Getting Ready for the GDPR

Similar documents
Guidance on the General Data Protection Regulation: (1) Getting started

A Parish Guide to the General Data Protection Regulation (GDPR)

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

EU General Data Protection Regulation (GDPR)

The Sage quick start guide for businesses

Preparing for the General Data Protection Regulation (GDPR)

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

The General Data Protection Regulation: What does it mean for you?

ARTICLE 29 DATA PROTECTION WORKING PARTY

WSGR Getting Ready for the GDPR Series

GDPR Compliance Checklist

EU GENERAL DATA PROTECTION REGULATION

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

Data Flow Mapping and the EU GDPR

AmCham s HR Committee s

Data Protection Policy

GDPR Webinar 4: Data Protection Impact Assessments

Regulates the way data controllers process personal data

GDPR. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

The (Scheme) Actuary as a Data Controller

New General Data Protection Regulation - an introduction

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

General Data Privacy Regulation: It s Coming Are You Ready?

What is GDPR and Should You Care?

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications

Data Protection Policy

This document is a how to guide, for website admins. It lists the steps that I think you need to take to support the GDPR.

Data Protection Policy

Data protection (GDPR) policy

Data Protection. Policy

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

EU General Data Protection Regulation (GDPR) Tieto s approach and implementation

St Mark s Church of England Academy Data Protection Policy

Contents. Introduction 1. Territorial scope 3. Supervisory authority 4. Data governance and accountability 5. Export of personal data 14

EU data protection reform

Data Protection Policy

Conducting privacy impact assessments code of practice

Data Protection Policy and General Data Protection Regulations (GDPR)

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

Conducting privacy impact assessments code of practice

The Top 10 Operational Impacts of the EU s General Data Protection Regulation

b2bmarketing.net Getting to grips with the GDPR: A B2B marketer s guide

General Optical Council. Data Protection Policy

Data Protection Policy & Procedures

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

Information Governance Policy

The EU General Data Protection Regulation

General Data Protection Regulation (GDPR) Meeting the new requirements

Privacy governance survey. The state of privacy management in Belgian organisations

Guideline Leaflet L13: Data Protection

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

Rexel Shredding. Why a paper security policy is integral to GDPR compliance.

Data Protection Audit Self-assessment toolkit

GDPR - HOW IS INDUSTRY ADDRESSING THE LEGISLATION

Humber Information Sharing Charter

GDPR A Catalyst to Drive Real Action around Privacy and Security

The New EU General Data Protection Regulation and its Consequences for IT Operations and Governance

Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

Information Governance Policy

Organisational Readiness for the European Union General Data Protection Regulation (GDPR)

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

Information Governance Strategic Management Framework

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

General Data Protection Regulation and Episerver Learn how to leverage your organization s data to support GDPR compliance.

Preparing for GDPR 27th September, Reykjavik

DATA PROTECTION POLICY

Information Governance Strategic Management Framework

ARTICLE 29 Data Protection Working Party

DATA PROTECTION POLICY

Privacy Policy PURPOSE SCOPE POLICY. Data Collection

Discussion Paper on innovative uses of consumer data by financial institutions

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Webinar: Deep Dive into the Role of the DPO under the GDPR

GDPR: Is it just another strict regulation or a great opportunity for operational excellence?

General Data Protection Regulation

guide to the General Data Protection Regulation

Data Protection Act Policy And Operational Procedures For the Trust, Its Academies, And Essa Nursery

Data Protection Policy

New model of governance and accountability of data protection by Union institutions and bodies

Prince Edward Island

The One Stop Shop Working in Practice

Automotive Retailing & Distribution - International. Dealer IT, Internet & Business Processes. Briefing No March

PRIVACY IMPACT ASSESSMENT (PIA) TEMPLATE

SME guide to the personal data protection act 2012

Compliance with South African POPI Acts

OFFICE OF THE DATA PROTECTION COMMISSIONER. Official Languages Act Language Scheme

Preparing for the GDPR: Attaining and Demonstrating Compliance

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

General comments on GDPR

Guidelines on the management body of market operators and data reporting services providers

