
General Data Protection Regulation (GDPR)


1 General Data Protection Regulation (GDPR)

2 General Data Protection Regulation (GDPR)
Made 27 April 2016
Comes into force 25 May 2018
Similar to Data Protection Act 1998
Requirements added or expanded
No Brexit effect
Future legislation likely to remain in line with EU

Speaker notes: We have a little more than 12 months to become compliant, or at least to show broad compliance and processes in place to ensure total compliance in a reasonable timeframe. Most of the DPA requirements remain but may have been expanded. It is likely that future UK legislation will remain in line with this Regulation, to ensure that trade etc. can continue unhindered by Data Protection issues.

3 Preparation
ICO guidance
EU Article 29 Working Party
“Buy in” at key levels
Increased documentation
Legal basis
Procedures
Data asset register
Local Information Governance/Data Protection officers/teams

Speaker notes: The ICO has issued basic guidance and is trickling things out quietly – we would have expected more by this point in an ideal world! An EU working party is also working on producing guidance for organisations. It is important that we have buy in at key levels in our organisations at an early stage – senior management and Information Asset Owners should ideally already be aware, but information will need to be filtered down to all staff over the next 12 months. We will need to identify the legal basis for collecting information from clients in most cases. Procedures for collection and processing of information could be required. A register of data types held will be required; some of us may already have some of this in place. There will be corporate leads for implementation, and we are likely to have to feed in to this, but the responsibility and impact will affect all staff, not least managers and system administrators.

4 The ICO’s 12 Steps: Awareness / Assess Information Held
Awareness
Ensure that decision makers and key people are aware of the change to the GDPR
Identify potential problem areas
Readiness for resource impacts

Assess Information Held
What personal information is held?
Where did we get it?
Do we share it and with whom?
Information Asset Register

Speaker notes: Hopefully somebody in your organisation is already looking at this! Working Groups, Information Asset Owner and Administrator involvement? Preparation is likely to have a resource impact across all staff involved. A “register” of information assets provides the opportunity to pull a lot of the information together, to allow assessment of compliance and to form a basis for the work to be done.

5 The ICO’s 12 Steps: Communication / Individuals’ Rights
Communication
Review privacy notices
Explain legal basis for processing the data
Explain retention periods
Inform of the right to contact ICO
ICO is updating their Privacy Notices CoP to reflect GDPR

Individuals’ Rights
Ensure the new and enhanced rights are covered in procedures
Subject Access
Correction of inaccuracy
Erasure of information
Prevent direct marketing without explicit consent
Prevent automated decision making and profiling without explicit consent
Data Portability – supply electronically in a common format

Speaker notes: Privacy Notices will need to give more information than most of us currently provide – we will need to review forms, web forms etc. The ICO’s Code of Practice is in the process of being updated to provide guidance. Individuals’ rights are similar to those under the DPA but are enhanced. It is worth checking procedures and processes and updating them at an early stage.

6 The ICO’s 12 Steps: Subject Access Requests / Legal Basis
Subject Access Requests
No fee
1 month to comply
Policies and procedures for refusal (unfounded or excessive)
Inform subject of retention and right to correct inaccuracy
Resource impact
ICO suggests cost/benefit analysis of online portal

Legal Basis
Document legal basis for processing data (Asset Register?)
Explain in SAR response and Privacy Notices

Speaker notes: Changes to SARs are likely to have a significant impact resource-wise – the removal of a fee coupled with the reduction in timescales may encourage requests and provide additional pressure to produce them more quickly. Manifestly unfounded or excessive requests could be refused or charged for – procedures for dealing with these should be in place. The ICO suggests provision of an online portal for requestors to serve themselves – unlikely to be cost effective! The aforementioned Information Asset Register could be used to record the legal basis for collection of the data described. SARs and Privacy Notices should contain this information to inform consent.

7 The ICO’s 12 Steps: Consent / Children
Consent
Review how consent is sought and recorded
Consent and Explicit Consent – await ICO!
Positive – not inferred. No pre-ticked boxes!
Needs to be verifiable – audit trail

Children
Verification of age
Gathering parental or guardian’s consent (under 13)
Privacy Notice understandable

Speaker notes: The difference between explicit consent and consent is not clear at this stage! Silence, pre-ticked boxes or inactivity cannot be inferred as consent. GDPR contains special protection for children’s data – advice (refer to Social Services?) is likely to be required!

8 The ICO’s 12 Steps: Breaches / Data Protection by Design
Breaches
Procedures in place
Report to ICO within 72 hours
Resource implications
Fines – failure to notify and breach itself!

Data Protection by Design/Impact Assessments
ICO guidance on Privacy Impact Assessments
Data minimisation

Speaker notes: Tightening up on reporting of breaches may not provide time to investigate, so possible breaches are likely to need to be reported just in case! Failure to notify can attract sanctions, not just the actions leading to a breach. Privacy Impact Assessments will be required for new implementations where data is collected. There is an express legal requirement for Data Protection by Design and for minimising data to that which is required for processing (in the DPA this was implied).

9 The ICO’s 12 Steps: Data Protection Officers / International
Data Protection Officers
Designated officer
Requires “expert knowledge” and authority
Can be outsourced
Point of contact with ICO

International
If operating internationally
LAs should be ICO

Speaker notes: Your current approach to the DPA may already include an individual or team with overall responsibility. Your IT provider may be able to provide this, but the processor remains the authority. Where the organisation operates across borders (unlikely in LAs?) then the relevant Supervisory Authority should be identified. In our case it would be the ICO.

10 Sanctions
Written warning
Regular Data Protection Audits
Fines raised from max £500,000 to max €20 million or 4% annual global turnover
Ban or suspension on processing or transferring data

Speaker notes: The ICO can impose various sanctions on the organisation if and when it investigates breaches or failures. In practice we do not know what sanctions they are likely to use on Local Authorities yet!


12 Further Information
Information Commissioner’s Office – www.ico.org.uk
Your Information Governance/Data Protection team

Speaker notes: Your authority should already be looking at this! The ICO promises regular updates and guidance. This presentation is based on the “12 steps to take now” document. This should have been picked up somewhere in your authority – if you are not involved yet, make contact! Implications for us as APP admins may involve data cleansing (retention, corrections etc.), adding fields to record consent, extraction of data for SARs, investigation of breaches etc.

