Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preparing for the EU General Data Protection Regulation

Published byEgbert Gray Modified over 6 years ago

Similar presentations

Presentation on theme: "Preparing for the EU General Data Protection Regulation"— Presentation transcript:

1 Preparing for the EU General Data Protection Regulation
Welcome to… Preparing for the EU General Data Protection Regulation Presented by Revd Mark James GDPRP I CIPP-E I CIPM I DPO I PCI-DSS I ISO27001 I Trainer I Prince2

2

3 Programme 80 Min overview to GDPR 10 min leg stretch 30 min Q&A

4 Overview Session – The Background

5 Background

6 Background 1950 European Human Rights 1995 EU DP Directive 95/46
1998 DPA – Live 2000 2016 The GDPR Regulation

7 Background Directive Regulation Uniformly applies
technologically neutral THE GENERAL DATA PROTECTION REGULATION will potentially repeal and replace THE DATA PROTECTION ACT 1998

8 GDPR Timeframe 2016 2017 2018 2019 March European Parliament votes on legislation March to April 2016 – Approved text is published 2 year transition period May 25th 2018 Becomes applicable May 2016 – Enters into force

9 How is the GDPR different to the EU Data Protection Directive?
Principles are very similar to EU Data Protection Directive However, the GDPR contains a number of changes including:  Enhanced documentation to be kept by data controllers Enhanced Privacy Notices More prescriptive rules on what constitutes consent Mandatory data breach notification requirement Enhanced Data Subject Rights New obligations on Data Processors Expanded territorial scope Appointment of Data Protection Officers Significant increase in the size of fines and penalties

10 Scope and Definitions under GDPR

11 The Objective Article 1 of the regulation sets out two key objectives
Protection of the fundamental rights and freedoms of individual persons , in particular, the protection of personal data Protection of the principle of free movement of personal data within the EU

12 What is personal data? According to GDPR…
‘Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

13 Examples of personal data
HR records address Person’s health data/other sensitive Employee bank details

14 What is a Data Subject? According to the Data Protection Act 1998 and GDPR… A natural living person’s who is the subject of personal data This does not include Deceased individuals An individual who cannot be identified or distinguished from others

15 What is a Data Subject? Examples: Employee / Volunteer Congregation
Parishioner

16 What is a Data Controller?
According to the Data Protection Act 1998… A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed According to GDPR… The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

17 What is a Data Processor?
According to the Data Protection Act 1998… Any person (other than an employee of the data controller) who processes the data on behalf of the data controller. According to GDPR… A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

18 What is Sensitive Personal Data?
Under GDPR, the term used is Special Categories of Personal Data… racial or ethnic origin political opinions religious or philosophical beliefs trade union membership physical or mental health or condition sex life or sexual orientation genetic data biometric data

19 The Data Protection Principles

20 6 Principles Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes Adequate, relevant and limited to what is necessary Accurate and, where necessary, kept up to date Retained only for as long as necessary Processed in an appropriate manner to maintain security Accountability

21 Transparency Identity and contact details of Data Controller
Purposes and legal basis If ‘legitimate interests’ used what those ‘legitimate interests’ are Retention period Individual rights under GDPR Whether a statutory or contractual requirement

22 The Purpose Limitation Principle
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

23 The Data Minimisation Principle
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Not hold more information than is needed for the purpose(s) notified

24 The Accuracy Principle
Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

25 The Storage Limitation Principle
Personal Data shall be kept no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods for archiving purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.

26 The Integrity and Confidentiality Principle
Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

27 The Integrity and Confidentiality Principle
Keep secure from unauthorised or unlawful processing , accidental loss or destruction, or damage What is ‘appropriate’? Give regard to: Technological development Cost of implementing the security measures Nature, scope and context of the information in question Harm that might result from improper use, or from accidental loss or destruction Cyber Security goes Hand in Hand with the GDPR

28 Legal Basis for Processing Personal Data

29 Legal basis for processing
At least one of the conditions set out in Article 6 (1) must be met in the case of all processing of Personal Data except where a relevant exemption applies.

