
General Data Protection Regulation May 25th 2018


1 General Data Protection Regulation May 25th 2018

2 What is the General Data Protection Regulation?
GDPR is a new EU regulation that is set to radically change the way companies and organisations manage individuals' personal data. It is the biggest change to data protection law in over 20 years. When does it come into effect? May 25th 2018.

3 How does GDPR differ from previous laws?
Consent to data holding and processing: each organisation or business must be fully transparent about what data it holds and how it protects and processes it, and individuals must consent to this.
'Privacy by Design and Default': everything done in obtaining, retaining and processing data should be private from the outset.
Accountability: each organisation or business must be able to demonstrate, through documentation, that it follows good data protection and processing procedures.
Penalties: penalties apply where a breach or audit shows that the organisation or business could not demonstrate sufficient data protection processes or did not follow them. The Regulation itself sets the ceiling for administrative fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher); member states set the rules for other penalties. The corrective measures applied must be effective, proportionate and dissuasive.

4 Who does GDPR have implications for?
Any organisation or business that holds and processes data that can identify an individual. That includes FICTA, governing bodies, schools and individual therapists and businesses.

5 What is Data? Personal data is any information relating to an identified or identifiable natural person. This includes, but is not limited to: name, postal address, location data (for example as obtained from a mobile phone), membership numbers, anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual, banking details, purchasing history, online browsing history and images.

6 Consent to Data holding and processing

7 The individual must give clear, freely given, specific, informed and unambiguous consent to data processing. They must understand what you and your organisation mean by processing of their data, and must know exactly who they are giving consent to. There is no implied consent; this is 'Privacy by Design and Default' in practice. The organisation or business must be able to show that it has obtained the necessary consent.

8 Signed Consent For manually held data, you must have signed consent for any data held by you or your organisation. We suggest therapy clients sign their consent to data holding along with their consent to treatment on the initial intake form. For example: "I agree to have my data held by (therapist/organisation) for the purpose of proceeding with my treatments only and understand that it will be held in accordance with the General Data Protection Regulations 2018 which have been explained to me."

9 Back-dating consent One of the questions we posed to the Data Commissioner's Office was in relation to data already held and seeking consent for that. Their answer was a little vague; however, what they said was that "any data that you are processing on the basis of consent must meet GDPR standards or it will likely be invalid." My understanding here, and from reading the links they provided, is that the important word is "processing". Documentation you hold on previous clients that is stored correctly and not being referred to in any regard is not being processed. Therefore, do not try to contact all these people to seek consent, but do so on their next visit. Destroy their files after the period of retention you have decided on.

10 Digital Consent If you use any digital marketing or booking systems, there are very strict rules. Consent must be opt-in: a pre-ticked box or inactivity does not count as consent. Any tick-box must be ticked to give consent, not to withhold it. Individuals must be able to withdraw consent at any later date as quickly and easily as they gave it.

11 Tick-box consent: Privacy by Design and Default. What NOT to do…

12 Accountability: Meeting GDPR requirements for your business and organisation.

13 Becoming compliant…
1. Know your obligations.
2. Set up appropriate protections and protocols.
3. Document your protocols.
4. Ensure everyone in your organisation is aware of these protocols.
5. Follow these protocols.

14 1. Know your obligations…
- Keep data safe and secure.
- Gather only the data that you need.
- Destroy data when you no longer need it.
- Seek consent to hold and process data.
- Amend incorrect and outdated data.
- Transfer data at the individual's request.
- Delete data at the individual's request (the right to be forgotten).
- Identify a breach.
- React to a breach so as to minimise the risks.

15 2. Protections
- Keep manual data under lock and key.
- Have strong passwords on all electronic devices that hold data.
- Use password-protected screen-savers when you are not using your device.
- Ensure any cloud-based information is stored with a reputable company that is compliant with GDPR. Check with them.

16 3. Protocols: these need to be documented
- Who is the data controller?
- What data do you hold?
- Why do you obtain it?
- How do you obtain it?
- Why was it originally gathered?
- How do you store it?
- How is it protected: encryption and access control?
- How do you obtain consent?
- How do you use or process it?
- Do you share data with third parties?
- How long will you retain it?
- How will you amend incorrect data?
- How will you transfer data at an individual's request?
- How will you destroy data?
- What to do in the case of a data breach.

17 Security Breach: Identifying a breach and what actions to take.

18 What is a data breach? Under GDPR a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In practice that means: your cloud-based systems have been accessed at the core; your account has been accessed at administrator level in your organisation or business; or a person has gained access to the premises and there is evidence, or a risk, that data has been copied, accessed, destroyed or removed. Most online, cloud-based systems are so locked down that cybercriminals look for human error to get at data, and they get in through administrative access. What they are after is card details and identity theft. Half or more of small to medium sized businesses are hacked at some point, and nearly three quarters are unable to restore all of their information.

19 How to identify a data breach.
- Card breaches are usually identified when clients begin reporting fraudulent charges on their accounts that trace back to your payment facility. If you have card payment facilities there is a specific standard, the Payment Card Industry Data Security Standard (PCI DSS), that you need to comply with.
- Physical break-ins: look out for signs of tampering at the doors and windows into the premises, the internal doors, the safe and the filing cabinets where documents are stored.
- Online breaches have a number of signs to look out for:
  - Cloud-based providers will notify you if they have had an issue (as processors they are obliged to tell you, the controller, without undue delay once they become aware of a breach).
  - Unusually slow internet or computers: a sign the machine may be exporting a lot of data.
  - High CPU usage (slow loading), memory usage or hard disk activity: the same sign.
  - Has your computer been tampered with? Not on or off as you left it? Are there new, moved or deleted files?
  - Pop-ups and redirected websites while browsing (a lot of advertisements): malware is trying to get you to slip up and grant access.
  - Locked out of an account on your first password entry: someone else has been trying to, or has succeeded in, getting access.
CPU cycle: the process by which a computer fetches an instruction, works out what action is needed and carries it out.
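The last two online indicators above (a burst of failed logins, and being locked out on your own first attempt) are the ones that can be checked mechanically from a login log. The following is an added example, not part of the presentation and not the output of any named product: it walks a constructed authentication log (the line format, field names and IP addresses are assumptions) and flags three patterns: repeated failures for one account inside a time window, an account locked after failures from an address that account has never logged in from, and a success that follows a burst of failures from a previously unseen address.

```python
"""Flag login indicators of a possible breach in a constructed auth log.

Added example. The log format below (ISO timestamp, event word, key=value
fields) is an assumption for illustration, not a real product's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<iso-timestamp> FAILED|SUCCESS|LOCKED user=... src=..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>FAILED|SUCCESS|LOCKED)\s*(?P<rest>.*)$")


def parse_line(line):
    """Return {'ts', 'event', 'user', 'src'} or None for a line that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "event": m.group("event"),
        "user": fields.get("user"),
        "src": fields.get("src"),
    }


def detect_indicators(lines, threshold=5, window=timedelta(minutes=10)):
    """Walk the log once; return (user, indicator, detail) tuples in log order.

    brute_force:         >= threshold failures for one user inside the window
    foreign_lockout:     account locked after failures from an address that has
                         never logged in successfully as that user
    success_after_burst: success following failures, from an address not seen
                         succeeding for that user before (a brand-new account
                         will also trigger this; that is a heuristic, not proof)
    """
    findings = []
    recent = defaultdict(deque)   # user -> (ts, src) of failures inside the window
    known_src = defaultdict(set)  # user -> addresses with a past SUCCESS
    flagged = set()               # users whose current burst is already reported

    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["user"] is None:
            continue  # ignore lines we cannot parse rather than crash on them
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        q = recent[user]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if not q:
            flagged.discard(user)            # a new burst may be reported again

        if ev["event"] == "FAILED":
            q.append((ts, src))
            if len(q) >= threshold and user not in flagged:
                srcs = sorted({s for _, s in q if s})
                findings.append((user, "brute_force", f"{len(q)} failures from {', '.join(srcs)}"))
                flagged.add(user)
        elif ev["event"] == "LOCKED":
            foreign = sorted({s for _, s in q if s and s not in known_src[user]})
            if foreign:
                findings.append((user, "foreign_lockout", f"locked after failures from {', '.join(foreign)}"))
        elif ev["event"] == "SUCCESS":
            if q and src not in known_src[user]:
                findings.append((user, "success_after_burst", f"{len(q)} failures then success from {src}"))
            if src:
                known_src[user].add(src)
            q.clear()
            flagged.discard(user)
    return findings


# Constructed sample log (not real data). 'alice' normally logs in from
# 192.0.2.10; an attacker at 203.0.113.7 guesses her password until the account
# locks, so next morning alice is locked out on her own first attempt.
SAMPLE_LOG = """\
2018-05-25T08:00:00 SUCCESS user=alice src=192.0.2.10
2018-05-25T08:00:05 SUCCESS user=bob src=198.51.100.4
2018-05-25T22:10:00 FAILED user=alice src=203.0.113.7
2018-05-25T22:10:03 FAILED user=alice src=203.0.113.7
2018-05-25T22:10:06 FAILED user=alice src=203.0.113.7
2018-05-25T22:10:09 FAILED user=alice src=203.0.113.7
2018-05-25T22:10:12 FAILED user=alice src=203.0.113.7
2018-05-25T22:10:12 LOCKED user=alice
2018-05-26T09:00:00 FAILED user=alice src=192.0.2.10
2018-05-26T09:00:01 LOCKED user=alice
2018-05-26T09:30:00 FAILED user=bob src=198.51.100.4
2018-05-26T09:30:20 SUCCESS user=bob src=198.51.100.4
2018-05-26T10:00:00 FAILED user=carol src=203.0.113.7
2018-05-26T10:00:04 FAILED user=carol src=203.0.113.7
2018-05-26T10:00:08 FAILED user=carol src=203.0.113.7
2018-05-26T10:00:15 SUCCESS user=carol src=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for user, kind, detail in detect_indicators(SAMPLE_LOG):
        print(f"{user:8} {kind:20} {detail}")
```

Note that alice's own failed attempt and second lockout the next morning are not reported: the address is one she has succeeded from before, so the only foreign_lockout finding points at the attacker's address. Bob's single mistyped password followed by a success from his usual address is likewise silent. A real deployment would feed this the provider's actual login export and tune the threshold and window to the size of the practice.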

20 What to do if there has been a breach.
- Let the data controller of your organisation know. It is good practice to have a data breach form to fill out so the information is recorded straight away.
- Within 72 hours of becoming aware of the breach, notify the Data Protection Commissioner, unless the breach is unlikely to result in a risk to the individuals affected. If you cannot notify within 72 hours, notify anyway and give the reasons for the delay.
- Consider whether affected clients need to be notified (risk of identity theft, card fraud or breach of confidentiality) so that they can take appropriate measures to protect their property, person or reputation; where the breach is likely to result in a high risk to them, this notification is required without undue delay. Notifying data subjects is a remedial measure intended to redress the balance and restore confidence. Let them know who to contact in your organisation if they need more details.
- Third parties may need to be contacted to help, e.g. An Garda Siochana and the financial institutions.
- Keep a record of all data breaches and suspected breaches, including the facts, their effects and the remedial action taken. The Regulation requires this record, and the Commissioner may ask to see it.

21 Questions… Bear in mind that this is new legislation with wide-ranging implications across many different industries. There are still grey areas that will only be resolved as each industry tries to implement it and comes across difficulties in its own niche.

