Preparing for the EU General Data Protection Regulation


Preparing for the EU General Data Protection Regulation. Presented by Revd. Mark James, Certified IBITGQ GDPR F & P, CIPP/E, CIPM, DPO & PCI DSS consultant (also a qualified ISO 27001 auditor).

Top 10 need-to-knows about GDPR. Not exhaustive, but a good start!

Top 10
1. Background to the GDPR
2. Scope and definitions
3. Personal data
4. Data subject, controller and processor
5. The key principles
6. Consent and documentation
7. Rights of the data subject
8. International data transfers
9. Data breaches
10. Data Protection Officer and fines

No. 1 Background to the GDPR

Background: where has it come from? The nature of European law. There are two main types of legislation:
- Directives, which each Member State must transpose into national law. European Directive 95/46/EC is a Directive; in the UK it was implemented by the Data Protection Act 1998.
- Regulations, which are immediately and directly applicable in every Member State. The GDPR is a Regulation; it applies from 25 May 2018. In the UK the supervisory authority is the Information Commissioner's Office (ICO). www.mojou.co.uk/

How is the GDPR different to the EU Data Protection Directive? The principles are very similar to those of the Directive; however, the GDPR contains a number of changes, including:
- Enhanced documentation to be kept by data controllers
- Enhanced privacy notices
- More prescriptive rules on what constitutes consent
- Mandatory data breach notification requirement
- Enhanced data subject rights
- New obligations on data processors
- Expanded territorial scope
- Appointment of Data Protection Officers
- Significant increase in the size of fines and penalties

No 2. Scope and Definitions under GDPR

Scope of GDPR. Designed to protect any natural person, i.e. a living individual (the data subject). It applies to the processing of personal data by controllers and processors established in the EU, and also to controllers and processors outside the EU where their processing activities relate to: offering goods or services to data subjects in the EU, irrespective of whether payment is required; or the monitoring of data subjects' behaviour within the EU.

No 3. Personal Data

What is personal data? ‘Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is sensitive personal data? Under GDPR the term used is "special categories of personal data":
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- physical or mental health or condition
- sex life or sexual orientation
- genetic data
- biometric data, where processed for the purpose of uniquely identifying a person
Data relating to criminal convictions and offences is not a special category but has its own, similar restrictions.

Examples of personal data:
- Online profile details
- A named business email address
- A person's health data
- Employee bank details

No 4. Processors & Controllers

What is a Data Controller? The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

What is a Data Processor? A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

No 5 The key Principles

Article 5: personal data shall be
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in a manner that ensures appropriate security
7. Accountability: the controller is responsible for, and must be able to demonstrate, compliance with 1 to 6

No 6 Legal Basis for Processing Personal Data

Article 7: conditions for consent. The following conditions apply:
- Controllers must be able to demonstrate that consent was given.
- Where consent is given in a written declaration that also covers other matters, the request for consent must be clearly distinguishable, intelligible, easily accessible and in clear, plain language; any part that does not comply is not binding.
- Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it.
- Consent is unlikely to count as freely given if performance of a contract is made conditional on consent to processing that is not necessary for that contract.
- Consent must be a clear affirmative act: ticking a box or choosing appropriate technical settings is valid, but pre-ticked boxes, silence or inactivity are not.

Other lawful bases (Article 6) include:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests of the individual
- A public task
- Legitimate interests of the controller or a third party

Article 13(1): information to be provided where personal data are collected from the data subject. When obtaining personal data, the controller shall provide the data subject with all of the following:
- the identity and contact details of the controller and, where applicable, its representative;
- the contact details of the data protection officer, where one is appointed;
- the purposes of the processing, as well as the legal basis for it;
- where processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country, and whether an adequacy decision exists or what appropriate safeguards are relied on.

No 7. Rights of the Data Subject

Individual rights: the eight rights of data subjects
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Article 13(2): when obtaining personal data the controller shall provide the data subject with the following further information to ensure fair and transparent processing:
- the period for which the data will be stored;
- the rights to rectification, erasure, restriction and objection;
- the right to data portability;
- the right to withdraw consent at any time;
- the right to lodge a complaint with a supervisory authority;
- the consequences of the data subject failing to provide the data;
- the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.
Article 17: right to erasure ("right to be forgotten"). Data subjects have the right to the erasure of their personal data.

Enhanced documentation. Ensure there are clear records of all data processing activities:
- Purposes of processing
- Categories of data subjects and personal data
- Transfers to non-adequate countries and the appropriate safeguards deployed
- General description of technical and organisational security measures
BUT: the requirement to notify (register with) EU data protection authorities will cease.

Article 12: transparency and modalities. The controller shall provide any information or communication relating to the data subject in a
- concise,
- transparent,
- intelligible and
- easily accessible form,
- using clear and plain language,
- in particular for any information addressed specifically to a child.
For subject access requests, the response period is reduced from 40 days (under the DPA 1998) to one month, extendable by a further two months for complex or numerous requests. The £10 fee is abolished; a reasonable fee may be charged only for manifestly unfounded or excessive requests.

Erasure ("right to be forgotten"). Individuals will have the right to request that businesses delete their personal data in certain circumstances. Examples:
- Withdrawal of consent, where consent was the basis of collection
- The data are no longer necessary for the purposes for which they were collected
- No overriding legitimate grounds for the processing
Each case must be judged on its merits, and erasure may involve notifying third parties to whom the data have been disclosed.

Automated decision making, including profiling. Individuals have the right not to be subject to a decision made solely by automated means, including profiling, which produces legal effects or similarly significant effects on them. Exceptions:
- The decision is necessary for entering into or performance of a contract
- The decision is authorised by Union or Member State law
- The individual has given explicit consent

Compensation. Individuals have a right to claim compensation for material or non-material damage caused by an infringement of the Regulation from the data controller or the data processor. A processor is liable only where it has not complied with the obligations specifically directed at processors or has acted outside the controller's lawful instructions.

No 8 International Data Transfers

What constitutes a transfer of personal data? Personal data are considered to be "transferred" across borders when:
- they are physically transferred across borders, OR
- they are accessed across borders (for example remote access or support from another country).

Transfer rules. Transfers of personal data are not restricted within the EU Member States (28 at the time of this presentation) plus the three EEA countries Iceland, Liechtenstein and Norway. Transfers of personal data to other countries are prohibited unless that country provides "an adequate level of data protection" as determined by the European Commission, or unless certain other conditions are fulfilled (e.g. appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the specific derogations).

Adequate countries outside the EEA (as at the time of this presentation; check the Commission's current list): Andorra, Argentina, Canada (commercial organisations), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay. US: only organisations self-certified under the EU-US Privacy Shield; Safe Harbour was invalidated by the CJEU in 2015, and Privacy Shield was itself invalidated in July 2020 (Schrems II), so transfers to the US now need another mechanism.

No 9 Preventing or Managing Data Breaches

What is a data breach? The GDPR contains a definition of a data breach, which was not present in the preceding legislation. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Appropriate security measures under GDPR (Article 32), taking into account the state of the art, cost and the risk to individuals:
- Pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore availability and access to personal data in a timely manner after an incident
- A process for regularly testing, assessing and evaluating the effectiveness of the measures
Inventory the data the measures must cover:
- Data items: name, address, email; health data, criminal records; biometrics, location data
- Formats: hard-copy paper records; digital (USB); database
- Transfer methods: post, telephone, social media; internal (within the group); external (data sharing)
- Locations: office; cloud; third party
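The slide names pseudonymisation and encryption as the first security measure, and the breach slides later in the deck turn on whether a lost dataset still identifies people. The following is an added example, not part of the presentation, showing why an unkeyed hash of an identifier is not pseudonymisation in the GDPR sense (the "additional information" needed to re-identify must be held separately and be unavailable to whoever gets the data), and how a keyed HMAC with the key kept apart from the dataset achieves it. The records, the candidate address list and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records for the demonstration; not real people.
RECORDS = [
    {"email": "alice@example.org", "condition": "asthma"},
    {"email": "bob@example.org", "condition": "diabetes"},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier.

    Looks anonymous but is NOT adequate pseudonymisation: e-mail addresses
    are guessable, so anyone holding the dataset can recompute the hash of a
    candidate address and match it (see reverse_by_guessing below).
    """
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' that must be stored separately
    from the pseudonymised dataset (e.g. in a KMS or HSM). Without it, a
    guessed address cannot be matched against the tokens.
    """
    msg = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[dict], key: bytes) -> list:
    """Replace the direct identifier with a token; keep the payload fields."""
    return [
        {"subject_id": pseudonymise(r["email"], key), "condition": r["condition"]}
        for r in records
    ]


def reverse_by_guessing(token: str, candidates: Iterable[str],
                        fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: run each candidate identifier through fn and look
    for a token match. Succeeds against naive_hash with no secret at all."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def lookup_subject(pseudo_records: list, email: str, key: bytes) -> list:
    """Controller-side re-identification for a subject access or erasure
    request: the key holder recomputes the token and selects matching rows."""
    token = pseudonymise(email, key)
    return [r for r in pseudo_records if hmac.compare_digest(r["subject_id"], token)]


if __name__ == "__main__":
    # Generated per deployment and never stored alongside the data.
    key = secrets.token_bytes(32)
    guesses = ["carol@example.org", "alice@example.org", "bob@example.org"]

    token = naive_hash("alice@example.org")
    print("naive hash reversed by guessing:",
          reverse_by_guessing(token, guesses, naive_hash))

    pseudo = pseudonymise_records(RECORDS, key)
    print("HMAC token reversed without the key:",
          reverse_by_guessing(pseudo[0]["subject_id"], guesses, naive_hash))
    print("rows for Alice, found by the key holder:",
          lookup_subject(pseudo, "Alice@Example.org", key))
```

The practical consequence for the breach slides: if the pseudonymised table leaks but the key does not, the exposure is limited to condition values with no usable identifier, which is exactly the kind of fact that feeds the "unlikely to result in a risk to individuals" judgement. If the key is stored in the same database or backup, the data are identifiable and that argument is gone.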

Privacy impact assessments (called data protection impact assessments, DPIAs, in the GDPR). A PIA is an assessment undertaken to identify potential areas of non-compliance and to minimise the risk to individuals. Under GDPR a PIA must be carried out before beginning any new processing likely to result in a high risk to individuals, e.g. large-scale processing of special category data, or systematic profiling or monitoring. A PIA should include, as a minimum:
- A description of the processing activity and its purpose
- An assessment of the necessity and proportionality of the processing
- An outline of the risks to individuals and the measures taken in response
- The formal advice of the DPO, if one is appointed
If a high residual risk remains after mitigation, the controller must consult the relevant supervisory authority before starting the processing.

Data breach notification. When a personal data breach occurs:
- Notify the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if later, give reasons for the delay.
- Notification is not required if the breach is unlikely to result in a risk to individuals, but the breach must still be recorded internally.
- Notify the affected individuals without undue delay if the breach is likely to result in a high risk to them. This is not required where the data were rendered unintelligible to unauthorised persons, e.g. by encryption with a key that was not compromised.
- Processors must notify their controller without undue delay after becoming aware of a breach.

No. 10 DPO & Fines

Appointment of Data Protection Officers. Organisations must appoint a data protection officer (DPO) where:
- They are a public authority or body
- The core activities of the controller or processor require regular and systematic monitoring of individuals on a large scale
- The core activities of the controller or processor include large-scale processing of special categories of data, or of data relating to criminal convictions and offences; or
- It is required by Member State law

Penalties and enforcement
- For (mainly) breaches of the record keeping, contracting and security obligations: a maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater.
- For (mainly) breaches of the basic principles, data subject rights, transfers to third countries, or non-compliance with an order of a data protection authority: a maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater.
EU data protection authorities intend to coordinate their supervisory and enforcement powers across the Member States.

360 Review - Stage 1: Gap analysis and data discovery. Use the Article 5 principles to review and plan data discovery.
Principle 1 (lawfulness, fairness, transparency): How are data subjects made aware of the processing? How are staff trained on updates, and how do you ensure data are processed lawfully? Review the data subject's right of access: is there a defined subject access process? How are individuals making a request identified? How is the information located? How is it provided to the individual? Review data transfers: are data sent outside the EU? Where are the data and how are they stored? Review data processors: what is the contract initiation process (e.g. supplier risk assessment)?
Principle 2 (purpose limitation): Uses of personal data within the organisation; how are the data used?
Principle 4 (accuracy): How is the accuracy of the data maintained (how and when are they updated)?
Principle 5 (storage limitation): What are the criteria for determining the retention period?
Principle 6 (security) and accountability: Is there a data protection policy? How is it enforced?
360 Review stages: gap analysis; data discovery; risk assessment; data flow mapping; evaluate; document processes; train / deploy; monitor; DPO.

Risk process: identify, analyse, evaluate, treat; with communication and consultation throughout, and monitoring and review of the outcome.

Data mapping. For each process record:
- Process name and description
- Volume of data
- Location of data
- Classification (e.g. employee / student)
- Data type and sensitivity; special category or not; high risk or not
- Purpose (why the data are processed)
- Legal basis
- Controller / processor role
- Risk owner and perceived risks
- Retention period and disposal method
- Who has access
- Is there an external third party?

Risk assessment (PIAs): columns for the risk, the observation and the remediation. Example observation: union officials work very independently, sometimes not even sharing confidential information with colleagues. So who is the data controller, the union or the official?

Documentation / training
- Data Protection Policy
- Training Policy
- Subject Access Request Procedure
- Subject Access Request Form
- Retention of Records Procedure
- Privacy Impact Assessment Procedure
- Breach Notification Procedure
- Consent Procedure
- Managing Sub-contract Processing
- Data Protection Policy Review Procedure
- Access Control Policy
- Storage Removal Procedure
- External Parties - Information Security Procedure
- Collection of Evidence Procedure
- Third Party Contracts
- Fair Processing Notice Register

High level plan (February to April)
- Training: high level, mid tier, grass roots
- Map data processes; high level DIAs; sign off DIAs
- Identify UK processors; contact processors; gather processor evidence
- Identify international processors; review contracts; provide / receive revised contracts
- Identify existing policies; review policies; sign off on new or amended policies
- Review IT infrastructure, focusing on risks; review security policies, focusing on privacy by design
- Documentation review
- Review the 2018/19 strategy for processing personal data; understand the impact of the strategy in line with the data map; review and agree the strategy

Guidance. The UK ICO has already produced "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now", an 11-page guide available from the ICO website, ico.org.uk.

The not so good news: issues identified.

The better news: what the goal is.

The good news: the proposal.