2. Where are we?
• Comes into force May 2018
• Addresses personal ‘information’ & ‘data’ and how it is used in the 21st century
• Gives new rights to data subjects
• Applies to both ‘controllers’ and ‘processors’
• Applies to organisations based in the EU and those that sell goods and services into the EU or in EU currencies/languages
3. Personal data
• Name
• ID numbers
• Location data
• Online identifiers (IP address/cookies etc)
• Physical, genetic, mental, economic, social or cultural identifiers
  ...of a natural person
  ...stored in computer or paper-based filing systems
4. Special categories of data (sensitive)
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Under 16s
• Biometric data for the purpose of uniquely identifying a natural person
• Health data or data concerning a natural person's sex life or sexual orientation
5. Basic GDPR Principles
• Fair, lawful and transparent processing
• Correct, stated purpose
• Data minimisation
• Accurate and up to date
• Kept no longer than necessary
• Secure
• Accountable: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”
6. How do we do this GDPR thing?
Identify a legal basis:
• Consent
• Performance of a contract
• Necessary for compliance
• Protection of vital interests (of the subject or another person)
• Public Interest/Official authority vested in the controller
• Legitimate interests
7. If using consent:
• Clear, affirmative action (no silence or pre-ticking)
• Auditable – record of consent needed
• Can be withdrawn
• Not a pre-condition of service
• Extensive information to be provided
• Special categories require additional conditions
• Consent can be explicit or implicit (e.g. visiting a doctor) but must be unambiguous
8. Rights of the data subject
• The right to be informed (Privacy notice)
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision making and profiling
10. Governance considerations
• Processing records
• Consent records
• Data Protection impact assessments
• DPO requirements
• Information provision (Privacy notice/policy)
• Data policies (retention, destruction, backup etc.)
• Security policies (access, passwords, etc.)
• Regular review of measures/governance
11. DPO
• Required if:
  • Public Authority
  • Large scale processing (scope and schedule)
  • Special categories
  • More than 250 FTE
• Qualifications:
  • Audit
  • IT Security
  • EU data protection law
  • Company knowledge
  • etc.
12. Reporting
• Demonstrating compliance with GDPR
• Notify supervisory authority about unmitigated risks
• Breach
• Contacts (DPO, Processor etc)
• Demonstrating accountability
• DP Policies
• Staff training
• Auditing and processing activities
• Data minimisation
• Pseudonymising
• Security features (Identity and Access, Encryption, Classification, Rights, masking etc.)
• Data Protection Impact Assessments
13. What does Gydeline do?
• Checks for compliance against everything mentioned above
• Enables proof of accountability
• Changes as the regulation changes
• Identifies specific actions
• Makes GDPR simpler to understand
This presentation gives a brief overview of the major points contained in the GDPR, the Gydeline approach and some next steps to think about. It should be noted that the website of the Information Commissioner's Office (ICO) is a great resource and should be considered the primary source for organisations in the UK. Gydeline takes the GDPR regulation and guidance from the ICO and gives output specific to a single organisation.
Here are some key overview points and context to consider when thinking about GDPR.
In order to avoid confusion, the GDPR applies to personal data, which is one of the categories listed on the slide. Personal data relates to a natural person rather than to any organisation. The GDPR applies to the data irrespective of whether it is stored on an electronic, paper or any other type of filing system. Filing implies that the data is structured and searchable in some way, as opposed to random and unsearchable.
Some types of personal data attract special consideration under the GDPR and so are worth noting.
The GDPR enshrines some basic data protection principles. It also requires that organisations are able to demonstrate their compliance with the GDPR; the Gydeline software is one way of demonstrating an organisation's compliance position.
The first step when looking at the GDPR should be to understand the legal basis upon which you are processing personal data. Consent is one method which is getting a lot of attention; however, a contract will negate the need for consent in many instances, as will vital and legitimate interests. By understanding its legal basis, an organisation may free itself from some requirements under the GDPR, or at least understand more clearly the scope which applies to it.
If consent is used as the basis of processing it must follow the following rules:
The GDPR gives rights to the data subject. Organisations should be aware of, and have processes to support, all of these rights.
This slide seeks to give a simple, easy to understand breakdown of the major areas of action organisations need to take. In terms of implementation, if an organisation does everything on this slide they will most likely be 99% compliant with the GDPR.
There are many overriding governance considerations within GDPR. These need to be available and documented should the supervisory authority (ICO in the UK) request information.
Finding the correct Data Protection Officer, if one is required, can be challenging, as there are few individuals with the requisite IT AND legal skills and experience.
Building on the governance considerations there are specific reporting requirements under the GDPR which need to be met.
A basic overview of the Gydeline software. For more information go to https://www.gydeline.com or email hello@gydeline.com.