The General Data Protection Regulation (GDPR)


1 The General Data Protection Regulation (GDPR)
Jo Welham, Senior Information Governance Manager

2 An Introduction to the GDPR

3 An Introduction to the GDPR
The GDPR will come into force on 25 May 2018
It will repeal and replace the Data Protection Act 1998
The GDPR puts Data Subjects at the heart of data processing

4 Key themes within the GDPR
Revised definition of “personal data”
Data Protection by Design and Default
Transparency and accountability
Demonstrating compliance
Breach reporting
Increased penalties for breaching the GDPR

5 What is personal data?

6 What is personal data?
“…any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

7 ‘Identifiable’
If an individual can be identified from the information by using “all means reasonably likely to be used”, the information will be personal data.
Names are not necessarily required

8 Special Category (sensitive) data
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Health or sex life and sexual orientation
Genetic data
Biometric data, where processed to uniquely identify a person

9 Data Protection by Design and Default

10 Data Protection by Design and Default
Promotes privacy and data protection compliance from the start
Implementing appropriate technical and organisational measures both prior to and during processing, e.g. pseudonymisation
Ensuring that by default only personal data which is necessary for each specific purpose is processed
Conducting Privacy Impact Assessments

11 Processing personal data

12 Principles of processing, Art 5 GDPR
Personal data shall be:
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate
Kept in a form which permits identification for no longer than is necessary
Processed in a manner that ensures appropriate security of the personal data

13 Lawfulness of processing
A legal basis must be identified in order for the processing of data to be lawful:
Consent of the data subject
Contract
Compliance with a legal obligation
Necessary to protect vital interests
Necessary for the performance of a task in the public interest
Necessary for legitimate interests (not applicable to public authorities “in the performance of their tasks”)
Note: Special conditions apply to processing sensitive personal data

14 Consent
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

15 Unambiguous indication…by a clear affirmative action
Consent freely given: genuine choice; able to refuse consent without detriment and withdraw consent easily
Specific and informed: granular, unbundled, transparent
Unambiguous indication…by a clear affirmative action: deliberate action to “opt in”, verifiable, documented
Right to withdraw: as easy to withdraw as it was to give

16 Transparency and accountability – Privacy Notices
Data obtained from data subject:
University’s details
Contact details of Data Protection Officer
Purposes of processing
Legal basis for processing
Legitimate Interests (if applicable)
Right to withdraw consent (if applicable)
Where data is required for statutory or contractual necessity, consequences of non-provision
Retention period
Data Subjects’ rights
Recipients of data
Overseas transfers
Automated decision making

17 Transparency and accountability – Privacy Notices
Where data is not obtained from the data subject, also provide:
Categories of personal data
Source of the data

18 Transparency and accountability – Demonstrating compliance
Written record of processing activities detailing:
Purposes
Categories of data
Categories of recipients
Overseas transfers
Retention period
Security measures
Data protection policies/ procedures/ codes of conduct
Training
Data Protection Impact Assessments

19 Data Subjects’ Rights

20 Data Subjects’ Rights
Subject Access: what does the University hold about me?
Rectification: rectification of inaccurate data without undue delay; completion of incomplete data
Erasure: where data is no longer necessary given the purposes, the individual withdraws consent and no other legal basis exists, or data is unlawfully possessed
Portability
Objection
Restriction

21 When things go wrong…

22 Data Breaches
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

23 Breach reporting
All personal data breaches should be documented and reported to the Governance Team – don’t hide a breach!
Record the facts, effects and remedial action
The ICO will be notified when there is a risk to the data subject
The data subject will be notified when there is a high risk to the data subject

24 Sanctions/ Remedies for non-compliance
Fines
Up to 2% of annual global turnover or up to 10 Million Euro (whichever is greater) for non-compliance relating to record keeping, processor contracts, data protection by design and default
Up to 4% of annual global turnover or up to 20 Million Euro (whichever is greater) for non-compliance related to breaches of the data protection principles, data subjects’ rights, third-country transfers
Compensation
Damage as a result of a breach
Compensation for distress

25 What can I do?

26 What can I do to be GDPR compliant?
Be aware when you are handling personal data and the implications of this
Know where the personal data you process is, who you share it with and how they treat it
Ensure that you are using personal data how it was originally intended to be used
Ensure that personal data is secure – consider pseudonymisation, password protection, encryption, use secure systems
Ask!

27 Getting ready for GDPR – actions flowcharts
Do you share personal data?
Yes, only within the University: Is it looked after properly? See… / What is this? See…
Yes, with organisations outside the University: Data sharing/processing agreements in place? No: Is it looked after properly? See… / Is it held securely? See…

28 GDPR Workspace – in the near future!
Key Policy links
Template agreements and clauses
Overseas campuses data sharing map
GDPR Workspace and FAQs
GDPR Factsheets
Guidance for key GDPR areas

29 The support we offer
The Data Protection team can provide support for:
Privacy Impact Assessments
Privacy Notices
Data Breach Reporting
General data protection enquiries

30 Further Information
If you require data protection advice, the Information Compliance Team can be contacted via
The GDPR Workspace page includes links to the University’s Data Protection Policy, its Records Retention Schedule and guidance documents related to the application of GDPR.
