GDPR Webinar 4: Data Protection Impact Assessments
|
|
- Angela Bennett
- 6 years ago
- Views:
Transcription
1 Webinar 4: Data Protection Impact Assessments T-Minus 365 Days (May 25, 2017) Presenters: Peter Blenkinsop Hilary Wandall General Counsel & Chief Data Governance Officer, TRUSTe
2 May 25, 2017 May 25, We re One Year Away! Drinker Biddle Reath LLP 2
3 Overview Written DPIAs required whenever processing sensitive data and whenever automated processing results in decisions having legal effect. DPIA may evaluate an entire category of processing operations if they are sufficiently similar. DPIA must identify specific risks and describe privacy and security measures implemented to mitigate them. Mandatory consultation with data protection authority where processing poses high level of risk to data subjects that cannot be adequately mitigated. Drinker Biddle Reath LLP 3
4 What Is a DPIA? DPIA is a process to describe the processing of personal data, assess the associated privacy and security risks, and identify risk mitigation measures. Under the, DPIA must be documented in writing so as to demonstrate compliance with data protection requirements. Drinker Biddle Reath LLP 4
5 When Is a DPIA Required? (I) DPIA is required when the processing is likely to result in a high risk to data subjects. This includes (but is not limited to): Automated processing, including profiling, on which decisions are based that produce legal effects concerning the data subject or which similarly significantly impact the data subject. This includes, in particular, analyzing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles. Drinker Biddle Reath LLP 5
6 When Is a DPIA Required? (II) Processing on a large scale of sensitive categories of personal data. Sensitive categories include personal data which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, health data, data concerning sex life, and data concerning criminal convictions or offenses,. Systematic monitoring of a publicly accessible area on a large scale. Drinker Biddle Reath LLP 6
7 When Is a DPIA Required? (III) Article 29 Working Party draft guidance lists additional situations in which a DPIA may be required: Matching or combining datasets Processing of data concerning vulnerable data subjects, including whenever there is a power imbalance between controller and data subject (e.g., employees, children) Data transfers across borders outside the EU Deployment of new technology When data is processed on a large scale Any systematic monitoring of data subjects Any evaluation or scoring of data subjects where systematic or extensive Drinker Biddle Reath LLP 7
8 When Is a DPIA Required? (IV) Data protection authorities in each member state are required to publish lists of kinds of data processing operations (non-exclusive) for which DPIAs are required, as well as kinds of data processing for which DPIAs are not required. Exception to DPIA requirement is provided where processing is for performance of a task in the public interest or for compliance with a legal requirement, and such law regulates the specific processing. Single DPIA can be used to assess multiple processing operations that are similar in terms of risks presented, provided consideration is given to specific nature, scope, context, and purpose of processing. DPIA is required only for processing operations initiated on or after May 25,. But, significant change to processing operations after May 25,, can trigger requirement, even if processing originally initiated before then. Article 29 Working Party recommends that DPIAs are re-assessed every three years for ongoing or continuous processing activities. Drinker Biddle Reath LLP 8
9 Who Is Required to Conduct DPIA? Data controller is obliged to conduct the DPIA. If there are joint controllers, the respective obligations of each party should be precisely defined in advance. Controller must seek the input of the data protection officer, where DPO designated. Where data processing is conducted by a processor, processor should provide information and assistance. If controller is purchasing a new technology product, controller is obliged to carry out DPIA for its own deployment, but such DPIA would typically be informed by DPIA prepared by product provider. Drinker Biddle Reath LLP 9
10 Data Subject Input Where appropriate, controllers must seek the views of data subjects or their representatives on the intended processing. Article 29 Working Party suggests that documentation must be kept of this consultation or why it was determined unnecessary. Drinker Biddle Reath LLP 10
