Members evening - data protection
1. Ten things you need to know about the Data Protection Regulation
Presentation to MRS Members Evening
10th February 2016
Dr Michelle Goddard
Director of Policy & Standards
2. Topics for tonight
Why is it important?
What do you need to know?
How should you prepare?
4. It’s been a long road to get here …
From Directive to Regulation
2012 • European Commission GDPR proposals tabled
2014 • European Parliament adopted a first reading
2015 • Council of the EU agreed a general approach after trialogues
Dec 2015 • Informal Agreement reached on Compromise Text
5. … but the end is in sight
February 2016 • Translation of GDPR Compromise Text
April 2016 • Publication of Approved Text in Official Journal
May to June 2016 • GDPR enters into force in the UK
June 2018 • Enforcement of GDPR begins
6. Ten Things
1. Applies a harmonised regime directly in all Member States
2. Widens scope and application of data
3. Places liability on both data processors and controllers
4. Requires greater business accountability
5. Enhances individuals’ rights
6. Maintains exemption for research
7. Introduces notification of data breaches
8. Mandates appointment of Data Protection Officers
9. Raises standards for cross-border transfers
10. Increases fines and strengthens the enforcement regime
7. 1. Directly applicable and harmonised
From Directive to Regulation, so no need for national implementation
Built-in consistency mechanisms such as the European Data Protection Board and the One-Stop Shop for enforcement
… but over 50 areas for national carve-outs and modifications in Union and Member State law
… and will this affect ICO’s enforcement approach?
8. 2. Much wider scope and application
Expanded categories of personal data (including online identifiers), and special categories, i.e. sensitive personal data, now include biometric and genetic data
New explicit category of pseudonymised data as a security measure, but an art not a science
Extra-territorial scope: applies to activities of controllers and processors within and outside the EU processing data of EU citizens, so need to consider appointment of a representative
9. 3. Significant culture and risk shift for data processors
Data Controller
• Determines purposes and manner in which personal data is collected/used, e.g. client companies
• New mandatory contract terms inc security measures, right of audit of DP, sub-processor approvals
• Liability still includes full range of enforcement action and liability for breach of contract
Joint Data Controller
• Determines (with other DC) purposes and manner in which personal data is collected/used, e.g. research suppliers
• New mandatory contract terms inc security measures, right of audit of DP etc, and how data subjects can exercise rights and who provides information
• Liability still includes full range of enforcement action and liability for breach of contract
Data Processor
• Processes data on behalf of others, e.g. any other suppliers working on research data such as transcription, processing, coding, analysing, translation
• New mandatory contract terms inc seeking approval of DC for appointment of sub-processor and data transfer out of EEA
• Direct liability now includes full range of enforcement action in addition to liability for breach of contract
10. 4. Requires greater business accountability
Reduction of administrative burdens, e.g. no notifications to ICO, but …
Accountability and transparency requirements to:
entrench privacy by design and default
maintain good records inc privacy policies/notices and detailed internal documentation on processing activities
undertake privacy impact assessments for riskier or large-scale activities
implement technical and security measures
Some exemptions for SMEs but less useful for researchers
11. 5. Enhances rights of individuals
Individual right – status under GDPR
Right to data portability – New
Right to erasure – New
Right to restrict processing* – New but limited impact
Right of access to data* – Strengthened: includes retention period and possibly free and within 30 days
Right to information in notices – Strengthened: clearer and greater detail
Right to object to different types of processing (including profiling and marketing)* – Strengthened: burden now on controller to demonstrate compelling grounds
Right not to be evaluated on basis of automated processing – Equivalent provision
Right to rectification (of inaccurate data)* – Equivalent provision
Obligation on DC to notify third parties for rectification, erasure or restriction
Need to promote these rights to individuals
12. 6. Maintains an exemption for research
EFAMRO/ESOMAR gains from EU advocacy/lobbying include:
Broad definition of research:
Scientific research purposes should be interpreted in a broad manner
Statistical research purposes include statistical surveys, and their results may be used for other purposes
Research is a compatible purpose for further processing
Segmentation is not considered as profiling under the GDPR
Research exemption available to Member States
13. Grounds for processing research data under GDPR
Research exemption
Legitimate interests
Consent
… but remember obligations under MRS Code of Conduct
14. 7. Personal data breaches must be notified
When? Without undue delay or within 72 hours
To whom? Controllers, supervisory authorities and/or individuals affected
Why? Likelihood of risk/high risk to individuals, but not if unlikely to cause harm, e.g. a breach of encrypted data
15. 8. Need to appoint Data Protection Officer
Who needs to appoint a data protection officer?
Dependent on type of processing and risk, but likely to be mandatory for all researchers
Businesses should publish contact details and advise ICO
What is their role?
Act independently, reporting to highest level of management
Should understand your business
Liaison between business and data subjects/consumer champion?
Employee (or outsourced) protected from dismissal
16. 9. Raises standards for cross-border transfers
Current rules and mechanisms remain but will be kept under review
Safe Harbor invalidity decision remains (not affected by this process)
Adequacy decisions can be made by the EU Commission for territories, sectors and states, such as the EU-US Privacy Shield
Binding corporate rules still valid
Some procedural streamlining/flexibility
Model clauses favoured and no longer require DPA approval
DPAs may also create own model clauses
New avenue for transfers under approved codes of conduct
17. 10. Higher legal risks of non-compliance
Heavy sanctions for non-compliance: up to €20m (£15m) or 4% of turnover
Increased powers for supervisory authorities and liaison with the European Data Protection Board
Data subject claims for compensation for breaches
“Class actions” by consumer associations
… and also reputational risks …
18. Reputation at risk
80% of people would think twice about giving their business to an online company that made headlines for failing to stop a data security breach
YouGov 2016 poll for ICO
20. GDPR Compliance Project should start now
1. Assess business risk through understanding data use
2. Draw up compliance plan covering IT systems, staffing and policies
3. Commit to best practice in research and data management
4. Keep up to date through MRS
21. Practical Tips
Obligation: Adhere to data controller or data processor compliance obligations
What your business needs to do:
• Audit and understand data use
• Review and strengthen existing data policies
o Review and revise legacy contracts to consider mandatory terms and negotiations on apportionment of liability
o Establish appropriate technical and security measures for data protection
o Consider adequacy of mechanisms for cross-border transfers, e.g. contracts with cloud providers
o Set up process for written record-keeping of all categories of personal data
o Consult with ICO on riskier activities and privacy impact assessments
Obligation: Respect individual rights
What your business needs to do:
• Use clearer language in privacy policies and fair processing notices, but cover off intended purposes
• Review how consent is obtained and implement steps for recording it
• Establish clear data retention and deletion policies and communicate retention periods to individuals
• Review mechanisms for consent of children online
• Work with IT to set up procedures and systems for individuals to exercise the new rights of data portability and to be forgotten, and the enhanced information and rectification rights etc
22. Practical Tips
Obligation: Promote accountability across the business
Practical tips:
• Set up demonstrable processes to ensure accountability
• Conduct individual and staff training
• Appoint a data protection officer, considering outsourcing and sharing the role
Obligation: Prepare for data breach notifications
Practical tips:
• Set up internal procedures/strategy for data breach identification
• Establish process for notification to DPA and individuals
• Explore what “risk” to individuals means
• Build in effective ways of detecting breaches
Obligation: Embed privacy by design and default in research projects
Practical tips:
• Collect minimum information required for research projects
• Maintain accurate and up to date/current databases
• Client side need to engage with product teams earlier in process
• Use anonymisation, pseudonymisation and encryption security techniques
23. Keep up to date
Guidance and tools: FAQs, webinars and guidance notes
But let us know how we can best help you: training areas; webinar topics; new guidance
Follow guidance from ICO
Seek advice from CodeLine: Codeline@mrs.org.uk
Keep informed through MRS: www.mrs.org.uk, @tweetmrs
Morrison's (2014) – unusual example of an insider attack: the attacker published details of the firm’s entire workforce database online, 100,000 employees in all. Abuse of privileged access is hard to lock down. Some employees later launched legal action against Morrison's.
TalkTalk – reported in Feb 2016 that the breach cost £60 million and the loss of 95,000 customers. Publicised in October 2015, TalkTalk initially struggled to confirm how many of its four million customers were the rising number of breaches becomes both political and mainstream in the UK.
56 Dean Street – In September 2015, it was found that a London sexual health clinic, 56 Dean Street, had revealed the names and contact details of almost 800 HIV positive patients. The clinic accidentally disclosed the information when an email newsletter for the clinic's Option-E online service was sent out en masse, rather than to individual recipients.
Charity sector generally – Daily Mail investigation
Alzheimer’s Society - ICO has found serious failings in the way volunteers at a national dementia support charity handled sensitive personal data. It has ordered The Alzheimer’s Society to take action after discovering that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away. Furthermore, volunteers were not trained in data protection, the charity’s policies and procedures were not explained to them and they had little supervision from staff.
A 204-page document with more than 91 articles and 135 recitals.
Impetus for reform to take account of technological developments since 1995 including expansion in internet and mobile telephony
Heavily lobbied
Over 3000 amendments tabled
Comes into force 2 years and 20 days from publication in the Official Journal
Directly applicable but a lot still to be done
carve outs and discretion for Member States including consent of children; exemptions from individual rights for research processing
Guidance from supervisory authority
Art 29 WP to publish guidance
Definition of personal data: explicitly broadened to include any information ‘relating to’ an individual.
Pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.
If pseudonymised, then data breach notification, subject access and profiling may not apply.
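An added illustration, not taken from the presentation, of pseudonymisation as the definition above describes it: direct identifiers in a set of survey responses are replaced with keyed tokens, and the "additional information" needed to re-attribute them (the secret key and a lookup table) is kept by the controller, apart from the dataset passed to a research supplier. The record fields, the HMAC-based tokenisation and the sample responses are assumptions constructed for the example.

```python
# Added illustration (not from the presentation): pseudonymisation in the sense the
# GDPR text describes, with the "additional information" (a secret key and a
# lookup table) held separately from the dataset that is shared onwards.
import hashlib
import hmac
import secrets

# Constructed sample of raw survey responses, as a controller might hold them.
# The same respondent appears twice (two waves), with the email cased differently.
RAW_RESPONSES = [
    {"name": "Alice Example", "email": "Alice@example.org", "age": 34, "q1": "yes"},
    {"name": "Bob Example", "email": "bob@example.org", "age": 51, "q1": "no"},
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "q1": "maybe"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """The secret key is part of the 'additional information' and must be held
    separately from the pseudonymised dataset (different system, different access)."""
    return secrets.token_bytes(32)


def token_for(key: bytes, email: str) -> str:
    """Keyed token: the same respondent always gets the same token (so waves of a
    study can be linked) but nobody without the key can recompute it from a known email."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (dataset for the research supplier, lookup table kept by the controller)."""
    dataset, lookup = [], {}
    for rec in records:
        token = token_for(key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append({"respondent": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, lookup


def contains_direct_identifiers(dataset) -> bool:
    """Release check: no direct identifier field may leave the controller."""
    return any(k in DIRECT_IDENTIFIERS for rec in dataset for k in rec)


def reidentify(token: str, lookup: dict):
    """Only the party holding the separately stored lookup can re-attribute a token,
    e.g. to honour an access, rectification or erasure request."""
    return lookup.get(token)


if __name__ == "__main__":
    key = new_key()
    dataset, lookup = pseudonymise(RAW_RESPONSES, key)
    print(dataset)  # tokens plus answers only
    print(reidentify(dataset[0]["respondent"], lookup))
```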
Wider responsibilities placed directly on data processors and a much higher risk profile: previously there were no direct obligations, but now there is responsibility for data transfers; direct action can be taken against
Mandatory terms included in contracts with data processors
processors must seek approval to appoint sub-processors and to transfer personal data out of the EEA;
controllers’ right to audit DP is now in the legislation rather than, as previously, a matter of practice
Record keeping
Who the controller is? Name? Location? Categories of processing? Data security measures in place?
lists things such as the purpose of the processing, the description of the categories of data subjects and personal data, the categories of recipients to whom personal data is disclosed and (where possible) the time limits for erasure and a description of the security measures taken by the controller.
Similar provisions for processors, although they are slightly less prescriptive
Privacy impact assessments
Important for riskier or large-scale activities – can be used currently but have a central role in the new scheme. A process which assists you in identifying and minimising the privacy risks of new projects or policies. It involves working with people within your organisation, with partner organisations and with the people affected so that you can identify and reduce privacy risks. Describe the information flows.
Adherence to code of conduct suggested as a way of controllers and processors demonstrating compliance
New rights
Legislates right to be forgotten (however can still process if compelling legitimate grounds for processing to continue) and data controllers are also obliged to inform other controllers who may be processing to delete if this request is received. Applies to data made public especially online
Right of data portability so that customers can request their data be provided in a usable, transferable format and allow them to move data between platforms or suppliers. Automated data collection. Applies if details collected by consent or contract
Right to restrict processing – where data cannot be deleted because required for legal reasons
Strengthened Rights
Right to object to profiling and not be subject to decisions based on automated processing, e.g. online behavioural advertising, assessing creditworthiness: automated processing where a decision is made that has legal or significant effects on the individual (not where necessary for contract or based on explicit consent). Cannot rely on legitimate interest for profiling.
Right to object to certain types of processing inc processing for direct marketing and profiling for direct marketing (balancing test also in place). It is broader than before, as individuals can object to processing for legitimate interests or direct marketing without providing specific reasons. But note there is always a right to object for research.
Right to be provided with greater fair processing information such as the source of the data and the retention period. Minimum and/or further information depending on what is required for full transparency. A lot of this is reflected in industry code of practices for research. Information has to be provided in an intelligible form using clear and plain language.
Subject rights access – free??
*n/a if using research exemption
Scientific research - inc technological development and demonstration, fundamental research, applied research and privately funded research; public health (recital 126)
Statistical purposes – definition to be set out in EU or MS law i.e. statistical content, control of access, specifications for processing, appropriate measures to safeguard rights and freedom of data subject and to guarantee statistical confidentiality. Statistical purpose implies that it is aggregate data.
Consent:
Specific, informed and freely given consent through clear affirmative action, but explicit for sensitive personal data (provided this does not override individual rights). Significant shift in the burden of proof: you will need to be able to provide evidence that you obtained consent from specific data subjects, which is going to require much better record keeping for many organisations.
Legitimate interest - based on reasonable expectations and provided does not override the rights of individuals (research is a compatible purpose)
Research exemption - (if implemented) where impossible to conduct research otherwise research can be exempted from data subject access; rectification of inaccurate data; restriction of processing and right to object including right to object to data processed for research purposes but subject to adoption of technical and organisational measures to limit collection to the minimum and the use of methods that de-identify
Other grounds apply but less likely to be relied on are contract; compliance with legal obligation; vital interests of data subject; public interests
“Personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Important to note that the definition of a personal data breach is wide and for example includes unlawful destruction, but it is tied into the requirement for strong security obligations.
Requirement to notify to the authorities without undue delay and not later than 72 hours … where there is a likelihood of risk … what exactly does that mean? Broad scope for discussion and may be an area where we can expect some guidance
In addition to DPA’s also need to notify to data subjects where there is a likelihood of high risk so for example
Mandatory DPO: compulsory for a public authority or body, or where core activities consist of “regular and systematic monitoring on a large scale” or “large scale processing of special categories of data”
Level 1 breaches include principles for processing including consent conditions; data subjects’ rights; conditions for lawful international data transfers; specific obligations under national law as permitted by GDPR; orders by data protection authorities including suspension of data flows. Criteria to be taken into account in fining are set out, and factors such as repeat breaches and gravity of breach will be taken into account. In addition to these high fines, DPAs now have greater investigative powers to compel information from DCs and DPs and gain access to premises etc.
In considering level of fine DPO can also consider adherence to Code
If DPAs do not act, individuals can (on their own or with representation) and consumer protection groups can (if allowed by national law). So in addition to administrative fines, businesses can also be liable to pay compensation to individuals.
Current ICO maximum is £500,000 and highest penalty is £200,000 with average penalty of £104,773
YouGov Poll – sample size 2,039: 20% would definitely stop using; 57% would consider; 8% would make no difference; 14% didn’t know