New Data Protection law - Impact on the University LSBU’s compliance roadmap
Roadmap - continuity, change, uncertainty Data Protection Act 1998 GDPR 2016 Agreed Dec 2015 Approved Apr 2016 In force 25 May 2018 Still to be resolved Brexit – Article 50 triggered in March 2017 GDPR – unlikely to be repealed/ - - substantially amended - In Oct 2016 UK Government confirms that GDPR will be binding - Dilution of GDPR principles threatens claim to ‘adequacy’. Is there public appetite for it? - Great Repeal Act ? - GDPR becomes a domestic enactment, subject to - National derogations , exemptions, ICO amendments/repeal by Parliament guidance, codes of conduct, certifications 1
How GDPR will affect LSBU? • Accountability – documentation / evidence • Data Protection Officer – defined duties • Stronger Rights for Individuals • Privacy notices – clear, plain, expanded – Right to be forgotten – Portability • Lawfulness of processing- more restrictive – Profiling application. • Key changes on Access rights – Consent- Alumni, marketing, legacy data – Timing – one month; prohibition on charging – Legitimate interest – no longer for public authorities – Includes information about international transfers, logic of – Performance of contract – must be necessary auto-decision making – Legal obligations (e.g. HESA, HEFCE) • Liability and compensation – Public interest – may cover limited data sharing e.g. – Data subject can make claims to controller or processor voluntary cooperation with police investigation – Could pursue whichever has ‘deeper pockets’ – Vital interests – Compensation for financial and non financial loss • Privacy by design / Impact Assessments – Processor can avoid liability if it has complied with its Data minimisation – limited to what is necessary (‘not • GDPR obligations and controller instructions – excessive’ removed), built into the concept of privacy by design If both controller and processor responsible for damage- jointly liable; can seek to recover from each other • • Data Security / Data breaches New obligations on controllers AND – processors Mandatory breach reporting within 72hr unless unlikely to result in risk to individuals; notification to individuals – Controller must impose specific duties on processors in when likely to result in high risk contracts and be clearer about processing (info similar – Anonymisation and pseudonymisation to that included within EU Model Clause Appendix) • Penalties- € 10/20MM, no reduced scale for public – Care required in determining whether processor or controller – joint liability risk authorities 2
Why LSBU needs to act Risk of non-compliance Business implications – our bottom line - - Reputational risk, brand damage Regulatory risk - € 10/ 20MM fines - - Criminal liability - Litigation risk Our business is students Employability - Student records system, HR system, Student experience MIO, Learner analytics Teaching and learning - Wellbeing (DDS, Student life centre, Research and Enterprise Prevent) Personal Access - Placements and apprenticeships Data Internationalisation features - International collaboration Resources and infrastructure People and organisation - Marketing, Fundraising, Alumni - REI, Code of ethics / approvals - Social Media, Cloud computing, Big data 3
Where do we start? Factors influencing GDPR programme LSBU Culture Risk Budget attitude GDPR Programme 4
Mind the gap! Is the journey longer than we thought? First Data Protection PWC, Conference of National Association of Data Protection Officers, Nov 2016 1995 Directive Actual gap UK Data Protection 1998 Act Risks of non- E-Privacy compliance 2002 Directive - Reputational EC’s Expected gap risk proposal to 2012 reform EU - Regulatory risk DP rules - Litigation risk GDPR Start line 2016 GDPR, in force May Goal 2018 2018 5
GDPR compliance roadmap Data Protection requires a collaborative effort Stage 1- Planning Stage 2- Delivery • Compliance function • Project managed Stage 3- Review • Design and planning compliance programme • Training • Gap analysis • Privacy structure/mapping • Support materials • • Report to Audit Committee Privacy notices and • Internal and external consents • Agree priorities, actions and implementation • deadlines Privacy Impact • Regular review Assessment • Ongoing audits and • Policies adjustments • Template contracts & contract reviews Awareness Best practice Culture Behaviour May 18 Sept 17 Dec 17 May 17 6
Planning Awareness - modified mandatory DP training, awareness raising sessions, mandatory April 16- Data Protection induction to new employees Compliance function - current function, resource, responsibility, accountability • Data Protection Officer – role to be confirmed • June 17- Compliance board : Governance & Legal, HR, Finance, Admission, Marketing, Recruitment, Academic Resources (IT and Library), 7 Schools (Deans + Exec Admin), International, Student Support & Employment, REI, Teaching Quality. Chair : LSBU Secretary and Clerk to the Board • June 17- DP Leads across Professional Services and Schools • Board considerations- risk register, due diligence and oversight June 17- Gap analysis June 17- Report on options and recommendations to Executives and Audit Committee June- 17 June-July 17 Agree on priorities, actions and deadlines 7
Delivery Data mapping – tools? July 17-May 18 Who : are the categories of individuals impacted What : details we collect and process Why : do we use and collect their details Where : are those details stored and used How : are they used and secured When : will we stop using or delete the details June 17-May 18 Legal basis for processing while data mapping Privacy notices – updated, layered and just in time approach June 17-May 18 Consent forms – updated both for paper and electronically June17-May 18 Transfers outside EEA- process and contracts Jan 17- Nov 16- May 18 Privacy by design, PIA- PIA embedded into all IT projects, PIA integrated into ethical reviews June 17 -May 18 Review of policies and procedures: SAR, Data Breach, New rights June 17- Register of joint data controllers and processors; Contract templates Updated training Jan 18- 8
Collaboration Policy / Process / Assurance Legal / Compliance Governance Marketing, Recruitment Information Rights Admissions, PR and Comms Breach management Privacy notices Certification Finance Consent Data transfers Contracts Academic Related Resources Privacy by design PIA Record keeping Student Support & Employment Retention Training and Research, Enterprise, Innovation awareness Human Resources Estates Information Security/ Systems Teaching Quality & Enhancement Seven Schools 9
Recommend
More recommend
