
General Data Protection Regulations (GDPR)

General Data Protection Regulations (GDPR). GDPR will apply in the UK from 25 May 2018. Main concepts and principles remain the same as the current DP Act. There are new elements and significant enhancements, so you will do some things for the first time and some things differently.





Presentation Transcript


  1. General Data Protection Regulations (GDPR)

  2. GDPR
     • Will apply in the UK from 25 May 2018
     • Main concepts and principles remain the same as the current DP Act
     • There are new elements and significant enhancements, so you will do some things for the first time and some things differently

  3. UK Data Protection Bill
     • Data Controllers will have to comply with the UK law as well as GDPR
     • GDPR allows us to apply our own provisions to some parts of the regulations
     • The DP Bill details these provisions
     • Currently at Committee stage in the House of Commons
     Information Resilience & Transparency Team

  4. Consent under GDPR
     If you use consent as a basis for processing information, it:
     • Must be a freely given, specific, informed and unambiguous indication of the individual's wishes
     • Requires a clear affirmative action
     • Must be separate from other terms and conditions
     • Must come with simple ways to withdraw consent

  5. Information Society Services
     New provisions intended to enhance the protection of children's personal data:
     • Online services targeted to a child
     • Applies to children under the age of 13
     • Privacy Notice must be child friendly
     • Consent must be given by a person with parental responsibility

  6. The DPO
     • All public authorities must have a DPO
     • The DPO reports to the top management level
     • The DPO operates independently and is not dismissed or penalised for performing their task
     • Should have professional experience and knowledge of the DP law
     • DPO could be an existing employee as long as there is no conflict of interest

  7. ICO Registration
     • No provision for notification under GDPR
     • ICO expressed concerns about this as at least 80% of their income comes from these fees
     • There will be a levy under the Data Protection Bill
     • 3-tier system, with the top tier paying up to £2,900 for organisations with over 250 staff

  8. Personal Information
     Information which relates to an identifiable, living individual, who can be identified by:
     • Name
     • Date of Birth
     • Address
     • An identification number
     • An online identifier

  9. Special Categories of Personal Information (Sensitive)
     • Racial or ethnic origin
     • Political opinions
     • Trade union membership
     • Religious or similar beliefs
     • Health or sexual life
     • Genetic data
     • Biometric data

  10. Data Processors
     • GDPR applies to both Data Controllers and Data Processors
     • Both are responsible for protecting the personal data
     • Both can be held liable and face penalties
     • Controller says how and why personal data is processed
     • Processor acts on the controller's behalf

  11. 6 Principles
     • Lawfulness, fairness & transparency
     • Purpose limitation
     • Data minimisation
     • Accuracy
     • Storage limitation
     • Integrity & confidentiality
     Additional principle: Accountability

  12. Lawfulness of Processing (Article 6)
     Before processing any personal data, you should identify a legal basis for doing so:
     • Consent has been given for the processing
     • Necessary for the performance of a contract
     • Necessary for compliance with a legal obligation
     • Necessary to protect the vital interests of the data subject
     • Necessary to carry out tasks in the public interest
     • Necessary for the purposes of legitimate interests pursued by the data controller or a third party

  13. Processing of Special Category Data (Article 9)
     • Explicit consent
     • Employment, social security or social protection law
     • Vital interests of the data subject or another individual
     • Not-for-profit bodies
     • Made public by the data subject
     • Exercise or defence of legal claims
     • Substantial public interest
     • Medicine, health or social care
     • Public health
     • Research and statistics

  14. Privacy Notice
     Privacy notices are to be more robust and should include:
     • Legal basis for the processing
     • Categories and recipients of personal information
     • How long the information will be kept
     • How to make a complaint to the ICO
     • Where the personal information originated from
     • Individuals' rights
     • Automated decision making
     • The name and contact details of the DPO

  15. Individuals' Rights
     • The right to be informed
     • The right of access
     • The right to rectification
     • The right to erasure
     • The right to restrict processing
     • The right to data portability
     • The right to object
     • Rights in relation to automated decision making and profiling

  16. Subject Access Requests
     • Free of charge
     • Can charge a 'reasonable' fee if the request is manifestly unfounded or excessive
     • Can charge for requests for further copies of the same information
     • Timeframe reduced: only one month to comply
     • Can extend the period of compliance by a further two months where requests are complex or numerous

  17. Data Breaches
     Must report certain types of breaches to the ICO within 72 hours:
     • If the breach is likely to result in a risk to the rights and freedoms of the individual
     • Failure to report a breach could result in a fine, as well as a fine for the breach itself
     • The fine could be as much as 4% of annual turnover or £17 million!

  18. Recent Breaches
     To see if your personal information has been compromised by a breach, check: www.haveibeenpwned.com

  19. Data Protection Impact Assessments
     • DPIAs will be mandatory for some processing
     • Build DPIAs into your normal business practice
     When you need to do a DPIA:
     • For any 'high risk' processing
     • Large scale processing of sensitive information

  20. Review
     • Policies & Procedures
     • Privacy Notices
     • Information Asset Register
     • Information Sharing Agreements
     • Data Protection Impact Assessments (DPIA)
     • Data Breach Reporting Procedures
     • Contracts
     • Recording of Consent

  21. Contact Details
     Information Commissioner
     Website: www.ico.org.uk
     Tel: 01625 545745
     Email: mail@ico.gsi.gov.uk

     Michelle Hunt
     Information Governance Specialist
     Information Resilience & Transparency Team
     Sessions House, Maidstone, Kent, ME14 1XQ
     Tel: 03000 416286
     Email: michelle.hunt@kent.gov.uk
