Brexit and the Future of Data Protection


Slide 1: Brexit and the Future of Data Protection
Max Todd, Information Compliance Team, Council Secretariat
Tuesday 27 September 2016

Slide 2: General Data Protection Regulation (GDPR)
- Applies throughout the EU from 25 May 2018
- No need for national legislation
- Aim is to update and harmonise DP legislation
- Imposes tougher requirements, e.g. governance, accountability, rights of individuals, data breach notification, higher fines

Slide 3: Brexit and GDPR
- GDPR likely to take effect before Brexit
- If the UK is a member of the European Free Trade Association (EFTA)/European Economic Area (EEA), GDPR will apply
- Otherwise, the UK amends the DPA in line with GDPR to ensure the UK is treated as adequate for the purpose of data transfers from the EU
- GDPR applies to bodies outside the EU that offer goods and services to EU citizens, i.e. GDPR will apply to EU students

Slide 4: GDPR Overlap with DPA
- Must be open and transparent (privacy notices)
- Must have a legitimate basis for processing data, e.g. consent, contract
- Must not re-use data for incompatible purposes
- Must collect the minimum data necessary
- Must not keep data longer than necessary
- Must keep data secure
- Must ensure data is accurate

Slide 5: Key Changes - Governance
- Privacy by design and default
- Pseudonymisation: more relaxed rules for pseudonymised data
- Privacy Impact Assessments (PIAs) for high-risk processing, particularly processing using new technologies, e.g. large-scale processing of sensitive data

Slide 6: Key Changes - Accountability
- New requirement to demonstrate compliance
- Keep records of processing activities, including data categories, data subjects, purposes, recipients, international transfers and legal basis for processing
- Records of data breaches, irrespective of whether they are reported to the regulator (ICO)
- Onus on the controller to prove consent

Slide 7: Key Changes - Transparency
- Additional information in privacy notices:
  - Legal basis for processing
  - Retention periods, or the criteria used for determining retention periods
  - Data transfers outside the EEA
  - Rights of individuals
- In a concise and easily accessible form, using clear and plain language

Slide 8: Key Changes - Consent
- Must involve a clear affirmative act, and cannot be inferred from silence, pre-ticked boxes or inactivity, i.e. no more opt-outs
- Must involve a genuine and free choice: providing a service cannot be conditional on consent if the processing is not necessary for the service
- Consent will not be valid if there is a clear imbalance between the data subject and the data controller, particularly if the controller is a public authority

Slide 9: Key Changes - Rights
- Strengthens existing rights and grants new rights
- Right to erasure of data ("right to be forgotten")
- Right to erasure applies if:
  - the individual withdraws consent for processing and there is no other justification for the processing; or
  - the data is no longer needed for the purposes for which it was collected or otherwise processed; or
  - the processing is otherwise unlawful

Slide 10: Key Changes - Breach notification
- Must notify the ICO of any breach within 72 hours if it poses a risk to the rights of individuals
- Must notify the people affected without undue delay if the breach poses a high risk to the rights of individuals
- No need to notify data subjects if the data was encrypted or if notification would require disproportionate effort
- Must keep a register of breaches, irrespective of whether they are reported to the ICO

Slide 11: Preparing for the future
- Despite uncertainty, doing nothing is not an option
- Document what data is held, who it is held about, the purposes for which it is processed and the legal basis for processing
- Assess compliance with the existing DPA
- Assess compliance with ICO Codes of Practice and other guidance
- Identify further changes needed for compliance with possible new requirements

Slide 12: What should you do?
- New University Guidance on DPA: ion/policy
- Prepare information asset registers
- If processing data on the basis of consent, review compliance with existing requirements, i.e. consent must be informed, freely given and communicated by positive action (lack of opt-out is not enough)
- Review retention practices against existing guidance

Slide 13: QUESTIONS?