From 25 May 2018 all public bodies must have a Data Protection Officer (DPO). The DPO must have ‘expert’ knowledge of both data protection law and practice. This session is directed at individuals within public sector organisations who will be acting as DPO, their deputies and those advising them.
Visit our website for more useful resources - https://www.brownejacobson.com/sectors-and-services/sectors/public-sector
4. Key points
• Comes into effect on 25 May 2018 across Europe
• Data Protection Bill issued to supplement GDPR in UK
• Main concepts and principles remain the same, but new
elements of GDPR enhance the provisions under the
DPA
• Some hefty fines…
7. Who has to comply?
• Data controller or data processor established in one
or more Member State(s)
• Data controller or data processor established
outside the EU and either it
– offers goods and services to data subjects in the EU or
– monitors the behaviour of data subjects in the EU
8. Key issues
• Principles and accountability
• Data protection by design and by default
• Lawful basis for processing
• Transparency
• Responsibilities of controllers and processors
• International transfers
• Rights of data subjects
• Breach notification
• Enforcement and compensation
9. Personal Data
“means any information relating to an identified or identifiable
natural person (‘data subject’)
An identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural
person;”
This means that an IP address or roll number
can amount to personal data
10. Special Categories
Article 9 now refers to “Special Categories of Personal Data”
rather than Sensitive Personal Data. This category includes
personal data revealing :
• racial or ethnic origin,
• political opinions,
• religious or philosophical beliefs, or
• trade union membership, and
• the processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person,
• data concerning health or
• data concerning a natural person's sex life or sexual orientation
11. Processing
• Will mean:
“any operation or set of operations which is
performed on personal data … whether or not
by automated means, such as collection,
recording, organisation, structuring, storage,
adaptation or alteration, retrieval,
consultation, use, disclosure by transmission,
dissemination or otherwise making available,
alignment or combination, restriction, erasure
or destruction;”
12. Principles
The GDPR requires:
a) Data to be processed lawfully, fairly and in a transparent
manner;
b) Data to be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is
incompatible with those purposes;
c) Processing of data should be adequate, relevant and limited
to what is necessary in relation to the purposes for which
they are processed;
d) Data to be accurate and, where necessary, kept up to date;
inaccurate data should be erased or rectified without delay;
13. Principles (cont.)
e) Data to be kept in a form which permits identification
of data subjects for no longer than is necessary for the
purposes for which the personal data are processed;
f) Data to be processed in a manner that ensures
appropriate security of the personal data, including
protection against unauthorised or unlawful processing
and against accidental loss, destruction or damage,
using appropriate technical or organisational
measures.
The data controller will be responsible for, and must be
able to demonstrate, compliance with these principles as
well as accountability.
14. Accountability is the key
• Registration abolished – but see Digital Economy Act
2017 in relation to a new fee mechanism
• Implement compliant policies and procedures
• Privacy by design and by default
• Privacy impact assessments
• Data Protection Officer mandatory for public bodies
15. Lawful basis for processing
In order for Personal Data to be processed lawfully you must be able to satisfy one of
the processing conditions below:
• 6(1)(a) – Consent of the data subject (must be clear affirmation)
• 6(1)(b) – Processing is necessary for the performance of a contract with the data
subject or to take steps to enter into a contract
• 6(1)(c) – Processing is necessary for compliance with a legal obligation
• 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or
another person
• 6(1)(e) – Processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller
• 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the
controller or a third party, except where such interests are overridden by the
interests, rights or freedoms of the data subject (this last one does not apply
to processing carried out by public authorities in the performance of their tasks)
16. Lawful basis for processing special
categories
In order for special categories of data to be processed lawfully you must be
able to satisfy one of the following conditions below:
• 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is
prohibited by EU or Member State law
• 9(2)(b) – Processing is necessary for carrying out obligations under
employment, social security or social protection law, or a collective
agreement
• 9(2)(c) – Processing is necessary to protect the vital interests of a data
subject or another individual where the data subject is physically or
legally incapable of giving consent
17. Lawful basis for processing special
categories
• 9(2)(d) – Processing carried out by a not-for-profit body with a
political, philosophical, religious or trade union aim provided the
processing relates only to members or former members (or those
who have regular contact with it in connection with those
purposes) and provided there is no disclosure to a third party
without consent
• 9(2)(e) – Processing relates to personal data manifestly made
public by the data subject
• 9(2)(f) – Processing is necessary for the establishment, exercise or
defence of legal claims or where courts are acting in their judicial
capacity
18. Lawful basis for processing special
categories
9(2)(g) – Processing is necessary for reasons of substantial public
interest on the basis of Union or Member State law which is
proportionate to the aim pursued and which contains appropriate
safeguards
9(2)(h) – Processing is necessary for the purposes of preventative or
occupational medicine, for assessing the working capacity of the
employee, medical diagnosis, the provision of health or social care or
treatment or management of health or social care systems and
services on the basis of Union or Member State law or a contract with
a health professional
19. Lawful basis for processing special
categories
9(2)(i) – Processing is necessary for reasons of public interest in the area of