11 Examples of EU DPIA Frameworks Germany: Standard Data Protection Model, V.1.0 Trial version, Spain: Guía para una Evaluación de Impacto en la Protección de Datos Personales (EIPD), Agencia española de protección de datos (AGPD), mon/guias/guia_eipd.pdf France: Privacy Impact Assessment (PIA), Commission nationale de l informatique et des libertés (CNIL), UK: Conducting privacy impact assessments code of practice, Information Commissioner s Office (ICO), Drinker Biddle Reath LLP 11
12 Issues to Address in DPIA From ICO PIA Code of Practice Annex 3 Questions designed to ensure compliance with the privacy principles Lawfulness, fairness and transparency Purpose limitation Data minimization (Collection limitation) Accuracy Storage limitation (Retention) Data subject rights Security safeguards Drinker Biddle Reath LLP 12
13 Lawfulness, Fairness, Transparency From UK Code of Practice, Annex 3 Have you identified the purpose of the project? How will individuals be told about the use of their personal data? Do you need to amend your privacy notices? Have you established which conditions for processing apply? If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn? Drinker Biddle Reath LLP 13
14 Purpose Limitation From UK Code of Practice, Annex 3 Does your project plan cover all of the purposes for processing personal data? Have potential new purposes been identified as the scope of the project expands? Drinker Biddle Reath LLP 14
15 Data Minimization From UK Code of Practice, Annex 3 Is the information you are using of good enough quality for the purposes it is used for? Which personal data could you not use, without compromising the needs of the project? Drinker Biddle Reath LLP 15
16 Accuracy From UK Code of Practice, Annex 3 If you are procuring new software does it allow you to amend data when necessary? How are you ensuring that personal data obtained from individuals or other organisations is accurate? Drinker Biddle Reath LLP 16
17 Storage Limitation From UK Code of Practice, Annex 3 What retention periods are suitable for the personal data you will be processing? Are you procuring software which will allow you to delete information in line with your retention periods? Drinker Biddle Reath LLP 17
18 Data Subjects Rights From UK Code of Practice, Annex 3 Will the systems you are putting in place allow you to respond to subject access requests more easily? If the project involves marketing, have you got a procedure for individuals to opt out of their information being used for that purpose? Drinker Biddle Reath LLP 18
19 Security Safeguards From UK Code of Practice, Annex 3 Do any new systems provide protection against the security risks you have identified? What training and instructions are necessary to ensure that staff know how to operate a new system securely? Drinker Biddle Reath LLP 19
20 How to Assess Risks From CNIL PIA Methodology Severity + Likelihood = Risk Level Severity represents the magnitude of a risk. It essentially depends on the prejudicial effect of the potential impacts Likelihood represents the possibility for a risk to occur. It essentially depends on the level of vulnerabilities of the supporting assets facing threats and the level of capabilities of the risk sources to exploit them. Drinker Biddle Reath LLP 20
21 Presentation of DPIA Report From CNIL PIA Methodology Body of the PIA Define and describe the personal data concerned, their recipients and retention periods. Identify the data controller and the processors. Describe the processing(s) of personal data under consideration, its(their) purposes and stakes. Describe the personal data life cycle (from collection to erasure). Drinker Biddle Reath LLP 21
22 Presentation of DPIA Report List of legal controls Identify or determine the controls (existing or planned) selected to comply with the following legal requirements (it is necessary to explain how it is intended to implement them): purpose: specified, explicit and legitimate purpose minimization: limiting the amount of personal data to what is strictly necessary quality: preserving the quality of personal data retention periods: period needed to achieve the purposes, in the absence of another legal obligation imposing a longer retention period notice: respect for data subjects right to information consent: obtaining the consent of the data subjects or existence of another legal basis justifying the processing of personal data right to object: respect for the data subjects right of opposition right of access: respect for the data subjects right to access their data right to rectification: respect for the data subjects right to correct their data and erase them transfers: compliance with obligations relating to transfer of data outside the European Union Drinker Biddle Reath LLP 22
