The EU General Data Protection Regulation (GDPR)

 
General Data Protection Regulation (GDPR)

Richard Galley

7 December 2017
Today’s session

The purpose of this session is to help you understand the key elements of the EU General Data Protection Regulation (GDPR) and how you will need to prepare for implementation of the UK’s new Data Protection Act.
 
Agenda

Setting the scene
DPA versus GDPR
GDPR’s scope
The 6 Principles
Consent and other lawful bases
Individuals’ rights
Accountability & governance
Breaches
The UK Data Protection Bill
‘Top Tips’ & Action Planning
 
GDPR in force from 25 May 2018

Makes existing DP Directive (& UK Data Protection Act) redundant

Brexit??!

UK’s decision to leave the EU will not affect GDPR’s implementation
 
GDPR

“ … one way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.”
Rob Luke
Deputy Commissioner, ICO
May 2017
 
GDPR

GDPR = Data Protection Bill 2017

“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”

The Queen’s Speech
21 June 2017
 
“Any legislation introduced into Parliament is open to change so once we have a clearer idea of its final form we will be able to make firmer plans and develop the structure and the content of the guidance. Our aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018.”
UK Information Commissioner

1998?
 
GDPR – Why?!

Unifies data regulations within the EU - creates a single regulatory framework across EU for DP

Gives you and me greater control over our personal information

Protects the rights and interests of the individual – quantity and use of data

Principles based!
 
GDPR highlights

Applies to ‘controllers’ and ‘processors’
‘controller’ says how and why personal data is processed
‘processor’ acts on the controller’s behalf

Applies to processing carried out by organisations operating in EU and to organisations outside EU that offer goods or services to EU citizens

GDPR highlights

Places specific legal obligations on processors (e.g. keep records of personal data and processing activities)

Significantly more legal liability if responsible for a breach
GDPR v. DPA

DPA v. GDPR

GDPR Scope

GDPR scope

personal data
GDPR definition more detailed – makes clear that information such as an online identifier – e.g. IP addresses – can be personal data

Personal data
any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

sensitive personal data
GDPR definition broadly same as DPA but includes ‘genetic and biometric’ data

Sensitive Personal Data
are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence)

automated personal data and manual filing systems
GDPR’s 6 Principles

GDPR – The 6 Principles

Must identify a lawful basis before processing personal data (often referred to as the “conditions for processing” under DPA)

Document this
GDPR & Consent

GDPR & consent

Consent - definition

has to be “freely given, specific, informed and an unambiguous indication of the individual’s wishes”
requires some form of clear affirmative action – silence, or inactivity does not constitute consent & pre-ticked boxes banned
consent must be verifiable – some form of record must be kept of how and when consent was given
may be withdrawn, easily, by individuals at any time
GDPR & consent

Consent

If existing DPA consents don’t meet the GDPR standards or are poorly documented, need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing
 
GDPR & consent

If consent is difficult - consider using an alternative basis
Consent appropriate if people offered real choice and control over use of their data - if not consent is inappropriate.
If processing personal data without consent will happen anyway, asking for consent is misleading and inherently unfair
If ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis
 
GDPR & consent

Look out for ICO’s definitive guidance ‘early in 2018’

(Draft version now available from ICO website)

GDPR & consent

IMPORTANT!

Organisations can rely on other lawful bases apart from consent!
 
Consent – the alternatives

Personal data can be processed on the following legal bases (i.e. without consent):

Necessary for the performance of a contract with the individual

Necessary for compliance with a legal obligation

Necessary to protect the vital interests of a data subject or another person

Necessary for performance of a task carried out in the public interest / exercise of official authority
 
Consent – the alternatives

Personal data can be processed on the following legal bases, without consent:

Necessary for the purposes of legitimate interests: if there’s a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests
 
Consent – ‘legitimate interests’

“Private-sector organisations will often be able to consider the ‘legitimate interests’ basis if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.”
ICO
Draft GDPR Consent Guidance
 
Consent – ‘legitimate interests’

‘Legitimate interests’ include:

processing for direct marketing purposes or preventing fraud

transmission of personal data within a group of undertakings for internal admin purposes

processing for ensuring network and information security

reporting possible criminal acts or threats to public security to a competent authority
 
Marketing and GDPR

GDPR - Recital 47: direct marketing is a ‘legitimate use’ of personal information

However!

Other rules also apply e.g. Privacy and Electronic Communications Regulations 2003 (PECR).
PECR restricts marketing by phone, text, email or other electronic means.
When sending electronic marketing messages you need to comply with data protection rules and PECR
 
Marketing and GDPR

“We recommend that your marketing campaigns are always permission-based and you explain clearly what a person's details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.”
ICO – July 2017

Issues for you?
GDPR & legal bases
Children

GDPR & children

Privacy Notice

Where services offered directly to a child - privacy notice must be written in a clear, plain way that a child will understand

Includes most internet services provided at user’s request, normally for remuneration – GDPR emphasises protection is particularly significant where a child’s personal data is used for the purposes of marketing and creating online profiles

GDPR & children

Consent

Those offering online services to children may need to obtain consent from parent / guardian to process child’s data

If consent is basis for processing child’s personal data, a child under the age of 16 can’t give consent themselves – consent required from a person holding ‘parental responsibility’
Individual Rights

GDPR & individual’s rights

GDPR provides the following rights for individuals

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
 
GDPR & individual’s rights

The right to be informed

Requires transparency over how personal data is used and obliges data controllers to provide “fair processing information”, typically through a privacy notice
 
GDPR & individual’s rights

The right to be informed

Doesn’t have to be a single statement

ICO recommends a ‘blended approach’ – information can be provided in different, most appropriate places / media

People unwilling to read lengthy statements but …

That doesn’t mean they’re not interested in what happens to their data
 
GDPR & individual’s rights

Privacy Notice

GDPR sets out information that should be supplied and when individuals should be informed

Determined by whether or not personal data obtained directly from individuals

Much of the information is consistent with current obligations under the DPA, but …

Some further information explicitly required
 
GDPR & individual’s rights

The right to be informed – new to GDPR

Individuals have the right to be informed about the:

period for which data will be stored (or the criteria used to determine that period)
existence of the rights to erasure, to rectification, to restriction of processing, to object to processing, to complaints to SA (ICO)
source of data where they were not collected from the data subject
existence of, and an explanation of the logic involved in, any automated processing

Information supplied about processing of personal data must be:
concise, transparent, intelligible and easily accessible
written in clear and plain language; and
free of charge
 
GDPR & individual’s rights

The right to be informed

“Following the advice in this code about the use of language, about adopting innovative technical means for delivering privacy information such as layered and just in time notices, and about user testing will help you to comply with the new provisions of the GDPR, as well as the current requirements of the DPA.”
ICO
 
GDPR & individual’s rights

ICO Code of Practice - Privacy Notices

Issues covered include:
Where you should deliver privacy information
When you should actively communicate privacy information
How you should write a privacy notice
Test, roll out and review

Issues for you?
Privacy Notices
 
GDPR & individual’s rights

The right of access

Reason for being – allows individuals access to personal data so that they are aware of and can confirm the lawfulness and / or accuracy of data processing
 
GDPR & individual’s rights

The right of access

Individuals have the right to obtain:

confirmation that their data is being processed;
access to their personal data; and
other supplementary information (i.e. info in the privacy notice)

Similar to existing subject access rights under the DPA.
 
GDPR & individual’s rights

The right of access

Information must be provided free of charge

‘Reasonable fee’ may be charged when a request is unfounded / excessive, or when asked to replicate information

‘Reasonable fee’ – must be based on the administrative cost of providing the information

You may refuse if request ‘manifestly unfounded or excessive’ – give explanation
 
GDPR & individual’s rights

The right of access

Information must be provided without delay and at the latest within one month of request

Two month extensions where requests are complex or numerous – individual must be told why extension is necessary within one month of the request being received
 
GDPR & individual’s rights

The right of access

If request made electronically – information should be provided in a commonly used electronic format

GDPR’s best practice recommendation – where possible provide remote access to a secure self-service system which provides the individual with direct access to their information

Issues for you?
Right of access
 
GDPR & individual’s rights

The right to rectification

Individuals entitled to have their data rectified where it is inaccurate or incomplete

Must respond within one month – can be extended by two months where the request is complex
 
GDPR & individual’s rights

The right to erasure
…. a.k.a ‘the right to be forgotten’

“Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under GDPR, this threshold is not present.”
ICO
GDPR & individual’s rights

The right to erasure

enables individual to ask for personal data to be deleted / removed where no compelling reason for continued processing

Not absolute - can be refused e.g. where data is processed for purposes in the public interest, or in legal claims, or in exercising the right of freedom of expression and information
 
GDPR & individual’s rights

The right to erasure - specific circumstances

Personal data no longer needed in relation to the purpose for which it was originally collected / processed
Individual withdraws consent
Individual objects to processing & no overriding legitimate interest for it continuing
Personal data unlawfully processed
Erasure needed to comply with legal obligation

Issues for you?
Right to erasure
 
GDPR & individual’s rights

The right to restrict processing

Individuals can block / restrict processing e.g. where they contest the accuracy of the data

Similar to DPA
 
GDPR & individual’s rights

The right to restrict processing

Individual contests accuracy of data - restrict processing until accuracy has been verified
Individual objects to processing and consideration is being given to whether legitimate grounds override those of the individual
Processing is unlawful – the individual opposes erasure and requests restriction instead
Personal data no longer needed but individual requires it for a legal claim
 
GDPR & individual’s rights

The right to data portability

An individual is entitled to obtain and reuse their personal data for their own purposes across different services

Allows movement, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability
 
GDPR & individual’s rights

The right to data portability

Only applies:

to personal data an individual has provided;
where the processing is based on the individual’s consent or for the performance of a contract; and
when processing is carried out by automated means
 
GDPR & individual’s rights

The right to data portability

Data must be in a structured, commonly used and machine readable form (e.g. CSV files)
‘Machine readable’ – data structured so that software can extract specific elements of it
Information must be provided free of charge
May be required to transmit the data directly to another organisation – if technically feasible & no need to adopt / maintain processing systems technically compatible with other organisations
 
GDPR & individual’s rights

The right to data portability

What tools are recommended to answer data portability requests?

“1) data controllers should offer a direct download opportunity for the data subject and,
2) they should allow data subjects to directly transmit the data to another data controller e.g. via an Application Programming Interface”
Article 29 Working Party
FAQs
 
GDPR & individual’s rights

The right to data portability

“Data subjects may also make use of a personal data store, a trusted third party, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required, so data can be transferred easily from one controller to another.”
Article 29 Working Party FAQs
 
GDPR & individual’s rights

The right to data portability

To what extent are data controllers responsible for the data transferred or received through the right to data portability?

“Data controllers that answer data portability requests are not responsible for the processing handled by the data subject or by another company receiving personal data…”
Article 29 Working Party FAQs
 
GDPR & individual’s rights

The right to data portability

“… At the same time, the receiving data controller is responsible for ensuring that the portable data provided are relevant and not excessive with regard to the new data processing, that they have clearly informed the data subject of the purpose of this new processing and, more generally, that they have respected the data protection principles applying to their processing in accordance with the GDPR provisions”
Article 29 Working Party FAQs
 
GDPR & individual’s rights

The right to data portability

Issues for you?

Right to data portability
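As an added example that is not part of the slides, here is how a controller might scope a portability export to the data the individual provided, refuse requests that fall outside the right (other lawful bases, or processing that is not automated), and produce the result in a structured, machine-readable form (CSV or JSON). The field names, the provenance tags and the sample record are this example's own constructions.

```python
import csv
import io
import json

# Provenance tags are this example's own classification of each field.
# Only "provided" fields fall within the right to data portability as the
# slides describe it; "derived" fields (outputs of profiling) and "internal"
# fields stay out of the export.
PROVENANCE = {
    "full_name": "provided",
    "email": "provided",
    "date_of_birth": "provided",
    "vehicle_reg": "provided",
    "annual_mileage": "provided",
    "risk_score": "derived",
    "fraud_flag": "derived",
    "internal_case_id": "internal",
}

# Lawful bases under which the right applies (slides: consent or contract).
PORTABLE_BASES = {"consent", "contract"}


def portable_subset(record, lawful_basis, automated=True):
    """Return the portable fields of one record, or None when the request
    falls outside the right (other lawful basis, or manual processing)."""
    if lawful_basis not in PORTABLE_BASES or not automated:
        return None
    return {k: v for k, v in record.items() if PROVENANCE.get(k) == "provided"}


def build_export(records, lawful_basis, fmt="csv", automated=True):
    """Build a structured, machine-readable export (CSV or JSON) of the
    portable data in `records`, or None if the request is out of scope."""
    rows = []
    for record in records:
        subset = portable_subset(record, lawful_basis, automated)
        if subset is None:
            return None
        rows.append(subset)
    if fmt == "json":
        return json.dumps(rows, indent=2, sort_keys=True)
    if fmt != "csv":
        raise ValueError("unsupported format: " + fmt)
    # A fixed header order keeps the file stable across exports.
    fieldnames = sorted({k for row in rows for k in row})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_csv(text):
    """Read an export back, as the receiving controller or the individual would."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample record, not real personal data.
SAMPLE_RECORDS = [
    {
        "full_name": "A. Example",
        "email": "a.example@example.invalid",
        "date_of_birth": "1980-01-01",
        "vehicle_reg": "AB12 CDE",
        "annual_mileage": 8000,
        "risk_score": 0.42,
        "fraud_flag": False,
        "internal_case_id": "CASE-0001",
    },
]

if __name__ == "__main__":
    print(build_export(SAMPLE_RECORDS, "contract"))
    print(build_export(SAMPLE_RECORDS, "legitimate_interests"))  # None: out of scope
```

The provenance table is the decision a practitioner actually has to make: the export is not a dump of the customer record, and fields produced by the controller's own profiling are left out.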
 
GDPR & individual’s rights

The right to object

Individuals can object to direct marketing (including profiling) and processing for statistical purposes.
Their right to object must be brought to their attention “at the first point of communication” e.g. via privacy notice
“explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”
 
GDPR & individual’s rights

The right to object

Objection must be on “grounds relating to his or her particular situation”

Processing of data must stop unless compelling legitimate grounds for it, which override the interests, rights and freedoms of the individual
 
GDPR & individual’s rights

The right to object

Processing personal data for direct marketing purposes must stop as soon as objection received - no exemptions or grounds to refuse

Objections to processing for direct marketing must be dealt with at any time and free of charge

Similar to existing DPA
 
GDPR & individual’s rights

The right to object

Individuals have the right not to be subject to a decision when:

it is based on automated processing; and
it produces a legal effect or a similarly significant effect on the individual
 
GDPR & individual’s rights

Automated decision making and profiling

The right does not apply if the decision:

is necessary for entering into or performance of a contract between the organisation and the individual;
is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
based on explicit consent
 
GDPR & individual’s rights

Automated decision making and profiling

Profiling – automated processing to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

    performance at work
    economic situation
    health
    personal preferences
    reliability
    behaviour
    location
    movements
 
GDPR & individual’s rights

Automated decision making and profiling

Ensure processing is fair and transparent – provide meaningful information about logic involved & the significance and envisaged consequences
Use appropriate mathematical or statistical procedures for profiling
Appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise risk of errors
Secure personal data – proportionate to the risk to the interests and rights of the individual
 
GDPR & individual’s rights

Automated decision making and profiling

Issues for you?

Automated decision making & profiling

Accountability

Required to show how compliance with the principles is achieved – for example by documenting the decisions taken about a processing activity

GDPR accountability principle
 
Accountability & Culture

Reporting
DP Key Priority
ICO
Data Subjects
 
Organisations must:
implement technical and organisational measures that ensure and demonstrate compliance (e.g. DP policies, staff training, internal audits of processing activities etc.)
maintain relevant documentation on processing activities
where appropriate, appoint a data protection officer
    public authority
    carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking)
    carrying out large scale processing of special categories of data or data relating to criminal convictions and offences

GDPR accountability principle
You must:
implement measures that meet the principles of data protection including:
    data minimisation
    pseudonymisation
    transparency
    creating and improving security features on an ongoing basis
use data protection impact assessments where appropriate

GDPR accountability principle
pseudonymisation - the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information

additional information must be kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person

in short it’s a privacy-enhancing technique!
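The definition above has two halves: the data set itself no longer carries the direct identifiers, and the "additional information" that would re-attribute it is held separately under its own controls. As an added example (not code from the slides), the Python below implements both: a keyed HMAC replaces the direct identifiers with a stable pseudonym, so records about the same person can still be linked, while the secret key and the pseudonym-to-identity lookup live in a separate service. It also shows why an unkeyed hash is not enough. The field names and the sample record are constructed for the example.

```python
import hashlib
import hmac
import secrets
import json

# Field names are this example's own; a real system takes them from its
# data inventory.
DIRECT_IDENTIFIERS = ("name", "email", "pps_number")


class PseudonymisationService:
    """Holds the 'additional information' (secret key plus pseudonym -> identity
    lookup) that allows re-identification. It must be stored separately from
    the pseudonymised data set, behind its own access controls."""

    def __init__(self, key):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._lookup = {}

    def pseudonym_for(self, identifiers):
        # Keyed HMAC: the same person always maps to the same pseudonym, so
        # records can still be linked, but nobody without the key can
        # recompute the mapping from a guessed name or e-mail address.
        canonical = json.dumps(identifiers, sort_keys=True).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record):
        identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        pseudonym = self.pseudonym_for(identifiers)
        self._lookup[pseudonym] = identifiers
        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = pseudonym
        return stripped

    def reidentify(self, pseudonymised):
        # Only possible with access to this service's lookup table.
        identifiers = self._lookup[pseudonymised["subject_id"]]
        restored = {k: v for k, v in pseudonymised.items() if k != "subject_id"}
        restored.update(identifiers)
        return restored


def unkeyed_hash_is_guessable(candidate_email, stored_hash):
    """Why a plain hash is not pseudonymisation: anyone holding the data set
    can hash a guessed e-mail address and compare, so the data can still be
    attributed to the person without any separately held information."""
    return hashlib.sha256(candidate_email.encode()).hexdigest() == stored_hash


# Constructed sample record, not real personal data.
SAMPLE_RECORD = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "pps_number": "0000000X",
    "claim_amount": 1250.00,
    "claim_year": 2017,
}


def demo(key=None):
    """Pseudonymise the sample record and re-identify it with the same service."""
    service = PseudonymisationService(key or secrets.token_bytes(32))
    pseudonymised = service.pseudonymise(dict(SAMPLE_RECORD))
    restored = service.reidentify(pseudonymised)
    return pseudonymised, restored


if __name__ == "__main__":
    p, r = demo()
    print("pseudonymised:", p)
    print("re-identified matches original:", r == SAMPLE_RECORD)
```

In practice the key belongs in a key management service or HSM and the lookup table in a separately access-controlled store; the analytics or claims system that holds the pseudonymised records gets neither.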
 
Data retention

Create Data Retention Policy
assess what data currently stored & list all personal data types handled
identify and log where data is held (e.g. servers, databases, emails, company computers and backups etc.)
define the storage period for each type of data – take account of legal and regulatory requirements (e.g. Employer’s Liability insurance etc.)
Implement and enforce policy – include summary in Privacy Notice
 
Data retention periods

Legal and Regulatory stipulations take priority

SYSC 9.1.5:

“With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made”

General ‘rule of thumb’ = 6 years (e.g. from claim)

Policies that cover any loss that happened during the policy term, no matter when the claim is made – retain indefinitely
 
Data retention - HR

HR records included
Terms of Employment (Information) Act, 1994 - employee’s terms and conditions of employment - retain for duration of their employment

Safety, Health and Welfare at Work (General Applications) Regulations 1993 - 10 year retention from the date of an accident

The Companies Acts and Taxes Consolidation Act, 1997 - 8 year retention of tax records

Parental Leave Acts 1998-2006 - 8 year retention of records showing the dates and times an employee took parental leave
 
Data retention - HR

HR records included
National Minimum Wage Act, 2000 - 3 year retention to show compliance with the Act’s provisions

Organisation of Working Time Act, 1997 & Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations 2001 - 3 year retention for records of weekly working hours, the name and address of employee, the employee’s PPS numbers and a statement of their duties
 
Data retention - HR

HR records included
Protection of Young Persons (Employment) Act, 1996 - 3 year retention of employment records relating to persons under 18 years of age

Protection of Employment Acts, 1977-2007 - where an employer has collective redundancies, must retain records to show that Act’s provisions complied with for a 3 year period

Employment Equality Acts - records relating to recruitment process should be retained for 1 year
 
Data retention - HR

Statute of Limitations 1957
Personal injury actions - recommended 3 years (mandatory 2 years) from date of cause of action

Breach of contract actions - contracts retained for at least 7 years from the date of termination of the employment
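The retention policy steps above (inventory the data, set a storage period per type with legal and regulatory periods taking priority, then enforce the policy) reduce to a schedule that can be run over the data inventory. As an added example, not from the slides, the Python below does that: each record type carries its period and its basis, indefinite retention and legal holds are handled explicitly, a record type missing from the policy is flagged for review rather than silently kept or destroyed, and the leap-day edge case in date arithmetic is covered. The periods are those quoted on the slides; the record-type names and the inventory entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    years: Optional[int]  # None means retain indefinitely
    basis: str            # the legal/regulatory source, or the business default


# Constructed policy table: periods as quoted on the slides, record-type
# names are this example's own (they would come from the data inventory).
POLICY = {
    "claim_file": RetentionRule(6, "general rule of thumb, from claim"),
    "occurrence_policy": RetentionRule(None, "losses during policy term, claim made at any time"),
    "tax_record": RetentionRule(8, "Companies Acts / Taxes Consolidation Act 1997"),
    "working_time_record": RetentionRule(3, "Organisation of Working Time Act 1997"),
    "recruitment_record": RetentionRule(1, "Employment Equality Acts"),
    "employment_contract": RetentionRule(7, "Statute of Limitations, breach of contract, from termination"),
}


def retention_end(rule, trigger):
    """Date on which the retention period ends, or None for indefinite."""
    if rule.years is None:
        return None
    try:
        return trigger.replace(year=trigger.year + rule.years)
    except ValueError:
        # Trigger on 29 February and the end year is not a leap year.
        return trigger.replace(year=trigger.year + rule.years, day=28)


def disposition(record_type, trigger, today, legal_hold=False):
    """Decide what the policy says about one record on `today`.
    A legal hold (live claim, litigation, regulator request) overrides the
    schedule; an unknown record type is flagged instead of guessed at."""
    rule = POLICY.get(record_type)
    if rule is None:
        return "REVIEW: no retention rule for " + record_type
    if legal_hold:
        return "RETAIN: legal hold"
    end = retention_end(rule, trigger)
    if end is None:
        return "RETAIN: indefinitely (" + rule.basis + ")"
    if today >= end:
        return "DESTROY: retention ended " + end.isoformat() + " (" + rule.basis + ")"
    return "RETAIN: until " + end.isoformat() + " (" + rule.basis + ")"


def review(records, today):
    """Run the schedule over an inventory: {record_id: disposition}."""
    return {
        r["id"]: disposition(r["type"], r["trigger"], today, r.get("legal_hold", False))
        for r in records
    }


# Constructed inventory entries; 'trigger' is the date the period runs from.
SAMPLE_INVENTORY = [
    {"id": "R1", "type": "recruitment_record", "trigger": date(2017, 1, 10)},
    {"id": "R2", "type": "tax_record", "trigger": date(2012, 4, 5)},
    {"id": "R3", "type": "occurrence_policy", "trigger": date(2001, 6, 1)},
    {"id": "R4", "type": "claim_file", "trigger": date(2011, 3, 1), "legal_hold": True},
    {"id": "R5", "type": "visitor_log", "trigger": date(2016, 5, 1)},
    {"id": "R6", "type": "recruitment_record", "trigger": date(2016, 2, 29)},
]


def run_sample(today=date(2018, 5, 25)):
    """Review the constructed inventory as of GDPR's start date."""
    return review(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for rec_id, decision in run_sample().items():
        print(rec_id, decision)
```

The output of `review` is the evidence the accountability principle asks for: every destroy decision carries the date and the basis it rests on, and the REVIEW entries tell you where the inventory and the policy have drifted apart.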
 
GDPR accountability principle

Data Protection Officer
Any organisation can appoint a DPO:

Inform / advise organisation about obligations to comply with the data protection law

Monitor compliance with data protection law – e.g. advise on data protection impact assessments and conduct internal audits

First point of contact for supervisory authorities and for individuals whose data is processed
 
GDPR accountability principle

Data Protection Officer
Reports to the highest management level of the organisation – i.e. board level

Operates independently and is not dismissed or penalised for performing their task

Adequate resources provided to enable DPO to meet their obligations
 
Data protection impact assessments

GDPR accountability principle

DPIA must be carried out when:

using new technologies; and
the processing is likely to result in a high risk to the rights and freedoms of individuals
 
Data protection impact assessments

GDPR accountability principle

‘High risk’ includes:

systematic & extensive processing, including profiling and where decisions have legal or significant effects on individuals

large scale processing of data relating to criminal convictions or offences
 
Data protection impact assessments

GDPR accountability principle

Should include:
Description of processing operations and purposes, including legitimate interests
Assessment of the necessity and proportionality of processing in relation to the purpose
Assessment of the risks to individuals
Measures in place to address risk & to demonstrate your compliance
Data protection impact assessments

GDPR accountability principle

Suggestion –

Consider adopting DPIA on all IT, operational & business development projects as best practice …

… Privacy by design
Breach notification

Must notify the supervisory authority of a breach likely to result in a risk to the rights and freedoms of individuals, and in some cases to the individuals affected, for example:
damage to reputation
financial loss
loss of confidentiality
any other significant economic or social disadvantage

report these breaches within 72 hours

GDPR & notification of breach
 
REMEMBER!

Failure to notify a breach when required to do so may result in a fine of up to £17 million or 4% of global turnover

GDPR & notification of breach
Data Protection Bill 2017

UK Data Protection Bill 2017
 
 
 
“The Bill is a complete data protection system, so as well as governing general data covered by GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Bill exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.”
Department for Digital, Culture, Media & Sport
 
UK Data Protection Bill 2017

Implements the GDPR standards across all general data processing
Provides clarity on the definitions used in the GDPR in the UK context
Ensures that sensitive health, social care and education data can continue to be processed to ensure continued confidentiality in health and safeguarding situations can be maintained
 
UK Data Protection Bill 2017

Provides appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes
Sets the age from which parental consent is not needed to process data online at age 13
 
UK Data Protection Bill 2017

Key GDPR derogations in the Bill: allows the processing of sensitive and criminal conviction data in the absence of consent where justification exists, including allowing employers to fulfil obligations of employment law and to support insurance processing.
Top 10 Tips

Top Ten Tips - 1
Review data protection policies and procedures – ensure that these are compliant with the GDPR
Policies and procedures should include what actions need to happen in the event of a data breach

Top Ten Tips - 2
Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks
Most serious are either financial fraud or identity fraud – pay particular attention to personal information stored on servers
 
Top Ten Tips - 3
Train all staff involved in collecting and processing data
Try to automate as many processes as possible in order to reduce the risk of human error

Top Ten Tips - 4
Be clear about your legal bases for processing data – document and communicate
Set clear, fair and transparent rules for obtaining customer consent
 
Top Ten Tips - 5
Don’t keep data forever unless it’s needed

Top Ten Tips - 6
Have a policy for destroying out-of-date data & enforce it!

Top Ten Tips - 7
Recognise the importance of handling DP complaints as quickly, efficiently and accurately as you would do any others
 
Top Ten Tips - 8
Integrate data protection fully into all business processes
Do not treat this as an add-on or side issue

Top Ten Tips - 9
Ensure that Data Protection and Information Security are seen as being priority issues for the Board / senior management
If you’re not required to appoint a DPO, ensure that someone in authority is assigned oversight of DP

Top Ten Tips - 10
Treat customers fairly and respect their right to privacy
 
ICO Helpline for small organisations:

Dial 0303 123 1113 and select option 4

Covers:
GDPR
Current data protection rules and other legislation regulated by the ICO including electronic marketing and Freedom of Information

Fewer than 250 employees?

Data protection self assessment tools

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
 
Next steps & action plan

What must happen?
When must it happen by?
Names in frames
How will others be engaged (e.g. staff / customers)?
How is success defined and measured?

Knowledge Test
 
Question 1
A. General Data Protection Regime
B. General Data Protection Rules
C. General Data Protection Regulation
D. General Data Protection Requirements

Question 2
A. 23 February 2018
B. 1 April 2018
C. 25 May 2018
D. 25 December 2018

Question 3
A. Fine up to £500,000 or 4% of annual turnover
B. Fine up to £10 million or 4% of annual turnover
C. Fine up to £17 million or 4% of annual turnover
D. Fine up to €500,000 or 4% of annual turnover

Question 4
A. 6
B. 8
C. 11
D. 12

Question 5
A. Consent
B. Compliance with a legal obligation
C. Performance of a contract with the individual
D. All of the above

Question 6
A. Right to eradication
B. Right to erasure
C. Right to extermination
D. Right to extinction

Question 7
A. Right of data portability
B. Right of access
C. Right to rectification
D. Right to be informed

Question 8
A. It is necessary for entering into or performance of a contract between the organisation and the individual
B. It is authorised by law
C. It is based on explicit consent
D. It is based on automated processing

Question 9
A. Data Protection Implementation Assessment
B. Data Protection Impact Assessment
C. Data Protection Implications Assessment
D. Data Protection Imperfection Assessment

Question 10
A. 24
B. 48
C. 72
D. 96
Answers

Question 1: C. General Data Protection Regulation
Question 2: C. 25 May 2018
Question 3: C. Fine up to £17 million or 4% of annual turnover
Question 4: A. 6
Question 5: D. All of the above
Question 6: B. Right to erasure
Question 7: A. Right of data portability
Question 8: D. It is based on automated processing
Question 9: B. Data Protection Impact Assessment
Question 10: C. 72
Thank you!
 
Richard Galley
Senior Associate
Searchlight Insurance Training
Riverbridge House
Guildford Road
Leatherhead
Surrey
KT22 9AD
 
Telephone   01372 361177
Mobile         07712 789187
Mail            richard@richardgalley.co.uk
 
www.searchlightsolutions.co.uk

This session focuses on the key elements of the GDPR, preparing for the UK's Data Protection Act implementation, the scope of GDPR, principles, individual rights, accountability, breaches, and top tips for action planning. GDPR is a crucial part of global data protection, especially for UK organizations. The regulation unifies data regulations in the EU, grants individuals greater control over personal information, and safeguards their data rights and interests.


Uploaded on Aug 06, 2024

Presentation Transcript


  1. General Data Protection Regulation (GDPR) Richard Galley 7 December 2017

  2. Today’s session. The purpose of this session is to help you understand the key elements of the EU General Data Protection Regulation (GDPR) and how you will need to prepare for implementation of the UK’s new Data Protection Act.

  3. Agenda: Setting the scene; DPA versus GDPR; GDPR’s scope; The 6 Principles; Consent and other lawful bases; Individuals’ rights; Accountability & governance; Breaches; The UK Data Protection Bill; ‘Top Tips’ & Action Planning

  4. GDPR: GDPR in force from 25 May 2018. Makes existing DP Directive (& UK Data Protection Act) redundant. Brexit??! UK’s decision to leave the EU will not affect GDPR’s implementation

  5. GDPR: “… one way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.” Rob Luke, Deputy Commissioner, ICO, May 2017

  6. GDPR = Data Protection Bill 2017: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data.” The Queen’s Speech, 21 June 2017

  7. “Any legislation introduced into Parliament is open to change so once we have a clearer idea of its final form we will be able to make firmer plans and develop the structure and the content of the guidance. Our aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018.” UK Information Commissioner

  8. 1998

  9. GDPR: Why?! Unifies data regulations within the EU - creates a single regulatory framework across the EU for DP. Gives you and me greater control over our personal information. Protects the rights and interests of the individual: quantity and use of data

  10. GDPR highlights: Principles based! Applies to controllers and processors: the controller says how and why personal data is processed; the processor acts on the controller’s behalf. Applies to processing carried out by organisations operating in the EU and to organisations outside the EU that offer goods or services to EU citizens

  11. GDPR highlights: Places specific legal obligations on processors (e.g. keep records of personal data and processing activities). Significantly more legal liability if responsible for a breach

  12. GDPR v. DPA

  13. DPA v. GDPR
      DPA: Only UK; enforced by the Information Commissioner’s Office (ICO); non-compliance can result in fines up to £500,000 or 1% of annual turnover; no need for any business to have a dedicated Data Protection Officer (DPO)
      GDPR: Whole of EU; enforced by national Supervisory Authorities (SA); non-compliance can result in fines up to £17 million or 4% of the business’s annual global turnover; DPO mandatory for some, e.g. public authorities / large-scale processing

  14. DPA v. GDPR
      DPA: No obligation to report data breaches (but encouraged to do so); no requirement for an organisation to remove all data they hold on an individual; data collection does not necessarily require an opt-in
      GDPR: Certain data breaches must be reported to the SA within 72 hours of the incident; individual has ‘Right to erasure’ (data being permanently deleted); individuals must actively opt-in and there must be clear privacy notices

  15. DPA v. GDPR
      DPA: Data portability encouraged but not a right
      GDPR: Right to data portability, allowing individuals to obtain and reuse their personal data for their own purposes across different services - moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability

  16. GDPR Scope

  17. GDPR scope: personal data. GDPR definition more detailed; makes clear that information such as an online identifier, e.g. IP addresses, can be personal data

  18. GDPR scope: Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

  19. GDPR scope: personal data. GDPR definition more detailed; makes clear that information such as an online identifier, e.g. IP addresses, can be personal data. Sensitive personal data: GDPR definition broadly the same as DPA but includes genetic and biometric data

  20. GDPR scope: Sensitive Personal Data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence)

  21. GDPR scope: personal data. GDPR definition more detailed; makes clear that information such as an online identifier, e.g. IP addresses, can be personal data. Sensitive personal data: GDPR definition broadly the same as DPA but includes genetic and biometric data. Automated personal data and manual filing systems

  22. GDPR’s 6 Principles

  23. GDPR: The 6 Principles. 1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. Lawful: processing must meet the tests described in GDPR. Fair: what is processed must match up with how it has been described. Transparent: tell the subject what data processing will be done

  24. GDPR: The 6 Principles. 1. Personal data shall be processed lawfully. Must identify a lawful basis before processing personal data (often referred to as the ‘conditions for processing’ under DPA). Document this

  25. GDPR: The 6 Principles. 2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

  26. GDPR: The 6 Principles. 3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. No more than the minimum amount of data should be kept for specific processing

  27. GDPR: The 6 Principles. 4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay

  28. GDPR: The 6 Principles. 5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

  29. GDPR: The 6 Principles. 6. Personal data shall be processed in a manner that ensures appropriate security of them, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

  30. GDPR & Consent

  31. GDPR & consent: Consent - definition
      DPA: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
      GDPR: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

  32. GDPR & consent: Consent has to be freely given, specific, informed and an unambiguous indication of the individual’s wishes; requires some form of clear affirmative action (silence or inactivity does not constitute consent, and pre-ticked boxes are banned); consent must be verifiable (some form of record must be kept of how and when consent was given); may be withdrawn, easily, by individuals at any time

  33. GDPR & consent: If existing DPA consents don’t meet the GDPR standards or are poorly documented, need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing

  34. GDPR & consent: If consent is difficult, consider using an alternative basis. Consent is appropriate if people are offered real choice and control over use of their data; if not, consent is inappropriate. If processing personal data without consent will happen anyway, asking for consent is misleading and inherently unfair. If consent is a precondition of a service, consent is unlikely to be the most appropriate lawful basis

  35. GDPR & consent: Look out for ICO’s definitive guidance early in 2018 (draft version now available from the ICO website)

  36. Consent: the alternatives. IMPORTANT! Organisations can rely on other lawful bases apart from consent!

  37. Consent: the alternatives. Personal data can be processed on the following legal bases (i.e. without consent): necessary for the performance of a contract with the individual; necessary for compliance with a legal obligation; necessary to protect the vital interests of a data subject or another person; necessary for performance of a task carried out in the public interest / exercise of official authority

  38. Consent: the alternatives. Personal data can be processed on the following legal basis, without consent: necessary for the purposes of legitimate interests, i.e. if there’s a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests

  39. Consent: legitimate interests. “Private-sector organisations will often be able to consider the legitimate interests basis if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent but you must ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.” ICO Draft GDPR Consent Guidance

  40. Consent: legitimate interests. Legitimate interests include: processing for direct marketing purposes or preventing fraud; transmission of personal data within a group of undertakings for internal admin purposes; processing for ensuring network and information security; reporting possible criminal acts or threats to public security to a competent authority

  41. Marketing and GDPR: GDPR Recital 47: direct marketing is a legitimate use of personal information. However! Other rules also apply, e.g. the Privacy and Electronic Communications Regulations 2003 (PECR). PECR restricts marketing by phone, text, email or other electronic means. When sending electronic marketing messages you need to comply with data protection rules and PECR

  42. Marketing and GDPR: “We recommend that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.” ICO, July 2017

  43. GDPR & legal bases Issues for you?

  44. Children

  45. GDPR & children: Privacy Notice. Where services are offered directly to a child, the privacy notice must be written in a clear, plain way that a child will understand. Includes most internet services provided at the user’s request, normally for remuneration. GDPR emphasises that protection is particularly significant where a child’s personal data is used for the purposes of marketing and creating online profiles

  46. GDPR & children: Consent. Those offering online services to children may need to obtain consent from a parent / guardian to process the child’s data. If consent is the basis for processing a child’s personal data, a child under the age of 16 can’t give consent themselves; consent is required from a person holding parental responsibility

  47. Individual Rights

  48. GDPR & individuals’ rights: GDPR provides the following rights for individuals: 1. The right to be informed; 2. The right of access; 3. The right to rectification; 4. The right to erasure; 5. The right to restrict processing; 6. The right to data portability; 7. The right to object

  49. GDPR & individuals’ rights: The right to be informed

  50. GDPR & individuals’ rights: The right to be informed. Requires transparency over how personal data is used and obliges data controllers to provide ‘fair processing information’, typically through a privacy notice
