GDPR breakfast roundtable: legal grounds for use & data mapping. Jurriaan Jansen Nikolai de Koning Norton Rose Fulbright LLP 23 May 2017
|
|
- Kelly Chapman
- 6 years ago
- Views:
Transcription
1 GDPR breakfast roundtable: legal grounds for use & data mapping Jurriaan Jansen Nikolai de Koning Norton Rose Fulbright LLP 23 May 2017
2 Agenda Legal grounds for processing personal data Necessary for the performance of a contract Compliance with a legal obligation Legitimate interests Consent Other grounds Sensitive personal data Export of personal data Data mapping Why should you map the personal data flows in your organisation? Practical recommendations 2
3 EU data protection reform Replace current EU Directive (and Member State implementing legislation) with a directly effective EU Regulation Top fine higher of 20m or 4% of worldwide turnover Stricter & more onerous requirements Stricter consent rules; more extensive privacy notices New data subject rights: to be forgotten & data portability Strict rapid data breach reporting (already applicable in the Netherlands as of 1 January 2016) Accountability: must document processing, controls and audit same Processor liability Export some streamlining & some further restriction One stop shop 3
4 GDPR timeline GDPR published in the Official Journal of the EU 4 May 2016 Q Q Q Proposal for e-privacy Regulation by EU Commission Expected: Passing of MS data protection laws GDPR delegated acts Guidance by SAs Q Q Q Q Application of GDPR (Intended application of e-privacy Regulation) 25 May 2018 Repeal of EU Directive 4
5 Legal grounds for processing personal data
6 Processing grounds Processing of personal data is only lawful if and to the extent at least one legal ground is available The GDPR does not change the legal grounds for processing Most commonly used legal grounds: You have consent to do so It is necessary to do so under contract There is a legal obligation to do so There is a compelling, legitimate interest to do so 6
7 Necessary for the performance of a contract Data subject must be a party to the agreement and be aware of its participation Also covers the pre-contractual phase (at the request of the data subject) Involvement of third party personal data in performing a contract Example: instructing your bank to make a payment to a third party Examples Providing credit card and address details for ordering a book online? Credit reference checks prior to the grant of a loan? Marketing? 7
8 Legitimate interests processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child Requires a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights and freedoms of the data subject Not just weighing of two easily quantifiable / comparable weights ; fully consider number of factors, including whether data subject reasonably expects processing The outcome of this balancing test determines whether this ground may be relied upon Burden of proof lies with controller Some scenarios Special offer by a sushi chain Using food orders to adapt health insurance premiums 8
9 Necessary for compliance with a legal obligation Controller must be subject to legal obligation with a basis in Union or Member State law i.e. no third country legislation (although legitimate interest grounds may be available in that case) No specific law required for each individual processing No explicit obligation required, but legal obligation itself must be sufficiently clear as to what processing of personal data it requires Necessity Examples Salary data reporting to tax and social security authorities Reporting suspicious transactions under AML legislation 9
10 Consent Specific and informed No imbalance freely given Unambiguous Not bundled Statement or affirmative action Consent Unnecessary data required as condition of service provision Intelligible Highlight right to withdraw Distinguishable 10
11 Consent (1) 11
12 When is consent appropriate? Consent is one lawful basis for processing, but there are alternatives. Always consider whether an alternative ground is available Should provide real choice and control over how you use their data, and want to build their trust and engagement Consent generally not be a precondition of a service Public authorities, employers and other organisations in a position of power over individuals to avoid relying on consent Existing consents? Recital 171 of the GDPR 12
13 Other grounds Other grounds that could make processing lawful: necessary in order to protect the vital interests of the data subject or of another natural person necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller Vital interests Some examples Performance of a task carried out in the public interest / exercise of official authority Some examples 13
14 Sensitive personal data Stricter regime (i.e. prohibition) applies to the processing of sensitive categories of personal data What data is considered sensitive personal data? GDPR provides for limited set of exceptions to prohibition to process sensitive personal data Explicit consent (except where Union or Member State law provides that prohibition may not be lifted) Employment and social security and social protection law purposes Vital interests Political, philosophical, religious or trade union purposes (under strict conditions) Data manifestly made public by the data subject Establishment, exercise or defence of legal claims Etc. 14
15 Transferring personal data outside the EEA EEA White List Iceland Andorra Faroe Islands Isle of Man Switzerland Lichtenstein Argentina Guernsey Israel Uruguay Norway Canada Jersey New Zealand USA The EU-U.S. (and Swiss- U.S.) Privacy Shield Otherwise: Certain narrow exemptions EU Model Clauses with importer Controller Binding Corporate Rules Processor Binding Corporate Rules 15