23 Presentation of DPIA Report List of risk-treatment controls Identify or determine the selected controls (existing or planned): organizational controls: organization, policy, risk management, project management, incident management, supervision, etc. logical security controls: anonymization, encryption, backups, data partitioning, logical access control, etc. physical security controls: physical access control, security of hardware, protection against non-human risk sources, etc. Drinker Biddle Reath LLP 23
24 Presentation of DPIA Report Risk map Risk sources Identify the relevant risk sources in the specific context under consideration Describe the capabilities of risk sources. Feared events For each feared event (illegitimate access to personal data, unwanted change of personal data, and disappearance of personal data): determine the potential impacts on the data subjects privacy if it occurred; estimate its severity, depending especially on the prejudicial effect of the potential impacts and, if applicable, controls likely to modify them; formally set out a justification of the estimation in view of the factors identified. Drinker Biddle Reath LLP 24
25 Presentation of DPIA Report Risk map Threats Identify threats to personal data supporting assets that could lead to each feared event For each identified threat: select the risk sources that could cause it; estimate its likelihood, particularly depending on the level of vulnerabilities of personal data supporting assets, the level of capabilities of the risk sources to exploit them and the controls likely to modify them; formally set out a justification of the estimation in view of the factors identified. Drinker Biddle Reath LLP 25
26 Presentation of DPIA Report Risk map Determine the risk level: its severity equals to that of the feared event concerned by the risk; its likelihood equals the highest likelihood value of the threats associated with the feared event. Present a map of all the risks depending on their level. Drinker Biddle Reath LLP 26
27 Presentation of DPIA Report Conclusion Rationale to validate the PIA Appendices Detailed description of the scope Detailed presentation of the controls Detailed description of the risks Action plan Drinker Biddle Reath LLP 27
28 Consultation with Data Protection Authorities Data controller must consult with DPA where DPIA indicates a high level of residual risk to data subjects after implementing available safeguards. Supervisory authority has 8 weeks, with a further 6 week extension available, to give an opinion on whether the risk mitigation controls are adequate. Drinker Biddle Reath LLP 28
29 TRUSTe-IAF DPIA Strategy Comprehensive DPIA / DIA / EIA Construct 2017 TRUSTe Proprietary and Confidential Information
30 TRUSTe-IAF DPIA Construct - DRAFT Part A Governance and Accountability 1. Organizational Accountability 2. Purpose 3. Data 4. Data Sources, Origins and Characteristics 5. Legal Basis of Processing Part B Risk, Impacts and Benefits 6. High Risk Processing 7. Value and Benefits of the Processing 8. Inherent Risk Assessment 9. Weighted Inherent Risk-Benefits Part C Mitigations and Safeguards 10. Data Necessity (DPbDesign/Default, Data Minimization) 11. Use, Retention and Disposal 12. Disclosure to Third Parties and Onward Transfer 13. Choice and Consent 14. Access and Individual Rights 15. Data Integrity and Quality 16. Security 17. Transparency Part D Risk Outcomes (Report) 18. Mitigations and Safeguard Effectiveness Evaluation (Scale) 19. Calculation of Residual Risk Severity and Likelihood 20. Legitimate Interests Balancing Test Outcomes 21. Where residual risks are high, consultation of DPA and data subjects TRUSTe Proprietary and Confidential Information
31 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 31 TRUSTe Inc., 2017
32 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 32 TRUSTe Inc., 2017
33 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 33 TRUSTe Inc., 2017
34 Automating the IAF-TRUSTe DPIA Privacy Insight Series v - truste.com/insightseries 34 TRUSTe Inc., 2017
35 Integrating Privacy into Enterprise Risk Management Privacy Insight Series v - truste.com/insightseries 35 TRUSTe Inc., 2017
36 Q&A Drinker Biddle Reath LLP 36
37 Schedule (11:00 a.m. 12:30 p.m. U.S. Eastern Time) Through August June 22 Determining Your Lead Data Protection Authority: We will guide you in determining your lead data protection authority and discuss options for companies whose existing structures do not allow them to take advantage of this one-stop-shop mechanism. July 27 Data Portability August 24 Consent Drinker Biddle Reath LLP 37
38 Drinker Biddle Reath LLP 38
GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop.
