Building a register of data processing activities
Workshop overview
• Key requirements of the General Data Protection Regulation
• What is personal data?
• What personal data do you collect?
• Why we are here today – to compile a record of data processing activities
• What is lawful processing?
• What are legitimate interests?
• What is consent?
• Mix and match exercise
• What is a data processor?
• What is a data controller?
• Controller or processor?
• How long should you keep data?
• Privacy notices
• Recording processing activities
• Summary
What is data protection?
Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations re security. The current UK law is the Data Protection Act 1998.
What is the General Data Protection Regulation?
-A new EU Regulation that governs the processing of personal data
-It is an evolution of existing laws
-It introduces a number of administrative burdens and documentation requirements – such as records of processing, and in high risk situations, data protection impact assessments
-The rights of individuals in relation to their data have been enhanced
-Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data
-Organisations must be in compliance by 25 May 2018
-In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
What is personal data?
Personal data
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of personal data (AKA sensitive personal data)
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
What personal data do you collect?
Personal data
Special categories of personal data (AKA sensitive personal data)
Register of data processing activities
The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators.
Controls
1. A register must be maintained that includes the following information: the name and contact details of the controller, the controller's representative (where entity is non-EU) and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures applied to the data.
Record processing at activity level
What processing activities do you do?
Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities)
Recruitment: how people apply for jobs online, by email. Reference checking.
Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances.
Workplace: CCTV, reporting an accident, issuing a security card
Communications: signing up for newsletters and other marketing communications
Activity: What other processing activities do you do?
What information should you record?
•Department;
•Process owner;
•Step by step process flow – from collection to disposal;
•Categories of data collected (e.g. bank account data, NI number, home address, email);
•Data subjects (e.g. job applicants, contacts, employees, customers);
•Link to the applicable privacy notice
•Lawful grounds for processing (and this process will involve close scrutiny of these) of personal data and special categories of personal data;
•Where data is stored and accessed from (taking into account data processors, data centre location)
•Where there is an ex-EEA* transfer, what is the legal mechanism for this;
•Suggested retention period if not already agreed;
•Whether there is a statutory retention period (and if so, what is the law/regulation)
•Who has access to the data;
•Are there any data processors involved in the process (and who they are);
•Is any data being shared with data controllers?
•Has infosec due diligence been conducted on data processors involved?;
•Check of the contract clauses to see if they meet Article 28 (Processor) requirements;
•Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training)
Items in red will need to be confirmed by your data protection officer or other.
* European Economic Area – EU plus Norway, Iceland and Liechtenstein.
What are lawful grounds for processing?
Any activity involving personal data should have lawful grounds for processing. The grounds available to choose from for a commercial organisation:
-You have the individual’s consent to use their personal data in this way
-It is strictly necessary for the performance of a contract with the individual
-It is strictly necessary to fulfil a legal obligation
-It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual
-It is for the vital interests of the individual (life and death).
There are additional grounds that need to be met for the lawful processing of special categories of data.
Let’s have a closer look at consent…
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Now let’s look at legitimate interests
What are your legitimate interests?
Sounds like a way to make anything lawful? NO!
Your organisation has to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations and so on.
Examples where legitimate interests might be considered:
Limited use of CCTV for security purposes
Limited analysis of data for marketing purposes
Fraud prevention
NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice.
Now let’s ‘Mix and Match’
Mix and Match: fair processing
conditions (use some relevant processing activities and ask delegates which grounds they would use)
What is a data processor?
You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it.
When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g. outsourcing payroll, email marketing management.
Requirements
-You must have a process to assess that the processor has the ability to protect data accordingly;
-You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included;
-By May 2018 all contracts will need to be reviewed and amended accordingly.
In building the register we are identifying where data processors exist (and where they store our personal data) and so we can see where remediation might be required.
What is a data controller?
A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness.
Examples:
•HMRC
•Courts
•Other group entities (depending on the purposes for data sharing)
•Other corporates for their own marketing purposes
Actions
In the record keeping activity process we are identifying where data controllers exist and so we can check that the sharing is lawful.
Processor or Controller?
(using examples that are relevant to your organization, ask delegates whether they would be acting as a data controller or a data processor)
How long should I keep data?
GDPR Article 5.1a: (Personal data must be) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.
Considerations?
•Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period?
•In the absence of a statutory requirement, how long do you need the personal data?
•What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing and do these influence the retention period?
•Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymisation).
Privacy Notice requirements in GDPR
Ideally provided at the time you collect personal data, a privacy notice explains:
-The identity and contact details of the controller
-Contact details for the data protection office(r)
-The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
-Recipients and categories of recipients
-Intention to transfer personal data to a recipient in a ‘third country’
-The period personal data will be stored for
-Awareness of all of their rights and how they can be exercised
-Where processing is consent based, the existence of the right to withdraw consent at any time
-The right to complain to the supervisory authority (in the UK being the ICO)
-Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and the consequences of failing to provide it
How else are we using the information that we will collect?
Record retention: the process enables us to decide how long we will retain personal data – this is critical because the GDPR will require retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period would also be disclosed.
Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.
Consent: We can assess whether consent is being used appropriately, and if we are reliant upon consent, that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.
International transfers: We need to know exactly where data is located and where it can be accessed from, as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.
Now let’s try to fill in a form… (provide a template for people to fill in)
Summary
• Completing a register of data processing activities is a critical first step in compliance with the GDPR.
• It provides us with information on lawful processing and the involvement of data processors/third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data.
• It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken, and the register updated. A data protection impact assessment may also be required if the project is high risk.

