GDPR Overview GDPR - General Data Protection Regulation

Presentation on theme: "GDPR Overview GDPR - General Data Protection Regulations"— Presentation transcript:

1 GDPR Overview GDPR - General Data Protection Regulation
- Replaces the Data Protection Act 1998
- Effective from 25th May 2018
- Will happen regardless of Brexit
- It's a 'Regulation', so we have the Articles (the law itself) and the Recitals (explanatory notes within the body of GDPR)
- Article 29 Working Party: the EU's central guidance body (succeeded by the European Data Protection Board once GDPR applies)
- Where GDPR mentions 'Supervisory Authority', this means the Information Commissioner's Office (ICO) for the UK

2 Definitions Personal Data
Any information relating to an identified or identifiable living person. Examples to test against that definition:
- HR records
- CCTV images of a student
- Photograph of Margaret Thatcher
- Email with me cc'd
- Confidential opinions written about me by my manager
- Anonymised equality monitoring data (if it is genuinely anonymised, it no longer relates to an identifiable person and falls outside GDPR)
Covers both automated and manual filing systems.
'relating' - look at scope

3 Definitions Sensitive Personal Data
Now known as Special Category Personal Data:
- Racial / ethnic origin
- Political opinions
- Religious / philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health
- Sex life / sexual orientation
Criminal offences / convictions are no longer in this list; they are separated out, with similar extra safeguards, under Article 10.

4 Definitions Controllers & Processors
- Controller: decides how and why personal data is processed
- Processor: acts on the controller's behalf
- The University is a Data Controller

5 Definitions Processing
Basically assume any activity with personal data will be processing, including:
- Collecting
- Storing
- Using
- Deleting
- Sharing

6 Principles Data shall be: Processed lawfully, fairly and transparently
- Lawful: mustn't be in breach of other laws (e.g. HRA, PECR, common law duty of confidentiality) and must be lawful in accordance with Articles 6 & 9 (lawfulness of processing)
- Fair & transparent: data subjects made aware (privacy notices etc.); it must also 'feel' fair
I'll pick up on the Article 6 issues in a few slides.

7 Principles Data shall be:
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- Get the data for a specific purpose (which we should tell them about) and don't go and use it for something else
- Transparency (privacy notices)
- Example: we collect data at an open day for the purpose of sending information on a course; we don't then send information on conference facilities

8 Principles Data shall be:
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

9 Principles Data shall be:
Accurate and, where necessary, kept up to date (accuracy)
- e.g. if a student updates their name (married) we should ensure all records are updated

10 Principles Data shall be:
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
- Retention schedule, but also more granular decisions
- How long do we keep stuff? We need to justify that (and record it)

11 Principles Data shall be:
Processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
- Big area! Preventing accidental / intentional disclosure or loss
- Technical measures (encryption, two-factor authentication (2FA))
- Physical measures (locked offices/cupboards, stuff left on desks, shoulder surfing, screens by windows)

12 Lawfulness – Conditions (Art 6)
Lawful: mustn't be in breach of other laws (e.g. HRA, PECR, common law duty of confidentiality) and must meet at least one Article 6 condition (lawfulness of processing):
- Consent: unambiguous, freely given, informed, specific, demonstrable
- Necessary for a contract between the controller and the data subject
- Legal obligation: the law requires it
- Vital interests: life and death
- Public task / official authority: the law allows it and it benefits the public at large
- Legitimate interest: not available to public authorities for their public tasks!!
Back to the 1st principle – this starts to get a bit technical, so at this point I just want to get across the broad message.

13 Lawfulness – Conditions (Art 9)
Special categories also require at least one from:
- Explicit consent (what's the difference from Art 6 consent?)
- Necessary in the field of employment or social security, with safeguards
- To protect vital interests
- Carried out by a not-for-profit body with a political, philosophical, religious or trade union aim
- Data made manifestly public by the subject
- Related to legal claims
- Substantial public interest (basis in law, proportionate)
- Preventive or occupational medicine
- Public health
- Archiving, scientific or historical research

14 Accountability Must:
- Implement appropriate technical & organisational measures to ensure and demonstrate compliance (e.g. training, policies, audits)
- Maintain relevant documentation (controller info, purposes of processing, categories of data subjects / personal data, recipients of data, transfers to third countries, retention schedules, security measures)
- Implement data protection by design (e.g. minimisation, pseudonymisation, transparency, security)
- Use Data Protection Impact Assessments / risk assessments
- Appoint a Data Protection Officer
Often called the 7th Principle!
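Pseudonymisation (slide 14) and anonymised equality data (slide 2) are easy to confuse, so the following is an added example, not code from the presentation, showing the difference. It assumes constructed student records and a hypothetical HMAC key; the key is the 'additional information' that must be held separately from the pseudonymised data, and while it exists the output is still personal data. The aggregated counts, by contrast, identify nobody and fall outside GDPR.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"student_id": "S1001", "name": "A. Example", "ethnicity": "Group A", "course": "Physics"},
    {"student_id": "S1002", "name": "B. Example", "ethnicity": "Group B", "course": "Physics"},
    {"student_id": "S1003", "name": "C. Example", "ethnicity": "Group A", "course": "History"},
]

# Hypothetical key: in practice generated once and stored apart from the
# dataset (separate system, separate access control), never alongside it.
def new_pseudonym_key():
    return secrets.token_bytes(32)

def pseudonymise(records, key, identifiers=("student_id", "name")):
    """Replace direct identifiers with an HMAC-SHA256 token.

    The token is stable per subject, so records about the same person can
    still be linked, but without `key` it cannot be reversed or recomputed
    from a known student ID. Output is still personal data: whoever holds
    the key can re-identify every row.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["student_id"].encode(), hashlib.sha256).hexdigest()[:16]
        kept = {k: v for k, v in r.items() if k not in identifiers}
        kept["pseudonym"] = token
        out.append(kept)
    return out

def aggregate_equality_data(records, by="ethnicity", min_count=3):
    """Anonymised equality monitoring: counts only, with small-cell suppression.

    Groups smaller than `min_count` are reported as '<min_count' so that a
    single person cannot be singled out from the published figures.
    """
    counts = {}
    for r in records:
        counts[r[by]] = counts.get(r[by], 0) + 1
    return {g: (n if n >= min_count else f"<{min_count}") for g, n in counts.items()}

if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in pseudonymise(RECORDS, key):
        print(row)
    print(aggregate_equality_data(RECORDS))
```

Note that a plain unkeyed hash of the student ID would not be adequate pseudonymisation: student IDs are enumerable, so anyone could rebuild the mapping by hashing every candidate ID. The keyed HMAC makes re-identification depend on the separately held key, which is exactly what Article 4(5) asks for.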

15 Data Subject Rights
New rights:
- Right to be forgotten (erasure)
- Data portability
Existing rights:
- Be informed (transparency)
- Access (subject access requests)
- Restrict processing
- Object
- Rights in relation to automated decision making / profiling

16 Breach Reporting
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Need to notify the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals (without undue delay and, where feasible, within 72 hours of becoming aware of it)
- Need to notify the affected individuals where it is likely to result in a high risk to their rights and freedoms

17 Transfers of Data
GDPR imposes restrictions on the transfer of personal data outside the EEA, to third countries or international organisations.
- The Commission may designate non-EEA countries as having an adequate level of data protection
- Otherwise we must ensure appropriate safeguards: agreements (standard contractual clauses), or the EU-US Privacy Shield for US recipients (the Privacy Shield was later invalidated by the CJEU in 2020)
- Requirements around data sharing agreements (controller to controller, or controller to processor)

18 Requests for Personal Data
- Subject Access Requests (not to be confused with FOI!)
- Requests from third parties (police, tax authorities, parents)
See website

19 Roles
- Senior Information Risk Owner (SIRO)
- Information Asset Owners (IAO)
- Information Asset Managers/Administrators

20 Information Lifecycle Management
- Information Asset Registers (IAR)
- Data Flow Mapping (DFM)
- Risk Assessment(s)
- Privacy Notice(s)
- System Level Security Policy (SLSP)
