Ten things you need to know about the Data Protection Regulation
Presentation to MRS Members Evening, 10th February 2016
Dr Michelle Goddard, Director of Policy & Standards
Topics for tonight
• Why is it important?
• What do you need to know?
• How should you prepare?
Why this matters!
It’s been a long road to get here ….
• 2012: European Commission GDPR proposals tabled
• 2014: European Parliament adopted a first reading
• 2015: Council of the EU agreed a general approach after trilogues
• Dec 2015: Informal agreement reached on Compromise Text
From Directive to Regulation
… but the end is in sight
• February 2016: Translation of GDPR Compromise Text
• April 2016: Publication of Approved Text in Official Journal
• May to June 2016: GDPR enters into force in the UK
• June 2018: Enforcement of GDPR begins
Ten Things
1. Applies a harmonised regime directly in all Member States
2. Widens scope and application of data
3. Places liability on both data processors and controllers
4. Requires greater business accountability
5. Enhances individuals’ rights
6. Maintains exemption for research
7. Introduces notification of data breaches
8. Mandates appointment of Data Protection Officers
9. Raises standards for cross-border transfers
10. Increases fines and strengthens the enforcement regime
1. Directly applicable and harmonised
• From Directive to Regulation, so no need for national implementation
• Built-in consistency mechanisms such as the European Data Protection Board and the One-Stop Shop for enforcement
• …. but over 50 areas for national carve-outs and modifications in Union and Member State law
• … and will this affect the ICO’s enforcement approach?
2. Much wider scope and application
• Expanded categories of personal data (including online identifiers); special categories, i.e. sensitive personal data, now include biometric and genetic data
• New explicit category of pseudonymised data as a security measure, but an art not a science
• Extra-territorial scope: activities of controllers and processors within and outside the EU processing data of EU citizens, so need to consider appointment of a representative
3. Significant culture and risk shift for data processors
Data Controller
• Determines purposes and manner in which personal data is collected/used, e.g. client companies
• New mandatory contract terms including security measures, right of audit of the data processor, sub-processor approvals
• Liability still includes full range of enforcement action and liability for breach of contract
Joint Data Controller
• Determines (with other data controllers) purposes and manner in which personal data is collected/used, e.g. research suppliers
• New mandatory contract terms including security measures, right of audit of the data processor etc., how data subjects can exercise rights and who provides information
• Liability still includes full range of enforcement action and liability for breach of contract
Data Processor
• Processes data on behalf of others, e.g. any other suppliers working on research data such as transcription, processing, coding, analysing, translation
• New mandatory contract terms including seeking approval of the data controller for appointment of a sub-processor and for data transfer out of the EEA
• Direct liability now includes full range of enforcement action in addition to liability for breach of contract
4. Requires greater business accountability
Reduction of administrative burdens, e.g. no notifications to ICO, but …
Accountability and transparency requirements to:
• entrench privacy by design and default
• maintain good records including privacy policies/notices and detailed internal documentation on processing activities
• undertake privacy impact assessments for riskier or large-scale activities
• implement technical and security measures
Some exemptions for SMEs but less useful for researchers
5. Enhances rights of individuals
Individual right | Status under GDPR
Right to data portability | New
Right to erasure | New
Right to restrict processing* | New but limited impact
Right of access to data* | Strengthened – includes retention period and possibly free and within 30 days
Right to information in notices | Strengthened – clearer and greater detail
Right to object to different types of processing (including profiling and marketing)* | Strengthened – burden now on controller to demonstrate compelling grounds
Right not to be evaluated on basis of automated processing | Equivalent provision
Right to rectification (of inaccurate data)* | Equivalent provision
Obligation on DC to notify third parties for rectification, erasure or restriction
Need to promote these rights to individuals
6. Maintains an exemption for research
EFAMRO/ESOMAR gains from EU advocacy/lobbying include:
• Broad definition of research:
  • Scientific research purposes should be interpreted in a broad manner
  • Statistical research purposes include statistical surveys, and their results may be used for other purposes
