Presentation is loading. Please wait.

Presentation is loading. Please wait.

GDPR Road map to Compliance.

Published byEustace Harrison Modified over 5 years ago

Similar presentations

Presentation on theme: "GDPR Road map to Compliance."— Presentation transcript:

1 GDPR Road map to Compliance

2 Introducing David David Miller Partner T: 01332 226 466
E:

3 Purpose of the session To provide high level review of the legal framework around data protection Identify the key areas of the new data protection regime that you will need to comply with Help build a defensive shield against regulatory action and litigation Increase confidence that your policies and approach are in line with requirements

4 Data Protection Regime
Quick re-cap on basic principles of data protection which continue under the new regime Applies whenever personal data of a data subject is processed and imposes obligations on data controllers and data processors What is ‘data’? Information that is processed electronically Information that is recorded as part of a ‘relevant filing system’ which is a system of organising information that makes it easy to find - jotted notes do not constitute an organised filing system

5 What is personal data? What is covered? Personal data includes:
Any information that relates to an identifiable living individual and is processed as data Personal data includes: Name and address Date of birth address National Insurance Number

6 What is ‘sensitive’ personal data?
Sensitive personal data is information that relates to: Race & ethnicity Political opinions Religious beliefs Membership of trade unions Physical or mental health Sexuality Criminal offences

7 What is “Processing”? Collecting, storing, using, disclosing or destroying personal data

8 The Data Controller The person or organisation that decides what personal data should be processed, how it should be processed and why Can be more than one in relation to the same data

9 The Data Processor Someone who processes personal data on behalf of the data controller Examples include external payroll providers The obligation to comply with the Act is on the controller who must make sure that the processor processes data fairly and lawfully- under GDPR Data Processor has some direct obligations

10 The New Regime: UK implementation
UK will implement this as a new Data Protection Act, which will directly implement the GDPR to bring EU law into our domestic law... with a twist Three main objectives of the new Data Protection Act: Maintain public trust in how personal data is handled Ensure uninterrupted data flows between the UK and EU and globally for future purposes Maintain the ability to share, receive and protect data for security and law enforcement purposes following Brexit

11 What does the new landscape look like?

12 Data protection principles
Personal data must be: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; accurate and, where necessary, kept up to date;

13 Data protection principles
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

14 Rights of Data Subjects
Eight key rights of individuals Right to be informed (dealt with through data protection policies) Right of access to data – SARs Right of rectification of errors in personal data Right to erasure- right to be forgotten

15 Rights of Data Subjects
The right to restrict processing The right to data portability The right to object to processing Rights in relation to automated decision making

16 Subject Access Requests
Reduction in time from 40 calendar days to ‘within 1 month’ Free in nearly all cases (used to be £10) If you want to refuse a SAR, you will need to have policies and procedures in place to demonstrate why a refusal of a request meets your criteria Additional information needs to be provided to those making a SAR, including your data retention period and the right to have inaccurate data corrected.

17 Right to be forgotten In certain circumstances, individuals can request that the personal data is erased without undue delay – e.g. where they withdraw consent and no other legal ground for processing applies Must therefore inform third parties that data subject has requested erasure of any links to, or copies of, data

18 Data Portability This is essentially an enhanced form of subject access, and means that data must be provided in a commonly used, electronic format to enable the data subject to capture all their data and provide this to a third party

19 New and changed requirements
Privacy by design Pseudonymisation Data protection officers Data breach notification Data processor obligations ICO notification requirements Sanctions

20 Privacy by Design Privacy impact assessments:
Not of themselves completely new, but required under GDPR if: You are planning a new initiative which involves ‘high risk’ data processing activities – such as monitoring individuals, systematic evaluations or processing special categories of personal data

21 Pseudonymisation This new term refers to the technique of processing personal data without cross-referencing it with other information The further information must be kept separate and subject to ‘technical and organisational security measures’ so as to be sure that the data subject cannot be identified Pseudonymisation information is still a form of personal data, but GDPR promotes its usage to enhance privacy

22 Data Protection Officers
Must be appointed: where the processing is carried out by a public authority or body (irrespective of what data is being processed); where the core activities of the controller or the processor require regular and systematic monitoring of data subjects on a large scale; and where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

23 Data Breach Notification
Data controllers to notify data breaches to DPA without undue delay (within 72 hours of awareness)

24 Data Processors Data processors to have direct obligations:
implementing technical and organisational measures appointing a DPO (if required) Have a suitable contract in place

25 Notification Removal of requirement to notify but there will still be registration fees payable Emphasis now on data controllers to put in place effective procedures and carry out impact assessments (consider likelihood and severity of risk)

26 Sanctions Tiered approach on penalties for breach, enabling the DPAs to impose fines: Fines of up to 4% annual worldwide turnover (e.g. breaching the basic principles of processing data – obtaining consent) Fines up to 2% of annual worldwide turnover (depending on nature, and gravity of infringement – e.g. failure to implement appropriate technical and organisational measures to ensure that the level of security implemented, is appropriate to the risk)

27 Practical steps towards compliance
Carry out a GDPR Impact Assessment on your current practices to identify relevant data, networks and systems that need to be secure Develop a compliance plan…

28 Practical Steps to Compliance
The plan should cover: Data mapping – understanding your systems, create a record of what personal data you hold, where it came from and who it is shared with Review and update your Privacy/Data Protection Policies- Your data protection policy and privacy notices need to be specific to your business and need to be clear, setting out your legal basis for processing data, the length of data retention periods and an individual’s right to complain to the ICO.

29 Practical steps towards compliance
Privacy by design – ensure privacy is embedded into any new processing /product that is deployed to support the new risk-based approach to data protection Create a governance framework to put data security high on the board agenda and to create a management chain of accountability so processes and policies flow down and news of potential breaches flow up

30 Practical steps towards compliance
Accountability framework – monitor, review and assess your data processing procedures. Are staff trained to understand obligations? Conduct privacy impact assessments Rights of data subjects – be prepared for data subjects to access their rights (e.g. right to erase). Consider legitimate grounds for retention of personal data

31 Practical steps towards compliance
Legal basis – do you have a legitimate interest to process the data or do you need to obtain consent? Are your forms to obtain consent adequate? Is consent freely given, specific and informed? Obligations on suppliers - is your contractual documentation adequate? Who bears the costs of making changes to services to comply with the changes in law?

32 Practical steps towards compliance
Cross-border data transfers – with any international data transfers, you must show you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulations – fine up to 4% of annual turnover on failure to comply

33 Check list What personal data do you have? What do you do with it?
Do you have policies, technology and contracts to protect you? Are relevant people trained? Is someone ultimately responsible?

34 Thank You!

Download ppt "GDPR Road map to Compliance."

Similar presentations

Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.

Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Data Protection - Rights & Responsibilities Information Commissioner’s Office Orkney Practice Forum 4 th July 2007.

Data Protection - Rights & Responsibilities Information Commissioner’s Office Orkney Practice Forum 4 th July 2007.
Data Protection Act 1998. The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.

Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Key changes with the GDPR

Key changes with the GDPR
Accountability & Structured Privacy Management

Accountability & Structured Privacy Management
The future of data protection: General Data Protection Regulation

The future of data protection: General Data Protection Regulation

Similar presentations

Ads by Google