16 Data mapping
17 Map data uses & flows why? (1) Specific obligation to maintain records of processing activities (Article 30 GDPR) name & contact details of any controller (or rep) and the DPO purpose of the processing categories of data subjects and personal data categories of recipients, including in third countries details of transfers to third countries (including documentation of suitable safeguards) where possible, envisaged time limits for erasure of the different categories of data where possible, a general description of the TOMs applied You won t be able to comply with the new privacy notice / privacy by design requirements without doing so (Articles 13/14/25 GDPR) legal basis for processing legitimate interests pursued if relying on legitimate interests ground export solution if exporting to third country (with means to obtain a copy) taking into account data protection when developing products or services source of data and whether it came from publicly available sources 17
18 Map data uses & flows why? Accountability! Abolition of the prior formal notification regime but counterpart: new accountability principle Accountability entails both (i) being compliant and (ii) being able to demonstrate compliance at any given moment Article 5(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ( accountability ) Article 24 [ ] the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 18
19 Map data uses & flows why? (2) You will need this information to respond to data subject rights (Article 15 GDPR) recipients or categories of recipients to whom they are disclosed existence of automated decision making exceeding the thresholds 19
20 Specimen GDPR data uses register Title of Purpose Title of purpose - division of purposes should be such that differences in processing can be captured Processing Purpose Brief description of processing activ ities in purpose Department & Person Responsibl e for the Processing Person responsible must be consulted if any breaches or changes to processing Source of Data Data Subjects High lev el categories of data subjects (eg employ ees, contractors, customers) Categories of Personal Data High lev el categories of nonsensitiv e data Sensitive Personal Data or other data subject to specific rules Specif y if any health, sex lif e, criminal, ethnic, trade union, political, religious data Disclosures to processors Specif y any subcontract ors Disclosures to controllers (service recipients) Specif y if disclosed to any 3rd parties Storage location Specif y primary and secondary storage locations Any transfer to/access from outside EEA and export solution to legitimise Access is treated as transf er Specif y the location of the third country and/or the name of the international organisation to whom data is disclosed Add consent, EU MC, BCRs, other derogation (specif y ) Data Retention Period Specif y data retention period Security Where f easible, please prov ide f or a general description of the security measures in place (or insert a ref erence to the relev ant documentati on usually done on a legend basis) Processing Ground & FPI Specif y ground justif y ing processing and how f air processing inf ormation giv en Recruitment Application process up to successf ul hire HR, Applicants Vetting agencies Internet 3rd party ref erees Potential and existing employ ee and contractors HireRight employ ee screening Oracle HRIS hosting Law enf orcement Parent co f or senior hires Dutch primary Oracle HRIS US back up Oracle HRIS EU MC with Oracle f or US back up 6 months if unsuccessf ul Otherwise whilst employ ed + 6 y ears Employ ment obligations Consent FPI giv en in application f orms 20
21 Content of the Register Mandatory Article 30 (1) and 30 (2) GDPR requirements the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer the purposes of the processing a description of the categories of data subjects and of the categories of personal data the categories of recipients including recipients in third countries where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards the envisaged time limits for erasure of the different categories of data a general description of the technical and organisational security measures Additional recommendation We recommend supplementing Article 30 (1) requirements with information required to be included in privacy notices in Articles 13 and 14: The legal basis of the processing, and when the processing is based on the legitimate interests of the controller, identification of the legitimate interests invoked 21
22 Where to start within your organisation? Decide on the methodology that you will use Internal only or involving external advisers? Use of third party tools? Consider business as a whole and divide it up into areas of activity HR (including recruitment, pensions data, salary data, whistleblowing) Customer data (services and products, anti-fraud) Marketing Procurement IT Subdivide areas of activity into business processes with commonality of data use 22
23 Where to start within your organisation? (1) Who within your organisation will be responsible for data protection compliance? Appoint a business process owner? Ask stakeholders with knowledge in relevant areas of the business Ensuring business process owners are sufficiently knowledgeable regarding personal data use Relevant business process owners to complete questionnaires and participate in interviews 23
24 Questionnaires/interviews 24
25 Questionnaires/interviews (1) 25
26 Questionnaires/interviews (2) 26
27 What steps next? Follow-up meeting to discuss input questionnaires and outcome of interviews Verify with IT department? Time to populate the GDPR data uses register 27
28 Populating the GDPR data uses register GDPR Register Table Separate table to be completed in relation to each type of use of Personal Data in this area (e.g. a table for Personal Data processed to record employee absences, a table for Personal Data processed for disaster response purposes, etc.) (To be completed by stakeholders after completion of questionnaire and, w here applicable, after meeting w ith NRF LLP) Data Controller Processing Purpose Title [Free form] Source of data Source of Personal Data how is this Personal Data obtained by the organisation? Categories of non-sensitive personal data List types of non-sensitive Personal Data collected Categories of sensitive personal data List any Sensitive Personal Data (including card data, national ID numbers, social security numbers) collected [Free form] Category Tick if applicable Contact details [ ] IP address/device identifier [ ] Date of birth [ ] Work related information (eg. Performance [Free form] metrics) Non-w ork related information (eg. Personal [Free form] s) Others [Free form] Category Tick if applicable Racial or ethnic origin [ ] Political opinion [ ] Religious or philosophical beliefs [ ] Trade union membership [ ] Genetic data [ ] Biometric data [ ] Health data [ ] Sex life [ ] Sexual orientation [ ] Social security numbers [ ] Criminal offences [ ] 28
29 Populating the GDPR data uses register (1) GDPR Register Table Separate table to be completed in relation to each type of use of Personal Data in this area (e.g. a table for Personal Data processed to record employee absences, a table for Personal Data processed for disaster response purposes, etc.) Categories of data subjects (To be completed by stakeholders after completion of questionnaire and, w here applicable, after meeting w ith NRF LLP) Who does the Personal Data relate to? Purpose for w hich it is used Category Tick if applicable Customers [ ] Suppliers [ ] Employees [ ] Other [Free form] [Free form] What is it used for include brief description? Grounds for processing What grounds are being relied on to process the personal data for this purpose? Data storage Where is the data stored (state application/ service provider/ country if know n)? Recipients inside organisation Ground Tick if applicable Legitimate interest [ ] Consent [ ] Others [Free form] Application(s): Country: Role, department, country: Who inside organisation can access the data/ has the data transferred to them (specify if they access data / are transferred data, include role, department, country in w hich they are located (and if outside EEA the basis for transferring to that country))? Access/ transfer to: Please complete separately for each category of recipients Recipients outside organisation Organisation: Who outside organisation can access the data/ has data transferred to them (specify if they access data / are transferred data, if they use it to provide service to organisation or use for their ow n purposes, country in w hich they are located (and if outside EEA the basis for transferring to that country))? Please complete separately for each category of recipients To provide service/ use for ow n purpose (specify purpose): Access/ transfer to: 29
30 Populating the GDPR data uses register (2) GDPR Register Table Separate table to be completed in relation to each type of use of Personal Data in this area (e.g. a table for Personal Data processed to record employee absences, a table for Personal Data processed for disaster response purposes, etc.) Data retention (To be completed by stakeholders after completion of questionnaire and, w here applicable, after meeting w ith NRF LLP) [Free form] How long w ill the data be stored? Is the data destroyed at the end of the retention period or kept on a separate archive support w ith limited access? Security / confidentiality [Free form] 30
31 Questions 31
32
33 Disclaimer Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP an d Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to Norton Rose Fulbright, the law firm and legal practice are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together Norton Rose Fulbright entity/entities ). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a partner ) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If yo u require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. 33
Foundation trust membership and GDPR
05 April 2018 Foundation trust membership and GDPR In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection
More informationEU GENERAL DATA PROTECTION REGULATION
EU GENERAL DATA PROTECTION REGULATION GENERAL INFORMATION DOCUMENT This resource aims to provide a general factsheet to Asia Pacific Privacy Authorities (APPA) members, in order to understand the basic
More informationThe EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry
The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry 1 Contents Introduction 5 Brexit: GDPR or New UK Law? 8 The eprivacy Directive 10 The GDPR: 10 Key Areas
More informationPREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER
PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER 1 What will the GDPR mean for your business/organisation? On the 25 th May 2018,
More informationHow employers should comply with GDPR
