General Data Protection Regulations
Overview Introduction (1) (2) Definitions (3) 10 Steps (4) Q&A
“ [GDPR] lays down rules relating to the protection of natural persons with regard to the processing of personal data and … the free movement of personal data … [The Regulation] protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data … ” Art.1, GDPR (Subject-matter and objectives)
“ Every morning when you put your mobile phone in your pocket, you make an implicit bargain… you make and receive calls (and use a range of other applications); in exchange you are subject to a very intimate form of surveillance … ”
“ Your mobile phone (and its applications) track where you live and where you work, it tracks where you like to spend your weekends and evenings, it tracks if you go to church (and, if so, which church), it tracks how much time you spend in a bar and whether you speed when you drive. It tracks (since devices are networked) whom you spend your days with, whom you meet for lunch and whom you sleep with… ” Bruce Schneier : ‘Data and Goliath – The Hidden Battles to Collect Your Data ’
“The world’s most valuable resource is no longer oil, but data…”
Implementation Effective 25 May 2018 No ‘grace period’ No transitional provisions
Key principles & definitions
Key Principles Principle Detail Accountability The data controller is responsible for, and must be able to demonstrate, compliance (Article 5(2)) Lawfulness, fairness and Personal data must be processed lawfully, fairly and in a transparency transparent manner in relation to the data subject (Article 5(1)(a)) Purpose limitation Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b)) Data minimisation Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c))
Key Principles (Cont.) Principle Detail Accuracy Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay ( Article 5(1)(d) ) Storage limitation Personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed (Article 5(1)(e)) Integrity & Personal data must be processed in a manner that, through use Confidentiality of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f))
Definitions 01 02 03 The natural or legal A natural or legal The data subject is person which, person, public the identified or determines the authority, agency or identifiable living purposes and means other body which individual to whom of the processing of processes personal personal data relates personal data data on behalf of the ( Art 4 (1) ) ( Art 4 (7) ) controller ( Art 4 (8) ) Data controller Data processor Data Subject
Definitions – personal data Personal data: A living individual who can be identified, directly or indirectly, by reference to either: name, an identification number, location data or an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Risks Risk Detail Fines of up to € 20 million (or 4% of annual turnover) Penalty: top level Fines of up to €10 million (or 2% of annual turnover) Penalty: lower level Individual claims / class See for example: Various Claimants v WM Morrisons actions Supermarket PLC Litigation Litigants are likely to use the stricter regime to obtain a tactical advantage Regulators Ban on processing / suspension of data transfers
Overarching Data Policy Data Processor Data Processing Agreement(s) Data Data Controller Controller Data Privacy Notice(s) Subject
# 1. map and audit data
It’s impossible to know whether you’re compliant if you don’t know: What personal data you have Where it is stored and where it is sent How it is processed
# 2. identify third party processors
You need to be sure that third party processors are compliant, e.g. Health insurers Pension providers Payroll providers
# 3. identify cross border data transfers
Cross border data transfers The GDPR imposes restrictions on the transfer of personal data outside the European Union Personal data may only be transferred outside of the EU in compliance with Chapter V GDPR Creating an inventory will help you identify potential breaches
# 4. don’t rely on consent
Employers wishing to rely on consent must remember: Consent must be specific, informed and freely given Employees have the right to withdraw consent So don’t
What are the lawful bases for processing? 01 02 03 The processing is The processing is The individual has necessary for a necessary for you to given clear consent contract, or they comply with the law for you to process have asked you to (not including their personal data take specific steps contractual for a specific before entering into a obligations). purpose. contract Consent Contract Legal obligation
What are the lawful bases for processing? 04 05 06 The processing is The processing is The processing is necessary for you to necessary to protect necessary for your perform a task in the someone’s life. legitimate interests - public interest /your unless protection of official functions, and personal data the task / function overrides those has a basis in law. legitimate interests. Legitimate Vital interests Public task interests
What are the lawful bases for processing? 06 Identify the legitimate interest The processing is necessary for your Show how the processing is necessary to achieve it legitimate interests - unless protection of personal data overrides those legitimate interests. Balance it against the individual’s interests Legitimate interests
# 5. implement a GDPR policy No specific requirement But part of showing compliance Reasonable belief Remember – the privacy notice relates to the Does the worker have a reasonable belief that the information tends to show processing of employee, worker or contractor one of the “relevant failures”?
Implement a GDPR Policy Monitor compliance Keep updated You will need an overarching policy that deals with how you manage data generally. This will cut across functions and therefore is a detailed document
# 6. implement privacy noticies
Data subjects must be informed of their rights, including: The right to withdraw consent The right to access The right to object
Data subjects must be informed of their rights, including: The right to be informed about retention periods The right to be forgotten (aka erasure) The right to complain to the ICO
# 7. get ready for changes to DSAR
Data subject access requests: More awareness will increase one Standard process – who, how, dealing with third party data Systems up to the task?
Data subject access requests: £10 fee no longer applies Time limit is reduced from 40 days to 1 month Some flexibility to extend time limits
# 8. manage data breaches
Data breaches You must also keep a record of any personal data breaches, regardless of whether you are required to notify Duty to report personal data breach which are likely to harm data subject to the relevant supervisory authority without undue delay, or where feasible within 72 hours of awareness. Can make preliminary report and then follow-up. If the breach means ‘high risk’ of harm to data subject you must also inform those individuals without undue delay. Serious incident report?
Examples of data breaches access by an unauthorised third party sending data to the wrong recipient computing devices containing personal data being lost or stolen
Examples of data breaches alteration of personal data without permission loss of availability of personal data
# 9. conduct training
Conduct training You’ll need to raise awareness and understanding – across functions Identify a GDPR lead or team Induction and appraisals Refresher training
# 10. know your regulator(s)
Know your regulator(s) Principally the ICO But what other regulation applies to your organisation? Charity Commission
Status and Holiday Pay
• No holiday between 1999-2012 • Dismissed • Claimed 24 weeks holiday • Employer had benefited from lack of holiday • Not relevant employer thought self employed
• Worker can carry over until end of employment • Only 20 days euro leave • Fees abolished • Limitation Regulations won’t help • Employment status now far more important
Rest Breaks
Recommend
More recommend