• Research is a compatible purpose for further processing
• Segmentation is not considered as profiling under the GDPR
• Research exemption available to Member States
Grounds for processing research data under GDPR
• Research exemption
• Legitimate interests
• Consent
… but remember obligations under the MRS Code of Conduct
7. Personal data breaches must be notified
When? Without undue delay, or within 72 hours
To whom? Controllers, supervisory authorities and/or individuals affected
Why? Likelihood of risk/high risk to individuals, but not if unlikely to cause harm, e.g. breaches of encrypted data
8. Need to appoint Data Protection Officer
• Who needs to appoint a data protection officer?
  • Dependent on type of processing and risk, but likely to be mandatory for all researchers
  • Businesses should publish contact details and advise the ICO
• What is their role?
  • Act independently, reporting to the highest level of management
  • Should understand your business
  • Liaison between business and data subjects/consumer champion?
  • Employee (or outsourced) protected from dismissal
9. Raises standards for cross-border transfers
• Current rules and mechanisms remain but will be kept under review
  • Safe Harbor invalidity decision remains (not affected by this process)
  • Adequacy decisions can be made by the EU Commission for territories, sectors and states, such as the EU-US Privacy Shield
  • Binding corporate rules still valid
• Some procedural streamlining/flexibility
  • Model clauses favoured and no longer require DPA approval
  • DPAs may also create their own model clauses
  • New avenue for transfers under approved codes of conduct
10. Higher legal risks of non-compliance
Heavy sanctions for non-compliance: up to €20m (£15m) or 4% of turnover
Increased powers for supervisory authorities and liaison with the European Data Protection Board
Data subject claims for compensation for breaches
“Class actions” by consumer associations
…. and also reputational risks …
Reputation at risk
80% of people would think twice about giving their business to an online company that made headlines for failing to stop a data security breach
YouGov 2016 poll for the ICO
How should you prepare?
GDPR Compliance Project should start now
1. Assess business risk through understanding data use
2. Draw up compliance plan covering IT systems, staffing and policies
3. Commit to best practice in research and data management
4. Keep up to date through MRS
Practical Tips
Obligation: Adhere to data controller or data processor compliance obligations
What your business needs to do:
• Audit and understand data use
• Review and strengthen existing data policies
  o Review and revise legacy contracts to consider mandatory terms and negotiations on apportionment of liability
  o Establish appropriate technical and security measures for data protection
  o Consider adequacy of mechanisms for cross-border transfers, e.g. contracts with cloud providers
  o Set up process for written record-keeping of all categories of personal data
  o Consult with ICO on riskier activities and privacy impact assessments
Obligation: Respect individual rights
What your business needs to do:
• Use clearer language in privacy policies and fair processing notices, but cover off intended purposes
• Review how consent is obtained and implement steps for recording it
• Establish clear data retention and deletion policies and communicate retention periods to individuals
• Review mechanisms for consent of children online
• Work with IT to set up procedures and systems for individuals to exercise new rights of data portability and to be forgotten, and enhanced information and rectification rights etc.
Practical Tips
Obligation: Promote accountability across the business
Practical tips:
• Set up demonstrable processes to ensure accountability
• Conduct individual and staff training
• Appoint a data protection officer, considering outsourcing and sharing the role
Obligation: Prepare for data breach notifications
Practical tips:
• Set up internal procedures/strategy for data breach identification
• Establish process for notification to DPA and individuals
• Explore what “risk” to individuals means
• Build in effective ways of detecting breaches
Obligation: Embed privacy by design and default in research projects
Practical tips:
• Collect minimum information required for research projects
• Maintain accurate and up-to-date/current databases
• Client side needs to engage with product teams earlier in the process
• Use anonymisation, pseudonymisation and encryption security techniques
Keep up to date
• Guidance and tools
  • FAQs, webinars and guidance notes
  • But let us know how we can best help you
  • Training areas; webinar topics; new guidance
• Follow guidance from ICO
• Seek advice from CodeLine
  • Codeline@mrs.org.uk
• Keep informed through MRS
  • www.mrs.org.uk
  • @tweetmrs
THANK YOU
www.mrs.org.uk/standards

