

Associates quick guide to gdpr v 1.0

  1. A quick guide to GDPR for Associates (April 2018)
  2. A quick guide to GDPR
     Like everybody else, over the last few months we have been trying to read, understand, digest and interpret the new GDPR regulations. This is our take on it and we hope it acts as a helpful guide.
     NB - we strongly advise that each associate take their own steps, including considering legal advice if you are unsure of how these regulations affect you directly, to ensure you are fully compliant. Remember these regulations will take time to settle and test cases are likely in the coming months.
  3. Areas in need of focus
     1. The Headlines
     2. ICO expectations
     3. The 6 principles and Accountability
     4. Data controllers vs. Data processors - which one are you?
     5. Enhanced Data subjects’ rights
     6. Dealing with Subject Access Requests (SARs)
     7. Privacy statements
     8. Keeping data safe
     9. In the event of a breach
  4. The headlines
     GDPR went live on the 25th May 2018
     • GDPR is a new European-wide law that applies to every business in the UK and EEA - big or small, sole trader or big corporate - that collects personal data, even if you only undertake a few cases a year.
     • The previous legislation was the Data Protection Act 1998. 20 years on, the world is a very different place due to the explosion of technology and social media. This regulation reflects the changes now needed to keep data safe.
     • The key focus is giving data subjects back their/our privacy and reflecting the way they/we live our lives now.
     • There are enhanced rights for data subjects.
  5. The headlines
     • Despite Brexit, and even though Article 50 has been triggered, it will take two years for our exit from the EU to be agreed; therefore the UK Government have made it clear that GDPR became fully enforceable on 25th May 2018.
     • The fines for breaches and non-compliance are bigger - up to 4% of global turnover or up to £20 Million... never mind the reputational damage!
     TIP - Make sure you have registered with the ICO - see link below for details on how and costs - 20180221.pdf
     TIP - Think about it as a cultural shift, not just a tick-box exercise.
  6. ICO expectations
     • That every business, big or small, is taking it seriously - compliance is mandatory
     • That you are en route to GDPR compliance and can evidence what you are doing. You are not expected to have everything in place by the 25th May 2018
     • That there is evidence of what you have done and intend to do, and that your journey to GDPR compliance has begun
     The 3 big issues that the ICO are likely to zoom in on are:
     1. Handling a SAR
     2. Managing and communicating a data breach
     3. A cyber attack
  7. The 6 Principles
     1. Lawfulness, fairness and transparency - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
     2. Purpose limitation - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
     3. Data minimisation - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
     4. Accuracy - Personal data shall be accurate and, where necessary, kept up to date.
     5. Storage limitation - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
     6. Integrity and confidentiality - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  8. And Accountability...
     • The accountability principle in Article 5(2) means that controllers are responsible for, and should be able to demonstrate, their compliance with the GDPR data processing principles listed in Article 5(1).
  9. Controller or processor?
     • “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed.
     • “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
     • “processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
       a) organisation, adaptation or alteration of the information or data,
       b) retrieval, consultation or use of the information or data,
       c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
       d) alignment, combination, blocking, erasure or destruction of the information or data
     • TIP - Familiarise yourself with the below: guidance.pdf Page 9, points 25-27 are important
  10. Enhanced Data subjects’ rights
     Data subjects have enhanced rights compared to the Data Protection Act 1998:
     1. Right to be informed - can ask what information you are holding on them
     2. Right to access - allows them to see what information you have on them
     3. Right to rectification - allows them to have incorrect information corrected
     4. Right to erasure/right to be forgotten (new**) - as it says, to have their information removed completely
     5. Right to restriction - as it says, data subjects can request restrictions around what you share
     6. Right to data portability (new**) - can request their information be transferred to another place/company
     7. Right to object - to direct marketing, scientific research etc.
     TIP - Make sure you know what the new rights are so that you can respond quickly and effectively to any requests that come through.
     TIP - Ensure you know the new 6 principles and in particular the responsibilities within ‘accountability’.
  11. Dealing with a Subject Access Request (SAR)
     Requests can now be made via the phone as well as email or post, but you should take reasonable steps to verify who they are first.
     1. You must respond to their request should they wish their information to be removed, rectified or deleted - it is their right!
     2. You must provide the info within 30 days of the request
     3. You cannot apply any charge to the request - for information see link below re medical records
     TIP - Write yourself a simple process for how you would deal with this; documenting it is important.
     TIP - Remember it is their right; don’t make it difficult for them to get hold of their information.
     requests-to-end-under-gdpr/
  12. Privacy policy
     A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfils a legal requirement to protect a customer or client's privacy.
     Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy policy.
     The document must state clearly:
     1. Who you are
     2. What you are going to do with their information
     3. Who it will be shared with
     4. Whether you share information with third parties
     5. How they contact you if they have concerns
     TIP - Write a simple, plain English document that says what information you receive, what you do with it and how they can contact you if they need to.
  13. Keeping data safe
     It’s your responsibility to take all reasonable steps to ensure any personal data you have access to is safe and secure - that applies to physical documents as well as electronic.
  14. Keeping data safe
     Physical
     • Wherever you work in your home/office, it should be lockable, and so should any cupboards housing any physical personal data.
     • Be careful if you carry paper documents around with you, in your car or on the train - are they safe?
     • Have a good filing system in place so you can find documents quickly.
     • Do you destroy paper documents securely?
     • TIP - Think about conducting a mini risk assessment and documenting things to show what you have been thinking about and are planning to do. Below is an interesting article on LinkedIn about a small business and their approach: GDPR - a small business case study (mine) study-mine-janine-coombes
     Online
     • Don’t keep sensitive data/photos on your mobile. Transfer them to your PC as soon as possible.
     • Have you got sufficient anti-virus and firewalls in place? Free versions are sometimes deemed unsafe.
     • Are you password protecting documents when you transfer them?
  15. In the event of a breach
     It is your responsibility to inform the ICO of a breach as quickly as possible.
     1. Call the ICO within 72 hours and advise them of what has occurred.
     2. Be prepared with as much detail as possible, i.e. what happened and how the breach occurred.
     3. What measures you have taken to address the issue - be open and honest. The ICO do not take kindly to those who try to hide things or are obstructive.
     4. Be prepared to inform the data subject(s) who have been affected and provide them with the same info as you provide to the ICO - remember their enhanced rights.
     TIP - Write an easy guide on how you will deal with a breach should one occur, and include the contact telephone/email for the ICO so you have it to hand easily.
     TIP - Be honest and transparent with the ICO; they don’t take kindly to obstruction.
     TIP - Don’t panic!
  16. Still got questions?
     • Check the ICO website organisations/guide-to-the-general-data-protection- regulation-gdpr/
     • Free webinars are available through webinar/webinar-dates/