4. Outcomes for this session
• Basic understanding of GDPR
• Basic understanding of the role of the Data Protection Officer
• Know the steps organisations should take now
6. Main features of the GDPR
• Same basic principles as DPA, but strengthened
• Accountability
• New rights for individuals
• Strengthening of existing rights
• Breach reporting
• Data protection impact assessments
• Higher penalties for non-compliance
7. Main features of GDPR
New definition of personal data
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
8. Main features of GDPR
Special categories of data
• Race or ethnic origin
• Political Opinions
• Religious or Philosophical Beliefs
• Trade Union Membership
• Health or Sex Life and Sexual Orientation
• Genetic or Biometric data in order to uniquely identify a person
9. Main features of GDPR
New definition of processing
Any operation or set of operations which is performed on personal data, whether or not automated, including collecting, recording, organising, structuring, storing, adapting, altering, disclosure, erasure or destruction.
10. Main features of GDPR
New data protection principles
1. Data must be processed lawfully, fairly and in a transparent manner
2. Data must only be collected for a specified, explicit and legitimate purpose
3. Data must only be processed to the extent that it is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed
4. Data must be accurate and up to date. Data which is inaccurate should be erased or rectified without delay
5. Identifiable data should not be kept longer than is necessary
6. Ensure appropriate security of the data
• Demonstrate compliance with the Regulations
11. Main features of the GDPR
Conditions for processing personal data
• Consent (new provisions for consent)
• Contractual necessity
• Legal obligation
• Vital Interests of the data subject or of another natural person
• Public Interest or exercise of official authority
• Legitimate interests of the data controller or of a third party to whom the data is disclosed (but not of a public authority)
12. Main features of GDPR
Conditions for processing special categories of data
• Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
• Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
• Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
13. Main features of the GDPR
Conditions for processing special categories of data (contd)
• Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
• Processing relates to personal data manifestly made public by the data subject
• Processing is necessary for the establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity
14. Main features of the GDPR
Conditions for processing special categories of data (contd)
• Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
• Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional
15. Main features of the GDPR
Conditions for processing special categories of data (contd)
• Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
• Processing is necessary for archiving purposes in the public interest, or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1)
16. Demonstrate compliance
Organisations will need to be able to show compliance through:
• Requirement to implement appropriate technical and
organisational measures
• Maintaining records on processing activities
• Data protection impact assessments
• Requirement to appoint a data protection officer
• Data protection by design and default
• Codes of conduct and certification schemes
17. Information asset audit
If you are concerned about compliance, you should carry out an information audit:
• What data do you process?
• For what purposes?
• What legal basis do you use?
• Who do you share data with?
• Can you identify a specific individual’s data and provide it within one month?
18. New rules for data processors
Who are data processors?
Third parties who process data on your behalf
• Contractors
• IT providers
• Payroll processors
• Archiving companies
19. New rules for data processors
New GDPR obligations on data processors
• Appoint a DPO?
• Consent needed from controller for subcontracting
• Maintain records of processing activity
• Notify data controller of any breach
• Liability for claims
• May also be subject to fines
20. New rules for data processors
What do you need to do?
• Review existing contracts to ensure they include GDPR clauses
• Review clauses relating to limitation of liability, insurance, indemnities and warranties
• Update standard contracts
• Update procurement processes to include GDPR due diligence
21. The ICO’s key steps to take now
1. Awareness
Make sure decision makers are aware of the change and its impact
• Nominate a responsible member of the senior management team
• Organise a working group (IT, HR) and get meetings in the diary
• Add data protection to your risk register
22. The ICO’s key steps to take now
2. Information you hold
Document the information you hold
• Where it came from
• Who you share it with
• Do you need to carry out an information audit? (invariably - yes!)
