GDPR - are you ready for the challenge?

GDPR – are you ready for the challenge?
Startin.lv, 28 March 2018

Do you need to care?
Kronbergs Čukste Derling 2018
2
Clients
Suppliers
Employees
Data
processors
Databases
Video
surveilance
Loyalty
cards
Online
shops
Direct
marketing

GDPR – purpose
Rapid progress of new technological development
New ways of providing services (internet banking etc.)
Internet
Social media
Amount of publicly available personal data
Failure of the previous regulation (Directive 95/46/EC) to provide
adequate privacy protection
Unified legal framework
3

General aim of data protection
Protect privacy of persons & balance interests
European Convention of Human Rights – Article 8 (1)
Lisbon Treaty – Article 16 (1)
Charter of Fundamental Rights of the European Union – Article 8
The Constitution of The Republic of Latvia (Satversme) – Article 96 –
everyone has the right to inviolability of his or her private life, home and
correspondence
4

What is personal data?
Personal data – any information relating to an identified or
identifiable natural person (data subject):
Directly identifiable
Indirectly identifiable - identifiers
Opinion as personal data
All forms of information
False or inaccurate information may be personal data
Data protection applies only to natural persons
5

Applicability and scope of the GDPR
GDPR is applicable if:
The controller or the processor is established in the EU, regardless of the
place where procession takes place
The data subjects are in the EU, the controller or processor is not established
in the EU and the processing activities relate to offering goods or services
within the EU
The controller is not established in the EU but in place where Member State
law is applicable via international law
GDPR is applicable to government organizations, public and
private companies
6

Lawfulness of processing
Legal basis of data processing:
Consent of the data subject
For performance of the contract
For compliance with legal obligation of the data controller
For protection of vital interests of data subject or another natural person
For public interests
For legitimate interests of controller or third party
7

Consent – is it the only way?
Consent is only one legitimate way to process personal data:
considered valid only if freely given, informed, specific, unambiguous and
clear either in writing or oral with regards to the processing of personal data
related to the data subject;
Data subject has the right to withdraw consent but it does not affect the
lawfulness of prior data processing
Data Controller proactively must provide:
Identity of the Data Controller
Purposes of the processing
Controller should «look for» other legal grounds to ensure
reliable data processing
8

Purpose of data processing
Preciously defined purpose
Specific
Accurately stated & clear
Legitimate
Defined before (!)
Procession of data – allowed within defined purpose
Procession of data outside defined purpose – in specific cases:
Archiving
Public interests
scientific or historical research
statistical
9

Purpose of data processing:
controllers & processors
Data Controller – determines the purposes and means of the processing of
personal data
Data Processor – processes personal data on behalf of the Data Controller
Way to distinguish Data Controller from Data Processor – Data
Processor has no purpose
Data Processors should be very careful as there may appear their own
purpose
Data used for improvement of systems
Data used for another purpose - statistical
10

Legitimate data processing
11
Legal
basis
(at least 1
of 6)
Purpose
(legitimate,
accurate,
specific)
Legitimate
data
processing

12
RIGHTS OF DATA SUBJECTS
Right to be provided with information - Identity and contact details of processor;
- contact details of operator;
- purpose and legal basis of processing;
- recipients of personal data
Right of access - Right to receive a copy of data
- Explanation of logics involved in automated
processing
- Period of storage
Right of rectification - Rights to require a controller to rectify any
errors
Right to be forgotten Controller must delete personal data if its
continued processing
Right to object, inter alia, against
automated decisions
Right not to be evaluated in any material sense
solely on the basis of automated processing
Right to data portability Right to transfer personal data between
controllers
Obligation to respond to data subject requests in one month time free of charge
twice a year (in concise and easy accessible form, in plain and clear language)!!!

