Exove
What is the EU's new data protection regulation, the GDPR, and why is it worth taking into account early?
Jesper Nevalainen, Partner
New Data Protection Landscape in Europe
• After over 4 years of negotiations, the new EU data protection framework has finally been adopted
• Two-year transition period, applicable on 25 May 2018
• The GDPR is set to replace the national laws and regulations based on the EU Data Protection Directive (95/46/EC)
• The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations; nonetheless, Member States have retained significant rights to legislate in certain areas
GDPR overview - Key changes
Controllers and processors
• Accountability
• Demonstrating compliance
• Increased documentation obligations
• Risk-based approach
• Privacy by design and default
• Privacy Impact Assessment and prior consultation where risk is high
• Data Protection Officers
• New breach reporting obligations
• Detailed prescription of what must be included in outsourcing contracts
Member states
• Significant scope for derogations at MS level
Data subjects
• More extensive data subject rights
  • Restriction
  • Erasure
  • Portability
  • "Profiling"
• Changing consent requirements (including in relation to children)
Supervisory authority
• New enforcement architecture
  • One-stop-shop
  • EDPB
• The stakes will be raised!
• Fines up to €20,000,000 / 4% of global turnover
The answer to this problem
Many companies, a growing amount of data, lots of resources
Authorities: few resources
1. Risk-based approach
2. Pushing responsibility to controllers/processors
Risk-based approach under the GDPR
● Core concept: Accountability
● Risk = mentioned 75 times
● Risk = risk in relation to the rights and freedoms of individuals = legal risk
● Examples:
  • Recital 74: "appropriate and effective measure"
  • Article 24, 32: Technical and organisational measures relative to the risk
  • Article 25: Data protection by design and by default according to the risks involved
  • Article 33, 34: Notifications in data breach situations relevant to the risk
  • Article 35: DPIA
  • Article 39(2): Tasks of the DPO
Elements of a Privacy Program
Governance
Risk Management
• Documentation
• Privacy Engineering (PbD)
• Data Protection Impact Assessments
• Appropriate Security Measures
Internal Instructions
• Internal Policies (high level)
• Guidelines & Instructions
• Privacy Requirements
• Training and Awareness
Privacy Processes
• Incident Management
• Subcontractor Management
• International Data Transfers
• Law Enforcement Access
• Data Subject Access & Complaint Management
External Communication
• Privacy policy
• Specific notifications (e.g. description of files)
• Notifications to authorities