
Getting Ready For GDPR

Learn about the basics of GDPR, significant changes, enforcement, and recent examples of breaches. Get guidance on data protection policies, subject access requests, data quality and retention, security measures, privacy impact assessments, consent, and more.


Presentation Transcript


  1. Getting Ready For GDPR. Simon Marks, Director, Marks Investigation Services

  2. Introduction
     • Back to basics
     • Significant changes
     • Sanctions, enforcement and recent examples of breaches
     Disclaimer: No reliance should be placed on the guidance given in this talk without first taking detailed professional legal advice. Nevertheless, feel free to ask questions; I will do my best to answer them!

  3. Data Protection is not a new concept
     • Data Protection legislation has been in place for 20 years (DPA 1998), and the key principles of that legislation are still very much in place and will be post-GDPR:
     • Fairly and lawfully processed.
     • Processed for limited purposes.
     • Adequate, relevant and not excessive.
     • Accurate.
     • Not kept for longer than is necessary.
     • Processed in line with the subject’s rights.
     • Secure.

  4. Data protection policy, responsibility, training
     • Has your business established an appropriate data protection policy?
     • Has it nominated a data protection lead?
     • Has it provided awareness training to all staff?

  5. Registration, privacy notices, subject access
     • Has your organisation registered with the ICO? You need to if you retain data on a computer.
     • Have you produced privacy notices that are readily available to individuals?
     • Does it have a process in place to recognise and respond to Subject Access Requests (SARs)?

  6. Subject Access Requests
     • The Right of Access is a fundamental requirement under GDPR.
     • The Data Subject has the right to obtain confirmation that their data is being processed lawfully and securely, and to learn what information is being held and why.
     • Will you be able to respond to a SAR (at no cost to the subject) at short notice?
     • Your ability to respond to a SAR will be your acid test of whether you have a process in place to understand and comply with your obligations under GDPR.

  7. Data quality, accuracy and retention
     • Is the personal data your organisation holds of sufficient quality to make decisions about individuals?
     • Is there a routine disposal of personal data that is no longer needed, in line with agreed timescales?

  8. Security
     • Has your business established an information security policy that is supported by appropriate security measures?
     • Does your business ensure an adequate level of protection for any personal data processed by others on your behalf (or transferred out of the EU)?

  9. Privacy Impact Assessments (PIAs)
     • Has your business established a process to ensure that new projects or initiatives are privacy proofed at the planning stage?

  10. “Data protection by design”
     • The ICO describes PIAs as follows:
     • The purpose of the PIA is to minimise privacy risks while meeting the aims of the project. Organisations can identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice. They can test this analysis by consulting people who will be working on, or affected by, the project… Conducting a PIA does not have to be complex or time consuming, but there must be a level of rigour in proportion to the privacy risks arising.

  11. Data protection by default
     • Key word: minimisation
     • GDPR requires the organisation (data controller) to implement appropriate technical and organisational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed.

  12. Data Protection Officer or lead
     • The ICO says:
     • It is important that someone in your organisation, or an external data protection adviser, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out the role effectively.

  13. Increased rights for data subjects
     • Right of data portability
     • Right to be forgotten

  14. Consent
     • Consent must be freely given, specific, informed and unambiguous. It must involve clear and affirmative action.
     • Pre-ticked boxes will not do. Consent cannot be inferred from silence or inactivity.
     • It must be kept separate from other terms and conditions, and the individual must be notified of simple ways to withdraw it.

  15. Security
     • Information may be stored on servers all over the world. There may be complex chains of contractors and subcontractors. The organisation may not know in which jurisdiction data is held.
     • Current ICO guidance confirms that organisations must retain control of personal data sent to the Cloud. The Cloud must not expose the organisation to risks that would not have arisen if the data had remained in its possession. It is good practice to encrypt before transfer to the Cloud.
     • Under the GDPR, data processors such as server providers based in the EU will have similar legal obligations to data controllers.
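The "encrypt before transfer to the Cloud" point above can be made concrete. The following is an added example, not part of the presentation or of any ICO material: a Go program that seals a personal-data record with AES-256-GCM under a key that stays with the controller, so the cloud provider holds only ciphertext and any tampering with the stored blob is detected on decryption. The record contents, the record ID and the function names (`NewKey`, `Seal`, `Open`) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record: the personal data the controller wants to place in cloud storage.
const sampleRecord = `{"name":"Jane Example","email":"jane@example.invalid"}`

// NewKey generates a fresh 256-bit key. In practice the key lives in the controller's own
// key store; it is never uploaded alongside the data, which is what "retaining control" means here.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The record ID is bound as associated data, so a
// ciphertext stored under one record cannot later be presented as belonging to another.
// Output layout: nonce || ciphertext+tag. The nonce is not secret and is stored with the blob.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal. Any modification of the stored bytes, or a mismatch
// between the record ID used at Seal time and now, makes GCM's tag check fail.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// What would be uploaded to the cloud provider: ciphertext only.
	blob, err := Seal(key, "record-0001", []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes of ciphertext (key retained on premises)\n", len(blob))

	// Simulate a modified blob coming back from storage: decryption must fail, not return garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, "record-0001", tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	// The genuine blob, under the right record ID, decrypts to the original record.
	pt, err := Open(key, "record-0001", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

The key is the only thing that makes the data readable, so key management (who holds it, how it is rotated, what happens on loss) is the control the organisation must actually own; the cloud provider receives nothing it can read, which is the property the ICO guidance quoted above is asking for.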

  16. Data Processors will have similar obligations to Data Controllers. They must:
     • Obtain consent from the Data Controller before they subcontract
     • Maintain a record of processing activities, as the Data Controller must do
     • Ensure appropriate security measures are in place
     • Train their staff in data protection compliance
     • Notify the Data Controller of any breaches
     • NB: GDPR sets out guidance for the required content of data processing agreements

  17. Reporting of data protection breaches
     • TELL IT ALL, TELL IT FAST, TELL THE TRUTH

  18. Sanctions and enforcement
     • Two levels of fines:
     • Up to 2% of global turnover (or 10 million euro, whichever is the greater)
     • Up to 4% of global turnover (or 20 million euro, whichever is higher)

  19. Cases
     • Data breaches by:
     • Sony (47,000 unique social security numbers stolen)
     • Zurich (46,000 customers’ data compromised. FSA imposed a fine of £2.2 million)
     • Yahoo (3 billion users)
     • eBay (145 million users compromised)
     • Equifax (220,000 customers affected)
     • RSA Security (40 million records stolen)
     • Facebook/Cambridge Analytica????

  20. GDPR – are you really going to be ready?
     • Only 6 weeks to go
     • But don’t panic…
     • Any Questions?
     • Simon Marks
     • simon@marksinvestigations.com