Data Protection Officer
Obligation to appoint Data Protection Officer
Public authority or body (except courts)
Core activities require regular and systematic monitoring of data subjects on a large scale
Core activities consist of processing on a large scale of special categories of data
Group of undertakings may appoint a single DPO if he is easily accessible from
each establishment
DPO can be employee as well as outsourced service
DPO is designated on the basis of:
Professional qualities
Expert knowledge of data protection law and practices
Ability to fulfil the his tasks laid down in the GDPR
Latvian regulation – draft Data Processing Law states
Any person who meets requirements set out in the GDPR
Certification is no obligatory but Latvian authority may check DPO’s compliance with the
GDRP.
13

Data Protection Officer (2)
Tasks of the DPO:
Informs and advises the data controller or the processor and the employees on
data protection
Monitors compliance with the GDRP and other laws, policies
Provides advice where requested in relation with data protection impact
assesment
Cooperates with supervisory authority
Acts as a contact point to the data subjects and supervisory authority
Data Controller or Data Processor is responsible for the compliance of
the DPO with requirements set out in the GDPR (!) and shall involve the
DPO in all issues which relate to the processing activities
14

15
PRINCIPLES & GDPR
Lawfulness, fairness, transparency Information to data subjects is provided in
a transparent manner
Purpose limitation Data is collected for specified and
legitimate purposes
Data minimization Data is limited to the necessary amount to
fulfil the purpose
Accuracy Precise and up-to-date data
Storage limitation Not for longer period that is needed for
the defined purpose
Integrity & confidentiality Appropriate level of safety by
implementing reasonable technical and
organisational measures (TOR)
Accountability Data controller is responsible for and must
be able to demonstrate compliance wit the
aforesaid principles

Accountability
16
Data protection
impact assessment
• Pre-impact
assessment
• Only if «high risk
to rights and
freedoms of
natural persons»
Records of processing
activities
• No compulsory
registration of data
processing with
DVI
• Replaced by
internal records of
processing
activities
• Not always
applicable
Internal privacy policy
and training
• «Must have» to
ensure compliance
• Covers all
company’s privacy
aspects
• Included technical
and organizational
measures (TOM)

Data protection impact assessment
Article 35 of GDPR «Where a type of processing in particular using new technologies, and
taking into account the nature, scope, context and purposes of the processing, is likely to
result in a high risk to the rights and freedoms of natural persons»
High risk areas:
a systematic and extensive automated personal data processing, including profiling;
large scale processing of special categories of data, or personal data relating to criminal convictions and
offences;
a systematic monitoring of a publicly accessible area on a large scale.
DVI shall establish and publish a list of the kind of processing operations which are/are not
subject to the requirement for a data protection impact assessment
Decision not to perform the assessment must be documented
Aim - to assess the impact of the envisaged processing operations on the protection of
personal data:
description, purpose and legitimate interest (if applicable) of data processing;
necessity and proportionality of processing operations;
risks to the rights and freedoms of data subjects;
measures to address the risks, including safeguards, security measures and mechanisms to ensure the
protection of personal data and to demonstrate compliance.
17

Records of processing activities
18
Are there more than
250 employees in the
organization?
Is the processing more
than occasional (more
than once or twice per
year)
Are there any special
categories of data?
Is any data related to
criminal convictions or
offences processed
Would the processing
be likely to result in
risk to the rights and
freedoms of
individuals?
Not
applicable
No No
No
No

Records of processing activities (2)
19
Controller Operator Officer Purpose Data
categories
Data
subject
categories
Data
recipients
Transfers
outside
EU/EEZ
Term of
storage
TOM general
description
SIA AAA SIA BBB Jānis
Bērziņš
Payroll Name,
personal
code, home
address,
bank
account,
family
status
Employees Employees,
SRS, VSAA,
banks
USA 75 years Privacy shield,
Binding
Corporate
Rules, operator
agreement, IT
audit, training
Article 30 of GDPR: «Each controller and, where applicable, the controller's representative,
shall maintain a record of processing activities under its responsibility»

