gdpr update
play

GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle - PowerPoint PPT Presentation

Dec 07, 2022 •301 likes •808 views

GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle | Leeds | Manchester 2 What we will look at today GDPR to date How to handle data subject access requests Data security and handling data breaches Whats

  1. GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle | Leeds | Manchester

  2. 2 What we will look at today • GDPR to date • How to handle data subject access requests • Data security and handling data breaches • What’s new • Case law Newcastle | Leeds | Manchester

  3. 3 Why does data protection matter? • Legal obligations • Reputation and goodwill • Fines and enforcement • Other data protection liabilities • Compensation • Criminal penalties • Vicarious liability Newcastle | Leeds | Manchester

  4. 4 What data does the GDPR protect? • Personal data • What is personal data • Identifies living individual • Anything about the individual • Examples • Paper and digital/ Staff and customer records/ CCTV/ Website/photos/ Applications /biometrics/ location data/identifiers • Special category data (criminal offence/conviction data) Newcastle | Leeds | Manchester

  5. 5 Data protection principles • You must process personal data in accordance with the data protection principles: • Lawfulness, fairness & transparency • Specific, explicit and legitimate purpose -use for that purpose only (purpose limitation) • Adequate, relevant and limited (data minimisation) • Accurate and up to date (use every reasonable step) • Keep only as long as necessary (e.g. retail orders, ticket forms etc.) • Appropriate security • NB: Need to be able to demonstrate compliance with the above – "Accountability Principle" Newcastle | Leeds | Manchester

  6. 6 Accountability • Article 5(2) • “ The controller shall be responsible for, and be able to demonstrate compliance with paragraph 1 (accountability) .” • Organisations need to develop a proactive, systematic and ongoing approach to GDPR compliance • Risk based approach • How to demonstrate accountability • Policies and procedures (Information Governance Framework) • Other documentation Newcastle | Leeds | Manchester

  7. 7 GDPR to date – security breaches in 2018 2000 1800 1600 1400 1200 1000 800 600 400 200 0 March April May June Newcastle | Leeds | Manchester

  8. 8 GDPR to date – personal data breach reports to date Newcastle | Leeds | Manchester

  9. 9 GDPR to date – increase in exercise of information rights There has been an increase in individuals exercising their information rights 35% 30% 25% 20% 15% 10% 5% 0% Strongly agree Agree Neither agree nor Disagree Strongly disagree disagree Newcastle | Leeds | Manchester

  10. 10 GDPR to date – personal data breach reports to date • “ the public has woken up ” E Denham • 471,224 contacts via helpline, chat and written advice (66% increase) • Data protection complaints rose from 21,019 in 2017/18 to 41,661 in 2018/19 • 11 assessment notices issued • 2 intentions to fine announced Newcastle | Leeds | Manchester

  11. How to Handle Data Subject Access Requests Dean Murray Newcastle | Leeds | Manchester

  12. 12 Basics: What are data subject access requests and what must I provide? • Right of access to own personal data • Right of access is to:- • Confirmation personal data is being processed • Access copy of personal data • Supplemental information • Supplemental information • Purpose of processing/ categories of personal data/ recipients (including outside EEA)/ retention period (where possible)/ subject rights/ sources of data/ automated decision making or profiling/ safeguards for transfers outside EEA Newcastle | Leeds | Manchester

  13. 13 How do I provide information requested? • Provision of information:- • Provide in concise, transparent, intelligible and easily accessible format • Use plain and clear language • Provide in writing (orally if requested) Newcastle | Leeds | Manchester

  14. 14 What do data subjects get a right of access to? • Personal data held at the time the request is received • Held in paper or electronic records • Personal data which relates to the individual • No requirement to provide exempt information Newcastle | Leeds | Manchester

  15. 15 Some information is exempt… • Right of access is subject to a number of exemptions:- • Information already held by data subject • Impossible to provide or disproportionate effort • Third party data • Request for large volume of data • Can request data subject specifies information • UK derogations Newcastle | Leeds | Manchester

  16. 16 What specific exemptions are there and how do I use them? • Check if the personal data requested falls within an exemption • The exemptions include:- • Crime and taxation (prejudice) • Legal professional privilege • Management forecasts (prejudice) • Negotiations (prejudice) • Health/Social work/Education data (serious harm) Newcastle | Leeds | Manchester

  17. 17 How do I handle third party requests? • Confirm identity of requestor • Requests by parent/carer/spouse/solicitor on behalf of data subject • Requests by others • Public authority - Freedom of Information Act 2000/ EIR 2004 • Not a public authority • Legal right of access (e.g. HMRC/police) Newcastle | Leeds | Manchester