30 Consent The data subject has given his consent to the processing.
Consent must be ‘freely given, specific, informed and unambiguous’. Consent must be given by – a statement of consent, or a clear affirmative action Pre-ticked boxes or implicit consent are not allowed Consent may be withdrawn at any time Onus on Data Controller to demonstrate consent was given

31 Consent Special categories of data require additional ‘explicit’ consent. These categories are extended by GDPR. This means data that are ‘particularly sensitive in relation to fundamental rights and freedoms’ and deserve specific protection. They include: racial or ethnic origin political opinions religious or philosophical beliefs trade-union membership genetic data biometric data Health sex life sexual orientation

32 Consent Parental consent is required for children using online services GDPR sets the age of consent at 16 in the UK currently

33 Necessary for a contract
The processing is necessary – for the performance of a contract to which the data subject is a party; or  for the taking of steps at the request of the Data Subject with a view to entering into a contract Likely to be interpreted very narrowly

34 Legal obligations The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract

35 Vital interests The processing is necessary in order to protect the vital interests of the data subject or another person where the data subject is incapable of giving consent.

36 Public interest The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

37 Legitimate interests The processing is necessary for the purposes of legitimate interests pursued by Data Controller or Third Party except where overridden by Data Subject interests, rights and freedoms

38 Legal basis for processing
Under GDPR, the requirement to have documentary evidence of your legal basis for processing is significantly enhanced You must be able to demonstrate that comprehensive data protection compliance programmes, with policies, procedures and compliance infrastructure are in place You have risk assessed high risk data flows EU DPAs will have the right to audit

39 Rights of the Data Subject

40 Data Subject Rights Access Rectification
Erasure (‘Right to be forgotten’) Restriction of processing Portability Object to processing Automated decision making, including profiling Compensation

41 Access A fee is no longer payable for subject access requests
Information must now be supplied within 1 month Can include opinions, voice recordings and manual records Very few exemptions

42 Rectification An individual has the right to have inaccurate data rectified without undue delay Source of issue needs to be investigated Each case must be judged on its merits

43 Erasure (‘Right to be forgotten’)
The ‘right to be forgotten’ Individuals will have the right to request that businesses delete their personal data in certain circumstances Examples Withdrawal of consent when consent was basis of collection No longer necessary for purposes collected No overriding legitimate grounds Each case must be judged on its merits May involve notifying third parties

44 Restriction of processing
An individual has the right to obtain a restriction of processing when: Accuracy is contested Processing is unlawful but individual opposes deletion and requests restriction instead Data no longer needed by Data Controller but individual requires it for establishment, exercise or defence of legal claims Pending a right to object action

45 Data Portability The right to Data Portability
Individuals will have the right to obtain a copy of their personal data from the controller in a commonly-used format and have it transferred to another controller

46 Object to processing An individual has the right to object to processing on the basis of their particular situation, including profiling ‘Profiling’ is defined broadly and is likely to include most forms of online tracking and behavioural advertising Data Controller is obliged to consider the request but not necessarily comply Data Controller must respond with justifications for decision An individual has the right to object to direct marketing

47 Automated decision making, including profiling
Individuals have the right to object to significant decisions, including profiling, made solely by automated means Exceptions: Necessary for entering into or performance of contract Authorised by Union or Member State Law Individual’s explicit consent

48 Compensation Individuals have a right to claim compensation for damages caused by infringement of the Regulation from the Data Controller or Data Processor

49 International Data Transfers

50 What constitutes a transfer of Personal Data?
Personal Data is considered to be ‘transferred’ across borders when: It is physically transferred across borders OR It is accessed across borders Example: Support agent in India who is given access to a physical device located in UK which contains Personal Data is considered a ‘transfer’ by EU Data Protection Authorities

