INTRODUCTION TO GDPR 19/09/2018.


1 INTRODUCTION TO GDPR 19/09/2018

2 GENERAL DATA PROTECTION REGULATIONS: AN INTRODUCTION
- Background to the Regulations
- Timescale for change
- GDPR aims
- Key changes
- Actions to date
- Future plans
- Contacts and further information

3 GENERAL DATA PROTECTION REGULATIONS BACKGROUND
- UK Data Protection Act 1998 derives from EU Data Protection Directive 95/46/EC
- Data Protection Act now almost 20 years old
- Amendments and related law have been enacted, but fundamental review required
- Potential changes discussed at EU level for 4 years
- Reform consists of 2 instruments:
  - General Data Protection Regulations (GDPR)
  - Data Protection Directive (for police & criminal justice sector)

4 GDPR approved by European Parliament on 14 April 2016
- Entered into force on 25 May
- Will apply in UK (potentially with changes) from May 2018

5 GDPR AIMS
- To give citizens back control over their personal data
- To simplify the regulatory environment for business
- To create a modern and harmonised data protection framework across the EU
- Reform seen as ‘key enabler’ of Digital Single Market & EU Agenda on Security

6 GENERAL DATA PROTECTION REGULATIONS KEY CHANGES
- Fines – 2 tiers of fines for different offences, up to 20M EUR or 4% of global turnover
- Consent – more clearly defined, easier to withdraw, record keeping required
- Transparency – significantly more information to be provided where data are collected
- Right to be forgotten – new (limited) right for people to have their personal data erased without undue delay, controllers must also take reasonable steps to tell other controllers

7 GDPR KEY CHANGES
- Security – risk minimisation approach, move towards certification mechanisms
- Data Protection Impact Assessment – (Privacy Impact Assessment) required prior to high-risk processing
- Data breaches – ICO and affected individuals must be informed of significant breaches. ICO notification within 72 hours

8 GENERAL DATA PROTECTION REGULATIONS KEY CHANGES
- Data portability – (limited) right to receive personal data in interoperable format
- Subject Access Requests – no more fees, shorter 1 month timescale for response (exceptions apply to both)
- Data Protection Officer – required post, must have expert knowledge, be independent, report directly to ‘highest management’
- Record keeping – must maintain records of processing activities, inc. storing, sharing and transfers

9 GDPR AND DECISION TO LEAVE THE EU
- On 23 June 2016, the UK voted to leave the EU
- General view is: some short-term confusion, but GDPR will still apply (especially if UK remains a member of EEA)
- GDPR still applies to our processing of EU citizen data
- UK will still have powers to amend some parts of GDPR

10 GENERAL DATA PROTECTION REGULATIONS WHAT WE’RE ALREADY DOING
- Dedicating more SPC staff resource to improving data protection compliance across University:
  - Analysing the new legislation and its application to UEA
  - Mapping GDPR requirements to UEA work practices
  - Working with key contacts in departments & faculties
  - Identifying processing risks and opportunities
  - Identifying and reviewing privacy notices and data sharing agreements
  - Implementing standardised data breach investigations and Privacy Impact Assessments (PIAs)
  - Improving guidance and training materials

11 GENERAL DATA PROTECTION REGULATIONS FUTURE DEVELOPMENTS
- Monitor legislation developments and ICO guidance as published
- Achieve certification in amended data protection practitioner training
- Undertake data protection audits as appropriate
- Work with IT Security project to ensure identified personal data is appropriately secured

12 GENERAL DATA PROTECTION REGULATIONS CONTACTS AND FURTHER INFORMATION
- Telephone: x2431 or 3523
- Information Commissioner’s Office: reform/
- GDPR text (PDF): content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- European Commission data protection reform blog: protection/reform/index_en.htm
- All images sourced from Pixabay, CC0 Public Domain

