GDPR – are you ready for the challenge?
Startin.lv, 28 March 2018
Do you need to care?
Kronbergs Čukste Derling 2018
2
Clients, suppliers, employees, data processors, databases, video surveillance, loyalty cards, online shops, direct marketing
GDPR – purpose
Rapid progress of new technological development
New ways of providing services (internet banking etc.)
Internet
Social media
Amount of publicly available personal data
Failure of the previous regulation (Directive 95/46/EC) to provide adequate privacy protection
Unified legal framework
General aim of data protection
Protect privacy of persons & balance interests
European Convention of Human Rights – Article 8 (1)
Lisbon Treaty – Article 16 (1)
Charter of Fundamental Rights of the European Union – Article 8
The Constitution of The Republic of Latvia (Satversme) – Article 96 – everyone has the right to inviolability of his or her private life, home and correspondence
What is personal data?
Personal data – any information relating to an identified or
identifiable natural person (data subject):
Directly identifiable
Indirectly identifiable - identifiers
Opinion as personal data
All forms of information
False or inaccurate information may be personal data
Data protection applies only to natural persons
Applicability and scope of the GDPR
GDPR is applicable if:
The controller or the processor is established in the EU, regardless of the place where the processing takes place
The data subjects are in the EU, the controller or processor is not established in the EU, and the processing activities relate to offering goods or services within the EU
The controller is not established in the EU but in a place where Member State law applies by virtue of international law
GDPR is applicable to government organizations, public and private companies
Lawfulness of processing
Legal basis of data processing:
Consent of the data subject
For performance of the contract
For compliance with legal obligation of the data controller
For protection of vital interests of data subject or another natural person
For public interests
For legitimate interests of controller or third party
Consent – is it the only way?
Consent is only one legitimate way to process personal data:
considered valid only if freely given, informed, specific, unambiguous and clear, either in writing or orally, with regard to the processing of personal data related to the data subject;
the data subject has the right to withdraw consent, but withdrawal does not affect the lawfulness of prior data processing
Data Controller must proactively provide:
Identity of the Data Controller
Purposes of the processing
Controller should «look for» other legal grounds to ensure reliable data processing
Purpose of data processing
Precisely defined purpose:
Specific
Accurately stated & clear
Legitimate
Defined beforehand (!)
Processing of data – allowed within the defined purpose
Processing of data outside the defined purpose – only in specific cases:
Archiving
Public interests
Scientific or historical research
Statistical purposes
Purpose of data processing: controllers & processors
Data Controller – determines the purposes and means of the processing of personal data
Data Processor – processes personal data on behalf of the Data Controller
Way to distinguish Data Controller from Data Processor – the Data Processor has no purpose of its own
Data Processors should be very careful, as a purpose of their own may emerge:
Data used for improvement of systems
Data used for another purpose – statistical
Legitimate data processing
Legal basis (at least 1 of 6) + Purpose (legitimate, accurate, specific) = Legitimate data processing
RIGHTS OF DATA SUBJECTS
Right to be provided with information – identity and contact details of the processor; contact details of the operator; purpose and legal basis of processing; recipients of personal data
Right of access – right to receive a copy of the data; explanation of the logic involved in automated processing; period of storage
Right of rectification – right to require a controller to rectify any errors
Right to be forgotten – controller must delete personal data if its continued processing
Right to object, inter alia, against automated decisions – right not to be evaluated in any material sense solely on the basis of automated processing
Right to data portability – right to transfer personal data between controllers
Obligation to respond to data subject requests within one month, free of charge, twice a year (in a concise and easily accessible form, in plain and clear language)!!!
Data Protection Officer
Obligation to appoint a Data Protection Officer:
Public authority or body (except courts)
Core activities require regular and systematic monitoring of data subjects on a large scale
Core activities consist of processing on a large scale of special categories of data
Group of undertakings may appoint a single DPO if he is easily accessible from each establishment
DPO can be an employee as well as an outsourced service
DPO is designated on the basis of:
Professional qualities
Expert knowledge of data protection law and practices
Ability to fulfil his tasks laid down in the GDPR
Latvian regulation – draft Data Processing Law states:
Any person who meets requirements set out in the GDPR
Certification is not obligatory, but the Latvian authority may check the DPO’s compliance with the GDPR.
Data Protection Officer (2)
Tasks of the DPO:
Informs and advises the data controller or the processor and the employees on data protection
Monitors compliance with the GDPR and other laws and policies
Provides advice where requested in relation to the data protection impact assessment
Cooperates with the supervisory authority
Acts as a contact point for data subjects and the supervisory authority
Data Controller or Data Processor is responsible for the compliance of the DPO with requirements set out in the GDPR (!) and shall involve the DPO in all issues which relate to the processing activities
PRINCIPLES & GDPR
Lawfulness, fairness, transparency – information to data subjects is provided in a transparent manner
Purpose limitation – data is collected for specified and legitimate purposes
Data minimization – data is limited to the amount necessary to fulfil the purpose
Accuracy – precise and up-to-date data
Storage limitation – not for a longer period than is needed for the defined purpose
Integrity & confidentiality – appropriate level of security by implementing reasonable technical and organisational measures (TOM)
Accountability – data controller is responsible for and must be able to demonstrate compliance with the aforesaid principles
Accountability
Data protection impact assessment
• Pre-impact assessment
• Only if «high risk to rights and freedoms of natural persons»
Records of processing activities
• No compulsory registration of data processing with DVI
• Replaced by internal records of processing activities
• Not always applicable
Internal privacy policy and training
• «Must have» to ensure compliance
• Covers all company’s privacy aspects
• Includes technical and organizational measures (TOM)
Data protection impact assessment
Article 35 of GDPR: «Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons»
High risk areas:
a systematic and extensive automated personal data processing, including profiling;
large scale processing of special categories of data, or personal data relating to criminal convictions and offences;
a systematic monitoring of a publicly accessible area on a large scale.
DVI shall establish and publish a list of the kinds of processing operations which are/are not subject to the requirement for a data protection impact assessment
Decision not to perform the assessment must be documented
Aim – to assess the impact of the envisaged processing operations on the protection of personal data:
description, purpose and legitimate interest (if applicable) of data processing;
necessity and proportionality of processing operations;
risks to the rights and freedoms of data subjects;
measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.
Records of processing activities
Decision flow (each «No» leads to the next question):
Are there more than 250 employees in the organization? – No →
Is the processing more than occasional (more than once or twice per year)? – No →
Are there any special categories of data? – No →
Is any data related to criminal convictions or offences processed? – No →
Would the processing be likely to result in risk to the rights and freedoms of individuals? – No →
Not applicable
Records of processing activities (2)
Sample entry in the record (one row of the register):
Controller – SIA AAA
Operator – SIA BBB
Officer – Jānis Bērziņš
Purpose – Payroll
Data categories – name, personal code, home address, bank account, family status
Data subject categories – employees
Data recipients – employees, SRS, VSAA, banks
Transfers outside EU/EEZ – USA
Term of storage – 75 years
TOM general description – Privacy Shield, Binding Corporate Rules, operator agreement, IT audit, training
Article 30 of GDPR: «Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility»
What else can/must be done?
Data controller (together with data processor) is responsible for compliance with the aforesaid personal data protection principles and for demonstrating such compliance to DVI
Each data controller/processor determines how to ensure compliance:
If required by GDPR – data protection impact assessment and records of processing activities in compliance with GDPR requirements;
Otherwise – compliance measures not directly governed by GDPR:
data protection audit (in-house or independent);
GDPR compliance achievement plan;
Practical implementation of GDPR requirements:
Internal Data Privacy Policy (taking the data protection impact assessment and records of processing activities as a benchmark);
Technical data protection measures;
Data subject’s consent and Privacy Policy;
Privacy clauses of existing employment/client/supplier agreements;
Model agreements with data processors;
General and specialized personal data protection training;
Procedure for responses to data subject’s requests;
Procedure for notifications of personal data breaches
Liability
Administrative
• Up to EUR 20 million or
• 4% of previous year worldwide revenue
• Whichever is higher
Criminal
• Illegal personal data processing which causes material damage
Civil
• Right to receive full and effective compensation for material or non-material damage
GDPR and startups
PROS:
- Enter the market with a GDPR compliant business;
- Easier to achieve compliance from scratch;
- GDPR creates new business opportunities!
CONS:
- High penalties can kill a young business;
- Data protection issues as a high risk area for investors and in M&A transactions;
- Legal and IT costs (albeit possibly lower than for existing businesses)
GDPR implementation
Transforming GDPR requirements into compliant business operations
Startin.lv, 28 March 2018
Achieving GDPR compliance|Collaboration
Legal, IT and Business (overlapping areas of collaboration):
Legal
Understanding regulation
Code of conduct
Contract addendums for existing relationships
…
IT
IT systems enhancements
Information Security
…
Business
Required data, purpose
Policies
Risk assessment
…
DPO – appointed either from the legal or cyber security team… / outsourced for smaller organizations…
GDPR compliance journey
Build internal awareness
Current situation audit (compliance and procedures)
Identify GDPR requirements
Existing policies update / new policies development
IT changes implementation
People training
+ Continuous improvement/monitoring
Current situation audit – key aspects
Legal aspect e.g., lawfulness basis …
Personal Data stored/processed vs ”really required”
Electronic documents
Paper documents
Data acquiring channel/method
Involved people, IT systems, partners (data access)
Possible data anonymization
Document flow / Information flow
Existing policies
IT system enhancements
Getting all information stored about a data subject:
Personal data
Data stored
Where it has been passed
Possibility to ensure data subject requests for:
data correction
suspending processing
exclusion from automated processing (decision making)
Possibility to extract data subject data for transfer to another processor
Auditing data access: who has accessed which personal data and how
Consent management
Data encryption
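The capabilities listed on this slide map onto a small set of operations a personal-data store has to support. The following is an added example, not code from the slides or from Kronbergs Čukste Derling / VEDICARD: a toy in-memory store that can return everything held on a subject (including where it was passed on), rectify fields, suspend processing, record an opt-out from automated decisions, withdraw consent, export a portable copy, and keep an audit trail of who accessed which personal data and how. It also gates processing on the slide deck's earlier point that every purpose needs a legal basis and consent is only one of them. The subject record, actor names, purposes and the audit-log layout are all constructed for illustration; encryption at rest is out of scope here and would sit underneath the store.

```python
"""Added example (not from the slides): a toy personal-data store that exercises
the IT capabilities listed for GDPR compliance. Standard library only; the data
model, actors and sample record below are constructed for illustration."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict                      # personal data fields held about the subject
    purposes: dict                  # purpose -> legal basis ("contract", "consent", ...)
    recipients: list                # where the data has been passed on
    consents: dict = field(default_factory=dict)   # consent-based purpose -> granted?
    processing_restricted: bool = False            # "suspending processing"
    automated_decisions_opt_out: bool = False


class PersonalDataStore:
    """Every operation on personal data is audited: who, whose data, what, when."""

    def __init__(self):
        self._records = {}
        self.audit_log = []

    def _audit(self, actor, subject_id, action, fields=()):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "subject": subject_id,
            "action": action, "fields": sorted(fields),
        })

    def add(self, actor, rec):
        self._records[rec.subject_id] = rec
        self._audit(actor, rec.subject_id, "create", rec.data)

    def access(self, actor, subject_id):
        """Right of access: everything held on the subject, incl. where it was passed."""
        rec = self._records[subject_id]
        self._audit(actor, subject_id, "read", rec.data)
        return {
            "data": dict(rec.data),
            "recipients": list(rec.recipients),
            "purposes": dict(rec.purposes),
            "consents": dict(rec.consents),
            "processing_restricted": rec.processing_restricted,
            "automated_decisions_opt_out": rec.automated_decisions_opt_out,
        }

    def rectify(self, actor, subject_id, changes):
        """Right of rectification: only fields already held may be corrected."""
        rec = self._records[subject_id]
        unknown = set(changes) - set(rec.data)
        if unknown:
            raise KeyError(f"not held for this subject: {sorted(unknown)}")
        rec.data.update(changes)
        self._audit(actor, subject_id, "rectify", changes)

    def restrict(self, actor, subject_id):
        self._records[subject_id].processing_restricted = True
        self._audit(actor, subject_id, "restrict")

    def opt_out_automated(self, actor, subject_id):
        self._records[subject_id].automated_decisions_opt_out = True
        self._audit(actor, subject_id, "opt-out-automated")

    def withdraw_consent(self, actor, subject_id, purpose):
        rec = self._records[subject_id]
        if rec.purposes.get(purpose) != "consent":
            raise ValueError(f"{purpose!r} does not rest on consent")
        rec.consents[purpose] = False
        self._audit(actor, subject_id, "withdraw-consent")

    def may_process(self, subject_id, purpose):
        """Gate for processing jobs: defined purpose, not restricted, consent still valid."""
        rec = self._records[subject_id]
        basis = rec.purposes.get(purpose)
        if basis is None or rec.processing_restricted:
            return False
        if basis == "consent":
            return rec.consents.get(purpose, False)
        return True

    def export_portable(self, actor, subject_id):
        """Right to data portability: machine-readable copy for another controller."""
        rec = self._records[subject_id]
        self._audit(actor, subject_id, "export", rec.data)
        return json.dumps({"subject_id": subject_id, "data": rec.data},
                          ensure_ascii=False, sort_keys=True)

    def accesses_of(self, subject_id):
        """Who has accessed which personal data of this subject, and how."""
        return [e for e in self.audit_log if e["subject"] == subject_id]


def demo():
    """Walk through the slide's capabilities on a constructed payroll record."""
    store = PersonalDataStore()
    store.add("hr-app", SubjectRecord(
        subject_id="emp-001",
        data={"name": "Jānis Bērziņš", "personal_code": "000000-00000",
              "home_address": "Rīga", "bank_account": "LV00TEST0000000000000",
              "family_status": "married"},
        purposes={"payroll": "contract", "newsletter": "consent"},
        recipients=["SRS", "VSAA", "bank"],
        consents={"newsletter": True},
    ))
    store.rectify("hr-clerk", "emp-001", {"home_address": "Liepāja"})
    store.withdraw_consent("self-service", "emp-001", "newsletter")
    store.opt_out_automated("self-service", "emp-001")
    return store
```

The design choice worth noting is `may_process`: a withdrawn consent only stops consent-based purposes, while payroll, resting on the employment contract, continues until processing is restricted outright. The audit log is what answers the slide's "who has accessed which personal data and how"; in a real system it would be written to an append-only sink rather than an in-memory list.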
IS Security Policy development
-> Procedures -> Instructions
IS resources, classification, ownership and responsibilities
IT risk assessment
IS security incident management
Information classification
Relationships with other vendors (outsourcing, …)
PC (and other HW) usage
Anti-virus SW maintenance
IS resources physical security
IS resources logical security
Business continuity plan
…
GDPR Compliant Business Operations
After GDPR compliance journey…
Operate
Justify and record lawfulness and Processing mechanisms
Process and record Data Subject requests (as per rights)
Validate and record Third Country data transfers
Report and manage Personal Data Breach incidents
Maintain
Evidence Data Protection policies understanding within organisation
Ensure Personal Data Processing register maintenance
Trigger risk assessments for business change events
Verify Partners / Third Party Data Processing activities compliance
Vineta Čukste-Jurjeva
Partner
Certified Personal Data Protection Officer
KRONBERGS ČUKSTE DERLING
vineta.cukste@kcderling.lv
Tel: +371-67043803, +371-29247097
Reinis Papulis
Associate
Certified Personal Data Protection Officer
KRONBERGS ČUKSTE DERLING
reinis.papulis@kcderling.lv
Tel: +371-67043803, +371-25666574
Aivars Belis
Partner / Principal Consultant
SIA VEDICARD
aivars.belis@vedicard.eu
Tel: +371-29446951
Indra Kešāne
Partner / Principal Consultant
SIA VEDICARD
Indra.kesane@vedicard.eu
Tel: +371-29221332
https://vedicard.eu

HR for Small BusinessesHR for Small Businesses
HR for Small Businesses
 
Human Resources Gurus for Q2 2019: CakeHR’s A-Z HR Experts List for the Secon...
Human Resources Gurus for Q2 2019: CakeHR’s A-Z HR Experts List for the Secon...Human Resources Gurus for Q2 2019: CakeHR’s A-Z HR Experts List for the Secon...
Human Resources Gurus for Q2 2019: CakeHR’s A-Z HR Experts List for the Secon...
 
HR Gurus for Q1 2019: The A-Z of Human Resources Experts This Quarter [Infogr...
HR Gurus for Q1 2019: The A-Z of Human Resources Experts This Quarter [Infogr...HR Gurus for Q1 2019: The A-Z of Human Resources Experts This Quarter [Infogr...
HR Gurus for Q1 2019: The A-Z of Human Resources Experts This Quarter [Infogr...
 
A-Z HR Gurus of Q4 2018: See the Current Experts in Human Resources!
A-Z HR Gurus of Q4 2018: See the Current Experts in Human Resources!A-Z HR Gurus of Q4 2018: See the Current Experts in Human Resources!
A-Z HR Gurus of Q4 2018: See the Current Experts in Human Resources!
 
CakeHR Pitch Deck for Zīmolu Tops - Latvia's Most Beloved Startup Brands.
CakeHR Pitch Deck for Zīmolu Tops - Latvia's Most Beloved Startup Brands.CakeHR Pitch Deck for Zīmolu Tops - Latvia's Most Beloved Startup Brands.
CakeHR Pitch Deck for Zīmolu Tops - Latvia's Most Beloved Startup Brands.
 
CakeHR’s A-Z HR Gurus for Q2 2018: Current Experts in Human Resources [Infogr...
CakeHR’s A-Z HR Gurus for Q2 2018: Current Experts in Human Resources [Infogr...CakeHR’s A-Z HR Gurus for Q2 2018: Current Experts in Human Resources [Infogr...
CakeHR’s A-Z HR Gurus for Q2 2018: Current Experts in Human Resources [Infogr...
 
HR Experts for Q12018: See the Gurus Who Made This Quarter’s List!
HR Experts for Q12018: See the Gurus Who Made This Quarter’s List!HR Experts for Q12018: See the Gurus Who Made This Quarter’s List!
HR Experts for Q12018: See the Gurus Who Made This Quarter’s List!
 
Introducing you to the top 112 HR Analytics experts [infographic]
Introducing you to the top 112 HR Analytics experts [infographic]Introducing you to the top 112 HR Analytics experts [infographic]
Introducing you to the top 112 HR Analytics experts [infographic]
 
HR Gurus A-Z List: Revisiting the Current Industry Experts for Q4 2017
HR Gurus A-Z List: Revisiting the Current Industry Experts for Q4 2017HR Gurus A-Z List: Revisiting the Current Industry Experts for Q4 2017
HR Gurus A-Z List: Revisiting the Current Industry Experts for Q4 2017
 
Human Resource’s Gurus: Picking HR’s Ultimate A-Z Team | Q3 2017
Human Resource’s Gurus: Picking HR’s Ultimate A-Z Team | Q3 2017Human Resource’s Gurus: Picking HR’s Ultimate A-Z Team | Q3 2017
Human Resource’s Gurus: Picking HR’s Ultimate A-Z Team | Q3 2017
 
Defining Your Employee Value Proposition. 34 Surprisingly Useful Questions to...
Defining Your Employee Value Proposition. 34 Surprisingly Useful Questions to...Defining Your Employee Value Proposition. 34 Surprisingly Useful Questions to...
Defining Your Employee Value Proposition. 34 Surprisingly Useful Questions to...
 
Introduction to the HR management software CakeHR
Introduction to the HR management software CakeHRIntroduction to the HR management software CakeHR
Introduction to the HR management software CakeHR
 
Technology in HR - Human Resources Management Software
Technology in HR - Human Resources Management SoftwareTechnology in HR - Human Resources Management Software
Technology in HR - Human Resources Management Software
 
5 Reasons Why Holacracy is Failing. Is it Time to Say Goodbye to Holacracy (a...
5 Reasons Why Holacracy is Failing. Is it Time to Say Goodbye to Holacracy (a...5 Reasons Why Holacracy is Failing. Is it Time to Say Goodbye to Holacracy (a...
5 Reasons Why Holacracy is Failing. Is it Time to Say Goodbye to Holacracy (a...
 
10 Easy Ways to Unleash Your Kid's Brain Power
10 Easy Ways to Unleash Your Kid's Brain Power10 Easy Ways to Unleash Your Kid's Brain Power
10 Easy Ways to Unleash Your Kid's Brain Power
 
How to Skyrocket Your Communication Skills - 23 Awesome Tips!
How to Skyrocket Your Communication Skills - 23 Awesome Tips!How to Skyrocket Your Communication Skills - 23 Awesome Tips!
How to Skyrocket Your Communication Skills - 23 Awesome Tips!
 
The Power of Employee Appreciation. 5 Best Practices in Employee Recognition.
The Power of Employee Appreciation. 5 Best Practices in Employee Recognition.The Power of Employee Appreciation. 5 Best Practices in Employee Recognition.
The Power of Employee Appreciation. 5 Best Practices in Employee Recognition.
 
How Volkswagen Mocked Corporate Social Responsibility: “Diesel Gate” Outs Sus...
How Volkswagen Mocked Corporate Social Responsibility: “Diesel Gate” Outs Sus...How Volkswagen Mocked Corporate Social Responsibility: “Diesel Gate” Outs Sus...
How Volkswagen Mocked Corporate Social Responsibility: “Diesel Gate” Outs Sus...
 
The Rise and Fall of Ellen Pao. Perpetrator or Victim?
The Rise and Fall of Ellen Pao. Perpetrator or Victim?The Rise and Fall of Ellen Pao. Perpetrator or Victim?
The Rise and Fall of Ellen Pao. Perpetrator or Victim?
 

Último

ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...Anadi Tewari
 
Embed-7.pdfp;kpokipppedoioediouedooedijed
Embed-7.pdfp;kpokipppedoioediouedooedijedEmbed-7.pdfp;kpokipppedoioediouedooedijed
Embed-7.pdfp;kpokipppedoioediouedooedijedbhavenpr
 
The Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateThe Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateBTL Law P.C.
 
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditAn introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditSHRADDHA PANDIT
 
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...SHRADDHA PANDIT
 
Law-on-Partnership-and-Corporation business org
Law-on-Partnership-and-Corporation business orgLaw-on-Partnership-and-Corporation business org
Law-on-Partnership-and-Corporation business orgAnonymousUKTzN2ggtG
 
Classification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsClassification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsSyedaAyeshaTabassum1
 
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfIslamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfNo One
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 

Último (9)

ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
 
Embed-7.pdfp;kpokipppedoioediouedooedijed
Embed-7.pdfp;kpokipppedoioediouedooedijedEmbed-7.pdfp;kpokipppedoioediouedooedijed
Embed-7.pdfp;kpokipppedoioediouedooedijed
 
The Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateThe Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a Template
 
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditAn introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
 
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
 
Law-on-Partnership-and-Corporation business org
Law-on-Partnership-and-Corporation business orgLaw-on-Partnership-and-Corporation business org
Law-on-Partnership-and-Corporation business org
 
Classification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsClassification of Contracts in Business Regulations
Classification of Contracts in Business Regulations
 
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfIslamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 

GDPR - are you ready for the challenge?

1. GDPR – are you ready for the challenge?
Startin.lv, 28 March 2018

2. Do you need to care?
Clients
Suppliers
Employees
Data processors
Databases
Video surveillance
Loyalty cards
Online shops
Direct marketing

3. GDPR – purpose
Rapid progress of new technological development
New ways of providing services (internet banking etc.)
Internet
Social media
Amount of publicly available personal data
Failure of the previous regulation (Directive 95/46/EC) to provide adequate privacy protection
Unified legal framework

4. General aim of data protection
Protect privacy of persons & balance interests
European Convention of Human Rights – Article 8 (1)
Lisbon Treaty – Article 16 (1)
Charter of Fundamental Rights of the European Union – Article 8
The Constitution of The Republic of Latvia (Satversme) – Article 96 – everyone has the right to inviolability of his or her private life, home and correspondence

5. What is personal data?
Personal data – any information relating to an identified or identifiable natural person (data subject):
Directly identifiable
Indirectly identifiable – identifiers
Opinion as personal data
All forms of information
False or inaccurate information may be personal data
Data protection applies only to natural persons

6. Applicability and scope of the GDPR
GDPR is applicable if:
The controller or the processor is established in the EU, regardless of the place where processing takes place
The data subjects are in the EU, the controller or processor is not established in the EU and the processing activities relate to offering goods or services within the EU
The controller is not established in the EU but in a place where Member State law is applicable via international law
GDPR is applicable to government organizations, public and private companies

7. Lawfulness of processing
Legal basis of data processing:
Consent of the data subject
For performance of the contract
For compliance with a legal obligation of the data controller
For protection of vital interests of the data subject or another natural person
For public interests
For legitimate interests of the controller or a third party

8. Consent – is it the only way?
Consent is only one legitimate way to process personal data: it is considered valid only if freely given, informed, specific, unambiguous and clear, either in writing or oral, with regard to the processing of personal data related to the data subject.
Data subject has the right to withdraw consent, but withdrawal does not affect the lawfulness of prior data processing
Data Controller must proactively provide:
Identity of the Data Controller
Purposes of the processing
Controller should «look for» other legal grounds to ensure reliable data processing

9. Purpose of data processing
Precisely defined purpose:
Specific
Accurately stated & clear
Legitimate
Defined before (!)
Processing of data – allowed within the defined purpose
Processing of data outside the defined purpose – in specific cases:
Archiving
Public interests
Scientific or historical research
Statistical

10. Purpose of data processing: controllers & processors
Data Controller – determines the purposes and means of the processing of personal data
Data Processor – processes personal data on behalf of the Data Controller
Way to distinguish Data Controller from Data Processor – Data Processor has no purpose of its own
Data Processors should be very careful, as a purpose of their own may appear:
Data used for improvement of systems
Data used for another purpose – statistical

11. Legitimate data processing
Legal basis (at least 1 of 6)
Purpose (legitimate, accurate, specific)
Legitimate data processing

12. Rights of data subjects
Right to be provided with information:
- Identity and contact details of processor;
- contact details of operator;
- purpose and legal basis of processing;
- recipients of personal data
Right of access:
- Right to receive a copy of data
- Explanation of the logic involved in automated processing
- Period of storage
Right of rectification:
- Right to require a controller to rectify any errors
Right to be forgotten:
- Controller must delete personal data if its continued processing
Right to object, inter alia, against automated decisions:
- Right not to be evaluated in any material sense solely on the basis of automated processing
Right to data portability:
- Right to transfer personal data between controllers
Obligation to respond to data subject requests within one month, free of charge twice a year (in concise and easily accessible form, in plain and clear language)!!!

13. Data Protection Officer
Obligation to appoint a Data Protection Officer:
Public authority or body (except courts)
Core activities require regular and systematic monitoring of data subjects on a large scale
Core activities consist of processing on a large scale of special categories of data
Group of undertakings may appoint a single DPO if he is easily accessible from each establishment
DPO can be an employee as well as an outsourced service
DPO is designated on the basis of:
Professional qualities
Expert knowledge of data protection law and practices
Ability to fulfil his tasks laid down in the GDPR
Latvian regulation – draft Data Processing Law states: any person who meets the requirements set out in the GDPR
Certification is not obligatory, but the Latvian authority may check the DPO’s compliance with the GDPR.

14. Data Protection Officer (2)
Tasks of the DPO:
Informs and advises the data controller or the processor and the employees on data protection
Monitors compliance with the GDPR and other laws and policies
Provides advice where requested in relation to the data protection impact assessment
Cooperates with the supervisory authority
Acts as a contact point for the data subjects and the supervisory authority
Data Controller or Data Processor is responsible for the compliance of the DPO with the requirements set out in the GDPR (!) and shall involve the DPO in all issues which relate to the processing activities

15. Principles & GDPR
Lawfulness, fairness, transparency – information to data subjects is provided in a transparent manner
Purpose limitation – data is collected for specified and legitimate purposes
Data minimization – data is limited to the amount necessary to fulfil the purpose
Accuracy – precise and up-to-date data
Storage limitation – not for a longer period than is needed for the defined purpose
Integrity & confidentiality – appropriate level of security by implementing reasonable technical and organisational measures (TOM)
Accountability – data controller is responsible for and must be able to demonstrate compliance with the aforesaid principles

16. Accountability
Data protection impact assessment
• Pre-impact assessment
• Only if «high risk to rights and freedoms of natural persons»
Records of processing activities
• No compulsory registration of data processing with DVI
• Replaced by internal records of processing activities
• Not always applicable
Internal privacy policy and training
• «Must have» to ensure compliance
• Covers all company’s privacy aspects
• Includes technical and organizational measures (TOM)

17. Data protection impact assessment
Article 35 of GDPR: «Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons»
High risk areas:
a systematic and extensive automated personal data processing, including profiling;
large scale processing of special categories of data, or personal data relating to criminal convictions and offences;
a systematic monitoring of a publicly accessible area on a large scale.
DVI shall establish and publish a list of the kinds of processing operations which are/are not subject to the requirement for a data protection impact assessment
Decision not to perform the assessment must be documented
Aim – to assess the impact of the envisaged processing operations on the protection of personal data:
description, purpose and legitimate interest (if applicable) of data processing;
necessity and proportionality of processing operations;
risks to the rights and freedoms of data subjects;
measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.

18. Records of processing activities
Decision flow (a «No» to every question means the records are not applicable):
Are there more than 250 employees in the organization? – No
Is the processing more than occasional (more than once or twice per year)? – No
Are there any special categories of data? – No
Is any data related to criminal convictions or offences processed? – No
Would the processing be likely to result in risk to the rights and freedoms of individuals? – No
→ Not applicable

19. Records of processing activities (2)
Article 30 of GDPR: «Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility»
Example record:
Controller: SIA AAA
Operator: SIA BBB
Officer: Jānis Bērziņš
Purpose: Payroll
Data categories: Name, personal code, home address, bank account, family status
Data subject categories: Employees
Data recipients: Employees, SRS, VSAA, banks
Transfers outside EU/EEZ: USA
Term of storage: 75 years
TOM general description: Privacy shield, Binding Corporate Rules, operator agreement, IT audit, training
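The decision flow on slide 18 and the register row on slide 19 are the two pieces a DPO actually has to operate: decide whether Article 30 records are required at all, and then keep every row complete. The Python below is an added example written for this page, not code from the deck or from Kronbergs Čukste Derling; the class and function names are my own, the list of required columns is my reading of the slide 19 columns, and the sample row reuses the slide's payroll example with the transfer safeguards split out of the TOM cell (the slide lists them together).

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class OrganisationProfile:
    """Answers to the five questions on the slide 18 decision flow
    (the Article 30(5) exemption for organisations under 250 employees)."""
    employees: int
    processing_more_than_occasional: bool  # more than once or twice per year
    special_categories: bool               # e.g. health, biometric, trade-union data
    criminal_conviction_data: bool
    likely_risk_to_individuals: bool


def records_required(p: OrganisationProfile) -> bool:
    """Records are 'not applicable' only when every question is answered 'no';
    a single 'yes' makes the register mandatory."""
    return (
        p.employees > 250
        or p.processing_more_than_occasional
        or p.special_categories
        or p.criminal_conviction_data
        or p.likely_risk_to_individuals
    )


@dataclass
class ProcessingActivity:
    """One row of the register, with the columns shown on slide 19.
    'operator' is the slides' term for the data processor."""
    controller: str
    operator: str
    officer: str
    purpose: str
    data_categories: List[str]
    data_subject_categories: List[str]
    data_recipients: List[str]
    transfers_outside_eu_eea: List[str]
    storage_term: str
    tom_general_description: List[str]
    transfer_safeguards: List[str] = field(default_factory=list)


# Columns that must never be empty for a row to count as a usable record
# (an assumption of this example, derived from the slide 19 columns).
REQUIRED_COLUMNS = (
    "controller", "officer", "purpose", "data_categories",
    "data_subject_categories", "data_recipients", "storage_term",
    "tom_general_description",
)


def record_problems(rec: ProcessingActivity) -> List[str]:
    """Return the gaps in a register row (an empty list means the row is complete)."""
    problems = [f"missing {col}" for col in REQUIRED_COLUMNS if not getattr(rec, col)]
    # A transfer outside the EU/EEA needs a documented legal mechanism.
    if rec.transfers_outside_eu_eea and not rec.transfer_safeguards:
        problems.append("transfer outside EU/EEA without a documented safeguard")
    # Storage limitation principle (slide 15): the retention period must be finite.
    if rec.storage_term.strip().lower() in ("indefinite", "unlimited", "forever"):
        problems.append("storage term must be limited, not indefinite")
    return problems


def sample_record() -> ProcessingActivity:
    """The payroll row from slide 19, with the transfer safeguards split out of
    the TOM column (the slide lists both in one cell)."""
    return ProcessingActivity(
        controller="SIA AAA",
        operator="SIA BBB",
        officer="Jānis Bērziņš",
        purpose="Payroll",
        data_categories=["name", "personal code", "home address",
                         "bank account", "family status"],
        data_subject_categories=["employees"],
        data_recipients=["employees", "SRS", "VSAA", "banks"],
        transfers_outside_eu_eea=["USA"],
        storage_term="75 years",
        tom_general_description=["operator agreement", "IT audit", "training"],
        # Privacy Shield was valid when the 2018 deck was written; the CJEU
        # invalidated it in July 2020, so a current register would need a
        # different transfer mechanism in this column.
        transfer_safeguards=["Privacy Shield", "Binding Corporate Rules"],
    )


def register_review(records: List[ProcessingActivity]) -> dict:
    """Map each activity's purpose to its outstanding problems, for the DPO's review."""
    return {rec.purpose: record_problems(rec) for rec in records}


if __name__ == "__main__":
    profile = OrganisationProfile(employees=30, processing_more_than_occasional=True,
                                  special_categories=False, criminal_conviction_data=False,
                                  likely_risk_to_individuals=False)
    print("records required:", records_required(profile))
    print(register_review([sample_record()]))
```

Running it for a 30-person company whose payroll processing is monthly (so more than occasional) reports that records are required, which is the usual outcome in practice: the under-250 exemption rarely applies once a company runs payroll or a CRM. `register_review` is the kind of check to run before presenting the register to DVI, since an empty purpose or an undocumented third-country transfer is exactly what an inspection looks for.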
20. What else can/must be done?
Data controller (together with data processor) is responsible for compliance with the aforesaid personal data protection principles and for demonstrating such compliance to DVI
Each data controller/processor determines how to ensure compliance:
If required by GDPR – data protection impact assessment and records of processing activities in compliance with GDPR requirements;
Otherwise – compliance measures not directly governed by GDPR: data protection audit (in-house or independent); GDPR compliance achievement plan;
Practical implementation of GDPR requirements:
Internal Data Privacy Policy (taking the data protection impact assessment and records of processing activities as a benchmark)
Technical data protection measures
Data subject’s consent and Privacy Policy
Privacy clauses of existing employment/client/supplier agreements
Model agreements with data processors
General and specialized personal data protection training
Procedure for responses to data subject’s requests
Procedure for notifications of personal data breaches

21. Liability
Administrative:
• Up to EUR 20 million or
• 4% of previous year worldwide revenue
• Whichever is higher
Criminal:
• Illegal personal data processing which causes material damage
Civil:
• Right to receive full and effective compensation for material or non-material damage

22. GDPR and startups
PROS:
- Enter market with a GDPR compliant business;
- Easier to achieve compliance from scratch;
- GDPR creates new business opportunities!
CONS:
- High penalties can kill a young business;
- Data protection issues as a high risk area for investors and in M&A transactions;
- Legal and IT costs (albeit possibly lower than for existing businesses)

23. GDPR implementation
Transforming GDPR requirements into compliant business operations
Startin.lv, 28 March 2018

24. Achieving GDPR compliance | Collaboration
Legal – IT – Business
Legal:
Understanding regulation
Code of conduct
Contract addendums for existing relationships
…
IT:
IT systems enhancements
Information Security
…
Business:
Required data, purpose
Policies
Risk assessment
…
DPO – appointed either from the legal or cyber security team… / outsourced for smaller organizations…

25. GDPR compliance journey
Build internal awareness
Current situation audit (compliance and procedures)
Identify GDPR requirements
Existing policies update / new policies development
IT changes implementation
People training
+ Continuous improvement/monitoring

26. Current situation audit – key aspects
Legal aspect, e.g., lawfulness basis …
Personal Data stored/processed vs ”really required”
Electronic documents
Paper documents
Data acquiring channel/method
Involved people, IT systems, partners (data access)
Possible data anonymization
Document flow / Information flow
Existing policies

27. IT system enhancements
Getting all information about the data subject stored:
Personal Data
Data stored
Where it has been passed
Possibility to ensure data subject requests for:
data correction
suspending processing
exclusion from automated processing (decision making)
Possibility to extract data subject data for transfer to another processor
Auditing data access: who has accessed which Personal data and how
Consent management
Data encryption
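Slide 27 lists what the IT side has to be able to do once the deck's legal groundwork is done: find everything held about one data subject across systems, honour correction, suspension and portability requests, and audit who accessed which personal data and how. Slide 12 adds the one-month response deadline. The Python below is an added example written for this page, not code from the deck or from VEDICARD; the three "systems", the subject id `emp-0042`, the field values and every function name are constructed for illustration, and the audit log is a simple in-memory list standing in for whatever append-only store a real deployment would use.

```python
import calendar
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List, Set

# Constructed sample (not from the deck): the personal data of one data
# subject is spread over three internal systems, which is the situation
# slide 27's "where it has been passed" point is about.
SYSTEMS: Dict[str, Dict[str, Dict[str, object]]] = {
    "hr_core": {"emp-0042": {"name": "Jānis Bērziņš", "home_address": "Rīga (constructed)"}},
    "payroll": {"emp-0042": {"bank_account": "LV00TEST0000000000000", "family_status": "married"}},
    "crm": {"emp-0042": {"newsletter_consent": True}},
}

# Per-subject flags set by data subject requests: systems in which processing
# is suspended, and subjects excluded from solely automated decision-making.
RESTRICTED: Dict[str, Set[str]] = {}
NO_AUTOMATED_DECISIONS: Set[str] = set()


@dataclass
class AccessEvent:
    at: datetime
    actor: str
    subject_id: str
    system: str
    fields: List[str]
    action: str  # "read", "export", "rectify" or "restrict"


@dataclass
class AuditLog:
    """Append-only record of who touched which personal data, and how."""
    events: List[AccessEvent] = field(default_factory=list)

    def record(self, actor: str, subject_id: str, system: str, fields, action: str) -> None:
        self.events.append(AccessEvent(datetime.now(timezone.utc), actor, subject_id,
                                       system, sorted(fields), action))

    def accesses_for(self, subject_id: str) -> List[tuple]:
        """Answer slide 27's audit question for one subject."""
        return [(e.actor, e.system, e.fields, e.action)
                for e in self.events if e.subject_id == subject_id]


def collect_subject_data(subject_id: str, actor: str, audit: AuditLog) -> Dict[str, dict]:
    """Gather everything stored about a subject across all systems; every read is logged."""
    found = {}
    for system, table in SYSTEMS.items():
        if subject_id in table:
            found[system] = dict(table[subject_id])
            audit.record(actor, subject_id, system, table[subject_id].keys(), "read")
    return found


def portability_export(subject_id: str, actor: str, audit: AuditLog) -> str:
    """Machine-readable bundle for the right to data portability (slide 12)."""
    data = collect_subject_data(subject_id, actor, audit)
    audit.record(actor, subject_id, "*", ["all"], "export")
    return json.dumps({"subject_id": subject_id, "systems": data},
                      ensure_ascii=False, sort_keys=True)


def rectify(subject_id: str, system: str, field_name: str, new_value,
            actor: str, audit: AuditLog) -> None:
    """Right of rectification: correct one field and log who changed it."""
    SYSTEMS[system][subject_id][field_name] = new_value
    audit.record(actor, subject_id, system, [field_name], "rectify")


def restrict_processing(subject_id: str, system: str, actor: str, audit: AuditLog) -> None:
    """Suspend processing of the subject's data in one system."""
    RESTRICTED.setdefault(subject_id, set()).add(system)
    audit.record(actor, subject_id, system, [], "restrict")


def may_process(subject_id: str, system: str, automated_decision: bool = False) -> bool:
    """Gate every processing step on the subject's outstanding requests."""
    if system in RESTRICTED.get(subject_id, set()):
        return False
    if automated_decision and subject_id in NO_AUTOMATED_DECISIONS:
        return False
    return True


def response_due(received: date) -> date:
    """Deadline for answering a request: one month from receipt (slide 12),
    clamped to the last day of a shorter month."""
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)
```

Two design points matter more than the data structures. First, the audit entry is written by the same function that performs the read, so there is no code path that can hand personal data to an operator without leaving a trace; that is what makes "who accessed which personal data and how" answerable after the fact. Second, `may_process` is a single choke point that every processing step is expected to call, so a restriction or an automated-decision opt-out recorded once is enforced everywhere instead of being re-implemented per system.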
28. IS Security Policy development -> Procedures -> Instructions
IS resources, classification, ownership and responsibilities
IT risk assessment
IS security incident management
Information classification
Relationship with other vendors (outsourcing, …)
PC (and other HW) usage
Anti-virus
SW maintenance
IS resources physical security
IS resources logical security
Business continuity plan
…

29. GDPR Compliant Business Operations
After the GDPR compliance journey…
Operate:
Justify and record lawfulness and processing mechanisms
Process and record Data Subject requests (as per rights)
Validate and record third country data transfers
Report and manage Personal Data Breach incidents
Maintain Evidence:
Data Protection policies understanding within the organisation
Ensure Personal Data Processing register maintenance
Trigger risk assessments for business change events
Verify Partners / Third Party Data Processing activities compliance

30. Vineta Čukste-Jurjeva
Partner, Certified Personal Data Protection Officer
KRONBERGS ČUKSTE DERLING
vineta.cukste@kcderling.lv
Tel: +371-67043803, +371-29247097
Reinis Papulis
Associate, Certified Personal Data Protection Officer
KRONBERGS ČUKSTE DERLING
reinis.papulis@kcderling.lv
Tel: +371-67043803, +371-25666574

31. Aivars Belis
Partner / Principal Consultant, SIA VEDICARD
aivars.belis@vedicard.eu
Tel: +371-29446951
Indra Kešāne
Partner / Principal Consultant, SIA VEDICARD
Indra.kesane@vedicard.eu
Tel: +371-29221332
https://vedicard.eu