GDPR Module 4: Other Significant Changes

Presentation on theme: "GDPR Module 4: Other Significant Changes" — Presentation transcript:

1 GDPR Module 4: Other Significant Changes



4 Module 4: Introduction
In this final module we’ll cover some of the other key changes brought in by the GDPR. The subjects covered are: breach notification, security, international transfers, data processors and administrative fines.

5 In this first section we will look at the GDPR requirements around breach notification.

6 The GDPR contains a new requirement for data controllers to notify the supervisory authority of any data protection breach that is likely to result in a risk to the rights and freedoms of individuals.

7 If unaddressed, such breaches are likely to have a significant detrimental effect on individuals, for example if they result in discrimination, damage to reputation or financial loss.

8 If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the data controller must also notify the data subjects concerned directly.

9 So how long does the GDPR allow the data controller to inform the supervisory authority and the data subjects of a breach?
The data controller has 72 hours to report the breach to the supervisory authority. However, the GDPR recognises that it will often be impossible to investigate a breach fully within that time period, and so it permits the data controller to provide the information in phases.
Where the breach presents a high risk to the rights and freedoms of individuals, the GDPR states that the data controller must inform the affected data subjects without undue delay.

10 The GDPR also outlines the information that must be included in a data protection breach notification. Examples include (the full list can be found in Article 33 of the GDPR): the nature of the personal data breach; the categories and approximate number of individuals concerned (if known); and the measures taken to deal with the breach and to mitigate any possible adverse effects.


12 This section looks at data security.
Article 32 of the GDPR sets out the requirements for keeping personal data secure. It is more explicit about organisations’ specific responsibilities than Principle 7 of the DPA.

13 It states that data controllers and processors must take technical and organisational measures to ensure a level of security appropriate to the risk. The GDPR says that the measures taken to safeguard personal data should include, where appropriate: encryption and pseudonymisation; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems; the ability to restore the availability of and access to personal data in a timely manner in the event of an incident; and processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

14 One further way in which an organisation can help to demonstrate that it has an appropriate level of security is adherence to an approved code of conduct or certification mechanism.

15 The GDPR states that when assessing what is an appropriate level of security, the organisation should take particular account of the risk of accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data.


17 The next section covers what the GDPR has to say about international transfers. This part of the course is aimed at staff who have a good understanding of the current rules around international transfers and who routinely deal with Principle 8 issues as part of their role. If you don’t have this level of understanding, because your role doesn’t require you to deal with international transfer related issues on a regular basis, then you may skip this section. Note that you will not be tested on your knowledge of this section in the end of module assessment.

18 Chapter V of the GDPR sets out the conditions in which personal data may be transferred outside the EU. It addresses the same themes as Principle 8 and Schedule 4 of the DPA, namely: the level of protection in the territory the data will be sent to; the adequacy of the safeguards the organisation receiving the information has in place; and derogations. But, as we shall see, it also introduces some new rules on international transfers. We’ll now look at what the GDPR has to say on each of these themes in turn.

19 With respect to assessing the adequacy of the territory to which the data is to be sent, not much has changed from the DPA: transfers may still be made to countries which the European Commission has decided ensure an adequate level of protection. The one notable change is that, in addition to third countries, the Commission will now have the power to confer adequacy decisions on specified industry sectors within countries outside the EU and on international organisations, meaning that data controllers will be able to make international transfers to sectors and organisations that are afforded adequacy status by the Commission.

20 When it comes to demonstrating that a transfer is subject to appropriate safeguards, the GDPR continues to recognise Binding Corporate Rules and Standard Data Protection Clauses as valid ways to achieve this. But a key difference from the DPA is that the GDPR also allows the data controller (or processor) to demonstrate appropriate safeguards through signing up to an approved code of conduct or a certification mechanism. However, it can only rely on these where the data controller (or processor) in the third country has made a binding and enforceable commitment to apply the appropriate safeguards and uphold data subjects’ rights.

21 Just like the DPA, the GDPR contains a number of derogations that permit data controllers to transfer personal data outside the EU in specific circumstances, and the GDPR’s derogations largely correspond to the derogations in Schedule 4 of the DPA. So, for example, like the DPA, the GDPR has derogations which allow a data controller to transfer information outside the EU if the data subject has consented; for the performance of a contract; if it’s in the data subject’s vital interests; or for the exercise or defence of legal claims.

22 However, the GDPR does also introduce some new rules around transfers. One key change is that public authorities won’t be able to rely on the consent or contract derogations to transfer data when exercising their public powers.

23 A second key change introduces new rules around one-off (or infrequent) transfers of personal data concerning relatively few individuals. Under the GDPR, a data controller can make this type of transfer to a country without an adequate level of protection (such as Cuba in this example) even if it isn’t possible to show that the data subjects’ rights will be protected by adequate safeguards and no derogations apply. However, such transfers will only be permitted on condition that they meet three specific criteria.

24 The transfer must satisfy all three of these criteria: the transfer must be necessary for the purposes of the compelling legitimate interests of the data controller; the transfer must be made subject to suitable safeguards put in place by the data controller to protect the personal data; and the data controller must not be a public authority acting in the exercise of its public powers.


