Genera Data Protection Regulation and the Public Sector

Similar documents
GDPR for Charities. Tuesday 17 October 2017

Preparing for the GDPR

Dealing with the EU Data Protection Regulation in Practice. William Long, Partner Sidley Austin LLP February 11, 2016

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds

GDPR factsheet Key provisions and steps for compliance

How employers should comply with GDPR

GDPR Factsheet - Key Provisions and steps for Compliance

What do companies need to do?

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

General Data Protection Regulation (GDPR) A brief guide

Brexit and the Future of Data Protection

Getting Ready for the GDPR

Guidance on the General Data Protection Regulation: (1) Getting started

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Data Privacy, Protection and Compliance From the U.S. to Europe and Beyond

GDPR: What Every MSP Needs to Know

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

Getting ready for GDPR. A guide to General Data Protection Regulations

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

GENERAL DATA PROTECTION REGULATION Guidance Notes

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes

GDPR is coming in 108 days: Are you ready?

EU General Data Protection Regulation (GDPR)

Introduction to the General Data Protection Regulation (GDPR)

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

ARTICLE 29 DATA PROTECTION WORKING PARTY

More information at cventconnect.com/europe/mobileapp

The Sage quick start guide for businesses

General Personal Data Protection Policy

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

Preparing Your Vendor Agreements for the General Data Protection Regulation

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

The GDPR enforcement deadline is looming are you ready?

#RSAC TEN PITFALLS TO AVOID IN GDPR

WSGR Getting Ready for the GDPR Series

December 28, 2018, New Delhi, INDIA

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

EU General Data Protection Regulation in the digital age: Are you ready?

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

Presenting a live 90-minute webinar with interactive Q&A. Today s faculty features:

GDPR. Guidance on Employee Personal Data

Data Protection (internal) Audit prior to May (In preparation for that date)

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO

GENERAL DATA PROTECTION REGULATION (GDPR)

General Data Protection Regulation (GDPR) Key considerations and implications for brokers

EU GENERAL DATA PROTECTION REGULATION

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

New General Data Protection Regulation - an introduction

GDPR & SMART PIA. Wageningen University Feb 2017

FPSS GDPR Data Protection Policy

Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance

Nissa Consultancy Ltd Data Protection Policy

GDPR is coming soon. Are you ready. Steven Ringelberg.

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Data Protection Policy

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

Data Protection Law: An Update

HEAVERS FARM PRIMARY SCHOOL. GDPR Data Protection Policy

The General Data Protection Regulation An Overview

EU General Data Protection Regulation: are you ready?

Foundation trust membership and GDPR

DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017

South Farnham Educational Trust. GDPR Data Protection Policy

The ICT Service:

Preparing for the General Data Protection Regulation (GDPR)

General Data Privacy Regulation: It s Coming Are You Ready?

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

Vendor Agreements and the New EU GDPR Steps to Take Now

The European General Data Protection Regulation. A guide for the health and social care sector

DATA PROTECTION POLICY

GDPR Podbriefing Audio Transcript

EU General Data Protection Regulation

KYC & Data Protection: Friends or Foes?

Data Protection Policy

The General Data Protection Regulation and associated legislation. Part 1: Guidance for Community Pharmacy. Version 1: 25th March 2018

ARTICLE 29 Data Protection Working Party

General Data Protection Regulation (GDPR) Frequently Asked Questions

A Parish Guide to the General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2017

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

Brasenose College Data Protection Policy Statement v1.2

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

General Data Protection Regulation Guide

Welcome. Chair s address Barry Warne, hlw Keeble Hawson. GDPR Seminar- Sarah Power, hlw Keeble Hawson

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

CELESTYAL CRUISES LIMITED SUBJECT ACCESS REQUEST POLICY

GDPR a legal overview

Accountability under the GDPR: What does it mean for Boards & Senior Management?

General Data Protection Regulation (GDPR) Business Guide

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson

Transcription:

Genera Data Protection Regulation and the Public Sector Tuesday 30 May 2017 @mhclawyers

Welcome Edward Gleeson Partner & Head of Public & Administrative Law Mason Hayes & Curran

GDPR for Public Bodies Robert McDonagh Partner Mason Hayes & Curran

Data protection reform GDPR applies from 25 May 2018 DPC expect move towards compliance now implementing Bill published (with provision for SIs) exclusion for CAs preventing, investigating, detecting and prosecuting criminal activities eprivacy Regulations remain applicable, but Directive is to be replaced by a new EU Regulation (25 May 2018) New Data Sharing and Governance Bill published 4

Increased exposure Shift in burden of proof must be able to demonstrate compliance Significant fines up to 20 million or 4% of annual worldwide turnover must be effective and dissuasive as well as proportionate Bill only if public body acting as commercial undertaking Data subject claims: explicit right to compensation for damage, both material and non-material (pecuniary loss?) possible joint and several liability Data mapping and GDPR gap analysis 5

Data protection principles Same basic concepts and principles but generally tighter controls and greater emphasis on data subject rights Privacy by design implement appropriate technical / organisational measures e.g. pseudonymisation / data minimisation Privacy by default - only process data necessary for specific purpose: amount of data extent of processing period of storage accessibility 6

Profiling / big data Can still undertake profiling and big data analysis Can object to profiling based upon public interest test Can object to automated decision making if has legal effect or significantly affects individuals unless: necessary for contract; data subject has explicitly consented; or is authorised by law Absolute right to object to profiling for direct marketing 7

