. The axiom of Article 5 Art. 5.2 The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). YOU are responsible stratford.edu for your processing

  5. Understanding the GDPR — The most important principles Lawfulness Fairness Art. 6 Legal Basis Art. 5.1 (b) purpose limitation Art. 9 Special categories Art. 5.1 (c) data minimisation of data Art. 5.1 (d) accuracy Art. 44-49 Transfer to Art. 5.1 (e) storage limitation third countries or Art. 5.1 (f) integrity and international confidentiality organisations Art. 16-21 data subjects’ rights Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner in relation to the data subject in relation to the data subject in relation to the data subject in relation to the data subject (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) Transparency Art. 12-15 data subjects’ rights, Art. 30 Records of processing

  6. What you need to know — Processing • Any operation […], such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or Asseco Poland destruction;[…] Art. 4 (2)

  7. The heart of the GDPR — The most important principles Lawfulness Fairness Art. 6 Legal Basis Art. 5.1 (b) purpose limitation Art. 9 Special categories Art. 5.1 (c) data minimisation of data Art. 5.1 (d) accuracy Art. 44-49 Transfer to Art. 5.1 (e) storage limitation third countries or Art. 5.1 (f) integrity and international confidentiality organisations Art. 16-21 data subjects’ rights Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner in relation to the data subject in relation to the data subject in relation to the data subject in relation to the data subject (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) à Sarion Bowers Transparency Art. 12-15 data subjects’ rights, Art. 30 Records of processing

  8. The heart of the GDPR — The most important principles Lawfulness Fairness Art. 6 Legal Basis Art. 5.1 (b) purpose limitation Art. 9 Special categories Art. 5.1 (c) data minimisation of data Art. 5.1 (d) accuracy Art. 44-49 Transfer to Art. 5.1 (e) storage limitation third countries or Art. 5.1 (f) integrity and international confidentiality organisations Art. 16-21 data subjects’ rights Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner in relation to the data subject in relation to the data subject in relation to the data subject in relation to the data subject (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) Transparency Art. 12-15 data subjects’ rights, Art. 30 Records of processing

  9. Purpose limitation — Stick to your promise! Beware: • Stay within scope of your communicated purposes at the time of collection Further • Should be “not incompatible” according to Art. 5.1 processing • May not be available under consent in all countries (See statements preparations for Swedish Research Act / p32: https://www.regeringen.se/rattsliga- dokument/statens-offentliga- utredningar/2017/06/sou-201750/ ) • Requires advance information (independent of the legal basis) • Responsibility to ensure by contract the adherence Data to the purpose limitation Sharing

  10. Data minimisation — What is minimal enough? Collection • Collect only what is needed — which can be a lot considering the determinants of health and disease are unknown Purpose • Where no directly identifying data is needed à pseudonymise or anonymise data • Data analysis plans should specify which data types are needed Access • Access only on a need basis, not by default • Delete data if no longer needed Retention — avoid data graveyards!

  11. Accuracy — Data needs to be accurate • We all aim for that!!! the-scientist.com

  12. Storage limitation — Nothing lasts forever! • Defined time point to be given • Alternative: criteria how long data will be kept • Independent of choice: needs to be told to the study participants • Beware: don’t forget your archiving obligations in the communication with the study participants What do you mean, we need to delete the data right after the project? What about archiving?

  13. Integrity — Avoid data corruption or data loss • Use checksums to test for corruption • Backups are important — we know that anyway! J

  14. Confidentiality — Art. 25 & 32: Organisational and technical measures • Technical security measures (pseudonymisation, encryption, access restriction, event logging, compliance monitoring, … ) • Policies • Training • Security clauses

  15. Data subjects’ rights: Articles 15 – 21 — Actions to be taken on demand of the data subject • Give access to data • Inform about every user and every project • Have data deleted or rectified – even from subsequent recipients • Withdrawal of consent or objection to A2jlab.org processing • Portability - transfer data to another processor or controller

