GDPR Workshop – Partnerships for Jewish Schools

GDPR Workshop – Partnerships for Jewish Schools 7 March 2018 Sarah Rowley, Senior Associate

Sector data scandals and the fallout
1) Olive Cooke and the aftermath: too many mailings; a new regime as a result.
2) ICO fines 13 charities for trading data and wealth screening.
3) Selling Barbara documentary: charities accused on the BBC over data swapping.
4) Age UK data breaches.

What we'll cover
- Intro and background
- The main changes under GDPR
- Processing by education organisations
- Lawful grounds for processing
- Direct marketing, fundraising and consent
- Agreements and data sharing with third parties
- Policies, notices and notifications

Intro and background
Applicable laws:
- General Data Protection Regulation – applies from 25 May 2018
- E-Privacy Regulation (repealing the E-Privacy Directive) – planned date for implementation 25 May 2018?
- Data Protection Bill (Data Protection Act 2017/18) – 25 May 2018
Regulatory guidance:
- Information Commissioner's Office – https://ico.org.uk/for-organisations/data-protection-reform/
- Article 29 Working Party – http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

Intro and background
Key concepts:
6 data protection principles (GDPR, Art 5.1):
- 'lawfulness, fairness and transparency'
- 'purpose limitation'
- 'data minimisation'
- 'accuracy'
- 'storage limitation'
- 'integrity and confidentiality'
"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')." GDPR, Art 5.2
For any given processing activity an organisation acts as either a data controller or a data processor (it may be a controller for some activities and a processor for others)

The main changes under GDPR
- Extra-territorial applicability
- Breach notification
- Data protection officer
- Data transfers
- Agreements with data processors
- Sanctions for non-compliance

Processing by education organisations
- Various categories of data – although mostly relating to students and staff
- Parental consent
- Managing sensitive data, the "special categories of data", e.g. health records, classification of ethnicity or religious indicators
- Direct marketing to prospective parents

Issues for schools
- Notification
- Personal data
- Fair processing
- Information security
- Disposal
- Policies
- Subject access requests
- Sharing personal information
- Websites
- Photographs
- Processing by others
- Training

What are the lawful grounds for processing?
Art. 6(1) GDPR, Lawfulness of processing: "Processing shall be lawful only if and to the extent that at least one of the following applies:"
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
   Comment: the only ground available for electronic direct marketing
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c) processing is necessary for compliance with a legal obligation to which the controller is subject
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden…
   Comment: conduct a balancing test; may be used for non-electronic direct marketing
Top tip: Document your balancing test for legitimate interests

Direct marketing, fundraising and consent

Direct marketing, fundraising and consent
New donors: If your consent mechanism is not GDPR compliant, change it to something like:
No longer permitted:
Top tip: Use separate tick boxes for email marketing (but leave off post)

Data mapping, lawful grounds and records
Understanding what you do: Who? What? Why? Where? How long?

Agreements and data sharing with third parties
Understand who you are sharing your data with: controller or processor?
- Who determines the purpose for which the data is processed and the means by which it is processed?
- A good litmus test is whether there is any data which, at the end of the agreement, you could expect to tell them to stop using or to hand back
If you are sharing with a data controller (for example, other educational establishments or other organisations providing services directly to your students or staff):
- You do not abdicate responsibility for an end user's personal data simply by sharing it with a third party data controller
- Put some controls in place, e.g. "where we share data with you, you shall not do or omit to do anything which would cause us to breach applicable data protection law"
Top tip: Create a list of controllers and processors

Agreements and data sharing with third parties
If you are sharing data with a data processor (for example: external payroll providers, IT service providers, others providing back-office admin functions for you…):
- Binding written contract
- Under the DPA 1998 the processor: shall only act on instructions; must ensure the security of the data
- Under the GDPR, much more… (the mandatory contract terms are set out in Art 28(3))
Top tip: Write to your processors. Ask them how they're complying.

Policies, notices and notifications
What policies do you have in place?
- Data protection policy
- Information security (and data breach notification) policy
- Data retention policy
Always good to have an instruction manual; it demonstrates compliance with the accountability principle

Policies, notices and notifications
Privacy notices / 'fair processing info'
- Tell people what you do with their data. Do you pass the 'red-face test'?
- New – notices should be GDPR compliant
- Wide enough to cover all intended processing?
Top tip: At the very least, pass the red-face test!

Policies, notices and notifications
- The obligation to register as a data controller (and pay a fee) will remain in place (although you will no longer need to provide detailed particulars)
- Don't let your registrations lapse
- Not needed if you sit within an exemption (NB. the exemption referred to on the slide is very narrow – schools should not rely on it!)
Top tip: Keep up with your renewals – they will still last 12 months

Conclusion and questions Sarah Rowley, Senior Associate sarah.rowley@crsblaw.com +44 (0)20 7203 5370