Webinar 1: Overview of Preparing for the T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop peter.blenkinsop@dbr.com Agenda Introduction (5 mins) Level setting: Brief overview of main provisions
More informationGDPR Webinar 9: Automated Processing & Profiling
Webinar 9: Automated Processing & Profiling T-Minus 210 Days (October 26, 2017) Presenter: Peter Blenkinsop peter.blenkinsop@dbr.com 1 Agenda for Today Brief update on status of guidance and implementation
More informationPREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER
PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER 1 What will the GDPR mean for your business/organisation? On the 25 th May 2018,
More informationGetting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations
Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations Page 1 of 22 Your business and the new data protection laws Data protection and privacy
More informationTHE PAINSLEY CATHOLIC ACADEMY. GDPR Data Protection Impact Assessment Policy
THE PAINSLEY CATHOLIC ACADEMY GDPR Data Protection Impact Assessment Policy 1 GDPR The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people s personal
More informationGeneral Personal Data Protection Policy
General Personal Data Protection Policy Contents 1. Scope, Purpose and Users...4 2. Reference Documents...4 3. Definitions...5 4. Basic Principles Regarding Personal Data Processing...6 4.1 Lawfulness,
More informationINTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT
WHAT GDPR MEANS FOR RECORDS MANAGEMENT Presented by: Sabrina Guenther Frigo Overview Background Basic Principles Scope Lawful Processing Data Subjects Rights Accountability & Governance Data Transfers
More informationb. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.
Buzescu Ca>Romanian Business Law>Romanian Data Protection Laws 12. ROMANIAN DATA PROTECTION LEGAL REGIME Updated October 2018 The relevant Romanian data protection laws are: European Regulation no. 679
More informationTimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents
Company Name: Document DP3 Topic: ( the Company ) Data Protection Policy Data Protection Date: April 2018 Version: 001 Contents Introduction Definitions Data processing under the Data Protection Laws 1.
More informationFoundation trust membership and GDPR
05 April 2018 Foundation trust membership and GDPR In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection
More informationTrinity is committed to protecting the privacy and security of personal data.
This privacy notice applies data processing activities undertaken by Trinity College for security and monitoring relating to staff, students and visitors to Trinity premises including CCTV, other security
More informationSCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools
SCHOOLS DATA PROTECTION POLICY Guidance Notes for Schools Please read this policy carefully and ensure that all spaces highlighted in the document are completed prior to publication. Please ensure that
More informationGENERAL DATA PROTECTION REGULATION Guidance Notes
GENERAL DATA PROTECTION REGULATION Guidance Notes What is the GDPR? Currently, the law on data protection requiring the handling of data which identifies people to be done in a fair way, is contained in
More informationDATA PROTECTION POLICY 2018
DATA PROTECTION POLICY 2018 Amesbury Baptist Church is committed to protecting all information that we handle about people we support and work with, and to respecting people s rights around how their information
More informationThe Society of St Stephen s House Site Security and Monitoring Privacy Notice
This privacy notice applies to data processing activities undertaken by The Society of St Stephen s House for security and monitoring relating to staff, students and visitors to College premises A summary
More informationData Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents
Company Name: Document: Topic: System People ( the Company ) Data Protection Policy Data protection Date: 28/4/2018 Version: 1 Contents Introduction Definitions Data processing under the Data Protection
More informationRSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )
RSD Technology Limited - Data protection policy: Introduction Company Name: Document DP3 Topic: RSD Technology Limited ( the Company ) Data Protection Policy Data protection Date: 25 th May 2018 Version:
More informationEU GENERAL DATA PROTECTION REGULATION
EU GENERAL DATA PROTECTION REGULATION GENERAL INFORMATION DOCUMENT This resource aims to provide a general factsheet to Asia Pacific Privacy Authorities (APPA) members, in order to understand the basic
More informationWe reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.
What is the purpose of this document? NORTHERN IRELAND SCREEN COMMISSION (Company Number NI031997) whose registered office is at 3 rd Floor Alfred House, 21 Alfred Street, Belfast, BT2 8ED is committed
More informationInformation Asset Register IAR. Guidance for Schools
Information Asset Register IAR Guidance for Schools Contents 1. Introduction... 3 2. What is an Information Asset?... 4 3. What is an Information Asset Register?... 4 4. Why Do We Need an Information Asset
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Document Control History Title Data Protection Policy Version no. 1.0 Date of publication May 2018 Author(s) Amanda Cramb, HR Manager Next review date May 2021 Page 1 Introduction
More informationNissa Consultancy Ltd Data Protection Policy
Nissa Consultancy Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments (DPIA)
More informationBrasenose College is committed to protecting the privacy and security of personal data.