  18. 18 Reviewing third party data requests • No need to supply personal data requested if it contains information about other people unless: • Have consent • Reasonable to supply without consent • Factors to take into account where you don’t have consent: • Type of information/ Any duty of confidentiality /Steps taken to obtain consent /Is individual capable of giving consent /Any express refusal of consent • What to do with third party data • Obligation is to provide information not documents • Redact or edit documents to exclude third party data Newcastle | Leeds | Manchester

  19. 19 Handling requests • Check identity of individual • Log the request • Timescales • Without undue delay and in any event, one month • Time extensions up to 3 months • Keeping the data subject informed • Must provide free of charge unless manifestly unfounded or excessive • Searching for data • Search systems and locations. Provide personal data requested unless exempt etc • Form of response Newcastle | Leeds | Manchester

  20. 20 Refusing requests • All refusals must be writing • Keep record of what sent and reasons why • Set out • Reason for refusal • Sufficient to say they aren’t entitled to information as it is exempt • No requirement for detailed explanation why refused • Right to complain to ICO Newcastle | Leeds | Manchester

  21. 21 Data subject access requests – case law • Metropolitan Police Service • Enforcement notice re handling of DSARs • On 17 April 2019 it was processing 1,535 DSARs and over 94% outside statutory time frame for a response • By 13 June 2019 – 1,727 DSARs with 1,169 overdue and 689 over 100 days old • ICO considers delay causes damage or distress • Met to use best endeavours to:- • Answer all DSARs by 30 September • Make changes to it internal systems so can answer future DSARs properly Newcastle | Leeds | Manchester

  22. Data Breaches and Data Security Phil Tompkins Newcastle | Leeds | Manchester

  23. 23 What do we mean by the term data security? • GDPR obligation • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality) • Security should be appropriate to likelihood and severity of risks • Failure to keep data secure leads to personal data breaches Newcastle | Leeds | Manchester

  24. 24 The requirement to use technical and organisational measures…. • GDPR requires;- • Controllers to ensure a level of security appropriate to risk • Risk analysis • Proportionality test • Take into account • State of the art • Cost of implementation • Nature, scope, context and purposes of processing • Risk of varying likelihood and severity for the rights and freedoms of natural persons • Risks presented by processing Newcastle | Leeds | Manchester

  25. 25 What are appropriate measures? • What measures are appropriate? • Pseudonymisation and encryption • Managing, limiting and controlling access to personal data • Ensure the ongoing confidentiality, integrity, availability of data • Resilience of processing systems to restore availability and access to personal data in the event of an incident • Regular testing, assessment and evaluation of security measures • Approved codes of conduct and certification mechanisms • Record measures you take • Art 30(2)(d) – processing record (accountability) Newcastle | Leeds | Manchester

  26. 26 What do we mean by “organisational security”? • Governance • Contracts and data sharing • Training and awareness Newcastle | Leeds | Manchester

  27. 27 What is “Governance”? • Management structures • Policies, procedures and documentation • Compliance and assurance • Identify and manage risks • Use of data protection impact assessments • Data protection by design and default Newcastle | Leeds | Manchester

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

garjoh_canuck Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett Johnson (Boston U) Scott Shriver (U Colorado Boulder) GDPR Impact GDPR General Data Protection Regulation EU EEA Brexit GDPR

833 views • 27 slides
Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Presentation by Michalis Mantzaris, PhD Introduction to General Data Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does it apply? Consisting elements and Guideline provision Key changes and

605 views • 23 slides
Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
Welcome and In Introduction 13th Annual Nordic GRC/GDPR Summit Kersi F. Porbunderwala, CEO, The

Welcome and In Introduction 13th Annual Nordic GRC/GDPR Summit Kersi F. Porbunderwala, CEO, The

Welcome and In Introduction 13th Annual Nordic GRC/GDPR Summit Kersi F. Porbunderwala, CEO, The EUGDPR Institute Update of the GDPR, data Privacy and data Protection concerns and issues across the European Landscape.

323 views • 13 slides
PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

GENERAL DATA PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles of of GDPR How does it effect school How are school preparing How does it effect individual staff How can

475 views • 12 slides
News & Legislative Update April 2018 www.landlords.org.uk 1 Contents 1. MEES 2. GDPR

News & Legislative Update April 2018 www.landlords.org.uk 1 Contents 1. MEES 2. GDPR

News & Legislative Update April 2018 www.landlords.org.uk 1 Contents 1. MEES 2. GDPR What you need to know 3. New Housing Secretary Announced 4. Whats Coming Up for the PRS? I. HMO Minimum Room Sizes New Licence Conditions

650 views • 20 slides
Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require? How does an Australian business comply? Action Plan Section 1: GDPR is here Privacy in the digital age Historically, privacy was almost

