Download presentation
Presentation is loading. Please wait.
1
Presentation to GTMC on GDPR
2
What is the GDPR? Harmonised Data Protection regulation across the EU
ICO has indicated that Brexit will have no impact on adoption (one way or another…) Applies to organisations that hold data on EU citizens and residents Applies to Controllers (say how and why data is processed) and Processors (process data on behalf of controllers) Enhanced obligations over and above DPA, particularly on Processors
3
What data does GDPR apply to?
Personal Data Broader definition of personal data Can include online identifiers (e.g. and IP address) Sensitive Personal Data Generally, sensitive information about an individual Again, broader definition applies (e.g. genetic and biometric data) Special rules for processing children’s data
4
Principles of the GDPR Similar to DPA. Data shall be…
Lawful processing Data collected for a specific, legitimate purpose Adequate, relevant and limited to that purpose Accurate and kept up to date Kept for no longer than needed Kept secure Much enhanced principle of ACCOUNTABILITY
5
Accountability Critical new principle
Organisations must DEMONSTRATE compliance This means… Documenting processing activities Appoint a DPO? Data Protection Impact Assessments DP “by design and by default” Maintain records of processing activities Must actively demonstrate compliance
6
Basis for Processing Have to demonstrate a legal basis for processing
This can include: Consent Legitimate basis for processing (including performance of a contract) Public interest Importantly, consent is not the only acceptable basis for processing
7
Rights of Individuals Enhanced existing rights: Right to be informed
Right of access Right of rectification Right to object Rights regarding automated processing New rights Right to restriction Right to erasure Right to data portability
8
Consent Important – consent is not the only acceptable legal basis for processing personal data But – consent MUST be sought for processing sensitive personal data Consent requires “clear, affirmative action” (i.e. not a pre-ticked box) It must be freely given, informed, specific, and verifiable. It can be withdrawn at any time
9
Breach notification & enforcement
Breaches generally expected to be report within 72 hours (but also ‘without undue delay’) Extends mandatory breach reporting beyond ISPs and telcos to all controllers/processors Report to data controllers, regulators and – in some cases – affected data subjects FINES – up to €20m or 4% of global turnover for major breaches Up to €10m or 2% of global turnover for minor breaches
10
What are other companies doing?
Mapping stored data for GDPR applicability Reviewing data processing processes and documenting what they have in place Appointing a DPO if not in place Considering record keeping and responses to GDPR requests (particularly erasure, data portability) Projects are very much in progress or planning, not complete
11
Thank you
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.