
1 Data Protection Impact Assessments Drop-in advice session
Charter 4 Data Protection Practitioners’ Conference 2018 #DPPC2018

2 Tell us what you think
Go to slido.com/#DPPC2018/DPIA

3 Data Protection Impact Assessments
What are they & when are they required?

4 Guide to the GDPR
DPIA Awareness checklist; DPIA Screening checklist; DPIA Process checklist

5 DPIA consultation - closes Friday
Tell us your ico.org.uk

6 A process for building and demonstrating compliance
Can be used for: a single processing operation, a group of similar operations, and evaluating the impact of a technology product.

7 Assess the impact of envisaged processing
Describe processing; Necessity/proportionality; Assess level of risk; Identify measures to address risk

8
1: Identify need for a DPIA
2: Describe the processing
3: Consider consultation
4: Assess necessity and proportionality
5: Identify and assess risks
6: Identify measures to mitigate risk
7: Sign off and record outcomes
8: Integrate outcomes into plan
9: Keep under review

9 Article 35
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

12 Part 3 – Law enforcement purposes
Clause 64(1) – DP Bill
Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.

13 Recital 77
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data…”.

14 Article 35(4) and Article 35(3)
Article 35(4): New technologies; Profiling/SPD access to services; Profile individuals (large scale); Biometric data; Genetic data; Match/combine datasets; Invisible processing; Track location/behaviour; Profile children/vulnerable; Data which may endanger subjects in case of a breach
Article 35(3): Systematic, extensive evaluation (ADM/profiling); Large scale Art 9/10 processing; Large scale monitoring, publicly accessible area

15 ICO proposed list
New technologies; Denial of service; Large-scale profiling; Biometric data; Genetic data; Risk of physical harm; Data matching; Invisible processing; Tracking; Targeting of children/vulnerable individuals

16 1, New Technologies
Processing involving the use of new technologies, or the novel application of existing technologies (including AI).

17 2, Denial of service
Decisions about an individual’s access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.

18 3, Large-scale profiling
Any profiling of individuals on a large scale.

19 What does large scale mean?
You should consider: Number of individuals; Geographical extent; Volume of data; Variety of data; Duration of the processing

20 Tracking individuals using a city’s public transport system

21 A hospital processing patient data (not an individual clinician)

22 Want to ask us a question?
Go to slido.com/#DPPC2018/DPIA

23 4, Biometrics
Any processing of biometric data.

24 5, Genetic data
Any processing of genetic data other than that processed by an individual GP or health professional, for the provision of health care direct to the data subject.

25 6, Data matching
Combining, comparing or matching personal data obtained from multiple sources.

26 7, Invisible processing
Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort.

27 8, Tracking
Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.

28 9, Targeting of children or other vulnerable individuals
The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.

29 10, Risk of physical harm
Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.

31 DPIA consultation - closes Friday
Tell us your ico.org.uk

32 Guide to the GDPR
DPIA Awareness checklist; DPIA Screening checklist; DPIA Process checklist