02 Mind your business Prepare for GDPR How employers should comply with GDPR Recommendations for employer compliance with GDPR The scope of the impact of the GDPR cannot be overstated. The GDPR will impact
More informationThe Sage quick start guide for businesses
General Data Protection Regulation (GDPR): The Sage quick start guide for businesses Contents Introduction 3 Infographic: GDPR at a Glance 4 The basics 5 The GDPR in summary 5 Individual rights and informing
More informationGeneral Personal Data Protection Policy
General Personal Data Protection Policy Contents 1. Scope, Purpose and Users...4 2. Reference Documents...4 3. Definitions...5 4. Basic Principles Regarding Personal Data Processing...6 4.1 Lawfulness,
More informationGDPR factsheet Key provisions and steps for compliance
GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance
More informationDepending on the circumstances, we may collect, store, and use the following categories of personal information about you:
Ignata Group Data Protection / Privacy Notice What is the purpose of this document? Ignata is committed to protecting the privacy and security of your personal information. This privacy notice describes
More informationWHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION
WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) Published by: The
More informationWSGR Getting Ready for the GDPR Series
WSGR Getting Ready for the GDPR Series Overview, main concepts, principles and obligations Cédric Burton Of Counsel Laura De Boel Senior Associate Christopher Kuner Senior Privacy Counsel WSGR Webinar,
More informationGDPR Factsheet - Key Provisions and steps for Compliance
GDPR Factsheet - Key Provisions and steps for Compliance Organisations in the Leisure & Hospitality industry hold vast amounts of personal data relating to customers, employees, and suppliers as well as
More informationGDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS
GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS What is the purpose of this document? FS1 Recruitment UK Ltd is committed to protecting the privacy and security of your
More informationContents. Introduction 1. Territorial scope 3. Supervisory authority 4. Data governance and accountability 5. Export of personal data 14
GDPR checklist Contents Introduction 1 Territorial scope 3 Supervisory authority 4 Data governance and accountability 5 Export of personal data 14 Joint controllers 16 Processors 17 Lawful grounds to process
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY APRIL 2018 Attendance Policy and Procedures (Pupils) (P3/Policies) Updated January 2018 Page 1 of 11 Title Summary Purpose Operational Date April 2018 Next Review Date April 2019
More informationEU General Data Protection Regulation
Guidance note EU General Data Protection Contents Introduction Guidance note aims and structure Summary Data basics Dealing with individuals Governance and risk management Concluding remarks Appendix 1
More informationData Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents
Company Name: Document: Topic: System People ( the Company ) Data Protection Policy Data protection Date: 28/4/2018 Version: 1 Contents Introduction Definitions Data processing under the Data Protection
More informationGeneral Data Protection Regulation (GDPR) Frequently Asked Questions
General Data Protection Regulation (GDPR) Frequently Asked Questions 26 March 2018 0 Contents Introduction... 3 What is GDPR?... 3 Who does the GDPR apply to?... 3 Are tax advisers data controllers or
More informationGeneral Data Protection Regulation
General Data Protection Regulation Draft Privacy Notice for employees November 2017 www.uk.coop/gdprtoolkit This is a draft document which provides a widely drafted privacy notice to allow data to be processed
More informationGeneral Data Protection Regulation (GDPR) A brief guide
General Data Protection Regulation (GDPR) A brief guide Document compiled by: Terence Clark & Dr. Nathan Matthews June 2017 Acknowledgements This document contains material from the Information Commissioner
More informationGeneral Data Privacy Regulation: It s Coming Are You Ready?
General Data Privacy Regulation: It s Coming Are You Ready? Presenters Tristan North Worldwide ERC Government Affairs Adviser, Moderator William R. Tehan General Counsel, Graebel Companies, Inc. Hank A.
More informationThe New EU General Data Protection Regulation 1
The New EU General Data Protection Regulation 1 Dear clients and friends, On 14 April 2016 the EU Parliament formally approved the General Data Protection Regulation ( the Regulation ). The Regulation
More informationA GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1
Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com A GDPR Primer For U.S.-Based Cos. Handling
More informationGetting Ready for the. General Data Protection Regulation GDPR. A Guide by Mason Hayes & Curran. Dublin, London, New York & San Francisco. MHC.
Getting Ready for the General Data Protection Regulation GDPR 2018 Dublin, London, New York & San Francisco A Guide by Mason Hayes & Curran MHC.ie The contents of this publication are to assist access
More informationData Protection Policy
Reference: Date Approved: April 2015 Approving Body: Board of Trustees Implementation Date: August 2015 Supersedes: 2.0 Stakeholder groups Governance Committee, Board of Trustees consulted: Target Audience:
More informationGDPR readiness for start-ups, technology businesses and professional practices Martin Cassey
www.nascenta.com GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey Introduction GDPR Key Points GDPR/DPA Differences Start Up, Tech Business Professional Practice?
