May 25th 2018 is when the new GDPR becomes law in the UK.
Introduction to GDPR
The General Data Protection Regulation is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly, the GDPR is designed to better take into account modern technologies, the way we work with them today and the way we are likely to work in the future. In addition, there is a much greater emphasis on compliance, following a widely-held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to cast a far wider net, taking in small and medium businesses and the third-party contractors they use.
THE 6 GDPR DATA PROTECTION PRINCIPLES:
1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject
2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We provide you with
- Part I – Know Your Data Assessment
- Part II – Accountability: Questions For The Board
- Consultants/Presenter’s Guide
- Unbranded PowerPoint source file (with over 60 information slides)
With our pack you get all this by email, with no branding on the material whatsoever (source files available on request)!
20 Q&A Drop Downs
REGULATION PROVIDE FULL HARMONISATION OR WILL THERE BE DIFFERENCES BETWEEN MEMBER STATES?
These are but a few of the numerous obligations that arise out of data protection regulation. Based on the broad definition of personal data as any information relating to an identified or identifiable individual, it is safe to assume that, effectively, every company will be affected by the GDPR.
The obligation to notify data processing activities will no longer exist under the GDPR. In general, there are fewer contacts with data protection authorities under the GDPR (except, among others, data breach notifications or negative data protection impact assessments). The European Commission considered that the notification obligation had resulted in a formalistic approach towards data protection compliance. Instead of notifying the public authorities, the GDPR will oblige companies to maintain up-to-date internal records on their processing of personal data, containing similar information to the current notifications. Hence, existing notification documents can provide a useful starting point for these internal records. Needless to say, the obligation to keep up-to-date internal records will place a significant burden on controllers.
However, and subject to certain conditions, SMEs will be exempt from this obligation.
The obligation to keep and update internal records must be read as part of the GDPR’s aim to ensure that companies install a data protection culture in their everyday operations. In the same vein, the “accountability” requirement obliges data controllers to demonstrate compliance with the data protection principles.
By specifically referring to accountability, the GDPR is likely to shift the manner in which organisations and DPAs approach data protection compliance, encouraging data controllers to do so in a more pro-active (and effective) manner. Actions to comply with the principle of accountability include: (i) implementing internal and external policies and compliance procedures; (ii) keeping detailed and up-to-date documentation on the processing of personal data (see Question 3); (iii) carrying out data protection impact assessments for high-risk processing operations; (iv) applying data protection by design and by default; (v) ensuring security and confidentiality by all internal and external parties involved in data processing operations; (vi) carrying out audits and certification (see Question 8); and (vii) appointing a Data Protection Officer (see Question 17). Depending on the situation, these actions are obligatory under the GDPR.
For processors or controllers established in the EU, the GDPR applies to all processing of personal data in the context of the activities of EU establishments.
Controllers or processors that are not established in the EU may also be subject to the GDPR when they offer goods or services in the EU or monitor data subjects’ behaviour taking place in the EU.
To determine what is deemed to be “appropriate”, the controller must take account of the nature, scope, context and purposes of the processing as well as the risks, and their severity, in relation to the rights and freedoms of individuals. In other words, strict compliance measures will be required for high-risk processing, whereas lower standards can be applied to operations that are unlikely to pose any risk. For instance, controllers may be exempt from the obligation to notify data breaches if the risk is very low and data protection impact assessments are only required for high-risk operations.
While under Directive 95/46/EC consent could be inferred from an action or inaction, by requiring the data subject to make a statement or a clear affirmative action to express consent, the GDPR eliminates the possibility of implicit or ‘opt-out’ consent.
Furthermore, consent must be specific to each data processing operation, and “clearly distinguishable” from any other matters in a written document. The GDPR also allows data subjects to withdraw consent at any time, making it “as easy to withdraw consent as to give it”.
Controllers must inform the data subjects of their right to withdraw consent before consent is actually given. In order to be “freely given”, there must be a genuine and free choice and the data subject must be able to withdraw or refuse consent without detriment. The recitals of the GDPR introduce a presumption that consent is not freely given if there is an imbalance of power between the data subject and the controller, especially where the controller is a public authority.
