Introduction to GDPR 09/11/2018
GENERAL DATA PROTECTION REGULATIONS: AN INTRODUCTION
- Background to the Regulations
- Timescale for change
- GDPR and Brexit
- GDPR aims
- Key changes
- Areas of uncertainty
- Contacts and further information
GENERAL DATA PROTECTION REGULATIONS
BACKGROUND
- UK Data Protection Act 1998 derives from EU Data Protection Directive 95/46/EC
- Data Protection Act now almost 20 years old
- Amendments and related law have been enacted, but fundamental review required
- Potential changes discussed at EU level for 4 years
- Reform consists of 2 instruments:
  - General Data Protection Regulations (GDPR)
  - Data Protection Directive (for police & criminal justice sector)
TIMESCALE FOR CHANGE
- GDPR approved by European Parliament on 14 April 2016
- Entered into force on 25 May 2016
- Will apply in UK (potentially with changes) from May 2018
GDPR AND BREXIT
- GDPR will still apply from May 2018, at least for the duration of the Article 50 process
- UK will still have powers to amend some parts of GDPR
- GDPR will still apply to our processing of EU citizen data
GDPR AIMS
- To give citizens back control over their personal data
- To simplify the regulatory environment for business
- To create a modern and harmonised data protection framework across the EU
- Reform seen as ‘key enabler’ of Digital Single Market & EU Agenda on Security
GENERAL DATA PROTECTION REGULATIONS
KEY CHANGES: Governance
- Accountability – need to be able to demonstrate compliance with main Principles (similar to DPA Principles) (Art. 5)
- Record Keeping – must maintain records of processing activities, inc. storing, sharing and transfers (Art. 30)
- Data Protection Officer – required post, must have expert knowledge, be independent, report directly to ‘highest management’ (Art. 37-39)
- Data sharing agreements – no longer just for Data Processors (Art. 28), ‘Joint controllers’ now covered (Art. 26)
- No more annual notification to ICO (Recital 89)
GENERAL DATA PROTECTION REGULATIONS
KEY CHANGES: Rights (1)
- Consent – more clearly defined, easier to withdraw, record keeping required (Art. 7)
- Right of Access – 30 (instead of 40) day response, no more £10 fees (exceptions apply) (Art. 15)
- Transparency – significantly more information to be provided where data are collected (Art. 12-14)
- ‘Right to be forgotten’ – new (limited) right for people to have their personal data erased without undue delay; controllers must also take reasonable steps to tell other controllers (Art. 17)
GENERAL DATA PROTECTION REGULATIONS
KEY CHANGES: Rights (2)
- Data Portability – limited right to have data provided in ‘structured, commonly-used and machine readable format’ (Art. 20)
- Automated decision making, including profiling – new rights and rules, designed to provide additional safeguards for people subject to decisions which produce ‘legal effects’ (Art. 21-22)
- Profiling = ‘Any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their: performance at work; economic situation; health; personal preferences; reliability; behaviour; location; or movements.’ (ICO GDPR overview)
KEY CHANGES: When things go wrong
- Fines – 2 tiers of fines for different offences, up to 20M EUR or 4% of global turnover (Art. 83)
- Data breaches – ICO and affected individuals must be informed of significant breaches. ICO notification within 72 hours (Art. 33)
GENERAL DATA PROTECTION REGULATIONS
KEY CHANGES: Privacy by Design
- Data Protection by Design and by Default – ‘general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities’ (ICO overview) (Art. 25)
- Risk minimisation approach – e.g. pseudonymisation, encryption, data minimisation, testing, ensuring systems can cope with new data subject rights (Art. 25 & 32)
- Data Protection Impact Assessment – (a.k.a. Privacy Impact Assessment) required prior to high-risk processing (Art. 35-36)
- Codes of Conduct – approved codes of conduct and certification mechanisms to demonstrate compliance (Art. 40-43)
(SOME) AREAS OF UNCERTAINTY
- Processing conditions applicable to UEA (no ‘legitimate interests’?)
- International data transfers – will depend on UK position
- National derogations – don’t yet know what Gov. plans to do
- Crime Directive, and what we can / cannot do with data on criminal offences
GENERAL DATA PROTECTION REGULATIONS
CONTACTS AND FURTHER INFORMATION
- Email: dataprotection@uea.ac.uk
- Telephone: x2431
- UEA Data Protection Reform webpage: http://bit.ly/2jXodsX
- Information Commissioner’s Office: http://bit.ly/22voBM1
- GDPR text (PDF): http://bit.ly/1TtxgbB

All images sourced from Pixabay, CC0 Public Domain