GDPR Webinar 4: Data Protection Impact Assessments

Size: px
Start display at page:

Download "GDPR Webinar 4: Data Protection Impact Assessments"

Transcription

1 Webinar 4: Data Protection Impact Assessments T-Minus 365 Days (May 25, 2017) Presenters: Peter Blenkinsop Hilary Wandall General Counsel & Chief Data Governance Officer, TRUSTe

2 May 25, 2017 May 25, We re One Year Away! Drinker Biddle Reath LLP 2

3 Overview Written DPIAs required whenever processing sensitive data and whenever automated processing results in decisions having legal effect. DPIA may evaluate an entire category of processing operations if they are sufficiently similar. DPIA must identify specific risks and describe privacy and security measures implemented to mitigate them. Mandatory consultation with data protection authority where processing poses high level of risk to data subjects that cannot be adequately mitigated. Drinker Biddle Reath LLP 3

4 What Is a DPIA? DPIA is a process to describe the processing of personal data, assess the associated privacy and security risks, and identify risk mitigation measures. Under the, DPIA must be documented in writing so as to demonstrate compliance with data protection requirements. Drinker Biddle Reath LLP 4

5 When Is a DPIA Required? (I) DPIA is required when the processing is likely to result in a high risk to data subjects. This includes (but is not limited to): Automated processing, including profiling, on which decisions are based that produce legal effects concerning the data subject or which similarly significantly impact the data subject. This includes, in particular, analyzing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles. Drinker Biddle Reath LLP 5

6 When Is a DPIA Required? (II) Processing on a large scale of sensitive categories of personal data. Sensitive categories include personal data which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, health data, data concerning sex life, and data concerning criminal convictions or offenses,. Systematic monitoring of a publicly accessible area on a large scale. Drinker Biddle Reath LLP 6

7 When Is a DPIA Required? (III) Article 29 Working Party draft guidance lists additional situations in which a DPIA may be required: Matching or combining datasets Processing of data concerning vulnerable data subjects, including whenever there is a power imbalance between controller and data subject (e.g., employees, children) Data transfers across borders outside the EU Deployment of new technology When data is processed on a large scale Any systematic monitoring of data subjects Any evaluation or scoring of data subjects where systematic or extensive Drinker Biddle Reath LLP 7

8 When Is a DPIA Required? (IV) Data protection authorities in each member state are required to publish lists of kinds of data processing operations (non-exclusive) for which DPIAs are required, as well as kinds of data processing for which DPIAs are not required. Exception to DPIA requirement is provided where processing is for performance of a task in the public interest or for compliance with a legal requirement, and such law regulates the specific processing. Single DPIA can be used to assess multiple processing operations that are similar in terms of risks presented, provided consideration is given to specific nature, scope, context, and purpose of processing. DPIA is required only for processing operations initiated on or after May 25,. But, significant change to processing operations after May 25,, can trigger requirement, even if processing originally initiated before then. Article 29 Working Party recommends that DPIAs are re-assessed every three years for ongoing or continuous processing activities. Drinker Biddle Reath LLP 8

9 Who Is Required to Conduct DPIA? Data controller is obliged to conduct the DPIA. If there are joint controllers, the respective obligations of each party should be precisely defined in advance. Controller must seek the input of the data protection officer, where DPO designated. Where data processing is conducted by a processor, processor should provide information and assistance. If controller is purchasing a new technology product, controller is obliged to carry out DPIA for its own deployment, but such DPIA would typically be informed by DPIA prepared by product provider. Drinker Biddle Reath LLP 9

10 Data Subject Input Where appropriate, controllers must seek the views of data subjects or their representatives on the intended processing. Article 29 Working Party suggests that documentation must be kept of this consultation or why it was determined unnecessary. Drinker Biddle Reath LLP 10

11 Examples of EU DPIA Frameworks Germany: Standard Data Protection Model, V.1.0 Trial version, Spain: Guía para una Evaluación de Impacto en la Protección de Datos Personales (EIPD), Agencia española de protección de datos (AGPD), mon/guias/guia_eipd.pdf France: Privacy Impact Assessment (PIA), Commission nationale de l informatique et des libertés (CNIL), UK: Conducting privacy impact assessments code of practice, Information Commissioner s Office (ICO), Drinker Biddle Reath LLP 11

12 Issues to Address in DPIA From ICO PIA Code of Practice Annex 3 Questions designed to ensure compliance with the privacy principles Lawfulness, fairness and transparency Purpose limitation Data minimization (Collection limitation) Accuracy Storage limitation (Retention) Data subject rights Security safeguards Drinker Biddle Reath LLP 12

