General Data Protection Regulation (GDPR)
Mandy E Peters, Legal Manager
Sailability Conference 2018

Presentation aims
- Overview of the GDPR
- How it applies to your organisation
- What your organisation needs to do
- Resources: where to get help
The GDPR
- New Data Protection law from 25th May 2018.
- Brexit does not affect the GDPR coming into effect, so you cannot ignore it.
- It applies to sailing clubs, class associations and recognised training centres.
- Fines for getting it wrong are huge!
Data Subject and Personal Data
- A data subject is an identifiable natural person.
- The GDPR applies to 'personal data', meaning any information relating to an identifiable living person who can be directly or indirectly identified, in particular by reference to an identifier.
- Examples: name, address, date of birth, phone number(s), email, birthplace.
Special Category Data
Types of sensitive personal information include, but are not limited to:
- Medical records
- Genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Religious or philosophical beliefs
- Trade union memberships
- Data for minors
- Health data
- Financial information
- Passport details
Processing Data
Processing data means: "Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
Data Controller / Data Processor
Data Controller
- Natural or legal person, e.g. individuals, organisations, unincorporated or incorporated bodies of persons.
- Responsible for determining the purposes and means of processing data.
- Responsible for taking appropriate technical and organisational measures for the protection of data subjects and their rights, and for demonstrating compliance with this.
Data Processor
- Natural or legal person (as above).
- Responsible for processing data on behalf of a Data Controller pursuant to a contractual relationship.
- Responsibilities under the GDPR are limited compared to those of Data Controllers.
- Responsible for processing in accordance with the data processing principles, protecting the rights and freedoms of data subjects, and demonstrating compliance with this.
The GDPR
Most, if not all, of the information you request on your membership application forms and event entry forms, and the information you collect from visitors, suppliers, staff and volunteers, will be personal data. This includes names, addresses, dates of birth, telephone numbers, e-mail addresses and emergency contact details. Information about health and disabilities is special category data (sensitive personal data), to which additional safeguards apply.
The 6 GDPR Principles
1. Lawful, fair & transparent
2. Purpose limitation
3. Relevant & limited
4. Accurate & updated
5. Retention
6. Security
The GDPR - Accountability
- The most significant addition to the law is the accountability principle.
- The GDPR requires you to show how you comply with the principles, for example by documenting the decisions you take about a processing activity.
- You will have significantly more legal liability if you are responsible for a breach.
- These obligations are a new requirement under the GDPR.
Lawfulness of Data Processing
Legal bases for processing:
- Required for performance of a contract
- Legitimate interests of the Data Controller
- To protect the interests of the Data Subject
- Legal obligation
- Data subject has given consent
- In the public interest
Key Changes
- The definition of personal data has been expanded.
- New rules/terminology around when and how you are permitted to process data: the "legal basis for processing".
- Opt-out/deemed consent can't be relied upon.
- New "right to be forgotten".
- Data subjects are entitled to much more information.
- Accountability: more documentation necessary in respect of policies/procedures.
- No longer a requirement to register with the ICO, but there may still be a cost.
- The fines may be substantial!
- Territorial scope: the GDPR extends to the processing of personal data of data subjects in the EU by a controller/processor who is not established or located in the EU, if they offer goods or services to data subjects in the EU or if they monitor the behaviour of data subjects where that behaviour takes place in the EU.
Getting Ready for The GDPR
- The GDPR is more extensive than the existing Data Protection Act. However, if you are already complying with the Data Protection Act you are likely to be well on the way to compliance with the GDPR.
- You should establish whether your current policies and procedures are suitable to comply with the GDPR. If not, you must alter them.
- Data life-cycle management is a team effort: governance drives policy, and the people responsible for specific areas ensure compliance.

Getting Ready for The GDPR
Do you know what information you have relating to your members / coaches / instructors / volunteers / employees / business contacts / visitors?
Why are you keeping it?
Steps to compliance
1. Prepare: know the GDPR / appoint a Data Protection Officer / create a working group
2. Audit: data / systems / policies
3. Analyse: policy updates / system changes / state of our data
4. Deliver: action plan / company-wide training
5. Manage: ongoing compliance / keeping up to date
Data Audit
Start with a review to assess:
- what personal data you hold
- whether you need it
- where it came from and the legal basis on which it was collected
- what you do with it and are planning to do with it (e.g. is it passed on to third parties?)
- where and how you store it
- when and how you destroy it
Keep a written record of this.
What is it likely to mean in practice (post audit)?
- Prune/de-personalise/get consent for existing personal data.
- Amend or create a privacy/data policy. It needs to cover: collection of data, using data, storing data, data retention periods, access to data (subject access requests), individuals' rights, and data breaches.
- Review governing documents (remove deemed consents).
- Adopt a process for consent changes/requests to be removed.
- Make sure you have written agreements in place (covering the prescribed areas) with those you share personal data with.
- Document everything!
It gives you an opportunity to make sure we're doing things right before the May 2018 deadline.
The GDPR – Individual's Rights
Right to be informed
Privacy notices, setting out:
- the legal basis upon which the data will be processed;
- how long the data will be retained;
- data subject rights, including how to make a data subject access request and how to request the deletion/rectification of data;
- if, and the extent to which, it will be transferred overseas/outside of the EEA, and the appropriate safeguards in place to protect it.
Right to be Forgotten (NEW)
A request to be forgotten can be made:
- when the use of the data is no longer necessary;
- when consent is withdrawn and there is no other legal basis for processing;
- when data has been unlawfully processed;
- to comply with legal obligations.
The GDPR – Individual's Rights
- Right of Access: subject access request (DP).
- Right to Rectification: data that is inaccurate/incomplete (DP).
- Right to Restrict: block/suppress the processing of personal data in certain circumstances.
- Right to Data Portability (NEW): obtain and use personal data for own purposes across different services under certain circumstances.
The GDPR – Individual's Rights
Right to Object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Rights relating to automated decision making, including profiling.
The GDPR – Insurance Cover
It is possible to obtain cyber insurance to cover data protection breaches and resultant fines. Cover is not currently incorporated as part of the RYA Club Policy with Arthur J Gallagher, although it is expected to be added as an optional extension in the near future; in the meantime it can be arranged separately.
Arthur J Gallagher contact: Ben Bennett, Tel: 01384 822279 or ben.bennett@ajg.com
The GDPR - Enforcement
- The GDPR will be enforced by the Information Commissioner (ICO).
- The ICO website (ICO.org.uk) contains useful information and is constantly being updated.
- The fines may be substantial!

The GDPR – Risk to Clubs
- The ICO is likely to be concerned with enforcing against larger organisations initially; however, smaller organisations still need to comply.
- Risk to clubs may come from disgruntled members reporting to the ICO.
The GDPR - Resources
Further information:
- We have produced Guidance on the GDPR, Subject Access Requests, Data Time Period for Clubs, a Data Audit Template, a Data Privacy Policy and suggested wording for Membership Application/Renewal Forms. These can be obtained from the Legal Team: Email legal@rya.org.uk, Tel 023 8060 4223.
- Information Commissioner's Office website; GDPR helpline: 0303 123 1113.