Uploaded by Mick Chursin

GDPR NOTES

Explaining GDPR - General Data Protection Regulation
• GDPR - Became law in ALL EU states from May 25, 2018
• GDPR gives better protection to EU citizens even where the data holder is outside the EU
• DATA PROTECTION OFFICER - Even if organisations are not required by the regulation to do so, they will have to appoint a DP Officer.
• Some companies might be fined up to 20 Million euros or 4% of global
Definitions
• A Natural Person - identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier or factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• Personal Data - any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person
• Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
• Profiling - any automated processing of personal data intended to evaluate, analyse or predict data subject behaviour
• Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data; the controller decides what information is collected, how it is collected and what to do with it.
• Processor - the entity that processes data on behalf of the Data Controller; the processor simply processes the data as it is told to
• Supervisory Authority - a public authority established by a member state in accordance with article 46, such as the Information Commissioner’s Office (ICO) in the UK.
The 6 Principles
1. All data collected must be for specific and explicit purposes
2. Data must be accurate and maintained
3. Data retained only for how long it is needed
4. Data must be processed lawfully, transparently & fairly
5. Data must be processed securely and you MUST be able to prove this (certification etc.)
6. Data held must be adequate, relevant and limited to what is needed
Takeaways
1. Your organisation is accountable and can be heavily penalised. It / YOU must adhere to
the Regulation including the 6 Principles
2. Consult with your Data Protection Officer (DPO) to make sure your work adheres to the 6
Principles and the GDPR
GDPR Fines
1. Lower level - Up to 10 Million euros, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
• Controllers and processors under Articles 8, 11, 25-39, 42, 43.
• Certification body under Articles 42, 43
• Monitoring body under Article 41(4)
2. Higher level - Up to 20 Million euros, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
• The basic principles for processing, including conditions for consent
• The data subjects’ rights under Articles 12-22
• The transfer of personal data to a recipient in a third country or an international organisation
• Any obligations pursuant to Member State law
• Any non-compliance with an order by a supervisory authority
Why bother complying?
• Big Fines
• Legal Costs
• Costs of putting things right
• Loss of Goodwill
• Loss of Customer Trust
GDPR Rights
1. Right to be Informed (Articles 13 and 14): Individuals have the right to be informed
about the collection and use of their personal data. This includes information about the
purposes of processing, the retention period, and the rights of the individual.
2. Right of Access (Article 15): Individuals have the right to access their personal data and
obtain information about how it is being processed. This includes the right to request a
copy of the data being processed.
3. Right to Rectification (Article 16): Individuals can request the correction of inaccurate
or incomplete personal data.
4. Right to Erasure (Right to be Forgotten) (Article 17): Individuals have the right to
request the deletion of their personal data under certain circumstances, such as when the
data is no longer necessary for the purpose for which it was collected.
5. Right to Restriction of Processing (Article 18): Individuals can request the restriction
of processing of their personal data in certain situations, such as when the accuracy of
the data is contested.
6. Right to Data Portability (Article 20): Individuals have the right to receive their personal
data in a structured, commonly used, and machine-readable format and have the right to
transmit that data to another controller.
7. Right to Object (Article 21): Individuals can object to the processing of their personal
data in certain circumstances, such as for direct marketing purposes.
8. Rights Related to Automated Decision Making, Including Profiling (Article 22):
Individuals have the right not to be subject to decisions based solely on automated
processing, including profiling, which have legal or similarly significant effects on them.
9. Right to Lodge a Complaint with a Supervisory Authority (Article 77): Individuals
have the right to file a complaint with a data protection authority if they believe that their
rights under the GDPR have been violated.
The Data Protection Officer:
1. Who must have one:
• processing is carried out by a ‘public authority’
• ‘core activities’ need regular and systematic monitoring of data subjects on a ‘large scale’
• ‘core activities’ involve ‘large scale’ processing of ‘special categories’ of personal data, or data relating to criminal convictions and offences.
2. Who doesn’t need one:
• Its main activities seldom involve monitoring data subjects, with little infringement on those data subjects’ rights
• It does not process special category personal information
• It is only processing the special category personal information of a small group of data subjects
3. The role of the DPO
• To assist data ‘Controllers’ and ‘Processors’ to comply with data protection law and avoid the risks that organisations face when processing personal data
• The DPO is the data protection expert and the link between the public and the organisation’s employees. The DPO also acts as the person that data protection queries are directed to
• Is the contact point for the Supervisory Body
• Gives advice on DP Impact Assessments
• Monitors GDPR compliance
• Informs & advises on Data Protection
• Knowledge of national and European data protection laws/GDPR and practices
• Understanding of data processing and data security
• Good communication skills
• Ability to promote a data protection culture within the organisation
The DPO is a very critical role in any organisation: they give both advice and guidance, help keep data control within the law and communicate with both the Information Commissioner’s Office and customers.