Contenu connexe

Tendances

EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
VYTIS MALECKAS
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection Regulation
Ghostery, Inc.
 

Tendances (20)

Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPR
 
UK GDPR: What New Direction?
UK GDPR:  What New Direction?UK GDPR:  What New Direction?
UK GDPR: What New Direction?
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...
 
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
 
EU Data Protection Regulation: Role of the Data Protection Officer
EU Data Protection Regulation: Role of the Data Protection OfficerEU Data Protection Regulation: Role of the Data Protection Officer
EU Data Protection Regulation: Role of the Data Protection Officer
 
What about GDPR?
What about GDPR?What about GDPR?
What about GDPR?
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection Regulation
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
The EU Data Protection Regulation - what you need to know
The EU Data Protection Regulation - what you need to knowThe EU Data Protection Regulation - what you need to know
The EU Data Protection Regulation - what you need to know
 
GDPR security services - Areyou ready ?
GDPR security services - Areyou ready ?GDPR security services - Areyou ready ?
GDPR security services - Areyou ready ?
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 

En vedette

MRS Speaker Evening - Better Customer Communications with Behavioural Economics
MRS Speaker Evening - Better Customer Communications with Behavioural EconomicsMRS Speaker Evening - Better Customer Communications with Behavioural Economics
MRS Speaker Evening - Better Customer Communications with Behavioural Economics
Michelle Denslow
 

En vedette (7)

MRS Members' Evening April 2016
MRS Members' Evening April 2016MRS Members' Evening April 2016
MRS Members' Evening April 2016
 
Mrs members' Evening - March 2016
Mrs members' Evening - March 2016Mrs members' Evening - March 2016
Mrs members' Evening - March 2016
 
MRS Speaker Evening - Understanding the Chinese consumer in the 21st Century:
MRS Speaker Evening - Understanding the Chinese consumer in the 21st Century: MRS Speaker Evening - Understanding the Chinese consumer in the 21st Century:
MRS Speaker Evening - Understanding the Chinese consumer in the 21st Century:
 
MRS Speaker Evening- Are millennials cashing out - youth sight
MRS Speaker Evening-  Are millennials cashing out - youth sightMRS Speaker Evening-  Are millennials cashing out - youth sight
MRS Speaker Evening- Are millennials cashing out - youth sight
 
BIMA Breakfast Briefing | GDPR & Why People Say YES to Marketing
BIMA Breakfast Briefing | GDPR & Why People Say YES to MarketingBIMA Breakfast Briefing | GDPR & Why People Say YES to Marketing
BIMA Breakfast Briefing | GDPR & Why People Say YES to Marketing
 
MRS Speaker Evening - Better Customer Communications with Behavioural Economics
MRS Speaker Evening - Better Customer Communications with Behavioural EconomicsMRS Speaker Evening - Better Customer Communications with Behavioural Economics
MRS Speaker Evening - Better Customer Communications with Behavioural Economics
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similaire à Members evening - data protection

GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
Jim Wilson
 
MRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational MeasuresMRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational Measures
MRS
 

Similaire à Members evening - data protection (20)

De groote de man Ingrid de Poorter
De groote de man Ingrid de PoorterDe groote de man Ingrid de Poorter
De groote de man Ingrid de Poorter
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firms
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
GDPR SECURITY ISSUES
GDPR SECURITY ISSUESGDPR SECURITY ISSUES
GDPR SECURITY ISSUES
 
GDPRR: The Key Changes
GDPRR: The Key ChangesGDPRR: The Key Changes
GDPRR: The Key Changes
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
GDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to Compliance
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
Data Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesData Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance Strategies
 
Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?
 
