GDPR Annual Refresher Training Annual refresher training - intro - - PowerPoint PPT Presentation
GDPR Annual Refresher Training Annual refresher training - intro It is a legal requirement that all staff and volunteers have GDPR refresher training on an annual basis. Logistically, it makes sense to offer refresher training electronically
It is a legal requirement that all staff and volunteers have GDPR refresher training on an annual basis. Logistically, it makes sense to offer refresher training electronically to ensure that all staff are able to complete it within a reasonable timescale that fits with everyone’s busy schedules. Please ensure that you complete the training by the deadline given.
uphold information rights
information and data protection laws
Data which relate to a living individual who can be identified
– (a) from those data, or – (b) from those data and other information in the possession of the data controller/ processor
It includes names, addresses, contact info, medical info, employment status, etc. Also, how you describe someone that clearly identifies an individual! Not business contact details.
“The GDPR data controller is the organisation that decides how and why customers’ personal data is processed. They control the data but do not necessarily hold or process it, however, they are responsible for how it’s used, stored and deleted.”
e.g. us, Cornwall Council, NHS Kernow
“A data processor… is a company or person who processes personal data on behalf of the controller. This could include something as simple as storing the data on a third party’s server but also includes, for example, payroll services, commissioned services and market research businesses.”
i.e. us!
www.cybersmart.co.uk
2018
compliance with the principles
– Same basic principles as old data protection law but strengthened – Greater accountability – New rights for individuals and strengthening of existing rights – Breach reporting – Data Protection Impact Assessments – Higher penalties for non-compliance
BREXIT does not affect UK compliance with GDPR – Data Protection Bill is in effect from 25 May 2018. “ While the GDPR will not be directly applicable post-Brexit, the Data Protection Bill (which will become the Data Protection Act 2018) will ensure continuity with the legislation set out in the GDPR”
https://ico.org.uk/for-organisations/data-protection-and- brexit/
DPA Compliant until proven not to be GDPR Must prove compliance from day 1
Personal data shall be…
DPA Principles
purposes
excessive
purpose, shall not be kept for longer than is necessary
unauthorised or unlawful processing, loss, destruction or damage
without adequate protection GDPR principles
a transparent manner
legitimate purposes
to what is necessary
identification of data subjects for no longer than is necessary
ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
country without adequate protection
Data storage and technology has evolved rapidly since the 1990s Mobile technology is much more versatile: mobile phones, tablets, etc Social media means personal information is much more publicly available; we are also sharing much more private information. How we use technology for work has changed how information is collected, stored, used, etc, and changed risk factors. Legislation across Europe has been complex and
imposes more consistency and stronger requirement for compliance
Where we are requesting an individual to give us any of their personal data, active consent must be sought.
We must ask for consent without offering any incentive to do so. Consent forms must make it absolutely clear what information is needed, why it is needed and how it will be used (including who it might be shared with e.g.
Consent must be on an opt-in basis (not opt-out). Individuals must be told how to withdraw their consent. Consent forms must use clear, plain language. Evidence of consent must be recorded.
Consent must be
requested using clear language intelligible accessible
provided with the ability to withdraw
provable that consent was given necessary
freely given, explicit, specific, informed, and an unambiguous indication of wishes
protection when you are collecting and processing their personal data - may not understand the risks.
directly to child: –
in the UK children aged 13+ able to provide own consent. – Children under 13, you need parental consent - unless the
preventive or counselling service.
notices for children so that they are able to understand what will happen to their personal data and what rights they have.
The right to restrict processing The right to data portability Rights in relation to profiling Right to rectification Right to erasure
The rights of the individual are central to data processing
Right to Restrict Processing
processing of personal data.
restricted, you are permitted to store the personal data, but not further process it.
who have requested their data is removed
The Right to Data Portability
environment to another in a safe and secure way
advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits
Rights in Relation to Profiling The GDPR includes provisions on:
solely by automated means without any human involvement)
evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
a loan; and
which uses pre-programmed algorithms and criteria. (ICO)
Right to Rectification
Right to Erasure
data where there is no compelling reason for its continued processing. Google and ‘right to be forgotten’ case NB In order to administer this a ‘request to be forgotten’ list needs to be maintained. Examples: trainee not wanting to know of other course or a carer who has had support does not want newsletter
“The controller shall be responsible for, and be able to demonstrate compliance with the Principles” Article 5(2)
data protection officer (controllers)
and default (all)
certification schemes (all)
appropriate technical and
processing activities (all)
assessments (all)
Some of this applies to data processors too.
A data breach is any situation where an individual can be identified by someone other than who is ‘authorised’ to have access to that data
Medium breaches of data protection are subject to administrative fines: whichever is higher of the following:
financial year (in the case of an undertaking)
The Data Subject Individual) is at the centre of claims for compensation. The Data Controller must pay up front and then recoup from the Data Processor where appropriate
the public or visitors to the building, including computer screens
not have consent or legal basis (information sharing protocol)
need for that day.
In your car
holder/case or folder (doesn’t have to be lockable).
info relating to other clients).
aren’t visible to anyone you’re with. Please see IT for help with this if you don’t know how.
could see them!
Any sensitive information, e.g. client files & documents, must be stored in a lockable box! Please see Jane S/ Adam if you need
Do not store work-related information on a personal laptop.
contain information that can identify clients?
additional sensitive information? E.g. address, phone number, medical information?
accountable for its security and the information it contains!
as possible to hold information, as it’s password protected
reduce immediate identification of information – e.g. using initials for client names
you actually need to have on you.
fall out so be aware of what notes you are carrying in it.
data must be locked away at the end of each day.
for a period of time, be aware
your screen and what is displayed.
addresses, put these in the BCC field so that recipients can’t see other people’s email addresses.
drives, not on a local hard drive (C: drive of a laptop or PC)
being collected
information held
None of this is meant to make your job more difficult; we have to take a proportionate approach. If you think any of the above will be tricky to implement, let’s have a chat and see if we can work out a solution. If you spot any other data protection issues not mentioned here, by all means let me know.
GDPR compliance is compulsory by law!
equally to individuals and organisations
policies and procedures is individually accountable.
– It is mandatory. It will be updated annually.
If there is anything you are unsure of, please ask your line manager
nicki.sweeney@cornwallrcc.org.uk 07715 799395
Please now complete the GDPR Refresher Training Workbook that accompanied this presentation. Please ensure you submit the workbook by the deadline given. If you are unable to submit it by the deadline, please either speak to your line manager or contact Nicki Sweeney to explain why. Thank you!