Data Protection Reform
… preparing for the General Data Protection Regulation
By Philip Brining Data Protection People 18th April 2016
Agenda
- Introduction
- Current Rules (DPA 98 & PECR)
- Overview of GDPR
- Business-wide impact
- Practical Preparation
http://ec.europa.eu/avservices/video/player.cfm?sitelang=en&ref=I119067
Introduction – Data Protection People
Specialist DP company based in Leeds. Aim = to make data protection easy and understandable; to ease DP pain points.
Services:
- Audits, reviews, DP projects
- Managed Service
- Compliance Management tools
Data Protection Act 1998
- Derived from Directive 95/46/EC
- 28 variations across Europe
- Drive for harmony of DP law
- Directive’s Aim = facilitate the free movement of data across the EU and uphold citizens’ right to privacy.
- Requirement to register
- 8 x DP Principles
http://www.information-age.com/technology/security/1687058/uk-ranks-21st-in-europe-for-privacy-protection
http://ec.europa.eu/unitedkingdom/press/press_releases/2010/pr1097_en.htm
http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html
“Approved Countries”
- Andorra
- Argentina
- Canada
- Switzerland
- Faroe Islands
- Guernsey
- Isle of Man
- Jersey
- State of Israel
- New Zealand
- Eastern Republic of Uruguay
- USA via “Privacy Shield”
Privacy and Electronic Communications Regulations 2015
Implements Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Regulates marketing activities:
- Telephone/SMS
- Mail
- Email
- Cookies, Pixels etc.
Regulates network providers:
- Ofcom
- Breach notification
General Data Protection Regulation
- Replaces DPA98
- Enacted Spring 2016
- A European Regulation
- Two cornerstones:
  - Data is “theirs” and not “ours”
  - We need to be more responsible
Also:
- More comprehensive definitive “dos” and “don’ts”
- More interaction with the Regulator
- Larger fines and greater Regulatory powers
Aim is still free movement of data across the EU and right to privacy. Data is not ours: we simply process it on behalf of data subjects in order to provide services that they have requested and on their instruction.
http://audiovisual.europarl.europa.eu/Assetdetail.aspx?id=a25be131-dce9-4e2e-89f1-a5e700ebd088
http://www.vieuws.eu/live-panel-debate/debate-can-the-next-eu-regulation-guarantee-data-protection-for-all/
Concepts
want us to be.
legitimate right to be processing an individual’s data then it is a toxic liability – a time bomb in your organisation.
GDPR : business-wide paradigm shift
6 Principles
1. Fair, lawful & transparent
2. Specific, explicit & legitimate purposes
3. Limited to what is necessary
4. Accurate
5. Anonymised ASAP
6. Processed securely with integrity and confidentiality
Responsible for being able to demonstrate compliance.
Some Key Points
- New definitions of “Personal Data”
- No more implied consent
- More transparency needed
- Balance DS rights with DC rights
- Anonymise data asap
- Need to keep records / audit
- Greater control of data processes
- Mandatory breach reporting
- Profiling
- DPO & privacy by design
- Data processors
- Reform of ICO powers and fines
Why is it a paradigm shift?
CURRENTLY:
- ICO has few powers and small fines
- Law has plenty of wriggle room
- Who has a DPO? Who has DP audits? Who has a PIA process?
GDPR: still some wriggle room BUT:
- You need to evidence more
- You need to justify more
- You need to control processing
- In-house whistle blower
- Due consideration of DS rights
- Processors will influence you
- New powers and bigger fines
- Consistency of application
Passive compliance through lack of breaches and minimum standards. Active compliance through risk management and balancing of rights. Big Stick too!
Data Lifecycle and GDPR interventions
Lifecycle stages: Data Capture, Sharing, Transfer, Disclosure, Anonymisation, Destruction.
Influences: Data Processing Activities.
Practice
Compensation
which would enable the tracking and collation of browser activity. The Cs pleaded that a Safari workaround operated by D allowed it to obtain and record information about their internet use and use it for the purposes of its AdSense advertising service. They pleaded that D collated their private and personal information and used it to serve adverts to them via AdSense.
under the Data Protection Act 1998 (DPA). The Cs claimed general and aggravated damages, an account of profits, an injunction and other relief.
personal characteristics formed the basis for Defendant’s targeted advertisements, or from having learnt that such matters might have come to the knowledge of third parties who had used or seen their devices. The Cs’ claims were exclusively for distress and anxiety, not financial damage.
GDPR Considerations
External Influences: Supervisory Authority, Consistency Mechanism, Powers, Fines, Compensation, DS Rights/awareness, In-house DPO, Certification/Codes of Practice.
Lifecycle stages covered:
- Data Collection
- Data Processing
- Transfer / Sharing / Disclosure
- Destruction
Powers and Penalties
Powers:
- Warnings
- Enter Premises/seize equipment
- Stop NOW!
- Fines
Penalties:
- Compensation
- Fines: €10m or 2% (A8, 10, 23-39)
- Fines: €20m or 4% (A5, 6, 7, 9, 12-20, 40-44, 53)
GDPR Impact
- IT – PIAs, policy and documentation, breach reporting, data sharing, retention, portability.
- HR – training and awareness, policy.
- Risk – risk assessment/PIA, audit, record keeping, retention.
- DPA/FOI – DPO tasks/role, independence, SARs, ICO/EDPB, ICO powers.
- Brand/Image/Reputation – consent, profiling, right to be forgotten, privacy notices, bought-in data, retention.
- Contact Centre – ID verification, consent, privacy notices.
- Operations – regulation and monitoring conformance to procedures.
- Exec/Board – DPO, record keeping, fines, compensation, change in emphasis, management and control.
- Customers – data portability, SARs, privacy notices, consent.
Responding to GDPR
More engaged ICO:
- Powers of inspection
- In-house whistle-blower
- Breach notification
- Prior authorisation
More prescriptive rules: needs proper management controls over processes.
- Documentation
- Privacy by design
- Resources & budget
Suggested Response
- Gap analysis
- GDPR strategy
- Early engagement of DPO
- Action plan
Practical examples of work you can do
- Create information asset register
- Create data processes register
- Map data acquisition flows and consent flows
- Agree standard privacy notices
- Create register of data processors/sharing
- Implement data services procurement controls
- Implement PIA and Privacy by Design
- Fill documentation/policy gaps
- Implement internal audit process
- Implement secure data transfer protocols
- Review CRM system
- Implement near miss and breach reporting procedure
- Engage with suppliers/consumer groups
- Establish project team
- Get external assistance to monitor progress
Data Protection People
Services: Gap Analysis, Deep Dives, Managed Service.
How we can help:
- Assess where you are now
- Develop GDPR strategy
- Create action plan
- Engage as DPO on contract
- Implement what you need to do:
  - Fill policy gaps
  - Create record keeping
  - Review consent and sharing
  - Training & awareness
  - Audit regime
Data Protection People
MAKING DATA PROTECTION EASY
Phil Brining
Director of Consulting Operations, Data Protection People Limited
philip.brining@dataprotectionpeople.com
07775 660387
Dave Hendry
Director of Sales and Marketing, Data Protection People Limited
david.hendry@dataprotectionpeople.com
07736 155130
Data Protection People Limited
The Round Foundry Media Centre, Foundry Lane, Leeds, LS11 5QP
www.dataprotectionpeople.com
https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf