GDPR – Data Protection Law on Steroids?
Benjamin White, Head of Intellectual Property
Increasingly political / contentious human right.
What is personal data?
• Anything that allows you to identify a living individual
• Any opinion about an identifiable living person
Examples of Personal Data
• Names
• Addresses
• Opinions on a named person
• NI No / IP address / student card No / library card No etc.
• A comment that allows you to discover who that person is, e.g.:
• “Not only has he been untruthful about the amount of money that can be paid weekly into the NHS; the pictures of him on that zip wire waving the Union Jack – please!”
What is sensitive personal data?
• Particularly sensitive data that relates to a living person.
Examples of Sensitive Personal Data
• Religious / philosophical
• Political
• Sexual / sexuality
• Trade union activities
• Corporate or industry
• Illegal / criminal / bad behaviour / bullying / malpractice
• Race or ethnicity related
• War / violence / Northern Irish Troubles / military activity
• Medical or health related
• Scurrilous content / gossip / rumours etc.
GDPR – Data Protection Law
• Creates rights for people.
• Places obligations on those using the personal data of European citizens (anywhere in the world).
• You must have a legal basis for using personal data and sensitive personal data.
• ICO powers: infringement can result in fines of up to €20,000,000, public rulings from the ICO, cease and desist requirements etc.
• Reputationally, getting this wrong can be very damaging indeed.
GDPR – Grounds for Processing Personal Data (not sensitive personal data)
• Permission from the person (consent).
• Medical emergency (vital interests).
• Legitimate interests of the organisation using personal information, balanced against the interests of the person whose data is being used.
• Contractual relationship (current or future contract).
• Legal obligation.
• Necessary for performing a task in the public interest, or in the exercise of official authority.
To Do List: Fees – smoke and mirrors?
• Registration is no longer required by the GDPR but …
To Do List: Privacy Notices – Transparency
• Need to be looked at to ensure:
1. Plain English, easy to understand.
2. They are short.
3. No pre-populated tick boxes.
4. Clearly shows what is happening to personal data.
5. Explains your grounds for processing data.
To Do List:
• Must document your processes, what personal data you use, who you share it with, and how you protect people’s privacy throughout your organisation (may have to supply this to the ICO).
• Information audit?
• PIAs (privacy impact assessments)
• Check your contracts and privacy notices are up to date
• Retention schedules
• Any IT procurements must be GDPR compliant (privacy by design)
• Any activities such as marketing should be checked for grounds for processing, as public authorities (PAs) lose the legitimate interests ground when acting within their public task.
• Can you anonymise the data? (Research)
To Do List: Legitimate Interests and Public Authorities
• Your grounds for processing may have changed.
• DCMS: outside the public task, CHIs and universities, according to DCMS indications, will still be able to rely on the legitimate interests ground for processing.
• Do you need to get consents again with the loss of the legitimate interests ground?
Archiving in the public interest (API) / Research exemptions (RE)
• Exemptions from:
• Right to be informed of processing (API) (RE)
• Right to be informed of safeguards for third party transfers (API) (RE)
• Right to amendment (API) (RE)
• Right to stop processing (API) (RE)
• Right to move your data (API)
• Right to object to processing (API) (RE)
• Right that third parties are also informed of erasure (right to be forgotten), amendment etc. (API)
Legal Basis for Archiving in the Public Interest
• Statute
• Public task statements
• University constitutional documentation
• Compliance with codes of conduct
What is Research?
• Scientific, historical, statistical
Codes of Conduct
• Important: if you follow them you are less likely to have problems with the ICO.
• e.g. archiving (UK / EAG), marketing etc.
• There may be certification schemes.