13 Lawfulness, Fairness, Transparency From UK Code of Practice, Annex 3 Have you identified the purpose of the project? How will individuals be told about the use of their personal data? Do you need to amend your privacy notices? Have you established which conditions for processing apply? If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn? Drinker Biddle Reath LLP 13

14 Purpose Limitation From UK Code of Practice, Annex 3 Does your project plan cover all of the purposes for processing personal data? Have potential new purposes been identified as the scope of the project expands? Drinker Biddle Reath LLP 14

15 Data Minimization From UK Code of Practice, Annex 3 Is the information you are using of good enough quality for the purposes it is used for? Which personal data could you not use, without compromising the needs of the project? Drinker Biddle Reath LLP 15

16 Accuracy From UK Code of Practice, Annex 3 If you are procuring new software does it allow you to amend data when necessary? How are you ensuring that personal data obtained from individuals or other organisations is accurate? Drinker Biddle Reath LLP 16

17 Storage Limitation From UK Code of Practice, Annex 3 What retention periods are suitable for the personal data you will be processing? Are you procuring software which will allow you to delete information in line with your retention periods? Drinker Biddle Reath LLP 17

18 Data Subjects Rights From UK Code of Practice, Annex 3 Will the systems you are putting in place allow you to respond to subject access requests more easily? If the project involves marketing, have you got a procedure for individuals to opt out of their information being used for that purpose? Drinker Biddle Reath LLP 18

19 Security Safeguards From UK Code of Practice, Annex 3 Do any new systems provide protection against the security risks you have identified? What training and instructions are necessary to ensure that staff know how to operate a new system securely? Drinker Biddle Reath LLP 19

20 How to Assess Risks From CNIL PIA Methodology Severity + Likelihood = Risk Level Severity represents the magnitude of a risk. It essentially depends on the prejudicial effect of the potential impacts Likelihood represents the possibility for a risk to occur. It essentially depends on the level of vulnerabilities of the supporting assets facing threats and the level of capabilities of the risk sources to exploit them. Drinker Biddle Reath LLP 20

21 Presentation of DPIA Report From CNIL PIA Methodology Body of the PIA Define and describe the personal data concerned, their recipients and retention periods. Identify the data controller and the processors. Describe the processing(s) of personal data under consideration, its(their) purposes and stakes. Describe the personal data life cycle (from collection to erasure). Drinker Biddle Reath LLP 21

22 Presentation of DPIA Report List of legal controls Identify or determine the controls (existing or planned) selected to comply with the following legal requirements (it is necessary to explain how it is intended to implement them): purpose: specified, explicit and legitimate purpose minimization: limiting the amount of personal data to what is strictly necessary quality: preserving the quality of personal data retention periods: period needed to achieve the purposes, in the absence of another legal obligation imposing a longer retention period notice: respect for data subjects right to information consent: obtaining the consent of the data subjects or existence of another legal basis justifying the processing of personal data right to object: respect for the data subjects right of opposition right of access: respect for the data subjects right to access their data right to rectification: respect for the data subjects right to correct their data and erase them transfers: compliance with obligations relating to transfer of data outside the European Union Drinker Biddle Reath LLP 22

23 Presentation of DPIA Report List of risk-treatment controls Identify or determine the selected controls (existing or planned): organizational controls: organization, policy, risk management, project management, incident management, supervision, etc. logical security controls: anonymization, encryption, backups, data partitioning, logical access control, etc. physical security controls: physical access control, security of hardware, protection against non-human risk sources, etc. Drinker Biddle Reath LLP 23

24 Presentation of DPIA Report Risk map Risk sources Identify the relevant risk sources in the specific context under consideration Describe the capabilities of risk sources. Feared events For each feared event (illegitimate access to personal data, unwanted change of personal data, and disappearance of personal data): determine the potential impacts on the data subjects privacy if it occurred; estimate its severity, depending especially on the prejudicial effect of the potential impacts and, if applicable, controls likely to modify them; formally set out a justification of the estimation in view of the factors identified. Drinker Biddle Reath LLP 24

25 Presentation of DPIA Report Risk map Threats Identify threats to personal data supporting assets that could lead to each feared event For each identified threat: select the risk sources that could cause it; estimate its likelihood, particularly depending on the level of vulnerabilities of personal data supporting assets, the level of capabilities of the risk sources to exploit them and the controls likely to modify them; formally set out a justification of the estimation in view of the factors identified. Drinker Biddle Reath LLP 25

26 Presentation of DPIA Report Risk map Determine the risk level: its severity equals to that of the feared event concerned by the risk; its likelihood equals the highest likelihood value of the threats associated with the feared event. Present a map of all the risks depending on their level. Drinker Biddle Reath LLP 26

27 Presentation of DPIA Report Conclusion Rationale to validate the PIA Appendices Detailed description of the scope Detailed presentation of the controls Detailed description of the risks Action plan Drinker Biddle Reath LLP 27

28 Consultation with Data Protection Authorities Data controller must consult with DPA where DPIA indicates a high level of residual risk to data subjects after implementing available safeguards. Supervisory authority has 8 weeks, with a further 6 week extension available, to give an opinion on whether the risk mitigation controls are adequate. Drinker Biddle Reath LLP 28

29 TRUSTe-IAF DPIA Strategy Comprehensive DPIA / DIA / EIA Construct 2017 TRUSTe Proprietary and Confidential Information

30 TRUSTe-IAF DPIA Construct - DRAFT Part A Governance and Accountability 1. Organizational Accountability 2. Purpose 3. Data 4. Data Sources, Origins and Characteristics 5. Legal Basis of Processing Part B Risk, Impacts and Benefits 6. High Risk Processing 7. Value and Benefits of the Processing 8. Inherent Risk Assessment 9. Weighted Inherent Risk-Benefits Part C Mitigations and Safeguards 10. Data Necessity (DPbDesign/Default, Data Minimization) 11. Use, Retention and Disposal 12. Disclosure to Third Parties and Onward Transfer 13. Choice and Consent 14. Access and Individual Rights 15. Data Integrity and Quality 16. Security 17. Transparency Part D Risk Outcomes (Report) 18. Mitigations and Safeguard Effectiveness Evaluation (Scale) 19. Calculation of Residual Risk Severity and Likelihood 20. Legitimate Interests Balancing Test Outcomes 21. Where residual risks are high, consultation of DPA and data subjects TRUSTe Proprietary and Confidential Information

31 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 31 TRUSTe Inc., 2017

32 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 32 TRUSTe Inc., 2017

33 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 33 TRUSTe Inc., 2017

34 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 34 TRUSTe Inc., 2017

35 Integrating Privacy into Enterprise Risk Management Privacy Insight Series v - truste.com/insightseries 35 TRUSTe Inc., 2017

36 Q&A Drinker Biddle Reath LLP 36

37 Schedule (11:00 a.m. 12:30 p.m. U.S. Eastern Time) Through August June 22 Determining Your Lead Data Protection Authority: We will guide you in determining your lead data protection authority and discuss options for companies whose existing structures do not allow them to take advantage of this one-stop-shop mechanism. July 27 Data Portability August 24 Consent Drinker Biddle Reath LLP 37

38 Drinker Biddle Reath LLP 38

GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop.

GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop. Webinar 1: Overview of Preparing for the T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop peter.blenkinsop@dbr.com Agenda Introduction (5 mins) Level setting: Brief overview of main provisions

More information

GDPR Webinar 9: Automated Processing & Profiling

GDPR Webinar 9: Automated Processing & Profiling Webinar 9: Automated Processing & Profiling T-Minus 210 Days (October 26, 2017) Presenter: Peter Blenkinsop peter.blenkinsop@dbr.com 1 Agenda for Today Brief update on status of guidance and implementation

More information

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER 1 What will the GDPR mean for your business/organisation? On the 25 th May 2018,

More information

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations Page 1 of 22 Your business and the new data protection laws Data protection and privacy

More information

THE PAINSLEY CATHOLIC ACADEMY. GDPR Data Protection Impact Assessment Policy

THE PAINSLEY CATHOLIC ACADEMY. GDPR Data Protection Impact Assessment Policy THE PAINSLEY CATHOLIC ACADEMY GDPR Data Protection Impact Assessment Policy 1 GDPR The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people s personal

More information

General Personal Data Protection Policy

General Personal Data Protection Policy General Personal Data Protection Policy Contents 1. Scope, Purpose and Users...4 2. Reference Documents...4 3. Definitions...5 4. Basic Principles Regarding Personal Data Processing...6 4.1 Lawfulness,

More information

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT WHAT GDPR MEANS FOR RECORDS MANAGEMENT Presented by: Sabrina Guenther Frigo Overview Background Basic Principles Scope Lawful Processing Data Subjects Rights Accountability & Governance Data Transfers

More information

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law. Buzescu Ca>Romanian Business Law>Romanian Data Protection Laws 12. ROMANIAN DATA PROTECTION LEGAL REGIME Updated October 2018 The relevant Romanian data protection laws are: European Regulation no. 679

More information

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents Company Name: Document DP3 Topic: ( the Company ) Data Protection Policy Data Protection Date: April 2018 Version: 001 Contents Introduction Definitions Data processing under the Data Protection Laws 1.

More information

Foundation trust membership and GDPR

Foundation trust membership and GDPR 05 April 2018 Foundation trust membership and GDPR In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection

More information

Trinity is committed to protecting the privacy and security of personal data.

Trinity is committed to protecting the privacy and security of personal data. This privacy notice applies data processing activities undertaken by Trinity College for security and monitoring relating to staff, students and visitors to Trinity premises including CCTV, other security

More information

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools SCHOOLS DATA PROTECTION POLICY Guidance Notes for Schools Please read this policy carefully and ensure that all spaces highlighted in the document are completed prior to publication. Please ensure that

More information

GENERAL DATA PROTECTION REGULATION Guidance Notes

GENERAL DATA PROTECTION REGULATION Guidance Notes GENERAL DATA PROTECTION REGULATION Guidance Notes What is the GDPR? Currently, the law on data protection requiring the handling of data which identifies people to be done in a fair way, is contained in

More information

DATA PROTECTION POLICY 2018

DATA PROTECTION POLICY 2018 DATA PROTECTION POLICY 2018 Amesbury Baptist Church is committed to protecting all information that we handle about people we support and work with, and to respecting people s rights around how their information

More information

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

The Society of St Stephen s House Site Security and Monitoring Privacy Notice This privacy notice applies to data processing activities undertaken by The Society of St Stephen s House for security and monitoring relating to staff, students and visitors to College premises A summary

More information

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents Company Name: Document: Topic: System People ( the Company ) Data Protection Policy Data protection Date: 28/4/2018 Version: 1 Contents Introduction Definitions Data processing under the Data Protection

More information

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company ) RSD Technology Limited - Data protection policy: Introduction Company Name: Document DP3 Topic: RSD Technology Limited ( the Company ) Data Protection Policy Data protection Date: 25 th May 2018 Version:

More information

EU GENERAL DATA PROTECTION REGULATION

EU GENERAL DATA PROTECTION REGULATION EU GENERAL DATA PROTECTION REGULATION GENERAL INFORMATION DOCUMENT This resource aims to provide a general factsheet to Asia Pacific Privacy Authorities (APPA) members, in order to understand the basic

More information

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make. What is the purpose of this document? NORTHERN IRELAND SCREEN COMMISSION (Company Number NI031997) whose registered office is at 3 rd Floor Alfred House, 21 Alfred Street, Belfast, BT2 8ED is committed

More information

Information Asset Register IAR. Guidance for Schools

Information Asset Register IAR. Guidance for Schools Information Asset Register IAR Guidance for Schools Contents 1. Introduction... 3 2. What is an Information Asset?... 4 3. What is an Information Asset Register?... 4 4. Why Do We Need an Information Asset

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control History Title Data Protection Policy Version no. 1.0 Date of publication May 2018 Author(s) Amanda Cramb, HR Manager Next review date May 2021 Page 1 Introduction

More information

Nissa Consultancy Ltd Data Protection Policy

Nissa Consultancy Ltd Data Protection Policy Nissa Consultancy Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments (DPIA)

More information

Brasenose College is committed to protecting the privacy and security of personal data.

Brasenose College is committed to protecting the privacy and security of personal data. This privacy notice (v1.2) applies to data processing activities undertaken by Brasenose College for security and monitoring relating to staff, students and visitors to College premises including CCTV,

More information

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Legal02#67236978v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Notes: We recommend that any business looking to comply with the

More information

GDPR: What Every MSP Needs to Know

GDPR: What Every MSP Needs to Know Robert J. Scott GDPR: What Every MSP Needs to Know Speaker Robert J. Scott Agenda Purpose GDPR Intent & Obligations Applicability Subject-matter and objectives Material scope Territorial scope New Rights

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version Date Revision Author Summary of Changes 1.0 21 st May 2018 Ashleigh Morrow EXECUTIVE STATEMENT At CASTLEREAGH NURSERY SCHOOL (the School ), we believe privacy is important.

