Exove: What is the EU's new data protection regulation GDPR, and why is it worth addressing in good time? Jesper Nevalainen, Partner

What is the new data protection regulation GDPR and why should you care? Jesper Nevalainen, Bird & Bird


Page 1

Exove

What is the EU's new data protection regulation GDPR, and why is it worth addressing in good time?

Jesper Nevalainen, Partner

Page 2

New Data Protection Landscape in Europe

•  After over 4 years of negotiations, the new EU data protection framework has finally been adopted

•  Two-year transition period, applicable on 25 May 2018

•  The GDPR is set to replace the national laws and regulations based on the EU Data Protection Directive (46/95/EC)

•  The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations; nonetheless, Member States have retained significant rights to legislate in certain areas


Page 3

GDPR overview - Key changes

Controllers and processors

•  Accountability
•  Demonstrating compliance
•  Increased documentation obligations
•  Risk-based approach
•  Privacy by design and default
•  Privacy Impact Assessment and prior consultation where risk is high
•  Data Protection Officers
•  New breach reporting obligations
•  Detailed prescription of what must be included in outsourcing contracts

Member states

•  Significant scope for derogations at MS level

Data subjects

•  More extensive data subject rights
   •  Restriction
   •  Erasure
   •  Portability
   •  "Profiling"
•  Changing consent requirements (including in relation to children)

Supervisory authority

•  New enforcement architecture
   •  One-stop-shop
   •  EDPB
•  The stakes will be raised!
   •  Fines up to €20,000,000 / 4% global turnover


Page 4

The answer to this problem

Companies: many of them, a growing amount of data, lots of resources

Authorities: few resources

1.  Risk-based approach
2.  Pushing responsibility to controllers/processors

Page 5

Risk-based approach under the GDPR

●  Core concept: Accountability
●  Risk = mentioned 75 times
●  Risk = risk in relation to the rights and freedoms of individuals = legal risk
●  Examples:
   •  Recital 74: "appropriate and effective measure"
   •  Articles 24, 32: Technical and organisational measures relative to the risk
   •  Article 25: Data protection by design and by default according to the risks involved
   •  Articles 33, 34: Notifications in data breach situations relevant to the risk
   •  Article 35: DPIA
   •  Article 39(2): Tasks of the DPO

Page 6

Elements of a Privacy Program

Risk Management

•  Documentation
•  Privacy Engineering (PbD)
•  Data Protection Impact Assessments
•  Appropriate Security Measures

Governance / Internal Instructions

•  Internal Policies (high level)
•  Guidelines & Instructions
•  Privacy Requirements
•  Training and Awareness

Privacy Processes

•  Incident Management
•  Subcontractor Management
•  International Data Transfers
•  Law Enforcement Access
•  Data Subject Access & Complaint Management

External Communication

•  Privacy policy
•  Specific notifications (e.g. description of files)
•  Notifications to authorities