26 In this next section we’ll look at how the new Regulation will impact on data processors.

27 Under the GDPR, data processors will be subject to certain statutory obligations. Next we’ll take a look at some of these key new obligations.

28 One of the data processor’s most significant new responsibilities is that it must maintain a record of all the processing activities it has carried out on behalf of the controller. As with the record keeping requirements for data controllers, this obligation won’t apply to organisations with fewer than 250 employees, unless they are processing special categories of data or criminal convictions data, or the processing poses a risk to the rights and freedoms of individuals.

29 The information to be recorded by the data processor includes: the name and contact details of the data processor, data controller and data protection officer; the categories of processing carried out on behalf of the data controller; details of transfers outside the EU; and, where possible, a general description of technical and organisational security measures.

30 Another notable new rule is that the data processor cannot employ the services of another data processor unless it has the data controller’s written approval to do so. A third important new provision concerns the reporting of data breaches: if the processor suffers a breach, then it is under an obligation to inform the data controller of this without delay.

31 Another significant change is that the data processor will be subject to the same obligations as the data controller in respect of the requirement to take technical and organisational measures to ensure a level of security appropriate to the risk, and the requirement to appoint a data protection officer.

32 One final point to note is that, because data processors will have their own statutory obligations, they can be held directly liable for failure to comply with those obligations. This means that they can be subject to sanctions from the supervisory authority, including administrative fines (more on these shortly).

33 The GDPR also contains some new obligations regarding the information to be provided in the contract between the data controller and the data processor.
[Illustration: an excerpt of standard contractual clauses from the Official Journal of the European Union (L 385/78), showing the data importer’s warranties and undertakings (a) to (h).]

34 The information that should be provided in the contract includes: the subject matter of the data; the duration of processing; the nature and purpose of processing; the type(s) of data concerned; the categories of data subjects; and the rights and obligations of the data controller.


36 This section tackles administrative fines (the GDPR equivalent of the DPA’s monetary penalties). Under the GDPR, where administrative fines are imposed they must be effective, proportionate and dissuasive.

37 At present, there is a wide variation in the approach different EU member states take to the imposition of fines, so one of the key aims of the GDPR is to promote the more consistent application of fines across all EU member states, although the individual supervisory authorities will still have discretion over the level of fine to be levied. We’ll now take a closer look at the new GDPR administrative fine regime.

38 Under the DPA, the ICO can impose fines up to a maximum of £500,000. However, under the GDPR, the maximum possible fine has been substantially increased to 20,000,000 Euros or 4% of the data controller’s annual worldwide turnover (whichever figure is highest). The 20 million Euro maximum won’t apply in every case though. This is because, as we shall see, the GDPR operates on a two tier fine regime.

39 So which types of offences will fall under which tier of fines? Let’s look at the lower tier first.
Lower tier, maximum fine: 10,000,000 Euros or 2% of the data controller’s annual worldwide turnover (whichever figure is highest).
Higher tier, maximum fine: 20,000,000 Euros or 4% of the data controller’s annual worldwide turnover (whichever figure is highest).
The lower tier infringements are mainly concerned with the failure to meet organisational obligations. There are too many categories of infringement to list here, but the following are examples of contraventions that could attract the lower tier fine: infringement of the obligation to maintain written records; infringements around the obligation to appoint data protection officers; infringement of the obligation to co-operate with the supervisory authority; and infringement of the obligation to report breaches where required to do so.

40 Now let’s look at the higher tier of fines (maximum fine: 20,000,000 Euros or 4% of the data controller’s annual worldwide turnover, whichever figure is highest). The higher tier covers infringements around the obligations on lawful processing, consent, the processing of special categories of personal data, international transfers and the data subjects’ rights.

41 Next we will look at the criteria that must be assessed before imposing a fine. Many of the GDPR criteria are similar to those we would consider when determining whether to impose a penalty under the DPA, for example: the number of people involved; any damage to the data subjects; the negligent or intentional character of the infringement; and action taken by the data controller to mitigate the damage.

42 Nevertheless, the GDPR does also introduce some new criteria, such as the data controller’s level of adherence to codes of conduct and approved certification mechanisms, and the extent to which the data controller notified the supervisory authority of the infringement and co-operated with them. The complete list of criteria is set out in Article 83 of the GDPR.


44 That concludes the course, but before we proceed to the Module 4 assessment, a brief word on keeping up to date with new developments and managing stakeholder expectations.

45 Keeping up to date
To keep up to date with the latest developments on the GDPR you should regularly check the Change Programme pages on ICON and the ICO’s Data protection reform microsite. You should also keep in contact with your department’s Change Network Representative and look out for any relevant Knowabout sessions.

46 Managing stakeholder expectations
When dealing with stakeholders you should refer them to the Data protection reform microsite for the latest information and ICO plans. If stakeholders have specific GDPR related queries that you can’t answer because the required policy work hasn’t yet been done, then you should tell them that their query will be logged and fed into any planned policy work. You should then refer the query to the Change Programme Team, who will log it and, if appropriate, provide a holding response via the EUDPR knowledgebase on the ICON change pages. Further work to develop the EUDPR knowledgebase is planned.