What else can/must be done?
Data controller (together with data processor) is responsible for compliance with the
aforesaid personal data protection principles and demonstration of such compliance to
DVI
Each data controller/processor determines how to ensure compliance:
If required by GDPR – data protection impact assessment and records of processing activities in
compliance with GDPR requirements;
Otherwise – compliance measures not directly governed GDPR:
data protection audit (in-house or independent);
GDPR compliance achievement plan;
Practical implementation of GDPR requirements:
Internal Data Privacy Policy (taking data protection impact assessment and records of processing activities as a
benchmark),
Technical data protection measures;
Data subject’s consent and Privacy Policy
Privacy clauses of existing employment/client/supplier agreements;
Model agreements with data processors;
General and specialized personal data protection training
Procedure of responses to data subject’s requests
Procedure of notifications of personal data breaches
20

Liability
21
Administrative
• Up to EUR 20
million or
• 4% of previous
year worldwide
revenue
• Whichever is
higher
Criminal
• Illegal personal
data processing
which causes
material damage
Civil
• Right to receive
full and effective
compensation for
material or non-
material damage

GDPR and startups
22
PROS:
- Enter market with GDPR compliant
business;
- Easier to achieve compliance from a
scratch;
- GDPR creates new business
opportunities!
CONS:
- High penalties can kill a young
business;
- Data protection issues as a high risk
area for investors and in M&A
transactions
- Legal and IT costs (albeit possibly
lower than for existing businesses)

GDPR implementation
Transforming GDPR requirements into compliant business operations
Startin.lv, 28 March 2018

Achieving GDPR compliance|Collaboration
24
Legal
ITBussiness
Legal
Understanding regulation
Code of conduct
Contract addendums for existing relationships
…
IT
IT systems enhancements
Information Security
…
Business
Required data, purpose
Policies
Risk assessment
… DPO – appointed either from legal or
cyber security team… / outsourced for
smaller organizations…

GDPR compliance journey
25
Build internal awareness
Current situation audit (compliance and procedures)
Identify GDPR requirements
Existing policies update / new policies development
IT changes implementation
People training
+ Continuous improvement/monitoring

Current situation audit – key aspects
26
Legal aspect e.g., lawfulness basis …
Personal Data stored/processed vs ”really required”
Electronic documents
Paper documents
Data acquiring channel/method
Involved people, IT systems, partners (data access)
Possible data anonymization
Document flow / Information flow
Existing policies

IT system enhancements
27
Getting all information about data subject stored
Personal Data
Data stored
Where it has been passed
Possibility to ensure data subject request for:
data correction
suspending processing
exclusion from automated processing(decision
making)
Possibility to extract data subject data for transfer
to other processor
Auditing data access
Who has accessed which Personal data and how
Consent management
Data encryption

IS Security Policy development
-> Procedures -> Instructions
28
IS resources, classification, ownership and responsibilities
IT Risk assessment
IS security incidents management
Information classification
Relationship with other vendors(outsourcing,…)
PC (and other HW usage) usage
Anti-Viruses SW maintenance
IS resources physical security
IS resources logical security
Business continuity plan
…

GDPR Compliant Business Operations
29
After GDPR compliance journey…
Operate
Justify and record lawfulness and Processing mechanisms
Process and record Data Subject requests (as per rights)
Validate and record Third Country data transfers
Report and manage Personal Data Breach incidents
Maintain
Evidence Data Protection policies understanding within organisation
Ensure Personal Data Processing register maintenance
Trigger risk assessments for business change events
Verify Partners / Third Party Data Processing activities compliance

Vineta Čukste-Jurjeva
Partner
Certified Personal Data Protection Officer
KRONBERGS ČUKSTE DERLING
vineta.cukste@kcderling.lv
Tel: +371-67043803, +371-29247097
Reinis Papulis
Associate
Certified Personal Data Protection Officer
KRONBERGS ČUKSTE DERLING
reinis.papulis@kcderling.lv
Tel: +371-67043803, +371-25666574

Aivars Belis
Partner / Principal Consultant
SIA VEDICARD
aivars.belis@vedicard.eu
Tel: +371-29446951
Indra Kešāne
Partner / Principal Consultant
SIA VEDICARD
Indra.kesane@vedicard.eu
Tel: +371-29221332
https://vedicard.eu

GDPR - are you ready for the challenge?

More Related Content

What's hot

Similar to GDPR - are you ready for the challenge?

More from Sage HR

Recently uploaded

GDPR - are you ready for the challenge?