GDPR Impacts on Digital Transformation


5 Is this another millennium bug?
GDPR compliance will be an ongoing journey. Unlike planning for the Y2K deadline, GDPR preparation doesn't end on 25 May 2018; it requires ongoing effort.

The fines are huge and will be applied straight away?
There will be no grace period; there have been two years to prepare and we will be regulating from this date. But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.

6 GDPR Quiz
Run it yourself in your organisation. You need a PC to run it and phones to answer.
Play against the ghosts of people at the event. Go here to run it.
Use the software: it works and it's free, just like the Engage Process trial.
Kahoot.it - your kids probably are doing it!

7 Evolving legislation/guidance
Case law will be the true test.

8 Overview - Role of SMT/SLT/SMB and the DPO
Appoint a DPO if you are a public authority (so yes, us!)
Ensure the DPO reports to the highest level of management
Ensure the DPO operates independently and is not a scapegoat (dismissed or penalised for doing their job)
Ensure adequate resources are provided to enable DPOs to meet GDPR obligations
Is the DPO responsible for GDPR compliance in your organisation?

Role of the DPO
To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

9 Overview - Role of Controllers and Processors
The GDPR applies to controllers and processors.

A controller determines the purposes and means of processing personal data. E.g. service managers.
Controllers need to set the standards under which processors process
Controllers need to ensure data collected is appropriate
Controllers need to identify risks
Controllers need to ensure appropriate measures are in place
Controllers need to safeguard individuals' rights
Controllers need to draft guidelines for processors

A processor is responsible for processing personal data on behalf of a controller. E.g. outsourced ICT, cloud software providers, outsourced/shared services.
Processors process personal data in accordance with the guidelines of the controller.

10 Overview - GDPR Principles
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

11 Overview - Types of data

Personal data
The GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data
The GDPR refers to sensitive personal data as "special categories of personal data" (see Article 9). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing (see Article 10).

Criminal convictions
To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10. The Data Protection Bill deals with this type of data in a similar way to special category data, and sets out specific conditions providing lawful authority for processing it.

12 Overview - What is personal data?

13 Overview - Individuals' rights
The GDPR provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

14 Overview - Lawful Basis for Processing
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

15 Digital Transformation Impacts
Awareness/training: ensure all staff are aware of and trained in GDPR
Document the data you hold: where, why, for how long, and whether it is proportionate/appropriate
Consider an information audit for higher risk areas identified
Identify the lawful basis for processing personal data
Review consent procedures
Update policies and contracts to reflect GDPR enhancements
Update privacy notices (fair processing information)

16 Digital Transformation Impacts - Fair processing information
What information must be supplied?
The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply is determined by whether or not you obtained the personal data directly from individuals.
The information you supply about the processing of personal data must be:
concise, transparent, intelligible and easily accessible;
written in clear and plain language, particularly if addressed to a child; and
free of charge.

17 Digital Transformation Impacts - Fair processing information

18 Digital Transformation Impacts - Fair processing information

19 Digital Transformation Impacts
Awareness/training: ensure all staff are aware of and trained in GDPR
Document the data you hold: where, why, for how long, and whether it is proportionate/appropriate
Consider an information audit for higher risk areas identified
Identify the lawful basis for processing personal data
Review consent procedures
Update policies to reflect GDPR enhancements
Update privacy notices and contracts
Implement new Subject Access Request processes and consider the potential increase in demand
Update the data breach process
Implement data protection by design and default
DPIA processes: a DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
where a new technology is being deployed
where a profiling operation is likely to significantly affect individuals
where there is processing on a large scale of the special categories of data

20 GDPR options for our customers
GDPR processes and links to ICO emerging requirements/guidance
GDPR Data Audit Capability using existing functionality

21 It's not all bad, in fact it's quite good
We should be doing most of this already under the DPA, but GDPR highlights it and makes exposing the problems free
Understanding our data, and where it is, is not a bad thing
Good data management can have positive benefits: risk avoidance; reputational protection; good data governance; organisational change/awareness; process knowledge; and tangible savings opportunities identified
Understanding and documenting our processes avoids additional risks and identifies opportunities
Doing the above is the first step to doing digital transformation right
If we understand our requirements better we can buy better solutions
Who doesn't want their personal data to be better looked after?
It is easy to cite the 4% of global turnover or 20m fines; clearly, if you read the ICO blogs, they are not going to jump in and fine the maximum. In fact they highlight that they have never yet used the maximum allowed under data protection law.
Compliance should and can deliver positive outcomes.

22 GDPR Resources
GDPR Threat or Opportunity Blog
ICO 12 steps to take now - GDPR
ICO Getting ready for GDPR checklist
ICO What's New: latest updates from ICO on guidance
ICO GDPR Guide
ICO Consent

23 Trying to convince people to change?

24 Lean and Agile Projects

25 Missed Bins As Is

28 Missed Bins To Be v1

29 Missed Bins v2 In Cab

30 Missed Bins - an evolution
Original missed bins process
Missed bins To Be v1: online form
Missed bins To Be v2: in Cab
Future state evaluations (v3, v4, v5?): proactive notifications, bin alerts and removing/reducing override

Version                     | No. per annum | Cost per process | Total Cost
As Is                       |               |                  |
To Be v1 web form           |               |                  |
To Be v2 in cab connected   |               |                  |

Digital does not reduce costs alone: latent demand
Non missed bins made up 66% of original reports
Elastic band process creep

31 UK early adopters

32

34 You can thank Nick Hill (digitaltransform.org.uk) for talking us into the network offer!
Wales Partnership Offer
10% to all if 5 sign up to the suite in Wales as new customers (or commit to it; we won't penalise on the P2P process) by the end of March 2018
Un-cashable benefits
Additional support from us
Shared (free) follow ups
Shared training
Wales user group and event
Potential to translate?
Opportunity to start collaborating? Get ahead of English LAs!
Join Rhondda, Carmarthenshire and Sport Wales, already seeing the benefits and starting the culture change process

35 Andrew Sandford, Director, We are Lean and Agile