Understanding Data Protection Regulations and GDPR Overview
This insightful article delves into the essence of data protection, defining various terms like personal data, anonymized data, and profiling. It also discusses the implications of GDPR, how it applies within and outside the EU, and its impact on law enforcement and intelligence services. Furthermore, it explores the roles of controllers and processors in data handling, along with the concept of joint controllership. A comprehensive overview of key aspects related to data protection and privacy rights.
Presentation Transcript
Data Protection: What you need to know. Tim Turner, IRRV, February 2018
Article 4: definition of data. Personal data is any information relating to an identified or identifiable natural person. Data subject = identifiable person, i.e. one who can be identified by an identifier such as a name, an identification number, location data, an online identifier, or by one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity.
Anonymised data / Personal data / Pseudonymised data
Profiling / automated decisions. Profiling: analysis of a person or prediction about their behaviour; in particular, performance at work, economic situation, health, interests and preferences, behaviour and reliability, location and movements. Automated decisions: a decision using personal data made by an automated process.
GDPR: applies as normal. Applied GDPR: applies to matters outside EU competence. Part 3 (Law Enforcement): implements the directive. Part 4 (Intelligence services): applies GDPR-style standards to intelligence.
Law enforcement purpose: prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
DP Bill: Public authorities. (6) Any reference to public authorities or public bodies in the GDPR means: those under the Freedom of Information Act 2000; those under the Freedom of Information (Scotland) Act 2002; anyone added by the Secretary of State. Implications: DPO, legitimate interests, manual processing.
Controller: decides how and why data is used. Processor: does as required under contract with the Controller; responsible if they do anything outside the contract.
Art 26: Joint Controllers. Definition: two or more controllers jointly determine the purposes and means of processing. The agreement should set out *transparently* how they will comply; in particular: rights of the data subject; duties to provide fair processing.
A5: Principles. a) Lawfulness, fairness and transparency; b) Purpose limitation; c) Data minimisation; d) Accuracy; e) Storage limitation; f) Integrity and confidentiality. The Controller is responsible for, and shall be able to demonstrate, compliance.
GDPR conditions: Consent; Necessary for contract; Legal obligation; Vital interests; Official authority / public interest; Legitimate interest.
Law enforcement conditions: Consent; Law enforcement purpose.
Law enforcement accuracy: Controllers should distinguish between suspects / potential subjects; those who have been convicted; victims / potential victims; witnesses and other interested parties.
Article 9: Special categories. Racial / ethnic origin; Political opinions; Religious / philosophical beliefs; Trade union membership; Biometric data; Health; Sex life / sexual orientation.
Article 9: Special categories conditions. Explicit consent; Employment law; Vital interests (no consent); Special category group use; Made public by subject; Establish / defend legal claims; Public interest underpinned by law; Health / social care; Public health; Archiving / research with safeguards.
Substantial public interest AND: Preventing or detecting unlawful acts; Protecting the public against dishonesty; Government / legal; Equality of treatment; Disclosure for journalism; Fraud / terror financing; Counselling; Insurance; Elected representatives; Political parties.
Criminal records conditions: Preventing or detecting unlawful acts; Protecting the public against dishonesty; Government / legal; Equality of treatment; Disclosure for journalism; Fraud / terror financing; Counselling; Insurance; Elected representatives; Political parties.
Criminal records conditions (cont'd): Vital interests (subject cannot consent); Consent from data subject; Political, religious / philosophical or trade union groups; Subject has put data in the public domain.
Articles 13 & 14: fair processing. Must use concise and transparent language; information must be reasonably accessible.
Article 13: provide if the subject gives you the data. ID of data controller; contact details of the Data Protection Officer; purposes and legal basis of processing; legitimate interests; retention period or criteria; recipients of data; international transfers; right to request rectification; right to withdraw consent; right to complain to the ICO; consequences of failure to supply data; existence of profiling and other automated decision making.