Privacy and Transparency
• Transparent, accessible & fair in holding and using Personal Data
• Taking account of customer reluctance to read through Privacy Notices/Terms & Conditions etc. Try to make it clear & easy for them to understand!
There’s some information that you must tell the data subject, it is:
• Who is the Data Controller? How to contact them?
• Who is the organisation’s Data Protection Officer? How to contact them?
• What use will you make of the personal data?
• The legal basis of this data processing
• The legitimate interests of the data controller (and Third Parties where appropriate)
• What categories of data are held/used and who gets this data?
• If held/transferred to another country, what safeguards are in place
• Length of data retention or criteria used to determine retention periods
• Data subjects can withdraw consent and it should be as easily done as giving consent
• They should be told how and who to complain to. This would include the Supervisory Authority
• Remember to tell about any legal or contractual obligations to provide data
• Remember to tell about any possible consequences of not providing data
Information of Privacy Notice Requirements of the GDPR can be found in my folder.
Data Held
• You must document what you use the data held for
• You must document where data came from
• Your DPO may provide a standard template to record the information
• Record your data, what you use it for etc. YOU NEED THIS IN CASE YOU NEED TO TELL THIRD PARTIES AND THE ‘REGULATOR’
• Show how data comes into, moves through and exits your organisation.
• Prove you comply with the 6 principles and the GDPR
A checklist:
1. Where did I get this information from?
2. What do I use it for?
3. Do I need it at all, or do I need it all?
4. Do I have explicit permission from the data subject to hold it and use it in this way?
5. Do I hold the data securely?
6. Do I pass this data on to others?
7. Do I have a legitimate right to pass that information on?
8. Do I record the above and can I justify my actions in relation to this data?
9. Do I meet the 6 principles of GDPR?
Lawful Data Processing:
• The data subject must have given consent for data to be used for that specific purpose
• You should only process data when you need to do so
• You may need to process data for a legal reason such as pre-employment checks
• For example, collecting household data or census data for public service planning
Subject Data Access Requests
• Confirmation that their data is being processed;
• Access to their personal data;
• Other supplementary information
Do SARs attract a fee?:
• You must provide a copy of the information free of charge
• You can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive
• You may charge a reasonable fee for copies of the same information
• This does not mean that you can charge for all subsequent access requests.
Time Line for SARs:
Information must be provided without delay and within one month of receipt. You will be able to extend the period by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Providing the information:
• You must verify the identity of the person making the request, using ‘reasonable means’
• Where possible, you should provide remote access to a secure self-service system where individuals have direct access to their information
• If the request is made electronically, you should provide the information in a commonly used electronic format
• The right to obtain a copy of information/access personal data through a remotely accessed system should not adversely affect the rights and freedoms of others
Right to restrict data use
• When processing is restricted, you are permitted to store personal data, but not further process it.
• You can retain enough information about the individual to ensure that the restriction is respected in future.
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering if your organisation’s legitimate grounds override those of the individual
• When processing is unlawful and the individual opposes erasure, requesting restriction instead.
• If you do not need the data but the individual needs it kept to establish, exercise or defend a legal claim.
The right to rectification - Individuals are entitled to have personal data rectified if it is inaccurate or incomplete
Responding to requests for rectification - You must respond within one month. This can be extended by two months where the request for rectification is complex.
Where you’re not taking action in response to a request for rectification, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to judicial remedy.
The right to erasure is also known as ‘the right to be forgotten’ - This right is to enable an individual to request the deletion or removal of personal data where there is no real reason for its continued processing.
Why data would be erased:
1. Data is no longer necessary for the purpose for which it was originally collected/processed
2. When the individual withdraws consent… after considering need to retain
3. When the individual objects to processing and there’s no overriding legitimate interest to continue processing
4. The personal data was unlawfully processed (in breach of the GDPR)
5. The personal data has to be erased to comply with a legal obligation
6. The personal data is processed in relation to the offer of information society services to a child
No Erasure:
• To exercise the right of freedom of expression and information. To comply with a legal obligation or for the performance of a public interest task or exercise of official authority
• For public health purposes in the public interest. Archiving purposes in the public interest, scientific research, historical research or statistical purposes
• The exercise or defence of legal claims
Children’s Data
Pay attention to situations where a child has given consent and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. A child may not be fully aware of the risks in the processing at the time of consent.
