GDPR: Towards Compliance, 25 May 2018 (PowerPoint PPT Presentation)



SLIDE 1

GDPR

Towards Compliance – 25 May 2018
SLIDE 2

What is GDPR?

  • EU Data Protection Directive 1995
  • Data Protection Act 1998
  • EU General Data Protection Regulation 2016
  • Data Protection Bill 2017-19

SLIDE 3

Fines

DPA

  • Maximum Fine £500k
  • Only raised for serious or repeated breaches

GDPR

  • Two maximum levels depending on type of breach, the higher of:
  • 2% of turnover or €10m
  • 4% of turnover or €20m
SLIDE 4

Principles

DPA

  • 8 Principles

GDPR

  • 6 Principles
  1. Lawfulness, transparency and fairness
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

SLIDE 5

Principles

New requirement for Data Controllers to be able to demonstrate compliance with the principles, including:

  • Data protection by design
  • Staff and volunteer training
  • Policies and procedures
  • Requirement to carry out Privacy Impact Assessments where high risk processing takes place
  • Requirement to conduct audits, policy reviews and activity records

Result = Extensive added record keeping burden

SLIDE 6

Personal Data

DPA

  • Any data relating to a living individual
  • Sensitive data subject to added controls

GDPR

  • Any data which is capable of identifying an individual directly or indirectly; includes images
  • Sensitive data replaced with special categories of data; includes genetic and biometric data

SLIDE 7

Consent

DPA

  • Permitted opt out consents

GDPR

  • Consents must be:
  • Opt in
  • Unambiguous
  • Not presumed from inaction
  • Presumption that consent is not valid unless there are separate consents for each activity
  • Right to withdraw consent
SLIDE 8

Transparency

DPA

  • Processing notices only needed to be fair

GDPR

  • Processing notices must be transparent
  • Processing notice to be provided at the time of collection of personal data
  • If personal data is obtained indirectly, the notice has to be provided at first contact or within one month

SLIDE 9

Data Subject Rights

DPA

  • 40 days to comply with a Subject Access Request

GDPR

  • One month to comply with a Subject Access Request
  • Right to be forgotten
  • Right to withdraw consent at any time
  • Right to object to direct marketing
  • Right to data portability
  • Right to object to automated decision making

SLIDE 10

Data Breaches

DPA

  • Voluntary notification to the ICO

GDPR

  • Obligation to notify within 72 hours
  • Obligation to notify data subjects
  • Definition of data breach also includes accidental loss, alteration or destruction

SLIDE 11

Liability

DPA

  • Only the data controller has liability for fines

GDPR

  • Both data controller and data processor have direct liability for fines
  • Both have liability for damages

SLIDE 12

Children’s Personal Data

DPA

  • No specific restrictions

GDPR

  • Children under 16 identified as ‘vulnerable individuals’
  • All processing notices addressed to a child should be ‘child friendly’
  • Appropriate parental consent mechanisms must be implemented

SLIDE 13

What are we doing about GDPR?

  • Developing a secure data culture
  • ‘Champions’ from each area of the organisation to:
  • Identify what data is being processed and by whom
  • Develop guidelines for processing data for their specific area
  • Source of knowledge for colleagues
SLIDE 14

Workstreams

  • Discover: Identify personal data & where it resides
  • Manage: Governance of how personal data is used
  • Protect: Security controls to prevent breaches
  • Report: Compliance documentation & reports

SLIDE 15

Discover

  • All personal data being processed, and does it fit into a special category?

  • Who is the Data Processor and who is Data Controller?
  • Review processing:
  • What is covered by contract performance?
  • What is covered by legitimate business interests?
  • Do we have GDPR compliant consents for the rest?
SLIDE 16

Manage

  • Develop retention policies
  • Delete or redact data which is not needed or compliant
  • Update data policies and processing notices
  • Ensure separate consents for each activity where applicable
  • Build in ability to easily withdraw any consents given
  • Deliver staff training and induction
  • Consider how to respond to data portability requests
  • Make sure systems allow prompt cessation of direct marketing
  • Data Processing Agreement to document compliance when passing data to third parties

SLIDE 17

Certificate of Assurance

British Rowing

British Rowing, 6 Lower Mall, Hammersmith, London W6 9DJ

Scope: Whole Company

Complies with the requirements of the Cyber Essentials Scheme

Date of Certification: 15th January 2018
Recertification Due: Jan 2019
Certificate Number: IASME-A-04961
Profile Published: February 2017

This Certificate certifies that the organisation named was assessed as meeting the Cyber Essentials implementation profile published in February 2017 and thus that, at the time of testing, the organisation's ICT defences were assessed as satisfactory against commodity based cyber attack.

However, this Certificate does not in any way guarantee that the organisation's defences will remain satisfactory against cyber attack.

Certification Body:
Assessor: Marcus Dempsey
Accreditation Body: