Data Protection. IT issues and Solutions Ian Bernhardt Head of Governance & Compliance
GDPR: The Journey Today
Privacy Notice v What information is being collected? v Who is collecting it? v How is it collected? v Why is it being collected? v How will it be used? v Who will it be shared with? v How long you will keep it?
Data Subject rights The GDPR provides the following rights for individuals: • The right to be informed • The right of access • The right to rectification • The right to erasure • The right to restrict processing • The right to data portability • The right to object • Rights in relation to automated decision making and profiling.
Accountability • Privacy Impact Assessments must be carried out when specific risks occur to the rights and freedoms of data subjects • Risk assessment and Accountability is one of the data protection principles - and says that you must be able to demonstrate your compliance. • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability. • Notices to the public must include retention time for personal data and contact information for data controller or data protection officer
Accountability • There are a number of measures that you can, and in some cases must, take including: – adopting and implementing data protection policies – data protection by design and default – putting written contracts in place – maintaining documentation of your processing activities – implementing appropriate security measures – recording and, where necessary, reporting personal data breaches – carrying out data protection impact assessments
Security of Personal Data Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal Devices • Any device that holds personal data should have encryption • Create separate accounts for family members to prevent data breaches and non-compliance with GDPR • Backups should be encrypted and stored securely • Cloud storage can be used but you have to ensure you complete a DPIA
Data Protection Act 2018 • Comes into force in January 2019 • Includes parts of the old DPA 2016 • Exemptions • GDPR still applies (even after Brexit)
EXEMPTIONS
List of Exemptions Crime and Taxation • Required by law or in connection with legal proceedings • Legal professional privilege • Self incrimination • Disclosure prohibited or restricted by enactment • Immigration • Function designed to protect the public • Audit functions • Bank of England functions • Regulatory functions relating to legal services, the health and children’s services • Parliamentary privilege • Judicial appointments, independence and proceedings • Crown honours, dignities and appointments • Journalism, academia, art and literature • Research and statistics • Health data – processed by a court • Social work data – processed by a court •
Required by Law Information required to be disclosed by law or in connection with legal proceedings: The first part can apply if you are required by law to make personal data available to the public. It exempts you from the GDPR’s provisions on: • the right to be informed; • all the other individual rights, except rights related to automated decision-making • the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful; • the purpose limitation principle; But the exemption only applies to the extent that complying with these provisions would prevent you meeting your legal obligation to make personal data publicly available.
Required by Law The second part of this exemption can apply if you are required by law, or court order, to disclose personal data to a third party. It exempts you from the same provisions as part 1, but only to the extent that complying with those provisions would prevent you disclosing the personal data.
Required by Law The third part of this exemption can apply if it is necessary for you to disclose personal data for the purposes of, or in connection with: • legal proceedings, including prospective legal proceedings; • obtaining legal advice; or • establishing, exercising or defending legal rights. It exempts you from the same provisions as part 1 and 2 but only to the extent that complying with them would prevent you disclosing the personal data. If complying with these provisions would not prevent the disclosure, you cannot rely on the exemption.
Legal Professional Privilege This exemption applies if you process personal data: • to which a claim to legal professional privilege could be maintained in legal proceedings; or • in respect of which a duty of confidentiality is owed by a professional legal adviser to his client. It exempts you from the GDPR’s provisions on: • the right to be informed; • the right of access; and • all the principles, but only so far as they relate to the right to be informed and the right of access.
Be prepared • Ensure you have the right processes and procedures in place • Review your privacy notice • Plan your communications to clients • Read the data protection law handbook • Delete old data • Secure personal devices
Thank you. Any questions? www.sproutit.co.uk +44 (0) 207 036 8530 support@sproutit.co.uk
Recommend
More recommend
