GDPR Introduction and overview

Barrister at 4-5 Gray's Inn Square
23 March 2018


  1. GDPR Introduction and Overview 16 March 2018 Jane Lambert
  2. Topics to be discussed ● What is the GDPR? ● What is data protection? ● Why we need data protection legislation ● Data Protection Principles ● Lawfulness of processing ● Consent to processing ● Law Enforcement Data Protection Directive ● Data Protection and Brexit ● Data Protection Bill ● Basic Preparation for Small Businesses
  3. What is the GDPR? ● “General Data Protection Regulation”. ● Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. ● Directive 95/46/EC is the present source of law. ● The GDPR will supersede the Data Protection Act 1998 from 25 May 2018.
  4. What is Data Protection? ● Data protection is a set of rules for processing personal data. ● “Personal data” means any information relating to an identified or identifiable natural person (art 4 (1) GDPR) ● “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data (art 4 (2) GDPR). ● It includes collection, collation, storage and transmission.
  5. Why do we need Data Protection Legislation? ● The Younger report on privacy identified computers as a potential threat to privacy in 1972 ● The Lindop report recommended legislation to regulate this threat ● Sweden enacted the first national data protection law in 1973 ● Swedish data protection law banned the export of data to the UK ● OECD Guidelines on Transborder Data Flows in 1980 ● Council of Europe Data Protection Convention in 1981
  6. Structure of GDPR Regulation consists of 173 recitals and 99 articles divided into the following chapters and sections: ● Chapter I: General Provisions ● Chapter II: Principles ● Chapter III: Rights of Data Subjects ○ §1 - Transparency and modalities ○ §2 - Information and access to personal data ○ §3 - Rectification and erasure ○ §4 - Right to object and automated decision making ○ §5 - Restrictions
  7. Structure of GDPR ● Chapter IV: Controller and Processor ○ §1 - General Obligations ○ §2 - Security of Personal Data ○ §3 - Data Protection Impact Assessment and Prior Consultation ○ §4 - Data Protection Officer ○ §5 - Codes of Conduct and Certification ● Chapter V: Transfers of Data to Third Countries and International Organisations ● Chapter VI: Independent Supervisory Authorities ○ Independent Status ○ Competence, Tasks and Powers
  8. Structure of GDPR ● Chapter VII: Cooperation and Consistency ○ §1 - Cooperation ○ §2 - Consistency ○ §3 - European Data Protection Board ● Chapter VIII: Remedies, Liabilities and Penalties ● Chapter IX: Provisions Relating to Specific Processing ● Chapter X: Delegated Acts and Implementing Acts ● Chapter XI: Final Provisions
  9. Data Protection Principles Art 5 of GDPR requires personal data to be: ● (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); ● (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; ….. (‘purpose limitation’);
  10. Data Protection Principles ● (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); ● (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  11. Data Protection Principles ● (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ……………………. (‘storage limitation’);
  12. Data Protection Principles ● (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). Art 5 (2) provides: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
  13. Lawfulness, Fairness and Transparency ● Art 6 (1) provides six grounds upon which data controllers can justify their processing of personal data. ● One of those grounds is that the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes (art 6 (1) (a)). ● Data controllers tend to rely on that ground because it is easy to prove compliance. ● That is important because art 5 (2) requires data controllers not only to comply with the data protection principles but to demonstrate compliance.
  14. Consent to Processing ● By definition, consent must be freely given, specific, informed and unambiguous (see art 4 (11) GDPR). ● Art 7 sets out the conditions for consent which must be complied with if it is to be binding. ● Consent need not be in writing but it probably must be recorded if it is to be binding, since the controller must be able to demonstrate that it was given (art 7 (1)). ● Recital 171 makes clear that consent obtained under existing law remains effective so long as it meets the conditions of the GDPR.
  15. Consent to Processing ● Consent can be obtained on a form that includes other matter, but the provision relating to consent must be clearly distinguishable and cover all the purposes for which consent is required. ● Data subjects must be informed of their right to withdraw consent at any time, and withdrawing consent should be as easy as giving it. ● If the data controller and data subject have unequal bargaining power, the controller should not use (or give the impression of using) his leverage to extract consent. ● Where consent is relied on for offering online services directly to a child, parental consent is required for children under 16 (art 8), a threshold member states may lower to 13.
  16. Law Enforcement Data Protection Directive Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Art 63 (1) requires it to be implemented by 6 May 2018.
  17. Data Protection and Brexit Art 50 (3) Treaty on European Union: “The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.”
  18. Data Protection and Brexit Art 67 Draft Withdrawal Agreement: “Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data: (a) were processed in accordance with Union law in the United Kingdom before the end of the transition period; or (b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.”
  19. Data Protection Bill ● Makes consequential provision for the GDPR ● Repeals the Data Protection Act 1998 ● Implements the Law Enforcement Data Protection Directive ● Preserves the GDPR in UK law after 29 March 2019, or after 31 Dec 2020 if a transition period beyond 29 March 2019 is agreed ● Passed the Lords and is now in committee in the Commons
  20. Basic Preparation for Small Businesses The Information Commissioner published on 12 March 2018 “Getting ready for the new UK data protection law: Eight practical steps for micro business owners and sole traders”: ● “Know the law is changing – which you now do, so that’s one thing you’ve done already! ● Make sure you have a record of the personal data you hold and why.
  21. Basic Preparation for Small Businesses ● Identify why you have personal data and how you use it. ● Have a plan in case people ask about their rights regarding the personal information you hold about them. ● Ask yourself: before I collect their data, do I clearly tell people why I need it and how I will use it?
  22. Basic Preparation for Small Businesses ● Check your security. This can include locking filing cabinets and password protecting any of your devices and cloud storage that hold your staff or customers’ personal data. ● Develop a process to make sure you know what to do if you breach data protection rules. ● Don’t panic: we’re here to help ………………”
  23. Further Information ● Office of the Information Commissioner ● Jane Lambert, Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK, 23 Sept 2017 ● NIPC Data Protection Blog: links to existing legislation, the GDPR and Directive, the Data Protection Bill, the Commission, the Department for Digital, Culture, Media and Sport and the Information Commissioner’s Office
  24. Any Questions? Jane Lambert 4-5 Gray’s Inn Square London WC1R 5AH Tel 020 7404 5252 Mob 07966 373922 E