GDPR and DPO
DPO and DPM
Michel Gerdes – DPO
DFN-CERT Services GmbH
27.09.2017
© 2017 DFN-CERT Services GmbH | GDPR and DPO: Slide 1
ToC
The DPO Role according to GDPR
Data Protection at research institutions and universities
Remaining challenges
GDPR and DPO
The DPO Role according to GDPR
GDPR and National Adjustments
• No national adaptation required (the GDPR applies directly in every Member State)
• Member States may adjust and define within certain boundaries (opening clauses)
• National law for public bodies
DPO by GDPR, legal grounds
Article 37 – Designation of the DPO
• (5) Professional qualities:
• expert knowledge of data protection law and practices, and
• the ability to fulfil the tasks referred to in Article 39
• (7) The controller shall publish the DPO's contact details and communicate them to the supervisory authority

Article 38 – Position of the DPO
• (1) involved, properly and in a timely manner, in all issues which relate to the protection of personal data
• (2) support by the controller (resources, access to personal data and processing operations, maintaining expert knowledge)
• (3) no instructions from the controller regarding the DPO's tasks; the DPO reports directly to the highest management level
Accountability
• Article 5 (2): accountability principle (the controller must be able to demonstrate compliance)
• Article 24 (1): responsibility of the controller (appropriate technical and organisational measures)
• requires Data Protection Management
Data Protection at DFN-CERT
DFN-CERT
• 50 employees, 5 teams, back office
• various topics, all focused on information security
• awareness
• separation of duties

DPO
• Since July 2015, part time (20 % planned, 15 % in practice)
• Trainings
• Preparations for GDPR
• Register of processing activities, and getting it done
• Issues brought up by colleagues
• Identifying issues and checking them with the persons in charge
Selecting a DPO
Personal suitability
• No conflict of interests
• Speaks the language of the employees
• Time slot

Skill set
• Collaboration
• Question superiors and seniors
• Scrutinize every data processing activity
• Dedication to the role
• Self-organization
• Tasks may not be handled in a straightforward way
Challenges & Achievements
Challenges
• Getting the persons in charge to get things done
• It is about the time they have to dedicate to the tasks, or about teaching them how to do it (fast but accurately)

Achievements
• Birthdays of employees in the calendar application
• Access to an employee's email account for invoices during their vacation
• Login timestamps in a world-readable log file
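The last achievement above (login timestamps of employees exposed in a world-readable log file) is a permissions finding that can be checked mechanically. The following is an added example, not part of the original slides and not DFN-CERT's tooling: it lists files under a directory whose mode grants "other" read access, and removes that access. It assumes a POSIX shell with find(1), chmod(1) and mktemp(1); the sample log tree is constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original slides).
# Audit a log directory for files readable by every local user.

# Print every regular file under $1 that has the "other" read bit set.
# -perm -004 matches when at least that bit is set (octal, so it works
# with GNU, BSD and BusyBox find alike).
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Remove read/write/execute for "other" on every hit, leaving owner and
# group permissions untouched.
restrict_logs() {
    world_readable_logs "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Constructed sample tree: one world-readable log with login timestamps
# (the finding) and one group-only log (acceptable). Prints the directory.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '2017-09-27 08:01 login user=alice\n' > "$dir/auth.log"
    printf '2017-09-27 08:02 login user=bob\n'   > "$dir/lastlog"
    chmod 0644 "$dir/auth.log"   # world-readable: finding
    chmod 0640 "$dir/lastlog"    # group-only: acceptable
    echo "$dir"
}

# Run with --demo to see the audit before and after remediation.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logs)
    echo "World-readable before fix:"
    world_readable_logs "$d"
    restrict_logs "$d"
    echo "World-readable after fix (expect nothing):"
    world_readable_logs "$d"
fi
```

In a real audit point `world_readable_logs` at /var/log (or the application's own log directory) and review the list before running `restrict_logs`, since some services legitimately need group or world access to their logs and should be handled by adjusting group membership instead.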
Framework for Data Protection Management
• Responsibilities
• Awareness
• Policies
• Processes
• Resources
Responsibilities
Controller
• implement Data Protection Management
• define responsibilities
• raise awareness
• define policies
• define processes
• provide resources
• fulfil Article 38 (Position of the DPO)
• Records of processing activities (Article 30)
• Consider data protection in contractual agreements/contracts
• Data protection impact assessment (Article 35)
• Information systems security

DPO (Article 39)
• inform and advise the controller
• monitor compliance
• cooperate with the supervisory authority
• act as contact point for the supervisory authority
• obviously not limited to these
• report directly to the board
Awareness
• periodic trainings for employees
• regular communication campaigns on data protection
• data protection coordinator per team/faculty/. . .
• project initiation should/may require consultation of the DPO/DPM
• highlight compliance with the data protection principles (Article 5)
Policies
• commitment of top-level management
• define responsibilities
• define processes
• sharing of responsibilities if joint controllers (Article 26)
Processes
• Ensure data subjects' rights
• Article 12 (3): respond to data subject requests without undue delay and in any event within one month
• Notification of a data breach to the supervisory authority (Article 33)
• Communication of a data breach to the data subjects (Article 34)
• Re-assessment of the DPM
• change management
• access to data on the DPO's computer
Resources
• further training and networking for DPO and DPM officials
• projects: documentation overhead and adjustments for data protection compliance
• appropriate technical and organisational measures to ensure security of processing, data protection by design and by default, data processing system security
Links
• http://www.goodcorporation.com/wp-content/uploads/2015/11/GC_DataProtection-Framework-160811.pdf
• https://www.maastrichtuniversity.nl/events/data-protection-governance-data-protection-governance-enterpriseorganisation-risk-management

Danish vs. English version of the GDPR
• http://eur-lex.europa.eu/legal-content/EN-DA/TXT/?uri=CELEX:32016R0679&from=EN
GDPR and DPO
Data Protection at research institutions and universities
Scientific research
Legal grounds for processing
• Art. 5 (1) b: further processing for scientific research purposes is not considered incompatible with the initial purposes
• Art. 89: safeguards and derogations for processing for scientific research purposes
• beware of special laws, e.g. telecommunication law
Different set of challenges
Administration
• centralized
• employment
• local DP coordinator
• standardized data processing activities
• may be based on state/national law (public body)

Teaching
• Freedom of teaching (Art. 5 (3) German Grundgesetz)
• eLearning → Data Protection!
• evaluations
• consent
• awareness
• may be based on state/national law as well
• Guideline: if and only if required for the evaluation

Research
• decentralized
• time constraints
• data protection measures conflict with research progress/interests
• local DP coordinator
• awareness
• enforce policy
• cooperation with other bodies
GDPR and DPO
Remaining challenges
Interpretation of laws
• Court decisions affecting interpretations
• commented printed versions
Dealing with older or other laws
• Data protection sections of older national laws may no longer apply
• e.g. for private bodies, or where the sector is regulated by Union law
• Conversely, they may still apply to public bodies, or to sectors not regulated by Union law
ePrivacy Regulation 2018
• planned to enter into force on May 25 2018 (together with the GDPR)
• still in draft
• extends the GDPR with regard to information security
• specifies the legal situation for electronic communication data
• refers to the GDPR's principles and regulations
Adequacy Decisions
EU-US Privacy Shield
• In evaluation after its first year
• New US administration disagrees with privacy regulations for EU citizens

Brexit
• UK government plans to adopt the GDPR after the Brexit
• Allows an adequacy decision
• Ruling of the ECJ?
Further trainings
Certification
• GDDcert.EU: Certification as data protection officer, focus on data protection organisation and data protection management (in German)
• TÜV.IT: Certification as data protection officer with technical focus (in German)

DFN-CERT
• Conference: https://www.dfn-cert.de/veranstaltungen/201711Datenschutzkonferenz.html – Conference organised by DFN-CERT for DFN with focus on data protection (in German)
• Tutorials: https://www.dfn-cert.de/veranstaltungen/201710EU-Datenschutzgrundverordnung.html – Tutorial highlighting the differences between BDSG and GDPR (in German)
Person of contact
Michel Gerdes
DPO, DFN-CERT Services GmbH
E-mail: [email protected] (@dfn-cert.de)
https://www.dfn-cert.de/