23. The ICO’s key steps to take now
3. Communicating privacy notices
Review privacy notices and put in place changes for the GDPR
• New notices must include:
  • Legal basis for processing
  • Data retention periods
  • Complaints
• Concise and easy to understand language
• ICO privacy notice code of practice reflects changes
24. The ICO’s key steps to take now
4. Individuals’ rights
Check your procedures to make sure they cover all new rights
• Subject access
• Inaccuracies corrected
• Information erased (‘right to be forgotten’)
• Prevent direct marketing
• Prevent automated decision-making and profiling
• Data portability
25. The ICO’s key steps to take now
4. Individuals’ rights (contd)
Data controllers must provide the following to data subjects on request:
• Identity and contact details of the data controller and data protection officer
• Intended purpose of processing and period for which data will be stored
• Existence of rights: access, rectification, object and erasure
• Right to lodge a complaint internally and to a supervisory authority
26. The ICO’s key steps to take now
4. Individuals’ rights (contd)
Data controllers must provide the following on request (contd):
• Recipients or categories of recipients to whom data will be disclosed
• Intention to transfer to another country or international organisation
• Information must be concise, transparent, intelligible and easily accessible
• Must be provided in writing unless otherwise requested.
27. The ICO’s key steps to take now
5. Subject access requests
• Must respond within one month but can extend for complex requests
• No fee
• Requestor can ask for electronic format
• Manifestly unfounded or excessive requests may be charged for or refused
• Train staff to recognise a subject access request
• Develop template response letters
• Online portal for accessing information?
28. The ICO’s key steps to take now
6. Legal basis for processing data
• Review the types of processing you are carrying out
• Identify legal basis for each type
• Document the legal basis
29. The ICO’s key steps to take now
7. Consent
• Review how you are seeking, obtaining and recording consent and whether you need to make changes
• Consent must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual’s agreement
• Burden on data controller to show consent freely given
• Withdrawal of consent should be as easy as grant of consent
• Purpose limited
30. The ICO’s key steps to take now
8. Children
• Where you do not have a different legal basis for processing, parents will need to give consent
• Special protection for children’s data:
  • Stronger ‘right to be forgotten’
  • Limitations on the legitimate interests condition for processing
• If you ask children to sign up to apps or online services, think about how you are going to get consent from parents
• Where services are offered directly to a child, you must ensure the privacy notice is written in a clear, plain way that a child will understand
31. The ICO’s key steps to take now
9. Data breaches
Make sure you have procedures in place to detect, report and investigate a personal data breach
• You have 72 hours to report a breach
• Only need to report a breach where the individual is likely to suffer some form of damage – such as identity theft or a confidentiality breach
• Notify the affected data subjects
• Fines will be based on:
  • Nature, gravity and duration of the breach
  • Whether intentional or negligent
  • Previous breaches
  • Technical and organisational measures in place
32. The ICO’s key steps to take now
10. Data protection by design and data protection impact assessments (privacy impact assessments)
At the outset of every project think about personal data
• Consider how you can minimise personal data use and risk
• Legal requirement to carry out a privacy impact assessment
• ICO guidance on privacy impact assessments
33. The ICO’s key steps to take now
11. Data protection officers
You should designate a DPO
• Responsible for data protection compliance
• Inform and advise the organisation
• Monitor the implementation and application of the Regulations and the data protection policies
• Monitor privacy impact assessments and breaches
• Point of contact for ICO
34. The ICO’s key steps to take now
11. Data protection officers (contd)
• Can allocate the role to an existing employee as long as their duties are compatible with the duties of the DPO and do not lead to a conflict of interests
• Can appoint the role externally
• Can share a DPO over a number of data controllers
• No specified qualifications, but must have experience and knowledge of data protection law
35. The ICO’s key steps to take now
11. Data protection officers (contd)
You must ensure that:
• The DPO reports to the highest management level of your organisation – ie board level
• The DPO operates independently and is not dismissed or penalised for performing their task
• Adequate resources are provided to enable DPOs to meet their GDPR obligations
36. The ICO’s key steps to take now
12. International
• Trips outside the EU?
• Subcontractors processing information outside the EU?
37. Other points
• ICO overview of the GDPR
• Some personal information is not covered by the GDPR (policing and national security). These areas are covered by the Data Protection Bill.
• The Data Protection Bill also covers areas where the UK is given discretion and exemptions by the GDPR.