public health, on the basis of Union or Member State law providing suitable safeguards
9(2)(j) – Processing is necessary for archiving purposes in the
public interest, or scientific and historical research purposes or
statistical purposes in accordance with Article 89(1)
20. Consent and explicit consent
• Consent:
“Any freely given, specific, informed and unambiguous indication of
the data subject’s wishes by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the processing of
personal data relating to him or her”
• Explicit consent
• Re-papering consents - recital 171
• Article 29 WP guidance
21. Consent
• As the consent must be freely given it cannot be bundled in with
other consents
• Withdrawal of consent should be as easy as grant of consent
• Purpose limited
• Demonstrate - Burden on authority to show consent freely given
Action - Review how you seek, obtain and record consent and whether
you need to make changes
22. Consent and Public Authorities
• Article 29 WP Guidance provides that public
authorities will find reliance on consent difficult
• Imbalance of power between the parties – lack of
freely given consent
• “No realistic alternatives to accepting the
processing”
• Potentially misleading where other lawful bases
exist
• Alternative lawful bases should be sought
24. Individuals’ rights (1)
1. Right to information (Articles 13 and 14)
• Fair processing notice
2. Subject access rights (Article 15)
• Free
• One month to comply (unless complex)
3. Right to rectification (Article 16)
• Data accuracy
25. Individuals’ rights (2)
4. Right to erasure (right to be forgotten) (Art 17)
• Right to erasure in certain circumstances
5. Right to restrict processing (Art 18)
6. Right to data portability (Art 20)
• Ability to move data
• Machine readable format
7. Right to object (Art 21)
8. Rights in relation to automated decision making and profiling (Art
22)
26. Right to Information
Must provide the following to data subjects at the point of collection (or, where
the data is obtained from another source, within a reasonable period):
• Identity and contact details of data controller and DPO
• Intended purpose of processing and period it will be stored
• Existence of rights: access, rectification, object and erasure
• Right to complain internally and to a supervisory authority
• Categories of recipients to whom data will be disclosed
• Information must be concise, transparent, intelligible and
easily accessible
27. Right to have inaccuracies
corrected
• Individuals can request records be rectified if inaccurate or
incomplete.
• This includes where you have shared incorrect personal data
with another organisation, as you will need to inform that other
organisation so that it can correct its records.
• Requests must be complied with within one month (extendable by a
further two months where the request is complex).
• If refusing to act on the request you must explain why to the data
subject.
28. Right to be forgotten
Request can be made in limited situations
• Where the personal data is no longer necessary in relation to the
purpose for which it was originally collected/processed.
• When the individual withdraws consent.
• When the individual objects to the processing and there is no
overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed (i.e. otherwise in breach
of the GDPR).
• The personal data has to be erased in order to comply with a legal
obligation.
• The personal data is processed in relation to the offer of information
society services to a child.
29. Right to be forgotten - continued
• If you made the personal data public and you are required to erase
it, taking account of the available technology and cost of
implementation – you need to take reasonable steps to inform
other controllers about the request for erasure.
• Rectification or erasure should also be communicated to anyone
else to whom the data was initially disclosed unless this proves
impossible or involves disproportionate effort.
• If the data subject asks for details of recipients, these should be
shared.
30. Right to be forgotten - continued
A request concerning the erasure of data does not need to be
complied with where the processing is necessary for:
• Exercising the right of freedom of expression and information
• Compliance with legal obligations or for performing tasks
carried out in the public interest or in the exercise of the
controllers official authority
• Reasons of public interest in the area of public health
• Archiving purposes in the public interest, scientific, or
historical research purposes or statistical purposes
• The establishment, exercise or defence of legal claims
31. Subject Access
• Currently 40 day time limit
– Reduced to one month under GDPR
– Review processes for handling requests
• No fee
• Supplemental information
• Manifestly unfounded or excessive requests – may be refused or a reasonable fee charged
33. What does the Bill do? (1)
• Addresses data processing in law enforcement and the
intelligence services – Law Enforcement Directive
• Addresses permitted derogations from the GDPR
• Attempts to ensure that on leaving the EU the UK has
“adequate” data protection regime in respect of EU
requirements
• Formally repeals Data Protection Act 1998
• Addresses necessary amendments to other legislation
34. What does the Bill do? (2)
• Provides exemptions from some of the GDPR’s
requirements
• Complex drafting – requires careful consideration
• Largely reflects current position under the Data
Protection Act 1998 in substance
• Incorporates current subject access modification
orders relating to education, health and social care
data
35. What does the Bill do? (3)
• Provides additional detail as to the bases of processing of special
categories of personal data
• Processing for the performance of a task carried out in the public
interest or in the exercise of official authority includes processing
necessary for the exercise of a function conferred on a person by
an enactment or rule of law
• Employment, health and research conditions – Schedule 1, Part 1
• Substantial public interest conditions – Schedule 1, Part 2
• Appropriate policy documents and safeguards – Schedule 1, Part 4
37. 1. The role of a DPO
2. Monitoring, Compliance and DPIA’s
3. Working with Senior Leadership
4. Considering conflicts and referrals
5. Dealing with data breaches
38. The need for a DPO (Article 37)
• All public authorities/bodies must appoint a DPO
• The details of the DPO must be published and
communicated to any supervisory body.
