General Data Protection Regulation (GDPR) What does it mean for us? - PowerPoint PPT Presentation

General Data Protection Regulation (GDPR) What does it mean for us?

This is not… • A full and comprehensive review of the GDPR • An overly legalistic session • An hours worth of “chalk and talk” • Somewhere you can sit and do your email

Hitchhikers Guide to the GDPR • Look at some of the changes • Look at what we are doing in Salford • Identify some of the work underway • Review some of the Myths • Identify some impacts on all of us in our areas • Clarify our roles DON’T PANIC

What is the GDPR? • The GDPR is Europe's new framework for data protection laws. It replaces the 1995 directive, which current UK law is based upon. • The new regulation starts on 25 May 2018. It will be enforced by the Information Commissioners Office • Brexit will not alter this. A new Data Protection Act will be passed by parliament.

What is the GDPR ? • Modernise Europe’s data protection laws by bringing them in line with today’s digital world. • Makes organisations accountable for how they collect, use and safeguard personal data • Gives citizens greater rights and control over how their personal data is used. • Third-party service providers and supply chains such as data storage & cloud services also directly responsible for certain data processing under GDPR.

Key changes under GDPR • Accountability & ownership of data protection at Board level • Records of Processing Activities • Data Protection Privacy Impact Assessments (DPIA)- mandated for high risk activities – focus on data minimisation/pseudonymisation • Data Protection Officer • Data breach notification • Increased rights for data subjects

Key changes under GDPR (cont’d) • Privacy Notices- lawful basis/consent • Fines & Enforcement- infringements of principles and rights higher fine • Requirement to consult ICO where high risk • Data Processor requirements

Salfords actions • Small team to co-ordinate • AGMA input to build templates and documents • Commitment to whole council ownership of information management • Established Corporate Risk and Information Group • Training and re-enforcement of responsibilities and roles

What are we doing now? • Implementation plan to review current data protection policy and practice. • The Corporate Information Assurance and Risk Group (CIARG) set up to give oversight and ownership • All Information Asset Owners (IAOs) identified • Personal data audit underway • Privacy notices created for Council and templates issued to CIARG and DSIRO’s for completion. • Data Breach Process ready to issue

Myth 1 • The biggest threat to organisations from GDPR is massive fines • Fact: This law is not about fines. It’s about putting the consumer and citizen first. • Under GDPR, the ICO has the power to fine companies up to £17m or 4pc of turnover. The ICO says that they will not be making early examples of organisations for minor infringements, or that maximum fines will become the norm.

Myth 2 You must have consent if you want to process personal data • Fact: The GDPR is raising the bar to a higher standard for consent. • The new rules clarify that pre-ticked opt-in boxes are not indications of valid consent. We must make it easy for people to exercise their right to withdraw consent. • Consent needs to be explained in clear and plain language, and we must ensure that existing consent meets the standards of GDPR. • Consent is one way to comply with the GDPR, but there are 6 ways to have lawful processing under GDPR. • Service specific Privacy Notices will need to have this identified.

Consent…and other lawful issues https://ico.org.uk/for-organisations/guide-to- the-general-data-protection-regulation- gdpr/lawful-basis-for-processing/#ib3

Myth 3 GDPR is an unnecessary burden on organisations • Fact: The new regulations do demand more of organisations in terms of accountability for their use of personal data, and it enhances the existing rights of individuals. • GDPR builds on foundations in place for the last 20 years. We comply with the terms of the Data Protection Act, and has an effective data governance programme in place. • Many of the fundamentals remain the same and have been known about for a long time – fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data we process.

Myth 4 All personal data breaches will need to be reported to the ICO • Fact: It will be mandatory to report a personal data breach under the GDPR IF it’s likely to result in a risk to people’s rights and freedoms. • SCC are drafting a data breach policy and a reporting process to be issued b4 GDPR Day. The DPO, Information Security Manager and SIRO will work with managers to decide.

Myth 5 All details need to be provided as soon as a personal data breach occurs • Fact: If a personal data breach needs to be reported, it needs to happen without delay and, where feasible, not later than 72 hours after having become aware of it. • Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. • The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident.

Myth 6 If you don’t report in time, a fine will always be issued and the fines will be huge • Fact: Fines under the GDPR will be proportionate and not issued in the case of every infringement. • Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR. • “Tell it all, tell it fast, tell the truth,” says Elizabeth Denham.

Myth 7 Data breach reporting is all about punishing organisations • Fact: The new law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities. • The ICO understands that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Myth 8 GDPR compliance is focused on a fixed point in time, like the Y2K Millennium bug • Fact: GDPR compliance will be an ongoing journey and, unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.

What do I need to do? • Understand that Data is a key resource that needs managing • Keep an eye on the Intranet, read 12 steps, Checklist and bulletins. • Understand the lawful basis for collecting and processing personal data IN YOUR AREA • Reassure your teams and make sure you understand your FAQ’s • DON’T PANIC

Me Learning • General Data Protection Regulation (GDPR) - Preparing for Change- aimed at practitioners . • New module now available - Information Governance for GDPR- May 2018 . All staff required to undertake. • If you already have a Me-Learning account visit https://salfordcc.melearning.university/user/login • If you need to create a Me-Learning account visit https://yourzone.salford.gov.uk/learning-zone/e- learning /

Any Questions? • Resources and contacts: � GDPR intranet pages https://yourzone.salford.gov.uk/knowledge- zone/how-we-do-things/general-data-protection- regulation-gdpr/ � Information Governance team infogovernance@salford.gov.uk � Information Governance Lead teresa.webb@salford.gov.uk � City Solicitor/SIRO/Monitoring Officer miranda.carruthers-watt@salford.gov.uk