More Related Content

What's hot

The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection Act
SaimaRafiq
 

What's hot (20)

Data Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethicsData Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethics
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
 
Data breach
Data breachData breach
Data breach
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
 
Data Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPRData Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPR
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyData & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny Leroy
 
GDPR: Data Breach Notification and Communications
GDPR: Data Breach Notification and CommunicationsGDPR: Data Breach Notification and Communications
GDPR: Data Breach Notification and Communications
 
Data protection
Data protectionData protection
Data protection
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theft
 
WB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection BillWB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection Bill
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protection
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
GDPR Data Subject Rights - What You Need to Know
GDPR Data Subject Rights - What You Need to KnowGDPR Data Subject Rights - What You Need to Know
GDPR Data Subject Rights - What You Need to Know
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection Act
 
GDPR
GDPRGDPR
GDPR
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 

Similar to Building a register of data processing

GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptx
pixvilx
 

Similar to Building a register of data processing (20)

GDPR Demystified
GDPR Demystified GDPR Demystified
GDPR Demystified
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
Gdpr for business full
Gdpr for business fullGdpr for business full
Gdpr for business full
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptx
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)
 
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, Exeter
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?
 
GDPR master class accountable research organisations (january 2018)
GDPR master class   accountable research organisations (january 2018)GDPR master class   accountable research organisations (january 2018)
GDPR master class accountable research organisations (january 2018)
 

Recently uploaded

一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
Airst S
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
Airst S
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
F La
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
irst
 
一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书
一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书
一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书
F La
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理
Airst S
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
Airst S
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
ss
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
bd2c5966a56d
 

Recently uploaded (20)

ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy NovicesIt’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
Chambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&AChambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&A
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书
一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书
一比一原版(Essex毕业证书)埃塞克斯大学毕业证学位证书
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 

