MyComplianceOffice presents our Oct 26th webinar, “ Prepare Your Firm for GDPR", co-hosted by MCO and Emily Mahoney a Technology Lawyer at Mason Hayes & Curran

1. Prepare your firm for GDPR
Thursday, October 26, 2017

2. Emily Mahoney
Technology Lawyer
Mason Hayes & Curran

3. 3
10 themes
• Territorial Scope
• Financial exposure
• Consent
• Transparency
• Data protection impact assessments
• Data protection officer
• Security
• Data processors
• Accountability
• Data subject rights

4. 4
Data Protection reform - background
• Current data protection rules:
• based upon 1995 EU Directive
• implemented separately in national laws
• not fully harmonised
• ‘GDPR’ = General Data Protection Regulation
• will apply directly in all Member States
• replaces 1995 Directive
• comes into effect 25 May 2018

5. 5
Data Protection principles
• Same basic concepts and principles but generally tighter controls and
greater emphasis on data subject rights
• Fair, lawful and transparent processing
• Purpose limitation
• Data minimisation
• Accuracy
• Data retention
• Data security
• Accountability

6. How many of you are based in
the EU or outside the EU?

7. 7
1 – Expanded Territorial Scope
• Territorial scope significantly expanded under GDPR to cover:
• offering goods or services to EU-based individuals; and
• “monitoring the behaviour” of EU-based individuals.
• GDPR will directly apply to FS firms and fintechs “established” in EU
• GDPR may directly apply to:
• FS firms and fintech established outside EU, i.e. Singapore if they target or offer services to EU-based individuals

8. 8
2 – Increased financial exposure
• Current rules across the EU differ – DPC cannot directly impose fines
• Significant fines due under GDPR:
o up to €10m or 2% of total worldwide annual turnover =
 breaches of obligations of controller
o up to €20m or 4% of total worldwide annual turnover =
 breaches of obligations including the basic principles for processing (inc. consent), the data subjects’ rights
and data transfers
• GDPR contains a list of factors for determining level of fine (repeat offenders etc.)
• Data subject claims:
o explicit right to compensation for damage, both material and non-material (pecuniary loss?)
o possible joint and several liability

9. What is a data controller?

10. 10
3 - Narrower interpretation of consent
• Consent is more tightly defined
― a statement or clear affirmative act required
― distinct consent for each operation
• Must prove you obtained consent
• Consent separate from terms and conditions
• Must be as easy to withdraw as it is to give it

11. 11
4 - Increased transparency
• Must have transparent, clear, concise and easily accessible
privacy policy
• Intelligible language adapted to data subjects
• More information, e.g.:
― legal basis
― any specific legitimate interest relied upon
― how long you will keep data
― profiling, logic involved and effects
― implement appropriate technical / organisational measures
• Notice for further processing

12. 12
5 -Data Protection Impact Assessments
• Must do a documented DPIA if high risk processing, eg
― systematic and extensive automated evaluation with legal effect / similarly significant affects DS
― large scale processing of sensitive data
― evaluation or scoring, including profiling and predicting
• Where appropriate, seek views of data subjects representatives
• Exclusion if based upon law that specifically regulates processing operations and DPIA already carried out for that law
• May have to seek relevant data protection commissioner opinion if DPIA shows high risks not mitigated

13. 13
6 - Data Protection Officer
• Financial institutions/Fintechs may need to appoint a DPO
• large scale processing of sensitive data; or
• by virtue of processing, requires regular and systematic monitoring of data subjects on a large scale
• Must be expert in data protection laws and practices
• Report directly to highest management level; be properly involved with all activities dealing with personal data
• Must provide DPO with sufficient resources
• Can be group DPO
• Can perform other tasks provided no conflict of interest
• Protected role – cannot be removed or penalised for performing tasks
• Can be outsourced

14. 14
7 - Security
• New security obligations: optional?
o Pseudonymisation and encryption
o Confidentiality, integrity, availability and resilience of IT systems
o Restore availability and access
o Testing of security measures

15. 15
7 - Security breach
• Notify DPC without undue delay and, where feasible, within 72 hours, unless unlikely to result in a risk
• Processor must notify controller without undue delay
• Must notify data subjects if likely to result in a high risk to privacy / rights (with some exceptions)
• Must document breaches
• Should have security breach response plan in place
• Dual notification requirement may exist depending on the security breach – NCSC & DPC

16. 16
8 – Data processors
• Obligations for data processing agreements significantly expanded
• The contract must now include:
• the subject matter and duration of the processing
• the nature and purposes of the processing
• the type of personal data
• the categories of data subjects
• Additional obligatory provisions include that the processor:
• makes information available to demonstrate compliance
• contributes to audits and inspections
• assists the controller regarding access requests, DPIAs and security breaches

17. What is the correct definition of personal
data under the GDPR?

18. 18
9 - Accountability
• DC / DP must document all processing activities, e.g.:
― categories of data subjects, recipients and data
― data transfers (including details of safeguards)
― retention / erasure period
― general description of security measures (if possible)
• DC also must document purposes and (indirectly) legal bases
― AML Documentation
• Should be consistent with privacy policy
• Privacy by design/default

19. 19
10 - Data subject rights
• Right of restriction
• accuracy contested or processing unlawful
• no longer needed for original purpose, but necessary to establish, exercise or defend legal rights
• pending verification where individual objects
• Right to be erasure – ‘right to be forgotten’
• Variety of situations where individuals can request erasure
• Subject access requests
• Changes to cost, timelines and ability to refuse requests (Right to charge or refuse request if “manifestly unfounded or excessive”)
• Right to data portability
• Provide certain data in a machine-readable format
• only applies if legitimised based upon consent or performance of a contrac
• Right of rectification

20. 20
10 - Data subject rights
• Right to object
― applies if use legitimate interest or public interest test
― must then show overriding compelling legitimate grounds
• Must inform data subject of right to object
― explicitly brought to their attention
― present clearly and separately from other information

21. 21
Key points
• Core principles broadly the same, but tighter controls
• Greater accountability and shift in burden of proof
• Increased records and compliance burden
• Increased financial exposure
• Broader data subject rights
• 7 months to get it right, but time to start preparing is now

22. 22
What to do now – step 1 (what are we doing)?
• Data mapping exercise
― data flows and disclosures
― purpose and legitimisation mapping
• Audit of data transfers (remember Brexit)
• Audit of data related contracts
• GDPR gap analysis and prioritisation

23. 23
What to do now – Step 2 (moving forward)?
• Use gap analysis to decide on key action points
• Create internal accountability records
• Update internal / external policies & contracts
• Create any necessary new policies and templates, eg
― privacy by design / default playbook
― DPIA protocol and templates
― security breach response plan
• Appoint DPO
• Education

24. Emily Mahoney
Technology Lawyer
Mason Hayes & Curran

25. 25
GDPR – What it means in Practice

26. Q&A

27. 27
MCO Platform
• Manage by alerts not reports
• Dashboards deliver greater oversight
• Custom questionnaire builder
• Continuous updates to the software
• Enhanced control
• 100% data capture
• 24/7/365 support
• Scalable into the future

28. 28
Contact
MyComplianceOffice
Email: advance@mycomplianceoffice.com
Website: https://mco.mycomplianceoffice.com
emahoney@mhc.ie
Emily Mahoney
+353 1 614 2396
MCH.ie

29. Thank You