This breakfast club focused on the new Data Protection regime covering what the new regime will entail and what to be thinking about now in order to be ready for the new regulations.
3. GENERAL DATA PROTECTION REGULATION (GDPR)
• New definitions
• New principles for Data Processing
• Data Subject Rights
• Consent
• Information to be provided to Data Subjects
• New Data Controller Obligations
• Data Processor Obligations
• Data Protection Officers
• Mandatory Breach Notification
• Increase in Liability and Sanctions
4. Aim of the Reform
• A uniform regime
• Greater rights for data providers
• Enhancing confidence in security
• Increased accountability
• Reduction in bureaucracy
5. Territorial Scope
• All data controllers and processors:
– Operating within the EU, whether or not the processing takes place in the EU
– Outside the EU that offer goods and services to data subjects in the EU
– Outside the EU that monitor the behaviour of data subjects, to the extent that the behaviour takes place in the EU
6. DEFINITIONS – PERSONAL DATA
Current
Data relating to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or likely to come into the possession of, the data controller.
Future
Data relating to an identifiable person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
7. Special Categories of Data
• Data revealing:
– Race or ethnic origin
– Political opinions
– Religious or philosophical beliefs
– Trade union membership
– Health, or sex life and sexual orientation
– Genetic or biometric data processed in order to uniquely identify a person
• Processing of any/all of the above is prohibited, subject to exceptions
8. DEFINITIONS – DATA PROCESSING
• Current – obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including altering, retrieving, disclosing, blocking, erasing or destroying the information
• Future – any operation or set of operations which is performed on personal data, whether or not automated, including collecting, recording, organising, structuring, storing, adapting, altering, disclosure, erasure or destruction
9. Principles for Data Processing
• Data must be processed lawfully, fairly and in a transparent manner
• Data must only be collected for a specified, explicit and legitimate purpose
• Data must only be processed to the extent that it is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed
• Data must be accurate and up to date; data which is inaccurate should be erased or rectified without delay
• Identifiable data should not be kept longer than is necessary
• Ensure appropriate security of the data
• Ensure compliance with the Regulations
10. Lawful Basis of Processing
• Consent
• Contractual necessity
• Legal obligation
• Vital interests of the data subject or of another natural person
• Public interest or exercise of official authority
• Legitimate interests of the data controller or of a third party to whom the data is disclosed (but not available to a public authority)
11. Consent
• Must be freely given, specific, informed and unambiguous
• Must be given by a statement or a clear affirmative action
• If written, should be distinguishable from any other matter
• Withdrawal of consent should be as easy as the grant of consent
• Purpose limited – loses validity when the purpose ceases to exist
• Burden of proof is on the data controller to show that consent was freely given
12. Data Subject Rights
• Data subjects can require:
– Inaccurate personal data to be corrected, or incomplete data to be completed, including by means of a supplementary corrective statement
– Personal data to be provided in a structured, commonly used and machine-readable format that allows for further use
– The data controller to delete their personal data where certain conditions are met
13. Data Subject Rights: continued
– Restriction of processing of personal data, so that it can only be held by the controller and used for limited purposes
– Transfer of personal data from one data controller to another (“data portability”)
– That processing of personal data not take place for direct marketing, including profiling
– Not to be subject to a decision based solely on automated processing, such as in connection with insurance premiums
• The rights of access, rectification, erasure and the right to object must be given effect free of charge
14. Information to be Provided
• Data controllers must provide the following to data subjects on request:
– Identity and contact details of the data controller and data protection officer
– Intended purpose of processing and the period for which data will be stored
– Existence of rights: access, rectification, objection and erasure
– Right to lodge a complaint internally and with a supervisory authority
– Recipients or categories of recipients to whom data will be disclosed
– Intention to transfer data to another country or international organisation
• Information must be concise, transparent, intelligible and easily accessible
• Must be provided in writing unless otherwise requested
15. Controller vs Processor
• The GDPR applies to ‘controllers’ and ‘processors’
• Broadly the same as under the DPA:
– The data controller says why and how personal data is processed
– The data processor acts on behalf of the controller
• Data processors now have direct obligations
16. Data Controller Obligations
• Designate a data protection officer (where required)
• Appoint a sub-processor
• Adopt policies and implement appropriate technical and organisational measures to ensure, and be able to demonstrate, compliance with the GDPR
• Implement security requirements
• Deal with privacy impact assessments
• Comply with requirements of the supervisory authority
• Report breaches to the supervisory authority and affected data subjects
17. Data Processor Obligations
• Designate a data protection officer (where required)
• Appoint a sub-processor only with the authorisation of the data controller
• Adopt policies and implement appropriate technical and organisational measures to ensure, and be able to demonstrate, compliance with the GDPR
• Implement security requirements
• Comply with requirements of the supervisory authority
• Maintain a written record of all personal data processing carried out on behalf of a data controller
• Notify data controllers without undue delay after becoming aware of a breach
18. Non-Compliance by Data Processors
• Sanctions by the regulator
• Damages claims from data subjects:
– failure to comply with lawful instructions of the data controller
– apportionment between data controller and data processor
• Damages claims from data controllers
19. Data Protection Officer
• Data controllers and data processors must designate a Data Protection Officer where:
– The processing is carried out by a public authority
– The processing requires regular and systematic monitoring of data subjects on a large scale
– The core activities consist of large-scale processing of special categories of personal data
20. Responsibilities of Data Protection Officer
• Inform and advise the data controller/processor
• Monitor the implementation and application of the Regulations and the data protection policies
• Monitor impact assessments and breaches
• Act as point of contact for the Supervisory Authority
21. Mandatory Breach Notification
• Notify the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware – a reasoned justification is required where the timeframe is not met
• Notify the affected data subjects without undue delay where there is a “high risk” to their rights and freedoms
• Not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals
• Adopt internal procedures for data breaches
22. Consequences of a Data Breach
• Level 1: €10,000,000 or 2% of total worldwide annual turnover
• Level 2: €20,000,000 or 4% of total worldwide annual turnover
• Factors taken into account when determining the fine:
– Nature, gravity and duration of the breach
– Whether the breach was intentional or negligent
– Previous breaches by the data controller/processor
– Technical and organisational measures in place
23. Next Steps
• Enforceable from 25 May 2018
• Where consent is relied upon as the basis for processing, consider whether this is valid under the GDPR
• Review all communication and information to ensure all necessary information is stated
• Review systems to ensure that new obligations can be met, such as data portability
• Review processes and procedures for reviewing and reporting data breaches, and implement appropriate policies
• Consider whether it is necessary to appoint a DPO
24. Next Steps
• Consider the relationship between the various parties to an agreement: who is the data controller/processor in relation to what personal data, and the obligations on each
• Review agreements between controllers and processors to ensure appropriate arrangements are in place
• Consider the rights of the data subject. How will you deal with requests for erasure?
• Consider the impact of Brexit, including which parts of your operations are within the UK or elsewhere
• Consider where personal data of individuals within the EU and outside of the EU is processed, and how this impacts on your obligations