GDPR Module 3: Accountability and Governance
Module 3: Introduction

In Module 3 we'll learn how the GDPR will introduce more explicit obligations around accountability and governance. The subjects covered are:

- The requirement to implement appropriate technical and organisational measures
- Maintaining records on processing activities
- Data protection impact assessments
- The requirement to appoint a data protection officer
- Data protection by design and default
- Codes of conduct
- Certification schemes
You'll recall from module 1 that the GDPR introduces a new 'accountability' principle (Article 5(2)), which makes it an explicit general requirement for data controllers to be responsible for, and to demonstrate compliance with, the data protection principles. The GDPR also contains more specific provisions that aim to increase compliance and accountability.
These are:

- To implement appropriate technical and organisational measures.
- To maintain relevant records on processing.
- To use data protection impact assessments where appropriate.
- To appoint a data protection officer if appropriate.
- To implement data protection by design and default.
We'll now look at each of these requirements in turn, starting with technical and organisational measures.

The GDPR requires the data controller to take measures to ensure and demonstrate that its processing complies with the legislation. This could include implementing internal data protection policies such as:

- reviews of internal HR policies
- staff training
- internal audits of processing activities
Next we'll take a look at the requirement to keep records of processing activities.
Records of processing

Examples of the types of records a data controller is required to maintain under the GDPR:

- Categories of recipients of personal data
- Transfers to third countries
- Purpose of processing
- Retention schedules

You may notice that there are some similarities between the information to be recorded under the GDPR and the 'registrable particulars' that have to be notified to the ICO under the DPA.
The extent to which a data controller has to comply with the obligation to keep records of processing will depend on the number of staff it employs.
The requirement to maintain a record of processing activities is obligatory for data controllers that employ 250 or more staff.

However, if the data controller has fewer than 250 employees then it will be exempt from the requirement to maintain records of its processing, unless that processing:

- could result in a risk to the rights and freedoms of individuals, or
- concerns special categories of data, or data on convictions and offences.
In this section we cover Data Protection Impact Assessments.

These assessments help organisations identify the most effective way to comply with their data protection obligations and meet data subjects' expectations of privacy. The ICO already encourages data controllers to use privacy impact assessments as part of a 'privacy by design' approach, but they are not a mandatory requirement under the DPA.
Under the GDPR, a data controller must carry out a data protection impact assessment if the processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where the processing activity involves the use of new technologies.
The GDPR says that a data protection impact assessment will be particularly required where any of the following applies:

- Systematic and extensive evaluation of individuals' personal aspects (based on automated processing) that is used to make decisions which produce legal effects on, or significantly affect, those individuals.
- Large-scale systematic monitoring of public areas (such as CCTV).
- Large-scale processing of special categories of data, or personal data relating to criminal convictions or offences.
Data protection impact assessment: contents

So what information should be included in a data protection impact assessment (or DPIA)? A DPIA should contain:

- A description and the purposes of the proposed processing, including (where applicable) the legitimate interests pursued by the data controller.
- An assessment of the necessity and proportionality of the processing in relation to the purpose.
- An assessment of the risks to data subjects' rights and freedoms.
- The measures in place to address risk, including security, and to demonstrate that the data controller is complying.
What if the data protection impact assessment finds that the processing poses a high risk to data subjects? In that event the data controller must consult the supervisory authority before beginning that processing. The supervisory authority must then provide the data controller with its view as to whether the measures proposed in the DPIA to mitigate that risk are adequate.

This would be a significant new work stream for us here at the ICO, and the operational implications of this are being considered as part of the Change Programme.
This section explores the new requirement for some data controllers and processors to appoint a data protection officer.
The GDPR sets out three specific circumstances in which an organisation must appoint a data protection officer. Only one of these has to be met for the obligation to apply:

- If the organisation is a public authority (except for courts acting in their judicial capacity).
- If the organisation's processing involves regular and systematic monitoring of data subjects on a large scale.
- If the organisation carries out large-scale processing of special categories of data, or data on convictions and offences.
Position: Data Protection Officer

So what would the job description for a data protection officer appointed under the GDPR look like? The data protection officer's duties are:

1. Inform and advise the organisation about its obligations to comply with the GDPR.
2. Monitor compliance with the GDPR, including managing internal data protection activities.
3. Be the first point of contact for supervisory authorities and data subjects.
4. Provide training to staff, advise on data protection impact assessments and conduct internal audits.
What about the person themselves? What qualities does the GDPR say they will need?