More informationPolicy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent
Policy Document for: Data Protection (GDPR) Approved by Directors: September 2017 Due for Review: September 2020 1. Statement of intent Timu Academy Trust is required to keep and process certain information
More informationDealing with the EU Data Protection Regulation in Practice. William Long, Partner Sidley Austin LLP February 11, 2016
Dealing with the EU Data Protection Regulation in Practice William Long, Partner Sidley Austin LLP February 11, 2016 Do you need to comply? The Regulation will apply to a business processing personal data:
More informationData Protection. Policy
Data Protection Policy Why do we need this policy? What does the policy apply to? Which parts of SQA are affected? SQA is committed to adopting best practice in protecting the personal information of all
More informationEU Regulation 2016/679, GDPR. GDPR, the DPA98 on Steroids
EU Regulation 2016/679, GDPR GDPR, the DPA98 on Steroids 1 RECAP TITLE Full title REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 What it s about on the protection
More informationThe General Data Protection Regulation An Overview
The General Data Protection Regulation An Overview Published: May 2017 Brunel House, Old Street, St.Helier, Jersey, JE2 3RG Tel: (+44) 1534 716530 Guernsey Information Centre, North Esplanade, St Peter
More informationTHE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE
OCTOBER 2017 EU, COMPETITION, TRADE AND REGULATORY THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE The EU General Data Protection Regulation (GDPR) becomes effective
More informationACADEMIC AFFAIRS COUNCIL ******************************************************************************
ACADEMIC AFFAIRS COUNCIL AGENDA ITEM: 4 D (3) DATE: February 21, 2018 ****************************************************************************** SUBJECT EU Data Protection Regulations CONTROLLING STATUTE,
More informationEU General Data Protection Regulation (GDPR)
A Brief Overview of the EU General Data Protection Regulation (GDPR) November 2017 What is the GDPR? After several years in the making, on 8 April 2016 the European Council finally adopted Regulation
More informationGDPR: Is it just another strict regulation or a great opportunity for operational excellence?
GDPR: Is it just another strict regulation or a great opportunity for operational excellence? Xenofon Liapakis General manager CIO & Services of Interamerican group Chairman of Hellenic CIO forum November
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP 256 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (updated) Adopted on 29 November 2017 INTRODUCTION
More informationGDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges
GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges Cyber Risk 1 GDPR and Canadian organizations: Addressing key challenges The regulation
More informationHuman Resources. Data Protection Policy IMS HRD 012. Version: 1.00
Human Resources Data Protection Policy IMS HRD 012 Version: 1.00 Disclaimer While we do our best to ensure that the information contained in this document is accurate and up to date when it was printed
More informationARTICLE 29 Data Protection Working Party
ARTICLE 29 Data Protection Working Party 17/EN WP264 rev.01 Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data Adopted on 11
More informationEuropean Union General Data Protection Regulation 2016 (Effective 25 May 2018)
European Union General Data Protection Regulation 2016 (Effective 25 May 2018) European Union General Data Protection Regulation 2016 (Effective 25 May 2018) CONTENTS Why is the GDPR relevant to Hong
More informationTWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION
TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION Awareness Data Stream Map Communication Rights of the subject Legal basis Consent Data Breaches Privacy by design and PIA
More informationThe Data Protection Regulation for Europe
The Data Protection Regulation for Europe Magnus Stenbeck, Karolinska Institutet Dept of Clinical Neuroscience and The Research Data Inquiry (U 2016:04) The data protection regulation in the EU Old system
More informationcloser look at Definitions The General Data Protection Regulation
A closer look at Definitions The General Data Protection Regulation September 2017 V1 www.inforights.im Important This document is part of a series, produced purely for guidance, and does not constitute
More informationGuidance on the General Data Protection Regulation: (1) Getting started
Guidance on the General Data Protection Regulation: (1) Getting started Guidance Note IR03/16 20 th February 2017 Gibraltar Regulatory Authority Information Rights Division 2 nd Floor, Eurotowers 4, 1
More informationAmCham s HR Committee s
AmCham s HR Committee s GDPR / Data Privacy Roundtable 19. SEPTEMBER 2017 THE REGULATION REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural
More informationGDPR: An Overview for Public Sector Communicators
GDPR: An Overview for Public Sector Communicators Live webinar 16 August uk.granicus.com @GranicusUK #Granicus17 Granicus Annual Public Sector Communications Conference Tuesday 26 Sept RIBA Venues, London
More informationGeneral Data Protection Regulation. The changes in data protection law and what this means for your church.
