Presentation is loading. Please wait.

Presentation is loading. Please wait.

General Data Protection Regulation

Published byDiane O’Connor’ Modified over 6 years ago

Similar presentations

Presentation on theme: "General Data Protection Regulation"— Presentation transcript:

1 General Data Protection Regulation
Preparing for the new General Data Protection Regulation Scottish Construction Safety Group 23 November 2017

2 General Data Protection Regulation (GDPR)
One unified law that applies directly to all EEA member states. Text of the Regulation - General Data Protection Regulation (GDPR)

3 UK Data Protection Bill
The UK Government introduced a new Data Protection Bill on 13 September The Bill will exercise some areas of discretion left to member states in the GDPR. You can find the latest details of the Bill on the UK Parliament website at UK Data Protection Bill

4 Recorded data Electronic Manual
Processed wholly or partly by automated means Manual Sets of personal data structured by specific criteria Articles 2 and 4, GDPR

5 Personal data definition
Personal data means any information relating to an identified or identifiable natural person. This can include direct or indirect identification. Article 4(1), GDPR gives the full definition

6 Special categories Race or ethnicity Political opinions
Religious or philosophical beliefs Trade union membership Physical or mental health Genetic or biometric Sexual life or orientation Article 9, GDPR Genetic and biometric data is added as a new class of special category data.

7 Criminal convictions data
Article 10, GDPR While not included as a special category, personal data about criminal convictions and offences is still regarded as sensitive and only to be used in accordance with national law. Criminal convictions data

8 Who is responsible? Data controllers Data processors
A data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Data processors are employed by data controllers to do something with the personal data but only on the controller’s instructions. They shouldn’t be making executive decisions.

9 The Data Protection Principles

10 Lawful, fair and transparent
Personal data shall be processed lawfully, fairly and in a transparent manner The ICO has published guidance on this principle at

11 Conditions for processing
Personal data Special category data Consent Contract with the individual Comply with a legal obligation Protecting vital interests Public function in the public interest Exercise of official authority Legitimate interests of the data controller, but not prejudicial to the person Explicit consent Employment, social security, social protection law Vital interests Not for profit religious, political or trade union bodies Put in public domain by the person Legal proceedings/advice Substantial public interest based on law Health, medical, social care Public health Archiving, research, statistical Additional conditions likely to be in the new UK DP Bill In order to use personal data lawfully, you need to be able to have a condition for processing. Other than consent, the conditions require that the processing is necessary. Consent has its own particular requirements. We consulted on draft guidance about consent earlier this year and will produce a final version in due course. The draft is available from the link above. All conditions have equal weighting: one does not carry any more status than any other. It is for the data controller to be satisfied that they are relying on the appropriate condition and it is recommended that a record is kept of the basis on which the use is being made. This is especially important when not relying on consent.

12 Purpose limitation Personal data shall be processed for specified, explicit and legitimate purposes This principle is intended to avoid mission creep. You can use personal information for more than one purpose, you can use it for different purposes but they must be compatible with the original purpose. If you need to use information for a new purpose, you must inform the individuals affected.

13 Data minimisation Personal data shall be adequate, relevant and necessary You are not allowed to collect information “just in case”. You must know what you want to do with the information at the point you obtain it and it must be relevant to the purpose(s).

14 Accuracy Personal data shall be accurate and, where necessary, kept up to date Accuracy relates to matters of fact i.e. something that can be proven one way or another.

15 Storage limitation Personal shall be kept in an identifiable form for no longer than is necessary for the purposes Think back to the original purpose(s). Has that purpose(s) been fulfilled? Is there a valid reason to retain the personal information any longer? If not, take steps to securely destroy the personal information. You should also take into account any legal or regulatory requirements, or industry good practice, when deciding on retention periods. Failing that, make a business case for why you need the information. If you can set a hard time limit, consider establishing criteria that help you decide whether or not the information is still relevant.

16 Integrity and confidentiality
Personal data shall be processed with appropriate security Organisations must take technical and organisational measures to ensure the security of the personal data they hold to protect it from unauthorised access or use, or from accidental loss, damage or destruction. This can include physical security (locks, alarms), electronic security (passwords, encryption, firewalls), reliability of staff or volunteers (references, PVG checks, training). If you are asking a data processor to process personal information on your behalf, then you must ensure there is a contract which specifies the processor’s obligations in terms of security.

