Introducing the General Data Protection Regulation 2016

Presentation transcript:

Introducing the General Data Protection Regulation 2016
Information Governance Support Service

Basic Concepts
- DPA – Data Protection Act 1998
- GDPR – General Data Protection Regulation 2016
- Personal Data – identifies a living individual
- Sensitive Personal Data – health, religion, sexuality, ethnicity
- Data Controller – decides how data is used and is accountable
- Data Processor – uses the data under instruction from the Data Controller
- Processing – anything you do with data

What – Why – When?
- Repeals Directive 95/46/EC (on which our own Data Protection Act 1998 was built).
- The Regulation is directly applicable and does not require any domestic law to be written; it must be implemented 'as is'.
- The current DPA is not fit for the digital age.
- Enters into force on 25th May 2018.

What is the key difference between DPA and GDPR?
- DPA: compliant until proven not to be.
- GDPR: must prove compliance from day 1.

Key Legislative Changes – Managing our Data
- Number of principles reduced.
- We must comply with any Code of Practice approved by the ICO.
- The ICO can provide an accreditation scheme.
- Public bodies and organisations with more than 250 staff must appoint a Data Protection Officer (DPO).
- Introduces child consent for information society services.

Key Legislative Changes – Managing our Data
Records of Processing Activities [Article 30]: this aligns to Article 5(2) and is the mechanism which requires organisations to evidence compliance with the GDPR.

Records of Processing Activity ('Privacy by Design' elements):
- Data flow mapping
- Information asset register
- Categories of data
- Recipients / subjects
- Legal basis / conditions for processing

Key Legislative Changes – Privacy by Design & Default
- Privacy Impact Assessments will have to be undertaken in some circumstances.
- Some changes to conditions for processing.
- Additions to Special Categories of Data.
- Data Subject Rights are increased and strengthened.
- Higher bar set for privacy notices and consent processes.

Key Legislative Changes – Privacy Notice
For GDPR compliance, add the following to the Data Protection Act requirements for Privacy Notices:
- The legal basis for the processing
- Contact details of the Data Protection Officer
- Automated decision-making, including profiling
- The right to withdraw consent at any time
- Whether provision of personal data is a statutory or contractual requirement
- The right to data portability, where applicable
- Transfers of personal data overseas

Key Legislative Changes – Privacy by Design & Default
Consent must be freely given, explicit, specific, informed and an unambiguous indication of wishes. It must be:
- requested using clear language
- intelligible
- accessible
- provided with the ability to withdraw
- provable that consent was given
- necessary

Consent will be required from a child aged 16 (UK law may lower this to 13) to process data in regard to information society services (online services).

New category of sensitive data (Special Categories): genetic data, biometric data.

Key Legislative Changes – Data Subject Rights
- The right to restrict processing
- The right to data portability
- Rights in relation to profiling
- Right to rectification
- Right to erasure

Key Legislative Changes – Data Subject Rights
Subject Access Rights (SARs) have been amended:
- Disclosure must now be within 20 working days.
- Can claim an extra 40 working days for complex or numerous SARs (but the requestor must be advised of this at the start of the process).
- Can't charge for a SAR.
- For 'manifestly unfounded' or excessive requests, particularly where they are repetitive, we are allowed to either:
  – refuse the request, explaining why, or
  – charge a reasonable amount for the SAR.
- It is no longer a requirement for requestors to advise where their data might be held (i.e. tell us which services they have received).

Key Legislative Changes – Data Protection Officer (DPO)
- All public bodies must appoint a DPO.
- This is a statutory position.
- Must be experienced and qualified to take on the role.
- Can be outsourced.

Key Legislative Changes – Security
Lauri Almond, Essex County Council, January 2017

DPA: states that organisations must apply appropriate organisational and technical security.

GDPR: states that consideration must be given to:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. [Article 32]
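As an added illustration of the first Article 32 measure, pseudonymisation (this is example code, not part of the original slides): the direct identifier is replaced with a keyed HMAC, and the re-identification table is handed back separately so it can be held apart from the working data. The record values, field names and key are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records (not real people); person_id is the direct identifier.
RECORDS = [
    {"person_id": "ID-0001", "postcode_area": "CM1", "diagnosis": "asthma"},
    {"person_id": "ID-0001", "postcode_area": "CM1", "diagnosis": "eczema"},
    {"person_id": "ID-0002", "postcode_area": "CM2", "diagnosis": "asthma"},
]


def pseudonymise(identifier, key):
    """Keyed HMAC-SHA256 of the identifier. Unlike a plain hash, the mapping
    cannot be rebuilt by hashing guessed identifiers without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key, id_field):
    """Replace id_field with a pseudonym. Returns the transformed records and
    the re-identification table, which must be stored separately from them:
    under GDPR Art. 4(5) the data stays personal data while that 'additional
    information' exists, so the table and key need their own access controls."""
    out, lookup = [], {}
    for rec in records:
        rec = dict(rec)                      # do not mutate the caller's data
        original = rec.pop(id_field)
        pseudonym = pseudonymise(original, key)
        lookup[pseudonym] = original         # held by the controller only
        rec["pseudonym"] = pseudonym
        out.append(rec)
    return out, lookup


def reidentify(pseudonym, lookup):
    """Only the holder of the separately stored table can reverse a pseudonym."""
    return lookup.get(pseudonym)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-secrets-store"
    recs, table = pseudonymise_records(RECORDS, key, "person_id")
    for r in recs:
        print(r)
    # Same person -> same pseudonym, so analysis can still link records.
    assert recs[0]["pseudonym"] == recs[1]["pseudonym"]
    # A rotated key yields unlinkable pseudonyms for a separate data release.
    assert pseudonymise("ID-0001", key) != pseudonymise("ID-0001", b"rotated-key")
```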

Key Legislative Changes – Outsourcing
- ROPA: Data Processors (i.e. third-party contractors) will now have specific legal obligations to maintain records of personal data and processing activities.
- Fines: where we can prove that a breach resulted from a processor not following our instructions, they will be held accountable for the breach and any resulting fine.
- Contracts: all contracts will need to be reviewed prior to 25th May 2018 to ensure contract provisions meet GDPR requirements, e.g.:
  – no sub-contracting without explicit consent of the Controller;
  – ability to disclose pursuant to a legal obligation on the processor (restricted to EU or member state).

Key Legislative Changes – Breaches
- A new requirement to report 'high risk' breaches to the ICO and the relevant data subjects within 72 hours; failure to notify a breach can result in a significant fine of up to 10 million euros.
- The Data Subject is at the centre of claims for compensation. The Data Controller must pay up front and then recoup from the Data Processor where appropriate.
- Medium breaches of data protection are subject to administrative fines of whichever is higher of: up to 10,000,000 EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking).
- Major breaches of data protection are subject to administrative fines of whichever is higher of: up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking).

Key Legislative Changes – Breaches

Medium failings (subject to €10,000,000 fine):
- Child consent
- Processing not requiring identification
- Data Protection by design & default
- Controllers & Processors
- Records of processing
- Security of processing
- Breach management
- Data Protection Impact Assessments (PIA)
- Data Protection Officer
- Codes of conduct & Certifications

Major failings (subject to €20,000,000 fine):
- Processing
- Consent
- Special categories of data
- Rights of the Data Subject
- General principle for transfers, adequacy decisions & derogations
- Non-compliance with investigative / corrective powers

Where do we start?
- Ensure you have an Information Asset Register.
- Map your data flows fully.
- Add any additional data required to convert the data to your Records of Processing Activity.
- Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, outsourcing, risk etc.).
- Appoint a DPO.
- Arrange training for staff (this must be refreshed annually to meet the requirements of the GDPR).
- Have a robust policy and process to manage security incidents.
- Seek support and guidance when needed.

Where can you get help?
- The next slide has links to the ICO website and relevant legislation.
- ECC's Information Governance Support service (IGS) has a range of services we can provide to support your implementation of the GDPR.
- Cluster to share costs.
- Use any other forums or Data Protection groups you may belong to for support.

Guidance on the GDPR can be found at:
- GDPR – Full Text: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
- ICO EU DP Reform Microsite: https://ico.org.uk/for-organisations/data-protection-reform/
- ICO 12 steps to preparing for the GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- Directive relating to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0680&from=EN

Question / Discussion Time