A Brief Overview on GDPR
A Brief Overview on GDPRA Brief Overview on GDPR
A Brief Overview on GDPR
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 Introduction to EU General Data Protection Regulation: Planning, Implementat... Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
GDPR
GDPRGDPR
GDPR
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
MRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational MeasuresMRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational Measures
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 

Plus de MRS

MRS Code of Conduct 2019 - Changes to Fair Data
MRS Code of Conduct 2019 - Changes to Fair DataMRS Code of Conduct 2019 - Changes to Fair Data
MRS Code of Conduct 2019 - Changes to Fair Data
MRS
 
Big Semiotics - May 2019
Big Semiotics - May 2019Big Semiotics - May 2019
Big Semiotics - May 2019
MRS
 
Digital Darwinism: How online communities can survive and thrive three waves ...
Digital Darwinism: How online communities can survive and thrive three waves ...Digital Darwinism: How online communities can survive and thrive three waves ...
Digital Darwinism: How online communities can survive and thrive three waves ...
MRS
 

Plus de MRS (20)

Covid 19 research - wave 2
Covid 19 research - wave 2 Covid 19 research - wave 2
Covid 19 research - wave 2
 
Respondi whitepaper the 'appiness project
Respondi whitepaper the 'appiness projectRespondi whitepaper the 'appiness project
Respondi whitepaper the 'appiness project
 
Supporting good Mental Health at Work
Supporting good Mental Health at Work Supporting good Mental Health at Work
Supporting good Mental Health at Work
 
MRS Code of Conduct 2019 - Changes to Fair Data
MRS Code of Conduct 2019 - Changes to Fair DataMRS Code of Conduct 2019 - Changes to Fair Data
MRS Code of Conduct 2019 - Changes to Fair Data
 
MRS Speaker Evening- hosted by the ADA Network
MRS Speaker Evening- hosted by the ADA NetworkMRS Speaker Evening- hosted by the ADA Network
MRS Speaker Evening- hosted by the ADA Network
 
Big Semiotics - May 2019
Big Semiotics - May 2019Big Semiotics - May 2019
Big Semiotics - May 2019
 
Digital Darwinism: How online communities can survive and thrive three waves ...
Digital Darwinism: How online communities can survive and thrive three waves ...Digital Darwinism: How online communities can survive and thrive three waves ...
Digital Darwinism: How online communities can survive and thrive three waves ...
 
How to write an Oppies Award Entry
How to write an Oppies Award EntryHow to write an Oppies Award Entry
How to write an Oppies Award Entry
 
MRS Roadshow 2019
MRS Roadshow 2019MRS Roadshow 2019
MRS Roadshow 2019
 
BBC Media Action - 2019
BBC Media Action - 2019BBC Media Action - 2019
BBC Media Action - 2019
 
Operations network meeting 22 January 2019
Operations network meeting 22 January 2019Operations network meeting 22 January 2019
Operations network meeting 22 January 2019
 
Using VR for immersion and audience engagement
Using VR for immersion and audience engagementUsing VR for immersion and audience engagement
Using VR for immersion and audience engagement
 
Humans v tech
Humans v tech Humans v tech
Humans v tech
 
Planning for new communities
Planning for new communitiesPlanning for new communities
Planning for new communities
 
Women in Ads
Women in AdsWomen in Ads
Women in Ads
 
Grooming and well-being
Grooming and well-beingGrooming and well-being
Grooming and well-being
 
GDPR master class - transparent research projects
GDPR master class - transparent research projectsGDPR master class - transparent research projects
GDPR master class - transparent research projects
 
GDPR master class accountable research organisations (january 2018)
GDPR master class   accountable research organisations (january 2018)GDPR master class   accountable research organisations (january 2018)
GDPR master class accountable research organisations (january 2018)
 
