General Data Protection Regulation
Dr Dean Eggitt BMedSci(Hons), MBChB, FRCGP, PGCME, FHEA, CIPP/E June 2018
Context
- European law, applicable to identifiable natural persons of Europe
- Ratified April 2016
- Enforceable from 25th May 2018
- Designed to give data subjects control over their personal data
What is personal data?
- Information relating to an identifiable natural person
Why should we care?
- Tier 1: 2% of annual turnover, or 10,000,000 euros
- Tier 2: 4% of annual turnover, or 20,000,000 euros
- Actual harm
- Reputational damage
What do we need to do?
- Implement appropriate technical and organisational measures in relation to the nature, scope, context and purpose of handling and processing of personal data.
- But, what does this mean?
Terminology
- Data Controller
- Data Processor
- Data Subject
Responsibilities of the Controller
- Practice according to the principles of private data processing
- Be registered with the ICO
- Appoint and use a DPO
- Create and use a data processing inventory
- Create, use and educate about privacy policies
- Create, use and advertise fair process notices
- Create and use data processing agreements
- Report data breaches
- Data Protection Impact Assessments
Principles of Data Processing
- Lawful, fair and transparent
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Privacy by design and by default
- "Accountability"
DPO (Data Protection Officer)
Necessary for:
- regular and systematic monitoring of individuals on a large scale.
- processing special categories of personal data on a large scale.
Uses:
- Creation, implementation, audit and education relating to privacy systems
- Prior to undertaking new high risk processing projects
- After a data breach
Data processing record
Data Processing Inventory for Data Controllers: demonstrate compliance with the Regulation
- Controller(s) name, contact details and DPO
- Purpose of processing
- Categories of data subjects and categories of personal data
- Categories of recipients
- International transfers of data
- Retention periods
- Security measures
Template at
Organisational policies
Privacy Policies:
- Have
- Use
- Educate
- Audit
Templates at
Fair process notices - 1: Fair Process Notices = Transparency
- Outward facing
- Easy to understand
- Controller(s) name, contact details and DPO
- Purpose AND legal basis of processing
- Recipients of data
- International transfers of data
- Retention periods
- Rights of the data subject
Templates at
Fair process notices - 2: Legal Bases for Processing of Personal Data
- Consent
- Contractual necessity
- Compliance with legal obligation
- Vital interests
- Public interests
- Legitimate interests
- Processing sensitive personal data....
Summary table at
Fair process notices - 3: Processing Sensitive Personal Data
- Explicit consent.
- Manifestly made public by the data subject.
- Necessary:
  - For employment law, or laws relating to social security and social protection.
  - To protect vital interests of the data subject (or another person) where the data subject is incapable of giving consent.
  - For legitimate activities of a charity or not-for-profit body, with respect to its own members, etc.
  - For establishment, exercise or defence of legal claims.
  - For reasons of substantial public interest where proportionate to the aim pursued and protects the rights of data subjects.
  - For medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services.
  - For reasons of public interest in the area of public health (e.g., ensuring the safety of medicinal products).
  - For archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards.
Fair process notices - 4: Rights of the Data Subject
- Transparent information
- Access
- Rectification
- Erasure
- Restrict processing
- Data portability
- Object
- Complaint
- Not be subject to automated decision-making
Subcontracting: Data Processing Agreement
- Unambiguous agreement between controller(s) and processor(s)
- Outlines permissions and limitations of data processing
- Shared accountability
Template at
Incident response: Data Breaches
- Contact DPO for advice.
- Enact organisational incident response protocols.
- Report to the UK ICO within 72 hours of becoming aware.
- Inform data subject(s), if high risk.
- Keep a register of data breaches.
Template at
High risk data processing: Data Protection Impact Assessments
- Structured assessment of issues related to processing personal data.
- Required prior to undertaking risky processing activities.
- Discuss with your DPO.
- Consider contacting the ICO prior to undertaking the activity.
Template at
Questions and comments
Doncaster Local Medical Committee, Masham Road, Cantley, Doncaster DN4 6BU