Ian Bernhardt Head of Governance & Compliance GDPR: The Journey - - PowerPoint PPT Presentation



SLIDE 1

Data Protection. IT issues and Solutions

Ian Bernhardt

Head of Governance & Compliance

SLIDE 2
SLIDE 3

GDPR: The Journey Today

SLIDE 4

Privacy Notice

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How long will you keep it?

SLIDE 5

Data Subject rights

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

SLIDE 6

Accountability

  • Privacy Impact Assessments must be carried out when specific risks occur to the rights and freedoms of data subjects
  • Risk assessment and Accountability is one of the data protection principles, and says that you must be able to demonstrate your compliance.
  • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
  • Notices to the public must include retention time for personal data and contact information for data controller or data protection officer

SLIDE 7

Accountability

  • There are a number of measures that you can, and in some cases must, take including:
      – adopting and implementing data protection policies
      – data protection by design and default
      – putting written contracts in place
      – maintaining documentation of your processing activities
      – implementing appropriate security measures
      – recording and, where necessary, reporting personal data breaches
      – carrying out data protection impact assessments

SLIDE 8

Security of Personal Data

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

SLIDE 9

Personal Devices

  • Any device that holds personal data should have encryption
  • Create separate accounts for family members to prevent data breaches and non-compliance with GDPR
  • Backups should be encrypted and stored securely
  • Cloud storage can be used but you have to ensure you complete a DPIA

SLIDE 10

Data Protection Act 2018

  • Comes into force in January 2019
  • Includes parts of the old DPA 2016
  • Exemptions
  • GDPR still applies (even after Brexit)
SLIDE 11

EXEMPTIONS

SLIDE 12

List of Exemptions

  • Crime and Taxation
  • Required by law or in connection with legal proceedings
  • Legal professional privilege
  • Self incrimination
  • Disclosure prohibited or restricted by enactment
  • Immigration
  • Function designed to protect the public
  • Audit functions
  • Bank of England functions
  • Regulatory functions relating to legal services, the health and children’s services
  • Parliamentary privilege
  • Judicial appointments, independence and proceedings
  • Crown honours, dignities and appointments
  • Journalism, academia, art and literature
  • Research and statistics
  • Health data – processed by a court
  • Social work data – processed by a court
SLIDE 13

Required by Law

Information required to be disclosed by law or in connection with legal proceedings: The first part can apply if you are required by law to make personal data available to the public. It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated decision-making;
  • the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;

  • the purpose limitation principle;

But the exemption only applies to the extent that complying with these provisions would prevent you meeting your legal obligation to make personal data publicly available.

SLIDE 14

Required by Law

The second part of this exemption can apply if you are required by law, or court order, to disclose personal data to a third party. It exempts you from the same provisions as part 1, but only to the extent that complying with those provisions would prevent you disclosing the personal data.

SLIDE 15

Required by Law

The third part of this exemption can apply if it is necessary for you to disclose personal data for the purposes of, or in connection with:

  • legal proceedings, including prospective legal proceedings;
  • obtaining legal advice; or
  • establishing, exercising or defending legal rights.

It exempts you from the same provisions as parts 1 and 2, but only to the extent that complying with them would prevent you disclosing the personal data. If complying with these provisions would not prevent the disclosure, you cannot rely on the exemption.

SLIDE 16

Legal Professional Privilege

This exemption applies if you process personal data:

  • to which a claim to legal professional privilege could be maintained in legal proceedings; or
  • in respect of which a duty of confidentiality is owed by a professional legal adviser to his client.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

SLIDE 17

Be prepared

  • Ensure you have the right processes and procedures in place

  • Review your privacy notice
  • Plan your communications to clients
  • Read the data protection law handbook
  • Delete old data
  • Secure personal devices
SLIDE 18

www.sproutit.co.uk +44 (0) 207 036 8530 support@sproutit.co.uk

Thank you. Any questions?