General Data Protection Regulation (GDPR)

1. Background

The GDPR will apply in the UK from 25 May 2018 and when it comes into force will replace the current data protection legislation, including the UK's Data Protection Act 1998 (DPA). The government has confirmed that the UK's decision to leave the EU will not affect the implementation of the GDPR. The text has now been finalised and the Information Commissioner's Office (ICO) is providing guidance to firms throughout 2017 to enable them to comply from May 2018. Much of the current DPA regulation will remain; however, the GDPR enhances some of the regulation and brings in new regulation. These are set out in the sections below.

2. Data Controllers and Data Processors

The GDPR applies to controllers and processors. The definitions are broadly the same as under the DPA, i.e. the controller says how and why personal data is processed and the processor acts on the controller's behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour within the EU. The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

3. Principles

The data protection principles, as set out in the DPA, remain but they have been condensed into six as opposed to eight principles. Article 5 of the GDPR states that personal data must be:

1. Processed fairly, lawfully and in a transparent manner in relation to the data subject.

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6. Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Firms will need to review data retention processes, including electronic data. The ICO has yet to provide full guidance on retention of data records. Once full guidance has been provided, firms will need to review online data retention. Changes may need to be made so that, once the retention period has expired, only base data is kept which cannot be used to identify a customer.

Consent

Like the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. Consent can be given by a written (including electronic) or oral statement. This could include the data subject ticking a box when visiting a website, choosing technical settings for social network accounts, or any other statement or conduct which clearly indicates their acceptance of the proposed processing of personal data. Silence, pre-ticked boxes or inactivity will no longer constitute consent.

There will need to be a change regarding marketing preferences. Marketing preferences will need to be opt-in boxes rather than opt-out, and it is likely they will need to be made separate for email, social media, post, phone and text.
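The consent requirements above (demonstrable, per purpose, affirmative act only, separate opt-in per marketing channel, withdrawable) translate into a concrete record-keeping design. The following is an added example written for this briefing, not code from Branko Ltd or the ICO. The purpose name "marketing", the five channel names, the capture-method labels, the ConsentEvent fields and the NOTICE_DATE constant are all illustrative assumptions; it shows what a firm needs to store to be able to show later that a given marketing contact was consented to, and why an old opt-out list cannot simply be carried over.

```python
"""Per-channel, demonstrable opt-in consent ledger (added example; assumptions
are marked below, and none of this is code from Branko Ltd or the ICO)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Assumed channel names, matching the five the briefing expects to be separated.
CHANNELS = ("email", "social_media", "post", "phone", "text")

# Assumed capture-method labels. Only an affirmative act counts as consent;
# silence, a pre-ticked box, inactivity, or a DPA-era opt-out default carried
# over from an old marketing list, never does.
AFFIRMATIVE_METHODS = {"ticked_box", "written_statement", "oral_statement", "account_setting"}
NON_CONSENT_METHODS = {"pre_ticked_box", "silence", "inactivity", "legacy_opt_out_default"}

# Illustrative date of the privacy notice the sample events refer to.
NOTICE_DATE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # e.g. "marketing"; consent is per purpose
    channel: str            # one of CHANNELS; consent is per channel
    granted: bool           # True = given, False = refused or withdrawn
    method: str             # how the indication was captured (see sets above)
    notice_version: str     # wording shown to the subject, so "informed" can be evidenced
    at: datetime            # timezone-aware capture time


def validate(event: ConsentEvent) -> ConsentEvent:
    """Reject events the ledger could not later defend to the ICO."""
    if event.channel not in CHANNELS:
        raise ValueError(f"unknown channel {event.channel!r}")
    if event.method not in AFFIRMATIVE_METHODS | NON_CONSENT_METHODS:
        raise ValueError(f"unknown capture method {event.method!r}")
    if event.at.tzinfo is None:
        raise ValueError("capture time must be timezone-aware")
    return event


def events_from_form(subject_id: str, form: dict, notice_version: str,
                     at: datetime) -> List[ConsentEvent]:
    """Turn a submitted preferences form into consent events.

    Every channel is its own box, unticked by default. An unticked or absent
    box produces no event at all: the absence of a tick is not an opt-in, and
    we do not fabricate an opt-out either.
    """
    events = []
    for channel in CHANNELS:
        if form.get(channel) in (True, "on"):   # "on" is what HTML checkboxes submit
            events.append(validate(ConsentEvent(subject_id, "marketing", channel,
                                                True, "ticked_box", notice_version, at)))
    return events


def effective_consent(events: Iterable[ConsentEvent], subject_id: str,
                      purpose: str, channel: str) -> Optional[ConsentEvent]:
    """Latest event that counts for (subject, purpose, channel), or None.

    A grant counts only if it was captured by an affirmative act; a refusal or
    withdrawal is honoured however it was captured. Non-consent grants stay in
    the ledger for audit but are ignored here, and a later withdrawal wins
    over an earlier grant.
    """
    relevant = [e for e in events
                if e.subject_id == subject_id and e.purpose == purpose
                and e.channel == channel
                and (not e.granted or e.method in AFFIRMATIVE_METHODS)]
    return max(relevant, key=lambda e: e.at) if relevant else None


def may_contact(events: Iterable[ConsentEvent], subject_id: str,
                purpose: str, channel: str) -> bool:
    """The check a marketing send must make, per channel, before sending."""
    current = effective_consent(events, subject_id, purpose, channel)
    return current is not None and current.granted


def evidence(events: Iterable[ConsentEvent], subject_id: str,
             purpose: str, channel: str) -> Optional[dict]:
    """What you would show the ICO for a contested contact: who, what wording,
    how it was given and when."""
    current = effective_consent(events, subject_id, purpose, channel)
    if current is None:
        return None
    return {"granted": current.granted, "method": current.method,
            "notice_version": current.notice_version, "at": current.at.isoformat()}
```

The ledger is append-only: withdrawals and refusals are new events, so the history that demonstrates consent at the time of each contact is never lost.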
Children

The preamble to the GDPR states: "Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child."

Article 8 requires that where the personal data of a child under 16 is being processed to provide information society services (for example, online businesses, social networking sites, etc.), consent must be given or authorised by the holder of parental responsibility for the child. Member states are allowed to lower this threshold where appropriate, but not below the age of 13, which the UK is likely to do. Firms need to review whether this applies to them.

4. Data Subjects' Rights

The list of rights that a data subject can exercise has been widened by Chapter III of the GDPR. The GDPR provides the following rights for individuals:

1. The right to be informed;
2. The right of access;
3. The right to rectification;
4. The right to erasure;
5. The right to restrict processing;
6. The right to data portability;
7. The right to object;
8. Rights in relation to automated decision making and profiling.

The subject access right, rectification and being able to object to direct marketing remain. The right to have personal data processed for restricted purposes and the right to transfer data/have it transferred to another data controller (data portability) are new rights.

In addition, Article 17 introduces a right to be forgotten, which means data subjects will be able to request that their personal data is erased by the data controller and no longer processed. This will be where the data is no longer necessary in relation to the purposes for which it is processed, where data subjects have withdrawn their consent, where they object to the processing of their data, or where the processing does not comply with the GDPR. However, the further retention of such data will be lawful in some cases where it is necessary for compliance with a legal obligation, for reasons of public interest in the area of public health, or for the exercise or defence of legal claims.

To strengthen the right to be forgotten online, the GDPR requires that a data controller who has made the personal data public should inform other data controllers which are processing the data to erase any links to, or copies or replications of, that data. Firms will need to review processes to ensure that they are able to delete data where the customer requests it, and to meet the requirement where data has been shared or made public.

5. Accountability and Governance

The GDPR includes provisions that promote accountability and governance. These complement the GDPR's transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR's emphasis elevates their significance.

You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.

Accountability Principle

The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Firms must:

- Implement appropriate technical and organisational measures that ensure and demonstrate that they comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include: data minimisation; pseudonymisation; transparency; allowing individuals to monitor processing; and creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.

Records of processing activities (documentation)

As well as your obligation to provide comprehensive, clear and transparent privacy information, if your organisation has 250 or more employees you must maintain additional internal records of your processing activities. If your organisation has fewer than 250 employees you are still required to maintain records of activities related to higher-risk processing, such as: processing that is likely to result in a risk to the rights and freedoms of individuals; processing that is not occasional; or processing of special categories of data or of criminal convictions and offences.
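Two of the measures above, data minimisation and pseudonymisation, are also what the retention paragraph in section 3 asks for: once a record has passed its retention period, only base data that cannot identify the customer should remain. The following is an added example written for this briefing, not code from Branko Ltd or the ICO. The customer record fields, the six-year retention period after policy end, the AS_OF review date and the sample records are constructed and illustrative; the choice of HMAC-SHA256 with a separately held key as the pseudonymisation function is the author's assumption of good practice, not something the briefing prescribes.

```python
"""Keyed pseudonymisation with key separation, plus a retention sweep that
reduces expired records to non-identifying base data (added example; field
names, retention period and dates are illustrative assumptions)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import List, Optional

IDENTIFYING_FIELDS = ("policy_no", "name", "email", "postcode")   # assumed schema
BASE_FIELDS = ("product", "premium", "policy_end")                # kept after retention
RETENTION_AFTER_POLICY_END = timedelta(days=6 * 365)              # illustrative period
AS_OF = date(2023, 6, 1)                                          # illustrative review date

# Constructed sample records; not real people or policies.
SAMPLE_RECORDS = [
    {"policy_no": "P-1001", "name": "A. Customer", "email": "A.Customer@example.org",
     "postcode": "TN25 6NX", "product": "motor", "premium": 412.50,
     "policy_end": date(2016, 3, 1)},
    {"policy_no": "P-1002", "name": "B. Customer", "email": "b.customer@example.org",
     "postcode": "CF72 8QZ", "product": "home", "premium": 233.10,
     "policy_end": date(2020, 1, 1)},
]


class PseudonymKeyStore:
    """Holds the secret key apart from the pseudonymised records.

    Under GDPR Article 4(5), pseudonymised data can be attributed to a person
    only with 'additional information' that is kept separately. Here that
    information is the HMAC key: while it exists the pseudonyms are still
    personal data; destroy it and they can no longer be linked back.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, identifier: str) -> str:
        # HMAC rather than a bare hash: SHA-256 of an email address or policy
        # number is reversed trivially by hashing a list of candidates.
        if not self._key:
            raise RuntimeError("pseudonymisation key has been destroyed")
        canonical = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:32]

    def destroy(self) -> None:
        """Irreversibly drop the key: the step that turns pseudonymous into anonymous."""
        self._key = b""


def retention_expired(record: dict, as_of: date = AS_OF) -> bool:
    """True once the identifying fields are no longer necessary (Article 5(1)(e))."""
    return record["policy_end"] + RETENTION_AFTER_POLICY_END < as_of


def to_base_data(record: dict, keys: PseudonymKeyStore) -> dict:
    """Strip every identifying field, keeping base data and a keyed pseudonym so
    rows about the same policy remain linkable for analytics."""
    base = {field: record[field] for field in BASE_FIELDS}
    base["subject_ref"] = keys.pseudonym(record["policy_no"])
    assert not any(field in base for field in IDENTIFYING_FIELDS)
    return base


def retention_sweep(records: List[dict], keys: PseudonymKeyStore,
                    as_of: date = AS_OF) -> List[dict]:
    """Return the records in order: those still within retention untouched,
    those past it reduced to base data."""
    return [to_base_data(r, keys) if retention_expired(r, as_of) else r
            for r in records]


def identified_count(records: List[dict]) -> int:
    """How many records still carry direct identifiers (a useful audit metric)."""
    return sum(1 for r in records if any(field in r for field in IDENTIFYING_FIELDS))
```

Run the sweep on a schedule against the live store and keep the key store on a separate system with its own access control; a later decision to anonymise the historical data then needs only the key to be destroyed, not the records to be rewritten again.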

Records that need to be kept

You must maintain internal records of processing activities. You must record the following information (there are some similarities with the registrable particulars under the DPA which must be notified to the ICO):

- Name and details of your organisation (and, where applicable, of other controllers, your representative and data protection officer);
- Purposes of the processing;
- Description of the categories of individuals and categories of personal data;
- Categories of recipients of personal data;
- Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
- Retention schedules;
- Description of technical and organisational security measures.

You may be required to make these records available to the relevant supervisory authority for the purposes of an investigation.

Data protection by design

Organisations will be expected to include data protection controls at the design stage of new projects involving the processing of personal data. Where they wish to process personal data that poses potentially high risks they will have to, prior to the processing, carry out a data protection impact assessment. Data protection impact assessments (DPIAs), also known as privacy impact assessments (PIAs), are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. While not a legal requirement under the DPA, the ICO has promoted the use of DPIAs as an integral part of taking a privacy by design approach.

Data protection officer

Section 4 of Chapter IV of the regulation introduces a statutory role of data protection officer (DPO). Data controllers and data processors alike must appoint a DPO where the organisation is a public authority, or where its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data or of data relating to criminal convictions; many other organisations handling personal data will choose to appoint one. The DPO has a key role in ensuring compliance with the GDPR. A group of undertakings may appoint a single DPO provided that s/he is easily accessible. Public bodies may also have a single DPO for several such authorities or bodies, taking account of their organisational structure and size.

The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 39. These are:

- to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the GDPR;
- to monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to co-operate with the supervisory authority (the ICO); and
- to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Codes of conduct and certification mechanisms

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply. The specific needs of micro, small and medium-sized enterprises must be taken into account. Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.

Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:

- improve transparency and accountability, enabling individuals to distinguish the organisations that meet the requirements of the law and that they can trust with their personal data;
- provide mitigation against enforcement action; and
- improve standards by establishing best practice.

When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms. Review current processes to ensure that they meet GDPR requirements.

6. Security Breaches

Under the current DPA, even in the most serious data breaches, there is no general requirement to inform the ICO. Article 33 of the GDPR requires that, as soon as the organisation becomes aware that a personal data breach has occurred, it should, without undue delay and, where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the ICO, unless the organisation is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification to the ICO, and information may be provided in phases without undue further delay.

Furthermore, under Article 34 data subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms, to allow them to take the necessary precautions. This notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. This should be done as soon as reasonably feasible, in close co-operation with the ICO and respecting guidance provided by it or other relevant authorities (for example, law enforcement authorities). Firms will need to review current data breach processes to assess when a notification to the ICO is required. There will need to be a process in place to make the notification within the 72-hour deadline.

7. Transfers of Data

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

8. Fines

Currently, the ICO can issue a monetary penalty notice of up to £500,000 for serious breaches of the DPA. The GDPR introduces much higher fines. For some breaches of the GDPR, organisations can receive a fine of up to €20m or 4% of global annual turnover for the preceding year (for undertakings), whichever is higher. For other breaches (for example, failing to keep records or to comply with security obligations) the fine can be up to €10m or 2% of global annual turnover (for undertakings), whichever is higher.

Branko Ltd provides general insurance FCA compliance consultancy, support services, general management consultancy and project management. For FCA work all advice given is based upon our current understanding of the regulations and the regulator's normal practice as at the date of any report or recommendations. As regulation is a dynamic process, any advice given must be reviewed from time to time to ensure that it remains appropriate and up to date. Current hot topics include evaluation of Conduct Risk, implementation of the Insurance Distribution Directive and effective complaints management. Please contact us to discuss your own individual needs.