This privacy notice (v1.2) applies to data processing activities undertaken by Brasenose College for security and monitoring relating to staff, students and visitors to College premises including CCTV,
More informationCHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]
CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Legal02#67236978v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Notes: We recommend that any business looking to comply with the
More informationGDPR: What Every MSP Needs to Know
Robert J. Scott GDPR: What Every MSP Needs to Know Speaker Robert J. Scott Agenda Purpose GDPR Intent & Obligations Applicability Subject-matter and objectives Material scope Territorial scope New Rights
More informationData Protection Policy
Data Protection Policy Version Date Revision Author Summary of Changes 1.0 21 st May 2018 Ashleigh Morrow EXECUTIVE STATEMENT At CASTLEREAGH NURSERY SCHOOL (the School ), we believe privacy is important.
More informationBrasenose College Data Protection Policy Statement v1.2
Brasenose College Data Protection Policy Statement v1.2 1. Introduction All documents referred to in this policy can be found online at the address below: https://www.bnc.ox.ac.uk/privacypolicies 1.1 Background
More informationData Protection Policy
Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:
More informationUK Research and Innovation (UKRI) Data Protection Policy
UK Research and Innovation (UKRI) Data Protection Policy Document Information Revision History Version Comment Date By 0.1 Draft Policy created July 2017 DH 0.2 Revision post review by information manager
More informationGetting Ready for the GDPR
Getting Ready for the GDPR Ann Cartwright Information Governance Lead Sefton Council for Voluntary Service (CVS) Registered Charity No. 1024546. Company Limited by Guarantee No. 2832920. Suite 3B, 3rd
More informationGDPR: An Evolution, Not a Revolution
GDPR: An Evolution, Not a Revolution Disclaimer This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should
More informationData Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent
Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: 4 1. Statement of Intent 1.1 Radian 1 must collect, store and process information about its customers,
More informationThe current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.
Page 2 of 10 Data Protection Policy Chief Information Officer Chief Information Officer Data Protection Officer The current version (July 2018) is derived from, and supersedes, the version published in
More informationSAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]
SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY Adopted: [17-04-2018] 1 SAFFRON WALDEN COMMUNITY CHURCH is committed to protecting all information that we handle about people we support and work
More informationAchieving Compliance with the GDPR
Achieving Compliance with the GDPR Ian Grey Information and Cyber Security consultant ian.grey@wadiff-consulting.co.uk https://www.linkedin.com/in/iangreyuk Russell McDermott Sales Engineer Russell.Mcdermott@netwrix.com
More informationSt Michael s CE Primary School Data Protection Policy
St Michael s CE Primary School Data Protection Policy We will prepare the children at St. Michael's school for life, by giving them the opportunity to fulfil their potential within a happy caring Christian
More informationEARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY
EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY Adopted: 5 June 2018 1 Earls Hall Baptist Church is committed to protecting all information that we handle about people we support and work with, and to
More informationBaptist Union of Scotland DATA PROTECTION POLICY
Baptist Union of Scotland DATA PROTECTION POLICY Adopted: May 2018 1 1.The Baptist Union of Scotland 48, Speirs Wharf, Glasgow G4 9TH (Charity Registration SC004960) is committed to protecting all information
More informationThe EU GDPR: How Can Information. Governance Policies Help? The EU GDPR:
The EU GDPR: How Can The EU GDPR: How Can Information Governance Policies Help? Information Governance Policies Help? ACC/IG Committee Webinar Jason R. Baron Peter Blenkinsop Daniel Miller Amie Taal June
More informationGDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate
More informationThe EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry
The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry 1 Contents Introduction 5 Brexit: GDPR or New UK Law? 8 The eprivacy Directive 10 The GDPR: 10 Key Areas
More informationHendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris
Hendre Infants School DATA PROTECTION POLICY Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris Data Protection Policy OBJECTIVES Administration and delivery of quality services involves processing
More informationCHANNING SCHOOL DATA PROTECTION POLICY
CHANNING SCHOOL DATA PROTECTION POLICY The School may amend/change/update this Policy from time to time. 1. Background Data protection is an important legal compliance issue for Channing School. During
More informationScottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY
Dingwall Baptist Church DATA PROTECTION POLICY Adopted: By Trustees Dingwall Baptist Church May 2018 1 Dingwall Baptist Church is committed to protecting all information that we handle about people we
More informationThis privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events
This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events A summary of what this notice explains Merton College is committed to protecting the
More informationPensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes
Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes 1 INTRODUCTION The General Data Protection Regulation (GDPR) comes into force in all EU Member States on 25.
