Legal implications and consequences of GDPR
Prof. dr. Mindaugas Kiškis
Partner, FORT Vilnius
http://www.fortlegal.com
Why does GDPR matter for business?
• FACT: there are no businesses that do not process personal data
• FACT: on average, GDPR introduces more obligations on businesses compared to the existing rules
• FACT: GDPR shifts active responsibility for the supervision of data processing onto businesses themselves
• FACT: GDPR introduces draconian sanctions
• FACT: GDPR introduces major uncertainties and unequal rules
© Mindaugas Kiškis, 2017; shall not be reproduced or used in any way without prior approval of, and reference to the author
All businesses process personal data
• Personal data is increasingly broadly interpreted
• Publicity does not prejudice personal data protection
• Employee data, or the employee data of suppliers/customers/partners, is personal data
Shift of responsibilities under the GDPR
• NOW: Regulatory authorities supervise businesses, maintain data controller registries, prescribe registration forms and other formalities, etc. (business obligations are relatively passive)
• GDPR: Businesses have active data protection obligations – maintaining detailed records, data protection by design, performing impact assessments, appointing a Data Protection Officer, notification of breaches, training
• Some formalities are formally dropped – no formal data controller registration for businesses that do not process personal data on a large scale
Benefits for multinationals
• The ability to choose a single supervisory authority in one EU country
• Whole group of companies is considered one entity
• Transfers between the group companies - as internal data transfers.
• Local businesses stuck with supervisory authority at home
• Consumer complaints?
Example of uncertainty – large scale processing
"large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights"
Businesses consider data protection important, but...
• How significant is fire protection?
• How many of you have a fire extinguisher at home?
[Chart] How significant, in the opinion of our company, is personal data protection?
• We attach great importance to data protection: 72%
• We attach moderate importance to data protection: 22%
• We do not attach great importance to data protection: 6%
In LT most businesses use new technology on a large scale
[Chart] By which of the listed means does your company process (collect, store, transfer) personal data? (values as shown on the chart, in the order listed)
• E-mail: 84
• Company information systems on the company's own server: 78
• Cloud storage (Dropbox, Google Drive, etc.): 66
• Mobile devices through which the company's IT systems can be accessed: 32
• Remote storage (file servers): 22
• External media (USB, etc.): 16
• Our company's data is processed by an external service provider (SaaS) (e.g. Office 365): 6
• Other electronic means: 8
LT businesses know nothing about GDPR
• Companies are unaware of the Regulation's advantages and of the rules that ease companies' work
• Companies do not use the help of specialists
• Few companies provide training on personal data protection
[Chart] Does your company conduct employee training (or allocate a budget for it) on data protection matters?
• Yes, at least once a year: 22%
• Yes, less than once a year: 4%
• No: 74%
[Chart] Do you know about GDPR?
• Yes, we know about the upcoming changes: 8%
• Yes, but we do not know the changes it provides for: …
• No: 22%
Privacy by Design & Impact Assessments v. REALITY
[Chart] Have you heard about "privacy by design"?
• Yes, we have, and we apply it in our activities: 6%
• Yes, we have, but we do not apply it in our activities: …
• We have not heard about it: 84%
[Chart] Have you heard about impact assessments?
• Yes, we have, and we carry out such assessments: 6%
• Yes, we have, but we do not carry out such assessments: 14%
• We have not heard about it: 80%
Hard v. Soft data protection
Businesses are fixed on Hard protection
• Privacy boredom and double standards
• Personal data protection is treated as an administrative duty that brings no concrete benefit to the business
• Insufficient education on data protection matters
• Fixation on "hard" security
When implementing the Regulation, most companies plan to get by with investments in "hard", technical data protection measures, although the Regulation specifically emphasises "soft" measures
[Chart] Is the data protection legal regulation currently in force in Lithuania sufficient?
• Yes: 74%
• No: 10%
• Don't know: 16%
Discussion
• GDPR may be more useful for multinationals
• In the short term there are major uncertainties
• GDPR compliance is not easy and is going to be costly
• In the long term, competitiveness may be negatively affected
• What is the purpose of administrative protection, if civil protection is neglected?
Thank you [email protected]