An Introduction to GDPR and How To Prepare

Transcription

1 An Introduction to GDPR and How To Prepare Vincenzo Ardilio IRIS Data Protection Officer

2 What We Will Highlight What you need to know first about GDPR Privacy notices Data subject rights The data controller/processor relationship Summary of key changes: o Data protection by design and default o Data protection officer o What reporting breaches

3 What You Need to Know First The General Data Protection Regulation (GDPR) is replacing the Data Protection Act 1998 from 25 May 2018 Risk of very high fines of up to 20m/4% annual t/o and reputational damage if anything goes wrong It s all about accountability and being able to demonstrate it

4 Will It Really Happen? Timelines - UK remains part of EU for two years after triggering Article 50 UK heavily involved in creation of GDPR and committed to it - HMG has published UK Data Protection Bill Any replacement UK data protection law will probably be GDPR under a different name

5 What Does Data Protection Apply To? Personal data Anonymised data Pseudonymised data

6 Potential HR risk areas Recruitment process Employment screening Monitoring IT usage Monitoring employee use of company vehicles Article 29 Working Party Opinion Data Processing at Work Time and attendance Disclosures to third parties International transfers

7 Data Protection Fundamentals Data protection principles Article 5 Individual rights Articles 12-23

8 The 6 Data Protection Principles A B C D E F Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality Controller is responsible for complying with these and must be able to demonstrate compliance

9 Privacy Notices You need to tell people a lot more about what you do with their personal data than you did under the data protection act it s all about transparency Privacy explanations must be easy to understand: concise, transparent, intelligible and easily accessible, using clear and plain language Explain any unexpected use of your client s data by you and your sub contractors ( data processors ) The ICO has a code of practice, Privacy notices, transparency and control a code of practice on communicating privacy information to individuals

10 Privacy Notices (2) Pharmacy2U privacy notice (extract) Occasionally we make details available to companies whose products or services we think may interest our customers. If you do not wish to receive such offers please login to your account and change the setting to indicate NO for Selected company data sharing Customers mostly elderly Information sold included various medical conditions Selling 20,000 customer details to lottery company and health supplements supplier Fined 130k for unfair processing

11 Data Subject Rights There are 10 rights you need to know about Fines up to 4% annual turnover or 20m for rights failures Subject access requests need to be dealt with quicker (within one month) and free of charge Electronic data should be provided in a common format (right to data portability) Individuals can ask for personal data to be: - rectified, - deleted, - Use-restricted, and can object to its use

12 Controller/Processor Service providers (processors) will have new obligations Controllers must carry out due diligence on the processors and make sure contract in place New requirements for the content of data controller/processor contracts (see Article 28) Controllers must inform clients of non obvious data processor activities Shared responsibility for security Personal data breaches

13 Data Protection act GDPR Real Impact iris.co.uk Summary of Key Changes Data protection by design and default No formal requirement Explicit requirement A challenge to evidence compliance - Will impact project management processes

14 Data Protection act GDPR Real Impact iris.co.uk Summary of Key Changes (2) Data protection officer No statutory requirement discretionary Role not defined Statutory requirement for public authorities and some other organisations Some organisations will need to designate a data protection officer Defined role

15 Reporting Breaches Your responsibilities: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; Must be reported to Regulator no later than 72 hours from discovery if likely to result in a risk to rights and freedoms Must inform affected individuals when the breach is likely to result in a high risk to their rights and freedoms

16 Summary So Far GDPR or its equivalent under UK law is happening Huge risks for non compliance reputational and financial Great commercial benefits for getting it right Crucial to comply with the data protection principles and handle your clients rights correctly

17 What are IRIS doing? 1. Appointment of Data Protection Officer in June GDPR included on our corporate risk register 3. Governance framework 4. Documenting all current processes and data flows 5. Carrying out a detailed gap analysis 6. Conducting risk assessments

18 Our Advice Raise GDPR at board level, include it on your risk register Appoint a data protection lead consider whether you need to appoint a DPO Get training and awareness underway in your business Make sure your organisation understands what it is doing with personal data Review your privacy notices do they give enough information? Are they clear and concise? Do you need to get more information from your service providers? If you rely on consent, review your mechanisms for obtaining it and your record-keeping in that area Health-check your relationships/contracts with your service providers/data processors Ensure you have a procedure for reporting breaches and that staff know about it

19 Thank You Next: Andy Nichols The Pension Regulator Managing the Auto Enrolment Re-enrolment Journey