More informationThe Data Controller for all personal data stored and processed by Horiba MIRA Ltd is:
Page 1 of 8 Owned By: Data Protection Officer Review Due: March 2020 DATA PRIVACY POLICY It is the policy of Horiba MIRA Ltd (MIRA) that it shall at all times respect the privacy of individuals by processing
More informationConducting privacy impact assessments code of practice
ICO lo Conducting privacy impact assessments code of practice Data Protection Act Contents Data Protection Act... 1 About this code... 3 Chapter 1 - Introduction to PIAs... 5 What the ICO means by PIA...
More informationGuidance and Example of a Privacy Notice Form
The General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the Data Protection Act
More informationSection a What this Policy is for Policy Statement. 2. Why this policy is important... 3
Norwich Central Baptist Church DATA PROTECTION POLICY Adopted: May.2018 Norwich Central Baptist Church (NCBC) is committed to protecting all information that we handle about people we support and work
More informationData Protection Impact Assessment Policy
Data Protection Impact Assessment Policy Version 0.1 1 VERSION CONTROL Version Date Author Reason for Change 0.1 16.07.18 Debby Jones New policy 2 EQUALITY IMPACT ASSESSMENT Section 4 of the Equality Act
More informationPreparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson
womblebonddickinson.com Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson Agenda What is the GDPR? How Could it Apply to US companies? What are a Few Key Requirements? Share common challenges
More informationCNPD Training: Data Protection Basics
CNPD Training: Data Protection Basics The obligations of controllers and processors Esch-sur-Alzette Mathilde Stenersen 7-8 February 2018 Legal service Outline 1. Introduction 2. Basic elements 3. The
More informationInformation Commissioner s Office. Consultation: GDPR DPIA guidance
Information Commissioner s Office Consultation: GDPR DPIA guidance Start date: 22 March 2018 End date: 13 April 2018 ICO GDPR guidance: Contents (for web navigation bar) At a glance About this detailed
More informationBrasenose College SCR Member Only Privacy Notice (v1.2)
Brasenose College SCR Member Only Privacy Notice (v1.2) A summary of what this notice explains Brasenose College is committed to protecting the privacy and security of personal data. This notice explains
More informationACCENTURE BINDING CORPORATE RULES ( BCR )
ACCENTURE BINDING CORPORATE RULES ( BCR ) EXECUTIVE SUMMARY INTRODUCTION Complying with data privacy laws is part of Accenture s Code of Business Ethics (COBE). In line with our COBE, we implement recognized
More informationGDPR is coming soon. Are you ready. Steven Ringelberg.
GDPR is coming soon. Are you ready. Steven Ringelberg steven@ringelberglaw.com 616 227 6403 Agenda Who am I Overview What data do you have that is covered and where is it? What rights do individual data
More informationData Protection for Landlords. David Smith Anthony Gold Solicitors
Data Protection for Landlords David Smith Anthony Gold Solicitors Why Protect Data at All? Personal data is key important in everyday life Internet allows information about people to be spread quickly
More informationRAW MARKETING DATA PROTECTION POLICY
RAW MARKETING DATA PROTECTION POLICY Introduction We take your privacy very seriously and have updated our Privacy Statement in line with the upcoming GDPR regulation. Were absolutely committed to reflecting
More informationLEICESTER HIGH SCHOOL DATA PROTECTION POLICY
LEICESTER HIGH SCHOOL DATA PROTECTION POLICY 1. Background Data protection is an important legal compliance issue for Leicester High School. During the course of the School's activities it collects, stores
More informationThe template uses the terms students / pupils to refer to the children or young people at the institution.
This document is for advice and guidance purposes only. It is anticipated that schools / colleges will use this advice alongside their own data protection policy. This document is not intended to provide
More informationGDPR readiness for start-ups, technology businesses and professional practices Martin Cassey
www.nascenta.com GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey Introduction GDPR Key Points GDPR/DPA Differences Start Up, Tech Business Professional Practice?
More informationNEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021
NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH, NORTHALLERTON (referred to in this policy as NLBC) is committed to
More informationGeneral Data Protection Regulation
General Data Protection Regulation Sofie van der Meulen Axon seminar 21 February 2018 Why and when GDPR Essentials Guidance Data Protection Officer Lead Authority Data Portability Data Protection Impact
More informationREDDISH VALE HIGH SCHOOL PRIMARY PRIVACY NOTICE
REDDISH VALE HIGH SCHOOL PRIMARY PRIVACY NOTICE Overview Reddish Vale High School is committed to ensuring that we re transparent about the ways in which we use your personal information and that we have
More informationData Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General
Data Protection Document Detail Type of Document (Stat Policy/Policy/Procedure) Policy Category of Document (Trust HR-Fin-FM-Gen/Academy) General Index reference number Approved 26/04/18 Approved by Trust
More informationP Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.
Company Name: Document DP3 Topic: Skills Direct Ltd ( the Company ) Data Protection Policy Data protection Date: 21 st May 2018 Version: Version 1 Contents Introduction Definitions Data processing under
More informationGeneral Data Protection Regulation (GDPR) Frequently Asked Questions
General Data Protection Regulation (GDPR) Frequently Asked Questions 26 March 2018 0 Contents Introduction... 3 What is GDPR?... 3 Who does the GDPR apply to?... 3 Are tax advisers data controllers or
More informationPreparing for the GDPR
Preparing for the GDPR Note: These slides and the accompanying presentation contain a general summary and are not legal advice. Niall Rooney 03/11/2017 (1) Data Protection The Right to Data Protection
More informationTourettes Action Data Protection Policy
Tourettes Action Data Protection Policy Effective date: 01/01/2018 Review date: 01/01/2020 Approved: Suzanne Dobson, CEO Tourettes Action Author: Pippa McClounan, Office Manager Tourettes Action Version
More informationPRIVACY NOTICE RNOH Trust Employees & Temporary workers
PRIVACY NOTICE RNOH Trust Employees & Temporary workers For further information about GDPR please contact: Data Protection Officer Tel: 020 3947 0419 rnoh.informationgovernance@nhs.net The Royal National
More informationGUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT
GUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT A Data Privacy Impact Assessment (DPIA) helps the University to assess the necessity and proportionality of processing personal data. A DPIA will enable the
More informationPRIVACY NOTICE FOR JOB APPLICANTS
PRIVACY NOTICE FOR JOB APPLICANTS 1. General Information 1.1 Derby County Football Club are committed to protecting the privacy and security of your personal information. 1.2 Under data protection law,
More informationGeneral Data Privacy Regulation: It s Coming Are You Ready?
General Data Privacy Regulation: It s Coming Are You Ready? Presenters Tristan North Worldwide ERC Government Affairs Adviser, Moderator William R. Tehan General Counsel, Graebel Companies, Inc. Hank A.
More informationResponsible Business Alliance. Data Privacy and GDPR Compliance Policy
Responsible Business Alliance Data Privacy and GDPR Compliance Policy 1. INTRODUCTION 1.1 As a global non-profit membership organisation, the Responsible Business Alliance ( RBA ) has a responsibility
More informationPERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR
PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR The General Data Protection Regulation ( the GDPR ) significantly increases the obligations and responsibilities of organisations and
More informationData Protection Policy
Data Protection Policy General Data Protection Regulations (GDPR) Document control Version control / history Note: This policy requires to be reviewed at least annually from the publication of the last
More informationThe (Scheme) Actuary as a Data Controller
The (Scheme) Actuary as a Data Controller Keith Webster and Ian Stevens Partners, CMS Cameron McKenna LLP June 2014 Discussion Areas New IFOA guidance Data Protection Act refresher Compliance obligations
More informationGENERAL DATA PROTECTION REGULATION (GDPR)
GENERAL DATA PROTECTION REGULATION (GDPR) GUIDANCE FOR THE ONLINE GAMBLING INDUSTRY Guidance is to help licensed online gambling operators to comply with their obligations under GDPR www.rga.eu.com GENERAL
More informationDepending on the circumstances, we may collect, store, and use the following categories of personal information about you:
Ignata Group Data Protection / Privacy Notice What is the purpose of this document? Ignata is committed to protecting the privacy and security of your personal information. This privacy notice describes
More informationHow employers should comply with GDPR
02 Mind your business Prepare for GDPR How employers should comply with GDPR Recommendations for employer compliance with GDPR The scope of the impact of the GDPR cannot be overstated. The GDPR will impact
More informationOur position. AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA)
AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA) AmCham EU speaks for American companies committed to Europe on trade, investment and competitiveness issues.