Data protection assessments Must do a documented DPA if high risk processing, e.g. systematic and extensive automated evaluation with legal effect / similarly significant affects DS large scale processing of sensitive data systematic monitoring of public areas Where appropriate, seek views of data subjects representatives Exclusion if based upon law that specifically regulates processing operations and DPA already carried out for that law 8

Consulting DPC Must consult DPC if: DPA shows high risks not mitigated legislative / regulatory measure relates to processing State may also require consultation for public interest tasks, e.g. social protection and public health depends on Bill 9

Security Similar test but should specifically consider: pseudonymisation encryption ability to ensure confidentiality, integrity, availability and resilience ability to restore availability and access a process for regular testing 10

Security breach Notify DPC without undue delay and, where feasible, within 72 hours, unless unlikely to result in a risk Processor must notify controller without undue delay Must notify data subjects if likely to result in a high risk to privacy / rights (with some exceptions) Must document breaches Should have security breach response plan in place 11

Using data processors More extensive requirements for data processor contracts Data transfer rules broadly the same Safe Harbour invalid replaced by Privacy Shield model clauses and adequacy decisions still valid ongoing legal challenges transparency requirements in privacy policy Need to audit supplier contracts and transfers 12

Greater accountability Must be able to demonstrate compliance Notable shift in burden of proof, particularly in light of increased fines and higher risk of data subject claims 13

Accountability measures Must implement appropriate technical and organisational measures to ensure and demonstrate compliance Where proportionate, this should include implementation of appropriate data protection policies 14

Documenting compliance DC / DP must document all processing activities, e.g.: categories of data subjects, recipients and data data transfers (including details of safeguards) retention / erasure period DC also must document purposes and (indirectly) legal bases Should be consistent with privacy policy Need to undertaking a data mapping exercise 15

Key points 1. Core principles broadly the same, but tighter controls 2. Greater accountability and shift in burden of proof 3. Increased records and compliance burden 4. Increased financial exposure 1 year to get it right, but time to start preparing is now 16

What to do now step 1 (what are we doing)? 1. Data mapping exercise - data flows and disclosures - purpose and legitimisation mapping 2. Audit of data transfers (remember Brexit) 3. Audit of data related contracts 4. GDPR gap analysis and prioritisation 17

What to do now step 2 (moving forward)? 1. Use gap analysis to decide on key action points 2. Create internal accountability records 3. Update internal and external policies 4. Create any necessary new policies and templates, e.g. 1. privacy by design / default playbook 2. DPA protocol and templates 3. security breach response plan 5. Update contracts 18

Thank you Insert headshot here Robert McDonagh Partner Mason Hayes & Curran e: rmcdonagh@mhc.ie t: +353 1 614 5077

GDPR for public bodies Catherine Allen Partner Mason Hayes & Curran

Tighter controls on processing Consent is more tightly defined (Rec. 32, 42, 43; Art. 6(1)(a)) Not valid if data subject has no genuine/free choice If a clear imbalance presumed not to have been freely given Advisable to base processing on other grounds Legitimate interests ground does not apply to public authorities (Rec. 47, 48; Art. 6(1)(f)) 21

What grounds are available? Compliance with legal obligations (Rec. 45; Art. 6(1)(c)) Public interest (Rec. 45; Art. 6(1)(e)) Additional powers for Member States (Art. 6(2)) Processing special categories of personal data Substantial public interest (Art. 9(2)(g)) 22

What is the impact? Impact for the public sector? Existing consents may become invalid and new consents may therefore need to be obtained Advisable to base processing on grounds other than consent If you currently rely on legitimate interests, you will need to find alternative grounds to justify processing 23

Data protection officer Must appoint a DPO (Art. 37(1)(a)) Smaller public authorities can share a DPO Must be expert in data protection law and practices Can perform other tasks provided no conflict of interest Can be employee or outsourced 24

Data protection officer Must be properly involved in all issues which relate to protection of personal data inform and advise on compliance monitor compliance advise re DPAs act as contact point 25

Data protection officer Must report directly to highest management level Must be independent no instructions regarding exercise of function Must provide DPO with sufficient resources Protected role cannot be removed or penalised for performing tasks 26

What is the impact? Impact for public sector? Not significant for those who already have employees/teams responsible for compliance For others, an onerous new obligation Need to understand the rules relating to the appointment and role of DPOs Consider if you can share the burden with another public authority 27

Data subject rights Subject access requests more information Generally no fees Right to charge or refuse request if manifestly unfounded or excessive or repetitive One month time frame but can be extended to maximum of two further months 28

What is the impact? Impact for the public sector? Risk that many more subject access requests will be received Need to ensure compliance with the detailed rules in Articles 12 and 15 29

Other Data subject rights Right of erasure (right to be forgotten) Right to object to and stop processing New data portability right (where rely on consent or contract) 30

What is the impact? Impact for the public sector? Staff need to be trained on the new rights New internal policies and procedures to aid compliance Can your data processing systems cope with the new rights (e.g. be able to isolate and permanently erase data?) Data subjects can object to processing that is claimed to be in the public interest/necessary for the exercise of official authority 31

Privacy Notices Must have transparent, clear, concise and easily accessible privacy policy Intelligible language adapted to data subject More information must be provided, e.g. contact details of DPO how long you will keep data legal basis you are relying upon to legitimise processing 32

What is the impact? Impact for the public sector? Privacy notices will need to be revamped to comply with the new requirements 33

Takeaways 1. Review grounds for processing 2. Appoint a DPO 3. Get staff and systems ready to deal with new data subject rights 4. Review privacy notices 1 year to get it right, but the time to start preparing is now 34

Thank you Catherine Allen Partner Mason Hayes & Curran e: callen@mhc.ie t: +353 1 614 5254

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback