Published by Primrose Kennedy. Modified over 9 years ago.
Slide 1 - Data Protection: The new EU Regulation
Slide 2

This presentation is intended to help you understand aspects of the new EU Data Protection Regulation and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
Slide 3 - What Data Protection is about: 1

- Protecting people
- Protecting data
Slide 4 - What Data Protection is about: 2

- Privacy & choice

(Illustrative speech bubbles on the slide: "Give us more money!", "Support our campaign!", "But of course we told your social worker")
Slide 5 - What Data Protection is about: 3

Individual rights, such as:
- Right to opt out of direct marketing
- Right of Subject Access
- Right to compensation for harm
Slide 6 - The current legal framework

- EC Directive 95/46/EC
- Data Protection Act 1998
- Similar legislation in most other European countries
- Privacy & Electronic Communications (EC Directive) Regulations 2003
- Non-statutory Guidance and Codes of Practice, including:
  - Information Commissioner
  - Institute of Fundraising
Slide 7 - The new Regulation

- First draft January 2012
- Extensive negotiations between Commission, Parliament and Council over nearly four years
- Final agreed draft December 2015
- To be ratified imminently
- Coming into force 2018
- It’s a Regulation, not a Directive
Slide 8 - Themes

- “The processing of personal data should be designed to serve mankind” (Recital 3a)
- More control over online services and large commercial organisations, especially multinationals
- Emphasis on reducing risk
- Limited extension of individual rights
- Data Controller evidence of compliance
Slide 9 - Main changes include:

- Definition of consent tightened up … but still not always required
- Tighter rules on children’s data (under 16), especially online
- More transparency requirements
- Data minimisation and pseudonymisation
- More rights to have data erased
- Provision for allocating responsibilities between joint Data Controllers
- Data Processors carry more direct responsibilities
- No registration: Data Controller has to keep records
- Requirement to notify serious breaches
- Bigger fines
- Additional responsibilities on large organisations and those doing riskier processing
Slide 10 - Consent

- Consent is “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed” (Article 4(8))
- “Where processing is based on consent, the controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data.” (Article 7(1))
- “Silence, pre-ticked boxes or inactivity should … not constitute consent.” (Recital 25)
Slide 11 - When is consent not required?

Similar conditions to now, including:
- Processing is lawful [if it is] “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. …” (Article 6(f))
- “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” (Recital 38)
Slide 12 - Where does this leave fundraising?

- Definitions unclear: when does a communication become marketing?
- How does the fundraising Code relate to the marketing provisions of the Regulation?
- New Regulation does not rescind PECR
- Therefore, consent is likely to remain the only reliable basis for direct unsolicited fundraising
- Consent has to involve “clear affirmative action”
- Therefore, are we looking at opting in only?
Slide 13 - Tighter rules on children’s data

- Children deserve specific protection … as they may be less aware of risks, consequences, safeguards and their rights …. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child. … (Recital 29)
- Where [consent] applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 16 years … shall only be lawful if … consent is given … by the holder of parental responsibility over the child.
Slide 14 - More transparency requirements

Data Subjects must usually be made aware of (Article 14):
- the identity and the contact details of the controller
- the purposes as well as the legal basis of the processing, and where relevant the legitimate interests
- any recipient(s); any overseas transfers
- the storage period or criteria for deletion
- right of access to data and rectification or erasure
- right to withdraw consent at any time
- the right to lodge a complaint to a supervisory authority
- whether the provision of personal data is [contractually] required [or] the data subject is obliged to provide the data and … possible consequences of failure to provide [it]
Slide 15 - Minimisation and pseudonymisation

- Principle 3 now says data must be: “adequate, relevant and limited to what is necessary … (“data minimisation”)” (previously ‘adequate, relevant and not excessive’)
- Data protection by design and by default (Article 23) stresses pseudonymisation as a security measure, especially for ‘big data’ analysis, for example
- Pseudonymisation means that the person is still identifiable but their identity can only be retrieved with the use of additional data which is held separately and securely
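Pseudonymisation as the slide defines it, shown as an added Python example that is not part of the presentation: direct identifiers are replaced by a keyed token, and the link back to the person exists only in a separately held secret key plus lookup table (the "additional data"). The records, names, emails and key below are constructed sample values.

```python
"""Pseudonymise a small dataset so analysis can run on it, while re-identification
needs the separately held key and lookup table. Constructed example data."""
import hmac
import hashlib
import secrets

# Constructed sample records (hypothetical donors).
RECORDS = [
    {"name": "Ann Example", "email": "ann@example.org", "donation": 25, "postcode_area": "SG12"},
    {"name": "Bob Sample", "email": "bob@example.net", "donation": 100, "postcode_area": "LE2"},
    {"name": "Ann Example", "email": "ann@example.org", "donation": 40, "postcode_area": "SG12"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed HMAC: the same person gets the same token across records, but without
    the key a token cannot be recomputed from a guessed email (unlike a plain hash)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (working dataset, re-identification table). The table and the key
    are the 'additional data' that must be stored separately and securely."""
    dataset, reid_table = [], {}
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        reid_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject": token, **rest})
    return dataset, reid_table


def reidentify(token, reid_table):
    """Needed e.g. to answer a subject access or erasure request; returns None
    for unknown tokens, so the working dataset alone cannot name anyone."""
    return reid_table.get(token)


def total_per_subject(dataset):
    """Analysis that works on the pseudonymised data without any identities."""
    totals = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["donation"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice kept in a separate key store
    data, table = pseudonymise(RECORDS, key)
    print(total_per_subject(data))
    print(reidentify(data[0]["subject"], table))
```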
Slide 16 - Rights to erasure, etc.

Data Subjects have the rights to require:
- Rectification of inaccurate data (Article 16)
- Completion of incomplete data (Article 16)
- Erasure (“right to be forgotten”), with exceptions, but including removal of links (Article 17)
- Restriction of processing in certain cases (Article 17a)
- Compensation for “material or immaterial damage” (Article 77)

Also have the right to complain to supervisory authority
Slide 17 - Data Controller responsibilities

- Technical and organisational measures to ensure full compliance (Article 22)
- Appropriate policies (including Data Protection by design and by default) (Article 22)
- Records of processing: what, who, how, etc. (Article 28)
- Joint Controllers must transparently “determine their respective responsibilities”, but each can be “liable for the entire damage” caused by a breach (Articles 24 & 77)
Slide 18 - Data Processor responsibilities

- Data Controller still has responsibility to select competent Processors
- More detailed rules about what has to be in the contract
- Standard contracts should be available
- Processor may be liable for breaches and other compliance (many obligations refer to the “controller or processor”, including processors based overseas)
Slide 19 - Notification of serious breaches

- Must report (preferably within 72 hours) unless the breach is unlikely to result in a risk to individuals
- Individuals must usually be notified where the breach is likely to result in a high risk to them
- Processors must notify breaches to Controllers
Slide 20 - Penalties

Breaches subject to two levels of penalty, depending on the breach:
- €10 million or 2% of total worldwide turnover
- €20 million or 4% of total worldwide turnover
(whichever is higher, in each case)
Slide 21 - Large organisations & riskier activities

- Impact assessments before starting innovative processing
- Data Protection Officer, with specified competence and duties
Slide 22 - Selected other changes

- Overseas transfers: slight loosening of the conditions that legitimise transfers
- Jurisdiction over multi-national companies operating into Europe (including web-based)
- Scope for national variations in a number of places
Slide 23 - Thank you for listening

For more information, contact me at:
2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE
0116 273 8191
paul@paulticher.com
www.paulticher.com

CHASE2016 Sponsors