Person specification, skills and experience: professional experience and knowledge of data protection law. The GDPR says that this experience should be proportionate to the type of processing the data controller carries out, but it doesn't go into any further detail about the exact credentials the data protection officer should have (such as what qualifications they should hold).
The GDPR says that a single data protection officer can be appointed to act for a group of companies or public authorities, taking into account their structure and size and the availability of that data protection officer.
The data protection officer doesn't have to be an external appointment. The organisation can appoint an existing member of staff to the role, so long as they have the required experience and there won't be a conflict of interests with their other duties.

[Organisation chart: chief executive with a head of IT, head of HR and head of finance; in the slide's example the head of IT takes on the combined role of head of IT and data protection.]
Or, if it prefers, the organisation can contract out the role of data protection officer externally.
Whoever is appointed, the organisation must ensure that person reports to the highest management level (i.e. board level).
The organisation also has two additional obligations:

- The data protection officer must be allowed to operate independently and can't be dismissed or penalised for performing their job.
- The organisation must provide the necessary resources for the data protection officer to meet their GDPR obligations.
In this next section we'll take a look at what the GDPR has to say about data protection by design and default.

Data protection by design and default was always an implicit requirement of the DPA data protection principles, for example relevance and non-excessiveness. However, under the GDPR data controllers will be explicitly required to incorporate data protection by design and default into their processing.
The GDPR suggests that appropriate measures to help fulfil the requirement for data protection by design and default could include:

- Pseudonymising personal data as soon as possible.
- Transparency of processing of personal data, to enable the data subject to monitor the data processing.
- Minimising the processing of personal data.
In the case of data protection by default, the implementation of data minimisation measures is a mandatory requirement. This is because Article 25 of the GDPR explicitly states that data controllers must take appropriate measures to ensure that, '…by default, only the personal data necessary for each specific purpose of processing are processed…'.
The GDPR also states that, when considering which measures to adopt, the data controller should take into account factors such as:

- available technology
- the cost of implementation
- the nature, scope, context and purposes of the processing
- the risk to the rights and freedoms of the data subjects
We've now covered all of the specific accountability requirements we set out at the beginning of the module. Next we'll move on to voluntary schemes that are aimed at encouraging compliance.
The GDPR introduces two voluntary schemes that data controllers (or processors) can sign up to in order to demonstrate compliance with the legislation. These are:

- Approved codes of conduct
- Certification mechanisms

Signing up to these schemes offers a number of advantages.
Three of the main advantages to an organisation of signing up to a scheme:

1. It can improve transparency and accountability, so data subjects can see which organisations are complying with the GDPR and can be trusted with their personal data.
2. It can provide mitigation against enforcement action.
3. It can improve standards by establishing best practice.
In this next section we'll take a more detailed look at codes of conduct.
A code of conduct can be drawn up by trade associations or representative bodies. The code must be approved by the relevant supervisory authority.

However, the responsibility for monitoring the code lies with the 'accredited body'. This is an organisation accredited by the supervisory authority which has an appropriate level of expertise in the subject matter of the code. Any data controller (or processor) that adopts the code will be subject to mandatory monitoring by the accredited body, and the accredited body has powers to exclude a controller or processor that is claiming adherence to the code.
Codes of conduct will set out sector-specific guidelines on how to comply with the GDPR. They may cover topics such as:

- Data transfers outside the EU
- Appropriate technical and organisational measures
- Fair and transparent processing
- Breach notification
In this final section we'll look at certification schemes in more detail.

Certification offers another means for a data controller to demonstrate that it is complying with the GDPR. In particular, it can be used to show that the data controller is implementing appropriate technical and organisational measures.
A certification can be awarded by:

1. The supervisory authority, or
2. A certification body accredited by the supervisory authority.

The data controller or data processor must provide the supervisory authority or certification body with sufficient information and access to its processing activities to conduct the certification procedure. Certification lasts for a maximum of 3 years, and it can be renewed or withdrawn by the supervisory authority or certification body.