General Data Protection Regulations
Overview
1. Introduction
2. Definitions
3. 10 Steps
4. Q&A
“[GDPR] lays down rules relating to the protection of natural persons with regard to the processing of personal data and …the free movement of personal data… [The Regulation] protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data…”
Art. 1, GDPR (Subject-matter and objectives)
“Every morning when you put your mobile phone in your pocket, you make an implicit bargain… you make and receive calls (and use a range of other applications); in exchange you are subject to a very intimate form of surveillance…”
“Your mobile phone (and its applications) track where you live and where you work, it tracks where you like to spend your weekends and evenings, it tracks if you go to church (and, if so, which church), it tracks how much time you spend in a bar and whether you speed when you drive. It tracks (since devices are networked) whom you spend your days with, whom you meet for lunch and whom you sleep with…”
Bruce Schneier: ‘Data and Goliath – The Hidden Battles to Collect Your Data’
“The world’s most valuable resource is no longer oil, but data…”
Implementation
- Effective 25 May 2018
- No ‘grace period’
- No transitional provisions
Key principles & definitions
Key Principles

| Principle | Detail |
| --- | --- |
| Accountability | The data controller is responsible for, and must be able to demonstrate, compliance (Article 5(2)) |
| Lawfulness, fairness and transparency | Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 5(1)(a)) |
| Purpose limitation | Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b)) |
| Data minimisation | Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c)) |
| Accuracy | Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay (Article 5(1)(d)) |
| Storage limitation | Personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed (Article 5(1)(e)) |
| Integrity & confidentiality | Personal data must be processed in a manner that, through use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f)) |
Definitions

- 01 Data controller: The natural or legal person which determines the purposes and means of the processing of personal data (Art 4(7))
- 02 Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art 4(8))
- 03 Data subject: The identified or identifiable living individual to whom personal data relates (Art 4(1))
Definitions – personal data

Personal data: information relating to a living individual who can be identified, directly or indirectly, by reference to either: a name, an identification number, location data or an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Risks

| Risk | Detail |
| --- | --- |
| Penalty: top level | Fines of up to €20 million (or 4% of annual turnover) |
| Penalty: lower level | Fines of up to €10 million (or 2% of annual turnover) |
| Individual claims / class actions | See for example: Various Claimants v WM Morrisons Supermarket PLC |
| Litigation | Litigants are likely to use the stricter regime to obtain a tactical advantage |
| Regulators | Ban on processing / suspension of data transfers |
Diagram: the three parties (Data Processor, Data Controller, Data Subject) and the documents that sit with the Data Controller: Data Processing Agreement(s), Privacy Notice(s) and an Overarching Data Policy.
# 1. map and audit data
It’s impossible to know whether you’re compliant if you don’t know:
- What personal data you have
- Where it is stored and where it is sent
- How it is processed
# 2. identify third party processors
You need to be sure that third party processors are compliant, e.g.
- Health insurers
- Pension providers
- Payroll providers
# 3. identify cross border data transfers
- The GDPR imposes restrictions on the transfer of personal data outside the European Union
- Personal data may only be transferred outside of the EU in compliance with Chapter V GDPR
- Creating an inventory will help you identify potential breaches
# 4. don’t rely on consent
Employers wishing to rely on consent must remember:
- Consent must be specific, informed and freely given
- Employees have the right to withdraw consent

So don’t.
What are the lawful bases for processing?

- 01 Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
- 02 Contract: The processing is necessary for a contract, or they have asked you to take specific steps before entering into a contract.
- 03 Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
- 04 Vital interests: The processing is necessary to protect someone’s life.
- 05 Public task: The processing is necessary for you to perform a task in the public interest / your official functions, and the task / function has a basis in law.
- 06 Legitimate interests: The processing is necessary for your legitimate interests, unless protection of personal data overrides those legitimate interests.

Relying on legitimate interests:

- Identify the legitimate interest
- Show how the processing is necessary to achieve it
- Balance it against the individual’s interests
Reasonable belief: Does the worker have a reasonable belief that the information tends to show one of the “relevant failures”?
# 5. implement a GDPR policy
- No specific requirement, but part of showing compliance
- Remember – the privacy notice relates only to the processing of employee, worker or contractor data
- You will need an overarching policy that deals with how you manage data generally. This will cut across functions and therefore is a detailed document
- Monitor compliance
- Keep updated
# 6. implement privacy notices
Data subjects must be informed of their rights, including:

- The right to withdraw consent
- The right to access
- The right to object
- The right to be informed about retention periods
- The right to be forgotten (aka erasure)
- The right to complain to the ICO
# 7. get ready for changes to DSAR
Data subject access requests:

- More awareness will increase the number of requests
- Standard process – who, how, dealing with third party data
- Systems up to the task?
- £10 fee no longer applies
- Time limit is reduced from 40 days to 1 month
- Some flexibility to extend time limits
# 8. manage data breaches
- Duty to report a personal data breach which is likely to harm data subjects to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. A preliminary report can be made and followed up later.
- If the breach means a ‘high risk’ of harm to data subjects you must also inform those individuals without undue delay.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
- Serious incident report?

Examples of data breaches:

- Access by an unauthorised third party
- Sending data to the wrong recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
# 9. conduct training
- You’ll need to raise awareness and understanding – across functions
- Identify a GDPR lead or team
- Induction and appraisals
- Refresher training
# 10. know your regulator(s)
- Principally the ICO
- But what other regulation applies to your organisation? e.g. the Charity Commission
Status and Holiday Pay
- No holiday between 1999-2012
- Dismissed
- Claimed 24 weeks holiday
- Employer had benefited from lack of holiday
- Not relevant employer thought self employed
- Worker can carry over until end of employment
- Only 20 days euro leave
- Fees abolished
- Limitation Regulations won’t help
- Employment status now far more important
Rest Breaks
- 20 minutes every 6 hours
- Unable to take continuous 20 minutes
- Total over 20 minutes
- Employer said H&S
- Length of break critical
- Uninterrupted 20 minutes
Contact details: do not hesitate to ask follow-up questions by email
Paul Seath – Partner
E-mail: p.seath@bwbllp.com
Telephone: 020 7551 7703
Bates Wells Braithwaite, 10 Queen Street Place, London EC4R 1BE