51 What constitutes a transfer of Personal Data?
Adequate Countries Outside the EEA Andorra Argentina Canada Switzerland Isle of Man Jersey New Zealand Uruguay Faroe Islands Guernsey Israel US if company signed to Safe Harbour/Privacy Shield

52 Preventing or Managing Data Breaches

53 What is a data breach? The GDPR contains a definition of a data breach, which was not present in the preceding legislation. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

54 When can a data breach occur?
Loss or theft of data or equipment on which data is stored Inappropriate access controls allowing unauthorised use Equipment failure Human error Unforeseen circumstances such as a fire or flood Hacking attack Blagging’ offences where information is obtained by deceiving the organisation who holds it

55 Data Breach Notification
When a data breach occurs… Notify appropriate Supervisory Authority Where feasible within 72 hours Unless breach is unlikely to result in risk to individuals Requirement to notify individuals if breach is likely to result in high risk to the individuals affected

56 Appointment of Data Protection Officers
Organisations must appoint a data protection officer (DPO) where: They are a public authority or body The core activities of the controller or processor require regular and systematic monitoring of individuals on a large scale The core activities of the controller or processor include processing special categories of data on a large scale, including data relating to criminal convictions and offences; or Required by Member State law

57 Penalties and enforcement
For (mainly) a breach of record keeping, contracting and security clauses maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater For (mainly) a breach of the basic principles, Data Subject rights, transfer to third countries, non-compliance with an EU DPA order maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater EU DPAs intend to co-ordinate their supervisory and enforcement powers across the Member States

58 Stretch your legs

59 What Next

60 Data Mapping Process Name Describe process Volume of data
Location of data Classification (Employee / Student) Data Type Purpose (why) Risk Owner Retention Period Disposal Who has access Is their an external 3rd party? Union Officials work very independently, sometimes not even sharing confidential information with colleagues. So, who is the data controller? The Union or the Official? Legal Basis Controller / Processor Perceived risks Sensitivity type. High-Risk or not

61 Risk Assessment (PIA’s)
The Risk The Observation Remediation Union Officials work very independently, sometimes not even sharing confidential information with colleagues. So, who is the data controller? The Union or the Official?

62 Documentation / Training
Data Protection Policy Training Policy Subject Access Request Procedure Retention of Records Procedure Privacy Impact Assessment Procedure Breach Notification Procedure Consent Procedure Managing Sub Contract Processing Subject Access Request Form Data Protection Policy Review Procedure Access Control Policy Storage Removal Procedure Union Officials work very independently, sometimes not even sharing confidential information with colleagues. So, who is the data controller? The Union or the Official? External Parties - Information Security Procedure Collection of Evidence Procedure Third Party Contracts Fair Processing Notice Register

63 High Level Plan Apr May June High Level Training Mid tier Training
Grass roots Training Map data processes High Level DIA’s Sign off DIA’s Identify UK Processors Contact Processors Gather Processor evidence Identify Int. Processors Review Contracts Provide / receive revised contracts Identify existing policies Review Policies Sign off on new or amended Policies Review IT Infrastructures, focus on risks . Review security Policies / focus Privacy by design Documentation Review 2018 / 19 strategy - Processing Personal data. Understand the Impact of strategy in line with Map… Review and agree strategy Union Officials work very independently, sometimes not even sharing confidential information with colleagues. So, who is the data controller? The Union or the Official?

64 Guidance UK ICO has already produced ‘Preparing for the General Data Protection Regulation’ 11 page guide Available from UK ICO website

Download ppt "Preparing for the EU General Data Protection Regulation"

Similar presentations

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Data Protection Act 1998. The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.

Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
© University of Reading 2007 www.reading.ac.uk/data_protection Lee Shailer 06 June 2016 Data Protection the basics.

© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.

Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Key changes with the GDPR

Key changes with the GDPR
The future of data protection: General Data Protection Regulation

The future of data protection: General Data Protection Regulation
Issues of personal data protection in scientific research

Issues of personal data protection in scientific research
General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Similar presentations

Ads by Google