Accountability and Governance evidence To what extent can an agreed - - PowerPoint PPT Presentation



SLIDE 1

RMPs and GDPR

‘Accountability and Governance’ evidence

SLIDE 2

“To what extent can an agreed RMP act as evidence of compliance with GDPR obligations around accountability and governance?”

SLIDE 3

Article 5(2) – Accountability Principle “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').”

SLIDE 4

Article 5(1) – GDPR Principles

Personal data shall be:

  • (a) processed lawfully, fairly and in a transparent manner – ‘lawfulness, fairness and transparency’
  • (b) collected for specified, explicit and legitimate purposes; not further processed in a manner incompatible with those purposes – ‘purpose limitation’
  • (c) adequate, relevant and limited to what is necessary – ‘data minimisation’
  • (d) accurate and, where necessary, kept up to date; every reasonable step taken to ensure this – ‘accuracy’
  • (e) kept for no longer than necessary; may be stored for longer periods for archiving, research and statistical purposes – ‘storage limitation’
  • (f) processed with appropriate security; protected against unauthorised or unlawful processing, and accidental loss, destruction or damage – ‘integrity and confidentiality’

SLIDE 5

ICO guidance on measures you can take

  • adopting and implementing data protection policies (where proportionate);
  • taking a ‘data protection by design and default’ approach – putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations;
  • putting written contracts in place with organisations that process personal data on our behalf;
  • maintaining documentation of our processing activities;
  • implementing appropriate security measures;
  • recording and, where necessary, reporting personal data breaches;
  • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
  • appointing a data protection officer (where necessary);
  • adhering to relevant codes of conduct and signing up to certification schemes (where possible).

SLIDE 6

Article 30 – Records of Processing Activities

  • the name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • the purposes of your processing.
  • a description of the categories of individuals and categories of personal data.
  • the categories of recipients of personal data.
  • details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • retention schedules.
  • a description of your technical and organisational security measures.


SLIDE 7

Article 30(5) – Exemption

Organisations with fewer than 250 employees are exempt, but not if:

  • Processing that is likely to result in a risk to the rights and freedoms of data subjects.
  • Processing that is not occasional.
  • Processing that includes special categories of data or personal data relating to criminal convictions and offences.

Working Party 29 – not a heavy burden. ICO has produced templates.

SLIDE 8

ICO – other documentation

  • information required for privacy notices, such as:
    – the lawful basis for the processing
    – the legitimate interests for the processing
    – individuals’ rights
    – the existence of automated decision-making, including profiling
    – the source of the personal data;
  • records of consent;
  • controller-processor contracts;
  • the location of personal data;
  • Data Protection Impact Assessment reports;
  • records of personal data breaches;
  • information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018, covering:
    – the condition for processing in the Data Protection Act;
    – the lawful basis for the processing in the GDPR; and
    – your retention and erasure policy document.

SLIDE 9

Keeper’s Model Plan: Element 9

Evidence currently required:

  • Privacy notice
  • Data protection policy or evidence of adequate processes in place
  • Guide to submitting SARs
  • Registration with the ICO

The Keeper would not expect a detailed list of records that might be affected by data protection legislation.

SLIDE 10

Is a specific element on data protection required? Evidence of compliance will also appear under:

  • Element 5: Retention schedule
  • Element 6: Destruction arrangements
  • Element 8: Information security
  • Element 11: Audit Trail
  • Element 14: Shared information

SLIDE 11

What additional evidence can the Keeper reasonably expect authorities to provide?

SLIDE 12

Possible evidence

  • Data protection policy
  • Privacy notice
  • Registration with ICO
  • Guidance on making SAR and exercising other rights
  • Appointment of Data Protection Officer
  • Information Asset Register
  • Other records of processing activities
  • Retention and Disposal Schedule
  • Data sharing agreements
  • Contracts and data processing agreements
  • Data Protection Impact Assessments
  • Security measures
  • Recording data breaches

SLIDE 13

What are your views?