MyComplianceOffice presents our Oct 26th webinar, “Prepare Your Firm for GDPR”, co-hosted by MCO and Emily Mahoney, a Technology Lawyer at Mason Hayes & Curran
10 themes
• Territorial Scope
• Financial exposure
• Consent
• Transparency
• Data protection impact assessments
• Data protection officer
• Security
• Data processors
• Accountability
• Data subject rights
Data Protection reform - background
• Current data protection rules:
• based upon 1995 EU Directive
• implemented separately in national laws
• not fully harmonised
• ‘GDPR’ = General Data Protection Regulation
• will apply directly in all Member States
• replaces 1995 Directive
• comes into effect 25 May 2018
Data Protection principles
• Same basic concepts and principles, but generally tighter controls and greater emphasis on data subject rights
• Fair, lawful and transparent processing
• Purpose limitation
• Data minimisation
• Accuracy
• Data retention
• Data security
• Accountability
Poll: How many of you are based in the EU or outside the EU?
1 – Expanded Territorial Scope
• Territorial scope significantly expanded under GDPR to cover:
• offering goods or services to EU-based individuals; and
• “monitoring the behaviour” of EU-based individuals.
• GDPR will directly apply to FS firms and fintechs “established” in EU
• GDPR may directly apply to:
• FS firms and fintechs established outside the EU (e.g. in Singapore) if they target or offer services to EU-based individuals
2 – Increased financial exposure
• Current rules across the EU differ – DPC cannot directly impose fines
• Significant fines due under GDPR:
o up to €10m or 2% of total worldwide annual turnover = breaches of obligations of the controller
o up to €20m or 4% of total worldwide annual turnover = breaches of obligations including the basic principles for processing (inc. consent), the data subjects’ rights and data transfers
• GDPR contains a list of factors for determining level of fine (repeat offenders etc.)
• Data subject claims:
o explicit right to compensation for damage, both material and non-material (pecuniary loss?)
o possible joint and several liability
3 - Narrower interpretation of consent
• Consent is more tightly defined
― a statement or clear affirmative act required
― distinct consent for each operation
• Must prove you obtained consent
• Consent separate from terms and conditions
• Must be as easy to withdraw as it is to give it
4 - Increased transparency
• Must have a transparent, clear, concise and easily accessible privacy policy
• Intelligible language adapted to data subjects
• More information, e.g.:
― legal basis
― any specific legitimate interest relied upon
― how long you will keep data
― profiling, logic involved and effects
― implement appropriate technical / organisational measures
• Notice for further processing
5 -Data Protection Impact Assessments
• Must do a documented DPIA if high risk processing, e.g.
― systematic and extensive automated evaluation with legal effect on, or similarly significant effect on, data subjects
― large scale processing of sensitive data
― evaluation or scoring, including profiling and predicting
• Where appropriate, seek the views of data subjects’ representatives
• Exclusion if based upon law that specifically regulates processing operations and DPIA already carried out for that law
• May have to seek relevant data protection commissioner opinion if DPIA shows high risks not mitigated
6 - Data Protection Officer
• Financial institutions/fintechs may need to appoint a DPO if:
• large scale processing of sensitive data; or
• by virtue of processing, requires regular and systematic monitoring of data subjects on a large scale
• Must be expert in data protection laws and practices
• Report directly to highest management level; be properly involved with all activities dealing with personal data
• Must provide DPO with sufficient resources
• Can be group DPO
• Can perform other tasks provided no conflict of interest
• Protected role – cannot be removed or penalised for performing tasks
• Can be outsourced
7 - Security
• New security obligations: optional?
o Pseudonymisation and encryption
o Confidentiality, integrity, availability and resilience of IT systems
o Restore availability and access
o Testing of security measures
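Pseudonymisation, the first measure on the list above, is often misunderstood as plain hashing. The following added example (not from the webinar or MCO's platform) shows the defender's version: direct identifiers in a constructed customer dataset are replaced with keyed HMAC tokens, and the key and the token-to-identifier table are assumed to be held in a separate system from the working data.

```python
import hmac
import hashlib

# Constructed sample records (not real people). customer_id and email are the
# direct identifiers; country and balance are the attributes kept for analysis.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "IE", "balance": 1200},
    {"customer_id": "C-1002", "email": "bob@example.com", "country": "SG", "balance": 340},
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "IE", "balance": 1250},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value, key):
    """Keyed HMAC-SHA256 token for one identifier.

    Same key and same input give the same token, so all records about one
    person stay linkable for analysis. A plain unkeyed hash would not do: an
    email address is guessable, so anyone could recompute the token from a
    candidate address; with HMAC that needs the key, which is held elsewhere.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key, fields=DIRECT_IDENTIFIERS):
    """Return (working_dataset, reidentification_table).

    The working dataset carries tokens only. The table mapping tokens back to
    identifiers (and the key) must live in a separate system with its own
    access control; if they sit beside the data it is not pseudonymisation.
    """
    working, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in fields:
            if field in out:
                token = pseudonym(out[field], key)
                lookup[token] = out[field]
                out[field] = token
        working.append(out)
    return working, lookup


def reidentify(record, lookup, fields=DIRECT_IDENTIFIERS):
    """Reverse the mapping with the separately held table, e.g. when an
    authorised team answers a subject access or erasure request."""
    return {f: lookup.get(v, v) if f in fields else v for f, v in record.items()}
```

Generate the key once (for example with `secrets.token_bytes(32)`) and keep it, together with the lookup table, outside the environment that holds the working dataset.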
7 - Security breach
• Notify DPC without undue delay and, where feasible, within 72 hours, unless unlikely to result in a risk
• Processor must notify controller without undue delay
• Must notify data subjects if likely to result in a high risk to privacy / rights (with some exceptions)
• Must document breaches
• Should have security breach response plan in place
• Dual notification requirement may exist depending on the security breach – NCSC & DPC
8 – Data processors
• Obligations for data processing agreements significantly expanded
• The contract must now include:
• the subject matter and duration of the processing
• the nature and purposes of the processing
• the type of personal data
• the categories of data subjects
• Additional obligatory provisions include that the processor:
• makes information available to demonstrate compliance
• contributes to audits and inspections
• assists the controller regarding access requests, DPIAs and security breaches
Poll: What is the correct definition of personal data under the GDPR?
9 - Accountability
• Data controllers (DC) and data processors (DP) must document all processing activities, e.g.:
― categories of data subjects, recipients and data
― data transfers (including details of safeguards)
― retention / erasure period
― general description of security measures (if possible)
• DC also must document purposes and (indirectly) legal bases
― AML Documentation
• Should be consistent with privacy policy
• Privacy by design/default
10 - Data subject rights
• Right of restriction
• accuracy contested or processing unlawful
• no longer needed for original purpose, but necessary to establish, exercise or defend legal rights
• pending verification where individual objects
• Right to erasure – ‘right to be forgotten’
• Variety of situations where individuals can request erasure
• Subject access requests
• Changes to cost, timelines and ability to refuse requests (Right to charge or refuse request if “manifestly unfounded or excessive”)
• Right to data portability
• Provide certain data in a machine-readable format
• only applies if processing is legitimised based upon consent or performance of a contract
• Right of rectification
10 - Data subject rights
• Right to object
― applies if processing relies on the legitimate interest or public interest basis
― must then show overriding compelling legitimate grounds
• Must inform data subject of right to object
― explicitly brought to their attention
― present clearly and separately from other information
Key points
• Core principles broadly the same, but tighter controls
• Greater accountability and shift in burden of proof
• Increased records and compliance burden
• Increased financial exposure
• Broader data subject rights
• 7 months to get it right, but time to start preparing is now
What to do now – step 1 (what are we doing)?
• Data mapping exercise
― data flows and disclosures
― purpose and legitimisation mapping
• Audit of data transfers (remember Brexit)
• Audit of data related contracts
• GDPR gap analysis and prioritisation
What to do now – Step 2 (moving forward)?
• Use gap analysis to decide on key action points
• Create internal accountability records
• Update internal / external policies & contracts
• Create any necessary new policies and templates, eg
― privacy by design / default playbook
― DPIA protocol and templates
― security breach response plan
• Appoint DPO
• Education
MCO Platform
• Manage by alerts not reports
• Dashboards deliver greater oversight
• Custom questionnaire builder
• Continuous updates to the software
• Enhanced control
• 100% data capture
• 24/7/365 support
• Scalable into the future
As we’ve seen at the start of the webinar, poor management of your risk and compliance program can be very expensive for the organization and indeed for the individuals concerned! MyComplianceOffice has been developed and refined to help you synchronize the demands of the regulators with the needs of the organization, and we do this through a range of integrated software modules that will automate and control your risk and compliance program.
Risk and compliance management is a tough job and it is not easy to keep an organization compliant; one look at the fines tells us all about that. MCO can help you to automate your third party and vendor risk management program, your employee compliance program, your firm’s trading, and your customer management. This covers a very broad range of activities, from employee trade management to gifts and entertainment and outside business activities, and from vendor on-boarding to risk assessments and on-going due diligence. It is our job to enhance your reputation through better risk and compliance management across the board.
If that sounds like something that you can benefit from, please let us know.