513 views • 40 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont be scared 60% of people welcome the rights under GDPR 48% of UK adults plan to activate their rights 56% welcome the right to object to marketing

1.32k views • 37 slides
Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and

Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and

Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and outsourcing Brexit Central Bank and Cyber Fraud Consumer Insurance Contracts Act 2019 Covering PCF roles during COVID19 Assessing

666 views • 34 slides
GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Advising, Monitoring, Enforcing European Data Protection Board Art. 68 - 73 (replacing the Art. 29 Working Party) advise Supervisory

626 views • 8 slides
GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the recruitment industry This webinar is provided for information purposes and is NOT intended to be legal advice pertaining to the subject matter. If you

617 views • 38 slides
GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the

GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the

1 GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the recruitment industry 2 Introduction The rules which underpin the storage of personal data have changed dramatically. The new EU-US Privacy Shield

998 views • 35 slides
GDPR Rights and Consent Part 2 of our series on GDPR and its impact on the recruitment industry

GDPR Rights and Consent Part 2 of our series on GDPR and its impact on the recruitment industry

GDPR Rights and Consent Part 2 of our series on GDPR and its impact on the recruitment industry This webinar is provided for information purposes and is NOT intended to be legal advice pertaining to the subject matter. If you have specific

495 views • 35 slides
1. The potential of data sharing 2. An ideal professed but not practiced * 1. Researchers 2.

1. The potential of data sharing 2. An ideal professed but not practiced * 1. Researchers 2.

Perspectives on Academic Data Sharing Benedikt Fecher, German Institute for Economic Research Berlin, 19th April 2016 8,65 Data Sharing in Academia Agenda 1. The potential of data sharing 2. An ideal professed but not practiced * 1. Researchers

329 views • 22 slides
Internet Indirection Infrastructure Karthik Lakshminarayanan UC Berkeley Contrasting LNA, HIP,

Internet Indirection Infrastructure Karthik Lakshminarayanan UC Berkeley Contrasting LNA, HIP,

Internet Indirection Infrastructure Karthik Lakshminarayanan UC Berkeley Contrasting LNA, HIP, and i3 LNA = Layered Naming Architecture LNA, HIP, i3: All network architecture proposals Separate location and identity

257 views • 15 slides
How domestic regulation can respond to globalisation of business Session 2 - Domestic Data

How domestic regulation can respond to globalisation of business Session 2 - Domestic Data

How domestic regulation can respond to globalisation of business Session 2 - Domestic Data Regulation Peter Sheerin Executive Committee Member 20 June 2018. Sheerin.peter@mail.com Content Development of a borderless digital world.

247 views • 14 slides
INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY

INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY

INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY AND PART I DATA PROTECTION OVERVIEW Privacy Data protection Surveillance Exercises Privacy the right to be let alone Warren and

611 views • 44 slides
Care Transitions Network Data Jam October 28, 2016 National Council for Behavioral Health

Care Transitions Network Data Jam October 28, 2016 National Council for Behavioral Health

Care Transitions Network Data Jam October 28, 2016 National Council for Behavioral Health Montefiore Medical Center Northwell Health New York State Office of Mental Health Netsmart Technologies Erica Van De Wal Anni Kramer Medical

709 views • 26 slides
NAMED DATA NETWORKING IN SCIENTIFIC APPLICATIONS Susmit Shannigrahi, Chengyu Fan and Christos

NAMED DATA NETWORKING IN SCIENTIFIC APPLICATIONS Susmit Shannigrahi, Chengyu Fan and Christos

NAMED DATA NETWORKING IN SCIENTIFIC APPLICATIONS Susmit Shannigrahi, Chengyu Fan and Christos Papadopoulos Colorado State University March 23, 2017 Work supported by NSF #1345236 and #13410999 CMIP5 Servers 2 2 3 Years of CMIP5 Data Access

937 views • 35 slides
Learning to Hash with its Application to Big Data Retrieval and Mining o Department of

Learning to Hash with its Application to Big Data Retrieval and Mining o Department of

Learning to Hash with its Application to Big Data Retrieval and Mining o Department of Computer Science and Engineering Shanghai Jiao Tong University Shanghai, China Joint work with h , , L Dec 21, 2013 Li (

760 views • 58 slides
CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS A C O N V E R S A T I O N W I T H H O R N E

CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS A C O N V E R S A T I O N W I T H H O R N E

CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS A C O N V E R S A T I O N W I T H H O R N E I T S P E C I A L I S T S P A N E L I S T S M I K E S K I N N E R , C PA , C I S A , C I T P S e n i o r M a n a g e r I T A s s u r a n

634 views • 18 slides

More recommend