Robert Bond Partner, Commercial/IP/IT

Transcription:

Using Privacy Impact Assessments Effectively
robert.bond@bristows.com

Robert Bond, Partner, Commercial/IP/IT
BA (Hons) Law, Wolverhampton University
Qualified as a Solicitor 1979
Qualified as a Notary Public 1989
Companion of the British Computer Society
Certified Compliance & Ethics Professional

Robert Bond has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. He is a recognised legal expert and author in the fields of IT, e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is Chairman of the Data Protection Network, Trustee of the UK Safer Internet Centre, a member of the Data Privacy Advisory Group to the United Nations, a member of the Board of TAPESTRY (Trust, Authentication and Privacy over a DeCentralised Social Registry) and is an Ambassador for Privacy by Design.

Experience
- Assisting clients in the financial services, life sciences, technology and retail sectors on a range of international regulatory and compliance issues
- Advising major medical device and pharmaceutical multinationals on data incidents
- Negotiating and drafting technology contracts for large and medium-sized providers with customers
- Acting for numerous multinationals on GDPR and global data protection compliance issues
- Representing digital media companies as well as computer games companies on a range of commercial and online matters

40 years ago we didn't have: Telex, email, Internet, mobiles, fax, Big Data, social media, tablets, IoT, AI, cloud, websites, drones, blogs, CAV, smart cities.

Data Protection Impact Assessment (DPIA): What and Why?
- A DPIA is a process which helps assess privacy risks to individuals in the collection, use and disclosure of personal information
- Not mandatory, but promotes good practice
- A DPIA identifies privacy risks and improves transparency

Projects that may require a DPIA:
- A new IT system for storing and accessing personal data
- Using existing data for a new and unexpected purpose
- A new database acquisition
- Corporate restructuring
- Monitoring in the workplace

A right to know and assess privacy impacts
"People have a right to know if new technologies or services will intrude upon their privacy and human rights just as they have a right to know about the quality of the water they drink or the impact upon the environment of a new chemical production factory." Trilateral Research & Consulting 2013 (EU PIA Framework)

What is a DPIA?
"A process for assessing the impacts on privacy of a project, technology, service, policy or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise the negative impacts. A PIA is about identifying risks and finding solutions, not simply producing a report that demonstrates compliance." Trilateral Research & Consulting 2013 (EU PIA Framework)

ICO Guidance on PIA
- A way of complying with data protection obligations
- A method of good practice
- Can reduce costs
- Publish where appropriate
- Promotes trust

ISO 22307:2008
1. recognizes that a privacy impact assessment (PIA) is an important financial services and banking management tool to be used within an organization, or by contracted third parties, to identify and mitigate privacy issues and risks associated with processing consumer data using automated, networked information systems.

The General Data Protection Regulation: Data Protection Impact Assessments and Prior Consultations (Articles 33)
- Required where using new technologies and where there are potentially high risks for individuals' privacy rights
- The DPO is to consult with the DPA where risks are particularly high

The General Data Protection Regulation: Privacy impact assessments
DPIAs will become mandatory in the following cases:
- A systematic and extensive evaluation of personal aspects of natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects on the individual or similarly affect the individual
- Processing on a large scale of special categories of data or data relating to criminal offences
- Systematic monitoring of publicly accessible areas on a large scale
DPAs will publish a list of when a DPIA is required or not required.

Data Protection Impact Assessment (DPIA): WP29 Guidance

DPIA process
1. Identify need for a DPIA
2. Describe information flows
3. Identify privacy risks
4. Identify privacy solutions
5. Record DPIA outcomes, and sign-off
6. Integrate DPIA outcomes into project plan

Step 1: Identify need for a DPIA
1. What does the project or action hope to achieve?
2. Will new personal data be processed?
3. What choice will individuals have regarding their data?
4. Will human rights be impacted?
5. How intrusive will the technology be?
6. Is the processing of data proportionate?
7. Will the project have the potential to disadvantage individuals?
8. If you conclude no DPIA is necessary, explain why!

Step 2: Describe information flows
1. How will information be obtained, used and retained?
2. Identify potential function creep (more use of personal data than might be expected)
3. Ensure all people using such data focus on the practical implications
4. How, what, when, where and why will personal data be processed?