General Data Protection Regulation The changes in data protection law and what this means for your church. 1 Contents Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 18 Page 20 Page 23
More informationThe Top 10 Operational Impacts of the EU s General Data Protection Regulation
The Top 10 Operational Impacts of the EU s General Data Protection Regulation www.iapp.org IAPP - International Association of Privacy Professionals The Top 10 Operational Impacts of the EU s General Data
More informationTourettes Action Data Protection Policy
Tourettes Action Data Protection Policy Effective date: 01/01/2018 Review date: 01/01/2020 Approved: Suzanne Dobson, CEO Tourettes Action Author: Pippa McClounan, Office Manager Tourettes Action Version
More informationPersonal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR
PRINCIPLES OF PERSONAL DATA PROTECTION In these Principles of Personal Data Protection we inform the subjects of data whose personal data we process about all our activities regarding processing and principles
More informationData Privacy Bootcamp: GDPR
Data Privacy Bootcamp: GDPR preparing for the general data protection regulation Data Privacy Bootcamp: GDPR Preparing for the General Data Protection Regulation Rebecca Eisner Partner Mayer Brown Oliver
More informationTEL: +44 (0)
EU General Data Protection Regulation FAQs Cordery GDPR Navigator This note is part of the Cordery GDPR Navigator. Technical terms are used in this document which are explained in the glossary. Edition
More informationTHE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)
THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*) The first IBM Personal Computer was introduced just over 35 years ago, on August 12, 1981. The first-generation iphone was introduced in the
More informationGDPR. Guidance on Employee Personal Data
GDPR Guidance on Employee Personal Data Introduction The General Data Protection Regulation (GDPR), due to come into force on 25 May 2018, will impose significant new burdens on organisations across Europe
More informationThe (Scheme) Actuary as a Data Controller
The (Scheme) Actuary as a Data Controller Keith Webster and Ian Stevens Partners, CMS Cameron McKenna LLP June 2014 Discussion Areas New IFOA guidance Data Protection Act refresher Compliance obligations
More informationUK Research and Innovation (UKRI) Data Protection Policy
UK Research and Innovation (UKRI) Data Protection Policy Document Information Revision History Version Comment Date By 0.1 Draft Policy created July 2017 DH 0.2 Revision post review by information manager
More informationSt Mark s Church of England Academy Data Protection Policy
St Mark s Church of England Academy Data Protection Policy 1 Contents Purpose:... Error! Bookmark not defined. Scope:... Error! Bookmark not defined. Procedure:... Error! Bookmark not defined. Definitions:...
More informationSyntel Human Resources Privacy Statement
Syntel Human Resources Privacy Statement August 24, 2016 Privacy Statement highlights: Syntel is committed to protecting your privacy. This Privacy Statement ("Statement") addresses prospective, current,
More informationGDPR Compliance Checklist
GDPR Compliance Checklist GDPR Compliance Checklist This GDPR Compliance Checklist sets out the key requirements that the General Data Protection Regulation will introduce into EU Privacy law on 25 May
More informationBreaking the myth How your marketing activities can benefit from the GDPR December 2017
www.pwc.be Breaking the myth How your marketing activities can benefit from the GDPR December 2017 1. Introduction As opposed to a widespread belief, the GDPR aims to reinforce customers rights, whilst
More informationCustomer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)
Customer Data Protection Temenos module for the General Data Protection Regulation (GDPR) Contents Glossary 03 GDPR Geographical Scope 03 GDPR implementation status 03 Overview of GDPR 03 Financial Institutions
More informationGDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry
GDPR Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry Who are we? Dillistone Group Plc, a public company listed on the AIM market of the London stock
More informationSupplemental guide to the GDPR for HR professionals
Supplemental guide to the GDPR for HR professionals Version 1.0, January 2018 The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, representing the most significant change
More informationWhat you need to know. about GDPR. as a Financial Broker. Sponsored by
What you need to know about GDPR as a Financial Broker Dear Partner The regulatory and compliance environment is ever changing and the burden and requirements on financial services professionals continues
More informationData protection (GDPR) policy
Data protection (GDPR) policy January 2018 Version: 1.0 NHS fraud. Spot it. Report it. Together we stop it. Version control Version Name Date Comment 1.0 Trevor Duplessis 22/01/18 Review due Dec 2018 OFFICIAL
More informationEU General Data Protection Regulation (GDPR) Tieto s approach and implementation
EU General Data Protection Regulation (GDPR) Tieto s approach and implementation GDPR roles and positions Data subjects Information on processing Consent or other basis for processing Right requests High
More informationIQ Data Protection Policy
IQ Data Protection Policy Statement of purpose IQ Ltd is registered on the Data Protection register as a statutory requirement for organisations that hold personal data. Registration was first completed
More informationRegulates the way data controllers process personal data
GUIDANCE NOTE ON THE DATA PROTECTION ACT 1998 This guidance note gives an overview of how the Data Protection Act 1998 (the Act ) applies to clubs (including class associations) and recognised training
More informationThe General Data Protection Regulation: What does it mean for you?