  16. The heart of the GDPR — The most important principles Lawfulness Fairness Art. 6 Legal Basis Art. 5.1 (b) purpose limitation Art. 9 Special categories Art. 5.1 (c) data minimisation of data Art. 5.1 (d) accuracy Art. 44-49 Transfer to Art. 5.1 (e) storage limitation third countries or Art. 5.1 (f) integrity and international confidentiality organisations Art. 16-21 data subjects’ rights Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: Art. 5.1 Personal data shall be: (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner (a) processed lawfully, fairly and in a transparent manner in relation to the data subject in relation to the data subject in relation to the data subject in relation to the data subject (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) (‘lawfulness, fairness and transparency’) Transparency Art. 12-15 data subjects’ rights, Art. 30 Records of processing

  17. Art. 13 - 15: Information provision — “The data subject should never be surprised…” • Inform about: Identity and contact of controller, legal basis, purpose of processing, recipients, transfers outside the EU, source of the data, automated decision making, rights of the data subject • Important guidance from European Data Protection Board (EDPB) https://edpb.europa.eu/our-work-tools/our- documents/guideline/consent_en • Beware: EDPB states that ethics information must be separate from data protection information • Keep in mind: information obligation applies in the same way to your website privacy notes!!

  18. Record keeping following Art. 30.1 — Documentation is key under GDPR Content of processing records • Contact details of controller: representative and data protection officer • Purposes of the processing • Categories of data subjects and categories of personal data • Categories of recipients, in particular: recipients in third countries or international organisations • Transfers outside the EU including safeguards • Envisaged time limits for erasure of different categories of data • Description of technical and organisational security measures Problem for most institutions • Registries need to cover a wide field of activities: Personnel administration, teaching, research, …

  19. DAISY – a GDPR registry for research data Data Information System (DAISY)

  20. DAISY – a GDPR registry for research data Data Information System (DAISY)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Accountability and Governance evidence To what extent can an agreed RMP act as evidence

Accountability and Governance evidence To what extent can an agreed RMP act as evidence

RMPs and GDPR Accountability and Governance evidence To what extent can an agreed RMP act as evidence of compliance with GDPR obligations around accountability and governance? Article 5(2) Accountability Principle The

362 views • 13 slides
Property Accountability CW2 Mandee L. Mintz 4 th Brigade Property Book Officer Agenda

Property Accountability CW2 Mandee L. Mintz 4 th Brigade Property Book Officer Agenda

Property Accountability CW2 Mandee L. Mintz 4 th Brigade Property Book Officer Agenda Fundamentals of Property Accountability Assigning Responsibility Accountability & Inventory Basics Obtaining Relief from Responsibility

981 views • 68 slides
GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR Accountability measures: GDPR requires compliance and evidence of compliance: documented policies and procedures, records of consents etc.

355 views • 9 slides
Accountability, Responsibility and Robustness in Agent Organizations CILC 2019, Trieste Matteo

Accountability, Responsibility and Robustness in Agent Organizations CILC 2019, Trieste Matteo

Accountability, Responsibility and Robustness in Agent Organizations CILC 2019, Trieste Matteo Baldoni 1 , Cristina Baroglio 1 , Roberto Micalizio 1 1 Universit` a degli Studi di Torino - Dipartimento di Informatica, Torino, Italy Multiagent

663 views • 44 slides
Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

garjoh_canuck Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett Johnson (Boston U) Scott Shriver (U Colorado Boulder) GDPR Impact GDPR General Data Protection Regulation EU EEA Brexit GDPR

833 views • 27 slides
Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Presentation by Michalis Mantzaris, PhD Introduction to General Data Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does it apply? Consisting elements and Guideline provision Key changes and

605 views • 23 slides
Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

GENERAL DATA PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles of of GDPR How does it effect school How are school preparing How does it effect individual staff How can

475 views • 12 slides
Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require? How does an Australian business comply? Action Plan Section 1: GDPR is here Privacy in the digital age Historically, privacy was almost

513 views • 40 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Pathway of Responsibility What is responsibility? What is our responsibility personally

Pathway of Responsibility What is responsibility? What is our responsibility personally

Pathway of Responsibility What is responsibility? What is our responsibility personally and corporately? Definition - the state or job of being in charge of something and of making sure that what happens is right or satisfactory

