Professional Documents
Culture Documents
Understanding The General Data Protection Regulation (GDPR) : A Short Walk Through of The Key Aspects
Understanding The General Data Protection Regulation (GDPR) : A Short Walk Through of The Key Aspects
Understanding The General Data Protection Regulation (GDPR) : A Short Walk Through of The Key Aspects
Introduction 03
Overview of the GDPR 04
GDPR obligations 12
One stop shop 20
Extra-territorial effect 21
Sanctions 22
EU-US Privacy shield will now replace 23
Safe Harbor: What will change?
Frequently asked questions 24
Managing your GDPR project 27
Deloitte’s approach to GDPR: 28
Compliant, yet innovative
Learn more 31
02
Understanding the General Data Protection Regulation (GDPR)
Introduction
Organisations must meet the demands of the complex
regulatory landscape, but be flexible enough that
the regulatory programme keeps pace with a rapidly
changing environment—all with an industry-focus.
Regulatory strategy
We develop regulatory strategies, structures, and processes that enable a proactive,
forward looking assessment of regulatory trends and their impact on business models.
Regulatory response
We help clients respond to specific breakdowns in their regulatory accountability and
compliance programmes which are often driven by actual, or the prospect of, regulatory
censure.
Regulatory compliance
We assist clients in designing, assessing, and transforming their enterprise compliance
programmes to preserve organisational value and create competitive advantage.
03
Understanding the General Data Protection Regulation (GDPR)
04
Understanding the General Data Protection Regulation (GDPR)
55k 7 72 250m
Thousands of words making up Core individual rights afforded Hours given to report a data Cost of 4% fine for a typical
the text of the GDPR under the GDPR breach FTSE 100 company
Estimated number of new Data Countries potentially in scope New requirements in the GDPR
Protection Officers required in of the regulation
Europe (IAPP study 2016)
Key risks
Breach of regulation
05
Understanding the General Data Protection Regulation (GDPR)
GDPR requirements fall into five areas The GDPR check points
Becoming aware
1. Data The tone on the top, policies,
Becoming accountable
governance roles, responsibilities, and
organisational structures support Communicating with staff
the protection of individuals’ Personal privacy rights
privacy. Access request change
2. Data subject Controllers gives individuals Legal basis
rights (“data subjects”) control over Consent
what data is processed about GDPR requirements that are
generally implemented centrally Children and minors
them and for what purpose.
and can be assessed once for the Breaches
3. Security of Personal data is processed entire organisation. Data protection impact assessments
personal data securely; authorities and where
applicable data subjects are Data protection officers
notified of high-risk breaches. International organisations
1
The EDPB will replace the Article 29 working group. It is yet to be set up.
In Malta this is the office of Information and Data Protection Commissioner (IDPC).
2
3
The country where the controller or processor are located. Where, however, the controller or processor have establishments in more than one Member State (MS).
a. Controller, the place of its central administration in the EU, unless the decision on the purposes and means of the processing of personal data are taken in another
establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having
taken such decisions is considered to be the main establishment.
b. As regards to a processor, the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the
processor in the EU where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the
processor is subject to specific obligations under the CDPR.
4
Definitions can be found in Article 4 of the Regulation.
06
Understanding the General Data Protection Regulation (GDPR)
Key definitions
Personal data Any information relating to an identified or unidentified natural person (‘data subject’); an identifiable
Article 4(1) of GDPR natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of
that natural person.
Processing Any operation which is performed on personal data or nets of personal data, whether or not by
Article 4(2) of GDPR and automated means, such as collection, recording, organisation, structuring, storage, adaptation or
Article 4(7) of GDPR alteration, retrieval, consultation, use, disclosure or by transmission, dissemination, or otherwise
making available, alignment or combination, restriction, erasure or destruction or even mere storage.
(Data) controller The natural or legal person, public authority, agency or other body which, alone or jointly with others,
Article 4(8) of GDPR determines the purposes and means of the processing of personal data. Where the purposes and
means of such processing are determined by EU or MS law, the controller or the specific criteria for
its nomination may be provided for by a EU or MS law.
(Data) processor A natural or legal person, public authority, agency, or other body which processes personal data on
Article 4(8) of GDPR behalf of the controller.