Building a register of data processing

  • 1. Building a register of data processing activities
  • 2. Workshop overview • Key requirements of the General Data Protection Regulation • What is personal data? • What personal data do you collect? • Why we are here today – to compile a record of data processing activities • What is lawful processing? • What are legitimate interests? • What is consent? • Mix and match exercise • What is a data processor? • What is a data controller? • Controller or processor? • How long should you keep data? • Privacy notices • Recording processing activities • Summary
  • 3. What is data protection? Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations re security. The current UK law is the Data Protection Act 1998. What is the General Data Protection Regulation? -A new EU Regulation that governs the processing of personal data -It is an evolution of existing laws -It introduces a number of administrative burdens and documentation requirements – such as records of processing, and in high risk situations, data protection impact assessments -The rights of individuals in relation to their data have been enhanced -Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data -Organisations must be in compliance by 25 May 2018 -In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
  • 4. What is personal data? Personal data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Special categories of personal data (AKA sensitive personal data) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
  • 5. What personal data do you collect? Personal data Special categories of personal data (AKA sensitive personal data)
  • 6. Register of data processing activities The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators. Controls 1.A register must be maintained that includes the following information: the name and contact details of the controller, the controller's representative (where entity is non-EU) and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures applied to the data.
  • 7. Record processing at activity level What processing activities do you do? Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities) Recruitment: how people apply for jobs online, by email. Reference checking. Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances. Workplace: CCTV, reporting an accident, issuing a security card Communications: signing up for newsletters and other marketing communications Activity: What other processing activities do you do?
  • 8. What information should you record? •Department; •Process owner; •Step by step process flow – from collection to disposal; •Categories of data collected (e.g. bank account data, NI number, home address, email); •Data subjects (e.g job applicants, contacts, employees, customers); •Link to the applicable privacy notice •Lawful grounds for processing (and this process will involve close scrutiny of these) of personal data and special categories of personal data; •Where data is stored and accessed from (taking into account data processors, data centre location) •Where there is an ex-EEA* transfer, what is the legal mechanism for this; •Suggested retention period if not already agreed; •Whether there is a statutory retention period (and if so, what is the law/regulation) •Who has access to the data; •Are there any data processors involved in the process (and who they are); •Is any data being shared with data controllers? •Has infosec due diligence been conducted on data processors involved?; •Check of the contract clauses to see if they meet Article 28 (Processor) requirements; •Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training) Items in red will need to be confirmed by your data protection officer or other. * European Economic Area – EU plus Norway, Iceland and Liechteinstein.
  • 9. What are lawful grounds for processing? Any activity involving personal data should have a lawful grounds for processing. The grounds available to chose from for a commercial organisation: -You have the individual’s consent to use their personal data in this way -It is strictly necessary for the performance of a contract with the individual -It is strictly necessary to fulfil a legal obligation -It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual -It is for the vital interests of the individual (life and death). There are additional grounds that need to be met for the lawful processing of special categories of data. Let’s have a closer look at consent….
  • 10. Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Now let’s look at legitimate interests
  • 11. What are your legitimate interests?
Sounds like a way to make anything lawful? NO!
Your organisation has to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations and so on.
Examples where legitimate interests might be considered:
-Limited use of CCTV for security purposes
-Limited analysis of data for marketing purposes
-Fraud prevention
NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice.
Now let’s ‘Mix and Match’
  • 12. Mix and Match: fair processing conditions (use some relevant processing activities and ask delegates which grounds they would use)
  • 13. What is a data processor?
You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it.
When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g. outsourcing payroll, email marketing management.
Requirements
-You must have a process to assess that the processor has the ability to protect data accordingly;
-You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included;
-By May 2018 all contracts will need to be reviewed and amended accordingly.
In building the register we are identifying where data processors exist (and where they store our personal data) so we can see where remediation might be required.
  • 14. What is a data controller?
A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness.
Examples:
•HMRC
•Courts
•Other group entities (depending on the purposes for data sharing)
•Other corporates for their own marketing purposes
Actions
In the record keeping activity process we are identifying where data controllers exist so we can check that the sharing is lawful.
  • 15. Processor or Controller? (using examples that are relevant to your organisation, ask delegates whether they would be acting as a data controller or a data processor)
  • 16. How long should I keep data?
GDPR Article 5.1a: (Personal data must be) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.
Considerations?
•Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period?
•In the absence of a statutory requirement, how long do you need the personal data?
•What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing and do they influence the retention period?
•Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymisation).
  • 17. Privacy Notice requirements in GDPR
Ideally provided at the time you collect personal data, a privacy notice explains:
-The identity and contact details of the controller
-Contact details for the data protection office(r)
-The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
-Recipients and categories of recipients
-Intention to transfer personal data to a recipient in a ‘third country’
-The period personal data will be stored for
-Awareness of all of their rights and how they can be exercised
-Where processing is consent based, the existence of the right to withdraw consent at any time
-The right to complain to the supervisory authority (in the UK being the ICO)
-Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and the consequences if they fail to provide it
  • 18. How else are we using the information that we will collect?
Record retention: the process enables us to decide how long we will retain personal data – this is critical because the GDPR will require retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period would also be disclosed.
Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.
Consent: We can assess whether consent is being used appropriately, and if we are reliant upon consent, that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.
International transfers: We need to know exactly where data is located and where it can be accessed from, as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.
Now let’s try to fill in a form… (provide a template for people to fill in)
  • 19. Summary
• Completing a register of data processing activities is a critical first step in compliance with the GDPR.
• It provides us with information on lawful processing and the involvement of data processors/third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data.
• It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken, and the register updated. A data protection impact assessment may also be required if the project is high risk.