INTRODUCTION TO GDPR 19/09/2018

GENERAL DATA PROTECTION REGULATIONS: AN INTRODUCTION Background to the Regulations Timescale for change GDPR aims Key changes Actions to date Future plans Contacts and further information 19/09/2018

GENERAL DATA PROTECTION REGULATIONS BACKGROUND UK Data Protection Act 1998 derives from EU Data Protection Directive 95/46/EC Data Protection Act now almost 20 years old Amendments and related law have been enacted, but fundamental review required Potential changes discussed at EU level for 4 years Reform consists of 2 instruments: General Data Protection Regulations (GDPR) Data Protection Directive (for police & criminal justice sector) 19/09/2018

GDPR approved by European Parliament on 14 April 2016 Entered into force on 25 May 2016 Will apply in UK (potentially with changes) from May 2018 19/09/2018

GDPR AIMS To give citizens back control over of their personal data To simplify the regulatory environment for business To create a modern and harmonised data protection framework across the EU Reform seen as ‘key enabler’ of Digital Single Market & EU Agenda on Security 19/09/2018

GENERAL DATA PROTECTION REGULATIONS KEY CHANGES Fines – 2 tiers of fines for different offences, up to 20M EUR or 4% of global turnover Consent – more clearly defined, easier to withdraw, record keeping required Transparency – significantly more information to be provided where data are collected Right to be forgotten – new (limited) right for people to have their personal data erased without undue delay, controllers must also take reasonable steps to tell other controllers 19/09/2018

GDPR KEY CHANGES Security – risk minimisation approach, move towards certification mechanisms Data Protection Impact Assessment – (Privacy Impact Assessment) required prior to high-risk processing Data breaches – ICO and affected individuals must be informed of significant breaches. ICO notification within 72 hours 19/09/2018

GENERAL DATA PROTECTION REGULATIONS KEY CHANGES Data portability – (limited) right to receive personal data in interoperable format Subject Access Requests – no more fees, shorter 1 month timescale for response (exceptions apply to both) Data Protection Officer – required post, must have expert knowledge, be independent, report directly to ‘highest management’ Record keeping – must maintain records of processing activities, inc. storing, sharing and transfers 19/09/2018

GDPR AND DECISION TO LEAVE THE EU On 23 June 2016, the UK voted to leave the EU General view is: some short-term confusion, but GDPR will still apply (especially if UK remains a member of EEA) GDPR still applies to our processing of EU citizen data UK will still have powers to amend some parts of GDPR 19/09/2018

GENERAL DATA PROTECTION REGULATIONS WHAT WE’RE ALREADY DOING Dedicating more SPC staff resource to improving data protection compliance across University: Analysing the new legislation and its application to UEA Mapping GDPR requirements to UEA work practices Working with key contacts in departments & faculties Identifying processing risks and opportunities Identifying and reviewing privacy notices and data sharing agreements Implementing standardised data breach investigations and Privacy Impact Assessments (PIAs) Improving guidance and training materials 19/09/2018

GENERAL DATA PROTECTION REGULATIONS FUTURE DEVELOPMENTS Monitor legislation developments and ICO guidance as published Achieve certification in amended data protection practitioner training Undertake data protection audits as appropriate Work with IT Security project to ensure identified personal data is appropriately secured 19/09/2018

GENERAL DATA PROTECTION REGULATIONS CONTACTS AND FURTHER INFORMATION Email: dataprotection@uea.ac.uk Telephone: x2431 or 3523 Information Commissioner’s Office: https://ico.org.uk/for-organisations/data-protection- reform/ GDPR text (PDF): http://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN European Commission data protection reform blog: http://ec.europa.eu/justice/data- protection/reform/index_en.htm 19/09/2018 All images sourced from Pixabay, CC0 Public Domain