GDPR – The Basics
Jason Gaskell
jasong@surreyca.org.uk 01483 447 100
About This Presentation
This presentation is an introduction to GDPR.
It provides links to some tools that may help you become GDPR compliant.
It will point you in the right direction, but might not contain everything you need to think about or do for your organisation.
It is targeted at small charities and community organisations.

About This Presentation
Caveats
This presentation is for your information.
You need to make your own decisions about your own GDPR journey.
The most up to date and complete GDPR resources are found at the Information Commissioner's Office.
What is GDPR - 1: General Data Protection Regulation
New European framework for data protection laws
Effectively replaces the Data Protection Act
Designed to harmonise data privacy laws across the EU
Gives greater protection and rights to individuals
Starts 25 May 2018
Enforced by the Information Commissioner's Office
Evolution not revolution

What is GDPR - 2: General Data Protection Regulation
New rights for people to access the information companies hold about them
Obligations for better data management for organisations
New regime of fines
Will carry forward post Brexit
Applies to all "organisations" whether staffed or volunteer run
Applies to all personal data whether electronic or on paper
Key Stages - 1
The following are some of the stages you might go through to become GDPR ready:
Make sure the right people know what is coming
Identify data held and sources of data
Update privacy notices
Check processes meet new rights
Decide how to deal with "Subject Access Requests"
Identify "lawful basis" for processing data

Key Stages - 2
The following are some of the stages you might go through to become GDPR ready:
Review how you get consent to use personal data
Detect, report and investigate breaches
Build data protection into new projects and services
Agree who is responsible for data protection

What is Personal Data?
"Information that relates to the identity of a natural person and can identify them directly or indirectly"
Not just name and address. Could include:
Online identifier
Physical/Physiological
Genetic
Economic
Cultural
Social
Digital
Key Stage: Share what is coming
Board and staff/volunteers must be aware
Need to be aware of effort involved, costs and consequences
Suggest you reflect data protection in your risk register (if you have one)
Consider letting all your members/beneficiaries/clients/parishioners know what's happening

Key Stage: Identify data held, sources and storage
Identify what is stored and where, about anyone: staff, volunteers, trustees, members, funders, donors, clients etc
Think about computers, cloud, filing cabinets, tablets, mobile phones etc
Consider if you pass data on to anyone else (eg printers or subcontractors)
Key Stage: Update privacy notices
Privacy notices (often found in footers or on websites) need to change:
Add the "lawful basis" for processing data, how long data will be kept, what it will be used for, and inform recipients about their new rights
Need to ensure they are easy for the reader to read and understand
Examples available through the Information Commissioner's Office
Key Stage: Do processes meet new rights?
Individuals will have eight new rights:
The right to be informed, ie to know what organisations are doing with your data
The right of access, ie to see what data they hold about you
The right to rectification, ie the right to have your data corrected
The right to erasure, ie the right to have your data removed

Key Stage: Do processes meet new rights?
Individuals will have eight new rights:
The right to restrict processing, ie the right to limit what people can do with your data
The right to data portability, ie the right to have your data moved between organisations
The right to object, ie the right to object to damaging information being held
Rights in relation to automated decision making and profiling, ie computerised processing of your information with no human involvement
Key Stage: Dealing with Subject Access Requests
Individuals have the right to know what data you hold on them, why it is being used and whether it is shared with a third party
Must be presented the same way it was requested (hard copy or electronic)
Needs to be provided within one month
Must be provided free of charge
Might have to include copies of all correspondence with that person
Key Stage: Deciding the lawful basis for processing data
You can process individuals' data under the following conditions:
Consent of the data subject
Contract performance, eg sending you the joining instructions for this course
Legal obligation, eg PAYE information to HMRC
Vital interest, eg next of kin details for a client
Public task, eg carrying out a legal obligation (mainly public sector)
Legitimate interest, except where such legitimate interests are overridden by the interests, rights or freedoms of the subject

