Presentation is loading. Please wait.

Presentation is loading. Please wait.

General Data Protection Regulations: Key Articles Overview Craig Clark Information Security & Compliance Manager UNIVERSITY OF EAST LONDON – LONDON’S LEADING.

Published byJustin Tobias Arnold Modified over 7 years ago

Similar presentations

Presentation on theme: "General Data Protection Regulations: Key Articles Overview Craig Clark Information Security & Compliance Manager UNIVERSITY OF EAST LONDON – LONDON’S LEADING."— Presentation transcript:

1 General Data Protection Regulations: Key Articles Overview Craig Clark Information Security & Compliance Manager UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

2 Topics What is the GDPR European Law Landscape Key dates GDPR Structure What is Personally Identifiable Information? Territorial Scope - Articles 1-3 Remedies, Liabilities and Penalties - Articles 79, 82 & 83 Data Collection Principles - Article 5 Lawfulness Articles - 5 & 6 Consent - Articles 7-9 Transparency - Articles 12-18 Data Security - Article 32 Data Breach Notification - Articles 33 & 34 UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

3 What is the GDPR A complete overhaul of data protection regulation with extensive updates of what can be considered identifiable information Applies across all member states of the European Union Applies to all organisations processing the data of EU data subjects – wherever the organisation is geographically based Specific and significant rights for data subjects to seek compensation, rights to erasure and accurate representation Compensation can be sought against organisations and individuals employed by them Fines of up €20,000,00 or 4% global annual turnover Significant reduction in that amount based on the implementation of technical, or organisational controls implemented UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

4 European Law Landscape European Legislation can be separated into two main branches: Directives Require individual implementation in each Member State (Each State can implement rules in their own way) Implemented by the creation of national laws approved by the parliaments of each Member State European Directive 95/46/EC (The current Data Protection Act) is a Directive Sets out a goal that a member state must achieve –room for tailoring 28 different variations among Member States UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

5 European Law Landscape Regulations: Immediately applicable in each Member State in a uniform manner Binding Legislative Act Derogations allow for fine tuning, examples include the age of a child, and the definition of large scale data processing EUGDPR is a Regulation Regulations are not negotiable by member states Regulations may apply to countries outside the EU if they affect EU subjects (people who are originally from the EU) UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

6 Key Dates for GDPR 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016, and applies from 00:01 25 May 2018. As it stands the United Kingdom will still be considered a Member State at the time of inception and will therefore be subject to the requirements of the EUGDPR This Regulation shall be binding in its entirety and directly applicable in all Member States. UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

7 GDPR Structure UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT European Data Protection Board Lead Supervising Authority (Information Commissioners Office) Data Processor Data Controller (Organisation) Data Subject (Individuals) 3 rd Countries 3 rd Party

8 GDPR Structure The European Data Protection Board will issue guidance for controllers and processors They will facilitate the use of Data Protection Impact Assessments The ICO will oversee both Data Controllers and Data Processors Breaches and Notifications will be made to the ICO 3 rd Countries – countries to which data is transferred At the centre of the GDPR is the protection of Personally Identifiable Information UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

9 Personally Identifiable Information Can be defined as Information that can be used to identify a living individual. Examples include (but are not limited to): UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT First & last name (combined)Home addressDate/place of birth Photos and videosUsername/passwordNational insurance/Social security Number Bank account detailsCredit card detailsPassport number Medical recordsFinancial recordsNon work related correspondence Personal email addresses/emailsBiometric dataCookies MAC AddressIP Address

10 High Risk Personal Information Other information, while not individually useful as identifiable has been defined as high risk and as such breaches involving high risk data should be notified. High Risk data includes Racial and Ethnic OriginTrade Union Membership Religious BeliefsPolitical Opinion Healthcare DataGenetic Data Sexual OrientationLocation Data Disability InformationBiometric Data Mental Health Status Gender UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

11 Territorial Scope Articles 1-3 cover the applicability of the Regulation Data Subjects = living individuals aka natural persons. They have rights associated with: - The protection of personal data - The protection of the processing of personal data - Unrestricted movement of personal data throughout the European Union (with consent) The scope of the GDPR includes personal data that is wholly or partly by automated means and personal data that is part of a filing system (or is intended to be) Any organisation that processes the data of EU citizens, are subject to the Regulation UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

12 Remedies, Liabilities & Penalties Enforcement powers of ICO will be significantly enhanced with the issuing of measures, notices and monetary fines intended to be effective, proportionate and dissuasive Fines can be up to €10,000,000 for enterprise or 2% total worldwide turnover for the preceding year, whichever is greater Fines are calculated based on several factors : - Controls already in place - Nature, gravity, extent and duration of infringement - The types of personal data involved in the infringement - Actions taken by the controller or processor to mitigate, negate or notify affected parties (including the ICO) of a breach UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

13 Remedies, Liabilities & Penalties Data Subjects have the right to effective judicial remedy against a controller or processor when the rights of the data subject has been infringed as a result of processing Action can be sought either: - In the courts of a Member state where the processor has an establishment - In the courts of a Member state where the subject habitually resides - Against a controller for the inadequate control of data or a processor for processing UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