The Essential Guide to the Public Sector Equality Duty

Quick guide to the employment practices code

Transcription:

Getting Ready for the GDPR Ann Cartwright Information Governance Lead Sefton Council for Voluntary Service (CVS) Registered Charity No. 1024546. Company Limited by Guarantee No. 2832920. Suite 3B, 3rd Floor, North Wing, Burlington House, Crosby Road North, Waterloo, L22 0LG Tel: (0151) 920 0726 Email: mail@seftoncvs.org.uk

What is the GDPR? The General Data Protection Regulation (GDPR) is new European legislation, replacing the existing European Directive 95/46/EC. Despite Brexit, GDPR will apply in the UK from 25 May 2018. Overview Same basic principles as current DP law, but strengthened Accountability New rights for individuals, and strengthening of existing rights Breach reporting Data Protection Impact Assessments Higher penalties for non-compliance 2

GDPR / Data Protection Compliance The Information Commissioners Office (ICO) will be the supervisory authority in the UK; responsible for enforcing compliance with the GDPR alongside existing data protection legislation. The ICO has issued 13 monetary penalties to the Charity & Voluntary Sector during 2016/17; with combined fines totalling 181,000. This is only likely to increase with the introduction of more rules and stiffer penalties! In order to ensure compliance and avoid potential issues and/or fines, organisations will need to review their current practice and implement new processes where required. 3

Minimise the risk Assess the risk what personal data do you process, and how? Policies Responsibilities Training and awareness 4

Where should I start? Initially you will need to make sure that your governing body and management team are aware of the requirements and impact of GDPR. Responsibility for Data Protection should be assigned to a responsible officer. Next, you will need to know what personal information your organisation holds An Information Audit will provide an overview of the data held, how it is collected, where it is stored, who has access and how it is shared. The Sefton CVS website has an Information Audit Template for you to download and populate. 5

Legal Basis for Processing As part of the Information Audit you should document the legal basis for processing any personal information held. Generally for the charity sector a) Consent, or f) Legitimate Interests will cover personal information collected in order to provide the data subject with a service; with Legitimate Interests potentially the simpler approach under GDPR. Where relying on legitimate interests as the legal basis, you must balance your interests against that of the data subject (balancing test) and demonstrate that the processing is necessary to achieve the purpose (necessity test). However, when SENSITIVE (SPECIAL CATEGORY) PERSONAL DATA is SHARED the individual must provide explicit informed CONSENT to this processing. 6

Review of Consent Processes When your Information Audit is complete and you have identified where you will rely on Consent as the legal basis for processing, you will need to review how you are Collecting Consent; considering the following: Fair Processing Notices (FPNs) under GDPR, FPNs must be clear and use plain language; spelling out why you want the data and what you re going to do with it. ICO has produced GDPR Fair Processing Notices guidance NOT using pre-ticked boxes or any other type of consent by default; people must positively opt in Giving granular options to consent to independent processing operations (eg: consent to share separated out from general consent to processing) Naming all parties who will/may have access to the data; it is no longer sufficient to say shared with partners Advising data subjects of their rights, including their right to withdraw consent 7

Consent to Direct Marketing Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not-for-profit organisations (eg: charities, etc). The rules on calls, texts and emails are stricter than those on mail marketing, and consent must be more specific. In order to comply with the GDPR, you will need to: Contact all mailing lists / distribution groups asking them to confirm by reply that they are happy to receive your emails (specifying what these emails are likely to include). Ensure that you remove anyone who hasn t consented by 25 th May Record when you have received consent (names/ email addresses/ dates will suffice) Provide opt-out / unsubscribe option in subsequent mailings For further details refer to the ICO s Direct Marketing Guidance 8

Children s Data / Consent The GDPR contains new provisions intended to enhance the protection of children s personal data the ICO has updated their section on Children Fair Processing Notices for Children where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand. Online services offered to children if you offer an online service to children, you may need to obtain consent from a parent or guardian to process the child s data. The GDPR states that a child under the age of 16 can t give consent themselves and instead consent is required from a person holding parental responsibility. However, the new Data Protection Bill stipulates that parental consent is only required from under 13 s in the UK. Parental/guardian consent is not required where processing is related to preventative or counselling services offered directly to a child. 9

