GENERAL DATA PROTECTION
REGULATION
Key provisions and what your business
should be doing to prepare
KEY TOPICS
1. Data audit and accountability
2. Consent
3. Legitimate interests
4. Transparency and privacy notices
5. Contractual terms
DATA AUDIT AND ACCOUNTABILITY
Article 5
2. The controller shall be responsible for, and be able to demonstrate compliance
with, the main principles relating to the processing of personal data (‘accountability’),
including:
• Lawful, fair and transparent;
• Collected for specified, explicit and legitimate purposes;
• Adequate, relevant and limited to what is necessary;
• Accurate and, where necessary, up to date;
• Kept no longer than is necessary;
• Processed in a manner that ensures appropriate security.
DATA AUDIT AND ACCOUNTABILITY
Article 30 (records of processing activities)
Applies if you have over 250 employees, process sensitive personal data, or
the processing is not occasional
Controllers and processors must keep a record of processing activities under
their responsibility, including:
• Purpose of processing (controllers only);
• Description of categories of data subject and data;
• Categories of recipients;
• Any transfers outside EEA;
• Retention periods;
• A description of the technical + organisational security measures.
• Nature of data/document
• When was the data collected/received?
• Is the data subject a client/customer/supplier/prospect?
• Does the personal data reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or does it concern health or a natural person's sex life or sexual orientation? (Sensitive data)
• On what legal basis is the data being processed?
  - For the purpose of performing a contract with the data subject
  - The data subject has consented to processing for that purpose
  - If consent is the basis, what record do you have of consent? When and how was consent given?
  - In your legitimate interests: is the processing necessary for the purpose and, on balance, fair taking into account the rights and expectations of the data subject?
  - Processing is necessary for compliance with a legal or other obligation to which the controller is subject
• Is the data kept no longer than is necessary for the purposes for which the personal data are processed?
• Is the data being processed for the purpose for which it was originally collected?
• Is the data adequate, relevant and limited to what is necessary for the purpose?
• Is the data accurate and, where necessary, kept up to date?
• What (if anything) has the data subject been told about the processing of the information?
• Where is the data being processed (is any data processed outside the EEA)?
• Are you the data controller (i.e. do you determine the purposes and means of the processing of personal data) or are you the processor (i.e. you process the data on behalf of, and on the instructions of, someone else)?
• Is the data processed in a manner that ensures appropriate security of the personal data?
• Does the processing involve any automated decision making or profiling?
• Is it possible for the data subject's data to be easily amended, transferred and/or deleted upon a request from them?
• Is the data shared with any third parties?
• Risk of non-compliance: high/medium/low
• Risk that a data breach would be likely to result in a risk to the rights and freedoms of the data subject: high/medium/low
CONSENT
1. Article 29 Working Party Guidelines released in December
2. Expect updated guidelines from ICO
3. Definition
‘consent’ of the data subject means any freely given, specific,
informed and unambiguous indication of the data subject's wishes by
which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him
or her
CONSENT
1. Controller has to be able to demonstrate consent
2. Request for consent must be distinguishable from other matters
3. When assessing whether consent is freely given, utmost account
shall be taken of whether, inter alia, the performance of a contract,
including the provision of a service, is conditional on consent to the
processing of personal data that is not necessary for the
performance of that contract.
CONSENT
1. Obtaining consent does not negate the controller’s obligations to
observe GDPR principles, especially fairness, necessity and
proportionality
2. Consent may cover different operations, as long as these
operations serve the same purpose
3. Data subject has a right to withdraw consent as easily as giving
consent
4. Controller is expected to make sure information is understandable
for minors
CONSENT
1. Where explicit consent is required, the guidance recommends a
signed statement or, if using electronic consent, a two-stage
process. Explicit consent is required for:
a) Processing special categories of data (sensitive data);
b) Transfer outside of EEA;
c) Automated decision making.