• The DPO must have “expert knowledge of data
protection law and practices” and the ability to
fulfil the role outlined in Article 39
39. DPO as key point of contact
(Article 38)
• The DPO should be involved properly and in a timely manner with
all data protection issues
• They should be well supported, independent and cannot be
penalised for carrying out their role in accordance with the GDPR
• They are to be the key point of contact for data subjects and their
details should be shared at the point of collection and for the
purposes of raising complaints/exercising rights of the data subject
• DPOs should be named on all processing records (Article 30)
• DPOs should be the first point of contact for the ICO
40. The role of the DPO (Article 39)
• DPO is responsible for:
• Data protection compliance
• Informing and advising the public authority about GDPR obligations
and other DP laws
• Informing and advising employees who carry out processing of their
obligations
• Monitoring the implementation and application of the GDPR and the
data protection policies of the public authority
• Advising on privacy impact assessments and breaches
• Internal Audits
• Acting as point of contact with the ICO, and cooperating with the ICO
• DPOs will not be personally responsible for non-compliance with the
GDPR as this is the responsibility of the controller or processor.
41. Monitoring Compliance
• The DPO should assist the organisation to monitor
internal compliance with the GDPR. This may involve
the DPO:
• Collecting information to identify processing
activities
• Analysing and checking the compliance of
processing activities
• Informing, advising, and issuing recommendations
to the controller or the processor
42. Monitoring Compliance – review
of policy
• One of the first jobs of the DPO is likely to be to review the
policies in place in relation to the GDPR
• Are they:
• Up to date?
• Relevant – consider definitions?
• Secure?
• Reviewed regularly?
• Have they been disseminated to all staff by way of training?
• Is there a record of compliance training?
• Are policies easily accessible? For example, a desktop link as
opposed to hidden in a hard to find part of an intranet site?
43. Monitoring Compliance – review
of contracts
• May need to seek legal advice
• Consider relationships with third parties
• Do all of your contracts impose equivalent obligations
as those set out in the GDPR?
• Do you have a record of all your processing agreements
/ do you have data sharing agreements in place?
• We’ll return to this in more detail later in the
presentation.
44. Monitoring Compliance – review
of processes
• Likely will require discussion with IT departments /
consultants
• Do your processes make it easy to comply with
GDPR? For example, consider:
• Do you have access to redaction software?
• Is data stored in a way where any member of staff can
access it or are there limitations so that only authorised
persons can access relevant data?
• Do you have processes in place for mandatory breach
reporting and compliance with individuals rights?
45. Monitoring Compliance – DPIAs
• Should be undertaken before any processing of a
high risk nature, taking into account the nature,
scope, context and purpose of the processing.
• Whenever a controller carries out a DPIA there is a
requirement on the DPO to advise and support
• Consider –
• Do your policies refer to DPIAs?
• Are your staff aware of the need to consider DPIAs at an
early stage? Do they know who to contact?
46. Monitoring Compliance – DPIAs
cont.
The DPO should be able to advise on the following in respect to the
Data Protection Impact Assessments:
• whether or not to carry out a DPIA;
• what methodology to follow when carrying out a DPIA;
• whether to carry out the DPIA in-house or whether to outsource it;
• what safeguards (including technical and organisational measures) to
apply to mitigate any risks to the rights and interests of the data
subjects;
• whether or not the DPIA has been correctly carried out and whether its
conclusions (whether or not to go ahead with the processing and what
safeguard(s) to apply) are in compliance with the GDPR
47. Working with Senior Leadership
• Need to ensure that the DPO:
• Performs duties and tasks in an independent manner
• Does not receive any instructions regarding the exercise of their
task
• Is given the opportunity to make any dissenting opinion clear to
the highest management level and to those making the
decisions.
