Slide 1: Introducing the General Data Protection Regulation 2016
Information Governance Support Service
Slide 2: Basic Concepts
- DPA – Data Protection Act 1998
- GDPR – General Data Protection Regulation 2016
- Personal Data – identifies a living individual
- Sensitive Personal Data – health, religion, sexuality, ethnicity
- Data Controller – decides how data is used and is accountable
- Data Processor – uses the data under instruction from the Data Controller
- Processing – anything you do with data
Slide 3: What – Why – When?
- Repeals Directive 95/46/EC (on which our own Data Protection Act 1998 was built).
- The Regulation is directly applicable and does not require any domestic law to be written; it must be implemented ‘as is’.
- The current DPA is not fit for the digital age.
- Enters into force on 25th May 2018.
Slide 4: What is the key difference between DPA and GDPR?
- DPA: compliant until proven not to be.
- GDPR: must prove compliance from day 1.
Slide 5: Key Legislative Changes – Managing our Data
- The number of Principles is reduced.
- We must comply with any Code of Practice approved by the ICO.
- The ICO can provide an accreditation scheme.
- Public Bodies and organisations with more than 250 staff must appoint a Data Protection Officer (DPO).
- Introduces child consent for information society services.
Slide 6: Key Legislative Changes – Managing our Data
Records of Processing Activities [Article 30]
This aligns to Article 5(2) and is the mechanism which requires organisations to evidence compliance with the GDPR.
Records of Processing Activity (‘Privacy by Design’ elements):
- Data Flow Mapping
- Information Asset Register
- Categories of Data
- Recipients / Subjects
- Legal Basis / Conditions for processing
Slide 7: Key Legislative Changes – Privacy by Design & Default
- Privacy Impact Assessments will have to be undertaken in some circumstances.
- Some changes to the conditions for processing.
- Addition to the Special Categories of Data.
- Data Subject Rights are increased and strengthened.
- Higher bar set for privacy notices and consent processes.
Slide 8: Key Legislative Changes – Privacy Notice
In addition to the Data Protection Act requirements for Privacy Notices, for GDPR compliance add:
- The legal basis for the processing
- Contact details of the Data Protection Officer
- Automated decision-making, including profiling
- The right to withdraw consent at any time
- Whether provision of personal data is a statutory or contractual requirement
- The right to data portability, where applicable
- Transfers of personal data overseas
Slide 9: Key Legislative Changes – Privacy by Design & Default
Consent must be freely given, explicit, specific, informed and an unambiguous indication of wishes. It must be:
- requested using clear language
- intelligible
- accessible
- provided with the ability to withdraw
- provable that consent was given
- necessary
Consent will be required from a child aged 16 (UK law may lower this to 13) to process data in regard to information society services (online services).
New category of sensitive data (Special Categories): genetic data, biometric data.
Slide 10: Key Legislative Changes – Data Subject Rights
- The right to restrict processing
- The right to data portability
- Rights in relation to profiling
- Right to rectification
- Right to erasure
Slide 11: Key Legislative Changes – Data Subject Rights
Subject Access Rights (SARs) have been amended:
- Disclosure now must be within 20 working days.
- Can claim an extra 40 working days for complex or numerous SARs (but the requestor must be advised of this at the start of the process).
- Can’t charge for a SAR.
- For ‘manifestly unfounded’ or excessive requests, particularly where they are repetitive, we are allowed to either:
  – Refuse the request, explaining why, or
  – Charge a reasonable amount for the SAR.
- It is no longer a requirement for requestors to advise where their data might be held (i.e. tell us which services they have received).
Slide 12: Key Legislative Changes – Data Protection Officer (DPO)
- All Public Bodies must appoint a DPO.
- This is a statutory position.
- Must be experienced and qualified to take on the role.
- Can be outsourced.
Slide 13: Key Legislative Changes – Security
Lauri Almond, Essex County Council, January 2017
DPA: the DPA states that organisations must apply appropriate organisational and technical security.
GDPR: the GDPR states consideration must be given to:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. [Article 32]
Slide 14: Key Legislative Changes – Outsourcing
ROPA: Data Processors (i.e. third-party contractors) will now have specific legal obligations to maintain records of personal data and processing activities.
Fines: Where we can prove that a breach resulted from a processor not following our instructions, they will be held accountable for the breach and any resulting fine.
Contracts: All contracts will need to be reviewed prior to 25th May 2018 to ensure contract provisions meet GDPR requirements, e.g.:
- No sub-contracting without explicit consent of the Controller
- Ability to disclose pursuant to a legal obligation on the processor (restricted to EU or member state)
Slide 15: Key Legislative Changes – Breaches
A new requirement to report ‘High risk’ breaches:
- to the ICO and the relevant data subjects within 72 hours;
- failure to notify a breach can result in a significant fine of up to 10 million euros.
The Data Subject is at the centre of claims for compensation. The Data Controller must pay up front and then recoup from the Data Processor where appropriate.
Medium breaches of data protection are subject to administrative fines, whichever is higher of the following:
- up to 10,000,000 EUR
- up to 2 % of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking)
Major breaches of data protection are subject to administrative fines, whichever is higher of the following:
- up to 20,000,000 EUR
- up to 4 % of the total worldwide annual turnover of the preceding financial year (in the case of an undertaking)
Slide 16: Key Legislative Changes – Breaches
Medium Failings (subject to €10,000,000 fine):
- Child consent
- Processing not requiring identification
- Data Protection by design & default
- Controllers & Processors
- Records of processing
- Security of processing
- Breach management
- Data Protection Impact Assessments (PIA)
- Data Protection Officer
- Codes of conduct & Certifications
Major Failings (subject to €20,000,000 fine):
- Processing
- Consent
- Special categories of data
- Rights of the Data Subject
- General principle for transfers, adequacy decisions & derogations
- Non-compliance with investigative / corrective powers
Slide 17: Where do we start?
- Ensure you have an Information Asset Register.
- Map your data flows fully.
- Add any additional data required to convert the data to your Records of Processing Activity.
- Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, outsourcing, risk etc.).
- Appoint a DPO.
- Arrange training for staff (this must be refreshed annually to meet the requirements of the GDPR).
- Have a robust policy and process to manage security incidents.
- Seek support and guidance when needed.
Slide 18: Where can you get help?
- The next slide has links to the ICO website and relevant legislation.
- ECC’s Information Governance Support service (IGS) has a range of services we can provide to support your implementation of the GDPR.
- Cluster to share costs.
- Use any other forums or Data Protection groups you may belong to for support.
Slide 19: Guidance on the GDPR can be found at:
- GDPR – Full Text
- ICO EU DP Reform Microsite
- ICO 12 steps to preparing for the GDPR
- Directive relating to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
Slide 20: Question/Discussion Time