
GDPR Session 3 2018.

Presentation on theme: "GDPR Session 3 2018."— Presentation transcript:

1 GDPR Session 3 2018

2 ICO – Preparation – the 12 steps
03/06/2019 STEP 1 – Awareness “You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”

3 Step 2 - Information you hold
“You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.”

4 The Information Audit
Principle 1 requires that you process all personal data lawfully, fairly and in a transparent manner. See Handout 1. Processing is only lawful if you have a lawful basis under Article 6. See Handout 2. An Excel spreadsheet can be used to record the information.

5 Recommended: Information and Records Management Society Retention Guidelines for Schools
The following link to the records management society re retention provides a starter for ten. %20Retention%20Schedule_Nov15.pdf
Action – review and see what is relevant to your school, and begin to assign owners to each dataset.

6 STEP 3 – Communicating privacy information
“You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.”

7 The Privacy Notice (handouts 3 & 4)
See the ICO website for: A checklist: A copy of a Code of Conduct: A Data Sharing Code of Conduct:

8 Processing of special categories of personal data – Article 9
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be PROHIBITED.

9 Article 9 UNLESS one of ten exemptions applies. See – Gov.uk model documents; e.g. Handout 5

10 STEP 6 – Lawful basis for processing personal data
“You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.”

11 STEP 6
Step 1 – the information audit – will include identifying the lawful basis upon which you are collecting personal data; Step 3 looks at communicating your privacy notices (including Article 9). Together these complete Step 6.

12 Review your contracts with suppliers
Check and update relevant contracts. Check the data protection clauses in all existing contracts that will still be live when the GDPR comes into force. They need to reflect the GDPR requirements. You will have to include certain information in contracts with suppliers (such as insurers, payroll and school club providers) where the school passes data to them, and they receive and store it.

13 Carry out due diligence on any existing suppliers which hold personal data
Ask suppliers:
What action are they taking to prepare for GDPR?
What technical and organisational security measures do they have in place to protect data?
What policies and procedures do they have in place?
How secure are their systems?
Do they have any information management accreditation?
You could send a letter or questionnaire including these questions to all your suppliers. We will look at creating a template letter.

14 STEP 4 - Individuals’ rights
“You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.”

15 The GDPR includes the following rights for individuals:
the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.

16 STEP 5 - Subject access requests (SAR)
“You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.”

17 SAR In most cases you will not be able to charge for complying with a request. You will have a month to comply, rather than the current 40 days. You can refuse or charge for requests that are manifestly unfounded or excessive. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.

18 Step 4 and 5
Think about whether you have established processes for people requesting access to their own information. For example:
How can requests be made;
Who will be the responsible officer;
Holiday cover;
How will you check the requester is who they say they are;
Redaction.
NB – Data incident v Data breach

19 DfE – Template Data Protection Policy
Handout 6 Department for Education: Template for Data Protection Policy - Department of Education and

20 LTS – the story so far
Click on: • Services • Governor Development Service • Browse Our Resources (right hand side menu) and select GDPR

21 Thank you for attending
