GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data - PowerPoint PPT Presentation

GDPR T owards Compliance – 25 May 2018

Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19

Fines DPA GDPR Maximum Fine £500k Two maximum levels • • depending on type of breach, • Only raised for serious or the higher of: repeated breaches • 2% of turnover or € 10m • 4% of turnover or € 20m

Principles DPA GDPR 8 Principles 6 Principles • 1. Lawfulness, transparency and fairness 2. Purpose limitation 3. Data minimisation 4. Accuracy 5. Storage limitation 6. Integrity and confidentiality

Principles New requirement for Data Controllers to be able to demonstrate, compliance with the principles including: Data protection by design • Staff and volunteer training • Policies and procedures • Requirement to carry out Privacy Impact Assessments where high • risk processing takes place Requirement to conduct audits, policy reviews and activity records • Result = Extensive added record keeping burden

Personal Data DPA GDPR Any data relating to living Any data which is capable of • • individual identifying an individual directly or indirectly, includes Sensitive data subject to • images added controls Sensitive data replaced with • special categories of data includes genetic and biometric data

Consent DPA GDPR Permitted opt out consents Consents must be: • • • Opt in • Unambiguous • Not presumed from inaction Presumption that consent • not valid unless separate consents for each activity Right to withdraw consent •

Transparency DPA GDPR Processing notices only Processing notices must be • • needed to be fair transparent Processing notice to be • provided at the time of collection of personal data If personal data obtained • indirectly, have to provide at first contact or within one month

Data Subject Rights DPA GDPR 40 days to comply with a One month to comply with a • • Subject Access Request Subject Access Request Right to be forgotten • Right to withdraw consent at • any time • Right to object to direct marketing • Right to data portability • Right to object to automated decision making

Data Breaches DPA GDPR Voluntary notification to the Obligation to notify within 72 • • ICO hours Obligation to notify data • subjects Definition of data breach also • includes accidental loss, alteration or destruction

Liability DPA GDPR Only data controller has Both data controller and data • • liability for fines processor have direct liability for fines Both have liability for • damages

Children’s Personal Data DPA GDPR No specific restrictions Children under 16 identified • • as ‘vulnerable individuals’ All processing notices • addressed to a child should be ‘child friendly’ Appropriate parental consent • mechanisms must be implemented

What are we doing about GDPR? Developing a secure data culture • ‘Champions’ from each area of the organisation to: • • Identify what data is being processed and by whom • Develop guidelines for processing data for their specific area • Source of knowledge for colleagues

Workstreams Discover Report Identify Compliance personal data & documentation where it & reports resides Protect Manage Security Governance of controls to how personal prevent data is used breaches

Discover All personal data being processed and does it fit into a special • category? Who is the Data Processor and who is Data Controller? • Review processing: • • What is covered by contract performance? • What is covered by legitimate business interests? • Do we have GDPR compliant consents for the rest?

Mana nage ge Develop retention policies • Delete or redact data which is not needed or compliant • • Update data policies and processing notices • Ensure separate consents for each activity where applicable Build in ability to easily withdraw any consents given • Deliver staff training and induction • Consider how to respond to data portability requests • • Make sure systems allow prompt cessation of direct marketing • Data Processing Agreement to document compliance when passing data to third parties

Certificate of Assurance British Rowing British Rowing 6 Lower Mall, Hammersmith London W6 9DJ Scope: Whole Company Complies with the requirements of the Cyber Essentials Scheme Date of Certification: 15th January 2018 Certification Body: Recertification Due: Jan 2019 Certificate Number: IASME-A-04961 Profile Published: February 2017 Marcus Dempsey Assessor: This Certificate certifies that the organisation nam ed was assessed as m eeting the Cyber Essentials im plem entation profile published in February 2017 and thus that, at the tim e of testing, the organisations ICT defences were assessed as satisfactory against com m odity based cyber attack. Accreditation Body: However, this Certificate does not in any way guarantee that the organisations defences will rem ain satisfactory against cyber attack.