GDPR 12 POINTS 679/2016 DATA LEX 2016
What is the GDPR?
• The General Data Protection Regulation will come into force on the 25th May 2016.
• It replaces the existing data protection framework under the EU Data Protection Directive.
• It will not generally require transposition into Irish law, as regulations have ‘direct effect’.
• The GDPR emphasises transparency, security and accountability by data controllers and standardises/strengthens the right of European citizens to data privacy.
• The ODPC is aware that the increased obligations that the GDPR places on companies might cause some anxieties for business planners. It is essential that all organisations immediately start preparing for the implementation of GDPR by carrying out a “review and enhance”.
• The GDPR gives data protection authorities more robust powers against non-compliance, including administrative fining capabilities of up to €20M (or 4% of global turnover, whichever is greater) for the most serious infringements.
• GDPR also makes it easier for individuals to bring private claims: data subjects who have suffered non-material damage as a result of an infringement may sue for compensation.
GDPR 679/2016
1. Becoming Aware
• Key personnel must now be GDPR aware and start to identify areas that could cause compliance problems under the GDPR.
• Review and enhance the organisation’s risk management processes and evaluate the costs of compliance.
• Delay may compromise compliance obligations.
2. Becoming Accountable
Make an inventory of all personal data you hold and examine it under the following headings:
• Why are you holding it?
• How did you obtain it?
• Why was it originally gathered?
• How long will you retain it?
• How secure is it, both in terms of encryption and accessibility?
• Do you ever share it with third parties, and on what basis might you do so?
The inventory established will go a long way to providing good data quality and data tracking.
3. Communicating with Staff and Service Users
• Review all current data privacy notices alerting individuals to the collection of their data.
• Identify any gaps between the level of data collection and processing your organisation engages in and how aware you have made your customers, staff and service users of this fact. If gaps exist, set about redressing them using the inventory from 2 above.
Currently you must PROVIDE…
o your identity,
o your reasons for gathering the data,
o the use(s) it will be put to,
o who it will be disclosed to, and
o whether it is going to be transferred outside the EU.
Under GDPR you will ALSO need to communicate additional information to individuals in advance of processing, such as…
o the legal basis for processing the data,
o retention periods,
o the right of complaint where customers are unhappy with your implementation of any of these criteria,
o whether their data will be subject to automated decision making, and
o their individual rights under the GDPR.
The GDPR also requires that the information be provided in concise, easy to understand and clear language.
4. Personal Privacy Rights
Review your procedures to ensure they cover all the rights individuals have, including…
• subject access
• to have inaccuracies corrected
• to have information erased
• to object to direct marketing
• to restrict the processing of their information, including automated decision-making
• data portability
NOTE: Practise a scenario where you receive a DAR (a data access request).
5. How will access requests change?
• In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive.
• The timescale for processing an access request will also shorten, dropping significantly from the current 40-day period.
• There are some grounds for refusing to grant an access request, e.g. where a request is deemed manifestly unfounded or excessive. Have clear refusal policies and procedures in place.
• If your organisation handles a large number of access requests, the impact of the changes could be considerable.
6. What we mean when we talk about ‘Legal Basis’
• Look at the various types of data processing you carry out, identify your legal basis for carrying out each and document it.
• This is particularly important where consent is relied upon as the sole legal basis.
• It will no longer be possible to cite legitimate interests. Instead, there will be a general necessity to have specific legislative provisions in support.
• Time for data minimisation, anonymisation and pseudonymisation.
7. Using Customer Consent as grounds to process data
• How do you seek, obtain and record that consent?
• Was the consent ‘freely given, specific, informed and unambiguous’? There can be no doubt that the individual is consenting.
• Record all consent information for any future audit or other matter.
8. Processing Children’s Data
• Have adequate systems in place to verify individual ages and gather consent from guardians.
• The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial internet services.
• As of 2nd December 2016, the Irish Government will consider submissions from interested parties in respect of the ‘digital age of consent’ in the context of the GDPR.
9. Reporting Data Breaches
• While there are obligations on companies currently, the GDPR will introduce mandatory breach reporting.
• Breaches will be reported within 72 hrs. unless the data was secured.
• Where the subject will likely be harmed by the breach, they must also be informed.
• Categorisation of held data must now be assessed for compliance.
Note: Failure to report a breach if required may attract a fine for both the breach and the failure to report same.
10. Data Impact Assessments (DPIA) and Data Protection by Design and Default
• A DPIA measures the potential impact the project or system under consideration might have on the privacy of individuals.
• The assessment should assist with the foreseeability of issues so that remedial actions can be considered.
• These assessments will be mandatory for some high-risk processing, e.g. large scale monitoring in a public area.
• Where risks cannot be fully mitigated, you must consult the ODPC before commencing the project.
• Privacy by design means privacy matters are considered and integrated as appropriate at the starting point of a project and incorporated where possible into existing ones.
11. Data Protection Officers
• A DPO must be designated within a public authority, by large scale processors of sensitive personal data, and/or by those regularly and systematically monitoring subjects.
• Some organisations may use an external advisor who will take responsibility for your data protection compliance.
• Are you required to designate a DPO?
12. International Organisations and the GDPR
• Organisations will be wise to consider the location of their main establishment, as they will be required to liaise primarily with the authority there. The one-stop-shop provision encourages this.