Preparing for and complying with the GDPR Andrew Rose, Senior Policy Officer, ICO Leeds January 2017

Preparing for general data protection regulations (gdpr) within the hous


Page 1

Preparing for and complying with the GDPR

Andrew Rose, Senior Policy Officer, ICO

Leeds, January 2017

Page 2

Contents

• Demonstrating compliance
• Role of the DPO
• Responsibilities of controllers and processors
• Breach notification
• Preparation and further information

Page 3

GDPR contents

Chapter I: Key definitions and scope of the Act.

Chapter II: Contains the data protection principles, covers the bases (equivalent of DPA conditions) for processing and outlines the special categories of data.

Chapter III: Sets out the rights of the data subject (similar to Part II of the DPA).

Chapter IV: Outlines the responsibilities of data controllers and processors (including security), for example around breach notification and employing Data Protection Officers.

Chapter V: International transfers.

Chapter VI: Sets out the powers and duties of supervisory authorities.

Chapter VII: Covers co-operation and consistency between different supervisory authorities.

Chapter VIII: Outlines the right to judicial remedy and conditions for imposing penalties.

Chapter IX: Sets out provisions relating to specific processing situations.

Chapter X: Delegated acts and implementing acts.

Chapter XI: Final provisions.

Page 4

Demonstrating compliance

• The controller shall be responsible for, and be able to demonstrate compliance with, the Principles (Art 5(2))
• The requirement to appoint a data protection officer
• Data protection by design and default
• Codes of conduct
• Certification schemes
• The requirement to implement appropriate technical and organisational measures
• Maintaining records on processing activities
• Data protection impact assessments

Page 5

Demonstrating compliance

To maintain relevant records on processing (Art 30).

To implement appropriate technical and organisational measures (Art 24).

Page 6

Role of the DPO (Arts 35-37)

Responsibilities

• Inform and advise the organisation about its obligations to comply with the GDPR
• Monitor compliance with the GDPR, including managing internal data protection activities
• Provide training to staff, advise on data protection impact assessments and conduct internal audits
• First point of contact for the supervisory authority

Position

• Directly report to the highest management level of the controller or processor
• Not be given instructions on how to carry out duties and can’t be dismissed for carrying out duties
• Can combine duties if there is no conflict of interest
• Be contactable by data subjects
• Be provided with the necessary resources

Page 7

Role of the DPO

Appointed on the basis of professional qualities:

• Expert knowledge of DP
• Ability to fulfil tasks

Can be a staff member or contracted.

May be designated to act for several authorities, depending on size and structure.

Page 8

Demonstrating compliance

Lawfulness of processing (Art 6).

Processing special categories of personal data (Art 9).

Page 9

Responsibilities of controllers and processors

Security responsibilities (Arts 32-34)

Pseudonymisation and encryption – specifically mentioned as security measures.

You must be able to ensure the confidentiality, integrity, availability and resilience of your systems.

The ability to restore the availability of and access to data in a timely manner.

Have a process to test, assess and evaluate the effectiveness of the measures you have in place.

Page 10

Responsibilities of controllers and processors

Joint controllers (Art 26)

Transparently determine respective responsibilities for:

• Compliance with the regulations
• Exercising the rights of data subjects
• Providing the information required under Arts 13 & 14

Data subjects can exercise their rights against each controller.

Page 11

Responsibilities of controllers and processors

Processors (Art 28)

Processors must provide sufficient guarantees that processing will:

• Meet the requirements of the regulation

• Ensure the protection of the rights of the data subject

No sub-processors without the specific agreement of the controller.

Processing is subject to contract.

Page 12

Responsibilities of controllers and processors

Contracts (Art 28(3))

Binding contract to cover:

• Process data only on the instructions of the controller
• People authorised to access data are subject to confidentiality
• Ensure security of processing
• Assist the controller in complying with data subjects’ rights (where possible)
• Assist the controller with regard to security measures, breach reporting and DPIAs

Page 13

Breach reporting (Arts 33-34)

Mandatory to report to the ICO where the breach is likely to result in a risk to the rights and freedoms of the individual.

Without undue delay and no later than 72 hours after discovery (further detail can be added later).

Risks include:

• Loss of control of personal data
• Discrimination
• Identity theft
• Financial loss
• Damage to reputation
• Loss of confidentiality

Page 14

What can you do to prepare?

• Published guidance
  • 12 steps
  • Overview of the GDPR
  • Privacy notices code of practice

• A29 guidance
  • Right to data portability
  • DPOs
  • Identifying a lead supervisory authority

https://ico.org.uk/for-organisations/data-protection-reform/

Page 15

What’s the ICO doing?

• Working with DCMS and A29

• Further guidance

• Internal change programme

Page 16

How the ICO can help

• Guidance: www.ico.org.uk

• Helpline: 0303 123 1113