When is the GDPR not applicable to the Article 5 of the GDPR: "Principles relating to processing of personal data"
processing of personal data? Personal data shall be:
A. Processed lawfully, fairly and in a transparent manner in relation to the data
•• By a natural person in the course of a
subject (‘lawfulness, fairness and transparency’);
purely personal or household activity (the
“household exemption”). B. Collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes; further processing for archiving
•• Concerning the personal data of
purposes in the public interest, scientific or historical research purposes or statistical
deceased persons.
purposes shall, in accordance with Article 89(1), is not considered to be incompatible
•• By competent authorities for the with the initial purposes (‘purpose limitation’);
purposes of the prevention, investigation,
C. Adequate, relevant and limited to what is necessary in relation to the purposes for
detection or prosecution of criminal
which they are processed (‘data minimisation’);
offences or the execution of criminal
penalties, including the safeguarding D. Accurate and, where necessary, kept up to date; every reasonable step must be
against, and the prevention of threats to taken to ensure that personal data that are inaccurate, having regard to the purposes
public security. for which they are processed, are erased or rectified without delay (‘accuracy’);
•• By EU institutions where a unique E. Kept in a form which permits identification of data subjects for no longer than is
Regulation for processing personal data necessary for the purposes for which the personal data are processed; personal data
by EU institutions will continue to apply may be stored for longer periods insofar as the personal data will be processed solely
instead of the GDPR. for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes in accordance with Article 89(1) subject to implementation of the
•• In the course of an activity which falls
appropriate technical and organisational measures required by this Regulation in order
outside the scope of EU law (e.g. activities
to safeguard the rights and freedoms of the data subject (‘storage limitation’);
concerning national security).
F. Processed in a manner that ensures appropriate security of the personal data,
•• Relating to the EU’s common foreign and
including protection against unauthorised or unlawful processing and against
security policy.
accidental loss, destruction or damage, using appropriate technical or organisational
measures (‘integrity and confidentiality’).
07
Understanding the General Data Protection Regulation (GDPR)
Governance •• Document your Privacy Governance Model - e.g. with clear roles and 5, 27, 37-39
responsibilities and reporting lines to embed privacy, accountability and
compliance into the organisation.
Accountability •• Implement a global overarching data protection policy, which brings together 5, 24, 25, 30
all underlying related policies including processes for privacy by design, and the
creation and maintenance of a record of processing activities.
Fair processing and •• Review your existing grounds for lawful processing and confirm that these will 5, 6, 7, 9, 10, 81-91
consent still be sufficient under the GDPR - e.g. can you still rely on consent given by a
client under the Data Protection Act [CAP 440] (DPA).
•• If data relating to a child is processed, ensure that notices directed at that child are
“child-friendly” and if consent is relied upon, you have implemented a mechanism
to seek parental consent.
Privacy by design •• Ensure processes are in place to embed privacy by design into projects - e.g. 25, 35, 36
and default technical and organisational measures are in place to ensure data minimisation,
purpose limitation and security.
Compliant •• Develop compliant contract wording for customer agreement and third-party
contracting vendor agreements.
•• Identify all contracts that require relevant contract wording, prioritise and develop
process for amending.
Data breach •• Review and update (or develop where not in existence) a Data Breach Response 32-34
procedures Plan.
•• Review insurance coverage for data breaches and consider whether it needs to be
updated in light of the higher fines and penalties under the GDPR.
Data transfer •• Identify all cross-border data flows and review data export mechanisms
08
Understanding the General Data Protection Regulation (GDPR)
Rights of data subjects under the Examples of data subject’s rights: Right of Erasure
GDPR What needs to be done
01. A data retention policy should be
Right to object to profiling
•• Right to withdraw consent - Article 7 implemented to define the legal
01. Conduct an analysis of all current and regulatory reasons for retaining
•• Right to lodge a complaint - Article 13 (d)
profiling activities and determine which categories of personal data for
•• Right of access - Article 15 will require explicit consent (those specified periods of time. This policy
profiling activities which use special needs to be implemented into both
•• Right to rectification - Article 16
categories of data and those profiling new and existing systems.
•• Right of erasure - Article 17 activities which are not necessary for a
02. Policies and procedures should be put
contract or required by law).
•• Right to restrict processing - Article 18 in place documenting how erasure
02. Implement or update privacy notices requests are to be handled.
•• Right of portability - Article 20
to refer to profiling activities. These will
03. Prioritise transition of personal
•• Right to object to processing - Article 21 need to be tailored to the particular
data from historic systems onto
profiling in order to specify any likely
•• Rights in relation to automated new systems which can be built
effect on the data subject.
processing - Article 22 to incorporate data retention and
destruction rules.