More information

Brasenose College Data Protection Policy Statement v1.2

Brasenose College Data Protection Policy Statement v1.2 Brasenose College Data Protection Policy Statement v1.2 1. Introduction All documents referred to in this policy can be found online at the address below: https://www.bnc.ox.ac.uk/privacypolicies 1.1 Background

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:

More information

UK Research and Innovation (UKRI) Data Protection Policy

UK Research and Innovation (UKRI) Data Protection Policy UK Research and Innovation (UKRI) Data Protection Policy Document Information Revision History Version Comment Date By 0.1 Draft Policy created July 2017 DH 0.2 Revision post review by information manager

More information

Getting Ready for the GDPR

Getting Ready for the GDPR Getting Ready for the GDPR Ann Cartwright Information Governance Lead Sefton Council for Voluntary Service (CVS) Registered Charity No. 1024546. Company Limited by Guarantee No. 2832920. Suite 3B, 3rd

More information

GDPR: An Evolution, Not a Revolution

GDPR: An Evolution, Not a Revolution GDPR: An Evolution, Not a Revolution Disclaimer This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should

More information

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: 4 1. Statement of Intent 1.1 Radian 1 must collect, store and process information about its customers,

More information

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions. Page 2 of 10 Data Protection Policy Chief Information Officer Chief Information Officer Data Protection Officer The current version (July 2018) is derived from, and supersedes, the version published in

More information

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ] SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY Adopted: [17-04-2018] 1 SAFFRON WALDEN COMMUNITY CHURCH is committed to protecting all information that we handle about people we support and work

More information

Achieving Compliance with the GDPR

Achieving Compliance with the GDPR Achieving Compliance with the GDPR Ian Grey Information and Cyber Security consultant ian.grey@wadiff-consulting.co.uk https://www.linkedin.com/in/iangreyuk Russell McDermott Sales Engineer Russell.Mcdermott@netwrix.com

More information

St Michael s CE Primary School Data Protection Policy

St Michael s CE Primary School Data Protection Policy St Michael s CE Primary School Data Protection Policy We will prepare the children at St. Michael's school for life, by giving them the opportunity to fulfil their potential within a happy caring Christian

More information

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY Adopted: 5 June 2018 1 Earls Hall Baptist Church is committed to protecting all information that we handle about people we support and work with, and to

More information

Baptist Union of Scotland DATA PROTECTION POLICY

Baptist Union of Scotland DATA PROTECTION POLICY Baptist Union of Scotland DATA PROTECTION POLICY Adopted: May 2018 1 1.The Baptist Union of Scotland 48, Speirs Wharf, Glasgow G4 9TH (Charity Registration SC004960) is committed to protecting all information

More information

The EU GDPR: How Can Information. Governance Policies Help? The EU GDPR:

The EU GDPR: How Can Information. Governance Policies Help? The EU GDPR: The EU GDPR: How Can The EU GDPR: How Can Information Governance Policies Help? Information Governance Policies Help? ACC/IG Committee Webinar Jason R. Baron Peter Blenkinsop Daniel Miller Amie Taal June

More information

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate

More information

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry 1 Contents Introduction 5 Brexit: GDPR or New UK Law? 8 The eprivacy Directive 10 The GDPR: 10 Key Areas

More information

Hendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris

Hendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris Hendre Infants School DATA PROTECTION POLICY Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris Data Protection Policy OBJECTIVES Administration and delivery of quality services involves processing

More information

CHANNING SCHOOL DATA PROTECTION POLICY

CHANNING SCHOOL DATA PROTECTION POLICY CHANNING SCHOOL DATA PROTECTION POLICY The School may amend/change/update this Policy from time to time. 1. Background Data protection is an important legal compliance issue for Channing School. During

More information

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY Dingwall Baptist Church DATA PROTECTION POLICY Adopted: By Trustees Dingwall Baptist Church May 2018 1 Dingwall Baptist Church is committed to protecting all information that we handle about people we

More information

This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events

This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events A summary of what this notice explains Merton College is committed to protecting the

More information

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes 1 INTRODUCTION The General Data Protection Regulation (GDPR) comes into force in all EU Member States on 25.

More information

The Data Controller for all personal data stored and processed by Horiba MIRA Ltd is:

The Data Controller for all personal data stored and processed by Horiba MIRA Ltd is: Page 1 of 8 Owned By: Data Protection Officer Review Due: March 2020 DATA PRIVACY POLICY It is the policy of Horiba MIRA Ltd (MIRA) that it shall at all times respect the privacy of individuals by processing

More information

Conducting privacy impact assessments code of practice

Conducting privacy impact assessments code of practice ICO lo Conducting privacy impact assessments code of practice Data Protection Act Contents Data Protection Act... 1 About this code... 3 Chapter 1 - Introduction to PIAs... 5 What the ICO means by PIA...

