Published by Isaac Chambers. Modified over 6 years ago.
Preparing for the EU General Data Protection Regulation
Presented by Revd. Mark James, Certified IBITGQ GDPR F & P, CIPP-E, CIPM, DPO and PCI-DSS Consultant (also a qualified ISO 27001 auditor)
Top 10 need-to-knows about GDPR: not conclusive, but a good start!
Top 10
1. Background to the GDPR
2. Scope and definitions
3. Personal data
4. Data subject, controller and processor
5. The key principles
6. Consent and documentation
7. Rights of the data subject
8. International data transfers
9. Data breaches
10. Data Protection Officer and fines
No. 1 Background to the GDPR
Background: where has it come from? The nature of European law
• Two main types of legislation:
– Directives: must be transposed into national law by each Member State. European Directive 95/46/EC is a Directive, implemented in the UK by the Data Protection Act 1998.
– Regulations: immediately applicable in each Member State without national legislation. The GDPR applies from 25 May 2018 and, in the UK, is regulated by the Information Commissioner's Office (ICO).
How is the GDPR different to the EU Data Protection Directive?
The principles are very similar to those of the EU Data Protection Directive. However, the GDPR contains a number of changes, including:
• Enhanced documentation to be kept by data controllers
• Enhanced privacy notices
• More prescriptive rules on what constitutes consent
• Mandatory data breach notification requirement
• Enhanced data subject rights
• New obligations on data processors
• Expanded territorial scope
• Appointment of Data Protection Officers
• Significant increase in the size of fines and penalties
No. 2 Scope and definitions under GDPR
Scope of GDPR
Designed to protect any natural person, i.e. a living individual (the data subject). It applies to processing by organisations established in the EU and, for organisations established outside the EU, to processing activities that are related to:
• Offering goods or services to data subjects in the EU, irrespective of whether payment is required; or
• The monitoring of data subjects' behaviour within the EU.
No. 3 Personal data
What is personal data? ‘Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is sensitive personal data?
Under GDPR, the term used is 'special categories of personal data':
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• physical or mental health or condition
• sex life or sexual orientation
• genetic data
• biometric data
Examples of personal data
• Online profile details
• Business address
• A person's health data
• Employee bank details
No. 4 Processors and controllers
What is a Data Controller?
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
What is a Data Processor?
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
No. 5 The key principles
Article 5: Personal data shall be
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
7. Accountability: the controller must be able to demonstrate compliance with the above
No. 6 Legal basis for processing personal data
Article 7: Conditions for consent
• The following conditions apply for consent:
– Controllers must be able to demonstrate that the data subject consented;
– A written request for consent must be clearly distinguishable from other matters, intelligible and easily accessible, in clear and plain language; any part that infringes this is not binding;
– Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it;
– Consent is not freely given if performance of a contract is made conditional on consent to processing that is not necessary for that contract;
– Ticking a box or choosing appropriate technical settings is a valid affirmative act; silence, pre-ticked boxes or inactivity are not consent.
Other lawful bases (Article 6) include:
• A contract with the individual
• Compliance with a legal obligation
• Vital interests
• A public task
• Legitimate interests
Article 13.1: Information to be provided where personal data is collected from the data subject
• When obtaining personal data, the controller shall provide the data subject with all of the following information:
– the identity and contact details of the controller and, where applicable, their representative;
– the contact details of the data protection officer, where applicable;
– the purposes of the processing as well as the legal basis for the processing;
– the legitimate interests pursued by the controller or by a third party, where that is the legal basis;
– the recipients or categories of recipients of the personal data, if any;
– the fact that the controller intends to transfer personal data to a third country, and whether an adequacy decision exists or which appropriate safeguards are relied on.
No. 7 Rights of the data subject
Individual rights: eight rights of data subjects
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Article 13.2: When obtaining personal data the controller shall provide the data subject with the following further information to ensure fair and transparent processing:
– the period for which the data will be stored;
– the rights to rectification, erasure, restriction and objection;
– the right to data portability;
– the right to withdraw consent at any time;
– the right to lodge a complaint with a supervisory authority;
– the consequences of the data subject's failure to provide the data;
– the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.
Article 17: Right to erasure ('right to be forgotten')
• Data subjects have the right to the erasure of their personal data.
Enhanced documentation
Ensure there are clear records of all data processing activities:
• Purposes of processing
• Categories of data subjects and personal data
• Transfers to non-adequate countries and the appropriate safeguards deployed
• General description of technical and organisational security measures
BUT: the requirement to notify (register with) EU Data Protection Authorities will cease.
Article 12: Transparency and modalities
The controller shall provide any information or communication relating to the data subject in a
– concise,
– transparent,
– intelligible and
– easily accessible form;
– using clear and plain language;
– in particular for any information addressed specifically to a child.
• For subject access requests, the response period is reduced from 40 days (under the UK Data Protection Act 1998) to one month
• The standard fee for a subject access request is abolished
Erasure ('right to be forgotten')
Individuals will have the right to request that businesses delete their personal data in certain circumstances. Examples:
• Withdrawal of consent, where consent was the basis of collection
• Data no longer necessary for the purposes for which it was collected
• No overriding legitimate grounds for the processing
Each case must be judged on its merits, and erasure may involve notifying third parties to whom the data has been disclosed.
Automated decision making, including profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects on them. Exceptions:
• The decision is necessary for entering into or the performance of a contract
• It is authorised by Union or Member State law
• The individual has given explicit consent
Compensation Individuals have a right to claim compensation for damages caused by infringement of the Regulation from the Data Controller or Data Processor
No. 8 International data transfers
What constitutes a transfer of personal data?
Personal data is considered to be 'transferred' across borders when:
• It is physically transferred across borders; OR
• It is accessed across borders.
Transfer 'rules'
• Transfers of personal data are not restricted within the (then) 28 EU Member States plus the 3 other EEA countries (Iceland, Liechtenstein and Norway).
• Transfers of personal data to other countries are prohibited unless the country provides 'an adequate level of data protection' as determined by the European Commission, or unless certain other conditions are fulfilled (appropriate safeguards, or one of the specific derogations).
Adequate countries outside the EEA (Commission adequacy decisions at the time of the presentation)
Andorra, Argentina, Canada (commercial organisations only), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay, and the US for companies certified under the EU-US Privacy Shield. Caveat: Safe Harbour, the Privacy Shield's predecessor, was invalidated by the Court of Justice of the EU in October 2015 and could no longer be relied on; Privacy Shield itself was invalidated in July 2020 (Schrems II), so US transfers now require a different mechanism. Always check the Commission's current list of adequacy decisions rather than a static slide.
No. 9 Preventing or managing data breaches
What is a data breach? The GDPR contains a definition of a data breach, which was not present in the preceding legislation. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
Appropriate security measures under GDPR (Article 32)
• Pseudonymisation and encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
To decide what is appropriate, inventory the data and how it moves:
• Data items: name, address, health data, criminal records, biometrics, location data
• Formats: hard copy / paper records; digital (USB); database
• Transfer methods: post, telephone, social media; internal (within group); external (data sharing)
• Locations: office; cloud; third party
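As an added example (not code from the presentation or from the ICO), the Python below shows what the 'pseudonymisation' measure in Article 32 requires in practice: replacing a direct identifier with a token that only the holder of a separately kept secret can recompute. A bare hash of an email address is not a pseudonym, because an attacker who can guess candidate addresses can recompute the hash and re-identify the row; an HMAC with a secret key defeats that, while still letting the key holder link records. The record set, email addresses and guess list are constructed for the demonstration.

```python
"""Pseudonymisation of direct identifiers with a keyed hash (HMAC-SHA256).

Added example; not code from the presentation. The records below are
constructed sample data, not real people.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample dataset: a direct identifier plus special category data.
RECORDS = [
    {"email": "alice@example.org", "diagnosis": "asthma"},
    {"email": "bob@example.org", "diagnosis": "none"},
]


def _canonical(identifier: str) -> bytes:
    # Normalise case and whitespace so the same person always maps to one token.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks pseudonymous, but anyone who can guess the input (email addresses
    are easy to enumerate) can recompute the token and re-identify the row.
    """
    return hashlib.sha256(_canonical(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym.

    Without the key the token cannot be recomputed, so guessing attacks fail;
    with the key the same input always yields the same token, so records
    remain linkable for analysis.
    """
    return hmac.new(key, _canonical(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, re-identification table).

    The table and the key are the 'additional information' that Article 4(5)
    requires to be kept separately under technical and organisational
    controls. Pseudonymised data is still personal data under GDPR.
    """
    out, lookup = [], {}
    for rec in records:
        token = keyed_pseudonym(rec["email"], key)
        lookup[token] = rec["email"]
        # Copy every field except the direct identifier.
        out.append({"subject": token, **{k: v for k, v in rec.items() if k != "email"}})
    return out, lookup


def reidentify_by_guessing(tokens, candidate_identifiers, key: Optional[bytes] = None):
    """Dictionary attack: recompute tokens for guessed identifiers and see which
    match the published tokens. Returns {token: identifier} for every hit.
    With key=None the attacker assumes an unkeyed hash was used."""
    hits = {}
    for cand in candidate_identifiers:
        token = keyed_pseudonym(cand, key) if key is not None else naive_pseudonym(cand)
        if token in tokens:
            hits[token] = cand
    return hits


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store separately from the pseudonymised data
    guesses = ["alice@example.org", "carol@example.org", "bob@example.org"]

    naive_tokens = {naive_pseudonym(r["email"]) for r in RECORDS}
    print("unkeyed hash, rows re-identified:", len(reidentify_by_guessing(naive_tokens, guesses)))

    pseud, lookup = pseudonymise(RECORDS, key)
    print("keyed, attacker without key:", len(reidentify_by_guessing(set(lookup), guesses)))
    print("keyed, key holder:", len(reidentify_by_guessing(set(lookup), guesses, key=key)))
```

The point for a breach assessment is the last two lines: a leak of the pseudonymised table alone exposes no identities as long as the key and lookup table were genuinely held elsewhere, whereas a leak of a table keyed on unsalted hashes is, for practical purposes, a leak of the identifiers. Destroying the key and the lookup table is what moves the data set from pseudonymised towards anonymised, provided the remaining fields do not themselves identify anyone.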
Privacy Impact Assessments (under GDPR, Data Protection Impact Assessments, Article 35)
A PIA is an assessment undertaken to identify potential areas of non-compliance and minimise the risk. Under GDPR, a DPIA must be carried out before beginning any new 'high-risk' processing activity, e.g. large-scale processing of special category data or systematic profiling. As a minimum, a PIA should include:
• A description of the processing activity and its purpose
• An outline of the risks and the measures taken in response
• The formal advice of the DPO (if appointed)
If a high risk remains after mitigation, the controller must consult the relevant Supervisory Authority before starting the processing (Article 36).
Data breach notification
When a personal data breach occurs:
• Notify the appropriate Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Notification after 72 hours must be accompanied by the reasons for the delay.
• Notify the affected individuals without undue delay if the breach is likely to result in a high risk to them.
• A processor must notify the controller without undue delay after becoming aware of a breach.
No. 10 Data Protection Officer and fines
Appointment of Data Protection Officers
Organisations must appoint a data protection officer (DPO) where:
• They are a public authority or body;
• The core activities of the controller or processor require regular and systematic monitoring of individuals on a large scale;
• The core activities of the controller or processor include processing special categories of data, or data relating to criminal convictions and offences, on a large scale; or
• Required by Member State law.
Penalties and enforcement
• For (mainly) a breach of record keeping, contracting and security obligations: a maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater.
• For (mainly) a breach of the basic principles, data subject rights, transfers to third countries, or non-compliance with an EU DPA order: a maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater.
• EU DPAs intend to co-ordinate their supervisory and enforcement powers across the Member States.
360 Review, Stage 1: Gap analysis and data discovery
Use the Article 5 principles to review and plan data discovery:
• Principle 1 (lawful, fair and transparent): How are data subjects made aware of the processing? How are staff trained on updates, and how do you ensure data is processed lawfully? Review the data subject's right of access: is there a defined subject access process? How are individuals making a request identified? How is the information located, and how is it provided to the individual? Review data transfers: is data sent outside the EU? Where is the data, and how is it stored? Review data processors: what is the contract initiation process (e.g. supplier risk assessment)?
• Principles 2 and 3 (purpose limitation, data minimisation): Other examples: the uses of personal data within the organisation; how is the data used?
• Principle 4 (accuracy): How is the accuracy of the data maintained (how and when is it updated)?
• Principle 5 (retention): What are the criteria for determining the retention period?
• Principle 6 (security): Is there a data protection policy? How is it enforced?
Stages of the review: Gap analysis -> Data discovery -> Risk assessment -> Data flow mapping -> Evaluate -> Document processes -> Train / deploy -> Monitor (DPO)
Risk process
Identify -> Analyse -> Evaluate -> Treat, with Communication & consultation and Monitor & review running alongside every stage.
Data mapping: record for each process
• Process name; describe the process
• Volume of data
• Location of data
• Classification (employee / student)
• Data type
• Purpose (why)
• Risk owner
• Retention period; disposal
• Who has access
• Is there an external third party?
• Legal basis
• Controller / processor
• Perceived risks
• Sensitivity type: high-risk or not
Speaker note: Union Officials work very independently, sometimes not even sharing confidential information with colleagues. So, who is the data controller? The Union or the Official?
Risk assessment (PIAs)
Columns: The risk | The observation | Remediation
Documentation / Training
• Data Protection Policy
• Training Policy
• Subject Access Request Procedure
• Retention of Records Procedure
• Privacy Impact Assessment Procedure
• Breach Notification Procedure
• Consent Procedure
• Managing Sub-Contract Processing
• Subject Access Request Form
• Data Protection Policy Review Procedure
• Access Control Policy
• Storage Removal Procedure
• External Parties: Information Security Procedure
• Collection of Evidence Procedure
• Third Party Contracts
• Fair Processing Notice Register
High level plan (Feb, Mar, Apr)
• High level training; mid-tier training; grass roots training
• Map data processes
• High level DIAs; sign off DIAs
• Identify UK processors; contact processors; gather processor evidence
• Identify international processors
• Review contracts; provide / receive revised contracts
• Identify existing policies; review policies; sign off on new or amended policies
• Review IT infrastructure, focusing on risks; review security policies, focusing on privacy by design
• Documentation review
• Review the 2018/19 strategy for processing personal data; understand the impact of the strategy in line with the map; review and agree the strategy
Guidance
The UK ICO has already produced 'Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now', an 11-page guide available from the UK ICO website, ico.org.uk.
The not so good news: issues identified
The better news: what the goal is
The good news: the proposal