Article 14: fair processing if you get the data from a third party. ID of data controller; ID of the Data Protection Officer; purposes and legal basis of processing; categories of data; legitimate interests*; retention period or criteria; recipients of data; international transfers; right to request rectification / restriction; right to withdraw consent*; right to complain to the ICO; source of the data; existence of profiling and other automated decision making.
RIGHTS FOR SUBJECTS: Subject access; Rectification; Right to be Forgotten; Restriction; Portability; Objection to optional processing; Limitations on automated processing.
Rights: rights are disapplied when relevant personal data is processed in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty.
Other processing EXEMPTIONS, for the purposes of: avoiding obstructing an official or legal inquiry, investigation or procedure; avoiding prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; protecting public security; protecting national security; protecting the rights and freedoms of others.
Other rights: Subject access; Rectification (fairly unrestricted); Erasure (AKA RTBF) where there is a breach of principles, processing of data without a condition, or personal data must be erased in order to comply with a legal obligation; Restriction of processing in limited circumstances.
Rights (cont'd). 46: limitations on automated significant decisions (only where authorised by law). Definition of a significant decision: one that produces an adverse legal effect concerning the data subject or significantly affects the data subject.
Exemptions. An exemption identifies a subject area (e.g. prevention / detection of crime). All principles, rights and obligations apply at the start; the exemption then identifies provisions that can be set aside. The first group of exemptions sets aside the most provisions; each group after that sets aside less; at the end, only transparency and SAR are covered.
Main exemptions (remove transparency, rights including SAR, purpose limitation): Crime prevention, detection, imposition of taxes, duties etc.; Legal obligations to publish / disclose, legal proceedings; Immigration controls.
Additional exemptions (remove transparency / rights): Regulation of complaints in health, legal and children's services; Functions to protect the public; Parliamentary privilege, courts, honours; Other regulators.
SECURITY AND BREACH NOTIFICATION
Security principle: processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 4: Security breach definition. A personal data breach is an INCIDENT, i.e.
Articles 33 & 34: Breach notification. REPORT TO ICO within 72 HOURS, unless the breach is unlikely to cause risk to the rights and freedoms of data subjects. If it is likely to cause high risk to the rights of data subjects, REPORT TO SUBJECTS; the ICO can order you to report.
Article 33(3): ICO report. Nature of the breach; numbers and categories of subjects; numbers of records; name and contact details of the DPO; likely consequences of the breach; measures taken to address / mitigate the breach.
General controller obligations
GENERAL CONTROLLER REQUIREMENTS. Art 24: ability to demonstrate compliance with GDPR. Art 25: Data Protection by design and by default. Art 26: arrangements / agreements with joint controllers.
DATA PROTECTION OFFICER
Art 37(1): a DPO is required in three cases (the org can be a controller or processor): a) public authorities and public bodies; b) core activities involve regular and systematic monitoring of subjects on a large scale; c) core activities involve large-scale processing of special categories / criminal convictions and offences. www.actnow.org.uk
A37(5): the DPO is designated on the basis of professional qualities: expert knowledge of data protection law and practice, and the ability to fulfil the tasks set out in Article 39.
Article 38(6): Conflict of interest. The DPO can carry out other tasks as long as there is no conflict of interest; a case-by-case decision depending on the organisation's structure. LIKELY CONFLICTS: senior management, or any other role involved in determining the purposes of processing.
Article 39: TASKS. Advise the organisation and staff on obligations under GDPR; monitor compliance with GDPR, UK DP laws and the org's own policies and procedures; provide advice on impact assessments and monitor performance; cooperate with the ICO on GDPR issues and act as contact point with them.
Article 38: the DPO's position. Must be properly and in a timely manner involved in all issues which relate to the protection of personal data. The org must support the DPO with the necessary resources and access to data and systems. The DPO cannot be given instructions on how to carry out tasks, cannot be dismissed for performing those tasks, and must report to senior management. Must be available to be contacted by data subjects.
Impact assessments