Topic 10 : Data Protection Communication


Presentation Transcript


  1. Topic 10: Data Protection Communication

  2. Guidance for using these slides (remove before delivering)
  These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see „relevant for:” in the notes). In the notes section below each slide, you find an indication of the slide’s degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training].
  Prior to training delivery, please:
  • Read the slides and the notes thoroughly
  • Take a look at the reading materials – they also serve to assist you in your preparation
  • Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click ‘hide slide’]. A provisional categorisation has been made based on the depth and importance of the respective content
  • Adjust slides to national or sectoral requirements
  • Add content that you consider essential for your particular audience
  • Feel free to replace the default layout with your organisation’s layout

  3. How to Read The Slides’ Colour Frames [Remove Before Delivering]
  • Green – is a basic slide: we encourage you to keep it
  • Yellow – is a medium level slide: it is important, but does not jeopardise effectiveness if removed
  • Red – is an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
  • Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you replace it with the national, relevant content

  4. Speaker Name Title Department Contact details

  5. Rationale
  • Much of the GDPR regime involves requirements for communication
    • E.g., notifying affected parties and authorities in a data breach
    • E.g., providing information to data subjects so they can give consent
    • E.g., demonstrating compliance with the GDPR (and other laws)
  • This communication can be done well, or poorly.
  • This training guides trainees in:
    • Understanding their communication obligations
    • How to best execute these obligations.

  6. Table of contents
  • Introduction – What is data protection communication?
  • Challenges in data protection communication – Why is data protection communication hard?
  • Principle of Transparency – Core principle of data protection communication
  • Requesting consent – Giving people enough information to consent
  • Rights of access – Providing people with their data
  • Automated processing and communication – Explaining how you are processing people’s data
  • Communicating with data protection authorities – How and when should you contact your DPA?
  • Data breach notification – When things go wrong
  • Prior Consultation and DPIA – Before high-risk personal data processing
  • Records of data processing – Keeping proper records and demonstrating this
  • Codes of conduct – Communicating proper data protection through codes of conduct
  • Data protection certification – Communicating proper data protection through certification
  • Further resources

  7. Challenges in data protection communication
  • GDPR law sets high standards for communication
  • Methods for communication are still immature.
  • Communication is not a priority for all data subjects
    • Click-through and just accept
  • Technical information to communicate is complex
  • Highly varied “information literacy”
  • That information is presented does not mean it has been communicated
  • Written for legal requirements, not always for user understanding

  8. Some principles of data protection communication
  • Data processing should be transparent to the data subject – they should have enough information to:
    • Understand what is being collected and processed, and why
    • Have sufficient information to exercise their rights and make informed decisions
  • Data controllers have a role in promoting and facilitating the exercise of data subjects’ rights
    • They have to actively provide information on processing
    • And actively inform the data subjects about their rights

  9. Principle of transparency
  • It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
  • Data subjects have legal rights to information about personal data concerning them being processed.
  • The principle requires:
    • Information about data processing should be
      • easily accessible,
      • easy to understand, and
      • in clear and plain language.
    • That the data subject be informed of the existence of the processing operation and its purposes
    • The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed.

  10. Recital 39 Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.

  11. Recital 58 The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

  12. Information to be provided to the data subject
  “Administrative and practical details”
  • Identity and contact details of the controller
    • Where applicable, the controller’s representative.
  • Contact details of the data protection officer
  • Purposes of the processing for which the personal data are intended
  • The legal basis for processing
    • The legitimate interest(s) as legal basis of the controller or third party
  • The recipients or categories of recipients of the personal data (if any)
  • Any intent to transfer personal data to a third country or international organisation
  • The period for which the data will be stored (or the criteria to determine that period)
  “The rights of the data subject”
  • That the subject has the right to request from the controller
    • Access to the data
    • Rectification of personal data
    • Erasure of personal data
    • Restriction of processing concerning the data subject
  • That the subject has the right to withdraw consent for processing at any time (where processing is based on consent), without affecting the lawfulness of processing based on consent before withdrawal.
  • That the subject has the right to lodge a complaint with a supervisory authority

  13. Information to be provided to the data subject
  The rights of the data subject
  “Obligations and Implications”
  • Where the provision of personal data is:
    • a statutory requirement
    • a contractual requirement
    • a requirement necessary to enter into a contract
    • If the data subject is obliged to provide the personal data
    • And the possible consequences of failure to provide such data
  • The existence of automated decision making or profiling
    • Meaningful information about the logic involved, the significance and envisaged consequences of such processing for the data subject
  • Where personal data have not been obtained from the data subject…
    • The categories of personal data concerned
    • The source from which the personal data originate
    • If the personal data came from publicly available sources (if applicable).

  14. Method of the provision of information
  • Timing for data not collected from the data subject (Art. 14(3)):
    • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
  • New purposes: Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information.

  15. Exceptions
  • IF the data subject already has the information;
  • IF the provision of such information proves impossible or would involve a disproportionate effort;
  • IF obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
  • Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
  BUT: the controller then needs to take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests.

  16. Typical ways this information fails

  17. Layered information
  • Basic information in a first level
    • Summarised, at the moment data is collected, in the same medium the data is collected
  • Refer to more detailed information at a second level
    • In greater detail and in a more appropriate medium for presentation and archiving.

  18. Going beyond the GDPR
  • Communicate non-GDPR requirements (e.g. self-regulatory programmes, certifications, contractual obligations etc.).
  • Build data protection transparency into the user interface
    • Not just in a separate policy
    • Context-relevant notifications/explanations
    • Visually explain and guide the user through what is happening with their data
    • Granular consent models
    • Use of examples of data processing
  • Clearly understand what data processing is occurring, and then use this clear understanding to communicate to the data subject.
    • Facts > Legal obligations > tell the privacy story
  • Communicate non-exploitative / non-extractive business models or user-centric data processing

  19. Special considerations in providing information Information to children Electronic formats

  20. Information to children Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

  21. Electronic formats

  22. What contact information?
  • GDPR requires
    • Contact details of the data controller
    • Where applicable, the controller’s representative
    • Contact details of the Data Protection Officer (where applicable)

  23. Questions?

  25. Rights of access – overview
  • The GDPR gives individuals the right to access their own data
    • Commonly called a “subject access request”.
  • Helps data subjects understand how and why you are processing their data
    • And that it is being done legally.
  • Generally free of charge

  26. Article 15 GDPR – Right of access by the data subject
  • The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with a supervisory authority;
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  • The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  • The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

  27. Subject access request process

  28. National guidance on the right of access
  • (AU) – https://www.dsb.gv.at/at.gv.bka.liferay-app/web/datenschutzbehorde/fragen-und-antworten
  • APD (BE) – https://www.autoriteprotectiondonnees.be/node/19246
  • BFDI (DE) – https://www.bfdi.bund.de/DE/Datenschutz/Ueberblick/MeineRechte/Artikel/Auskunftsrecht.html
  • DPC (IE) – https://www.dataprotection.ie/en/organisations/know-your-obligations/access-and-portability
  • ICO (UK) – https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
  • CNIL (FR) – https://www.cnil.fr/fr/professionnels-comment-repondre-une-demande-de-droit-dacces

  29. Restrictions
  • Union or Member State law to which the data controller or processor is subject may restrict the scope of the obligations and rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
    • national security;
    • defence;
    • public security;
    • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
    • other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
    • the protection of judicial independence and judicial proceedings;
    • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in case of national security, other important objectives of general public interest and the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    • the protection of the data subject or the rights and freedoms of others;
    • the enforcement of civil law claims.

  30. Right to data portability
  • Article 20 – Right to Data Portability
  • Gives the data subject the right (in certain circumstances) to
    • Receive personal data concerning them that they provided to a data controller
    • In a structured, commonly used and machine-readable format
  • And the right to
    • Transmit those data to another data controller.
  • Example: a company selling fitness wearables, that track activity and health-related data for their users, must provide their users with the ability to obtain their personal data in a format suitable for their own use, or for taking to another health/activity data service.

  31. CAN WE ADD ANY SLIDES from the LATEST VERSION OF THE RIGHTS TRAINING MATERIAL?

  33. Questions?

  35. Algorithmic transparency and communication
  • Given particular risks from profiling, controllers should be particularly aware of their transparency responsibilities
  • Safeguards for the rights and freedoms of data subjects are necessary to use the exemptions to the general prohibition on fully automated decision making – these include the right to be informed
  • Articles 13(2)(f) and 14(2)(g) require the controller to provide the data subject with:
    • The existence of automated decision making or profiling
      • (tell the data subject they are doing it)
    • Meaningful information about the logic involved,
      • The rationale behind the processing, or
      • Criteria involved in the decision making
      • Doesn’t require a complex description of the algorithm, or full disclosure of the algorithm
      • The data subject should be able to understand the decision
    • The significance and envisaged consequences of such processing for the data subject
      • How might data processing affect the data subject?
      • Real, tangible examples should be given
  • Good practice to give this information (even if the processing doesn’t meet the technical definitions of Art. 22(1))

  36. Examples of algorithmic communication
  Elements shown: rationale, criteria, sources of data, safeguards, how to exercise rights
  • A controller uses credit scoring to assess and reject an individual’s loan application.
    • The score may have been provided by a credit reference agency, or calculated directly based on information held by the controller.
    • If the controller is reliant upon this score (regardless of source) it must be able to explain it, and the rationale, to the data subject.
  • The controller explains that this process helps them make fair and responsible lending decisions. [rationale]
  • It provides details of the main characteristics considered in reaching the decision, the source of this information and the relevance. [criteria, sources of data] For example:
    • the information provided by the data subject on the application form;
    • information about previous account conduct, including any payment arrears; and
    • official public records information such as fraud record information and insolvency records.
  • The controller also includes information to advise the data subject that the credit scoring methods used are regularly tested to ensure they remain fair, effective and unbiased. [safeguards]
  • The controller provides contact details for the data subject to request that any declined decision is reconsidered, in line with the provisions of Article 22(3). [how to exercise rights]

  37. Example of “significance” and “envisaged consequences”
  • An insurance company uses an automated decision making process to set motor insurance premiums based on monitoring customers’ driving behaviour.
  • To illustrate the significance and envisaged consequences it explains that
    • dangerous driving may result in higher insurance payments, and
    • provides an app comparing fictional drivers, including one with dangerous driving habits such as fast acceleration and last-minute braking.
  • It uses graphics to give tips on how to improve these habits and consequently how to lower insurance premiums.

  38. What is profiling?
  • ‘profiling’ means
    • any form of automated processing of personal data…
    • …consisting of the use of personal data…
    • …to evaluate certain personal aspects relating to a natural person,
    • in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (Article 4(4)).
  • Examples:
    • Using machine learning to identify insider threats for cybersecurity based upon email use
    • Credit ratings
    • Online advertising auctions

  39. Approaches to algorithmic transparency
  • Explainable AI (xAI)
  • Counterfactual explanations
  • Best practices
    • Explain decisions in terms that users can understand, and make it clear when a decision arises from an algorithm or a human supported by an algorithm.
    • Give users clear options when they are concerned about the decision an algorithm has made
    • Publish information that allows both effective auditing and support by third parties
    • Ensure that information about a service is published in a way that is accessible to experts

  40. Questions?

  42. What is a personal data breach?
  A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  43. Example of data breach
  4 laptops have been stolen from a hospital, where the health data of 200 children were stored
  • Integrity
    • Alteration
  • Confidentiality
    • Unauthorised disclosure of or access to personal data
    • Harming medical secrecy
    • Affecting the child’s environment (e.g. school)
    • Blackmail of children or parents
  • Accessibility
    • Accidental or unlawful destruction or loss
    • Most recent changes might be lost, only an old version recovered
    • Continuity of treatment disrupted
  • Could have been prevented by:
    • Up to date backups of data (accessibility and integrity)
    • Adequate encryption (confidentiality)

  44. Informing the supervisory authority
  • Personal data breaches can cause damage
  • As soon as a controller is aware of a breach:
    • Must notify the supervisory authority
    • Without undue delay
    • Not later than 72 hours after becoming aware.
    • Unless you can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

  45. Informing the data subject(s)
  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons
  • In clear and plain language
  • Who is managing this? – communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • What is the impact? – describe the likely consequences of the personal data breach;
  • What are you doing about it? – describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  46. Exception
  Communication to the data subject is not required if:
  (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
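The notification rules from slides 44 to 46 (the 72-hour clock for the supervisory authority, the high-risk test for informing data subjects, and the three exceptions) encoded as a checklist an incident-response team can run against a breach record. This is an added example, not part of the original deck; the `Breach` fields, the timestamps and the hospital-laptop sample adapted from slide 43 are constructed for illustration, and a real assessment still has to be documented by the controller.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    """The controller's documented risk assessment of the breach (slides 44 and 45)."""
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


@dataclass
class Breach:
    description: str
    became_aware: datetime                  # start of the 72-hour clock (slide 44)
    risk: Risk
    data_unintelligible: bool = False       # exception (a): e.g. encrypted, key not exposed
    high_risk_mitigated: bool = False       # exception (b): later measures removed the high risk
    individual_notice_disproportionate: bool = False  # exception (c)


@dataclass
class NotificationPlan:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_data_subjects: bool
    public_communication: bool
    reasons: List[str] = field(default_factory=list)


AUTHORITY_WINDOW = timedelta(hours=72)


def plan_notifications(b: Breach) -> NotificationPlan:
    """Apply the supervisory-authority and data-subject rules as the slides state them."""
    reasons: List[str] = []
    # Slide 44: notify the supervisory authority without undue delay and not later than
    # 72 hours after becoming aware, unless the breach is unlikely to result in a risk.
    notify_authority = b.risk is not Risk.UNLIKELY
    deadline = b.became_aware + AUTHORITY_WINDOW if notify_authority else None
    if notify_authority:
        reasons.append(f"Notify the supervisory authority by {deadline.isoformat()}")
    else:
        reasons.append("No authority notification, but record why the breach is unlikely to result in a risk")

    # Slides 45 and 46: inform the data subjects when the breach is likely to result in a
    # high risk, unless one of the three exceptions applies.
    notify_subjects = False
    public = False
    if b.risk is Risk.HIGH:
        if b.data_unintelligible:
            reasons.append("Exception (a): affected data rendered unintelligible (e.g. encryption); no individual communication required")
        elif b.high_risk_mitigated:
            reasons.append("Exception (b): subsequent measures mean the high risk is no longer likely to materialise")
        elif b.individual_notice_disproportionate:
            public = True
            reasons.append("Exception (c): individual notice disproportionate; public communication or similar measure instead")
        else:
            notify_subjects = True
            reasons.append("High risk: communicate the breach to the data subjects in clear and plain language")
    else:
        reasons.append("No high risk identified; no communication to data subjects required")
    return NotificationPlan(notify_authority, deadline, notify_subjects, public, reasons)


def hours_until_authority_deadline(plan: NotificationPlan, now: datetime) -> Optional[float]:
    """Hours left on the 72-hour clock (negative when overdue); None when no notification is due."""
    if plan.authority_deadline is None:
        return None
    return (plan.authority_deadline - now) / timedelta(hours=1)


def subject_notice(b: Breach, contact: str, consequences: str, measures: str) -> str:
    """Draft the data-subject communication with the three elements listed on slide 45."""
    return "\n".join([
        f"What happened: {b.description}",
        f"Who is managing this: {contact}",
        f"What is the impact: {consequences}",
        f"What we are doing about it: {measures}",
    ])


# Constructed sample based on the hospital example on slide 43 (the timestamp is invented).
HOSPITAL_LAPTOPS = Breach(
    description="Four laptops holding health data of about 200 children stolen from the hospital.",
    became_aware=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
    risk=Risk.HIGH,
)

if __name__ == "__main__":
    plan = plan_notifications(HOSPITAL_LAPTOPS)
    for reason in plan.reasons:
        print(reason)
    print(subject_notice(HOSPITAL_LAPTOPS, "Data Protection Officer, dpo@hospital.invalid (placeholder)",
                         "Unauthorised access to medical records; risk to medical secrecy and of blackmail.",
                         "Police informed, remote wipe requested, full-disk encryption being rolled out."))
```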

  47. National data breach reporting process [add national process]

  48. National guidance on data breach notification
  • AEPD (ES) – Guide on personal data breach management and notification: https://www.aepd.es/media/guias/Guide-on-personal-data-breach.pdf (available in English and Spanish)
  • (SE) – https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/notification-of-personal-data-breaches/
  • CNIL (FR) – https://www.cnil.fr/fr/notifications-dincidents-de-securite-aux-autorites-de-regulation-comment-sorganiser-et-qui-sadresser
  • DPC (IE) – https://www.dataprotection.ie/en/organisations/know-your-obligations/breach-notification

  49. Prior Consultation in the DPIA
  • A Data Protection Impact Assessment is an assessment of the risks to the rights and freedoms of data subjects from the processing of personal data.
    • It is conducted by the controller prior to processing
    • Required for certain categories of data processing
  • Where a DPIA indicates that processing operations
    • involve a high risk…
    • which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation…
    • a consultation of the supervisory authority should take place prior to the processing.
  • This is “Prior consultation”
