Document Lifecycle Management Group

Document Lifecycle Management Group - SCTP · Document Lifecycle Management Group According to GDPR… ‘Personal data' means any information relating to an identified or identifiable



Getting to grips with GDPR –a practical guide

Presented by: Owen Costen, MD, DLM Group


Data Protection Bill 2018


Top 10

1. Background to the GDPR

2. Scope & Definition

3. Personal Data

4. Data Subject, Controller & Processor

5. The key Principles

6. Consent & Documentation

7. Rights of the Data Subject

8. International Data Transfers

9. Data Breaches

10. Data Protection Officer & Fines

Other Topics

• 12 Steps towards compliance

• Vertical issues

• Q & A


Data breaches making headlines


Background to the GDPR


Background to GDPR

What is the GDPR?

• The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.

Where has it come from?

• European Directive 95/46/EC
• Immediately applicable in each Member State
• Regulated by the Information Commissioner’s Office (ICO)


Background to GDPR

Who does the GDPR apply to?

• ‘controllers’ and ‘processors’.
• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.


GDPR contains a number of changes from the DPA including:

▫ Enhanced documentation to be kept by data controllers
▫ Enhanced Privacy Notices
▫ More prescriptive rules on what constitutes consent
▫ Mandatory data breach notification requirement
▫ Enhanced Data Subject Rights
▫ New obligations on Data Processors
▫ Expanded territorial scope
▫ Appointment of Data Protection Officers
▫ Significant increase in the size of fines and penalties


Scope and definitions under GDPR

No 2.


Scope of GDPR

• Designed to protect any natural person = a living individual (data subject)
• It applies to processing activities that are related to:
  ▫ Goods or services, irrespective of whether payment is required; or
  ▫ The monitoring of data subjects’ behaviour within the EU.


Personal Data

No 3.


What is personal data?

According to GDPR…

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


What is Sensitive Personal Data?

Under GDPR, the term used is Special Categories of Personal Data…

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• physical or mental health or condition
• sex life or sexual orientation
• genetic data
• biometric data


Processors & Controllers

No 4.


What is a Data Controller?

According to the Data Protection Act 1998…

A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

According to GDPR…

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


What is a Data Processor?

According to the Data Protection Act 1998…

Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

According to GDPR…

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


The key Principles

No 5


Article 5

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
7. Accountability


Legal Basis for Processing Personal Data

No 6


Lawfulness of processing conditions

The information below sets out the lawful bases available for processing personal data and special categories of data.

• 6(1)(a) – Consent of the data subject
• 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
• 6(1)(c) – Processing is necessary for compliance with a legal obligation
• 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
• 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest

Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.


Article 7: Conditions for consent

The following conditions apply for consent:

• Controllers must be able to demonstrate that consent was given;
• Written consent must be clear, logical, easily accessible, else not binding;
• Consent can be withdrawn any time, and as easy to withdraw consent as give it;
• Consent to processing data not necessary for the performance of a contract;
• Ticking a box or choosing appropriate technical settings still valid.


Rights of the Data Subject

No 7.


Individual Rights

Eight Rights of Data Subjects

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Article 13.2; Article 17: Right to erasure (‘right to be forgotten’)


International Data Transfers

No 8


• The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
• These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

When can personal data be transferred outside the European Union?

• Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

What constitutes a transfer of Personal Data?

• Personal Data is considered to be ‘transferred’ across borders when:
  ▫ It is physically transferred across borders OR
  ▫ It is accessed across borders

International transfers example: a support agent in India who is given access to a physical device located in the UK which contains Personal Data is considered a ‘transfer’ by EU Data Protection Authorities.


Preventing or Managing Data Breaches

No 9


What is a Data breach?

• The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority.
• A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.


DPO & Fines

Session 10


Appointment of Data Protection Officers

When does a Data Protection Officer need to be appointed under the GDPR?

• You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
• Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.


Penalties and enforcement

• For (mainly) a breach of record keeping, contracting and security clauses
  ▫ maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater
• For (mainly) a breach of the basic principles, Data Subject rights, transfer to third countries, non-compliance with an EU DPA order
  ▫ maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater
• GDPR intends to co-ordinate supervisory and enforcement powers across the Member States


Road to GDPR Compliance

1. Awareness
2. Information You Hold
3. Communicating Privacy Information
4. Individuals’ rights
5. Subject access requests
6. Lawful basis for processing personal data
7. Consent
8. Children (U16)
9. Data Breaches
10. Data Protection by Design and Data Protection Impact Assessments
11. Data Protection Officers (DPO)
12. International

What your company must do

• Use plain language.
• Tell them who you are when you request the data.
• Say why you are processing their data, how long it will be stored and who receives it.
• Get their clear consent to process the data.
• Collecting from children for social media? Check age limit for parental consent.
• Let people access their data and give it to another company.
• Inform people of data breaches if there is a serious risk to them.
• Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
• If you use profiling to process applications for legally-binding agreements like loans you must:
  ▫ Inform your customers;
  ▫ Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
  ▫ Offer the applicant the right to contest the decision.
• Give people the right to opt out of direct marketing that uses their data.
• Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
• Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.


What else do we need to complete?

• Data Mapping
• Gap Analysis
• Policies Review
• Data Protection Officer
• Database
• Marketing Strategy
• Suppliers
• Terms of business