GDPR Overview Gydeline – October 2017
This presentation gives a brief overview of the major points contained in the GDPR, the Gydeline approach and some next steps to think about. The website of the Information Commissioner's Office (ICO) is a great resource and should be treated as the primary source for organisations in the UK. Gydeline takes the GDPR and the ICO's guidance and turns them into output specific to a single organisation.
Where are we?
- Applies from 25 May 2018 (the Regulation entered into force in May 2016 with a two-year transition period)
- Addresses personal 'information' and 'data' and how they are used in the 21st century
- Gives new rights to data subjects
- Applies to both 'controllers' and 'processors'
- Applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Pricing in EU currencies or using EU languages is evidence that an organisation is targeting the EU market, not the test itself.

Here are some key overview points and context to consider when thinking about the GDPR.
Personal data
- Name
- ID numbers
- Location data
- Online identifiers (IP address, cookies etc.)
- Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person, stored in computer or paper-based filing systems

To avoid confusion: the GDPR applies to personal data, meaning any information relating to an identified or identifiable natural person, of which the items above are examples. Personal data relates to a natural person rather than to any organisation. The GDPR applies irrespective of whether the data is stored electronically, on paper or in any other type of filing system. 'Filing system' implies that the data is structured and accessible according to specific criteria (for example searchable by name or reference number), as opposed to random and unsearchable.
Special categories of data (sensitive)
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a natural person
- Health data, or data concerning a natural person's sex life or sexual orientation

Some types of personal data attract special consideration under the GDPR (Article 9) and so are worth noting: processing them is prohibited unless one of the additional Article 9 conditions applies, such as explicit consent. Children's data is often grouped with these, but under-16s are not an Article 9 special category. Children do get extra protection: where consent is relied on for online services offered directly to a child, it must come from the holder of parental responsibility for children below 16, or a lower age set by the member state (13 in the UK).
Basic GDPR Principles
- Lawful, fair and transparent processing
- Collected for a specified, explicit and legitimate purpose (purpose limitation)
- Data minimisation
- Accurate and up to date
- Kept no longer than necessary
- Secure (integrity and confidentiality)
- Accountable

The GDPR enshrines these basic data protection principles (Article 5). It also requires that organisations are able to demonstrate their compliance with them; the Gydeline software is one way of evidencing an organisation's compliance position. Article 5(2): "the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')".
How do we do this GDPR thing?
Identify a lawful basis (Article 6):
- Consent
- Performance of a contract with the data subject
- Compliance with a legal obligation
- Protection of the vital interests of the data subject or of another natural person
- Public interest or official authority vested in the controller
- Legitimate interests of the controller or a third party, unless overridden by the interests and rights of the data subject

The first step when looking at the GDPR should be to understand the lawful basis upon which you are processing personal data. Consent is the basis getting the most attention, but a contract will remove the need for consent in many instances, as will vital and legitimate interests. By understanding its lawful basis, an organisation may free itself from some requirements under the GDPR, or at least understand more clearly the scope that applies to it. The basis chosen should be recorded and stated in the privacy notice, because the rights available to the data subject differ by basis (for example, the right to withdraw consent only exists where consent is the basis).
If using consent
If consent is used as the basis of processing it must follow these rules:
- Clear, affirmative action (no silence or pre-ticked boxes)
- Auditable: a record of who consented, when, to what and how must be kept
- Can be withdrawn at any time, and withdrawal must be as easy as giving consent
- Not a pre-condition of service
- Extensive information to be provided at the point of collection
- Special categories require explicit consent (or another Article 9 condition)

Consent must be unambiguous: either an explicit statement or another clear affirmative action by the data subject. It cannot be inferred from silence, inactivity or merely using a service. Simply attending an appointment (for example, visiting a doctor) is not consent in itself; processing of that kind normally rests on another lawful basis.
Rights of the data subject
- The right to be informed (privacy notice)
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling

The GDPR gives these rights to the data subject. Organisations should be aware of, and have processes to support, all of them. Requests must be answered without undue delay and, in most cases, within one month, so the processes need to locate all of an individual's data across systems, including backups and processors.
Implications of GDPR
This slide seeks to give a simple, easy-to-understand breakdown of the major areas of action organisations need to take. In terms of implementation, an organisation that does everything on this slide will have covered the large majority of what the GDPR requires.
Governance considerations
- Records of processing activities
- Consent records
- Data protection impact assessments (DPIAs)
- DPO requirements
- Information provision (privacy notice/policy)
- Data policies (retention, destruction, backup etc.)
- Security policies (access control, passwords etc.)
- Regular review of measures and governance

There are many overarching governance considerations within the GDPR. These need to be documented and available should the supervisory authority (the ICO in the UK) request them.
Data Protection Officer (DPO)
Required if (Article 37):
- You are a public authority
- Your core activities involve regular and systematic monitoring of data subjects on a large scale
- Your core activities involve large-scale processing of special categories of data or of criminal conviction data

Note that headcount is not a DPO trigger: the 250-employee threshold in the GDPR relates to the limited exemption from keeping records of processing activities (Article 30), not to appointing a DPO.

Qualifications:
- Audit
- IT security
- EU data protection law and practice
- Knowledge of the organisation and its processing, etc.

Finding the correct Data Protection Officer, if one is required, can be challenging, as there are few individuals with the requisite IT and legal skills and experience.
Reporting: demonstrating compliance with GDPR
- Consult the supervisory authority before processing where a DPIA shows high risk that cannot be mitigated
- Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (and tell affected individuals where the risk to them is high)
- Contacts (DPO, processors etc.)
- Demonstrating accountability: data protection policies, staff training, auditing of processing activities
- Data minimisation
- Pseudonymisation
- Security features (identity and access management, encryption, classification, rights management, masking etc.)
- Data protection impact assessments

Building on the governance considerations, there are specific reporting requirements under the GDPR which need to be met.
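Pseudonymisation and masking appear in the list above as security measures, and the distinction between them matters: under the GDPR (Article 4(5)) data is only pseudonymised if it can no longer be attributed to a person without "additional information" that is kept separately, so simply SHA-256 hashing an e-mail address does not qualify, because anyone can recompute the hash from a guessed address. The following is an added example, not Gydeline's code or the presentation's, showing an unkeyed hash being reversed by a dictionary attack, a keyed (HMAC) pseudonym that resists it while the key holder can still re-identify, and display masking, which hides data on screen but is not pseudonymisation. The sample records, the key and the `PseudonymVault` class are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the demonstration; not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "postcode": "SW1A 1AA", "condition": "asthma"},
    {"email": "bob@example.org", "postcode": "EH1 1YZ", "condition": "none"},
]


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so the same person always yields the same pseudonym."""
    return identifier.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it from a guess."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored separately from the pseudonymised data.

    Without the key, a pseudonym cannot be linked back to the identifier, which is
    what the GDPR's 'additional information kept separately' requires.
    """
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker without the key can do: hash every plausible identifier
    (leaked customer lists, common e-mail patterns) and compare against the target."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), pseudonym):
            return normalise(candidate)
    return None


def mask_email(email: str) -> str:
    """Masking for support or display screens: keeps the value recognisable to a human
    while hiding most of it. This is NOT pseudonymisation: the original value still
    exists in the system and the masked form is derived from it trivially."""
    local, _, domain = normalise(email).partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


class PseudonymVault:
    """Holds the HMAC key and the re-identification table.

    This object is the 'additional information' that must be kept separately
    (different system, different access controls) from the pseudonymised dataset.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh 256-bit key unless one is supplied (a supplied key is for tests only).
        self.key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        pseudonym = keyed_pseudonym(identifier, self.key)
        self._table[pseudonym] = normalise(identifier)
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the key holder can map a pseudonym back to a person."""
        return self._table.get(pseudonym)


def pseudonymise_records(records: List[dict], vault: PseudonymVault,
                         id_field: str = "email") -> List[dict]:
    """Replace the direct identifier with a pseudonym and drop it from the dataset.
    The remaining fields (postcode, condition) may still allow re-identification
    in small populations, so minimisation still applies to them."""
    output = []
    for record in records:
        row = {k: v for k, v in record.items() if k != id_field}
        row["subject_id"] = vault.pseudonymise(record[id_field])
        output.append(row)
    return output


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = pseudonymise_records(SAMPLE_RECORDS, vault)
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    print("naive hash reversed:", dictionary_attack(naive_hash("alice@example.com"), guesses))
    print("keyed pseudonym reversed:", dictionary_attack(dataset[0]["subject_id"], guesses))
    print("key holder re-identifies:", vault.reidentify(dataset[0]["subject_id"]))
    print("masked for display:", mask_email(SAMPLE_RECORDS[0]["email"]))
```

Run stand-alone, the naive hash is reversed by the dictionary attack, the keyed pseudonym is not, and only the vault that holds the key can re-identify. In practice the vault's key and table would live in a separate service or HSM with its own access controls and audit trail, since losing the key is the event that turns a pseudonymised dataset into personal data in the clear.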
What does Gydeline do?
- Checks for compliance against everything mentioned above
- Enables proof of accountability
- Changes as the regulation changes
- Identifies specific actions
- Makes GDPR simpler to understand

A basic overview of the Gydeline software. For more information go to or
End