Operations network - consent under gdpr 24.01.2018
Operations network - consent under gdpr 24.01.2018Operations network - consent under gdpr 24.01.2018
Operations network - consent under gdpr 24.01.2018
 
Leveragin research, behavioural and demeographic data
Leveragin research, behavioural and demeographic dataLeveragin research, behavioural and demeographic data
Leveragin research, behavioural and demeographic data
 

Dernier

Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
instagramfab782445
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 

Dernier (20)

Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
 
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts  by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts  by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 

Members evening - data protection

  • 1. Ten things you need to know about the Data Protection Regulation
    Presentation to MRS Members Evening, 10th February 2016
    Dr Michelle Goddard, Director of Policy & Standards
  • 2. Topics for tonight
     Why is it important?
     What do you need to know?
     How should you prepare?
  • 4. It’s been a long road to get here ….
    2012: European Commission GDPR proposals tabled
    2014: European Parliament adopted a first reading
    2015: Council of the EU agreed a general approach after trialogues
    Dec 2015: Informal Agreement reached on Compromise Text
    From Directive to Regulation
  • 5. … but the end is in sight
    February 2016: Translation of GDPR Compromise Text
    April 2016: Publication of Approved Text in Official Journal
    May to June 2016: GDPR enters into force in the UK
    June 2018: Enforcement of GDPR begins
  • 6. Ten Things
    1. Applies a harmonised regime directly in all Member States
    2. Widens scope and application of data
    3. Places liability on both data processors and controllers
    4. Requires greater business accountability
    5. Enhances individuals’ rights
    6. Maintains exemption for research
    7. Introduces notification of data breaches
    8. Mandates appointment of Data Protection Officers
    9. Raises standards for cross border transfers
    10. Increases fines and strengthens the enforcement regime
  • 7. 1. Directly applicable and harmonised
     From Directive to Regulation and no need for national implementation
     Built in consistency mechanisms such as European Data Protection Board and the One-Stop Shop for enforcement
     ….but over 50 areas for national carve-outs and modifications in Union and Member State Law
     … and will this affect ICO’s enforcement approach
  • 8. 2. Much wider scope and application
     Expanded categories of personal data (including online identifiers) and special categories i.e. sensitive personal data include biometric and genetic
     New explicit category of pseudonymised data as a security measure but an art not a science
     Extra territorial scope to activities of controllers and processors within and outside EU processing data of EU citizens so need to consider appointment of representative
  • 9. 3. Significant culture and risk shift for data processors
    Data Controller
    • Determines purposes and manner in which personal data is collected/used e.g. client companies
    • New mandatory contract terms inc security measures, right of audit of DP, sub-processor approvals
    • Liability still includes full range of enforcement action and liability for breach of contract
    Joint Data Controller
    • Determines (with other DC) purposes and manner in which personal data is collected/used e.g. research suppliers
    • New mandatory contract terms inc security measures, right of audit of DP etc and how data subjects can exercise rights and who provides information
    • Liability still includes full range of enforcement action and liability for breach of contract
    Data Processor
    • Process data on behalf of others e.g. any other suppliers working on research data e.g. transcription, processing, coding, analysing, translation
    • New mandatory contract terms inc seek approval of DC for appointment of sub-processor and data transfer out of EEA
    • Direct liability now includes full range of enforcement action in addition to liability for breach of contract
  • 10. 4. Requires greater business accountability
    Reduction of administrative burdens e.g. no notifications to ICO but … Accountability and transparency requirements to
     entrench privacy by design and default
     maintain good records inc privacy policies/notices and detailed internal documentation on processing activities
     undertake privacy impact assessments for riskier or large scale activities
     implement technical and security measures
    Some exemptions for SMEs but less useful for researchers
  • 11. 5. Enhances rights of individuals (* n/a if using research exemption)
    Right to data portability: New
    Right to erasure: New
    Right to restrict processing*: New but limited impact
    Right of access to data*: Strengthened – includes retention period and possibly free and within 30 days
    Right to information in notices: Strengthened – clearer and greater detail
    Right to object to different types of processing (including profiling and marketing)*: Strengthened – burden now on controller to demonstrate compelling grounds
    Right not to be evaluated on basis of automated processing: Equivalent provision
    Right to rectification (of inaccurate data)*: Equivalent provision
