The EU General Data Protection Regulation

Presentation transcript:

1 The EU General Data Protection Regulation
WALES Cyber Security Clusters / CYMRU Clwstwrau Seiberddiogelwch – Members of the UK Cyber Security Forum

2 It’s a “Regulation”, not a “Directive”…
A “Directive” means that each country has to make up its own law that covers the controls that are being recommended (like our Data Protection Act). A “Regulation” is a European law in its own right, which means the EU can enforce it regardless of the laws in the individual countries. Although enacted in May 2016, the GDPR will not be enforced until May 2018 – two years to prepare!

3 Does GDPR apply to you?
Do you process, either as a controller or a processor, the personal data of any data subjects who are in the Union (regardless of whether the processing takes place in the Union or not)?

‘Processing’ means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Data Subject’ means an individual who is the subject of personal data – in other words, the individual whom particular personal data is about. An individual who has died or who cannot be identified or distinguished from others is not a data subject. For the purposes of GDPR, a data subject is also a living person who is in an EU Member State.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‘Special Data’ means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. An organisation may be a controller or a processor depending on the circumstances of the data processing. A controller can contract multiple processors, and a processor can contract sub-processors.

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

4 If GDPR applies to you, then you have some legally binding obligations…
You must abide by these Principles – personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes
- Accurate and kept up to date
- Kept for no longer than necessary
- Processed in a manner that ensures appropriate security
- Accountability (demonstrate compliance)

You must protect these Rights:
- Right to be Informed (provide information)
- Right of Access
- Right to Object to Processing
- Right to Restriction of Processing
- Right to Rectification
- Right to Erasure
- Right to Notification (of 3rd Parties)
- Right to not be Profiled
- Right to Portability

5 Do you have a legal basis for processing that personal data…
- the data subject has given consent for one or more specific purposes
- processing is necessary for the performance of a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the rights and freedoms of the data subject) – good luck trying to justify this!

Consent (but only if I have to!)

6 If you have to use consent, then make sure you get it right…
For consent to be legal, it must:
- be freely given (it cannot be conditional)
- be explicit (it cannot be implied)
- be demonstrable (if you cannot prove it, then it didn’t happen)
- if in writing, be clearly distinguishable from other content
- be in clear and plain language
- allow consent to be withdrawn at any time
- be as easy to withdraw consent as it was to give it
- have parental consent if under 16 years old

When gaining consent, you must give:
- identity and contact details of the Controller
- the purpose & legal basis for the processing
- details of any other recipients of the data
- details of any possible transfer of the data to a third country (see published list)
- how long the data will be needed/kept
- the data subject’s rights (access, rectification, erasure, restriction, object, portability, complain)
- details of how to withdraw consent
- details of any automated decision-making

If consent isn’t legal or you didn’t give all this information at the time… You must DELETE the data or get RE-CONSENT

7 What do you need to do to make sure you are compliant…
Summary of what to do about Personal Data:
- Identify what items of data you process
- Determine the legal basis for processing each item of data
- Sort out your consent processes (get re-consent if you have to)
- Erase data that you shouldn’t have or don’t need (including backups)

8 What policies & procedures are you going to need to be compliant…
Data Protection Policy and/or Statement: the amount of information you have to include in your privacy policy has increased. You are also required to be clear and concise, so a bit of a challenge there!
Website Cookies: remember the cookie law? Well, it is now time to re-evaluate, because the game has changed again – GDPR has already tightened up the rules as well as increased the penalties for getting it wrong.
Privacy Notices: the GDPR introduces a more prescriptive framework about the information we must provide to people whose data we are processing, and the penalties for contravention of these rules.
Access Requests: organisations will have to deal with requests more quickly as well as providing additional information, and individuals will be entitled to receive the information in an electronic format.
Right to be Forgotten: now called “erasure”. Individuals can require data to be ‘erased’ when there is a problem with the legality of the processing or where they withdraw consent.

9 Your most visible ‘notice’ where you may capture the most personal data…
“By using this site you accept cookies”: if there is no genuine and free choice then there is no valid consent. You have to provide some service to those who don’t accept those terms.
Advising people to adjust their browser settings: telling people to block cookies if they don’t consent is unacceptable. It puts the onus on them and doesn’t make withdrawing consent “as easy as giving it”.
Implied consent: users are required to make an “affirmative action” to signal their consent.
Do Not Track browser requests: you must have a mechanism to respond to ‘DNT:1’ browser settings. It is a “right to object” to profiling.
Cookies can be “Personal Data”: certain cookies can be considered to be an “...online identifier...” – any persistent cookie that is unique to the device by virtue of its attributes or stored values.
Sites need an opt-out: even after getting valid consent, there must be a route for people to change their mind. “Withdrawing consent must be as easy as giving it.”
Browser history constitutes “processing”: some preference cookies may reveal “special category” data (e.g. sites with health-related content), which means additional laws apply, so the new rules on consent will apply. Different types of cookies with different processing purposes will need valid consent for each purpose.
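As an added illustration of the cookie rules on this slide (not code from the presentation or its authors), the following Node.js model keeps consent per purpose, refuses implied consent, records evidence so consent is demonstrable, treats a DNT:1 header as an objection to profiling, and makes withdrawal a single call. The purpose names and the DNT policy are assumptions made for illustration.

```javascript
// Added example, not from the presentation: per-purpose cookie consent that
// refuses implied consent, honours DNT:1 and makes withdrawal one call.
// Purpose names and the DNT policy are assumptions made for illustration.
const PURPOSES = {
  necessary:   { needsConsent: false, profiling: false }, // e.g. session cookie
  preferences: { needsConsent: true,  profiling: false },
  analytics:   { needsConsent: true,  profiling: true  },
  advertising: { needsConsent: true,  profiling: true  },
};

class ConsentRecord {
  constructor(requestHeaders = {}) {
    // Treat a DNT:1 request header as a standing objection to profiling.
    this.dnt = String(requestHeaders.dnt || requestHeaders.DNT || '') === '1';
    this.granted = new Map(); // purpose -> { at, noticeVersion }: the evidence
  }
  // Consent counts only if it was an affirmative action and can be proved, so
  // the record keeps when it was given and which notice text was shown.
  grant(purpose, { affirmative, noticeVersion, at = Date.now() }) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    if (!affirmative || !noticeVersion) return false; // implied or unprovable
    this.granted.set(purpose, { at, noticeVersion });
    return true;
  }
  // Withdrawing is one call per purpose: as easy as giving it.
  withdraw(purpose) { return this.granted.delete(purpose); }
  allows(purpose) {
    const p = PURPOSES[purpose];
    if (!p) return false;                      // unknown purpose: refuse
    if (!p.needsConsent) return true;          // strictly necessary
    if (p.profiling && this.dnt) return false; // DNT:1 objection wins
    return this.granted.has(purpose);
  }
}

// Keep only the Set-Cookie entries whose declared purpose the visitor has
// validly consented to (or that need no consent); untagged cookies are dropped.
function filterSetCookie(consent, cookies) {
  return cookies
    .filter((c) => c.purpose && consent.allows(c.purpose))
    .map((c) => `${c.name}=${c.value}; ${c.attrs}`);
}

// Constructed sample cookies for the demo.
const SAMPLE_COOKIES = [
  { name: 'sid',   value: 'abc123', attrs: 'Path=/; Secure; HttpOnly', purpose: 'necessary' },
  { name: 'theme', value: 'dark',   attrs: 'Path=/; Secure',           purpose: 'preferences' },
  { name: '_ga',   value: 'GA1.x',  attrs: 'Path=/; Secure',           purpose: 'analytics' },
  { name: 'junk',  value: '1',      attrs: 'Path=/' }, // no declared purpose
];
```

With a DNT:1 request, even an explicitly granted analytics purpose stays blocked, while the necessary session cookie and a consented preferences cookie still go out.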

10 What do you need to do to make sure you are compliant…
Summary of what to do about Personal Data:
- Identify what items of data you process
- Determine the legal basis for processing each item of data
- Sort out your consent processes (get re-consent if you have to)
- Erase data that you shouldn’t have or don’t need

Summary of what to do about Transparency:
- Data protection policy and/or statement
- Privacy notices – s, documents, website cookies etc.
- Access requests – reveal, amend, update, restrict and/or delete

11 The “must do’s” of Cyber Security…
Compliance Training.
Risk Assessment: what information or data, if it was tampered with, would put you at risk of reputational or financial loss?
Penetration Testing: ask a hacker to attempt to get at that “risky” data to see what vulnerabilities exist at a point in time.
Security Monitoring: set up ongoing monitoring to check if that “risky” data is threatened or becomes vulnerable over time.
Best Practice Framework: use the UK Government’s Cyber Essentials Scheme to demonstrate you are securing your business.
Other Products & Services: how do you know what offerings are right for your business unless you have done the 3 “Must Do’s” first?

12 How to demonstrate your commitment to information security and data protection…
IT Systems – Cyber Essentials Scheme (68 questions): Firewalls, Configuration, Patches, Malware, User Accounts. The Government wants every company in the UK to be Cyber Essentials Certified by 2020.
IT Processes – IASME (80 questions): Data Assets, Risk Assessment, People, Policy, Disaster Recovery. Internationally recognised alternative to ISO27001 for smaller businesses.
Personal Data – EU GDPR (27 questions): Legal Basis, Consent, Privacy Notices, Requests, Breach Reporting. Any company in the world holding personal data of a European Citizen must be compliant by 2018.

13 What do you need to do to make sure you are compliant…
Summary of what to do about Personal Data:
- Identify what items of data you process
- Determine the legal basis for processing each item of data
- Sort out your consent processes (get re-consent if you have to)
- Erase data that you shouldn’t have or don’t need

Summary of what to do about Transparency:
- Data protection policy and/or statement
- Privacy notices – s, documents, website cookies etc.
- Access requests – reveal, amend, update, restrict and/or delete

Summary of what to do about Cyber Security:
- Improve cyber security – make breaches much less likely
- Create incident response and data breach reporting processes
- Gain certifications which prove that you take cyber security seriously

14 Where can you find help?
www.southwalescyber.net – 400 People, 300 Organisations, 200 Cyber Companies
[Map of cluster locations, including Aberystwyth]
Meetings 2pm – 4pm, 3rd Tuesday / 3rd Thursday. FREE to join.

15 The EU General Data Protection Regulation – any questions?
But that’s just these examples… What about the rest?!?
Pervade Software – John Davies. Tel: (0) Mob: +44 (0) Website:
