An overview of the new GDPR regulations, including:
• Data Protection Framework
• GDPR – Responsibilities
• GDPR – Changes
• GDPR – Exemptions
• GDPR – Rights
• Penalty
• Ten High Level Steps
1. AN OVERVIEW OF GDPR
MASOOD BUTT – COMMERCIAL & REGULATORY LAWYER
AHSAN HUSAIN – HEAD OF MIS & IT AND [DATA COMPLIANCE]
2. DISCLAIMER
The information contained herein and the statements
expressed are of a general nature and are not intended to
address the circumstances of any particular individual or
entity. Although we endeavour to provide accurate and timely
information and use sources we consider reliable, there can be
no guarantee that such information is accurate as of the date
it is received or that it will continue to be accurate in the
future. No one should act on such information without
appropriate professional advice after a thorough examination
of the particular situation.
3. Some research-based FACTS
1. 98% of the UK private sector is not ready for the GDPR.
2. 84% of small and medium-sized businesses and 43% of large companies are unaware of the implications of the GDPR.
3. 75% of the data held by companies shall become unusable or risky after GDPR.
4. 48% of the adults surveyed in the UK confirmed they shall exercise their rights to data protection afforded under GDPR.
4. Contents
Data Protection Framework
GDPR – Responsibilities
GDPR – Changes
GDPR – Exemptions
GDPR – Rights
Penalty
TEN HIGH LEVEL STEPS
5. Data Protection Framework
1. Data Protection Directive EU 95/46.
2. Data Protection Act 1998.
3. Information Commissioner’s Office (ICO).
4. A 2008 Council Framework Decision applies to the cross-border processing of personal data in police and judicial cooperation in criminal matters.
5. Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014.
6. Data Protection Framework
1. The EU’s Charter of Fundamental Rights and Freedoms.
2. In January 2012, a new EU legislative framework for data protection was proposed.
In its now finalised form, this has two elements:
• The General Data Protection Regulation (“GDPR”) EU 2016/679
• The Police and Criminal Justice Directive (the “Law Enforcement Directive” (LED), also known as the “PCJ Directive”) EU 2016/680
7. The General Data Protection Regulation (GDPR)
Passed on 24 May 2016.
Coming into force on 25 May 2018.
Duty holders:
Data controllers – the persons or bodies that determine the purposes and means of processing of personal data; and
Data processors – those who process personal data on behalf of a controller.
Right holders:
Data subjects – the individuals whose personal data is being processed.
Personal data – any information relating to an identifiable natural person – Art 4(1).
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data stored, processed or transmitted – Art 4(12).
8. Changes made by GDPR
• Territorial scope
• Data protection by design and default
• A European Data Protection Board
• Increased penalties
• Data protection officers
• A “one-stop shop” principle
• Enhanced transparency duties when communicating with data subjects
9. Exemption – Art 9
Exempt where the processing does not include data on:
Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade union membership;
Genetic data;
Biometric data;
Health data;
Sex life or sexual orientation.
10. Exemptions – Art 30(5)
• Organisation employs fewer than 250 staff;
• unless:
• likely to result in a risk to the rights or freedoms of data subjects;
• occasional processing;
• special categories as above;
• data relating to criminal convictions and offences.
11. Data subject rights
Lawful processing – express and specific consent – Art 6
Right to withdraw consent at any time – Art 7
Right of access – Art 15
Right to rectification – Art 16
Right to erasure (“right to be forgotten”) – Art 17
Right to restriction of processing – Art 18
Right to be notified – Art 19
Right to data portability – Art 20
Right to object – Art 21
Right not to be subject to automated profiling – Art 22
Right to lodge a complaint with a supervisory authority – Art 77
Right to an effective judicial remedy against a controller or processor – Art 79
Right to compensation for damages – Art 82
12. The General Data Protection Regulation (GDPR)
Strengthened consent is one of the major changes that the GDPR will make for data subjects.
Article 4(11) defines consent as follows:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The definition’s references to “unambiguous” and “clear affirmative action” are new.
A data controller must be able to demonstrate that a data subject has consented to the processing of their personal data. It must be possible to withdraw consent at any time.
Article 7 (conditions for consent) states:
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
13. PENALTY
Non-compliance with an order of a supervisory authority is subject to a fine of up to EUR 20,000,000 or 4% of global annual turnover – Art 83.
14. Further costs
• In addition to the sanctions, fines and reputational damage:
• Problems which are only identified after the project has launched are more likely to require expensive fixes.
• The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.
• Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.
• Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.
• Data losses which damage individuals could lead to claims for compensation.
15. Ten HIGH LEVEL STEPS
Here are ten high-level steps to help you prepare.
1. Be aware and be accountable;
2. Create or renew the data policy;
3. Classify risk and retention;
4. Evaluate and actively manage existing contracts with third-party service providers;
5. Establish, embed and test a procedure to handle personal data incidents, and increase internal privacy awareness;
16. Ten HIGH LEVEL STEPS – cont.
6. Ensure staff know how to recognise and respond appropriately to requests from data subjects;
7. Determine and document the Privacy Impact Assessment and the appointment of a Data Protection Officer;
8. Review, amend and document privacy policy, statements and notices to meet the enhanced transparency requirements;
9. Document and identify the main causes of any potential data breach;
10. Would you be able to notify the regulator of any data breach within 72 hours?