    Obligation on DC to notify third parties for rectification, erasure or restriction
    Need to promote these rights to individuals
  • 12. 6. Maintains an exemption for research
    EFAMRO/ESOMAR gains from EU advocacy/lobbying include
     Broad definition of research:
       Scientific research purposes should be interpreted in a broad manner
       Statistical research purposes include statistical surveys and their results may be used for other purposes
     Research is a compatible purpose for further processing
     Segmentation is not considered as profiling under the GDPR
     Research exemption available to Member States
  • 13. Grounds for processing research data under GDPR
    Research exemption; Legitimate Interests; Consent
    … but remember obligations under MRS Code of Conduct
  • 14. 7. Personal data breaches must be notified
    When? Without undue delay or within 72 hours
    To whom? Controllers, supervisory authorities and/or individuals affected
    Why? Likelihood of risk/high risk to individuals, but not if unlikely to cause harm, i.e. encrypted data breaches
  • 15. 8. Need to appoint Data Protection Officer
     Who needs to appoint a data protection officer?
       Dependent on type of processing and risk but likely to be mandatory for all researchers
       Businesses should publish contact details and advise ICO
     What is their role?
       Act independently, reporting to highest level of management
       Should understand your business
       Liaison between business and data subjects/consumer champion?
       Employee (or outsourced) protected from dismissal
  • 16. 9. Raises standards for cross border transfers
     Current rules and mechanisms remain but will be kept under review
     Safe Harbor invalidity decision remains (not affected by this process)
     Adequacy decisions can be made by EU Commission for territories, sectors and states such as EU-US Privacy Shield
     Binding corporate rules still valid
     Some procedural streamlining/flexibility
     Model clauses favoured and no longer require DPAs’ approval
     DPAs may also create own model clauses
     New avenue for transfers under approved codes of conduct
  • 17. 10. Higher legal risks of non-compliance
    Heavy sanctions for non-compliance up to €20m (£15m) or 4% turnover
    Increased powers for supervisory authorities and liaison with European Data Protection Board
    Data subject claims for compensation for breaches
    “Class actions” by consumer associations
    …. and also reputational risks …
  • 18. Reputation at risk
    80% of people would think twice about giving their business to an online company that made headlines for failing to stop a data security breach (YouGov 2016 poll for ICO)
  • 20. GDPR Compliance Project should start now
    1. Assess business risk through understanding data use
    2. Draw up compliance plan covering IT systems, staffing and policies
    3. Commit to best practice in research and data management
    4. Keep up to date through MRS
  • 21. Practical Tips (Obligation – What your business needs to do)
    Adhere to data controller or data processor compliance obligations
    • Audit and understand data use
    • Review and strengthen existing data policies
      o Review and revise legacy contracts to consider mandatory terms and negotiations on apportionment of liability
      o Establish appropriate technical and security measures for data protection
      o Consider adequacy of mechanisms for cross-border transfers i.e. contracts with cloud providers
      o Set up process for written record-keeping of all categories of personal data
      o Consult with ICO on riskier activities and privacy impact assessments
    Respect individual rights
    • Use clearer language in privacy policies and fair processing notices but cover off intended purposes
    • Review getting consent and implement steps for recording
    • Establish clear data retention and deletion policies and communicate retention periods to individuals
    • Review mechanisms for consent of children online
    • Work with IT to set up procedures and systems for individuals to exercise new rights of data portability and to be forgotten and enhanced information and rectification rights etc
  • 22. Practical Tips (Obligation – Practical Tips)
    Promote accountability across the business
    • Set up demonstrable processes to ensure accountability
    • Conduct individual and staff training
    • Appoint a data protection officer, considering outsourcing and sharing the role
    Prepare for data breach notifications
    • Set up internal procedures/strategy for data breach identification
    • Establish process for notification to DPA and individual
    • Explore what “risk” to individuals means
    • Build in effective ways of detecting breaches
    Embed privacy by design and default in research projects
    • Collect minimum information required for research projects
    • Maintain accurate and up to date/current databases
    • Client side need to engage with product teams earlier in process
    • Use anonymisation, pseudonymisation and encryption security techniques
  • 23. Keep up to date
     Guidance and tools
       FAQs, webinars and guidance notes
       But let us know how we can best help you: training areas; webinar topics; new guidance
     Follow guidance from ICO
     Seek advice from CodeLine: Codeline@mrs.org.uk
     Keep informed through MRS: www.mrs.org.uk, @tweetmrs

