
GDPR – Data Protection Law on Steroids?

This comprehensive guide covers GDPR regulations, sensitive personal data, legal grounds for processing, compliance protocols, and practical to-do lists for businesses. It emphasizes the importance of clear privacy notices, documentation of processes, and adherence to legitimate interests in data processing to avoid fines and reputational damage. Essential topics include archiving in the public interest, research exemptions, and legal bases for data processing.


Presentation Transcript


  1. GDPR – Data Protection Law on Steroids? Benjamin White, Head of Intellectual Property

  2. Increasingly Political / Contentious Human Right

  3. What is personal data? • Anything that allows you to identify a living individual, either directly or indirectly in combination with other information • Any opinion about an identifiable living person

  4. Examples of Personal Data • Names • Addresses • Opinions on a named person • National Insurance number / IP address / student card number / library card number etc • A comment that allows you to discover who that person is. • “Not only has he been untruthful about the amount of money that can be paid weekly into the NHS; the pictures of him on that zip wire waving the Union Jack – please!”

  5. What is sensitive personal data? • Particularly sensitive data that relates to a living person.

  6. Examples of Sensitive Personal Data • Religious / Philosophical • Political • Sexual / Sexuality • Trade Union Activities • Corporate or Industry • Illegal / Criminal / Bad Behaviour / Bullying / Malpractice • Race or ethnicity related • War / Violence / Northern Irish Troubles / Military Activity • Medical or Health Related • Scurrilous content / gossip / rumours etc • Note: only some of these are “special category” data under Article 9 GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life or sexual orientation). Criminal offence data is covered separately by Article 10. The rest are sensitive in the ordinary sense that disclosure is likely to cause damage or distress.

  7. Damage and Distress

  8. GDPR - Data Protection Law • Creates rights for people. • Places obligations on anyone using the personal data of individuals in the EU, wherever in the world the organisation is based. • You must have a legal basis for using personal data, and an additional condition for using sensitive personal data. • ICO Powers: infringement can mean fines of up to €20,000,000 or 4% of annual worldwide turnover (whichever is higher), public rulings from the ICO, enforcement notices requiring processing to stop, etc. • Reputationally, getting this wrong can be very damaging indeed.

  9. GDPR – Grounds for Processing Personal Data (not sensitive personal data) • Permission from the person (consent). • Protecting someone’s life, e.g. a medical emergency (vital interests). • Legitimate interests of the organisation using the personal information, balanced against the interests of the person whose data is being used. • Contractual relationship (current or future contract). • Legal obligation. • Necessary for performing a task in the public interest, or in the exercise of official authority (public task).

  10. To Do List: 1. Fees – smoke and mirrors? • Registration is no longer required by the GDPR but …

  11. To Do List: Privacy Notices - Transparency • Need to be reviewed to ensure: • 1. Plain English, easy to understand. • 2. They are short. • 3. No pre-ticked boxes (consent must be an active opt-in). • 4. They clearly show what is happening to personal data. • 5. They explain your grounds for processing the data.

  12. To Do List: • You must document your processes, what personal data you use, who you share it with, and how you protect people’s privacy throughout your organisation (and may have to supply this to the ICO). • Information audit? • Privacy impact assessments (PIAs, called DPIAs under the GDPR) • Check that your contracts and privacy notices are up to date • Retention schedules • Any IT procurement must be GDPR compliant (privacy by design) • Any activities such as marketing should be checked for their grounds for processing, as public authorities lose the legitimate interests ground when acting within their public task. • Can you anonymise the data? (Research)

  13. To Do List: Legitimate Interests and Public Authorities • Your grounds for processing may have changed: • DCMS: • Outside the public task, cultural heritage institutions (CHIs) and universities, according to DCMS indications, will still be able to rely on the legitimate interests ground for processing. • Do you need to get consents again where the legitimate interests ground has been lost?

  14. Archiving in the public interest (API) / Research exemptions (RE) • Exemptions from: • Right to be informed of processing (API) (RE) • Right to be informed of safeguards for third party transfers (API) (RE) • Right to amendment (rectification) (API) (RE) • Right to stop processing (restriction of processing) (API) (RE) • Right to move your data (data portability) (API) • Right to object to processing (API) (RE) • Right that third parties are also informed of erasure (right to be forgotten), amendment, etc (API)

  15. Legal Basis for Archiving in the Public Interest • Statute • Public Task statements • University constitutional documentation • Comply with codes of conduct

  16. What is Research? • Scientific, Historical, Statistical

  17. Codes of Conduct • Important: if you follow them you are less likely to have problems with the ICO. • e.g. Archiving (UK / EAG), Marketing etc. • There may be certification schemes.

  18. Questions