More informationGDPR & SMART PIA. Wageningen University Feb 2017
GDPR & SMART PIA Wageningen University Feb 2017 Tips for Action: Anticipate on the new EU General Data Protection Regulation (GDPR) to determine the privacy standards GDPR has been adopted by EU Parliament
More informationRecruitment Privacy Notice France
Recruitment Privacy Notice France Updated: June 18, 2018 Recruitment Privacy Notice About The Firm And This Recruitment Privacy Notice Cleary Gottlieb Steen & Hamilton LLP (the Firm ), a limited liability
More informationThe Privacy Battlefield What does the GDPR Require?
The Privacy Battlefield What does the GDPR Require? 17:00 CET 9:00am PT 12:00pm ET Mike Small CEng, FBCS, CITP Senior Analyst Kuppinger Cole Mike.Small@kuppingercole.com Agenda Mike Small KuppingerCole
More informationPersonal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR
PRINCIPLES OF PERSONAL DATA PROTECTION In these Principles of Personal Data Protection we inform the subjects of data whose personal data we process about all our activities regarding processing and principles
More informationJob applicant privacy notice (compliant with the General Data Protection Regulations (GDPR)
Job applicant privacy notice (compliant with the General Data Protection Regulations (GDPR) The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed
More informationGeneral Data Protection Regulation
General Data Protection Regulation Draft Privacy Notice for employees November 2017 www.uk.coop/gdprtoolkit This is a draft document which provides a widely drafted privacy notice to allow data to be processed
More informationGDPR for whom it may concern
GDPR for whom it may concern Margarita Dubovik 12-Oct-17 GENERAL REGULATION - BACKGROUND GDPR will replace national data protection laws of all 28 EU member states in May GDPR also has international reach
More information//DATA INNOVATION FOR DEVELOPMENT GUIDE DATA INNOVATION RISK ASSESSMENT TOOL
CHECKLIST Rationale for the checklist: Large-scale social or behavioural data may not always contain directly identifiable personal data and/or may be derived from public sources. Nevertheless, its use
More informationGDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO
GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO 1 Consent Things you need to know about consent and the processing of employees data The EU General Data Protection Regulation
More informationTraining Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak
PROFESSIONAL INDEPENDENT ADVISERS LTD DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Training Manual Data Protection Officer is Mike Bandurak GDPR introduction
More informationVendor Agreements and the New EU GDPR Steps to Take Now
Presenting a live 90-minute webinar with interactive Q&A Vendor Agreements and the New EU GDPR Steps to Take Now Complying With the EU General Data Protection and Privacy Regulation TUESDAY, JANUARY 30,
More informationSearch Consultancy Limited Privacy Notice
Search Consultancy Limited Privacy Notice Search Consultancy Limited and Search Consultancy Group Limited (hereinafter the Company ) is a recruitment business which provides work-finding services to its
More information1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction
Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have
More informationGeneral Data Protection Regulation (GDPR) A brief guide
General Data Protection Regulation (GDPR) A brief guide Document compiled by: Terence Clark & Dr. Nathan Matthews June 2017 Acknowledgements This document contains material from the Information Commissioner
More informationLIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018
LIFE STYLE CARE PLC Privacy Statement for Employees August 2018 Key points Why we use your personal data: We typically use your personal information for purposes related to your employment relationship
More informationNOT PROTECTIVELY MARKED
Meeting Audit Committee Public Session Date and Time Location Pacific Quay, Glasgow Title of Paper General Data Protection Regulation (GDPR) SPA Preparedness Item Number 9.4 Presented By Catherine Topley
More informationAgenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance
Agenda What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance What is the GDPR? The General Data Protection Regulation(GDPR) is a European-wide regulation
More informationProject Title. Project Number. Privacy Impact Assessment
Project Title Project Number Privacy Impact Assessment This document is classified as Official and is disclosable under the terms of the Freedom of Information Act. No part of the report should be disseminated
More information