•• Right to an effective judicial remedy - Right of Data Portability
Article 78
01. Review personal data on systems to Access, Notification, and Restriction,
•• Right to representation of data subject establish how they can be provided to and Direct Marketing
- Article 80 the data subject and third parties on
01. Implement subject access request
request.
•• Right to compensation - Article 82 policies and procedures.
02. Review systems to ensure that these
02. Develop new policies for prompt
enable the deletion of personal data
rectification of personal data and a
that is no longer required.
procedure to cease processing where
03. Establish policies and procedures for applicable.
responding to requests from data
03. Implement a policy for dealing with
subjects.
marketing objections and maintain a
suppression list.
09
Understanding the General Data Protection Regulation (GDPR)
The contact
The data
details of the data
retention period
controller
A reference to
The purpose of What a Privacy Notice the data subject’s
the processing must contain rights under the
GDPR
Information
The identity on international
of the data transfers and the
controller safeguards applied
to such transfers
A controller must provide detailed Where the personal data is not obtained
information to data subjects regarding directly from the data subject, the
any intended processing of personal notice should also identify the source of
data. This information is usually the personal data.
given in a “fair processing notice”, or
“privacy notice”. Controllers must
have transparent and easily accessible
notices and provide information in
a concise form, using clear and plain
language.
10
Understanding the General Data Protection Regulation (GDPR)
Within a reasonable
At the time data is
When should information be provided? period from when data is
obtained
obtained
If disclosure to another
recipient envisaged, at the
latest before disclosure is
made
11
Understanding the General Data Protection Regulation (GDPR)
GDPR obligations
Obligations placed on processors Mandatory obligations for processor •• The processor must assist the
contracts controller to comply with requests
•• Appoint a representative if based outside
from individuals exercising their rights
of the EU : Article 27 •• The contract must contain a description
to access, rectify, erase, or object to
of (i) scope, nature, and purpose
•• Ensure certain minimum provisions in the processing of their personal data.
of processing; (ii) duration of the
contracts with controllers. Article 28(3) Article 23(3)
processing; and (iii) types of personal
•• Do not appoint sub-processors without data and categories of data subjects. •• The processor must assist the
specific or general authorisation of the Article 28(3) controller with their security and data
controller and to ensure that there breach obligations, including notifying the
•• The processor may only process
is a contract with the sub-processor controller of any personal data breach.
personal data on the documented
containing certain minimum provisions. Article 28(3)(f) and Art. 33(2)
instructions of the controller, including
Article 28(2) and (4)
as regards international transfers. There •• The processor must assist the
•• Process personal data only on the is an exception for obligations under controller should the controller need
instructions of the controller unless EU or MS law, but the processor must to carry out a privacy impact assessment.
required to process for other purposes inform the controller. Article 28(3)(a) Article 28(3)(f)
by EU or MS law. This will be a major Recital 81
•• The processor must return or delete
headache for many foreign processors.
•• The personnel used by the processor personal data at the end of the
Article 29
are under a statutory obligation of agreement, save to the extent the
•• Keep a record of processing carried out confidentiality. Article 28(3)(b) processor must keep a copy of the
on behalf of controller. Article 30 personal data under EU or MS law.
•• The processor must keep the personal
Article 28(3)(g)
•• Cooperate with the IDPC. Article 31 data secure. Article 28(3)(c)
•• The processor must demonstrate its
•• Implement appropriate security •• The processor may only use a sub-
compliance with these obligations and
measures. Article 32 processor with the consent of the
submit to audits by the controller
controller . That consent may be specific
•• Notify the controller of any personal (or by a third party mandated by the
to a particular sub-processor or general.