17 The Accountability Principle
The controller shall be responsible for, and be able to demonstrate compliance. Article 5(2), GDPR

18 Data protection by design and default
Article 25, GDPR Data protection by design and default

19 Data Protection Impact Assessments
Article 35, GDPR The ICO has promoted Privacy Impact Assessments as good practice for a number of years: European DPAs have issued guidance on Data Protection Impact Assessments under GDPR:

20 Data processors and contracts
The ICO has published draft guidance on contracts and liabilities under GDPR: Data processors and contracts

21 Record of processing activities
Article 30, GDPR requires organisations with more than 250 employees to keep a record of their processing activities. Smaller organisations must do so if their data processing activities present a risk to individuals, is not occasional or includes special categories of data or criminal conviction data. The record must include: the name and contact details of the data controller (and the Data Protection Officer if one has been appointed), A description of the categories of data subjects and the categories of personal data The categories of recipients to whom the data have been or will be disclosed Details of any transfers to countries outside the EEA or to international organisations The time limits for erasure of the different categories of personal data A general description of the security measures

22 Data security breach notification
Articles 33 and 34, GDPR Only applies to breaches likely to result in a risk to the rights and freedoms of the individuals concerned. In that circumstance, you will be required to inform the ICO within 72 hours and also inform the data subjects. This should be part of your incident management plans. You can find more information on how to report a data security breach to us at The European DPAs have published draft guidelines for consultation on data breach notification: Data security breach notification

23 Data Protection Officer
Articles 37-39, GDPR A DPO is required where the core activities of the organisation include regular and systematic monitoring of a large number of people, or the core activities consist of the processing of a large amount of special category data (including criminal conviction data). A DPO can be a member of staff or could be a contracted service. But they must have a good working knowledge of data protection and how it applies to the business. European DPAs guidance -

24 International transfers
Organisations must make sure that any transfer of personal data beyond the European Economic Area (EEA) is subject to additional measures to ensure that it is treated as if it were in the EEA. This is particularly important when using cloud computing or any other online service. International transfers

25 Individuals’ Rights

26 Data subject rights Right to be informed Right of subject access
Right of data portability Right to object to processing Rights to rectification, erasure or restriction Right to prevent automated decision-making Most of these rights are qualified. The data controller will not have to accede to a request if they can demonstrate that what they are doing is legitimate and outweighs the individual’s concerns. The rights are often linked to the condition for processing so it is important to consider these together.

27 UK Information Commissioner’s Office
The ICO is expected to continue as the data protection authority for the UK. Our main functions will continue to be: Promoting awareness amongst the public and controllers and processors Handling complaints from data subjects Monitoring, investigating and enforcing data protection law, UK Information Commissioner’s Office

28 Enforcement powers Warnings or reprimands Data protection audits
Powers of entry and inspection Order compliance Ban or limit processing

29 Data protection authorities, such as the ICO, will be able to issue administrative fines of up to €20 million (or 4% of global turnover for international companies) for the most serious breaches. For the more procedural breaches, the fines will be limited to €10 million (or 2% of global turnover for international companies). Any enforcement action taken must be effective, dissuasive and proportionate. Administrative fines

30 Data protection compliance in relation to specific subjects
Guidance documents Data protection compliance in relation to specific subjects All our guidance documents are available at These are largely in respect of the Data Protection Act 1998 but will nevertheless help organisations as they prepare for GDPR. The Article 29 Working Party, which comprises each European data protection authority, is preparing Europe-wide guidance on various aspects of GDPR. These can be found online at

31 The Data Protection Reform pages on the ICO website are being updated with our own guidance and that from the European Data Protection Authorities’ Working Party as they become available. Check the website regularly or subscribe to our monthly e-newsletter to hear the latest news.

32 For regular updates on GDPR implementation, as well as other ICO news, you can subscribe to our monthly e-newsletter.

Download ppt "General Data Protection Regulation"

Similar presentations

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Getting data sharing right for every child

Getting data sharing right for every child
Data Protection.

Data Protection.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
The Information Commissioner’s Office David Evans.

The Information Commissioner’s Office David Evans.
Data Protection and You Your Rights & The Law Registration Basics Other Activities Disclaimer: This presentation only provides an introductory info. Please.

Data Protection and You Your Rights & The Law Registration Basics Other Activities Disclaimer: This presentation only provides an introductory info. Please.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.

Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
The Data Protection Act 1998. What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;

The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
Data Protection Act 1998. The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.

Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
© University of Reading 2007 www.reading.ac.uk/data_protection Lee Shailer 06 June 2016 Data Protection the basics.

© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.

Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.

Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.

Similar presentations

Ads by Google