1. General Data Protection Regulation
Dr Dean Eggitt
BMedSci(Hons), MBChB, FRCGP, PGCME, FHEA, CIPP/E
June 2018

2. European law
Applicable to identifiable natural persons of Europe
Ratified April 2016
Enforceable from 25th May 2018
Designed to give data subjects control over their personal data
Context

3. Information relating to a identifiable natural person
What is personal data?

4. Why should we care? Tier 1 Tier 2 Actual harm Reputational damage
2% of annual turnover, or 10,000,000 euros
Tier 2
4% of annual turnover, or 20,000,000 euros
Actual harm
Reputational damage
Why should we care?

5. Implement appropriate technical and organisational measures in relation to the nature, scope, context and purpose of handling and processing of personal data.
But, what does this mean???
What do we need to do?

6. Data Controller
Data Processor
Data Subject
terminology

7. responsibilities of the Controller
Practice according to the principles of private data processing
Be registered with ICO
Appoint and use a DPO
Create and use a data processing inventory
Create, use and educate about privacy policies
Create, use and advertise fair process notices
Create and use data processing agreements
Report data breaches
Data Protection Impact Assessments
responsibilities of the Controller

8. Privacy by design and by default “Accountability”
Principles of Data Processing
Lawful, fair and transparent
Purpose limitation
Data minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
Privacy by design and by default “Accountability”

9. DPO Data Protection Officer Necessary
regular and systematic monitoring of individuals on a large scale.
processing special categories of personal data on a large scale.
Uses
Creation, implementation, audit and education relating to privacy systems
Prior to undertaking new high risk processing projects
After a data breech
DPO

10. Data processing record
Data Processing Inventory for Data Controllers
Demonstrate compliance with the Regulation
Controller(s) name, contact details and DPO.
Purpose of processing
Categories of data subjects and categories of personal data
Categories of recipients
International transfers of data
Retention periods
Security measures
Template at
Data processing record

11. organisational policies
Privacy Policies
Have
Use
Educate
Audit
Templates at
organisational policies

12. fair process notices - 1 Fair Process Notices = Transparency
Outward facing
Easy to understand
Controller(s) name, contact details and DPO
Purpose AND legal basis of processing
Recipients of data
International transfers of data
Retention periods
Rights of the data subject
Templates at
= Transparency
fair process notices - 1

13. fair process notices - 2 Legal Bases for Processing of Personal Data
Consent
Contractual necessity
Compliance with legal obligation
Vital interests
Public interests
Legitimate interests
Processing sensitive personal data….
Summary table at
fair process notices - 2

14. fair process notices - 3 Processing Sensitive Personal Data
Explicit consent.
Manifestly made public by the data subject.
Necessary
For employment law, or laws relating to social security and social protection.
To protect vital interests of the data subject (or another person) where the data subject is incapable of giving consent.
For legitimate activities of a charity or not-for-profit body, with respect to its own members, etc.
For establishment, exercise or defence of legal claims.
For reasons of substantial public interest where proportionate to the aim pursued and protects the rights of data subjects.
For medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services.
For reasons of public interest in the area of public health(e.g., ensuring the safety of medicinal products).
For archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards.
fair process notices - 3

15. fair process notices - 4 Rights of the Data Subject
Transparent information
Access
Rectification
Erasure
Restrict processing
Data portability
Object
Complaint
Not be subject to automated decision-making
fair process notices - 4

16. subcontracting Data Processing Agreement
Unambiguous agreement between controller(s) and processor(s)
Outlines permissions and limitations of data processing
Shared accountability
Template at
subcontracting

17. incident response Data Breeches Contact DPO for advice.
Enact organisational incident response protocols.
Report to the UK ICO within 72 hours of becoming aware.
Inform data subject(s), if high risk.
Keep a register of data breeches.
Template at
incident response

18. High risk data processing
Data Protection Impact Assessments
Structured assessment of issues related to processing personal data.
Required prior to undertaking risky processing activities.
Discuss with your DPO.
Consider contacting the ICO prior to undertaking the activity.
Template at
High risk data processing

19. Questions and comments
Doncaster Local Medical Committee
Masham Road
Cantley
Doncaster
DN4 6BU
Questions and comments