Information Governance Support Information Governance Services


1 Information Governance Support Information Governance Services
Introducing the General Data Protection Regulation 2016

2 Housekeeping
Fire exit
Toilets
Please put mobile phones on ‘silent’

3 What – Why – When?
What: GDPR repeals Directive 95/46/EC, on which our own Data Protection Act 1998 was built. The Regulation is directly applicable and does not require any domestic law to be written; it must be implemented ‘as is’.
Why: the current DPA is not fit for the digital age.
When: GDPR applies from 25th May 2018 (it entered into force on 24th May 2016, with a two-year transition period before it applies). Brexit does not affect the implementation of this regulation.

4 What is the key difference between DPA and GDPR?
DPA: an organisation is treated as compliant until proven not to be.
GDPR: the organisation must be able to demonstrate compliance from day 1 (the ‘accountability’ principle), so the burden of proof moves onto the controller.

5 Key Legislative Changes
7 Principles
Code of Practice
Data Protection Officer
Child Consent

6 Key Legislative Changes – Managing our Data
Records of Processing Activities [Article 30]: this is the mechanism by which organisations evidence their compliance with the GDPR.
The Records of Processing Activity bring together:
Information Asset Register
Data Flow Mapping
‘Privacy by Design’ elements
Categories of Data
Recipients / Subjects
Legal Basis / Conditions for processing

7 Key Legislative Changes – Privacy by Design & Default
Privacy must be considered at the start of any work to amend or bring in new processes or systems
Data Protection Impact Assessments (the GDPR’s version of Privacy Impact Assessments) must be undertaken where processing is likely to result in a high risk to individuals
Need to understand statutory duties and what the law requires you to do with personal data
Biometric data used to uniquely identify a person is a Special Category of Data
Data Subject Rights are increased and strengthened
Higher bar set for privacy notices and consent processes

8 Key Legislative Changes – Privacy Notices
Ensure you have an online privacy notice on your school website
Ensure all points of data collection are signposted to your online notice
To comply with GDPR you will need to add:
Legal basis for each purpose of processing
Contact details for your DPO
Safeguards in place for overseas transfers
Profiling – where applicable
Automated decision-making – where applicable
Meet accessibility requirements

9 Key Legislative Changes – Consent
Consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes (explicit consent is required for special category data). It must be:
requested using clear language
intelligible
accessible
provided with the ability to withdraw at any time
provable: you must be able to show that consent was given
necessary: only rely on consent where it is genuinely the right lawful basis for the processing
Consent will be required from a child aged 16 (UK law may lower this to 13) to process their data in relation to information society services (online services); below that age, consent must be given or authorised by the holder of parental responsibility.

10 Key Legislative Changes – Data Subject Rights
The right to restrict processing
The right to data portability
Rights in relation to profiling
The right to rectification
The right to erasure

11 Key Legislative Changes – Data Subject Rights
Subject Access Requests (SARs) have been amended:
Disclosure must now be made without undue delay and at the latest within one month of receiving the request
The period can be extended by a further two months for complex or numerous SARs, but the requestor must be told of the extension, and the reasons for it, within the first month
Can’t charge for a SAR
For ‘manifestly unfounded’ or excessive requests, particularly where they are repetitive, we are allowed to either:
– Refuse the request, explaining why, or
– Charge a reasonable fee for the SAR, based on the administrative cost of responding
It is no longer a requirement for requestors to say where their data might be held (i.e. tell us which services they have received)

12 Key Legislative Changes – Data Protection Officer (DPO)
All public bodies (incl. schools) must appoint a DPO
This is a statutory position
The DPO must have expert knowledge of data protection law and practice, and must be able to act independently
Can be delivered:
In-house
Outsourced
Clustered (one DPO shared across a group of schools)

13 Key Legislative Changes – Security
ENCRYPTION
Ensure you have encryption activated on devices
Extend this to removable media
Train your staff
SERVICE CONTINUITY
Make sure your business continuity plan covers IT
Ensure your Disaster Recovery Plan is up to date
PROTECTION
Apply security patches quickly
Ensure regular penetration testing

14 Key Legislative Changes – Outsourcing
ROPA: Data Processors (i.e. third-party contractors) will now have specific legal obligations of their own to maintain records of personal data and processing activities.
Fines: where we can prove that a breach resulted from a processor not following our instructions, the processor will be held accountable for the breach and any resulting fine.
Contracts: all contracts will need to be reviewed prior to 25th May 2018 to ensure the contract provisions meet GDPR requirements (Article 28), e.g.
No sub-contracting without the prior written authorisation of the Controller
The processor may only process personal data on the Controller’s documented instructions, unless required to do so by EU or member state law, in which case it must inform the Controller before processing

15 Key Legislative Changes – Breaches
A new requirement to report personal data breaches to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a ‘high risk’ to individuals, the affected data subjects must also be told without undue delay.
Failure to notify a breach can itself result in a significant fine of up to 10 million euros.
Medium breaches of data protection are subject to administrative fines of whichever is higher of the following:
up to 10,000,000 EUR
up to 2 % of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking)
These are focussed on process failures (e.g. records of processing, security measures, breach notification, processor contracts).
Major breaches of data protection are subject to administrative fines of whichever is higher of the following:
up to 20,000,000 EUR
up to 4 % of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking)
These are focussed on incidents which are likely to cause damage and distress (e.g. breaches of the principles, of the conditions for consent, or of data subject rights).
The Data Subject is at the centre of claims for compensation. A controller and a processor involved in the same processing are each liable to the data subject for the whole of the damage: the Data Controller must pay up front and can then recoup from the Data Processor the share corresponding to its responsibility, where appropriate.

16 Where do we start?
Requirement: Know what data you use and how you use it
Activity: Ensure you have an Information Asset Register and map your data flows fully to create your Records of Processing Activity
Requirement: Privacy by Design
Activity: Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, outsourcing, risk etc.)
Requirement: Roles & Responsibility
Activity: Appoint a Data Protection Officer
Requirement: Training & Awareness
Activity: Arrange training for staff to ensure they understand the requirements of the GDPR; this is an on-going requirement
Requirement: Incident Management
Activity: Have a robust policy and process to manage security incidents

17 Where can you get help?
WEISF.ESSEX.GOV.UK – Templates & Guidance
ICO.org.uk – Regulatory guidance & Codes of Practice
Traded support services

18 Questions/Discussion Time

19 Guidance on the GDPR can be found at:
GDPR – Full Text
ICO EU DP Reform Microsite
ICO 12 steps to preparing for the GDPR
Whole Essex Information Sharing Framework (WEISF) portal – Weisf.essex.gov.uk

20 Simplify
We have the knowledge and experience to simplify your challenges
