Document Lifecycle Management Group
Getting to grips with GDPR – a practical guide
Presented by: Owen Costen, MD, DLM Group
Data Protection Bill 2018
Top 10
1. Background to the GDPR
2. Scope & Definition
3. Personal Data
4. Data Subject, Controller & Processor
5. The key Principles
6. Consent & Documentation
7. Rights of the Data Subject
8. International Data Transfers
9. Data Breaches
10. Data Protection Officer & Fines
Other Topics
• 12 Steps towards compliance
• Vertical issues
• Q & A
Data breaches making headlines
Background to the GDPR
Background to GDPR
What is the GDPR?
• The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.
Where has it come from?
• European Directive 95/46/EC
• Immediately applicable in each Member State
• Regulated by the Information Commissioner’s Office (ICO)
Background to GDPR
Who does the GDPR apply to?
• ‘controllers’ and ‘processors’.
• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.
GDPR contains a number of changes from the DPA including:
▫ Enhanced documentation to be kept by data controllers
▫ Enhanced Privacy Notices
▫ More prescriptive rules on what constitutes consent
▫ Mandatory data breach notification requirement
▫ Enhanced Data Subject Rights
▫ New obligations on Data Processors
▫ Expanded territorial scope
▫ Appointment of Data Protection Officers
▫ Significant increase in the size of fines and penalties
Scope and definitions under GDPR
No 2.
• Designed to protect any natural person = a living individual (data subject)
• It applies to processing activities that are related to:
▫ Goods or services, irrespective of whether payment is required; or
▫ The monitoring of data subjects’ behaviour within the EU.
Scope of GDPR
Personal Data
No 3.
According to GDPR…
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is personal data?
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• physical or mental health or condition
• sex life or sexual orientation
• genetic data
• biometric data
What is Sensitive Personal Data?
Under GDPR, the term used is Special Categories of Personal Data…
Processors & Controllers
No 4.
According to the Data Protection Act 1998…
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
According to GDPR…
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
What is a Data Controller?
According to the Data Protection Act 1998…
Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
According to GDPR…
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What is a Data Processor?
The key Principles
No 5
Article 5
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
7. Accountability
Legal Basis for Processing Personal Data
No 6
The information below sets out the lawful bases available for processing personal data and special categories of data.
• 6(1)(a) – Consent of the data subject
• 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
• 6(1)(c) – Processing is necessary for compliance with a legal obligation
• 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
• 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest
• 6(1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party
Note that the legitimate interests condition (6(1)(f)) is not available to processing carried out by public authorities in the performance of their tasks.
Lawfulness of processing conditions
The following conditions apply for consent:
• Controllers must be able to demonstrate that consent was given;
• Written consent must be clear, logical, easily accessible, else not binding;
• Consent can be withdrawn any time, and it must be as easy to withdraw consent as to give it;
• Consent to processing data not necessary for the performance of a contract;
• Ticking a box or choosing appropriate technical settings is still valid.
Article 7: Conditions for consent
Rights of the Data Subject
No 7.
Eight Rights of Data Subjects
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Individual Rights
Article 13.2
Article 17: Right to erasure (‘right to be forgotten’)
International Data Transfers
No 8
• The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
• These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
When can personal data be transferred outside the European Union?
• Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
What constitutes a transfer of Personal Data?
• Personal Data is considered to be ‘transferred’ across borders when:
▫ It is physically transferred across borders OR
▫ It is accessed across borders
International transfers
Example: A support agent in India who is given access to a physical device located in the UK which contains Personal Data is considered a ‘transfer’ by EU Data Protection Authorities.
Preventing or Managing Data Breaches
No 9
• The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority.
• A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
What is a Data breach?
DPO & Fines
Session 10
When does a Data Protection Officer need to be appointed under the GDPR?
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
• Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
Appointment of Data Protection Officers
• For (mainly) a breach of record keeping, contracting and security clauses
▫ maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater
• For (mainly) a breach of the basic principles, Data Subject rights, transfer to third countries, non-compliance with an EU DPA order
▫ maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater
• The GDPR is intended to co-ordinate supervisory and enforcement powers across the Member States
Penalties and enforcement
1 Awareness
2 Information You Hold
3 Communicating Privacy Information
4 Individuals’ rights
5 Subject access requests
6 Lawful basis for processing personal data
7 Consent
8 Children (U16)
9 Data Breaches
10 Data Protection by Design and Data Protection Impact Assessments
11 Data Protection Officers (DPO)
12 International
Road to GDPR Compliance
Use plain language.
Tell them who you are when you request the data.
Say why you are processing their data, how long it will be stored and who receives it.
What your company must do
Get their clear consent to process the data.
Collecting from children for social media? Check age limit for parental consent.
What your company must do
Let people access their data and give it to another company.
What your company must do
Inform people of data breaches if there is a serious risk to them.
What your company must do
Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
What your company must do
If you use profiling to process applications for legally-binding agreements like loans you must:
• Inform your customers;
• Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
• Offer the applicant the right to contest the decision.
What your company must do
Give people the right to opt out of direct marketing that uses their data.
What your company must do
Use extra safeguards for information on
• health,
• race,
• sexual orientation,
• religion and political beliefs.
What your company must do
Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.
What your company must do
• Data Mapping
• Gap Analysis
• Policies Review
• Data Protection Officer
• Database
• Marketing Strategy
• Suppliers
• Terms of business
What else do we need to complete?