There are some more specific cases of consent. The processing of sensitive categories of data requires ‘explicit’ consent. In the case of minors (below 16 years of age), parental consent is required. If provided for by national law, a lower age than 16 is acceptable, but not lower than 13.
DPAs shall encourage the development of codes to take account of the specific features of particular industries and sectors. Where a DPA approves a code, adherence can be relied upon by organisations to demonstrate compliance with other aspects of the GDPR. Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism may therefore use these tools to demonstrate compliance with the GDPR standards or specific obligations thereunder, such as the adoption of appropriate security measures.
Data protection seals and certification marks allow controllers to show their compliance to data subjects in a way which is objectively verifiable. For data processors, certification may be a means to show the controller that they are a trustworthy partner.
The list of information that needs to be given to data subjects is expanded under the GDPR. Controllers must for instance also disclose for how long data will be stored, and inform data subjects of their rights to withdraw consent (if applicable), their right to request access, rectification or erasure and restriction of processing, as well as their right to lodge a complaint with the DPA and the contact details of the DPO (if any). If the processing operation is based on the controller’s legitimate interest, the controller must also explain to the data subject for which legitimate interest it will use the data, and if the data are transferred to a third country which is not recognised as giving adequate protection through its national laws, the data subjects must be informed about the safeguards that the controller has put in place to protect the personal data. When the data have not been obtained directly from the data subject, the controller must explain how it obtained the personal data.
Vague or legalistic language will be banned under the GDPR. Information must be intelligible and easily accessible, using clear and plain language that is tailored to the appropriate audience. The GDPR also permits the use of standardised icons to inform data subjects.
Data subjects have the right to object to the use of profiling (depending on the legal basis of the processing and any possible overriding interest of the controller). Automated profiling which significantly affects the data subject is, in most cases, only permitted when it is necessary for the performance of a contract or a legal obligation, or with the explicit consent of the data subject.
The GDPR also prohibits profiling decisions based on sensitive personal data, and systemic use of profiling will require a prior data protection impact assessment.
If the controller wishes to hire a processor, the controller must select one “providing sufficient guarantees to implement appropriate technical and organisational measures” to ensure the protection of the rights of the data subject and comply with the GDPR.
Next, the controller must sign a contract with the processor setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, including the appropriate security measures.
The GDPR also gives controllers better insight on the use of subcontractors. The processor cannot outsource the processing to a sub-processor without the written consent of the controller.
Processing should be done in compliance with the instructions of the controller and the requirements set by law. The processor should keep records of their processing containing certain elements of information.
Should the processor call upon a sub-contracted processor, this party’s involvement will need to be agreed to by the controller. This party will also be subject to the same legal requirements incumbent upon the initial processor.
The processing of data should be governed by a contract (see Question 11) or other legal act under EU or Member State law, binding the processor to the controller. This should take into account the specific tasks and responsibilities of the processor in the context of the processing, and the risk to the rights and freedoms of the data subject. After the processing activities have been completed, the processor should either return the data to the controller or erase it, as per the controller’s choice.
Moreover, in the case of any material or immaterial damages arising from violations of the GDPR with respect to data subjects, both controllers and processors can be held liable. A processor will only be exempt from liability if it can prove that it is not in any way responsible for the event giving rise to the damage.
Pseudonymous data is not exempt from the scope of the GDPR and thus remains subject to the data protection requirements. Nevertheless, due to its lower level of privacy intrusion, the GDPR foresees a less stringent regime for the processing of pseudonymous data, creating incentives for data controllers to use this technique. Amongst others, the GDPR provides that pseudonymisation may facilitate processing personal data beyond the original collection purposes; may constitute an important safeguard for processing personal data for scientific, historical and statistical purposes; and may facilitate compliance with the GDPR’s data security and data by design requirements.
When a controller becomes aware of a data breach, it must notify the competent DPA without undue delay and ultimately within 72 hours (except where reasonably justified). Notification to the DPA is not required when the breach is “unlikely to result in a risk for the rights and freedoms of individuals”. When required, the notification must:
(i) describe the nature of the personal data breach, including the number and categories of data subjects and data records affected;
(ii) provide the data protection officer’s contact details;
(iii) describe the likely consequences of the data protection breach; and
(iv) describe how the breach will be addressed, including any mitigation measures taken or proposed.