More information

Guidance and Example of a Privacy Notice Form

Guidance and Example of a Privacy Notice Form The General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the Data Protection Act

More information

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3 Norwich Central Baptist Church DATA PROTECTION POLICY Adopted: May.2018 Norwich Central Baptist Church (NCBC) is committed to protecting all information that we handle about people we support and work

More information

Data Protection Impact Assessment Policy

Data Protection Impact Assessment Policy Data Protection Impact Assessment Policy Version 0.1 1 VERSION CONTROL Version Date Author Reason for Change 0.1 16.07.18 Debby Jones New policy 2 EQUALITY IMPACT ASSESSMENT Section 4 of the Equality Act

More information

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson womblebonddickinson.com Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson Agenda What is the GDPR? How Could it Apply to US companies? What are a Few Key Requirements? Share common challenges

More information

CNPD Training: Data Protection Basics

CNPD Training: Data Protection Basics CNPD Training: Data Protection Basics The obligations of controllers and processors Esch-sur-Alzette Mathilde Stenersen 7-8 February 2018 Legal service Outline 1. Introduction 2. Basic elements 3. The

More information

Information Commissioner s Office. Consultation: GDPR DPIA guidance

Information Commissioner s Office. Consultation: GDPR DPIA guidance Information Commissioner s Office Consultation: GDPR DPIA guidance Start date: 22 March 2018 End date: 13 April 2018 ICO GDPR guidance: Contents (for web navigation bar) At a glance About this detailed

More information

Brasenose College SCR Member Only Privacy Notice (v1.2)

Brasenose College SCR Member Only Privacy Notice (v1.2) Brasenose College SCR Member Only Privacy Notice (v1.2) A summary of what this notice explains Brasenose College is committed to protecting the privacy and security of personal data. This notice explains

More information

ACCENTURE BINDING CORPORATE RULES ( BCR )

ACCENTURE BINDING CORPORATE RULES ( BCR ) ACCENTURE BINDING CORPORATE RULES ( BCR ) EXECUTIVE SUMMARY INTRODUCTION Complying with data privacy laws is part of Accenture s Code of Business Ethics (COBE). In line with our COBE, we implement recognized

More information

GDPR is coming soon. Are you ready. Steven Ringelberg.

GDPR is coming soon. Are you ready. Steven Ringelberg. GDPR is coming soon. Are you ready. Steven Ringelberg steven@ringelberglaw.com 616 227 6403 Agenda Who am I Overview What data do you have that is covered and where is it? What rights do individual data

More information

Data Protection for Landlords. David Smith Anthony Gold Solicitors

Data Protection for Landlords. David Smith Anthony Gold Solicitors Data Protection for Landlords David Smith Anthony Gold Solicitors Why Protect Data at All? Personal data is key important in everyday life Internet allows information about people to be spread quickly

More information

RAW MARKETING DATA PROTECTION POLICY

RAW MARKETING DATA PROTECTION POLICY RAW MARKETING DATA PROTECTION POLICY Introduction We take your privacy very seriously and have updated our Privacy Statement in line with the upcoming GDPR regulation. Were absolutely committed to reflecting

More information

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY LEICESTER HIGH SCHOOL DATA PROTECTION POLICY 1. Background Data protection is an important legal compliance issue for Leicester High School. During the course of the School's activities it collects, stores

More information

The template uses the terms students / pupils to refer to the children or young people at the institution.

The template uses the terms students / pupils to refer to the children or young people at the institution. This document is for advice and guidance purposes only. It is anticipated that schools / colleges will use this advice alongside their own data protection policy. This document is not intended to provide

More information

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey www.nascenta.com GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey Introduction GDPR Key Points GDPR/DPA Differences Start Up, Tech Business Professional Practice?

