The EU General Data Protection Regulation Frank Rankin.
Presentation on theme: "The EU General Data Protection Regulation Frank Rankin."— Presentation transcript:

1 The EU General Data Protection Regulation Frank Rankin

2 No substitute for reading it…
http://static.ow.ly/docs/Regulation_consolidated_text_EN_47uW.pdf
200 pages (but the first half is preamble)

3 Regulation not Directive
Automatically in force across Europe
EU-wide consistency (up to a point)

4 Regulation Scope – outside EU
The Regulation applies to organisations outside the EU when they process personal data about EU citizens, or if they are monitoring EU citizens
Non-EU bodies have to appoint a representative in the EU

5 Subject rights include
Access (now free!)
Rectification
Erasure
Restriction of processing
Data portability – common formats, interoperability
Right to object (to marketing, profiling, research)
Right to object to automated individual decision making (including profiling)

6 New definitions
Pseudonymisation
Profiling
Genetic
Biometric

7 Principles – Now we are six
1. Processed fairly, lawfully and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose.
3. Adequate, relevant and limited to what is necessary in relation to the purposes.
4. Accurate and kept up to date.
5. Kept in a form that permits identification no longer than is necessary.
6. Processed in a way that ensures appropriate security of the personal data.

8 Conditions for processing
Consent must be freely given, specific, informed and unambiguous
A service cannot depend on consent where the processing is not necessary for the service
“Legitimate interests” remains in place but must be within individuals' “reasonable expectations”
Broad right to object without specific grounds
Organisations need to be more specific about the nature of the processing and the interests relied on

9 No more notification
End to the register of Data Controllers
No more £35/£500 fee
Controllers and processors to maintain comparable documentation
Income stream for ICO?

10 Expanded documentation
Prescribed set of documents to replace registration, for controllers and processors
Detailed data processor agreements
Privacy notices to provide much more detail: contacts/Data Protection Officer, rights of complaint/appeal, detail on processing

11 Mandatory breach notification
Processor to controller
Controller to supervisory authority, within 72 hours – unless unlikely to cause harm
Authority to keep a register of breaches
Report to individuals if “high risk” to privacy

12 Privacy by Design
Privacy by Default
Data minimisation
Mandatory PIAs

13 Data Protection Officer (The power! The power!)
DPO mandatory for:
Public authorities
Regular and systematic monitoring of data subjects on a large scale
Large scale processing of “special categories”
Can be shared. Can be contracted out.

14 DPO (continued)
Tasks...
Inform and advise
Monitor compliance
Awareness/training
DP Impact Assessments
Contact point
Involved in all issues
Support – resources and maintaining expert knowledge
Report directly to highest management
No conflicts of interest

15 Codes of Conduct and Certification
Fair and transparent processing
Legitimate interests
Data collection
Pseudonymisation
Data subject rights
Protection of children
Breach notification
Transfer to third countries
Dispute resolution
Option of Certification
Monitoring by accredited bodies
Codes of Practice

16 Remedies and Liability
Right to complain to supervisory authority
Right to judicial remedy against supervisory authority
Right to judicial remedy against controller or processor
Right to compensation from controller or processor
Controller always liable for non-compliance
Processor liable where it hasn't complied with a specific obligation on processors, or has acted outside or contrary to the instructions of the controller

17 Administrative fines Catching the headlines

18 For breaches of these articles…
Consent for children's data (article 8)
Processing not requiring identification (article 10)
Data Protection by Design (article 23)
Joint Controllers (article 24)
Representatives of the controller within the EU (article 25)
Processors (article 26)
Processing under the authority of the controller and processor (article 27)
Records of processing activities (article 28)
Co-operation with the supervisory authority (article 29)
Security of processing (article 30)
Notification of the breach (article 31)
Communication to data subject of the breach (article 32)
Data Protection Impact Assessment (article 33)
Prior consultation (article 34)
Designation of the Data Protection Officer (article 35)
Position of the Data Protection Officer (article 36)
Tasks of the Data Protection Officer (article 37)
Certification (article 39)

19 Fines of up to... 10m Euro 2% GTO

20 For breaches of these articles…
Principles of Data Protection (article 5)
Lawfulness of processing (article 6)
Conditions for Consent (article 7)
Processing special categories of personal data (article 9)
Rights of the Data Subject (articles 12-20)
Transfer of personal data to third countries (articles 40-44)
Powers of the Supervisory Authority (article 53)

21 Fines of up to... 20m Euro 4% GTO

22 People get ready... EU Data Protection Regulation

23 ICO – Getting ready for GDPR
Consent and control
True control for customers/service users
Consent – explicit? Withdrawable?
Accountability
Effective compliance procedures
Can individuals find out about your data handling?
Staffing

24 ICO – Getting ready for GDPR
Systems and processes compliant as a matter of course
“Data minimisation” and Privacy Impact Assessment
Privacy by design
Effective breach response procedures
Notification of individuals? ICO?
Breach management
