Imran Ahmad
• Imran Ahmad is a partner at Miller Thomson LLP and specializes in the areas of cybersecurity, technology and privacy law.
• Works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches.
• Adjunct Professor of Cybersecurity Law at the University of Toronto
• Author of Canada’s first legal incident preparation and response handbook, A Handbook to Cyber Law in Canada (published in August 2017 by LexisNexis).
Glossary
• Data Controller: A person or body which, alone or jointly with others, determines the purposes and means of processing personal data.
• Data Processor: An entity which processes personal data on behalf of the controller.
• Data Subject: A natural person who can be identified or is identifiable, directly or indirectly.
• DPO: Data Protection Officer.
• Personal Data: Any information relating to an identified or identifiable natural person (a “data subject”).
• Supervisory Authority: National data protection authorities, empowered to enforce the GDPR in their own member state.
Roles – Controller vs Processor
• Controller says how and why personal data is processed
- Collects personal data
- Overall control of personal data
- Required to ensure that contracts with processors comply with GDPR
- Retains overall accountability for processing activities
• Processor acts on the controller’s behalf
- Required to maintain records of personal data and processing activities
- Conducts a PIA for its service offering (which will be reviewed and monitored by the Controller)
Enforcement
• Individuals
- Lodge a complaint against a Controller or Processor for non-compliance
- Right to a judicial remedy where the Supervisory Authority fails to deal with the complaint
- Right to compensation from the relevant Controller or Processor for damages
- Potential claim for non-pecuniary loss (e.g., distress)
- Potential class action exposure
• Administrative fines
- Tiered approach:
- Fines of up to €10,000,000 (or 2% of global annual turnover, whichever is higher); and
- Fines of up to €20,000,000 (or 4% of global annual turnover, whichever is higher).
• Other
- Supervisory Authorities have other enforcement powers:
- Demand information from a Controller or Processor
- Conduct data protection audits
- Issue warnings, compliance orders, temporary bans on processing, etc.
GDPR – In a Nutshell
GDPR – Extra-Territorial
• EU established organisations
• Non-EU established organisations, if:
- Offering goods and services within the EU; or
- Monitoring the behavior of EU data subjects
• Transfers of data outside the EU
- EU approved “adequacy” list
- EU-US Privacy Shield
• Key is to know exactly where your data is collected, transferred and stored
Source: AdProfs, available online at: <http://adprofs.co/beginners-guide-to-gdpr/>
Operational Considerations
1. Accountability
2. Privacy Structure – Data Protection Officer
3. Registers and Records
4. Legal Basis, Consent and Re-consenting*
5. Transparency
6. Information Rights Management
7. Third Party Risk Management*
8. Maintaining Business Effectiveness
9. Cross Border Data Transfers
10. Programme Delivery
Consent – Legal Requirements
Six (6) lawful bases for processing:
1. Consent
2. Performance of a contract
3. Compliance with a legal obligation
4. Vital interests of the data subject or another person
5. Performance of a task in the public interest or official authority of the controller (not open to most private companies)
6. Legitimate interests of the controller or a third party (not open to public authorities)
Consent – Legal Basis
• Selection of an appropriate legal basis is a critical business decision
- If the decision is found to be incorrect, the organisation may have to suspend processing or destroy data if a valid legal basis cannot be established
• Consent is invalid if an overriding legal basis applies (the processing will happen anyway, so the consent is not freely given)
- e.g. if a contract exists between the controller and the subject for the purpose of the processing, there is no point in asking for consent
- “Please can we have your consent to process your data to send you your goods?”
• Consent is also invalid if asked for and withheld – no second attempts!
• Try to find another legal basis first (and if one exists, it may negate the use of consent)
• Accountability
✓ Commitment
✓ Leadership
✓ Committee
✓ Roles/Responsibility
• Governance
✓ Confirm DPO Needs
✓ Governance
✓ Document*
• Awareness / Assessment
✓ Educate
✓ Training
✓ Assess PII
✓ Locate
✓ Data Map
✓ Assess the Gaps
• Data Security
✓ Data Control
✓ Data Preservation
✓ Data Destruction
✓ Policies/Procedures
✓ Document*
• Compliance
✓ Data Subject Access Requests (DSAR)
✓ Update Privacy Notices
✓ Data Breach Response Plan
✓ Establish deliverables (quarterly) & ongoing evaluations/audit
*GOAL is data minimisation
Questions?