Editor's notes

  1. Morrisons (2014): an unusual example of the insider attack. The attacker published details of the firm’s entire workforce database online, 100,000 employees in all. Abuse of privileged access is hard to lock down. Some employees later launched legal action against Morrisons. TalkTalk: reported in Feb 2016 that the breach cost £60 million and the loss of 95,000 customers. Publicised in October 2015, TalkTalk initially struggled to confirm how many of its four million customers were. The rising number of breaches becomes both political and mainstream in the UK. 56 Dean Street: in September 2015 it was found that the London sexual health clinic 56 Dean Street had revealed the names and contact details of almost 800 HIV-positive patients. The clinic accidentally disclosed the information when an email newsletter for the clinic's Option-E online service was sent out en masse, rather than to individual recipients. Charity sector generally: Daily Mail investigation. Alzheimer’s Society: the ICO found serious failings in the way volunteers at a national dementia support charity handled sensitive personal data. It ordered The Alzheimer’s Society to take action after discovering that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away. Furthermore, volunteers were not trained in data protection, the charity’s policies and procedures were not explained to them and they had little supervision from staff.
  2. A 204-page document with more than 91 articles and 135 recitals. Impetus for reform: to take account of technological developments since 1995, including the expansion of the internet and mobile telephony. Heavily lobbied; over 3000 amendments tabled.
  3. Comes into force 2 years and 20 days from publication in the Official Journal. Directly applicable, but a lot still to be done: carve-outs and discretion for Member States, including consent of children and exemptions from individual rights for research processing; guidance from the supervisory authority.
  4. Art 29 WP to publish guidance
  5. Definition of personal data: explicitly broadened to include any information ‘relating to’ an individual. Pseudonymisation is ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person’. If data is pseudonymised, then data breach notification, subject access and profiling obligations may not apply.
  6. Wider responsibilities are placed directly on data processors, with a much higher risk profile: previously there were no direct obligations, but now processors carry responsibility for data transfers and direct action can be taken against them. Mandatory terms are included in contracts with data processors; processors must seek approval to appoint sub-processors and to transfer personal data out of the EEA; the controller’s right to audit the DP is now in the legislation rather than, as previously, a matter of practice.
  7. Record keeping: who the controller is, name, location, categories of processing, data security measures in place. The list covers things such as the purpose of the processing, the description of the categories of data subjects and personal data, the categories of recipients to whom personal data is disclosed and (where possible) the time limits for erasure and a description of the security measures taken by the controller. Similar provisions apply to processors, although they are slightly less prescriptive. Privacy impact assessments are important for riskier or large scale activities; they can be used currently but have a central role in the new scheme. A PIA is a process which assists you in identifying and minimising the privacy risks of new projects or policies. It involves working with people within your organisation, with partner organisations and with the people affected so that you can identify and reduce privacy risks, and describing the information flows. Adherence to a code of conduct is suggested as a way for controllers and processors to demonstrate compliance.
  8. New rights. Legislates the right to be forgotten (however, processing can continue if there are compelling legitimate grounds), and data controllers are also obliged to inform other controllers who may be processing the data to delete it if this request is received; applies to data made public, especially online. Right of data portability, so that customers can request their data be provided in a usable, transferable format that allows them to move data between platforms or suppliers; applies to automated data collection where details are collected on the basis of consent or contract. Right to restrict processing, where data cannot be deleted because it is required for legal reasons. Strengthened rights. Right to object to profiling and not to be subject to decisions based on automated