GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

Transcription

1 GDPR Awareness Kevin Styles Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

2 Introduction Privacy and data protection are fundamental rights protected by EU law providing a legal basis to support the rights of data subjects under the GDPR What is GDPR? General Data Protection Regulation Will supersede existing Data Protection Act 1998 Fundamental rights of privacy and data protection

3 What is Data Protection? Aims to protect the privacy of individuals and prevent misuse of their information Natural Persons, Data Subjects Categories of data Personal data Name, address, address, DOB, mobile number, passport number, NI number etc. Also now includes IP address and cookies Special categories of data Specific categories of personal data that require extra protection under data protection law e.g. Ethnicity, race, health, sexual orientation, Trade union, biometric, religious beliefs, political opinions

4 Who enforces data protection? Supervisory authorities in member states In the UK, Information Commissioners Office (ICO). To what does the GDPR apply? Processing of personal data Processing any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

5 Data Processing Principles (Article 5) Controllers and Processors are responsible for, and must take action to, demonstrate compliance

6 To whom does GDPR apply? Data subjects Controllers and Processors established in the EU, regardless of where any processing takes place Controllers and Processors not in the EU Offering goods or services in the EU Monitoring behavior of data subjects Controllers not established in the EU, but in a place where member state law applies via international law

7 Data Controllers and Processors Controllers Natural or legal person, public authority, agency or other body which alone, or jointly with others, determines the purposes and means of the processing of personal data Controllers determine: What data is required; what data will be used for; how data will be used/processed; how data will be stored; how data will be protected; how data will be disposed; who can process the data. Joint Controllers Alone or jointly with others, determines the purposes and means of personal data processing Must have arrangement in place between them to apportion data protection compliance responsibilities of each Controller

8 Responsibilities of the Controller include: Providing information to the data subjects Ensuring the process has a legitimate basis Ensuring data subjects rights are honoured Carrying out Data Protection Impact Assessments (DPIA) Ensuring appropriate security for data Notifying Supervisory Authorities and data subjects of breaches What is a Personal Data Breach? a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, transmitted, stored or otherwise processed

9 Processors natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller Works under contract for the controller Obligations under the Regulation include: Act only on the instructions of the controller Ensure appropriate security to protect personal data is in place Can subcontract the work only on written agreement from controller Shares liability for data breaches with controller Can be legally pursued by data subjects for data breaches

10 Lawful Basis for Processing (Article 6) Consent Performance of a contract Legal obligation Vital interests Public interest or exercise of official authority vested in Controller Legitimate interest Most appropriate depends on purpose and relationship with the data subject Only need one of the above. No single lawful basis is best or more important than the others. If you cannot demonstrate a lawful basis for processing personal data you should not be processing it

11 Data Subject Rights (Articles 12 23) Right to be informed Right of access Right of rectification Right to erasure Right to restriction of processing Right to data portability Right to object Automated decision making / profiling

12 Demonstrating Compliance Accountability delivering demonstrable compliance via risk management. Privacy notice Data Protection Impact Assessment (DPIA) Privacy by Design and Default Documentation Training DPO

13 International Data Transfers Article 45(1) A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection Adequate countries EU-US Privacy Shield Standard contractual clauses Binding Corporate Rules (BCR Article 47) Explicit consent Approved codes of conduct (Article 40) Approved certification (Article 42)

14 Considerations for PSCM Practitioners Review supplier contracts where personal data transfer occurs Determine relationship with suppliers and clients Supplier compliance Contracts between Controllers and Processors Contracts between Controllers and Controllers Model Clauses Controller to Controller Controller to Processor International data transfers Inclusion in tenders LOGIC Ts&Cs? FPAL?

15 Any questions?