New Data Protection law - Impact on the University: LSBU’s compliance roadmap



SLIDE 1

New Data Protection law - Impact on the University

LSBU’s compliance roadmap

SLIDE 2

Roadmap - continuity, change, uncertainty

From the Data Protection Act 1998 to GDPR 2016 – agreed Dec 2015, approved Apr 2016, in force 25 May 2018

Still to be resolved

  • Brexit – Article 50 triggered in March 2017
  • In Oct 2016 UK Government confirms that GDPR will be binding
  • Great Repeal Act? - GDPR becomes a domestic enactment, subject to amendments/repeal by Parliament
  • GDPR – unlikely to be repealed/substantially amended
  • Dilution of GDPR principles threatens claim to ‘adequacy’. Is there public appetite for it?
  • National derogations, exemptions, ICO guidance, codes of conduct, certifications


SLIDE 3

How will GDPR affect LSBU?

  • Accountability – documentation / evidence
  • Stronger rights for individuals
    – Right to be forgotten
    – Portability
    – Profiling
  • Key changes on access rights
    – Timing – one month; prohibition on charging
    – Includes information about international transfers and the logic of automated decision making
  • Liability and compensation
    – Data subject can make claims to controller or processor
    – Could pursue whichever has ‘deeper pockets’
    – Compensation for financial and non-financial loss
    – Processor can avoid liability if it has complied with its GDPR obligations and controller instructions
    – If both controller and processor are responsible for damage – jointly liable; can seek to recover from each other
  • Data security / data breaches
    – Mandatory breach reporting within 72 hours unless unlikely to result in risk to individuals; notification to individuals when likely to result in high risk
    – Anonymisation and pseudonymisation
  • Penalties – €10/20MM, no reduced scale for public authorities
  • Data Protection Officer – defined duties
  • Privacy notices – clear, plain, expanded
  • Lawfulness of processing – more restrictive application
    – Consent – alumni, marketing, legacy data
    – Legitimate interest – no longer available to public authorities
    – Performance of contract – must be necessary
    – Legal obligations (e.g. HESA, HEFCE)
    – Public interest – may cover limited data sharing, e.g. voluntary cooperation with a police investigation
    – Vital interests
  • Privacy by design / impact assessments
  • Data minimisation – limited to what is necessary (‘not excessive’ removed), built into the concept of privacy by design
  • New obligations on controllers AND processors
    – Controller must impose specific duties on processors in contracts and be clearer about processing (info similar to that included within the EU Model Clause Appendix)
    – Care required in determining whether processor or controller – joint liability risk


SLIDE 4

Why LSBU needs to act

Risk of non-compliance

  • Business implications – our bottom line
  • Regulatory risk - €10/ 20MM fines
  • Litigation risk
  • Reputational risk, brand damage
  • Criminal liability


Our business is students

  • Employability
  • Student experience
  • Teaching and learning
  • Research and Enterprise
  • Access
  • Internationalisation
  • Resources and infrastructure
  • People and organisation

Personal data features

  • Student records system, HR system, MIO, learner analytics
  • Wellbeing (DDS, Student Life Centre, Prevent)
  • Placements and apprenticeships
  • International collaboration
  • Marketing, fundraising, alumni
  • REI, code of ethics / approvals
  • Social media, cloud computing, big data

SLIDE 5

Where do we start?

GDPR Programme

Factors influencing the GDPR programme at LSBU: risk attitude, culture, budget

SLIDE 6

Mind the gap!

  • 1995 – First Data Protection Directive
  • 1998 – UK Data Protection Act
  • 2002 – E-Privacy Directive
  • 2012 – EC’s proposal to reform EU DP rules
  • 2016 – GDPR, in force May 2018

Chart: from the GDPR start line to the 2018 goal, expected gap versus actual gap – is the journey longer than we thought?

Risks of non-compliance

  • Reputational risk
  • Regulatory risk
  • Litigation risk

PWC, Conference of National Association of Data Protection Officers, Nov 2016


SLIDE 7

GDPR compliance roadmap

Data Protection requires a collaborative effort

  • Compliance function
  • Design and planning
  • Gap analysis
  • Report to Audit Committee
  • Agree priorities, actions and deadlines
  • Project managed compliance programme
  • Privacy structure/mapping
  • Privacy notices and consents
  • Privacy Impact Assessment
  • Policies
  • Template contracts & contract reviews
  • Training
  • Support materials
  • Internal and external implementation
  • Regular review
  • Ongoing audits and adjustments

Stage 1 – Planning; Stage 2 – Delivery; Stage 3 – Review

Culture / Behaviour; Awareness / Best practice

Timeline: May 17, Sept 17, Dec 17, May 18

SLIDE 8

Planning

  • Awareness – modified mandatory DP training, awareness raising sessions, mandatory Data Protection induction for new employees (April 16-)
  • Compliance function – current function, resource, responsibility, accountability
    – Data Protection Officer – role to be confirmed
    – Compliance board: Governance & Legal, HR, Finance, Admission, Marketing, Recruitment, Academic Resources (IT and Library), 7 Schools (Deans + Exec Admin), International, Student Support & Employment, REI, Teaching Quality. Chair: LSBU Secretary and Clerk to the Board (June 17-)
    – DP leads across Professional Services and Schools (June 17-)
    – Board considerations – risk register, due diligence and oversight (June 17-)
  • Gap analysis (June 17-)
  • Report on options and recommendations to Executives and Audit Committee (June 17)
  • Agree on priorities, actions and deadlines (June-July 17)

SLIDE 9

Delivery

  • Data mapping – tools? (July 17-May 18)
    – Who: are the categories of individuals impacted
    – What: details we collect and process
    – Why: do we use and collect their details
    – Where: are those details stored and used
    – How: are they used and secured
    – When: will we stop using or delete the details
  • Legal basis for processing, established while data mapping (June 17-May 18)
  • Privacy notices – updated, layered and just-in-time approach (June 17-May 18)
  • Consent forms – updated for both paper and electronic use (June 17-May 18)
  • Transfers outside the EEA – process and contracts (Jan 17-)
  • Privacy by design, PIA – PIA embedded into all IT projects, PIA integrated into ethical reviews (Nov 16-May 18)
  • Review of policies and procedures: SAR, data breach, new rights (June 17-May 18)
  • Register of joint data controllers and processors; contract templates (June 17-)
  • Updated training (Jan 18-)

SLIDE 10

Collaboration

Topics

  • Legal / Compliance
  • Information rights
  • Privacy notices
  • Consent
  • Contracts
  • PIA
  • Retention
  • Information Security / Systems
  • Policy / Process / Assurance
  • Governance
  • Breach management
  • Certification
  • Data transfers
  • Privacy by design
  • Record keeping
  • Training and awareness

Departments

  • Marketing, Recruitment, Admissions, PR and Comms
  • Finance
  • Human Resources
  • Student Support & Employment
  • Research, Enterprise, Innovation
  • Seven Schools
  • Academic Related Resources
  • Estates
  • Teaching Quality & Enhancement