More information

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH, NORTHALLERTON (referred to in this policy as NLBC) is committed to

More information

General Data Protection Regulation

General Data Protection Regulation General Data Protection Regulation Sofie van der Meulen Axon seminar 21 February 2018 Why and when GDPR Essentials Guidance Data Protection Officer Lead Authority Data Portability Data Protection Impact

More information

REDDISH VALE HIGH SCHOOL PRIMARY PRIVACY NOTICE

REDDISH VALE HIGH SCHOOL PRIMARY PRIVACY NOTICE REDDISH VALE HIGH SCHOOL PRIMARY PRIVACY NOTICE Overview Reddish Vale High School is committed to ensuring that we re transparent about the ways in which we use your personal information and that we have

More information

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General Data Protection Document Detail Type of Document (Stat Policy/Policy/Procedure) Policy Category of Document (Trust HR-Fin-FM-Gen/Academy) General Index reference number Approved 26/04/18 Approved by Trust

More information

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1. Company Name: Document DP3 Topic: Skills Direct Ltd ( the Company ) Data Protection Policy Data protection Date: 21 st May 2018 Version: Version 1 Contents Introduction Definitions Data processing under

More information

General Data Protection Regulation (GDPR) Frequently Asked Questions

General Data Protection Regulation (GDPR) Frequently Asked Questions General Data Protection Regulation (GDPR) Frequently Asked Questions 26 March 2018 0 Contents Introduction... 3 What is GDPR?... 3 Who does the GDPR apply to?... 3 Are tax advisers data controllers or

More information

Preparing for the GDPR

Preparing for the GDPR Preparing for the GDPR Note: These slides and the accompanying presentation contain a general summary and are not legal advice. Niall Rooney 03/11/2017 (1) Data Protection The Right to Data Protection

More information

Tourettes Action Data Protection Policy

Tourettes Action Data Protection Policy Tourettes Action Data Protection Policy Effective date: 01/01/2018 Review date: 01/01/2020 Approved: Suzanne Dobson, CEO Tourettes Action Author: Pippa McClounan, Office Manager Tourettes Action Version

More information

PRIVACY NOTICE RNOH Trust Employees & Temporary workers

PRIVACY NOTICE RNOH Trust Employees & Temporary workers PRIVACY NOTICE RNOH Trust Employees & Temporary workers For further information about GDPR please contact: Data Protection Officer Tel: 020 3947 0419 rnoh.informationgovernance@nhs.net The Royal National

More information

GUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT

GUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT GUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT A Data Privacy Impact Assessment (DPIA) helps the University to assess the necessity and proportionality of processing personal data. A DPIA will enable the

More information

PRIVACY NOTICE FOR JOB APPLICANTS

PRIVACY NOTICE FOR JOB APPLICANTS PRIVACY NOTICE FOR JOB APPLICANTS 1. General Information 1.1 Derby County Football Club are committed to protecting the privacy and security of your personal information. 1.2 Under data protection law,

More information

General Data Privacy Regulation: It s Coming Are You Ready?

General Data Privacy Regulation: It s Coming Are You Ready? General Data Privacy Regulation: It s Coming Are You Ready? Presenters Tristan North Worldwide ERC Government Affairs Adviser, Moderator William R. Tehan General Counsel, Graebel Companies, Inc. Hank A.

More information

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy Responsible Business Alliance Data Privacy and GDPR Compliance Policy 1. INTRODUCTION 1.1 As a global non-profit membership organisation, the Responsible Business Alliance ( RBA ) has a responsibility

More information

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR The General Data Protection Regulation ( the GDPR ) significantly increases the obligations and responsibilities of organisations and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy General Data Protection Regulations (GDPR) Document control Version control / history Note: This policy requires to be reviewed at least annually from the publication of the last

More information

The (Scheme) Actuary as a Data Controller

The (Scheme) Actuary as a Data Controller The (Scheme) Actuary as a Data Controller Keith Webster and Ian Stevens Partners, CMS Cameron McKenna LLP June 2014 Discussion Areas New IFOA guidance Data Protection Act refresher Compliance obligations

More information

GENERAL DATA PROTECTION REGULATION (GDPR)

GENERAL DATA PROTECTION REGULATION (GDPR) GENERAL DATA PROTECTION REGULATION (GDPR) GUIDANCE FOR THE ONLINE GAMBLING INDUSTRY Guidance is to help licensed online gambling operators to comply with their obligations under GDPR www.rga.eu.com GENERAL

More information

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you: Ignata Group Data Protection / Privacy Notice What is the purpose of this document? Ignata is committed to protecting the privacy and security of your personal information. This privacy notice describes

More information

How employers should comply with GDPR

How employers should comply with GDPR 02 Mind your business Prepare for GDPR How employers should comply with GDPR Recommendations for employer compliance with GDPR The scope of the impact of the GDPR cannot be overstated. The GDPR will impact

More information

Our position. AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA)

Our position. AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA) AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA) AmCham EU speaks for American companies committed to Europe on trade, investment and competitiveness issues.

