
Page 1: Deciphering GDPR - Webster University Geneva · Opinion 4/2007 of WP29 (June 2007) on personal data Opinion 5/2014 on anonymisation techniques ... 14 GDPR Guidelines adopted 12 12

Deciphering GDPR

Gwendal Le Grand

[email protected]

Director of technology and innovation, CNIL

Page 2: CNIL’s activity (2017)

Page 3: Personal data

- Any information relating to an identified or identifiable natural person
- Directly or indirectly
- Take into account all the means likely reasonably to be used
- Opinion 4/2007 of WP29 (June 2007) on personal data
- Opinion 5/2014 on anonymisation techniques
- Identifiability dimensions shown on the slide: Who / When / Where

Page 4: New powers

- Online inspections (2014)
- Freedom of expression / Blocking websites (since 2015)
  - Pedopornography / terrorism
  - Redirecting in DNS or removing search results
- Right to delisting (2014):
  - Currently implemented on all TLDs if the IP address is in the country of the plaintiff
  - Some open questions to be clarified by the CJEU

Page 5: GDPR chronology

Timeline (labels from the slide graphic, in legislative order):
- EU Commission proposal
- EP vote (1st reading)
- Council vote
- Trilogue
- Political agreement
- Adoption
- GDPR is applicable and repeals Directive 95/46/EC

Page 6: Territorial scope

GDPR applies if:
- the data controller or processor is established in the EU, or
- the processing activities are related to the offering of goods or services to persons in the EU, or to the monitoring of persons in the EU

Page 8: Security of processing (Art. 32)

04/06/2018

Processing -> Risks -> Security measures (controller + processor)

Processing:
- Nature, scope, context, purposes
- Varying likelihood and severity

Security measures (controller + processor):
- Technical or organizational
- Take into account the state of the art and costs of implementation
- Proportional to the risks
- Aim to treat the risk

Page 9: Guiding principles (Art. 32)

Achieving a secure processing

Goals:
- Ensure confidentiality, integrity, availability and resilience of processing systems and services
- Able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Measures:
- Pseudonymisation
- Encryption
- Ensure that any natural person having access to personal data shall not process them otherwise than what the controller or processor has authorised him to

Continuous improvement:
- Regularly check the measures used to ensure the security of the processing by testing them, assessing them and evaluating their effectiveness

Compliance:
- Approved code of conduct (art. 40)
- Approved certification mechanism (art. 42)
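As an added illustration of the "pseudonymisation" measure listed above (example code written for this page, not from the presentation or from CNIL): direct identifiers are replaced by HMAC-SHA256 pseudonyms under a secret key that is kept separately from the pseudonymised dataset, so records stay linkable for the controller while the dataset alone does not identify anyone. The field names email and national_id and the sample records are assumptions constructed for the example.

```python
"""Keyed pseudonymisation of direct identifiers (the Art. 32 'pseudonymisation' measure)."""
import hashlib
import hmac
import secrets

# Assumed field names for the direct identifiers in a record (not from the slides).
DIRECT_IDENTIFIERS = ("email", "national_id")


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier under a secret key.

    The key is the 'additional information' that must be kept separately:
    without it nobody can recompute the pseudonym of a guessed identifier,
    which an unkeyed hash of a guessable value (an e-mail address) would allow.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with each direct identifier replaced by its pseudonym."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonym(str(out[field]), key)
    return out


def same_person(record_a: dict, record_b: dict, field: str = "email") -> bool:
    """Pseudonyms are deterministic per key, so pseudonymised records remain linkable."""
    return record_a.get(field) == record_b.get(field)


# Constructed sample records; the people and values are invented.
RECORDS = [
    {"email": "Alice@Example.org ", "national_id": "123", "visit": "2018-05-25"},
    {"email": "alice@example.org", "national_id": "123", "visit": "2018-06-04"},
    {"email": "bob@example.org", "national_id": "456", "visit": "2018-06-04"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this apart from the pseudonymised data
    pseudo = [pseudonymise(r, key) for r in RECORDS]
    for rec in pseudo:
        print(rec)
    print("records 0 and 1 same person:", same_person(pseudo[0], pseudo[1]))
```

Rotating or losing the key changes every pseudonym, which is why the key, not the dataset, is the asset to protect and to keep out of the hands of whoever receives the pseudonymised data.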

Page 10: DPIA

Goals:
- Process for building and demonstrating compliance

Who:
- Carried out by the data controller with the help of the DPO and data processor

When:
- Before the processing
- Should be updated each time the risks change, or every 3 years

Processing:
- Created after May 2018
- A DPIA can apply for a group of similar processings

Page 11: 14 GDPR Guidelines adopted

Personal data breach

Accidental or unlawful:
- Destruction
- Loss
- Alteration
- Unauthorized disclosure
- Unauthorized access


Page 12: Portability in practice

Actors on the slide: data subject, data controller 1, data controller 2, personal storage, trust service provider.

- Data controller 1 provides personal data in a structured, commonly used and machine-readable format
- Store: the data subject keeps the data in personal storage, or with a trust service provider that stores the data and helps to prove the data subject's identity as well as data integrity
- Share: the data subject directly shares with an authorized controller (data controller 2), or the trust service provider provides the data subject’s data to a controller authorized by the data subject

Page 13: Eligible data

1. Is it personal data concerning the data subject?
2. Is the data processing carried out by automated means?
3. Is the legal basis for data collection consent or contract?
4. Is it data provided by the data subject?
5. Would the portability adversely affect the rights and freedoms of others?

If yes to all, then the data are portable

Page 14: Some challenges

Page 15: Conclusion

- Continuity of the principles
- GDPR restores the balance with GAFA
- Fines up to 4% of annual turnover
- Regulation scales with the one-stop shop
- 14 guidelines adopted by GDPR and endorsed by the EDPB
- CNIL accompanies (information, opinion, DPO, authorisations, compliance packs…) and enforces
- National law still to be promulgated