Key Stage: Deciding the lawful basis for processing data
For membership organisations, a lot might come under "contract", eg if you said you would send out some information to a member, then you obviously have to use their data to do so, and they would be upset not to receive it
A lot will come under "legitimate interest" (see later)
Explicit consent is probably the safest method, but also the most tricky to manage
What Is Legitimate Interest?
Activity which is "necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject."
Note that legitimate interest does not apply to public bodies, including Parish Councils
Using people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing
Can be in your own interests or the interests of your beneficiaries, and can cover commercial interests, individual interests or broader societal benefits
Appears to be a catch-all for a lot of work, but the benefits to you must demonstrably outweigh the impact on the recipient
You need a "balance test" to ensure that the benefit to you outweighs the inconvenience to the recipient
Gaining consent
Consent must be freely given, specific and freely withdrawn
Consent must be an active opt-in, not opt-out (ie no pre-ticked boxes)
Consent may be verbal, as long as it is recorded
Consent is not indefinite, eg if someone uses your service as a one-off, you can't assume that you still have consent to use their data several months later
You can contact an individual to ask whether they still want to hear from you, if you already have a relationship with them and they haven't previously opted out
The Information Commissioner's Office suggests considering other lawful bases before looking at consent
Key Stage: Deciding how to Deal with Breaches
A data breach is anything leading to accidental or unlawful loss, alteration, unauthorised disclosure of, or access to, personal data
Breaches have to be reported to the Information Commissioner's Office within 72 hours of becoming aware of the breach
Need to have physical and technical security in place to prevent breaches
Key Stage: Decide who is responsible
"Large" organisations and those carrying out "large scale" processing of sensitive data (such as DBS checking) will need a dedicated "Data Protection Officer" (DPO), reporting to the Board and outside line management control
Unfortunately, "large scale" is undefined!
Parish Councils, as public bodies, must appoint a DPO
Few small to medium charities and community groups are likely to need a DPO, but a Board champion is a good idea, as responsibility rests with the Board
We need to ensure our third parties are also compliant: their actions are our responsibility
Special Categories
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection
Includes race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, sexual orientation
In order to lawfully process special category data, you need to identify a lawful basis and a separate condition for processing special category data
There are ten conditions for processing special category data in the GDPR so far, similar to the Data Protection Act
If you handle special category data and are currently complying with the Data Protection Act, then you may only need to add your GDPR lawful basis for processing the data
Children
Only children aged 13 or over are able to provide their own consent
Children under 13 need consent from whoever holds parental responsibility for the child
Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles
Adapt privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have
Children have the same rights as adults over their personal data
Other Considerations
If in doubt, seek consent
If still in doubt, consult the Information Commissioner's Office
If still in doubt, delete!
Document all decisions and actions to show that you are trying your best to become compliant; then you can justify your actions if challenged
"Record of Processing Activity"
You should create a "Record of Processing Activity", including:
The results of your data audit
The results of a review of your policies and procedures (eg retention, security and data sharing, etc)
Information required for privacy notices
Records of consent (if used)
Where and how data is stored
Data Protection Impact Assessment reports
Records of personal data breaches
Electronic form is better so it can be updated centrally and easily
Checklist
Inform key stakeholders of GDPR
Audit the information you hold and need
Update privacy notices
Understand and prepare for new rights
Decide how to deal with access requests
Decide on your lawful bases for processing data
Review how you get consent and refresh consent
Think about how you process children's data
Decide how to handle data breaches
Build data protection into all new activities
Create your "Record of Processing Activity"
Final Thoughts
If…
you are transparent about what you are doing with data…
you take it seriously, but proportionate to the size of your organisation and the risks you face…
you avoid angering people…
Then you are on your way.
Further Information
Information Commissioner's Office: the definitive source, with lots of guidance. Helpline – be prepared to hold for 30 minutes!
NCVO, NAVCA etc
Surrey Community Action
Remember: some people are trying to sell you a service and might want to make it sound more complex than it is.