Step 3: Identify privacy risks
1. Record the risks to individuals, including privacy intrusion
2. Assess corporate and reputational risks
3. Conduct a compliance audit against applicable laws and regulations
4. Maintain a record of the identified risks

Step 4: Identify privacy solutions
- Devise ways to eliminate privacy risks
- Assess the costs and benefits of each solution
- Consider how each solution reduces privacy risks
- Consider how each solution impacts upon the project

Step 5: Record DPIA outcomes, and sign-off
1. Record the outcome of the DPIA and the methodology used
2. Obtain sign-off from an authorised officer
3. Make the DPIA Report available as necessary to key stakeholders

Step 6: Integrate DPIA outcomes back into the project
1. Ensure that the outcomes of the DPIA Report are implemented
2. Ensure that the DPIA is a living document and is consulted during the lifecycle of the project
3. Integrate any lessons learned from the DPIA into a DPIA Policy and Handbook

DPIA Policy and Handbook
1. Create a Policy
2. Create a Handbook
3. Train and train again!

How to make legitimate interests "legitimate"?

How to make legitimate interests legitimate: Guidance on the use of Legitimate Interests under GDPR
- The EU Data Protection Directive (95/46/EC) includes Legitimate Interests as a lawful ground for processing
- The EU General Data Protection Regulation sets out 6 lawful grounds for processing, of which Legitimate Interests is one
- Under Article 6(1)(f), processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.
- Under Recital 47, the legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a Third Party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Processing needs a legal basis:
- Consent
- Contractual
- Legal obligation
- Vital interests
- Public task
- Legitimate interests

There is no hierarchy of grounds for lawful processing, but different legal grounds carry different duties, and Controllers must be transparent about which basis they rely upon.

How to make legitimate interests legitimate: Guidance on the use of Legitimate Interests under GDPR
Recitals 47 to 50 in the GDPR give some examples of when a Controller may be able to rely on Legitimate Interests:
1) DIRECT MARKETING - processing for direct marketing purposes under Legitimate Interests is specifically mentioned in the last sentence of Recital 47.
2) REASONABLE EXPECTATIONS - where individuals have a reasonable expectation that the Controller will process their Personal Data, subject to the balancing test.
3) RELEVANT & APPROPRIATE RELATIONSHIP - where there is a relevant and appropriate relationship between the individual and the Controller, in situations where the individual is a client or in the service of the organisation. Examples of this would include (i) if an individual had recently (within the last 2 years) purchased goods or services from the Controller or donated to an organisation, or (ii) where the individual was a member of staff of the Controller.
4) STRICTLY NECESSARY FOR FRAUD PREVENTION - where the processing is strictly necessary for the purpose of preventing fraud. This could include verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder's normal place of residence or work.
5) ORGANISATIONAL - where Controllers that are part of an organisational group, or institutions affiliated to a central body, transmit Personal Data within that organisational group or to the central body. However, the rules on transferring Personal Data to a country outside Europe must be complied with if this is relevant.
6) NETWORK & INFORMATION SECURITY - where the processing of Personal Data is strictly necessary and proportionate for the purposes of ensuring network and information security. An example of this would be monitoring authorised users' access to a Controller's computer network for the purpose of preventing cyber-attacks.

If a Controller wishes to rely on Legitimate Interests for processing Personal Data it must carry out an appropriate assessment, which we have called a Legitimate Interests Assessment, or LIA. When carrying out an assessment, the Controller must balance its right to process the Personal Data against the individuals' data protection rights. In certain circumstances an LIA may be straightforward. However, under the accountability provisions of the GDPR, the Controller must maintain a written record that it has carried out an LIA and the reasons why it came to the conclusion that the balancing test was met.

Legitimate Interests may be considered where:
- another legal basis is not available due to the nature and/or scope of the proposed processing; or
- there are a number of legal bases that could be used but Legitimate Interests is the most appropriate.

Questions?
Thank you

Bristows LLP
100 Victoria Embankment
London EC4Y 0DH
T +44(0)20 7400 8000

This document is for information purposes only and any statements or comments it contains relating to matters of law are not intended to be acted on, or relied upon, without specific legal advice on the matters concerned. To the fullest extent permitted by law, we disclaim all liability and responsibility for any reliance on the statements or comments contained in this document. Bristows LLP is a limited liability partnership registered in England under registration number OC358808 and is authorised and regulated by the Solicitors Regulation Authority (SRA Number 44205).