GDPR Road map to Compliance.

Presentation transcript:

GDPR Road map to Compliance

Introducing David
David Miller, Partner
T: 01332 226 466
E: david.miller@flintbishop.co.uk

Purpose of the session
- To provide a high level review of the legal framework around data protection
- Identify the key areas of the new data protection regime that you will need to comply with
- Help build a defensive shield against regulatory action and litigation
- Increase confidence that your policies and approach are in line with requirements

Data Protection Regime
- Quick re-cap on basic principles of data protection which continue under the new regime
- Applies whenever personal data of a data subject is processed, and imposes obligations on data controllers and data processors
What is 'data'?
- Information that is processed electronically
- Information that is recorded as part of a 'relevant filing system', which is a system of organising information that makes it easy to find; jotted notes do not constitute an organised filing system

What is personal data? What is covered?
Personal data is any information that relates to an identifiable living individual and is processed as data. Personal data includes:
- Name and address
- Date of birth
- Email address
- National Insurance Number

What is 'sensitive' personal data?
Sensitive personal data is information that relates to:
- Race and ethnicity
- Political opinions
- Religious beliefs
- Membership of trade unions
- Physical or mental health
- Sexuality
- Criminal offences

What is "Processing"?
Collecting, storing, using, disclosing or destroying personal data.

The Data Controller
- The person or organisation that decides what personal data should be processed, how it should be processed and why
- There can be more than one controller in relation to the same data

The Data Processor
- Someone who processes personal data on behalf of the data controller
- Examples include external payroll providers
- The obligation to comply with the Act is on the controller, who must make sure that the processor processes data fairly and lawfully; under GDPR the data processor also has some direct obligations

The New Regime: UK implementation
The UK will implement this as a new Data Protection Act, which will directly implement the GDPR to bring EU law into our domestic law... with a twist.
Three main objectives of the new Data Protection Act:
- Maintain public trust in how personal data is handled
- Ensure uninterrupted data flows between the UK and EU and globally for future purposes
- Maintain the ability to share, receive and protect data for security and law enforcement purposes following Brexit

What does the new landscape look like?

Data protection principles
Personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;

Data protection principles (continued)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Rights of Data Subjects
Eight key rights of individuals:
- Right to be informed (dealt with through data protection policies)
- Right of access to data (subject access requests, SARs)
- Right of rectification of errors in personal data
- Right to erasure (the right to be forgotten)

Rights of Data Subjects (continued)
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Rights in relation to automated decision making

Subject Access Requests
- Reduction in time from 40 calendar days to 'within 1 month'
- Free in nearly all cases (used to be £10)
- If you want to refuse a SAR, you will need to have policies and procedures in place to demonstrate why a refusal of a request meets your criteria
- Additional information needs to be provided to those making a SAR, including your data retention period and the right to have inaccurate data corrected

Right to be forgotten
- In certain circumstances, individuals can request that their personal data is erased without undue delay, e.g. where they withdraw consent and no other legal ground for processing applies
- The controller must therefore inform third parties that the data subject has requested erasure of any links to, or copies of, the data

Data Portability
This is essentially an enhanced form of subject access: data must be provided in a commonly used electronic format so that the data subject can capture all their data and provide it to a third party.

New and changed requirements
- Privacy by design
- Pseudonymisation
- Data protection officers
- Data breach notification
- Data processor obligations
- ICO notification requirements
- Sanctions

Privacy by Design
Privacy impact assessments are not of themselves completely new, but are required under GDPR if you are planning a new initiative which involves 'high risk' data processing activities, such as monitoring individuals, systematic evaluations or processing special categories of personal data.

Pseudonymisation
- This new term refers to the technique of processing personal data without cross-referencing it with other information
- The further information must be kept separate and subject to 'technical and organisational security measures' so as to be sure that the data subject cannot be identified
- Pseudonymised information is still a form of personal data, but GDPR promotes its usage to enhance privacy
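As an added illustration of the pseudonymisation technique described on this slide (example code written for this page, not part of the original presentation), the following splits constructed sample records into a working dataset keyed by an HMAC token and a separately held lookup table; the key, record fields and sample values are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample payroll records (not from the presentation); the first three
# fields are direct identifiers, the rest is the working data analysts need.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "ni_number": "QQ123456A", "department": "Finance", "salary": 41000},
    {"name": "Bob Example", "email": "bob@example.com",
     "ni_number": "QQ654321B", "department": "Finance", "salary": 38500},
]
DIRECT_IDENTIFIERS = ("name", "email", "ni_number")


def make_pseudonym(key: bytes, record: dict) -> str:
    """Derive a stable token from the direct identifiers with a keyed HMAC.

    The same subject always maps to the same token, so records can still be
    linked, but without the key the token can be neither reversed nor
    recomputed from a known name or email address.
    """
    subject = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    return hmac.new(key, subject, hashlib.sha256).hexdigest()[:16]


def pseudonymise(key: bytes, records: list[dict]) -> tuple[list[dict], dict[str, dict]]:
    """Split records into a working dataset and a separately held lookup table.

    The lookup table (token -> identifiers) and the HMAC key are the 'further
    information' that must be kept apart under technical and organisational
    measures; the working dataset on its own names nobody.
    """
    working, lookup = [], {}
    for rec in records:
        token = make_pseudonym(key, rec)
        attributes = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_id": token, **attributes})
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, lookup


def reidentify(lookup: dict[str, dict], working_record: dict) -> dict:
    """Rejoin one working record with its identifiers via the lookup table.

    This is why pseudonymised data is still personal data: whoever holds the
    separated information can identify the data subject again.
    """
    identifiers = lookup[working_record["subject_id"]]
    attributes = {k: v for k, v in working_record.items() if k != "subject_id"}
    return {**identifiers, **attributes}
```

In practice the key and lookup table would live in a separate, access-controlled system from the working dataset, which is what the slide's 'kept separate' requirement means operationally.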

Data Protection Officers
A DPO must be appointed:
- where the processing is carried out by a public authority or body (irrespective of what data is being processed);
- where the core activities of the controller or the processor require regular and systematic monitoring of data subjects on a large scale; and
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

Data Breach Notification
Data controllers must notify data breaches to the DPA without undue delay (within 72 hours of becoming aware).

Data Processors
Data processors now have direct obligations:
- implementing technical and organisational measures
- appointing a DPO (if required)
- having a suitable contract in place

Notification
- Removal of the requirement to notify, but there will still be registration fees payable
- Emphasis now on data controllers to put in place effective procedures and carry out impact assessments (consider likelihood and severity of risk)

Sanctions
Tiered approach on penalties for breach, enabling the DPAs to impose fines:
- Fines of up to 4% of annual worldwide turnover (e.g. breaching the basic principles of processing data, such as obtaining consent)
- Fines of up to 2% of annual worldwide turnover (depending on the nature and gravity of the infringement, e.g. failure to implement appropriate technical and organisational measures to ensure that the level of security implemented is appropriate to the risk)

Practical steps towards compliance
- Carry out a GDPR Impact Assessment on your current practices to identify relevant data, networks and systems that need to be secure
- Develop a compliance plan...

Practical Steps to Compliance
The plan should cover:
- Data mapping: understanding your systems; create a record of what personal data you hold, where it came from and who it is shared with
- Review and update your Privacy/Data Protection Policies: your data protection policy and privacy notices need to be specific to your business and need to be clear, setting out your legal basis for processing data, the length of data retention periods and an individual's right to complain to the ICO

Practical steps towards compliance
- Privacy by design: ensure privacy is embedded into any new processing or product that is deployed, to support the new risk-based approach to data protection
- Create a governance framework to put data security high on the board agenda and to create a management chain of accountability, so that processes and policies flow down and news of potential breaches flows up

Practical steps towards compliance
- Accountability framework: monitor, review and assess your data processing procedures. Are staff trained to understand obligations? Conduct privacy impact assessments
- Rights of data subjects: be prepared for data subjects to exercise their rights (e.g. right to erasure). Consider legitimate grounds for retention of personal data

Practical steps towards compliance
- Legal basis: do you have a legitimate interest to process the data, or do you need to obtain consent? Are your forms to obtain consent adequate? Is consent freely given, specific and informed?
- Obligations on suppliers: is your contractual documentation adequate? Who bears the costs of making changes to services to comply with the changes in law?

Practical steps towards compliance
- Cross-border data transfers: with any international data transfers, you must show you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulations; fine of up to 4% of annual turnover on failure to comply

Check list
- What personal data do you have?
- What do you do with it?
- Do you have policies, technology and contracts to protect you?
- Are relevant people trained?
- Is someone ultimately responsible?

Thank You!