Raising Awareness of the General Data Protection Regulations - PowerPoint PPT Presentation


Raising Awareness of the General Data Protection Regulations (GDPR) Workshop aims are to: Provide an introduction to the GDPR Explore how the GDPR will impact on Early Years settings Highlight resources available to support Early


slide-1
SLIDE 1

Raising Awareness of the General Data Protection Regulations (GDPR)

slide-2
SLIDE 2

Workshop aims are to:

  • Provide an introduction to the GDPR
  • Explore how the GDPR will impact on Early Years settings
  • Highlight resources available to support Early Years settings to prepare for the GDPR
  • Discuss strategies for ensuring your Early Years setting is compliant

slide-3
SLIDE 3

GDPR Quiz

www.images.google.com

slide-4
SLIDE 4

GDPR quiz - are you prepared for the changes: https://virtual-college.typeform.com/to/YHmCIO

slide-24
SLIDE 24

What is the GDPR?

  • GDPR is the 'General Data Protection Regulation' - a change in law that will be coming into force from 25th May 2018 (regardless of Brexit)
  • EU legislation - extension of the Data Protection Act 1998
  • Implemented within Data Protection (DP) Bill
  • About Capture, Storage, Processing, Transport, Security and Removal of personal data

slide-25
SLIDE 25

GDPR - What are the main changes?

  • Increased accountability in processing of personal data and demonstrating compliance.
  • Changes to what personal data covers.
  • Changes to time frames for Subject Access Requests
  • Extended rights to individuals.
  • New rights for 13 year olds.
  • The six lawful bases for processing personal data.

slide-26
SLIDE 26

The Information Commissioner's Office (ICO)

  • The UK’s independent body to uphold information rights.
  • Enforce and regulate freedom of information and data protection laws.
  • Provide information and advice.

  • Promote good practice.
slide-27
SLIDE 27

Minimise the risk

  • Assess the risk – what personal data do you process, and how?

  • Policies
  • Responsibilities
  • Training and awareness
slide-28
SLIDE 28

Where to start using ICO support

  • Data Protection Self-assessment tool
  • ICO Good Practice Guidance/Data Sharing Checklist
  • Information Asset Audit
  • What data do we process?
  • For what purposes?
  • What legal basis do we use?
  • Who do we share data with?
slide-29
SLIDE 29

GDPR principles

GDPR will condense the Data Protection Principles into six areas, which are referred to as the Privacy Principles.

They are:

  • 1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
  • 2. You must only use the data for the reason it is initially obtained.
  • 3. You must not collect any more data than is necessary.
  • 4. It has to be accurate and there must be mechanisms in place to keep it up to date.

  • 5. You cannot keep it any longer than needed.
  • 6. You must protect the personal data.
slide-30
SLIDE 30

These privacy principles are supported by a further principle – accountability.

  • This means that your setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.
  • There is also an expectation that staff will be trained on data protection. Documentation on policies, procedures and training is going to be a key part of any effective compliance programme.

slide-31
SLIDE 31

Roles and Responsibilities

Data Protection Officers (DPO)

  • assist to monitor internal compliance, inform and advise on your data protection obligations,
  • act as a contact point for data subjects and the supervisory authority.
  • must be independent, an expert in data protection, adequately resourced, and report to the highest management level. However, can be an existing employee or externally appointed.
  • In some cases several organisations can appoint a single DPO between them.
  • can help you demonstrate compliance and are part of the enhanced focus on accountability.

slide-32
SLIDE 32

Roles and Responsibilities Cont....

Data Controller

  • is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed

Data Processor

  • in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. “Processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data

slide-33
SLIDE 33
slide-34
SLIDE 34

Personal data

…data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

slide-35
SLIDE 35

The Data Protection Act 1998

slide-36
SLIDE 36

The six Principles of GDPR

1. Lawfully, fairly and transparently

  • Grounds, section 6 & 9
  • Fair processing notice or privacy notice
  • Being clear

2. Specific, explicit and legitimate purpose

  • Why?
  • What is the purpose?
  • Data mapping

3. Adequate, relevant and limited to what is necessary

  • Data minimisation

4. Accurate and, where necessary, kept up to date

  • Reasonable steps taken

5. For as long as is necessary for the purpose

6. Appropriate technical and organisational measures

  • Security measures

slide-37
SLIDE 37

Privacy notice

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?

ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

slide-38
SLIDE 38

Data Breach

Breach notification

  • You will be obligated to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach.

Fines

  • One of the key drivers of compliance is that organisations can be fined significant amounts if they are not. However, you should focus on the benefits of ensuring you are handling your data properly.

slide-39
SLIDE 39

How will this impact on your Early Years setting?

  • Early Years settings will need to assess their use of data and look at how they gather, hold, and share any personally identifiable information, which includes anything that can be used to identify a specific person.
  • This will include introducing a new policy, informing parents of the changes, informing parents how you use their data and taking steps within your setting to make sure all data and information is secure.

slide-40
SLIDE 40

Information Asset Audit

  • What data do we process?
  • For what purposes?
  • What legal basis do we use?
  • Who do we share data with?

www.images.google.com

slide-41
SLIDE 41

Start by…..

  • Create a gap analysis
  • Document an action plan and start checklist
  • Update the setting's Data Protection policy and consider other policies and procedures that may need to be updated
  • Arrange for staff training/awareness

slide-42
SLIDE 42

What next....

  • Appointing a data protection officer — For most settings, appointing an individual who takes the lead on data compliance will be enough, although larger early years provider chains may need to appoint a Data Protection Officer (DPO).
  • Privacy notices — When you collect any data you must tell people exactly how you are going to use it, who you might share it with, how long you will keep it as well as information on consent and complaint.
  • Individual rights — People will have new and enhanced rights on the collection, access and deletion of their data so you must ensure your setting has mechanisms to allow individuals to exercise these rights.

slide-43
SLIDE 43

  • Consent — GDPR will require early years providers to have a legitimate reason for processing any personal data. Where you rely on consent for processing data you must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will no longer suffice. People will have to actively opt-in.
  • Data agreements — Early years providers will now be obliged to have written arrangements with anybody processing data for them. Providers must make sure that anyone processing data will meet GDPR requirements.

https://ico.org.uk/for-organisations/data-protection-reform/

slide-44
SLIDE 44

Guidance for the education sector

ico.org.uk/for-organisations/education/

slide-45
SLIDE 45

When the welfare of a child is at risk it’s important to continue to share information