
1 IMPLICATIONS OF GDPR ROBERT BELL

2 INTRODUCTION
Robert Bell: Law background
Credit Services Association, Director of Legal & Compliance
Qualified tutor
Author, Level 2-6 Courses
Credit Excellence Awards
Auditing / Training / Support
Clear up the 25 years' experience on the meeting brief
COMPLIANCE INSIGHTS GDPR

3 CONTENT
1 Requirements – background / overview
2 Changes brought by the Data Protection Bill
3 What to do if you are not fully compliant
4 DPIA
Q&A
We have a total of 1 hour

4 GDPR - OVERVIEW: BACKGROUND / MAJOR CHANGES
Reasons for processing data: Consent; Contractual / legal; Vital interests / Public interest; Legitimate interests
New rules around obtaining consent: Positive action, freely given, unambiguous; Informed; Right to remove consent
Information which must be included in Privacy Notices
Internal rules: Supplier management; Privacy by design; DPIA; DPO?
Breach notification requirements and increased penalties
Other rights: Access / object; Rectification / restriction; Right to be forgotten; AP/DM; Portability

5 DATA PROTECTION BILL
Is now the Data Protection Act 2018!
Does not replace GDPR but addresses flexibility allowed by GDPR
Does not ensure data protection post-Brexit
Transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive)
Elements impacting financial services….

6 DATA PROTECTION ACT
GDPR Art. 9 requires conditions to be met to process special category data:
Lawful basis under Article 6, plus
A separate condition for processing special category data under Article 9, such as explicit consent, required by law, vital interests where the data subject is unable to give consent, assessment of working capacity, public interest, etc.
The special categories are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

7 DATA PROTECTION ACT
DPA expands the potential for processing such data:
Special category data can be processed for employment where an appropriate policy is in place or it is used for ensuring equal opportunity / treatment
Special category data can be processed in order to prevent fraud, terrorism (including funding) or money laundering
Special category data can be processed for an insurance reason

8 DATA PROTECTION ACT
GDPR Art. 10 requires conditions to be met to process criminal convictions data:
Article 10 requires that the processing of criminal convictions data is prohibited unless it is carried out under the control of official authority or if it is authorised by UK law.
Member States may authorise the processing of criminal convictions personal data in specific circumstances and subject to appropriate safeguards.

9 DATA PROTECTION ACT
DPA expands the circumstances in which criminal convictions data may be processed, including:
Consent
To protect vital interests
Necessary for making / defending a legal claim
For insurance purposes
Required under employment law and you have an appropriate policy in place
Where it is required for an occupational pension

10 DATA PROTECTION ACT
Required under employment law:
Opens criminal record checks where they are required by law, such as working with vulnerable people
Opens to situations where required for regulatory compliance, such as the Senior Managers Regime
However, it does not say we can routinely assume consent for all employees (unless they consent)

11 DATA PROTECTION ACT
An appropriate policy should:
explain how the controller complies with the data protection principles set out in Article 5 of the GDPR;
explain the controller's policies for the retention and erasure of personal data processed under the relevant condition; and
be retained, reviewed and (if appropriate) updated by the controller and (if requested) made available to the Information Commissioner, for six months.
Where appropriate policy documentation is required, the controller's records of processing activities (under Article 30 of the GDPR) must include:
details of the relevant condition relied on;
how processing satisfies Article 6 of the GDPR (lawfulness of processing); and
details of whether the personal data is retained and erased in accordance with the appropriate policy documentation (and if not, the reasons why not).

12 WHAT TO DO IF YOU ARE NOT COMPLIANT
1 ICO is not expecting to enforce full compliance from day one
2 Willing to accept a risk mitigation plan / action plan
3 Ensure you understand the new rules – there have been many misconceptions
4 Prioritise actions

13 GDPR - MISCONCEPTIONS
1 Extent of consent
2 Recording data in relation to vital interests
3 Right to be forgotten
4 All breaches must be reported to the ICO
On the 4th: only those breaches which pose a risk to the rights and freedoms of data subjects must be reported, not all breaches. For example, where encrypted data was sent to the wrong person, there is no need to report this as there is no risk to the data subject. Remember it's not only data breaches but also incorrect destruction of data where this poses a risk to a person's rights and freedoms.

14 IMPORTANT ACTIONS / WHAT PEERS ARE DOING
Consent for new data in relation to marketing and special category data. Consider need to re-obtain consent from current database
Gap-analysis feeding a detailed action plan with priority given to: Communication with DS; Major IS gaps; Team awareness
Privacy notices: Update Art; List of processors?; Options for “sending” to customers
Internal rules: Processes for each right; Breach notification; Data retention; Info security, etc.; Processor contracts
DPIAs: Stage 1 Record decision; Stage 2 Obtain ICO consent

15 SUMMARY
Q&A

16 CONTACT US
Any questions/queries, please get in touch… 07849 774 401