Review of Consent Processes Recording Consent is also a requirement of GDPR; you must document when consent is secured for each client. In addition you must be able to evidence what they were told at the time; this can be managed using Fair Processing Notice version control. You must also ensure you are properly Managing Consent; this includes: regularly reviewing consent to ensure it remains relevant and appropriate introducing a process to refresh consent as required making withdrawal of consent easy and acting promptly when consent is withdrawn The ICO has released GDPR Consent Guidance including Checklist 10

Individual s Rights The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. The GDPR provides the following rights for individuals: The right to be informed The right of access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object Rights in relation to automated decision making and profiling. 11

The Right of Access What information is an individual entitled to request? confirmation that their data is being processed; access to their personal data; and other supplementary information this largely corresponds to the information that should be provided in a Fair Processing Notice. The key changes under the GDPR are: The Data Subject is required to provide proof of their identity. Information must be provided free of charge, though you can charge a reasonable fee for unfounded or excessive requests. Information must be provided without delay and at the latest within one month of receipt of an access request. Organisations should consult the GDPR/ICO when a Subject Access Request is received to ensure they are fully complying with all the requirements. 12

Individual s Rights - other key changes The GDPR creates broader rights for individuals and particularly children when it comes to: Rectification; Erasure (the right to be forgotten ); Restricting Processing; and Objecting to Processing (including direct marketing / research purposes) NB: data subjects have additional rights under the eprivacy Directive. Organisations must implement systems and procedures for notifying affected third parties (eg: any recipients of data previously shared) when any of the above rights have been exercised. The GDPR establishes the Right of Data Portability, allowing individuals to obtain and reuse their personal data for their own purposes across different services (eg: to move account details from one online platform to another). 13

The Accountability Principle The new GDPR accountability principle requires you to demonstrate that you comply with the DP principles; stating explicitly that this is your responsibility. Evidence of compliance can include: Appropriate technical and organisational measures (eg: data protection policies, staff training, internal audits, etc). Maintaining relevant documentation on processing activities. Assigning responsibility for Data Protection to a (trained) member of staff. Implementing measures that support data protection by design and data protection by default; including: Data minimisation; Pseudonymisation; Transparency; Allowing individuals to monitor processing; and Creating and improving security features on an ongoing basis. Using Data Protection Impact Assessments where appropriate. 14

Maintaining relevant documentation If your organisation has over 250 employees, you must maintain internal records of processing activities including the following information: Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer). Purposes of the processing. Description of the categories of individuals and categories of personal data. Categories of recipients of personal data and details of the circumstances, what was shared and why the disclosure took place. Details of transfers to third countries including documentation of the transfer mechanism safeguards in place. Retention schedules. Description of technical and organisational security measures. If your organisation has fewer than 250 employees you must maintain the above records for higher risk processing, such as: processing that could result in a risk to the rights and freedoms of individuals; or processing of special categories of data or criminal convictions and offence. 15

Contracts with Processors/Third Parties It is your responsibility to take appropriate measures to protect information for which you are the Data Controller. You are a Data Controller if you determine the purposes and means of processing personal data; and a Data Processor if you process personal data on behalf of a controller. The GDPR requires you to have a written contract in place with any Data Processors you engage. A helpful Contract Checklist is on the ICO website. Cloud services are data processors and you must ensure that they are compliant with GDPR / EU-US Privacy Shield. In addition, it is good practice to formalise arrangements with third parties who have regular or potential access to your data (eg: IT Provider / archive company / cleaning firm / etc). You should ensure they understand their responsibilities and liabilities in relation to the security and confidentiality of your data. 16