data breach without undue delay. Article controller). Some processors will
Where the consent is general, the
33 want to agree a “mandated” third party
processor must inform the controller
auditor to allow their existing process of
•• Appoint a DPO in certain cases. Article of changes and give them a chance to
independent third party certification to
37 object. Article 28(2) and Article 28(3)
continue. Article 28(3)(h)
(d)
•• Comply with the rules on transfers of
•• The processor must inform the
personal data outside of the EU. Article •• The processor must ensure it flows
controller if, in its opinion, the
34 down these obligations to any sub-
controller ’s instructions would breach
processor. The processor remains
EU or MS law. Article 28(3)
responsible for any processing by the
sub-processor. Article 28(4)
12
Understanding the General Data Protection Regulation (GDPR)
Categories of recipients,
Retention periods for different
including recipients in third
categories of personal data
countries, or international
(where possible)
organisations
13
Understanding the General Data Protection Regulation (GDPR)
Sensitive Information
Sensitive personal data has been expanded to also include:
14
Understanding the General Data Protection Regulation (GDPR)
Privacy by Design
07. Respect user privacy— Keep things user-centric; individual privacy interests must be
keep it user-centric supported by strong privacy defaults, appropriate notice, and user-
friendly options.
15
Understanding the General Data Protection Regulation (GDPR)
Need for a pragmatic, holistic approach Protect yourself from common pitfalls
Information
tagging
Data protection principles Data Governance
Access
•• Accountability •• Risk methodology controls
Information
•• Storage limitation •• Third party management classification
Legal pitfalls
•• Purpose limitation •• Privacy
•• International transfers
Strategy and processes
•• Training and awareness
•• Limited or no formal
accountability
•• Incident/breach
management
Technology
•• Documentation
•• Heterogeneous approach
Data Subject Rights •• Lack of coordination and
•• Transparency oversight
•• Handling requests
•• Automated decision-
making and profiling
16
Understanding the General Data Protection Regulation (GDPR)
GDPR is not only about legal GDPR is not only about technical
aspects of data protection aspects of data protection
Unclear
privacy Right to be
statement forgotten
Data
exfiltration
Unclassified
information
Publication
without purpose
Logical
Authentication
application
bypass
errors
Legacy data
Outdated in storage
data invenoty
GDPR calls for a combined approach GDPR calls for a combined approach
Data •• Information
classification
•• Information tagging Procedures
•• Data (lifecycle)
governance
17
Understanding the General Data Protection Regulation (GDPR)
Secure software
Is a continuous concern
for all organizations
SDLC is the
Software Development SSDLC will raise
Lifecycle: It defines the Secure SDLC awareness of security
tasks in each step of the Develop and maintain considerations by
software development software in a consistent and stakeholders
process efficient way with predefined
security quality, in line with
the organizational risks.
SSLDC causes
SSLDC will cause an early detection of
overall risk reduction for vulnerabilities in an early
the organization stage of the development
lifecycle
Capture high-level business Formalize functional Detailed technical design Roll-out and run the solution.
requirements and establish requirements and conceptual and solution development/
solution vision. design of solution. product installation and
configuration.
18
Understanding the General Data Protection Regulation (GDPR)
Capture high-level business Formalize functional Detailed technical design Roll-out and run the solution.
requirements and establish requirements and conceptual and solution development/
solution vision. design of solution. product installation and
configuration.
•• Privacy impact assessment •• Security and privacy aware •• During technical design: •• Data retention & backup
•• Confidentiality impact data modelling –– Segregation of policies
assessment •• Security aware process responsibility •• Security monitoring
•• Data integrity impact modelling –– Security on all layers •• Security configuration
assessment •• Security services •• During development: management
•• Availability impact integration design (logging/ –– Use of code (style) •• Key lifecycle management
assessment proxying/authentication/…) checkers. •• Privileged access
•• Exposure impact •• Low level security controls –– Define anti-patterns and management
assessment checklist patterns •• Account lifecycle
•• High level security controls –– External code-review management
checklist •• During continuous/nightly •• Security patch
build: management
–– Automated code •• Security release
analysis in nightly build management
environment •• Vulnerability management
–– Vulnerability assessments •• Availability management
Obligation to appoint a Data Protection Officer (DPO) Risk analysis and Data Protection Impact Assessments
The Regulation now states that all public authorities will have to (DPIA)
appoint a DPO. There may now be an obligation to conduct a privacy risk analysis
when setting up new business processes.
In the private sector, companies that:
The personal data management lifecycle should be considered
and focus on the controls that protect the accuracy, confidentiality,
integrity, physical security and deletion of personal data.
OR OR
Where the risk analysis indicates a high risk organisations will be
obligated to conduct a DPIA.
Process personal Are active in regular Process data
data of more than and systematic which is sensitive, While organisations’ are not required to perform Privacy Impact
5,000 individuals monitoring of location, relating Assessments (PIA), it is suggested that a risk analysis or PIA is
within a year individuals to children, or performed.
employee data
19
Understanding the General Data Protection Regulation (GDPR)
20
Understanding the General Data Protection Regulation (GDPR)
Extra-territorial effect
When assessing if a business established
Caught by
outside of Europe offers goods or services Caught by
Situation the DPA 2001
to data subjects in Europe, consideration GDPR?
[CAP440]
is to be given to whether the business is:
US social media company with no European
•• Offering services in a language or
presence, targeting the Service at individuals No Yes
currency of an MS;
in Europe
•• Enabling European residents to place
Chinese e-commerce retailer with website in
orders in such other language;
English, accessible by European citizen, but No No
•• Referencing European customers in its does not provide delivery to EU MS
publications.
Chinese e-commerce retailer with website in
English, accessible by European citizen, and No Yes
If one or more of these conditions are
allows E-purchase by citizens of EU MS
present, this may make it “apparent that
the data controller envisages offering Japanese website uses cookies which monitors
goods or services” to European residents behaviour and sends targeted marketing to IP
No Yes
and it is likely to be considered to be addresses, which include those from citizens of
subject to the GDPR. EU MS
21
Understanding the General Data Protection Regulation (GDPR)
Sanctions
€20 million, or 4% of
€10 million, or 2% of worldwide
worldwide annual turnover
annual turnover in preceding
in preceding FY in case of an
FY in case of an undertaking
(whichever is the greater).
undertaking
(whichever is the greater).
•• 27. Representatives of controllers/processors not established •• 12-22 Data subject’s rights (information, access, rectification,
in the EU etc.)
•• 31. Co-operation with the IDPC •• 58(1) Requirements to provide access to the IDPC
•• 33. Notification of breaches to the IDPC •• 58(2)(f) and 58(2)9i) and 58(2)(j): Orders/Limitations on
processing or the suspension of data flows
•• 34. Communication of breaches to data subjects
•• Obligations adopted under MS law
•• 35. DPIA
•• 37-39. DPOs
22
Understanding the General Data Protection Regulation (GDPR)
23
Understanding the General Data Protection Regulation (GDPR)
Frequently asked
questions
My business operates in Italy as well. As I operate in Malta and Italy do Does the ‘one stop shop’ mean I am
Do I still have to get advice on how the I need to nominate a supervisory just subject to the supervision of my
GDPR is implemented in Italy? authority? home regulator?
It depends on what processing you carry Given that you operate from both Malta If you carry out cross border processing,
out. There still are national variations in and Italy the lead supervisor will be the you will be primarily regulated by
some areas, which will require review under competent authority were you have the supervisory authority based in the
Italian law. One example is processing ‘main establishment’ located. The ‘main jurisdiction of your main establishment.
of information about employees: MS established’ is determined by considering The “one stop shop” does not apply
can introduce additional protections where the central administration is, where where processing is based on the legal
for employees. There is also overlap the decisions on processing personal obligation or public function condition
with national labour laws and there may data are taken, and where the main and other supervisory authorities can
be differences in the way the rules are processing activities take place. If the ask to take control where the processing
interpreted and enforced. The differences main establishment is located in Malta then mainly relates to their jurisdiction. The lead
will narrow over time, and the GDPR the lead supervisory authority is the IDPC supervisory authority can refuse to cede
contains a consistency mechanism to help in Malta. control, but must co-ordinate its activities
do that. closely with other ‘concerned’ supervisory
authorities.
24
Understanding the General Data Protection Regulation (GDPR)
Has the GDPR changed at all from the What does the right to portability The need for consent doesn’t just
DPA 2001 (CAP 440)? mean? arise from the GDPR but also in a
The core rules are broadly the same. Individuals already have a right to access number of other laws. Will this result
The GDPR looks familiar to experienced their personal data through a subject in confusion?
privacy practitioners. This does not mean access request. The data portability Correct. If you are subject to bank secrecy
that there is no change. Rather, there are enhances this right, giving the individual laws, it is very likely you will need consent
some significant changes. The GDPR adds the right to get that personal data in a to disclose customer information. You may
a number of important new obligations. machine readable format. Individuals can find that you ask for, and obtain, a valid
Finally, there is a significant increase in the also ask for the data to be transferred consent for the purposes of bank secrecy
sanctions for getting it wrong. directly from one controller to another. laws, but that consent is not valid for data
There is no right to charge fees for this protection purposes (e.g. because it is tied
Do I have to get consent from an service. to performance of the banking contract).
individual? You must, therefore, make it clear which
Not necessarily. Consent is only one of a The right only applies: processing condition you are relying
number of justifications for processing
•• To personal data “provided to” the
the individual’s personal data. Other Can a customer object to direct
controller. This will clearly apply to
justifications, such as the so-called marketing?
photos posted to a social network or
legitimate interests condition, are available. When an individual exercises the right
content stored on a cloud service.
to object to direct marketing, you must
What happens if someone withdraws •• Where the controller is processing not only stop sending direct marketing
consent? personal data in reliance on the material to the individual, but also stop any
It is likely that you will have to stop processing conditions of consent or processing of that individual’s personal
processing that individual’s personal performance of a contract. data for such marketing. For example,
data, although in some cases you may be if you receive an objection, you should
able to rely on an alternative processing Is consent given under the DPA 2001 stop profiling that individual to the extent
condition. Withdrawal of consent may also (CAP440) still valid? related to direct marketing. The ePrivacy
give the individual the right to be forgotten, Where consent is given under the DPA2001 Directive contains additional restrictions
i.e. have their data erased. Withdrawal of (CAP440), it will continue to be valid under on marketing and in some cases requires
consent does not affect the lawfulness of the SDPR if it also meets the requirements the consent of the individual. The ePrivacy
any processing that takes place prior to of the GDPR. Directive will continue to apply in parallel
that withdrawal. with the GDPR.
Will the definition of consent under
A customer has asked to be the ePrivacy Directive remain the
“forgotten” and for all his data to be same?
deleted. Do I have to comply? The ePrivacy Directive currently defines
It depends. Assuming the customer is consent by reference to the 45/96/
an individual, they do have a right to be EC Directive. This will automatically be
forgotten but that right is not absolute. superseded by a reference to the GDPR
In particular, you would need to confirm from May 2018 onwards. In other words,
a range of issues such as whether you obtaining consent to market by email will
were just relying on consent to process become a whole lot harder as well.
his or her data and whether you have
a continuing need to hold the relevant
personal data. In some cases, you may
need to quarantine his or her personal
data rather than delete it. The position
is complex. You need to put a process in
place to manage these requests.
25
Understanding the General Data Protection Regulation (GDPR)
Our school sends and requests What policies do I need? What is the role of the DPO?
coursework from its primary and It depends on your business. You would The DPO is a means to ensure
secondary students on line – which expect a large business to have a general accountability and compliance with the
means all students must have access data protection policy and policies that GDPR without external intervention by
to email and the Internet? address the data protection issues the IDPC. The DPO monitors compliance,
The SDPR contains specific protections for arising out of marketing, data security, provides information and advice, and liaise
children. You can only get consent from recruitment, record retention and with the IDPC. The DPO must report to the
a child in relation to online services if it is monitoring. These do not have to be stand- highest level of management within your
authorised by a parent. A child is someone alone policies and the data protection business. The DPO must be able to operate
below the age of 16, though MS can reduce issues might be built into a wider policy. independently and not be dismissed or
this age to 13 years. penalised for performing their tasks.
How can I “demonstrate” I am
The GDPR does not apply this restriction complying with the GDPR? Should the DPO form part or lead
when obtaining consent from a child offline, You will need to update or create suitable a company’s privacy compliance
but given the tight controls on consent, policies that set out how you process function?
you may still wish to obtain parental personal data. You should also consider The DPO is responsible for monitoring
authorisation. other compliance measures, including compliance with the GDPR, providing
setting up a clear compliance structure, information and advice, and liaising with
The GDPR adds: allocating responsibility for compliance, the IDPC. There are good arguments
staff training, and audit. It might also for the DPO to be separate from the
•• Privacy policies must be very clear and
involve technical measures such as compliance unit and instead operates as
simple if they are aimed at children.
minimising processing of personal data, a form of third line of defence. This avoids
•• Profiling and automated decision making pseudonymisation, giving individuals the risk of the DPO “marking their own
is not to be applied to children. greater control and visibility, and applying homework”.
suitable security measures.
•• The right to be forgotten applies very
A person must be qualified to assume
strongly to children.
Is it mandatory to appoint a DPO? the role of DPO and if so what
The GDPR establishes the appointment of qualification should s/he hold?
Is the right not to be subject to
a DPO if: The DPO must have the right professional
profiling and automated decision
qualities and expert knowledge of data
making a blanket one? •• You are a public authority – a government
protection law. There is no express
An customer has the right not to be subject entity, authority, or body other than a
requirement for them to hold any particular
to decisions made automatically that court.
qualification or certification. However,
produce legal effects or significantly affect
•• Your core activities consist of regular and obtaining appropriate qualifications will
him / her. This right, however, does not
systematic monitoring of data on a large be an effective way to demonstrate expert
apply where the decision is:
scale. knowledge (and may help them to do their
job properly).
•• Your core activities consist of processing
•• Based on explicit consent from the
sensitive personal data on a large scale
individual, subject to suitable safeguards Does the breach notification obligation
(including criminal offences).
including a right for a human review of relate to the obligations in the Cyber
the decision. Security Directive?
The national MS law may establish the
The obligations in the GDPR apply in
•• Necessary for a contract, subject to appointment of a DPO as mandatory. No
parallel with those in the Network and
suitable safeguards including a right for a such notice has been given to data by the
Information Security Directive and the
human review of the decision. IDPC.
ePrivacy Directive.
•• Authorised by EU or MS law.
26
Understanding the General Data Protection Regulation (GDPR)
Managing your
GDPR project
For most organisations, Interaction and input will be
GDPR involves a wholly new needed from business lines
approach to managing data. especially Human Resources,
This is therefore a change Marketing, and others coming
Governance, Legal,
management project. Data Inventories into contact with personal data
and Compliance
Readiness
Technological
Assessment
27
Understanding the General Data Protection Regulation (GDPR)
Deloitte’s approach:
Compliant, yet innovative
Today’s business climate is characterised by disruption and volatility.
At Deloitte, we help businesses gain a new view of risk—seeing
risk management as a vital performance lever, revealing untapped
opportunities to create competitive advantage.
There are lines you cannot cross. There are Our point of view on critical elements of the GDPR
rules to the game. But within the lines and When GDPR comes into effect on 25 May 2018 the European privacy landscape will be
following the rules, you are only limited by transformed which will mean a number of changes for organisations. We outline some
your own creativity to achieve your goals. major points from our experience that can help organisations getting the most from these
changes.
We are dedicated to help organisations
01. Proper data management is essential to comply with the GDPR.
navigate privacy risk, staying within the
rules of the game, while allowing privacy to 02. GDPR compliance will help build trust with clients and safeguard personal data.
be a business enabler and to use personal
03. Make GDPR compliance your top priority for the coming months.
data to increase customer trust.
Following these principles will greatly help you getting the most value from processing
personal data, while minimizing the risk.
Competitive
advantage Contracts
Strategic
28
Understanding the General Data Protection Regulation (GDPR)
29
Understanding the General Data Protection Regulation (GDPR)
Learn more
To learn more about how your organisation can
successfully implement GDPR, please contact:
www.deloitte.com/mt/gdpr
30
Deloitte refers to one or more of Deloitte Touché Tohmatsu Limited, a UK private company
limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL
and each of its member firms are legally separate and independent entities. DTTL (also
referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.
com/about to learn more about our global network of member firms.
Deloitte Malta refers to a civil partnership, constituted between limited liability companies,
and its affiliated operating entities: Deloitte Services Limited, Deloitte Technology Solutions
Limited, Deloitte Digital and Technology Limited, Alert Communications Limited, Deloitte
Technology Limited, and Deloitte Audit Limited. The latter is authorised to provide audit
services in Malta in terms of the Accountancy Profession Act. A list of the corporate partners,
as well as the principals authorised to sign reports on behalf of the firm, is available at www.
deloitte.com/mt/about.
Cassar Torregiani and Associates is a firm of advocates warranted to practise law in Malta and
is exclusively authorised to provide legal services in Malta under the Deloitte Legal sub-brand.
Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to
public and private clients spanning multiple industries. Deloitte serves four out of five Fortune
Global 500® companies through a globally connected network of member firms in more than
150 countries and territories bringing world-class capabilities, insights, and high-quality service
to address clients’ most complex business challenges. To learn more about how Deloitte’s
over 260,000 professionals make an impact that matters, please connect with us on Facebook,
LinkedIn, or Twitter.