2. After the processing activity ends, proof of consent should only be
kept for as long as necessary to defend claims
CONSENT
1. Duration of consent depends on context and scope of original consent
and the expectation of the data subject. ICO draft guidance suggests 2
years as a default position
2. If consent is withdrawn then the processing actions that were the subject of the consent
must stop. If there is no other lawful basis for retaining the data, it should be
deleted or anonymised
3. You cannot silently switch to a different lawful basis (e.g. legitimate
interests) or use that as a backup
4. Parental consent for children runs out when they come of age and so you
need to send reminders to re-affirm consent
LEGITIMATE INTERESTS
“processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data,
in particular where the data subject is a child”
LEGITIMATE INTERESTS
1. Purpose Test: Identify a legitimate interest:
GDPR mentions use of client or employee data, marketing, fraud prevention, intra-group
transfers, or IT security as potential legitimate interests, but this is not an exhaustive list
2. Necessity test: is the processing necessary for that purpose?
‘Necessary’ means that the processing must be a targeted and proportionate way of
achieving your purpose. You cannot rely on legitimate interests if there is another
reasonable and less intrusive way to achieve the same result
LEGITIMATE INTERESTS
1. Balancing test: do the individual’s interests override the legitimate
interest?
You must balance your interests against the individual’s interests. In particular, if they would not
reasonably expect you to use data in that way, or it would cause them unwarranted harm, their
interests are likely to override yours. However, your interests do not always have to align with
the individual’s interests. If there is a conflict, your interests can still prevail as long as there is
a clear justification for the impact on the individual
2. You can rely on legitimate interests for marketing activities if you can
show that how you use people’s data is proportionate, has a minimal
privacy impact, and people would not be surprised or likely to object –
and if you don’t need consent under PECR
TRANSPARENCY AND PRIVACY
NOTICES
1. If collected from the data subject, at the time the data is collected, the controller shall provide the
following:
a) Identity of the controller and of the data protection officer, where applicable
b) Purpose of processing data and legal basis (including legitimate interests if applicable)
c) Categories of data concerned
d) Recipients or categories of recipients of the data
e) If the data is going to be transferred outside EEA
f) How long the data will be stored
g) Rights of the data subject to rectification, erasure, restriction, portability and objection
h) Right to withdraw consent (where applicable)
i) Right to lodge a complaint with ICO
j) Whether the provision of personal data is a statutory or contractual requirement
k) The existence of any automated decision making
TRANSPARENCY AND PRIVACY
NOTICES
1. If not collected from the data subject, the controller shall provide the privacy notice within
a reasonable period but in any event by the earlier of one month and the first
communication with the data subject
2. Privacy notice should include
a) Same as above plus:
i. Categories of data
ii. The source of the personal data
3. No need to provide privacy notice if:
a) Data subject has the information already (i.e. from the original data controller)
b) Provision of information proves impossible or would involve disproportionate effort
c) The personal data must remain confidential subject to an obligation of professional secrecy
d) Where it would render impossible or seriously impair the achievement of the objectives of the
processing
TRANSPARENCY AND PRIVACY
NOTICES
1. Key points from guidance:
a) If you have a website then this is the recommended way to deliver privacy notice
b) It should be clearly distinguishable from other non-privacy related information such as contractual provisions
c) A link to the privacy notice should be on each page of your website
d) For apps the privacy notice should never be more than two taps away
e) The first layer of a notice should include information on processing which has most impact or could surprise the
data subject
f) The purpose of, and legal basis for, processing personal data should be clear. It is not sufficient to say:
i. “we may use your personal data to offer personalised services”
ii. “we may use your data to develop new services”
g) If you change your privacy notice, the changes should be communicated. You cannot just publish the new notice
h) The threshold for disproportionate effort is high, but not having contact details is a factor
CONTRACTS WITH DATA
PROCESSORS
1. Processing by a processor must be governed by a contract
2. Must set out the nature and purpose of processing, types of data
and categories of data subject and obligations and rights of the
controller
3. Must include prescribed terms including:
a) Process only on written instructions
b) Confidentiality and security
c) Not to engage sub-processors without prior consent
d) Assist controller to meet obligations under GDPR
e) Delete or return data at end of contract
f) Submit to audits by controller
WHAT NEXT
1. Keep an eye on the link below for new guidance:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new
2. Ask your legal advisers for assistance to make sure you are GDPR
ready.
For further information or legal advice on GDPR compliance,
please contact:
Jon Rathbone
Director, Head of Corporate and Commercial
Tel: 01242 586832
E-mail: jdr@hughes-paddison.co.uk
Gdpr powerpoint 15.01.18