When the breach is “likely to result in a risk for the rights and freedoms of individuals”, and subject to limited exceptions, the controller must also communicate information relating to the breach to the data subject without undue delay.
Controllers should prepare for this obligation by adopting clear policies for the management of data breaches, which allocate responsibilities and set out the procedures to be followed. This facilitates taking important decisions within the strict timelines imposed by the GDPR in case of a data breach.
This right builds upon the right to be forgotten identified by the European Court of Justice in the Google Spain v AEPD and Mario Costeja González case in 2014. The Court in that case required search engines to remove, at a person’s request, links to webpages that appear when searching that person’s name. The search engine could only refuse to comply with this request if it was in the “preponderant interest of the general public” to have access to the information in question.
The GDPR codifies this right, which will apply to all controllers (and not only to online search engines). Under the GDPR, controllers must erase data “without undue delay” if the data is no longer needed, the data subject objects to processing, or the processing was unlawful.
This right will, however, have to be balanced against freedom of expression, public health interests, scientific and historical research, and the exercise or defence of legal claims as well as regulatory requirements for reporting and record keeping.
Importantly, the right to data portability only applies when processing was originally based on the user’s consent or on a contract, and does not apply to processing based on a public interest or the controller’s legitimate interests.
The GDPR also sets out a profile description of the DPO: he or she must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO may be a staff member or external consultant and may have other (internal or external) tasks in addition to the role of DPO.
The DPO must ensure compliance within the company and therefore may need to defend the interests of data subjects against the (economic) interests of the company. Therefore, the DPO must be independent in the company’s organisation, and report to the highest level of management. The DPO is also protected against dismissal or other sanctions for performing his or her tasks.
The data protection officer’s tasks include:
(i) informing and advising the company on data protection compliance;
(ii) advising as regards data protection impact assessments;
(iii) monitoring compliance with relevant data protection provisions, which includes, for instance, training of staff members and related audits; and
(iv) cooperating with, and acting as a contact point for, DPAs.
If the recipient of personal data is not established in such a “safe” third country, the transfer will only be permitted if the parties to the transfer provide adequate safeguards. For transfers between private companies, these measures can still take the form of model contracts adopted by the European Commission or the national DPAs, as well as approved Binding Corporate Rules for intra-group transfers. In addition, the GDPR allows safeguards to be adduced by an approved code of conduct or certification mechanism. However, any selected safeguard must ensure that data subjects can enforce their rights and that effective legal remedies are available to the data subjects in relation to the transfer.
The DPA of the main establishment of a multinational group of companies will determine the lead authority which will act as a one-stop-shop for the group’s data protection enforcement. However, there are some significant limitations to the one-stop-shop principle. The lead authority will cooperate with other concerned authorities on the basis of mutual assistance. Joint operations have been put in place, for instance, to monitor the implementation of a measure concerning a controller or processor established in another Member State.
In specific cases, the EDPB must issue an opinion to a DPA, or act as a dispute resolution body by adopting binding decisions, for instance when a DPA expresses an objection to a draft decision of the lead authority.
On the operational level, preparation begins with assessing your current situation in order to become familiar with your data processing activities. Based on these findings, which may require conducting a data protection audit, you will need to assess the impact of the GDPR – for each obligation – on your data processing activities and identify the gaps. Next, you will need to set your priorities in addressing the gaps, taking into account the relevant risks.
Data protection compliance is an ongoing exercise. This means that policies, procedures and security measures will have to be monitored and regularly reviewed, and also the changes in processing of personal data will have to be captured and documented, with, amongst other things, staff awareness being raised and maintained.
A ready-made presentation with notes, handouts and PPT format for only
Just a quick note to let you know that our affiliate scheme for consultants, advisers and contractors has been increased to 50% for all affiliates with immediate effect – so if you know anyone needing policies, procedures, presentations or a Compliance Manual, you can earn up to 50% back!