Data Protection Officer’s Overview of the GDPR

1. Data Protection Officer’sOverview of the GDPR Hugh Jones Sytorus

2. Sytorus – who we are • Data Protection Consultancy • Training • Introductory • DPO Primer • Modular training • Tailored to sector • Data Management Assessments • Privacy Impact Assessments • Interim Data Protection Officer • Liaison with Office of the DP Commissioner • Online Knowledge Base at www.privacyengine.io

3. Proposed legislation • Wording agreed in early January, 2016 • Due to come into effect in mid-2018 • Objective is to harmonise EU legislation • ‘Catch up’ with new technologies • Accommodate current business models • Recognise the global business market • Scope – • Where DC or DP are within the EU, regardless of where the processing takes place • Where Data Subject is an EU citizen, regardless of where DC or DP is based • Includes provision of goods and services, monitoring of behaviour within EU

4. Key Principles • Data Processing must involve: • Lawful, Fair and Transparent processing • Purpose Limitation (specified purposes) • Data Minimisation (adequate, relevant and limited) • Accurate and Up-to-date processing • Limitation of storage in a form that permits identification • Confidential and Secure – protects integrity and privacy • Accountability and Liability – demonstration of compliance • Specific Categories of Processing

5. Lawful, Fair and Transparent • Fair Processing Notice • Reference to Lawful Processing Conditions • Additional considerations for Sensitive Personal Data • Burden of Justification rests with Data Controller • Not about the data the Subject is willing to disclose • Assumption that consent is necessary • Distinction between Mandatory and Optional fields • Reminder of Data Subject Rights • To opt out from marketing • To object to processing • To have data rectified or removed • Right to request restriction of processing • “Right to be Forgotten”

6. Implications for DC and DP • No future obligation to register as DC or DP • Proactive assessment of processing • Logging and recording of incidents • Notification of processing in some circumstances • Controller obligation to maintain log of processing • Processor obligation to maintain log of processing • Identification of categories of data being processed • Identification of categories of processors to be engaged • Envisaged time limit for retention • Breach Notification • Within 72 hours of becoming known • Describe implications, measures taken to prevent recurrence • Outline steps taken to minimise impact on Data Subject

7. Selection of Jurisdiction • Referred-to as ‘The One-Stop Shop’ • Data Controller reports to the Supervisory Authority where the Controller is established / mainly operational • Where Controller is active in several EU jurisdictions, they can indicate a preferred jurisdiction • That authority will then be responsible for the Controller’s compliance

8. Overseas Transfer • EEA countries (EU + EFTA) - 31 • ‘Safe’ Countries – 10 • ‘Privacy Shield’ Scheme (being drafted) • Adequacy of Destination • Rule of Law • Respect for Human Rights and Fundamental Freedoms • Appropriate legislation and security measures • Specific DP legislation • Enforcement by a Supervisory Authority • Model Contracts • Code of Conduct with Enforceable Commitments • Binding Corporate Rules

9. Why comply? • ‘It’s the law of the land!’ • Protection of brand • Avoid risk to reputation • Protection of trust • Employees • Suppliers • Customers • Enables better decision-making • Makes good business sense • Delivers business value