1.08k views • 60 slides
GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont be scared 60% of people welcome the rights under GDPR 48% of UK adults plan to activate their rights 56% welcome the right to object to marketing

1.32k views • 37 slides
GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Advising, Monitoring, Enforcing European Data Protection Board Art. 68 - 73 (replacing the Art. 29 Working Party) advise Supervisory

626 views • 8 slides
GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the recruitment industry This webinar is provided for information purposes and is NOT intended to be legal advice pertaining to the subject matter. If you

617 views • 38 slides
Science Literacy for the Church Jack C. Swearengen ASA Conference July 2017 The Age of

Science Literacy for the Church Jack C. Swearengen ASA Conference July 2017 The Age of

Science Literacy for the Church Jack C. Swearengen ASA Conference July 2017 The Age of Disbelief NATIONAL GEOGRAPHIC March 2015 Climate Change does not exist Evolution never happened The Moon Landing was faked Vaccinations can

725 views • 25 slides
Brain Migration, Knowledge Spillovers and the Ethics of Public Private Partnerships A Canadian

Brain Migration, Knowledge Spillovers and the Ethics of Public Private Partnerships A Canadian

Brain Migration, Knowledge Spillovers and the Ethics of Public Private Partnerships A Canadian Workshop in Conjunction with the European Regional Economic Forum 2009 May 7, 2009 Westin Hotel 11 Colonel By Drive Ottawa, Canada Organized by: David

623 views • 33 slides
CS-5630 / CS-6630 Visualization for Data Science Set Visualization Alexander Lex

CS-5630 / CS-6630 Visualization for Data Science Set Visualization Alexander Lex

CS-5630 / CS-6630 Visualization for Data Science Set Visualization Alexander Lex alex@sci.utah.edu [xkcd] Design Workshop item1 : A item2 : A A item3 : A, B item4 : A, C item5 : A, B, C B item6 : B item7 : B, C C item8 : C

926 views • 63 slides
Patient Safety in Primary Care April 22-23, 2016, Prague www.equip2016.cz 49 th EQuiP Assembly

Patient Safety in Primary Care April 22-23, 2016, Prague www.equip2016.cz 49 th EQuiP Assembly

49 th EQuiP Assembly Meeting 2016 European Society for Quality and Safety in Family Practice Patient Safety in Primary Care April 22-23, 2016, Prague www.equip2016.cz 49 th EQuiP Assembly Meeting 2016, Prague Patient Safety in Primary Care

494 views • 30 slides
Systematical Parameterization, Storage and Representation of Volumetric DICOM Data for

Systematical Parameterization, Storage and Representation of Volumetric DICOM Data for

Systematical Parameterization, Storage and Representation of Volumetric DICOM Data for Visualization: 3D Presentation States (3DPR) Dr. M. Alper SELVER Dokuz Eylul University Electrical and Electronics Engineering Research Group FH-Juelich

471 views • 19 slides
Mining for Medical Relations in Research Articles: Training Models Hannes Berntsson Purpose

Mining for Medical Relations in Research Articles: Training Models Hannes Berntsson Purpose

Mining for Medical Relations in Research Articles: Training Models Hannes Berntsson Purpose Process and tag millions of medical abstracts and texts quickly. Save biomedical scientists decades of work. Goals Create a baseline

595 views • 13 slides
Innovation and Education M edical Use of Isotopes Patient Perspectives J osh M ailman NorCal

Innovation and Education M edical Use of Isotopes Patient Perspectives J osh M ailman NorCal

Innovation and Education M edical Use of Isotopes Patient Perspectives J osh M ailman NorCal CarciNET Community Disclosure NorCal CarciNET receives funding for educational and speaking events from AAA, Curium, IPSEN, Lexicon, Novartis, and

394 views • 13 slides
Inference Statistical inference Definition: Definition: The act or process of reaching

Inference Statistical inference Definition: Definition: The act or process of reaching

10/20/2016 Outline Statistics in medicine Inference Lecture 2: Hypothesis testing and inference Hypothesis testing Type I error Type II error Fatma Shebl, MD, MS, MPH, PhD Confidence interval Assistant Professor Chronic

187 views • 6 slides

More recommend