14 Data Collection Principles The GDPR sets out 7 key principles for the collection of data: Data must be processed lawfully fairly and in a transparent manner Data must only be collected for specified explicit and legitimate purposes Collected data must be adequate, relevant and limited to what is necessary Collected data must be accurate, and where necessary kept up to date Data must be retained only as long as necessary Data must be processed securely There must be accountably in all processing activity UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

15 Lawfulness of Processing The Regulation introduces the concept of Lawfulness and places specific obligations on the controller and processor: Data must be secured against accidental loss, damage or destruction Processing must be lawful which means inter alia: - Data subject must provide explicit consent for processing for each service - The processing to be performed is necessary for the performance of a contract - processing is necessary for compliance with a legal obligation Controllers have one month to process Subject Access Requests – no charges (unless vexatious) UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

16 Lawfulness of Processing The regulation seeks to clearly distinguish between the obligations placed upon controllers and processors. Processors and Controllers must now have a legally binding contract Controllers responsible for ensuring processors comply with contractual terms for processing information Processors, like controllers, are required to implement appropriate security measures The lead processor is required to reflect the same contractual obligations it has with the controller in a contract with any sub- processors and remains liable to the controller for the actions or inactions of any sub-processor. UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

17 Consent Consent must be clear and affirmative – no action on behalf of the data subject no longer implies consent Controllers must be able to demonstrate that consent was given in a clear, intelligible and easily accessible way or else it is not binding It must be possible for data subjects to withdraw consent at any time and must be as easy to withdraw as it is to give. This has significant implications on how data is processed Special conditions for children under the age of 16 Separate, explicit consent must be given for high risk personal data along with an outline of what the controller intends to do with it in terms of processing (except in protecting the public interest) All information should be secured UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

18 Transparency New obligations placed on controllers on how they interact with data subjects Any communications need to be concise, transparent and intelligible Controllers must provide clear unambiguous information about how and why a subjects’ data is collected and processed Controllers have an obligation to proactively provide information about individuals within the organisation including the Data Controller and the Data Protection Officer and the specific rights a subject has If data has been obtained indirectly (e.g. a mailing list), Controllers must take specific steps to notify affected subjects All data subjects have rights to access their data including the right of erasure, the right of transfer and the right of accuracy UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

19 Data Security A requirement on controllers and processors to implement a level of security appropriate to the risk. Techniques: Pseudonymisation - Separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Encryption - Conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorised parties. Minimisation - Reducing the data collection to the minimum required to deliver the service agreed by the data subject Penetration Testing - Agreeing a process for regularly testing assessing and evaluating the effectiveness of security measures Ensuring ongoing application of confidentiality, integrity and availability controls UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

20 Data Breach Notification The GDPR stipulates specific requirements for breach notification The legislation defines a breach as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Processors must notify Controllers of any breach Controllers must notify the Lead Supervisory Authority of high risk breaches without undue delay and where feasible not later than 72 hours after becoming aware of it How and when a notification is made has a significant impact on mitigation from the Lead Supervisory Authority UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

21 Notification Requirements Notification to the ICO without undue delay (within 72 Hours) Description of the nature of breach Specify categories of data subjects (gender, adult or child, patient, student etc.) The number of data subjects affected The number of personal records breached The likely implications of the breach Details of Data Protection Officer The measures taken to mitigate Currently no requirement to notify if the breach is not considered high risk and the breach is unlikely to impact the rights and freedoms of data subject (guidance on what constitutes high risk to be confirmed) UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

22 Notification Requirements When a high risk breach has occurred, the data controller has specific obligations regarding communication to affected data subjects Communication can be mandated by the supervisory authority Communication must be carried out without undue delay Communication must be in clear, plain language Exceptions if appropriate measures have been implemented to minimise risk Exceptions if communication would involve disproportionate effort compared to risk UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

23 Why this is Important Between January – March 2016 the ICO was notified of 448 significant data breaches. Now more than ever before, the ethos needs to be that we will be breached eventually, and we need to prepare for that eventuality. UNIVERSITY OF EAST LONDON – LONDON’S LEADING UNIVERSITY FOR CIVIC ENGAGEMENT

Download ppt "General Data Protection Regulations: Key Articles Overview Craig Clark Information Security & Compliance Manager UNIVERSITY OF EAST LONDON – LONDON’S LEADING."

Similar presentations

Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
The Data Protection Act 1998. What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;

The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
The Data Protection Act 1998. What the Act covers The misuse of personal data by organisations and businesses.

The Data Protection Act What the Act covers The misuse of personal data by organisations and businesses.
Data Protection Act 1998. The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.

Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
CMG Events 2016 Cybersecurity Briefing 24 February 2016 John Magee William Fry.

CMG Events 2016 Cybersecurity Briefing 24 February 2016 John Magee William Fry.
Presentation Title Data Protection The new EU Regulation Insert your logo here.

Presentation Title Data Protection The new EU Regulation Insert your logo here.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.

Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
The Data Protection Act 1998

The Data Protection Act 1998
The Data Protection Act 1998

The Data Protection Act 1998
GDPR 12 POINTS 679/2016 DATA LEX 2016.

GDPR 12 POINTS 679/2016 DATA LEX 2016.
General Data Protection Regulations: The Key Changes

General Data Protection Regulations: The Key Changes
The future of data protection: General Data Protection Regulation

The future of data protection: General Data Protection Regulation

Similar presentations

Ads by Google