EU-GDPR The General Data Protection Regulation


EU-GDPR The General Data Protection Regulation Lucas Heymans, Higher Education Applications Product Strategy EMEA

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. Not all technologies identified are available for all cloud services.

Disclaimer
The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor's products or services.

Copyright 2017, Oracle and/or its affiliates. All rights reserved.

A quick history of the legislation:
- 25 Jan 2012: European Commission presents the initial proposal.
- 12 Mar 2014: First reading in the European Parliament.
- 15 Jun 2015: First reading in the European Council.
- 24 Jun 2015: Trilogue starts (10 meetings).
- 15 Dec 2015: Agreement between Commission, Council and the Parliament.
- 04 May 2016: Publication in the Official Journal of the EU.
- 25 May 2016: Regulation enters into force.
- We are here.
- 25 May 2018: Grace period is over. Application of the regulation.

From the Eurobarometer:
- 81% of Europeans feel that they do not have complete control over their personal data online; 31% think they have no control over it at all.
- 69% would like to give their explicit approval before the collection and processing of their personal data.
- Only 24% of Europeans have trust in online businesses such as search engines, social networking sites and e-mail services.
- Almost all Europeans say they would want to be informed, should their data be lost or stolen.
- A majority of people are uncomfortable about Internet companies using their personal information to tailor advertisements.
- 71% of Europeans feel that there is no alternative other than to disclose personal information if they want to obtain products or services.
- Around seven out of ten people are concerned about their information being used for a different purpose from the one it was collected for.

The Guardian 26 Feb 2017

GDPR: WHY? TRUST NEEDED
- Social networks
- Search engines / integrated databases
- Big Data
- Internet of Things
- Location-based services
- Customer profiling
- Cloud computing
- Foreign transfers
- Mass surveillance

The objective of GDPR is to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market.

ECHR (EVRM) Article 8: Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

IT Security, Data Protection and Privacy
- IT Security: the potential damage for the university (reputation, money, ...)
- Data Protection: the risk of varying likelihood and severity for the rights and freedoms of natural persons
A change of perspective: from the perspective of the university to the perspective of the data subject.

GDPR simplifies The GDPR introduces the concept of a one-stop shop

The Concept: Self Regulation
You decide which technical measures you implement, but you have to justify and document the measures.

GDPR Applies to all
Quite exceptional and unique: applicable to any organization
- in the EU that processes personal data
- outside of the EU that processes data of EU citizens (a person residing in the EU)

The GDPR widens the definition of personal data
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (NEW!)

The GDPR tightens the rules for obtaining valid consent to using personal information
- Explicit consent needed for each purpose, processing type, ...
- "... in a concise, transparent, intelligible and easily accessible form, using clear and plain language"
- "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." (Art. 7(4))
In general: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." Except with explicit consent, specific purposes or organizations etc.

More individual rights
- The right to be forgotten: do you have technology and procedures in place to execute?
- Data access, rectification or erasure
- Data portability: individuals can ask for a copy of their data in a structured, commonly used and machine-readable format
- Object to processing for direct marketing purposes and automated individual decision making: explicit, clear and separate communication on this kind of processing needed
- Information, e.g.:
  - about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  - about data transfer to third parties, access rights, correction rights, period of storage, controller & DPO contact details, ...
  - about the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

The GDPR requires privacy by design and by default
Privacy by design: "(...) implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
Privacy by default: "(...) implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."

The GDPR makes the appointment of a DPO mandatory for certain organisations
A Data Protection Officer needs to be appointed:
- an independent, competent and senior person
- shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
- is involved, properly and in a timely manner, in all issues which relate to the protection of personal data

The GDPR introduces mandatory Data Protection Impact Assessments

The GDPR expands liability beyond data controllers
The GDPR also covers any organisation that provides data processing services to the data controller, which means that even organisations that are purely service providers that work with personal data will need to comply with rules such as data minimisation.
"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures."

Notification of a personal data breach
- To the supervisory authority: "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (Art. 33)
- To the data subject: when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, "(...) without undue delay"
Details of the notification content are defined too.

Financial Times 18 May 2017

Administrative fines "(shall) be effective, proportionate and dissuasive."
Infringements "(shall) be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover (...) whichever is higher".

In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

Where to start?
- Appoint a DPO
- Start documenting and update your information portals
- Update your privacy procedures
- Use the technology that is available: e.g. masking, security, user access rights
- Rethink your consent practices
- Review your data processing agreements
- Work together, share: "Associations and other bodies representing categories of controllers or processors may prepare codes of conduct"
- Talk to your security colleagues about reporting breaches

An example from The Netherlands

An example from Finland
ONGOING ACTIONS:
1. Analyze the legal framework
2. Analyze the personal data processing activities
3. Identify and document privacy risks, including risks in agreements
4. Create and update necessary Data Protection Rules, Policies and Processes
5. Create the General Data Processing Agreement
6. Provide necessary infrastructure and services for the researchers and other employees
7. Create Communication Plans and Communicate
8. Create Data Protection and Data Security Training for employees
9. Handle Data Security and Data Breach Notification in 72 hours
10. Monitor compliance with the GDPR continuously
11. Report regularly to the University's Management

Just my opinion...
- Take this seriously
- But: universities are not THE target
- Proportionality is key: appropriate, sufficient, ... "the controller, taking account of available technology and the cost of implementation, shall take reasonable steps"
- Very balanced regulation: the public interest, common good, fundamental rights, logical and reasonable sense prevail. "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing (...) the controller (...) shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
- It's a journey, not a destination

In Summary...
- GDPR is about human rights, trust and the economy
- Raising the bar, but other legislation will follow
- The legislation is sometimes vague, but very reasonable
- There is a lot that you can do in 6 months
- Don't focus on the exception
- It is a forced but great opportunity to review your data protection and privacy practices
- It's a journey, not a destination
