General Data Protection Regulation (GDPR) Kate Belinis CDA Herts East Herts Village Halls Conference 05 December 2017 Little Hadham Village Hall
What is it?
New European legislation (replacing the existing European Directive 95/46/EC). It will apply from 25 May 2018!
Overview:
- Same basic principles as current Data Protection law
- Accountability
- New rights for individuals and strengthening of existing rights
- Breach reporting
- Data Protection Impact Assessments
- Higher penalties for non-compliance
Preparing for this: 12 steps
1. Awareness: ensure decision makers and key people are aware. They need to appreciate the impact.
2. Information you hold: document what personal data you hold, where it came from and who you share it with. You will need an information audit.
3. Communicating privacy information: review your current privacy notices and put a plan in place for making any necessary changes in time for implementation.
4. Individuals' rights: check procedures to ensure rights are covered, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests: update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Legal basis for processing personal data: look at the various types of data processing you carry out, identify your legal basis for doing this and record it.
Preparing for this (continued)
7. Consent: review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children: start thinking now about putting systems in place to verify individuals' ages and to gather parental/guardian consent.
9. Data breaches: ensure you have the right procedures to detect, report and investigate a personal data breach.
10. Data Protection by Design and Impact Assessments: familiarise yourself now with guidance from the ICO and work out how and when to implement them.
11. Data Protection Officer: designate someone to take responsibility and assess where this role will sit within your structure and governance.
12. International: if you operate internationally, determine which data protection supervisory authority applies.
Where do I start?
- Governing body and management team
- Responsibility of the designated Officer
- What personal information is held? Carry out an Information Audit:
  - Overview
  - How is it collected?
  - Where is it stored?
  - Who has access?
  - How is it shared?
Legal basis for processing
ICO due to issue guidance: GDPR lawful processing (Article 6, Section 1)
- Consent
- Contractual obligation
- Legal obligation
- Protect a person
- In the public interest
- Legitimate interests of the controller
But currently it is either: Consent or Legitimate interests.
NOTE: when personal data is SHARED or Sensitive Personal Data is COLLECTED, the Individual must explicitly CONSENT to processing of Personal
Review of Consent processes
- Fair Processing Notices
- People must opt in
- Recording and managing consent
- Fair Processing Notice for children under 16
Individuals' Rights
- Right to Access
Accountability principle: YOU need to show
- Maintaining relevant documentation
- Privacy Impact Assessments
- Breach notification
References
- Overview of GDPR: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr
- Fair Processing Notices Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/
- Consent Guidance (includes checklist): https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
- Conducting Privacy Impact Assessments Code of Practice: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
Resources
- Information Commissioner's Office, guidance and templates: https://ico.org.uk
- GDPR myth-busting blogs: https://iconewsblog.org.uk/tag/gdprmyths/
Thanks to Sefton CVS for this information and presentation.