processing (e.g. online behavioural advertising; assessing creditworthiness), i.e. automated processing where a decision is made that has legal or significant effects on the individual (not where necessary for a contract or based on explicit consent); cannot rely on legitimate interest for profiling. Right to object to certain types of processing, including processing for direct marketing and profiling for direct marketing (a balancing test is also in place); broader than before, as individuals can object to processing for legitimate interests or direct marketing without providing specific reasons, but note there is always a right to object for research. Right to be provided with greater fair processing information, such as the source of the data and the retention period; minimum and/or further information depending on what is required for full transparency. A lot of this is reflected in industry codes of practice for research. Information has to be provided in an intelligible form using clear and plain language. Subject access rights – free?? * n/a if using the research exemption.
  9. Scientific research - inc technological development and demonstration, fundamental research, applied research and privately funded research; public health (recital 126) Statistical purposes – definition to be set out in EU or MS law i.e. statistical content, control of access, specifications for processing, appropriate measures to safeguard rights and freedom of data subject and to guarantee statistical confidentiality. Statistical purpose implies that it is aggregate data.
  10. Consent: specific, informed and freely given consent through clear affirmative action, but explicit for sensitive personal data (provided this does not override individual rights); a significant shift in the burden of proof. You will need to be able to provide evidence that you obtained consent from specific data subjects, which is going to require much better record keeping for many organisations. Legitimate interest: based on reasonable expectations and provided it does not override the rights of individuals (research is a compatible purpose). Research exemption (if implemented): where it is impossible to conduct the research otherwise, research can be exempted from data subject access, rectification of inaccurate data, restriction of processing and the right to object (including the right to object to data processed for research purposes), but subject to adoption of technical and organisational measures to limit collection to the minimum and the use of methods that de-identify. Other grounds apply but are less likely to be relied on: contract; compliance with a legal obligation; vital interests of the data subject; public interests.
  11. A “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” It is important to note that the definition of a personal data breach is wide (for example, it includes unlawful destruction) and is tied into the requirement for strong security obligations. Requirement to notify the authorities without undue delay and not later than 72 hours … where there is a likelihood of risk … what exactly does that mean? Broad scope for discussion, and may be an area where we can expect some guidance. In addition to the DPA, there is also a need to notify data subjects where there is a likelihood of high risk, so for example
  12. Mandatory DPO: compulsory for a public authority or body, or where core activities consist of “regular and systematic monitoring on a large scale” or of “large scale processing of special categories of data”.
  13. Level 1 breaches include the principles for processing (including consent conditions); data subjects’ rights; conditions for lawful international data transfers; specific obligations under national law as permitted by the GDPR; and orders by data protection authorities, including suspension of data flows. The criteria to be taken into account in fining are set out, and factors such as repeat breaches and the gravity of the breach will be considered. In addition to these high fines, DPAs now have greater investigative powers to compel information from DCs and DPs and to gain access to premises etc. In considering the level of fine, the DPA can also consider adherence to a Code. If DPAs do not act, individuals can (on their own or with representation) and consumer protection groups can (if allowed by national law), so in addition to administrative fines, organisations can also be liable to pay compensation to individuals. The current ICO maximum is £500,000; the highest penalty to date is £200,000, with an average penalty of £104,773.
  14. YouGov poll – sample size 2039: 20% would definitely stop using; 57% would consider it; 8% said it would make no difference; 14% didn’t know.