The General Data Protection Regulation: What does it mean for you? We are here to help The changes being introduced in the EU General Data Protection Regulation 2016 (GDPR) will be the biggest shake-up
More informationGROUP DATA PROTECTION POLICY
GROUP DATA PROTECTION POLICY Conducting business the right way Safeguarding our customer and employee personal data Version 1 [August 2016] CONDUCTING BUSINESS THE RIGHT WAY Our Values, Doing the Right
More informationGetting Ready for the GDPR
Getting Ready for the GDPR Ann Cartwright Information Governance Lead Sefton Council for Voluntary Service (CVS) Registered Charity No. 1024546. Company Limited by Guarantee No. 2832920. Suite 3B, 3rd
More informationBreakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018
Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018 Introduction The Partner organisations within the Breakthrough Programme need to collect
More informationData Protection Policy
Data Protection Policy StCH Data Protection Policy - POL 53 vs1 - July 2016 1 Document Control Table Document Title: Data Protection Policy Document Ref: POL 53 Author (name and job title): Karen Anderson,
More informationData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 29 September 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC Consultant Infrastructure services Business
More informationVendor Agreements and the New EU GDPR Steps to Take Now
Presenting a live 90-minute webinar with interactive Q&A Vendor Agreements and the New EU GDPR Steps to Take Now Complying With the EU General Data Protection and Privacy Regulation TUESDAY, JANUARY 30,
More informationDATA PROTECTION POLICY
1. Introduction This policy is intended to provide information about how the School will use (or process ) personal data about individuals including: Current, past and prospective pupils; Parents, carers
More informationPERSPECTIVE. GDPR - An industry and geography agnostic regulation. Abstract
PERSPECTIVE GDPR - An industry and geography agnostic regulation Abstract As the deadline to comply with the General Data Protection Regulation (GDPR) draws near, many organizations are unaware of what
More informationData Privacy Policy for Employees and Employee Candidates in the European Union
Data Privacy Policy for Employees and Employee Candidates in the European Union This Data Privacy Policy is effective as of February 1, 2014 1. Data Privacy Policy Overview 1.1 Under Armour, Inc. (the
More informationSIGBI DATA PROTECTION PROTOCOLS 2018
SIGBI DATA PROTECTION PROTOCOLS 2018 For the purpose of this document, references to Soroptimist International Great Britain and Ireland (SIGBI) Limited and Soroptimist International may be written as
More informationGDPR Webinar 4: Data Protection Impact Assessments
Webinar 4: Data Protection Impact Assessments T-Minus 365 Days (May 25, 2017) Presenters: Peter Blenkinsop peter.blenkinsop@dbr.com Hilary Wandall General Counsel & Chief Data Governance Officer, TRUSTe
More informationGeneral Optical Council. Data Protection Policy
General Optical Council Data Protection Policy Authors: Lisa Sparkes Version: 1.2 Status: Live Date: September 2013 Review Date: September 2014 Location: Internet / Intranet Document History Version Date
More informationCANDIDATE DATA PROTECTION STANDARDS
CANDIDATE DATA PROTECTION STANDARDS I. OBJECTIVE The aim of these Candidate Data Protection Standards ( Standards ) is to provide adequate and consistent safeguards for the handling of candidate data by
More informationGuide to the GDPR. Contents. dbsdata.co.uk
Guide to the GDPR Guide to the GDPR Contents 03 What does the new GDPR say? 04 The GDPR Principles 04 Organisational & Technical Measures 05 GDPR at a glance 06 From May 2018 each of us have some new awesome
More informationA Parish Guide to the General Data Protection Regulation (GDPR)
A Parish Guide to the General Data Protection Regulation (GDPR) What s happening and why is it important? The law is changing. Currently, the Data Protection Act 1998 governs how you process personal data
More informationTHE HEATH ACADEMY TRUST DATA PROTECTION POLICY
THE HEATH ACADEMY TRUST DATA PROTECTION POLICY inspire transform together Summary Policy Reference Number: 024 Category: Authorised By: Committee Responsible: Data Protection Board Of Directors Board Of
More informationWhat is GDPR and Should You Care?
