
Three things you have always wanted to know about GDPR but were afraid to ask

Marc Dautlich and Kathryn Wynn
Thursday 9 February 2017

Today’s agenda

GDPR and Brexit

Three questions
1. How do we know whether a product or project is ‘high risk’ under GDPR?
2. What does ‘privacy by design’ mean?
3. Transparency: is there a case for an industry-wide approach?

GDPR AND BREXIT

One Regulation to rule them all…
• Biggest shake-up of European Data Protection Law in over 20 years.
• Published in the Official Journal on 4 May 2016
• Directly binding on Member States without any requirement for implementation into national law (in contrast to the 1995 Directive and the DPA)
• Aims to harmonise the law on data protection, but there are a number of areas where Member States have discretion
• Came into force in all EU Member States on 24 May 2016, and shall apply from 25 May 2018

GDPR objectives
• A single set of rules on data protection, valid across the EU
• Strengthened data protection rights give people more control over their personal data
• Make it easier for firms to work across borders, by ensuring that the same rules apply in all EU member states

BUT
• “...a more prescriptive approach will not necessarily bring about better data protection” - ICO, April 2012

Some of the key changes
• Breach notification
• Fines: €20m / 4% or €10m / 2%
• Definition of personal data
• Consent
• Data protection officers
• Profiling
• Data processor obligations
• Compensation
• Territory
• Privacy impact assessments
• Right of erasure

The DPA: basic concepts
Where have the DPA principles gone?

Fairness (Principle 1)
• Processing must be fair and lawful
• No unwarranted prejudice

Transparency (Principle 2)
• Purpose limitation
• Fair processing / data protection notices and privacy

Choice (Principles 1-2)
• Consent: specific, fully informed and freely given
• Right to object to certain types of processing

Individual rights (Principle 6)
• Access to personal data
• Right to compensation

Data quality (Principles 3-5)
• Accurate and up-to-date
• Adequate, relevant and not excessive
• Not kept for longer than is necessary

Security (Principles 7-8)
• Appropriate security measures
• Adequate protection for transfers outside the EEA

The three questions
1. How do we know whether a product or project is ‘high risk’ under GDPR?
2. We have heard that ‘privacy by design’ is key to compliance - what does ‘privacy by design’ mean?
3. Transparency: is there a case for an industry-wide approach?

HOW DO WE KNOW WHETHER A PRODUCT OR PROJECT IS ‘HIGH RISK’ UNDER GDPR?

What is ‘profiling’?

Profiling draws on data such as: gender, marital status, age, wealth, health, risk appetite, shopping habits, credit rating, age and lifestyle of dependents, geolocation / daily routine, current health data, leisure habits, CCTV / ANPR, Google searches, website browsing.

The stages of profiling:
1. Collect data through ‘monitoring’ people’s behaviour – web, CCTV, data mining, other interactions
2. Analyse data, for example via software-implemented algorithms
3. Build a profile, perhaps as part of the previous analysis step
4. Apply the profile for the purposes of certain decisions / actions, including through the use of algorithms – ‘profiling’ in the narrow sense
5. Take a decision / action regarding the data subject (automated decision making), and/or analyse / predict preferences, attitudes, behaviour, etc.

Profiling under the DPA and GDPR

DPA Position
• Right not to be subject to automated processing for the purposes of evaluating matters such as performance at work, creditworthiness, or reliability
• Significant effect on the data subject in a negative manner. Keep in mind that every stage of ‘profiling’ is ‘processing’

GDPR Position
• Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them, or significantly affects them
• There should be suitable safeguards to protect data subject rights, including a right to human intervention
• This data subject right does not apply if the decision:
  – is necessary to enter into, or perform, a contract with the data subject;
  – is authorised by law; or
  – is based on the data subject’s explicit consent

Data protection impact assessments under the DPA
• DPIAs (or PIAs) are not a formal requirement of the DPA, though they are recommended as good practice in the ICO’s Code of Practice. They will be formalised under the GDPR
• They are currently used to help organisations identify the most effective way of complying with the DPA (in particular, the DPA principles), and carry out services / projects in a way which respects data subjects’ rights
• An effective DPIA should enable an organisation to identify issues and fix them at a sufficiently early stage

Data protection impact assessments under the GDPR: when should a DPIA be carried out?
• Article 35 requires controllers to carry out DPIAs where intended processing is likely to result in a ‘high risk’ to data subjects, taking into account the nature, scope, context and purposes of the processing (particularly when using new technologies)
• DPIAs must be conducted in the case of a "systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person"
• They are also required if the intention is to process "on a large scale" special categories of data (sensitive data such as health data), or personal data relating to criminal convictions and offences; or in the case of "systematic monitoring of a publicly accessible area on a large scale" such as public CCTV or ANPR

WHAT DOES ‘PRIVACY BY DESIGN’ MEAN?

Data protection ‘by design’ and ‘by default’
• Data protection ‘by design and default’ (including security by design and default) is aimed at building in data protection from the outset
• Failure to do so may be subject to a lower-tier fine, while implementing such measures may help to reduce or avoid fines if an infringement of the GDPR occurs
• Processes should be reviewed to ensure data protection by design and default, particularly for new projects, services or products
• Data protection impact assessments could be used for this purpose

What does Privacy by Design mean?

GDPR requirement → IT system functionality requirement

• Right to subject access; right to data portability → “Ability to search for information about a specific data subject and print out all information and provide electronically”
• Right to subject access → “Ability to automatically translate codes or provide keys to codes”
• To delete data that is out of date or inaccurate; to respond to demands from a court or the ICO to stop processing → “Deletion capability for all data including archived/backup/replicant data built-in”
• Fair and lawful processing; processing in line with specified purposes; appropriate technical security to safeguard data against unauthorised use and access → “Audit trail to identify access to and amendment of data, showing who, when and where”
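The right-hand column of that table is where an engineer actually has to build something, so here is an added example, not from the Pinsent Masons slides and not any product's code, of a minimal personal-data store that implements the three pieces of functionality in Python: a per-subject export that decodes coded fields using a key table, erasure that reaches replica and backup copies as well as the primary record, and a who/when/where audit trail of every amendment, export and erasure. The record fields, the code table, the actor names and the origin addresses are all constructed for the example.

```python
"""Added example (not from the slides): a minimal personal-data store that
implements the IT functionality the table maps GDPR requirements to.
Field names, code tables, actors and origin addresses are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed code table: "provide keys to codes" so an export is intelligible.
CODE_KEYS = {
    "MS": {"M": "married", "S": "single"},
    "RISK": {"H": "high risk appetite", "L": "low risk appetite"},
}


@dataclass
class AuditEvent:
    when: str        # UTC timestamp
    who: str         # user or system that acted
    where: str       # origin of the request (e.g. source IP)
    action: str      # "amend" | "export" | "erase"
    subject_id: str
    detail: str = ""


@dataclass
class SubjectStore:
    """Primary records plus replica and backup copies, each keyed by subject id."""
    primary: dict = field(default_factory=dict)
    replicas: list = field(default_factory=list)
    backups: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, who: str, where: str, action: str, subject_id: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, who, where, action, subject_id, detail))

    def amend(self, who: str, where: str, subject_id: str, **fields) -> None:
        """Create or update a record; the audit entry records old -> new values."""
        rec = self.primary.setdefault(subject_id, {})
        changed = {k: [rec.get(k), v] for k, v in fields.items() if rec.get(k) != v}
        rec.update(fields)
        for replica in self.replicas:          # keep replicas in step with primary
            replica[subject_id] = dict(rec)
        self._log(who, where, "amend", subject_id, json.dumps(changed))

    def snapshot_backup(self) -> None:
        """Take a point-in-time backup of the primary store."""
        self.backups.append({sid: dict(rec) for sid, rec in self.primary.items()})

    def export(self, who: str, where: str, subject_id: str) -> dict:
        """Subject access / portability: everything held, with codes decoded."""
        self._log(who, where, "export", subject_id)
        decoded = {}
        for key, value in self.primary.get(subject_id, {}).items():
            if key in CODE_KEYS and value in CODE_KEYS[key]:
                decoded[key] = {"code": value, "meaning": CODE_KEYS[key][value]}
            else:
                decoded[key] = value
        return decoded

    def erase(self, who: str, where: str, subject_id: str) -> int:
        """Erase the subject from primary, replica and backup copies; return copies removed."""
        removed = 0
        for store in [self.primary, *self.replicas, *self.backups]:
            if store.pop(subject_id, None) is not None:
                removed += 1
        self._log(who, where, "erase", subject_id, f"copies_removed={removed}")
        return removed

    def access_history(self, subject_id: str) -> list:
        """Audit trail for one subject: who did what, when and from where."""
        return [e for e in self.audit if e.subject_id == subject_id]

    def copies_held(self) -> int:
        """Number of subject records across primary, replicas and backups."""
        return sum(len(store) for store in [self.primary, *self.replicas, *self.backups])


def demo() -> dict:
    """Walk one constructed subject through amend, backup, export and erasure."""
    store = SubjectStore(replicas=[{}])
    store.amend("crm-app", "10.0.0.5", "S-001", name="A. Example", MS="M", RISK="H")
    store.snapshot_backup()                     # the backup now also holds S-001
    store.amend("analyst-1", "10.0.0.9", "S-001", RISK="L")
    exported = store.export("dsar-desk", "10.0.0.7", "S-001")
    removed = store.erase("dpo", "10.0.0.2", "S-001")
    return {
        "exported": exported,
        "copies_removed": removed,              # primary + 1 replica + 1 backup
        "copies_remaining": store.copies_held(),
        "trail": [(e.who, e.where, e.action) for e in store.access_history("S-001")],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the table makes, and the example bears out, is that erasure is only complete if the backup and replica copies are addressable by subject id; a store whose backups are opaque blobs cannot honour the third row. The audit trail records the origin of each request alongside the actor, which is what lets a later investigation distinguish an analyst's legitimate amendment from the same account used from an unexpected address.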

TRANSPARENCY: IS THERE A CASE FOR AN INDUSTRY-WIDE APPROACH?

Why is transparency important?
• It should be easy to get right but is easy to get wrong (more information, presented more clearly)
• It is not simply an obligation on the data controller but a right of the data subject
• Infringements of the principles and/or data subjects’ rights will attract the higher-tier fine

Transparency under the GDPR: general
• More information must be notified to data subjects, differing slightly in terms of content and timing of notification depending on:
  – whether the data were obtained directly from the data subject (or not); and
  – where further processing for other purposes is intended
• The information need not be notified where the data subject already has it, or an exemption applies (in relation only to data not obtained directly from the data subject)
• Code of Conduct?

Transparency under the GDPR: the additional requirements

DPA transparency requirements
• The identity of the data controller
• Identity of nominated representative (if applicable)
• The purpose or purposes for which the data is intended to be processed
• Any further information which is necessary to enable processing in respect of the data

Additional GDPR requirements
• The purposes of processing, plus the legal basis for processing (remember it must be ‘clear’, ‘plain’ and ‘intelligible’!)
• Any legitimate interests that are being relied on
• Notify any data transfers outside the EEA, with reference to the EU Commission adequacy decision, or suitable safeguards, that are being relied on

Transparency under the GDPR: further information necessary to ensure fair and transparent processing
• Retention period or retention criteria
• Inform of all data subject rights
• Where relying on consent, the right to withdraw consent at any time (it should be as easy to withdraw consent as to give it)
• Right to complain to the ICO
• Whether provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract; whether the data subject is obliged to provide it; and the consequences of failing to provide it
• Whether any automated decision making is used, including the logic involved and the significance and envisaged consequences of the automated decision making

Codes of Conduct
• Associations or other bodies representing categories of controllers or processors are encouraged to draw up codes of conduct in compliance with the GDPR
• Codes take account of the specific characteristics of the processing carried out in that sector and the specific needs of the members
• Process of implementation: consult relevant stakeholders and data subjects (where feasible)

Contents of the Code: common standards
• Fair and transparent processing
• The legitimate interests pursued by controllers in specific contexts
• The collection of personal data
• The information provided to the public and to data subjects

Monitoring of compliance with the Code
• Monitoring could be carried out by TISA if accredited by the ICO
• Independence and expertise
• Established procedures to:
  – assess the eligibility of controllers and processors concerned to apply the Code
  – monitor compliance with its provisions
  – periodically review the Code
• Procedures and structures to handle complaints about infringements of the Code or implementation of the Code
• No conflict of interests
• TISA would be the first point of escalation regarding infringements and could take enforcement action (e.g. suspension or exclusion)

Question & Answer Session

Contact
E: [email protected]
Tel: 0207 490 6533

E: [email protected]
Tel: 0131 225 0043

www.pinsentmasons.com

Pinsent Masons LLP is a limited liability partnership, registered in England and Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority and the appropriate jurisdictions in which it operates. The word 'partner', used in relation to the LLP, refers to a member or an employee or consultant of the LLP, or any firm of equivalent standing. A list of the members of the LLP, and of those non-members who are designated as partners, is available for inspection at our registered office: 30 Crown Place, London, EC2A 4ES, United Kingdom. © Pinsent Masons 2017.

For a full list of the jurisdictions where we operate, see www.pinsentmasons.com