General Data Protection Regulation (GDPR)


1 General Data Protection Regulation (GDPR)
21/07/2018 Andrew Cormack, Chief Regulatory Adviser

2 Session Outline
- New Legislation
- Significant Changes
- How to Approach It
- Examples

3 What it is
- Regulation of the European Union (2016/679/EU)
- Applies directly to everyone / every organisation in Europe
  - And beyond, to organisations providing services to, or collecting data about, Europeans
- Replaces the Data Protection Directive (1995/46/EC); ~3x longer
- In force from 25th May 2018

4 What it isn’t: Finished…
- Around 50 areas for each Member State to decide (e.g. research)
- Regulators will be drafting guidance for the whole of 2017
  - Planned list doesn’t cover all issues (e.g. cloud)
- ePrivacy Regulation: first draft out for comments (as of September 2017)
- Expect uncertainty/change/contradiction well beyond May 2018

5 Does it cover me?
- Yes, if you are processing (including storing) personal data
  - Including MAC/IP addresses (inc. dynamic), RFID tags, etc. (Breyer)
  - Assume any per-user record may be personal data
- ePrivacy Regulation covers all data relating to communications
  - Headers, content, location…
  - Even when it’s not personal data

6 And…?
- Also, if you’re designing/building systems for processing personal data
  - Operators/users will want to know about compliance features
  - Especially which types of data/processing the system is not designed for

7 ePrivacy Regulation progress
- Commission Draft (Jan 2017)
  - Covers public network operators
  - Also wifi/Bluetooth tracking; also browsers/cookies
  - Processing only for service, security or by consent
- Art 29/EDPS suggestions (April 2017)
  - Add hospitals, hotels, universities, …
  - Add anyone processing the same data
- European Parliament/Council (May/June 2017)
  - Timetable “unrealistic” (Council)
  - 400 pages of amendments (Parliament Committee)

8 Main GDPR Changes (Summary)
- DPD: What personal data are we processing?
- GDPR: Why are we processing that personal data?

9 Main GDPR Changes (A Little More Detail)
- Accountability
- Data Protection by Design/Default
- Consent
- User Rights
- Security

10 Accountability
- Need to understand/document
  - What you’re processing, why, where, how long for, who may obtain it
  - Risks, and how they are managed
  - Information lifecycles, not just asset registers
  - How users can monitor processing of their data
  - Different legal bases => different notices, duties and user rights
- If required, appoint a Data Protection Officer
  - Public authorities (i.e. bodies with special legal powers), or
  - Core activities involve large-scale monitoring/SPD of individuals

11 Data Protection by Design/Default
- Data protection considered early in system/process design
  - Data minimisation, anonymisation, pseudonyms, etc.
  - Options default to privacy-protecting: users must choose to relax
- Formal Data Protection Impact Assessments (DPIA)
  - Required for large-scale/risky processing
  - Identify risks to individuals (not the organisation), mitigate, assess
  - DPA approval needed if high risks remain
  - Probably need to cover existing systems, too, by 2021

12 Consent
- New, tighter conditions for consent to be valid
  - Free, informed, positive action, revocable (as easily) at any time
  - In particular: not a condition of service, not under compulsion
- Must keep records of consent
  - Who, when, how, to what
- Designed to be hard to obtain/manage (“reduce overuse”)
  - Likely to have to consider other legal bases (see below)

13 User Rights to… (How different this is depends on your current national regime)
- Information (about processing)
- Subject Access (about their data): more metadata than current SAR
- Data Portability: is this (limited) SAR + digital format?
- Automated decision making: can insist on human intervention
- Rectification: correct wrong/incomplete data
- Erasure: when no lawful basis for processing
- Objection: depends on legal basis for processing; assess individual’s rights/interests
- Restrict processing: pending rectification/erasure/objection

14 Security
- Must use organisational & technical measures to protect data
  - E.g. (GDPR text) encryption, pseudonyms, authorisation, exercises, …
  - Risk-based, expected to develop as technology does
  - Data Protection by Design
- Breach notification (unauthorised/accidental loss, alteration, disclosure of, or access to, personal data)
  - To regulator, within 72 hours, if risk to rights & freedoms
  - To individuals, without delay, if high risk to rights & freedoms
- Explicit support for security & incident response

15 How to Approach it
- Information Lifecycles (Security)
- Legal Basis for Processing (User Rights)
- Service Categories
- Localisation?

16 Information Lifecycles
- More than just an “information audit” (what information). Also…
  - Why we have that information, what we use it for
  - Collection, processing, transfers, disclosure, deletion
  - Information flows in “space” and time
- Basic information for quality and information security standards too
- Should improve organisation’s use of information
- Could also think about risks/security/breach requirements at the same time

17 Legal Basis for Processing
- Six bases available
  - Necessary for: contract, law, life, public interest, legitimate interest
  - Consent (may imply not “necessary”?)
- Different duties, rights, notice requirements for each
- Complex activities/services may well use more than one, e.g.
  - Can’t provide service without it (contract)
  - Can’t secure service without it (legitimate interest)
  - Can make service prettier with it (consent)

18–21 Draft Service Categories
Risk-based guide to prioritisation/standardisation (built up one row per slide over four slides; the completed table is shown once here)

Risk level | Relationship                                                  | Example              | Privacy notice? | T & C? | Legal basis test? | DPIA?
1          | Service provider has direct interaction with user             | helpdesk             | (marked “X” on the slide; column not recoverable from the transcript)
2          | Service provider has direct long-term relationship with user  | eduroam site contact | (marked “?” on the slide; column not recoverable from the transcript)
3          | User has relationship with third party                        | eduroam user         |
4          | User may be unaware of service’s existence                    | incident response    |

22 Localisation?
- Users may well want storage in specific places
  - And/or to avoid others
  - Even within the EU… (proposed free-flow law excludes personal data)
- Worth thinking about how the service might implement this
  - Federated storage (i.e. multiple, localised databases)
  - Per-country directory/service options (if that makes sense)
- If the design supports it, can cost/implement if/when it’s asked for

23 Examples
- Federated AAI
- Security & Incident Response
- Location Data

24 Federated AAI
- R&E federations have done data minimisation for years
  - Attributes, pseudonyms, etc.
- Legitimate interests basis for necessary data
  - Necessary to provide the service the user has requested
  - Now covers “ad hoc” exports, too: good fit for AAI request/response
- Consent basis for additional data
  - E.g. to have the interface address you by friendly name
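As an added illustration of the data-minimisation pattern the slide refers to (pseudonymous identifiers plus per-service attribute release), not code from the presentation or from any federation software: the identity provider derives a different, stable pseudonym for each service using a keyed hash, releases only the attributes necessary for the service the user requested, and releases the friendly display name only where the user has consented. The secret, service identifiers, attribute names and sample user are all constructed for this example.

```python
# Added example (not from the presentation): per-service pseudonyms and
# minimal attribute release at a federation identity provider.
# Secret, entity IDs, attribute names and sample user are constructed.
import base64
import hashlib
import hmac

# Hypothetical IdP secret; in a real deployment it lives in the IdP's key store.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"

# Attributes released on the "necessary for the requested service" basis,
# keyed by the service provider's entity ID (constructed values).
NECESSARY_ATTRIBUTES = {
    "https://sp.example.org/wiki": {"eduPersonScopedAffiliation"},
    "https://sp.example.org/mail": {"eduPersonScopedAffiliation", "mail"},
}
# Attributes that are only ever released with the user's consent.
CONSENT_ONLY_ATTRIBUTES = {"displayName"}


def pairwise_id(user_id: str, sp_entity_id: str) -> str:
    """Stable pseudonym for (user, service) that differs per service.

    Keying the hash on both the account and the service means two services
    cannot correlate a user by comparing identifiers, and nobody without the
    IdP secret can reverse the pseudonym to the local account name.
    """
    material = f"{user_id}\0{sp_entity_id}".encode()
    digest = hmac.new(IDP_SECRET, material, hashlib.sha256).digest()
    # 160 bits is plenty for uniqueness; URL-safe so it fits in any assertion.
    return base64.urlsafe_b64encode(digest[:20]).decode().rstrip("=")


def release_attributes(user: dict, sp_entity_id: str, consented: set) -> dict:
    """Attribute set sent to one service: pseudonym, the attributes necessary
    for that service, and consent-only attributes the user consented to
    for this service. The local account name (uid) is never released."""
    released = {"pairwiseId": pairwise_id(user["uid"], sp_entity_id)}
    for name in NECESSARY_ATTRIBUTES.get(sp_entity_id, set()):
        if name in user:
            released[name] = user[name]
    for name in CONSENT_ONLY_ATTRIBUTES & consented:
        if name in user:
            released[name] = user[name]
    return released


if __name__ == "__main__":
    # Constructed sample user record held at the IdP.
    alice = {
        "uid": "alice",
        "mail": "alice@example.ac.uk",
        "displayName": "Alice Example",
        "eduPersonScopedAffiliation": "staff@example.ac.uk",
    }
    print(release_attributes(alice, "https://sp.example.org/wiki", set()))
    print(release_attributes(alice, "https://sp.example.org/mail", {"displayName"}))
```

The wiki receives a pseudonym and the affiliation only; the mail service receives the address it needs, and the display name only because consent for it was recorded. Changing the service changes the pseudonym, so neither service can tell that both records belong to the same account.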

25 Security & Incident Response
- Explicit support in GDPR recital 49
  - Breyer case effectively backdates this to the current Directive
- Likely to be essential to deliver the breach notification duty
- Legitimate interests basis (as in Rec. 49) provides lots of useful guidance
  - Necessary/proportionate, balance of interests
  - Paper at
- Largely compatible with existing Incident Response practice

26 Location Data
- No special treatment under GDPR. So could be
  - Necessary for service provision (e.g. cell site)
  - Necessary for value-added service (e.g. find my X)
  - Necessary for public interest (e.g. find badguy’s X)
  - Consent…
  - i.e. wider than the current ePrivacy Directive
- ePrivacy Regulation debate seems conflicted
  - Want service-necessary or consent (i.e. connected users only)
  - But like, e.g., queue monitoring applications

27 References
- Implementing the GDPR
- Regulators (EU) (UK)
- Regulation (2016/679/EU):
- Me: Protection-Regulation under-the-general-data-protection-regulation/ (GDPR webinar)

28 Thanks Andrew Cormack Chief Regulatory Adviser, Jisc Technologies
Except where otherwise noted, this work is licensed under CC-BY-NC-ND

29 Twelve (UK ICO) Steps Project Plan
- Awareness
- Data Protection by Design/Impact Assessments
- Information Lifecycle Audit
- Breach Notification Process
- Legal Basis for Processing
- Privacy Notices
- Individual Rights Processes (inc. Subject Access)
- Consent Processes (inc. Children)

30 GÉANT and GDPR
Nicole Harris, Budapest, October 3rd 2017

31 GÉANT Community Facing Activities and GDPR
- IAMonline
- GÉANT Code of Conduct
- eduGAIN GDPR Review
- REFEDS Attribute Release Policies
- SIG-NOC (upcoming)
- TF-CSIRT presentation
- SIG-ISM (upcoming)
- SIG-MSP presentation
- eduGAIN GDPR consultation
- AARC Policy on Personal Data

32 Leading to TF-DPR “The Task Force proposes to gather information, discuss and develop tools and best practices to be able to deal with the requirements of data protection regulation, with a focus on the General Data Protection Regulation (GDPR) and how NRENs and our shared services can prepare for the GDPR. Other relevant legislation with an impact on data protection – like the upcoming e-privacy Regulation – is also in scope. The results of the task force will yield documentation and tools for NRENs.”

33 GÉANT Organisational Approach to GDPR
- Shaun Cairns: Responsible Owner
- Pete Janusz: GDPR Lead
- Ana Alves: GDPR Project Manager
- Evangelos Spatharas: Security Officer
- Nicole Harris: Community Liaison

34 What Can You Do?
- Think about:
  - Where you are processing personal data.
  - The reasons why you are processing.
  - Are you asking for too much information?
  - Where is it stored?
  - Who has access?
  - How long do you need to keep it?
- Talk to us!