Shared Data
• Tell third parties about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
• Those in the online environment who make personal data public should inform others who process the personal data to erase links to, copies or replication of the personal data in question
Objection to Data Processing
• You must inform individuals of their right to object ‘at the point of first communication’ and in your privacy notice.
• This must be ‘explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information’.
Data Subjects have the right to object to:
• Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
• Direct marketing (including profiling)
• Processing for purposes of scientific/historical research or statistics
If someone objects to you using their data, stop, unless 1 or 2 applies:
1. You can demonstrate compelling legitimate grounds for the processing, overriding the interests, rights and freedoms of the individual;
2. The processing is for the establishment, exercise or defence of legal claims.
Profiling:
• is “any automated processing of personal data to evaluate personal aspects relating to a natural person, to analyse or predict aspects about that person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement”
• is just using personal information to build up a picture of who they are - whether for analytics reporting (e.g. “25% of the visitors to our website are male, in professional jobs, and in the 25-34 age bracket”) or for some kind of evaluation (e.g. “This person presents a low risk of defaulting on a loan”)
Individuals’ right not to be subject to a decision when:
• It is based on automated processing, and it produces a legal or a similarly significant effect on the individual.
The right does not apply if the decision:
• Is necessary for entering into or performance of a contract between you and the individual;
• is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or is based on explicit consent;
What is the Right of Portability?
• The right to data portability allows individuals to get and reuse their personal data for their own purposes across different services.
• They may move, copy or transfer personal data easily from one IT environment to another in a safe, secure way, without hindrance to usability.
MEMO - You give the personal data in a structured, commonly used machine readable form.
Open formats include CSV files. Machine readable means that the information is structured
so that software can extract specific elements of the data. This enables other organisations to
use the data.
YOU HAVE TO RESPOND WITHOUT DELAY, AND WITHIN ONE MONTH. TWO MONTH
If requested, you are required to transmit the data directly to another organisation if this is
technically feasible. You need not adopt or maintain processing systems that are technically
compatible with other organisations
Transferring data outside of the EU:
• Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the General Data Protection Regulation.
• Where the Commission has determined that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection.
• A non-EU country, or territory or one or more specified sectors within a non-EU country may provide an appropriate level of data protection. GDPR notes that adequacy determinations may not necessarily last indefinitely.
• The European Commission will review, at least every four years. The Commission shall monitor, on an ongoing basis, developments in third countries and international organisations that could affect the functioning of adequacy decisions taken by the Commission pursuant to the Directive or the GDPR.
• You may only transfer personal data outside the EEA to a third country that has adequate data protection. The European Commission approves countries as providing an adequate level of data protection.
• Businesses that infringe the GDPR regarding international transfers of personal data may be subject to administrative fines up to 20.000.000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher
Data Protection Impact Assessments:
• DPIAs are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy
• You must carry out a DPIA when: using new technologies; and the processing is likely to result in a high risk to the rights and freedoms of individuals.
• A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation. This is known as privacy by design; the embedding of data privacy features into the design of projects offers many benefits
Benefits of a DPIA
• The process helps make informed decisions about the acceptability of data protection risks, and communicate effectively with the individuals affected.
• A DPIA helps identify and mitigate against data protection risks, plan for implementation of solutions to those risks, and assess the viability of a project at an early stage.
• Good record keeping during the DPIA process can allow you to demonstrate compliance with the GDPR and minimise the risk of a new project creating legal difficulties
DPIA process:
• Identify DPIA need
• Describe the information flow
• Identify data protection and related risks
• Identify data protection solutions to reduce or eliminate risk
• Sign off the outcomes of the DPIA
• Integrate protection solutions into the project
DPIA Responsibility
• The organisation (data controller) is responsible for ensuring the DPIA is carried out
• The DPIA should be driven by people with appropriate expertise and knowledge of the project in question.
• If you don’t have sufficient expertise and experience internally, you may bring in external specialists to consult on or to carry out the DPIA
DPIA content template
• Is the process necessary in the first place?
• Do we require all the data that we’re going to collect to conduct the process?
• How long do we need to hold the data for before purging it from our storage?
DPIA examples where it is appropriate
• An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
• The gathering of public social media data for generating profiles
Breach Notification
• Notify the relevant supervisory authority if the breach is likely to result in a risk to the rights and freedoms of individuals.
• The breach is likely to have a significant detrimental effect on individuals - for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
• Where it may result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.
• Within 72 hours of the organisation becoming aware of it.