Funded by City Bridge Trust, the #CyberSafeLambeth initiative offers free GDPR training for charities in Lambeth
Individuals who lead IT within charities will be able to attend free General Data Protection Regulation (GDPR) compliance and cybersecurity training, where they will be given expert guidance, support and instruction, thanks to new funding by City Bridge Trust.
#CyberSafeLambeth is a training programme that educates IT-manager-level staff in local charities about GDPR and offers the insight and knowledge needed to overcome cybersecurity threats and work more effectively.
The in-depth training programme will run across a number of days and will educate Lambeth-based charity IT professionals about key aspects of cybersecurity and the implications of GDPR, which comes into force from 25 May 2018.
The programme, which is being funded by City Bridge Trust, will require all trainees to commit to help at least one other, smaller Lambeth charity through The Integrate Agency CIC’s innovative ‘Hire a Volunteer’ platform.
This world-class training opportunity will be available for Lambeth-based IT-manager-level charity professionals. Each will be taught about threats and trends within the industry, providing them with the skills and know-how to confidently meet the requirements of GDPR.
Eoin Heffernan, Founder of Integrate said: “We are delighted to be able to offer cybersecurity training to local charities and reach out to train charity IT professionals working in the London Borough of Lambeth.
Overview
- Where does it come from? ‘How do we collect data’
- What do we do with it? ‘How do we process and store data’
- Where does it go? ‘Who do we share data with’
#CyberSafeLambeth | @IntegrateUK
GDPR Article Flow
- Article 24 – Responsibility of the Controller; consider:
  - Article 6 – Lawfulness of Processing
  - Article 7 – Condition for Consent
  - Article 7 – Contract
- Rights of the Data Subject:
  - Article 12 – Transparent information
  - Article 13 – Information to be provided (Privacy Statement)
  - Article 14 – Information to be provided
  - Article 15 – Right of access
  - Article 16 – Right to rectification
  - Article 17 – Right of erasure (‘to be forgotten’)
  - Article 18 – Right to restriction of processing
  - Article 19 – Notification obligation
  - Article 20 – Right to data portability
  - Article 21 – Right to object
  - Article 22 – Automated decision making and profiling
- Article 9 – Special Categories; consider:
  - Point of data capture
  - Data type
  - Data storage and processing
- Article 32 – Security of processing
- Article 35 – Privacy Impact Assessment
- Article 25 – Privacy by Design / Default
- Processor: Article 28 – Processor; consider: hosted or on premise
- Article 13 – Privacy Statement
GDPR Article Flow – Evidence
Article 5(2): ‘The controller shall be responsible for, and be able to demonstrate compliance’
Article 30: ‘Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility’
Background
European law:
- Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States.
- Directives lay down certain results that must be achieved, but each Member State is free to decide how to transpose directives into national laws.
General Data Protection Regulation (EU) 2016/679 (GDPR) comes into effect 25th May 2018, replacing EU Directive 95/46/EC, the Data Protection Directive (in the UK, the ‘Data Protection Act 1998’).
It introduces a single set of rules for all EU member states and extends the scope of EU data protection law to all foreign companies processing data of EU residents.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
General Data Protection Regulation – Main Points
So, what does GDPR actually do?
- It defines what is meant by ‘personal data’
- It confers rights on ‘data subjects’
- It places obligations on ‘data controllers’ and ‘data processors’
- It creates principles relating to the processing of personal data
- It provides for penalties for failure to comply with the above.
GDPR Content Breakdown
- 173 Recitals of explanatory text
- 11 chapters covering 99 Articles, including:
  - General provisions
  - Data protection principles
  - Rights of the data subject
  - Obligations on controllers and processors
  - Transfer of personal data to third countries or international organisations
  - Independent supervisory authorities
  - Cooperation and consistency between member states
  - Remedies, liability and penalties
  - Provisions relating to specific processing situations
GDPR General Provisions – Article 5(2)
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The onus is on data controllers and processors to demonstrate compliance:
- Review all contracts
- Review the Privacy Statement (web and paper)
- Joint responsibility throughout the supply chain
- Both must have robust security measures, regularly tested and certified
- Processors must report breaches to controllers and must assist with investigations
- Both could be subject to penalties.
Personal Data Definition – Mostly Unchanged (Article 4(1))
European Commission statement:
"Personal data is any information relating to an individual, whether it relates to his or her private, professional* or public life. It can be anything from a name*, a photo*, an email address*, bank details, posts on social networking websites, medical information, or even a computer’s IP address."
Art. 4(1):
"Personal data" means any information relating to an identified or identifiable person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
* staff information we publish on the web
DPA vs GDPR Principles (Article 5)
- DPA: Fair and lawful processing. GDPR: Processed lawfully, fairly and in a transparent manner.
- DPA: Specified and lawful purposes (and not incompatible). GDPR: Collected for specified, explicit and legitimate purposes (and not incompatible); further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- DPA: Adequate, relevant and not excessive. GDPR: Adequate, relevant and limited to what is necessary (data minimisation; pseudonymisation as soon as possible).
- DPA: Accurate and up-to-date. GDPR: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- DPA: Not kept for longer than is necessary. GDPR: Kept in a form which permits identification of data subjects for no longer than is necessary; longer periods are possible if processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- DPA: Appropriate security. GDPR: Ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- DPA: Not transferred outside the EEA. GDPR: Gone – GDPR compliance requirements should ensure that any non-EEA or cross-border processing is secure, legal and compliant.
Sensitive Personal Data (Article 9)
DPA – “Sensitive Personal Data”:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health
- Sexual life
- Offences and criminal proceedings
- Biometric data: not included
- Genetic data: not included
GDPR – “Special Categories”:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health
- Sex life or sexual orientation
- Criminal convictions and offences or related security measures are not sensitive and are treated separately
- Biometric data for the purpose of uniquely identifying a natural individual. (A biometric is "A measurable physical characteristic or personal behavioural trait used to recognise the identity of an enrolee or verify a claimed identity." ... A face is then a biometric. Scars or tattoos can be if they are able to do the above. The same biometric can be in many forms: photographs, digital images.)
- Genetic data
Principles (Article 5)
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (‘accuracy’);
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Processing Data (Article 9)
- What data is actually required?
- Why is it held? Legal basis
- Data minimisation: hold as little as is required to deliver the function
- Who processes it? Capture and further processing
- ‘Need to know’ access: potential impact on culture?
- How is it processed?
- When is it processed?
- Data return or disposal?
Define the lawful basis for processing data:
- 6(1)(a) – Consent of the data subject
- 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- 6(1)(c) – Processing is necessary for compliance with a legal obligation
- 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Consent (Article 7)
Consent must be freely given, informed, specific and explicit.
- Ability to withdraw consent; an intelligible and easily accessible form, with clear and plain language
- Not to be implied: requires a clear statement or positive affirmative action, and must be distinguished from other matters
Consent (Article 7, cont.)
The controller must demonstrate that the data subject has given consent.
- It must be as easy to withdraw as it is to give consent
- If consent is not appropriate, use another lawful basis
- Inform data subjects that they have the right to withdraw consent at any time
Privacy
Privacy procedures – what changes are needed?
There is no one-size-fits-all: the content of these procedures should be based on an organisation’s processing operations and current risk processes and procedures. You will need to consider how these requirements will be met in the HR context and document the measures taken to ensure compliance in each case.
The GDPR introduces new privacy concepts and requirements, for example:
1. Privacy by design and default
2. DPIAs
3. New data subject rights
4. Mandatory breach notification
Rights of the Data Subject
Data subject rights:
- Information (Articles 13 and 14)
- Access (Article 15)
- Rectification (Article 16)
- Erasure (right to be forgotten) (Article 17)
- Restrict processing (Article 18)
- Data portability (Article 20)
- Object to processing (Article 21)
- Automated decisions and/or profiling (Article 22)
Rights of the Data Subject – Privacy Procedures
Points to consider and include in the procedure:
- New data subject rights covered
- Time periods for complying with requests
- How to identify requests
- How a request is processed
- What the criteria are for approving or refusing a request
- How decisions are documented
- How requests to extend the time period for responding are documented, and what the organisation’s criteria are for requesting an extension
- Who should own this procedure
- How often it should be reviewed and updated
- How compliance can be monitored / demonstrated
Transparency and Modalities (Article 12)
- Obligation on the controller to provide information in a legible format, usually by electronic means
- Controllers can provide information verbally to a verified data subject
- Obligation to facilitate the rights of the data subject
- Required to act upon SARs without undue delay or within one month
- Can extend by a further 2 months but must notify the reason for delay within one month
- No charge for copies of data unless manifestly unfounded or excessive
Privacy Notices – Article 13: Information to be provided where personal data are collected from the data subject
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
a. The identity and the contact details of the controller and, where applicable, of the controller’s representative;
b. The contact details of the data protection officer, where applicable;
c. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d. The recipients or categories of recipients of the personal data, if any;
e. Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.
2. In addition, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
b. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability.
c. Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
d. The right to lodge a complaint with a supervisory authority.
e. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
f. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.
Rights of the Data Subject – Right of Access (Article 15)
- The right exists now, but the response time is reduced to 1 month, down from 40 days; it can be extended if the request is complex
- Can no longer charge £10 for processing, but can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive
- Responses must provide context as to why the data is held
Subject Access Requests (Article 15)
- No fee
- Recipient has 1 month (not 40 days) to respond
- Can refuse or charge for requests if manifestly unfounded or excessive
Controller must inform the individual of:
- Purposes of processing
- Categories of data
- Source of data
- Any automated decision making
- Transfers of data
- Storage period
- Right to request rectification/erasure or restriction of processing or objection
- Right to complain to the supervisory authority and seek judicial remedy
Rights of the Data Subject – Right to Rectification (Article 16)
Must be actioned within 1 month.
Rights of the Data Subject – Right to Erasure (Article 17)
Does not provide an absolute ‘right to be forgotten’ but allows for personal data to be erased and to prevent processing in specific circumstances:
- Where the data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- The data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- The data has to be erased in order to comply with a legal obligation
Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if processing causes damage or distress, this is likely to strengthen the case for erasure.
Rights of the Data Subject – Right to Restrict Processing (Article 18)
- Accuracy is contested
- Unlawful processing
- No longer required, but the individual opposes erasure
- The individual objects to processing (Article 21(1))
Rights of the Data Subject – Right to Data Portability (Article 20)
Allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to data portability only applies:
- To personal data an individual has provided to a controller;
- Where the processing is based on the individual’s consent or for the performance of a contract; and
- When processing is carried out by automated means (not paper).
Data must be available within 1 month of the request.
Rights of the Data Subject – Right to Object (Article 21)
- Right to prevent direct marketing
- Immediate effect upon receipt
- No exemptions or grounds to refuse
Rights of the Data Subject – Right to Prevent Automated Decision-Making and Profiling (Article 22)
Individuals have the right not to be subject to a decision when:
- It is based on automated processing; and
- It produces a legal effect or a similarly significant effect on the individual.
Must ensure that individuals are able to:
- Obtain human intervention;
- Express their point of view; and
- Obtain an explanation of the decision and challenge it.
The right does not apply if the decision:
- Is necessary for entering into or performance of a contract;
- Is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
- Is based on explicit consent (Article 9(2)).
Rights of the Data Subject – Profiling (Article 22)
GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
- Performance at work
- Economic situation
- Health
- Personal preferences
- Reliability
- Behaviour
- Location
- Movements
Profiling must ensure that appropriate safeguards are in place:
- Fair and transparent: providing information about the logic involved, the significance and the envisaged consequences.
- Technical and organisational measures in place to enable inaccuracies to be corrected and minimise the risk of errors.
- Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
Automated decisions must not:
- Concern a child; or
- Be based on the processing of special categories of data unless: you have the explicit consent of the individual; or the processing is necessary for reasons of substantial public interest on the basis of State law.
Responsibilities – The Controller (Article 24)
Things to consider:
- Obliged to implement appropriate technical and organisational controls
- Be able to demonstrate that processing is in accordance with the regulation
- Appropriate data protection policies and procedures are in place
- Must only use processors who provide sufficient guarantees they will comply with GDPR
- Must ensure appropriate contracts are in place with processors
- Records of processing
- Cooperation with supervisory authorities
Responsibilities – The Processor (Article 28)
- The controller shall only use processors providing sufficient guarantees
- The processor shall not engage another party without prior authorisation
- Contracts with the processor must be binding and set out:
  - Subject matter and duration of processing
  - Nature and purpose
  - Type of personal data
  - Categories of data subjects
  - Obligations and rights of the controller
  - Specific terms to be included in the contract (Article 28)
Security and Data Breaches (Article 32)
Security of personal data, key measures:
- Pseudonymisation and encryption
- Confidentiality, integrity, availability and resilience of processing systems and services
- Ability to restore availability and access in a timely manner after an incident
- Process for regularly testing the measures
Take into account the risks of:
- Accidental/unlawful destruction
- Loss
- Alteration
- Unauthorised disclosure of, or access to, personal data
Mandatory Breach Notification (Articles 33/34)
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
GDPR introduces a duty on all organisations to report certain types of data breach to the ICO within 72 hours, and in some cases to the individuals affected:
- Where a breach is likely to result in a high risk to individual(s), they must be notified directly.
- A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
- Must review our internal reporting procedures and training
- Must maintain records of reports and investigations
Privacy By Design (Article 25)
- Privacy Impact Assessments for all new systems or processes where personal data is processed
- Regular risk assessments
- Documented mitigation: how is it justified? Justification for accepting risk
- Identify all overseas processing
- Review contracts
- Determine the supervising authority (local ICO equivalents)
Pseudonymous data
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. GDPR explicitly encourages organisations to consider pseudonymisation as a security measure. It can allow organisations to satisfy their obligations of "privacy by design" and may be used to justify processing that would otherwise be deemed "incompatible" with the purposes for which the data were originally collected; it could help with the legitimate interest problem.
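As an added illustration of the pseudonymous-data idea above (not part of the training material), the following Python keeps the re-identification "key" in a separate object from the pseudonymised dataset: a keyed HMAC replaces the direct identifier, analysis runs on the pseudonymised records without the key, and only the key holder can map a pseudonym back. The donor records, field names and e-mail addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not real people): a donor list as a small
# charity might hold it. "email" is the direct identifier to pseudonymise.
RECORDS = [
    {"email": "a.donor@example.org", "postcode": "SW9 8XX", "donation_gbp": 25},
    {"email": "b.donor@example.org", "postcode": "SW2 1YY", "donation_gbp": 40},
    {"email": "A.Donor@example.org", "postcode": "SW9 8XX", "donation_gbp": 10},
]


class KeyHolder:
    """Owns the secret key and the re-identification table.

    The point of pseudonymisation is that this object is kept apart from the
    pseudonymised dataset (different system, different access rights).
    Without it the records cannot be mapped back to a person.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonym(self, identifier: str) -> str:
        # Keyed HMAC rather than a plain hash: a plain SHA-256 of an e-mail
        # address can be matched by hashing guessed addresses; a keyed MAC
        # cannot be matched without the key. Canonicalise first so that
        # "A.Donor@..." and "a.donor@..." receive the same pseudonym.
        canonical = identifier.strip().lower()
        tag = hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = canonical
        return tag

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the key holder can do this; returns None for unknown tags."""
        return self._reverse.get(pseudonym)


def pseudonymise(records: List[dict], holder: KeyHolder,
                 identifier_field: str = "email") -> List[dict]:
    """Return copies of the records with the identifier replaced by a pseudonym."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k != identifier_field}
        new["subject_id"] = holder.pseudonym(rec[identifier_field])
        out.append(new)
    return out


def contains_direct_identifier(records: List[dict],
                               identifier_field: str = "email") -> bool:
    """Check that no record in the released set still carries the identifier."""
    return any(identifier_field in rec for rec in records)


def donations_per_subject(pseudo_records: List[dict]) -> Dict[str, int]:
    """Analysis that works on the pseudonymised set alone (no key needed)."""
    totals: Dict[str, int] = {}
    for rec in pseudo_records:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["donation_gbp"]
    return totals


def unkeyed_guess(identifier: str) -> str:
    """What someone holding only the dataset and a guessed address could
    compute: an unkeyed hash. It does not match the keyed pseudonym."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


if __name__ == "__main__":
    holder = KeyHolder()
    pseudo = pseudonymise(RECORDS, holder)
    print(pseudo)
    print(donations_per_subject(pseudo))
    print(holder.reidentify(pseudo[0]["subject_id"]))
```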
DPIA (Article 35)
- Privacy Impact Assessments for all new systems or processes where personal data is processed
- Regular risk assessments
- Documented mitigation
- Justification for accepting risk
Prior Consultation (Article 36)
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Other Requirements – Data Protection Officers (DPO) (Articles 37/38/39)
- Required in certain cases, where the core activities of the controller or processor involve:
  - Regular or systematic monitoring of data subjects on a large scale; or
  - Large-scale processing of special categories of data
- A single DPO for a group, provided he/she is easily accessible
- Professional qualities, knowledge and ability required
- Can be an employee or a contractor
Data Protection Officer (DPO) (Articles 37/38/39)
“I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.”
- Elizabeth Denham, The Information Commissioner
Data Breach (Articles 33/34)
- Article 33: The data controller shall, without undue delay and where feasible not later than 72 hours, notify the supervisory authority of a personal data breach.
- Exception: when the data breach is not high risk to the data subject.
- When notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
- Article 34: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Liabilities and Penalties – Compensation (Article 82)
- For material and non-material damage
- Liability of controllers and processors
Fines (Article 83)
- Fines up to €20 million or 4% of global turnover for a data breach (deliberate or accidental loss)
- Fines up to €10 million or 2% of global turnover for non-compliance with processing records or non-appointment of a Data Protection Officer
This will probably open us up to more access requests and more complaints.
Supervisory Authority (Article 51)
Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).
Supervisory Authority – Tasks (Article 57)
Each supervisory authority shall (sample of A.57):
- Monitor and enforce the application of this Regulation;
- Promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
- Promote the awareness of controllers and processors of their obligations under this Regulation;
- Upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
- Handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
- Cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
- Conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
- Conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
- Keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
- Fulfil any other tasks related to the protection of personal data.
Supervisory Authority – Investigative Powers (Article 58)
Each supervisory authority shall have all of the following investigative powers (sample of A.58):
- To order the controller and the processor, and, where applicable, the controller’s or the processor’s representative, to provide any information it requires for the performance of its tasks;
- To carry out investigations in the form of data protection audits;
- To notify the controller or the processor of an alleged infringement of this Regulation;
- To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
- To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
Supervisory Authority – Corrective Powers (Article 58)
Each supervisory authority shall have all of the following corrective powers (sample of A.58):
- To issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
- To issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
- To order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
- To order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
- To order the controller to communicate a personal data breach to the data subject;
- To impose a temporary or definitive limitation including a ban on processing;
- To order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
- To withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- To impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures referred to in this paragraph, depending on the circumstances of each individual case;
- To order the suspension of data flows to a recipient in a third country or to an international organisation.
Road to Compliance
1. Awareness – decision makers and key people
2. Information – document what you hold
3. Communicating privacy information – privacy notices
4. Individuals’ rights – facilitate data subject rights
5. Subject access requests – update procedures
6. Legal basis for processing – identify and document
7. Consent – review how you obtain and record consent
8. Children – review consent processes for minors
9. Data breaches – processes for detecting and reporting
10. Data protection by design and DPIA
11. Data protection officers – appoint one if required
12. International transfers – ensure appropriate legal basis
What Organisations Must Do (in a nutshell)
Implement “Privacy by Default” and “Privacy by Design”
Maintain appropriate data security
Notify of data breaches
Get appropriate consent for most personal data collection and provide notification of personal data processing activities
Get a parent’s consent to collect data for children under 16?
Keep records of all processing of personal information
Appoint a Data Protection Officer (if applicable)
Take responsibility for the security and processing activities of third-party vendors
Conduct Data Protection Impact Assessments on new processing activities
Institute safeguards for cross-border data transfers
Consult with regulators before certain processing activities
Be able to demonstrate compliance on demand
Provide appropriate data protection training to personnel having permanent or regular access to personal data
Next Steps
The GDPR – “accountability” and “demonstrating compliance”
What does this mean in practice?
“Just write stuff down...”
1. Appropriate policies and procedures
2. Training and awareness
3. Record keeping
4. Auditing, testing and monitoring compliance
5. Internal reporting
6. Documenting risk decisions
7. Evidence in process and procedure
Next Steps
It is vital that understanding and awareness of data protection is live within an organisation
All individuals and processor personnel who process or have access to personal data must be trained on their obligations under the GDPR
Training must be monitored and tracked, completion rates set for compliance and escalation processes put in place if training is not completed
Training should take place regularly, not just on induction
High risk or high volume processing should have specific bespoke training provided, for example in relation to health data, diversity monitoring data and criminal conviction checks
Next Steps
SPECIFIC ISSUES
Recruitment – do you provide applicants with an appropriate privacy notice explaining how their personal data will be used? Do you ensure that the personal data collected at each stage of the recruitment process is proportionate and necessary? Do you have clear arrangements with recruitment agencies?
Background checks – are these proportionate and only carried out once a job offer has been made?
Legal basis for processing – do you ask for consent when you have another legal basis for processing (e.g. the processing is necessary for you to comply with law or a duty on you as an employer)? Is your employee monitoring lawful?
Privacy notice – do you provide employees with a clear and transparent privacy notice explaining how their personal data is used and explaining their rights as a data subject?
Policies and processes – have you reviewed your data policies and processes for handling personal data?
Privacy assessments – do you carry out a privacy impact assessment prior to any new project?
Third party data processors – have you reviewed your contracts with third parties to ensure that they comply with the requirements of GDPR?
Subject access requests – do you have sufficient resource to deal with a likely increase in data subject access requests? Can you use technology to simplify finding and identifying information that may be disclosable?
Data minimisation – the scope of a subject access request can be reduced by minimising the amount of personal data you hold. Do you have a records retention policy in place? Are HR personnel and line managers aware that records they retain may be disclosable?
Next Steps
WHAT YOU NEED TO DO NOW
Create an information asset register – what personal information do you process, and where, why, how and with whom?
Review your recruitment processes and template documentation; map out your processes and procedures and align them with the GDPR Articles.
Review your employee privacy notices to ensure they meet the new requirements.
Review your processes and systems for dealing with data subjects’ rights and for monitoring employees.
Implement data governance policies, measures and training to ensure your HR department operates in accordance with the requirements of the GDPR.
Review your contracts with recruitment agencies and employment businesses.
Review your supply chain arrangements with data processors, such as IT and outsourced service providers.
Review the data you hold and your data retention policies and practices.
Actions Required – Information Audit
Columns of the audit grid: WHAT (Type), Source, WHY, Legal Basis, WHEN (Originally, Updated), Retention Period, Determined by, WHERE, WHO. Several cells in the grid span more than one row, so the values are listed per column in the order they appear on the slide.
WHAT (Type): Name; Address; Contact Details; Health Details; CV; Reference; CRB Check; Passport Details; Work Permit; Appraisals; Annual Leave; Disciplinary; Tax/NI; Bank Account; Pension Details | Name; Contact Details | Names; Address; Email; Mobile; Phone | Names; Address; Email; Mobile; Phone | Names; Email
WHY: Staff Admin; Direct Marketing
Source: Individual; Third Party; Third Party; Individual; Individual/Third Party; Individual/Third Party; Individual; Individual/Third Party; Individual/Third Party; Individual; Not Sure – Find out; Individual/Third Party; Individual; Individual; Not Sure – Find out
Legal Basis: Contract; Legal Obligation; Legal Obligation; Legitimate Interests – Staff Management; Contract; Contract; Contract; Vital Interests; Consent; Consent
WHEN (Originally): Pre-Appointment; Not Sure – Find out; Appointment; Pre-Appointment; At the time; At Request; At the time; Appointment; Appointment; First Contact; First Contact; Web Enquiries
WHEN (Updated): As required; Never; Never; Not Sure – Find out; Not Sure – Find out; Annually; Not Sure – Find out; Not Sure – Find out; As required; When notified; Annual Enrolment; Not Sure – Find out; Not applicable
Retention Period: Termination of Employment + 6; Copy not retained, record of Number only; Termination of Employment + 6; 3 years; End of Financial Year + 6; Not Sure – Find out; Termination of Employment + 70; Until staff leave; End of relationship unless enrolled in Alumni or consent withdrawn; End of relationship or consent withdrawn; Not Sure – Find out
Determined by: Employment Law/Limitation Law; CRB Code of Practice; Standard Practice; Tax Law; Employment Law; Duty of Care?; Data Protection; Data Protection; Data Protection; Not Sure – Find out
WHERE: HRMIS hosted on premise, NCG Data Centre; HRMIS hosted on premise, NCG Data Centre; Held on a 3rd Party cloud server hosted in the US; NCG Finance System hosted on premise, NCG Data Centre; Not Sure – Find out
WHO: Current staff member; Emergency Contact; Existing Students; Potential Students; Enquiries
Obtaining Consent
Use Opt-In boxes
Specify methods of communication
Email
Text
Phone
Recorded Call
Post
Ask for Consent to pass details to third parties for marketing and name or clearly describe those parties
Record when and how Consent was gained and exactly what it covers
Bought in Lists
Check the seller is a member of a professional body or accredited in some way
The product, service or ideals we are marketing are the same or similar to those that the individuals originally consented to receive marketing for
We only use the information on the lists for marketing purposes
We delete any irrelevant or excessive personal information
We screen the names on bought-in lists against our own list of people who say they don't want our calls (suppression list)
We carry out small sampling exercises to assess the reliability of the data on the lists
We have procedures for dealing with inaccuracies and complaints.
When marketing by post, email or fax we include our company name, address and telephone number in the content
We tell people where we obtained their details
We provide people with a privacy notice (where it is practicable to do so)
We tie the seller into a contract which confirms the reliability of the list and gives us the ability to audit
The seller can verify that the people on the list:
Gave specific consent to receive marketing from us
Were provided with readily accessible, clear and intelligible information about how their contact details would be used (e.g. privacy notices were easy to find and understand)
Were offered a clear and genuine choice whether or not to have their details used for marketing purposes
Took positive action to indicate their consent (e.g. ticked a box, checked a button, double opt-in or subscribed to a service)
Gave their consent reasonably recently (within the last six months); and
In the case of texts, emails or automated calls, gave specific consent to receive marketing by those means.
Marketing by Email
The individuals on the list have at least given a general statement that they are happy to receive marketing from us
Where the individuals haven't given specific consent, marketing is consistent with the context in which the information was provided and concerns a similar product, service or ideal
We have screened the names and addresses against the Mail Preference Service
Live Calls
We screen the numbers against the Telephone Preference Service (TPS) (or for corporate subscribers the Corporate Telephone Preference Service (CTPS))
We keep our own do-not-call list of anyone who says they don't want our calls
We screen against our do-not-call list
We display our number to the person we're calling
Automated Calls
We only make recorded calls where we have opt-in consent
We display our number to the person we are calling
Marketing by Email or Text
We only text or email with opt-in consent
We offer an opt-out by reply or unsubscribe
We keep a list of anyone who opts-out
We screen against our opt-out list
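The Obtaining Consent, Bought-in Lists and Marketing by Email or Text slides all come down to the same three records: what consent was given (when, how, and which channels and third parties it covers), who has opted out, and a screening step that checks a contact against both before a message goes out. The following Python is an added example written for this page, not code from the deck or from Integrate; the record field names, the sample contacts, and the use of a 182-day window to represent the "within the last six months" test for bought-in lists are all this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Means of communication listed on the "Obtaining Consent" slide.
CHANNELS = frozenset({"email", "text", "phone", "recorded_call", "post"})

# Assumed representation of "reasonably recently (within the last six months)".
SIX_MONTHS = timedelta(days=182)

# Constructed reference date for the sample data below (the GDPR start date).
SAMPLE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event: when it was gained, how, and exactly what it covers.
    Field names are this example's own, not taken from the slides."""
    contact_id: str
    given_at: datetime                      # when consent was gained
    method: str                             # how: e.g. "website opt-in box", "double opt-in"
    channels: frozenset                     # which means of contact it covers
    third_parties: frozenset = frozenset()  # named parties the details may be passed to
    source: str = "own collection"          # own form, or the bought-in list it came from


@dataclass
class MarketingRegister:
    consents: dict = field(default_factory=dict)  # contact_id -> ConsentRecord
    opt_outs: set = field(default_factory=set)    # suppression / opt-out list

    def record_consent(self, rec: ConsentRecord) -> None:
        # Refuse to store a record that does not say how consent was gained
        # or that names a channel the organisation does not recognise.
        if not rec.method:
            raise ValueError("consent record must say how consent was obtained")
        if not rec.channels <= CHANNELS:
            raise ValueError(f"unknown channel in {sorted(rec.channels)}")
        self.consents[rec.contact_id] = rec

    def record_opt_out(self, contact_id: str) -> None:
        """Anyone who opts out goes on the suppression list, whatever consent they gave."""
        self.opt_outs.add(contact_id)

    def may_contact(self, contact_id, channel, now, max_age=None):
        """Return (allowed, reason). Checks run in the order the slides imply:
        suppression list first, then existence, scope and (optionally) age of consent."""
        if contact_id in self.opt_outs:
            return False, "on opt-out/suppression list"
        rec = self.consents.get(contact_id)
        if rec is None:
            return False, "no consent recorded"
        if channel not in rec.channels:
            return False, f"consent does not cover {channel}"
        if max_age is not None and now - rec.given_at > max_age:
            return False, "consent older than permitted window"
        return True, "ok"

    def screen(self, contact_ids, channel, now, max_age=None):
        """Filter a campaign list down to the contacts that pass every check."""
        return [c for c in contact_ids if self.may_contact(c, channel, now, max_age)[0]]


def build_sample_register() -> MarketingRegister:
    """Constructed sample data: four contacts in different consent states."""
    reg = MarketingRegister()
    reg.record_consent(ConsentRecord(
        "c1", datetime(2018, 1, 10, tzinfo=timezone.utc),
        method="website opt-in box", channels=frozenset({"email", "post"})))
    # Bought-in list: consent exists but is almost a year old.
    reg.record_consent(ConsentRecord(
        "c2", datetime(2017, 6, 1, tzinfo=timezone.utc),
        method="double opt-in on seller's site", channels=frozenset({"email"}),
        source="bought-in list (constructed example)"))
    reg.record_consent(ConsentRecord(
        "c3", datetime(2018, 3, 1, tzinfo=timezone.utc),
        method="SMS keyword opt-in", channels=frozenset({"text"})))
    reg.record_opt_out("c3")     # c3 later replied STOP
    # "c4" never gave consent and has no record at all.
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    campaign = ["c1", "c2", "c3", "c4"]
    for cid in campaign:
        print(cid, reg.may_contact(cid, "email", SAMPLE_NOW, SIX_MONTHS))
    print("eligible for email:", reg.screen(campaign, "email", SAMPLE_NOW, SIX_MONTHS))
```

Passing `max_age=None` applies the ordinary checks (consent exists, covers the channel, no opt-out); passing `SIX_MONTHS` adds the recency test the deck applies to bought-in lists, so the same register serves both the organisation's own list and a purchased one.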
Faxes
The individuals on the list have specifically consented to receiving marketing faxes from us
We have screened their numbers against the Fax Preference Service (FPS)