How GDPR will change Personal Data Control and Affect Everyone
SCCE Processors and GDPR
1. EU General Data Protection Regulation and Processors
Robert Bond, BA, CCEP
2. Robert Bond, CCEP
Partner
“astounding” – Legal 500, 2015
“absolutely exemplary” and the fact that his knowledge of data protection law is “astounding, and his application equally impressive.” – Chambers UK, 2016
Robert Bond has over 37 years’ experience in advising national and international clients on all of their technology, data protection and cyber law requirements. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks.
He is Secretary of the Board of SCCE, Chairman of the Big Data Governance committee of Tech UK and a member of the United Nations Data Privacy Advisory Group. He is an Ambassador for Privacy by Design.
rtjbond@icloud.com
3. GDPR and Processors: Today’s topics
14 January 2017
• Current EU law
• Overview of GDPR
• Controllers and processors
• Contractual needs
• Use of sub-processors
• Role of DPO
• Trans border data flows
• Due diligence
4. Quick recap: Key definitions
Data Controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Personal data: Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Data Subject: An individual who is the subject of personal data.
5. Quick recap: Key definitions
Sensitive personal data: Racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health condition, sexual life, criminal offences.
Processing: Recording or holding the information or data, or carrying out any operation or set of operations on the information or data.
DPA / Supervisory Authority: Tasked with the protection of personal data and privacy, and takes enforcement action against those who do not comply with the data protection law.
Privacy Impact Assessment: A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data (DPA).
6. Quick recap: Key principles
8 key principles of DP law: personal data must…
• Be processed fairly and lawfully
• Only be processed for one or more specified and lawful purposes and not further processed in a manner incompatible with those purposes
• Be adequate, relevant and not excessive
• Be accurate and, where necessary, kept up-to-date
• Not be processed for longer than is necessary
• Be processed in accordance with data subjects’ rights
• Be protected by appropriate technical and organisational security measures
• Not be transferred outside of the EEA unless that country ensures an adequate level of protection for personal data
7. General Data Protection Regulation
Scope of regime:
• Wider definition of Personal Data
• All organisations
• Pan-European (no local legislation)
• Extra-territorial application
8. General Data Protection Regulation
• Documentation
• Breach notification – Regulator & Data subject
• Privacy Impact Assessments
• Compulsory DPOs
• Certifications and seals
• International transfers
• One-stop shop regulation
• Cooperation and consistency
• EU Data Protection Board
• Fines
• Sector exemptions – e.g. Media & Health
• Definitions of Personal data
• Consent
• Children’s (Parental) consent
• Information
• Data Subject rights & access
• Right to be forgotten
• Data portability
• Controller and Processor responsibilities
• Data protection by design and default
• Designation for non-EU controllers
9. Preparing for GDPR: Applicability – New law
• Applies to controllers and processors established in EU
• Applies to any controller and processor not located in the EU where the processing activities are related to:
  – The offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or
  – The monitoring of their behaviour as far as their behaviour takes place within the EU
10. Preparing for GDPR: Representatives of controllers / processors not established in the EU
• Controllers or processors not established in the EU but where Article 3(2) applies must designate in writing a representative
• Representative must be established in a member state where the data subjects whose data are being processed by the controller or processor are located (or where most of them are located)
• All DP issues from data subjects / data protection authority should be addressed to the representative
• The designation of the representative does not affect the responsibility and liability of the controller or processor under the Regulation
11. GDPR and processors – overview
• Controller must ensure processor will comply with GDPR
• Must be an appropriate contract between controller and processor
• Processor must have adequate information security
• Processor must not use sub-processors without consent of the controller
• Processor must co-operate with the relevant DPA
• Processor must report data breaches to controller without delay
• Processor may need to appoint a DPO
• Processor must keep records of processing activities
• Processor must comply with EU trans border transfer rules
• Processor must help controller comply with data subject rights
• Processors are directly liable for non-compliance
12. Contractual needs
• Documented instructions
• Confidentiality
• Information security
• Control of sub-processors
• Measures to help controller comply with data subject rights
• Co-operation with controller and DPA
• Destruction or return of data at end of contract
• Provide controller with evidence of GDPR compliance
13. Use of sub-processors
• No use of sub-processors without consent of controller
• Any third party processing personal data for a processor is a sub-processor
• Sub-processors must be contractually controlled
• Controllers are likely to do considerable due diligence
14. DPO: Data Protection Officers / Notifications – New Law
• Notifications abolished
• Applies to both controllers and processors
• Mandatory requirement for:
  – Public authorities
  – Where the core activities…consist of processing operations which, by virtue of their nature, scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  – Where the core activities…consist of processing on a large scale of special categories of data and data relating to criminal offences
15. DPO: Data Protection Officers / Notifications – New Law
• Possible to have one DPO for a group of undertakings provided that the DPO is ‘easily accessible from each establishment’
• DPO can be a member of staff or on a service contract
• Contact details of DPO must be provided to the supervisory authority
• DPO must have ‘expert knowledge of data protection law and practices’
• Must be ‘independent’
• Must report to the ‘highest management level’
16. Tasks of DPO
• Inform and advise the controller or processor and the employees who are processing personal data of their obligations under the Regulation
• Monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising of staff involved in processing operations and the related audits
• Provide advice where requested as regards data protection impact assessments
• Co-operate with the relevant data protection authority (DPA)
• Act as a contact point for the DPA, in particular in relation to prior consultations referred to in Article 34
17. Trans border data flows: Data Transfers – New Law
• Safe Harbor
• Privacy Shield
• European Commission approved Model Contract Clauses
• Binding Corporate Rules
• Consent (although precarious to rely on)
• Codes of Conduct (Article 38)
• Certifications / Seals (Article 39)
18. Data Subject Rights: Data subjects’ rights – New Law
• Information (Art 14)
• Access (Art 15)
• Rectification (Art 16)
• Erasure (right to be forgotten) (Art 17)
• Restriction of processing (Art 17a)
• Data portability (Art 18)
• Object (Art 19)
• Automated decision making / profiling (Art 20)
19. Enforcements and fines: Sanctions for non-compliance – New Law
Two levels of fines…
• Up to the greater of 2% annual worldwide turnover of preceding financial year or EUR 10 million – for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default
• Up to the greater of 4% annual worldwide turnover of preceding financial year or EUR 20 million – for matters re breaching data protection principles, conditions for consent, data subjects’ rights and international data transfers
20. Due diligence
• GDPR compliance
• Data Protection audit
  – Do they process personal data and sensitive data?
  – What are their data flows?
  – What are their information security policies & procedures?
  – Have they had any breaches – notified or not?
  – Have they been audited by a DPA?
  – Who is their DPO?
• Document data processing activities
  – Data processing map – intra group and third parties
  – Do they claim any ownership of personal data?
  – Retention and destruction practices
  – Use of sub-processors
• Review policies & procedures
  – Data breach response policy and procedures
  – Data sharing policy and procedures
  – Vetting of staff
  – Information security and cyber risk
  – Training
21. Processors should…
• Carry out a compliance assessment
• Rewrite their terms of business
• Audit their sub-processors
• Review their insurance
• Address data transfer solutions
• Consider if they are a processor and/or a controller
• Assess their policies & procedures
• Decide if a DPO is necessary
• Anticipate their customers’ needs
• Put in place staff training