More information

GDPR & SMART PIA. Wageningen University Feb 2017

GDPR & SMART PIA. Wageningen University Feb 2017 GDPR & SMART PIA Wageningen University Feb 2017 Tips for Action: Anticipate on the new EU General Data Protection Regulation (GDPR) to determine the privacy standards GDPR has been adopted by EU Parliament

More information

Recruitment Privacy Notice France

Recruitment Privacy Notice France Recruitment Privacy Notice France Updated: June 18, 2018 Recruitment Privacy Notice About The Firm And This Recruitment Privacy Notice Cleary Gottlieb Steen & Hamilton LLP (the Firm ), a limited liability

More information

The Privacy Battlefield What does the GDPR Require?

The Privacy Battlefield What does the GDPR Require? The Privacy Battlefield What does the GDPR Require? 17:00 CET 9:00am PT 12:00pm ET Mike Small CEng, FBCS, CITP Senior Analyst Kuppinger Cole Mike.Small@kuppingercole.com Agenda Mike Small KuppingerCole

More information

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR PRINCIPLES OF PERSONAL DATA PROTECTION In these Principles of Personal Data Protection we inform the subjects of data whose personal data we process about all our activities regarding processing and principles

More information

Job applicant privacy notice (compliant with the General Data Protection Regulations (GDPR)

Job applicant privacy notice (compliant with the General Data Protection Regulations (GDPR) Job applicant privacy notice (compliant with the General Data Protection Regulations (GDPR) The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed

More information

General Data Protection Regulation

General Data Protection Regulation General Data Protection Regulation Draft Privacy Notice for employees November 2017 www.uk.coop/gdprtoolkit This is a draft document which provides a widely drafted privacy notice to allow data to be processed

More information

GDPR for whom it may concern

GDPR for whom it may concern GDPR for whom it may concern Margarita Dubovik 12-Oct-17 GENERAL REGULATION - BACKGROUND GDPR will replace national data protection laws of all 28 EU member states in May GDPR also has international reach

More information

//DATA INNOVATION FOR DEVELOPMENT GUIDE DATA INNOVATION RISK ASSESSMENT TOOL

//DATA INNOVATION FOR DEVELOPMENT GUIDE DATA INNOVATION RISK ASSESSMENT TOOL CHECKLIST Rationale for the checklist: Large-scale social or behavioural data may not always contain directly identifiable personal data and/or may be derived from public sources. Nevertheless, its use

More information

GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO

GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO 1 Consent Things you need to know about consent and the processing of employees data The EU General Data Protection Regulation

More information

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak PROFESSIONAL INDEPENDENT ADVISERS LTD DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Training Manual Data Protection Officer is Mike Bandurak GDPR introduction

More information

Vendor Agreements and the New EU GDPR Steps to Take Now

Vendor Agreements and the New EU GDPR Steps to Take Now Presenting a live 90-minute webinar with interactive Q&A Vendor Agreements and the New EU GDPR Steps to Take Now Complying With the EU General Data Protection and Privacy Regulation TUESDAY, JANUARY 30,

More information

Search Consultancy Limited Privacy Notice

Search Consultancy Limited Privacy Notice Search Consultancy Limited Privacy Notice Search Consultancy Limited and Search Consultancy Group Limited (hereinafter the Company ) is a recruitment business which provides work-finding services to its

More information

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have

More information

General Data Protection Regulation (GDPR) A brief guide

General Data Protection Regulation (GDPR) A brief guide General Data Protection Regulation (GDPR) A brief guide Document compiled by: Terence Clark & Dr. Nathan Matthews June 2017 Acknowledgements This document contains material from the Information Commissioner

More information

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018 LIFE STYLE CARE PLC Privacy Statement for Employees August 2018 Key points Why we use your personal data: We typically use your personal information for purposes related to your employment relationship

More information

NOT PROTECTIVELY MARKED

NOT PROTECTIVELY MARKED Meeting Audit Committee Public Session Date and Time Location Pacific Quay, Glasgow Title of Paper General Data Protection Regulation (GDPR) SPA Preparedness Item Number 9.4 Presented By Catherine Topley

More information

Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance

Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance Agenda What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance What is the GDPR? The General Data Protection Regulation(GDPR) is a European-wide regulation

More information

Project Title. Project Number. Privacy Impact Assessment

Project Title. Project Number. Privacy Impact Assessment Project Title Project Number Privacy Impact Assessment This document is classified as Official and is disclosable under the terms of the Freedom of Information Act. No part of the report should be disseminated

More information