Getting Ready For GDPR Simon Marks Director Marks Investigation Services

Introduction
Back to basics
Significant changes
Sanctions, enforcement and recent examples of breaches
Disclaimer: no reliance should be placed on the guidance given in this talk without first taking detailed professional legal advice. Nevertheless, feel free to ask questions; I will do my best to answer them!

Data Protection is not a new concept
Data Protection legislation has been in place for 20 years (DPA 1998), and the key principles of that legislation are still very much in place and will be post-GDPR:
Fairly and lawfully processed.
Processed for limited purposes.
Adequate, relevant and not excessive.
Accurate.
Not kept for longer than is necessary.
Processed in line with the subject’s rights.
Secure.

Data protection policy, responsibility, training
Has your business established an appropriate data protection policy?
Has it nominated a data protection lead?
Has it provided awareness training to all staff?

Registration, privacy notices, subject access
Has your organisation registered with the ICO? You need to if you retain data on a computer.
Have you produced privacy notices that are readily available to individuals?
Does it have a process in place to recognise and respond to Subject Access Requests (SARs)?

Subject Access Requests
The Right of Access is a fundamental requirement under GDPR.
The Data Subject has the right to obtain confirmation that their data is being processed lawfully and securely, what information is being held and why.
Will you be able to respond to a SAR (at no cost to the subject) at short notice?
Your ability to respond to a SAR will be your acid test as to whether you have a process in place to understand and comply with your obligations under GDPR.

Data quality, accuracy and retention
Is the personal data your organisation holds of sufficient quality to make decisions about individuals?
Is there a routine disposal of personal data that is no longer needed, in line with agreed timescales?

Security
Has your business established an information security policy that is supported by appropriate security measures?
Does your business ensure an adequate level of protection for any personal data processed by others on your behalf (or transferred out of the EU)?

Privacy Impact Assessments (PIAs)
Has your business established a process to ensure that new projects or initiatives are privacy-proofed at the planning stage?

“Data protection by design”
The ICO describes PIAs as follows: The purpose of the PIA is to minimise privacy risks while meeting the aims of the project. Organisations can identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice. They can test this analysis by consulting people who will be working on, or affected by, the project… conducting a PIA does not have to be complex or time consuming, but there must be a level of rigour in proportion to the privacy risks arising.

Data protection by default
Key word: minimisation
GDPR requires the organisation (data controller) to implement appropriate technical and organisational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed.

Data Protection Officer or lead
The ICO says: It is important that someone in your organisation, or an external data protection adviser, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out the role effectively.

Increased rights for data subjects
Right of data portability
Right to be forgotten

Consent
Consent must be freely given, specific, informed and unambiguous. It must involve clear and affirmative action. Pre-ticked boxes will not do.
Consent cannot be inferred from silence or inactivity.
It must be kept separate from other terms and conditions, and the individual must be notified of simple ways to withdraw it.

Security
Information may be stored on servers all over the world. There may be complex chains of contractors and subcontractors. The organisation may not know in which jurisdiction data is held.
Current ICO guidance confirms that organisations must retain control of personal data sent to the Cloud. The Cloud must not expose the organisation to risks that would not have arisen if the data had remained in its possession. It is good practice to encrypt before transfer to the Cloud.
Under the GDPR, data processors, such as server providers based in the EU, will have similar legal obligations to data controllers.

Data Processors will have similar obligations to Data Controllers
Data Processors will have similar obligations to Data Controllers. They must:
Obtain consent from the Data Controller before they subcontract.
Maintain a record of processing activities, as the Data Controller must do.
Ensure appropriate security measures are in place.
Train their staff in data protection compliance.
Notify the Data Controller of any breaches.
NB: GDPR sets out guidance for the required content of data processing agreements.

Reporting of data protection breaches
TELL IT ALL, TELL IT FAST, TELL THE TRUTH

Sanctions and enforcement
Two levels of fines:
Up to 2% of global turnover (or 10 million euro, whichever is the greater)
Up to 4% of global turnover (or 20 million euro, whichever is the greater)

Cases
Data breaches by:
Sony (47,000 unique social security numbers stolen)
Zurich (46,000 customers’ data compromised; FSA imposed a fine of £2.2 million)
Yahoo (3 billion users)
eBay (145 million users compromised)
Equifax (220,000 customers affected)
RSA Security (40 million records stolen)
Facebook/Cambridge Analytica?

GDPR – are you really going to be ready?
Only 6 weeks to go. But don’t panic…
Any Questions?
Simon Marks simon@marksinvestigations.com