GDPR – What’s it all about???

1 GDPR – What’s it all about???
Date: 12th October 2017
Phil Walden
General Data Protection Regulation

2 The background stuff…
The General Data Protection Regulation (GDPR) was developed with a focus on social media and cloud providers, but it affects everyone.
The aim is for the EU to strengthen and unify data protection and give control back to individuals.
It will replace the UK’s Data Protection Act 1998.
It comes into force on 25th May 2018.
Large fines are threatened for non-compliance (4% of annual turnover or €20,000,000, whichever is greater).
Not sure what happens re fines for small businesses or councils……

3 ICO is not toothless
2010: 2 fines totalling £160,000
2011: 7 fines totalling £541,100
2012: 17 fines totalling £2,143,000
2013: 14 fines totalling £1,520,000
2014: 9 fines totalling £668,500
2015: 18 fines totalling £2,031,250
2016: 21 fines totalling £2,155,500
2017 (to August): 44 fines totalling £3,107,500
Biggest in DPA days was £400k against a max of £500k for an offence

4 Who is impacted?
Predominantly… network providers, device manufacturers, social platforms, ‘app’ developers, location-targeted advertisers
But in fact… any organisation (controller or processor) that handles personal data of European individuals
We are processors – councils are controllers

5 What about Brexit?
The UK will not have left the EU before 25 May 2018
During the negotiation period the GDPR will apply for months, if not years
The UK is adopting many EU rules and regulations
Assume GDPR will likely remain post-Brexit

6 Key areas of GDPR?
Individuals will have:
The right to access
The right to be forgotten
The right to data portability
The right to be informed
The right to have information corrected
The right to restrict processing
The right to object
The right to be notified
Why’d you want all your data moved from one supplier to another?

7 What is personal data?
The definition of personal data has been extended with GDPR: any information that can be used to identify an individual
Name & address address
Photos
Medical information
Bank details
Location data
Now including online identifiers: computer IP addresses, cookie IDs
IP addresses and cookies mean that pretty much all online data is now within GDPR

8 What can be done now?
Information audit – identify what personal data is held: handlers, claimants & representatives (witnesses), organisation contacts
Where did it come from? Who has it been shared with? How accurate is it? What do you need to keep?
Documentation review, such as consent forms and privacy statements
Establish procedures for handling personal data
Any feedback from the group here?

9 Informing and consent – what do you need to do?
Organisations will be required to obtain individuals’ consent to store and use their data, as well as explain how it will be used
This is not new, but consent must be a positive indication, i.e. no pre-ticked boxes
Consent must be unambiguous
Consent must be separate from other written agreements
Consent must be easily revoked
Consent for children under 16 must be obtained from a responsible person
Public bodies may be able to base their processing on other legal grounds
Last point – may be able to – in fact should actively look for other legal justifications.

10 Individuals’ right to access – what do you need to do?
Current privacy notices provide individuals with certain information, such as your identity and how you intend to use their information
GDPR requires you to explain your lawful basis for processing data and your retention periods.
You must be able to provide electronic copies of private records to individuals, where they are stored and for what purpose.
You cannot charge for providing these, and you will have a month to comply
You can refuse, but they must be told why and that they have a right to complain

11 What actions will you be required to perform?
Data cleansing (anonymisation) – What are the data retention periods? What are the conditions for when this period begins? Are there any exclusions?
Right to be forgotten – Claims that are active; claims still within the retention period
Right to access – How much information should be provided? How will you confirm the individual’s identity?
This applies to the systems/processes you employ as well as the systems that you use.
Group feedback?

12 Data cleansing – what should be anonymised?
Names, addresses and location information
Dates of birth / age at incident
NI numbers
Phone numbers and addresses
References (from claim/claimant, other parties, payments, etc.)
All diary information (actions, files, s)
Group feedback
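As an added example (not code from the presentation, LACHS or JCAD), the anonymisation rules of slides 11 and 12 carried into one routine: the listed personal fields are redacted and NI/phone numbers are scrubbed out of free-text diary notes, but only for closed claims whose retention period has expired, so active claims and claims still within retention are left intact. The field names, the regex patterns and retention running from the closure date are assumptions.

```python
"""Added example (not from the presentation): anonymise closed claim records
once retention has expired; open claims and claims within retention stay."""
import re
from datetime import date, timedelta

# Fields the slide lists for anonymisation; the claim reference and payment
# figures are kept so the financial record survives.
PII_FIELDS = ("name", "address", "date_of_birth", "ni_number", "phone")
REDACTED = "[REDACTED]"

# Heuristic patterns for a UK NI number (two letters, six digits, suffix A-D)
# and a UK phone number as they may appear inside free-text diary notes.
NI_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
PHONE_RE = re.compile(r"\b0\d{3,4} ?\d{3} ?\d{3,4}\b")

def scrub_text(text: str) -> str:
    """Redact NI and phone numbers embedded in diary text."""
    return PHONE_RE.sub(REDACTED, NI_RE.sub(REDACTED, text))

def is_due(record: dict, today: date, retention_days: int) -> bool:
    """Due only when closed AND retention (assumed to run from the closure
    date) has expired; open claims are the slide's first exclusion."""
    closed = record.get("closed_on")
    if closed is None:
        return False
    return today - closed > timedelta(days=retention_days)

def anonymise(record: dict, today: date, retention_days: int) -> dict:
    """Return a copy of the record with personal data removed if it is due."""
    if not is_due(record, today, retention_days):
        return dict(record)
    out = {k: (REDACTED if k in PII_FIELDS else v) for k, v in record.items()}
    out["diary"] = [scrub_text(note) for note in record.get("diary", [])]
    out["anonymised_on"] = today
    return out

# Constructed, fictional sample claims: one long closed, one still open.
CLAIMS = [
    {"ref": "C-1001", "name": "A. Person", "address": "1 High St",
     "date_of_birth": date(1970, 1, 2), "ni_number": "QQ123456C",
     "phone": "01234 567890", "closed_on": date(2010, 6, 1), "paid": 1500,
     "diary": ["Called claimant on 01234 567890", "NI confirmed as QQ 12 34 56 C"]},
    {"ref": "C-1002", "name": "B. Person", "address": "2 High St",
     "date_of_birth": date(1980, 3, 4), "ni_number": "AB654321A",
     "phone": "01234 000000", "closed_on": None, "paid": 0,
     "diary": ["Claim still open"]},
]

def run(today: date = date(2018, 5, 25), retention_days: int = 6 * 365) -> list:
    return [anonymise(c, today, retention_days) for c in CLAIMS]
```

The regexes are deliberately simple; a production pass would also need the claim reference cross-references the slide mentions, which are not modelled here.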

13 What features are planned for LACHS?
Individual and bulk record anonymisation
What are the exceptions?
Should there be any automation?
Group feedback?

14 How could the GDPR affect JCAD?
Support – if we requested a copy of your database, you would need to ensure that all individuals knew that it was a possibility that it could be given to a 3rd party
Will NDAs cover GDPR compliance?

15 In summary, what does the GDPR mean for local government?
Consent not sufficient
No need to register with ICO
(Article 30) record keeping and evidence of compliance
Privacy statements/policy will need revamping
Subject access requests might increase, as there is no longer a fee & more info is required
Council staff will need training on new policies
Will systems cope with data isolation, anonymisation, erasure?
Data breaches should be reported to ICO & data subjects (sometimes). Internal systems required to detect, investigate & report
DPOs (data protection officers) can be shared across organisations
Data protection by design and default – proactive risk management rather than a tick-box exercise.
Processors (JCAD) – comply with DPP – must record information – processes & policies in place for security purposes

16 Thank you for your attention!
Any Questions?