Data Protection Impact Assessments Data Protection Impact Assessments (DPIAs) help organisations comply with their data protection obligations and meet individuals expectations of privacy. Effective use of DPIAs allows organisations to identify and mitigate risks at an early stage, reducing associated costs and potential reputational damage. Under the GDPR you must carry out a DPIA when using new technologies to facilitate processing which is likely to result in a high risk to the rights and freedoms of individuals. This includes (but is not limited to): systematic and extensive processing activities, including profiling. large scale processing of special categories of data or personal data relating to criminal convictions or offences. processing that affects a large number of individuals and involves a high risk to rights and freedoms large scale, systematic monitoring of public areas (CCTV). 17

Breach Notification The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority (ICO), and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; ie: a breach is more than just losing personal data. You only have to notify the Information Commissioners Office of a breach where it is likely to result in a risk to the rights and freedoms of individuals. This has to be assessed on a case by case basis. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those concerned directly. 18

Breach Notification A breach notification must contain the following: the nature of the personal data breach including, where possible: the categories and number of individuals concerned; and the categories and number of personal data records concerned; the name and contact details of the Data Protection Officer or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; and a description of measures taken and/or proposed to mitigate any possible adverse effects. A notifiable breach has to be reported to the ICO within 72 hours of the organisation becoming aware of it. Failing to report a breach can carry large monetary penalties - it is important to have robust breach detection, investigation and internal reporting procedures in place; ie: staff training and breach reporting policy/procedure. 19

Other GDPR Considerations The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. Personal data may only be transferred outside of the EU in compliance with the conditions set out in Chapter V of the GDPR. The Information Commissioners Office will continue to release and/or update guidance in the run up to the May 2018 deadline. The person in your organisation with responsibility for Data Protection should refer back to the ICO website periodically: https://ico.org.uk/ REMEMBER: Despite Brexit, the GDPR will apply in the UK from 25 May 2018. 20

Key Compliance Actions Give an employee responsibility for Data Protection Complete Information Audit for higher risk processing (include a line for each set of special category / sensitive data as a minimum) Identify and document a legal basis for each processing purpose Develop a Privacy Notice and ensure it is available to clients / staff Review consent processes and record when consent is secured get opt-in consent to any general mailings / direct marketing Embed breach reporting this should be seen as a learning tool, identifying weaknesses and enabling improved procedures Review written contracts with Data Processors specify their compliance with GDPR & associated UK Data Protection legislation 21

References Overview of the General Data Protection Regulation (GDPR), Information Commissioner s Office (September 2017): https://ico.org.uk/for-organisations/data-protection-reform/overview-of-thegdpr/ GDPR Fair Processing Notices Guidance, Information Commissioner s Office (September 2017): https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-andcontrol/privacy-notices-under-the-eu-general-data-protection-regulation/ Direct Marketing Guidance, Information Commissioner s Office (February 2018): https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf Children, Information Commissioner s Office (February 2018): https://ico.org.uk/fororganisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/ GDPR Consent Guidance (including Checklist), Information Commissioner s Office (September 2017): https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consentguidance-for-consultation-201703.pdf Data Processor Contract Guidance, Information Commissioner s Office (February 2018): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulationgdpr/accountability-and-governance/contracts/ Conducting Privacy Impact Assessments Code of Practice, Information Commissioner s Office (September 2017): https://ico.org.uk/media/for-organisations/documents/1595/pia-code-ofpractice.pdf 22

Useful Resources The Information Commissioners Office provides a wealth of guidance, templates, etc: https://ico.org.uk/. Specifically, GDPR myth-busting blogs and the self assessment toolkit can be particularly helpful. The ICO also provides helpline, live chat, email and online facilities 23

Copyright & Disclaimer The information contained in this briefing is the intellectual property of Sefton CVS. Copyright Sefton CVS 2017. All rights reserved. Unless stated otherwise you may use the information in this briefing only for noncommercial, personal use. You may not use the information in this briefing for any unlawful purpose. Except as expressly set out above, you may not reproduce, publish, broadcast, transmit, modify, adapt, creative derivative works of, or in any way commercially exploit any of the content. Whilst every effort has been made to ensure that the information in this briefing is accurate, neither Sefton CVS, its Board of Directors nor the contributors accept any liability for any errors or omissions. In addition Sefton CVS does not accept any liability for the content of, or issues arising from the use of, websites quoted. 24

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback