The General Data Protection Regulations 2016

Presentation transcript:

The General Data Protection Regulations 2016 Autumn 2017

General Data Protection Regulation Session 1 By Kristie Marshman Policy & Assurance Team Leicestershire County Council

06/05/2019
What is the GDPR?
- Replaces our current Data Protection Act 1998 on the 25th May 2018.
- Takes the current legislation and adds considerable obligations in respect of accountability, transparency and data subjects' rights.
- Legally requires privacy to be embedded into all organisations that process personal data, through the very core of their operations. This means it is at the heart of every decision or project.
- Requires the data controller to be able to demonstrate compliance with the GDPR at a visible level in some instances and at request in all others.
- Introduces monetary penalty notices of substantial amounts, but more importantly widens the scope of where those penalties can be applied.

What changes does the GDPR bring?
Accountability
- Being able to demonstrate compliance, some of which will need to be published online or reported to the ICO. What does this mean?
- Outside of this requirement, the data controller would need to produce compliance evidence at any time. In what circumstances?

Examples of some of the types of evidence required:
- Data protection policies, procedures and guidance
- Data protection training materials and records
- Information asset registers
- Information audits and reports
- Data subjects' rights procedures
- Data protection impact assessments
- Contract compliance
- Consent recording
- Information security standards

What changes does the GDPR bring? Cont.
Data Subjects' Rights – Some of these exist under our current Act; others are introduced for the first time in the GDPR. All rights will have a legal deadline of 1 month for the organisation to respond to a request for information.
Fair Processing Notices/Privacy Notices
- Information to be provided where personal data is collected from the data subject
- Information to be provided where personal data has not been obtained from the data subject.

Data Subject Rights cont.
- Right of access by the data subject
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to object to automated decision making, including profiling

What changes does the GDPR bring?
Tasks
Organisations will need to undertake processes that need to be completed by an experienced data protection professional. Most of these are already a requirement under the current Data Protection Act 1998; however, they inherently change with the new requirements of the GDPR.
- Responding to complaints, from both the public and the ICO
- Information security incidents
- Responding to data subjects' rights
- Completing data protection impact assessments

Tasks cont.
- Writing policies, procedures and guidance for the organisations
- Designing and delivering numerous training packages on data protection each year
- Completing information audits
- Keeping an information asset register
- Keeping a retention schedule
- Ensuring any contracts are legally compliant with data protection
- Corresponding with the ICO

The Data Protection Officer (DPO)
- The original legislation made a DPO a legal requirement for schools.
- Where a DPO is a legal requirement, data controllers have to employ the services of one.
- Where a DPO is not a legal requirement, your organisation will need an individual with the same skill set in order to be compliant.
- Your organisation is unlikely to be legally compliant without the services of a DPO or someone with the relevant professional qualities.

The DPO
- DPO must not have a conflict of interest
- DPO cannot be fired for carrying out their tasks
- DPO must report to the highest level of management
- DPO cannot be given instructions on their tasks
- DPO informs, advises and monitors compliance with GDPR
- DPO is the contact point for the ICO and their details must be given to the ICO on or before 25th May 2018 if the organisation is legally required to have one.

What are the strategic requirements?
- Information Governance Framework
- Policies, procedures and guidance are in place and reviewed yearly
- Roles and responsibilities are clear and understood by all
- How data protection works with contractors, public sector organisations and 3rd parties
- Monitoring and reporting on performance
- Business continuity and disaster recovery
- Visible support and buy-in from senior management

What are the strategic requirements? Cont.
- Schools will need to understand, accept and embrace the importance of data protection and information security.
- Current laws have been in place since 1998. However, apart from universities, which generally have DPOs already in post, the education sector is widely non-compliant with data protection.
- Most organisations are now implementing GDPR on the back of nearly 20 years of data protection compliance, something schools are unlikely to be able to rely upon.

What to do next
- Determine how your school can be compliant with the Regulations.
- Determine whether you would like assistance from Leicestershire County Council.
There are options which the Council can consider. These are:
- Provide you with a resource to work towards the school's compliance.
- Provide you with a resource to work towards the school's compliance and to provide continued support.
- Provide you with a recruitment service to recruit your own Data expert.

Finally
Things you need to consider:
- Consider carefully before giving the Data role to someone already working in the school: they are unlikely to have the requisite knowledge (even if you do send them on a course) and it is a time-consuming role. If there is a conflict of interest under the GDPR it will be unlawful.
- Don't believe that the data protection levels you have implemented over the last 19 years can continue, if you wish to be legally compliant. One of the reasons that the GDPR has been introduced is because the world is changing, technology is moving forwards and people's awareness of their privacy rights is rising.

Finally
- Don't leave your data protection compliance decision too late. There will be a shortage of experienced Data experts come May next year; you will either not get one or be charged an extortionate amount for the services of one.
- If you wish Leicestershire County Council to help with any of the proposed options, you need to make this clear at the earliest opportunity.

Thank you for attending our briefing. We will email the presentation to you in the next week. As always we welcome your feedback. Please take a moment to complete your evaluation form.

Governor Development Service
Tel: 0116 305 6430
Email: governors@leics.gov.uk
Twitter: @LeicsSchools