What is GDPR and Should You Care? Ingram Micro Inc. 1 Overview of Privacy Climate & Concerns 2 2 Today We Live In A World Where Advertisers read key words in your Facebook posts and emails and decide what
More informationGDPR Webinar : Overview & practical compliance steps. 23 October 2017
GDPR Webinar : Overview & practical compliance steps 23 October 2017 1 Dr Michelle Goddard Director Policy & Communication, EFAMRO Mattias Strandberg Skribent, dagensanalys.se copyright efamro 2010 2 About
More informationWill Your Company Pass a Privacy Audit?
Will Your Company Pass a Privacy Audit? by Tammi K. Franke The Issue - Companies that collect personal information are under increasing scrutiny by both consumers and governments in the United States and
More informationMind your business: Prepare for GDPR
Mind your business: Prepare for GDPR Practical tips for small businesses www.sfa.ie/advice Contents Foreword 1 Section 1: Setting the scene 2 Section 2: How to implement GDPR 4 Step 1: Plan and resource
More informationColleges and public authority status under data protection legislation
Colleges and public authority status under data protection legislation Introduction 1. This paper sets outs the likelihood that Colleges (and the University) will be designated as public authorities under
More informationData Protection Audit Self-assessment toolkit
Data Protection Audit Self-assessment toolkit online preferences security passport details emergency contact details blood group email account number accuracy CCTV images tax records rights payroll number
More informationGDPR: keeping data processing records
GDPR: keeping data processing records Fit4DataProtection Keeping data processing records under the GDPR 1. Why? 2. Who? 5. 3. 4. What? How? Sanctions? 6. What can we recommend? 1. Why? new data quality
More informationGUIDELINES CONCERNING THE PROCESSING OPERATIONS IN THE FIELD OF STAFF RECRUITMENT
GUIDELINES CONCERNING THE PROCESSING OPERATIONS IN THE FIELD OF STAFF RECRUITMENT A/ INTRODUCTION These guidelines concern processing operations on staff recruitment carried out by the Community institutions
More informationOpus2 or an Opus2 Affiliate within the Group (as applicable), shall be the Data Controller in respect of the Personal Data covered in this Notice.
Introduction Your privacy is important to Opus2. We have drafted this Privacy Notice (also referred to as Notice in this document) to help you understand who we are, what Personal Data we collect about
More informationARTICLE 29 Data Protection Working Party
ARTICLE 29 Data Protection Working Party 05/EN WP108 Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules Adopted on April 14 th, 2005 This Working Party
More informationwith Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting
with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting xada@gedapre.eu tel 0475-41.03.22 xavier.darmstaedter@dacota.eu Gent, 3 October 2017 4 facts 1. We are not really in control of our personal
More informationPREPARING FOR THE GENERAL DATA PROTECTION REGULATION. Digest
PREPARING FOR THE GENERAL DATA PROTECTION REGULATION Digest 1 Preparing for the General Data Protection Regulation Digest December 2016 READERSHIP CISOs, senior business representatives, information security
More informationIntroduction Why is data protection important? How does it apply to volunteers? What volunteers need to do?...
Data Protection Guidance for Volunteers Last update 26/11/17 Contents Introduction... 2 1. Why is data protection important?... 2 2. How does it apply to volunteers?... 2 3. What volunteers need to do?...
More informationNew General Data Protection Regulation - an introduction
New General Data Protection Regulation - an introduction Netnod spring meeting 2017 Johan Hübner, Partner, Advokat Erika Hammar, Associate Agenda Background Why you need to care about the new data privacy
More informationGuidelines on the protection of personal data in IT governance and IT management of EU institutions
Guidelines on the protection of personal data in IT governance and IT management of EU institutions Postal address: rue Wiertz 60 - B-1047 Brussels Offices: rue Montoyer 30 - B-1000 Brussels E-mail : edps@edps.europa.eu
More information