Overview General Data Protection Regulation (GDPR) 26th September 2017 Indi Viknaraja
GDPR So what is it?
The Data Protection Bill was introduced into the House of Lords on 13 September 2017. It will replace the Data Protection Act 1998 and implement the EU General Data Protection Regulation (GDPR).
So who regulates the GDPR in this country?
The Information Commissioner’s Office The UK’s independent body set up to uphold information rights Enforce and regulate freedom of information and data protection laws Provide information and advice Promote good practice
Regulation Applies across the EU Directive Implemented locally
Do Governors work with personal data? Examples: Pupil learning and progress -pupil applications, admissions, attendance, and exclusions Staff deployment, absence, recruitment, retention, morale, and performance The quality of teaching
DEFINITIONS
personal & special categories data Any information relating to an identified or identifiable natural person ‘data subject’ = identifiable person who can be identified by an identifier such as a name, address, an identification number, location data, online identifier or To one or more factors specific to a person’s physical, health, psychological, genetic, mental, economic, cultural or social identity personal & special categories data
Principles The 8 DPA principles are replaced by 6 GDPR principles which are broadly similar but more detailed and include the addition of the ‘Accountability’.
RIGHTS
Data Subjects rights have been broadened
GDPR Data Controller Data Processor Decides how and why data processed Does as required under contract with controller
Other Key Changes Data Protection Privacy Impact Assessments Privacy by Design Data Protection Officer
Breaches A new requirement to report ‘High risk’ breaches: to the ICO and the relevant data subjects within 72 hours failure to notify a breach can result in a significant fine of up to 10 million euros Medium breaches of data protection are subject to administrative fines: whichever is higher of the following: up to 10,000,000 EUR up to 2 % of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking) Major breaches of data protection are subject to administrative fines: up to 20,000,000 EUR up to 4 % of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking) The Data Subject is at the centre of claims for compensation. The Data Controller must pay up front and then recoup from Data Processor where appropriate
Breaches £20,000,000 or 4% of turnover % applies only to private sector £10,000,000 or 2% of turnover AMONG OTHER THINGS Consent & other conditions Rights inc. subject access and fair processing International transfers Failure to have DPO Failure to report breaches Failure to do impact assessment
So what we need to do now! Increase awareness Training As a starting point we suggest governors: Visit the GDPR section on the ICO website Look at the ICO’s overview of the GDPR - a good place to start Look at the 12 steps to take towards compliance which the ICO has published Raise awareness of GDPR at all levels within their school At this moment in time the GDPR is still undergoing ‘change’. So we suggest Governors and Head teachers read the information to familiarise themselves with the requirements.