• Is able to act as a facilitator with the Information Commissioner
48. Working with Senior Leadership
• Senior leadership must support the DPO’s work without directing
or deciding the actions of the DPO
• Suggest organisation of regular meetings to discuss
DPO strategy and identify whether wider
consultation is required on particular initiatives
• Getting senior staff on board with policy change is
going to be the first step in ensuring a compliance
culture
50. Managing a data breach
• Must have procedures in place to detect, report and
investigate an actual or potential personal data breach
• Breach must be reported to the ICO unless it is unlikely to result
in a risk to the rights and freedoms of natural persons
• Report without undue delay and, where feasible, within 72 hours of
becoming aware of the breach; reasons must be given for any delay
• Notify the affected data subjects without undue delay where the breach
is likely to result in a high risk to their rights and freedoms
51. What must you tell the ICO?
1. Nature of the breach and where possible
a. Categories and approximate number of data subjects concerned
b. Categories and approximate number of personal data records concerned
2. Name and contact details of your DPO
3. Describe likely consequences of the data breach
52. What must you tell the ICO cont.?
4. Describe measures taken/to be taken to address
the breach and mitigate possible adverse effects
• You can provide this information in stages, but
without undue delay
• What does this look like in practice?
53. Managing a data breach in
practice
• Taking steps to contain the breach as soon as possible, making this
a priority over any other tasks
• Follow your data breach procedures, including in relation to
reporting to the ICO
• Seek external legal support as appropriate, as well as any
appropriate technical support
• Business critical priority to manage quickly and effectively
54. Sanctions for non-compliance
• Supervisory Authorities
– Investigative powers
– Corrective powers
• Penalties
– up to €10m or 2% of total worldwide annual turnover, whichever is higher
– up to €20m or 4% of total worldwide annual turnover, whichever is higher
• Compensation
55. Crisis management
recommendations
• Ensure your staff know the importance of reporting
a data breach immediately
• Have a “crisis team” designated so that when a
breach comes in they know how to react, and the
steps that need to be taken
• Speak to the ICO as soon as you become aware
even if you haven’t got all the information yet
57. Third party relationships
1. Assess third party relationships
2. Data sharing agreements
3. Controlling the risk
58. Article 28 GDPR
Processing by a processor must be governed by a
contract that is binding on the processor with
regard to the controller and that sets out the
subject-matter and duration of the processing, the
nature and purpose of the processing, the type of
personal data, categories of individuals whose data
is being processed and the obligations and rights of
the controller.
59. Assess third party relationships
• Assess the status of third parties – are they a data processor or data
controller?
• Data Controller
• Third party data controllers are subject to the same GDPR obligations as the
public authority
• Best practice to have data sharing agreements / protocol / memorandum of
understanding
• Consider – do you have a lawful basis for sharing the information?
• Data processor
• Data sharing agreement must be in place under the GDPR
• That agreement must be compliant with specific provisions
60. Sub-processors
• A data processor can only appoint a sub-processor with the
prior specific or general written authorisation of the data controller
• Data controllers should request details from any
current data processor as to whether they share
any personal data with a sub-processor
• If so they should be required to provide details as
to how that sub-processor ensures equivalent
security of data as the processor, as well as
securing appropriate indemnities
61. Data sharing agreements – Article
28
• The below are legally required to be included as part of
any data sharing agreement under Article 28:
• a. Subject matter and duration of processing;
• b. Nature and purpose of processing;
• c. Type of personal data;
• d. Categories of data subjects; and
• e. Obligations and rights of the controller.
62. Data sharing agreements cont.
• Article 28 also specifies provisions which must be included in a
data sharing agreement:
• Processing must be in line with the instructions of the data
controller;
• Commitment to confidentiality;
• Requirement to meet all measures under Article 32 (security) (see
below);
• Assists the controller where possible, including with investigation
of breaches and audits; and
• Securely destroy or return personal data to the controller at the
end of the agreement.
63. Data sharing agreements cont.
• Consider – are your data sharing agreements compliant?
• If not, contact the data processor and query how they
intend to make the agreement GDPR compliant?
• Seek advice on proposed changes
64. Clauses
• Indemnities
• Consider the new level of fines and the level of
indemnity
• Definitions
• GDPR terminology differs from previous data
protection law and it is likely that amendments will
be required
65. Controlling risk – Article 32
• Article 32 of the GDPR relates to the security of
personal data.
• Taking into account the state of the art, the cost of implementation and the
nature, scope, context and purposes of processing, as well as the risk of
varying likelihood and severity for the rights and freedoms of individuals,
controllers and processors must implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk.
• In determining whether a controller has suitable processes in place the
controller should undertake appropriate due diligence of third party
processors to ensure they are satisfied with the third party’s security
measures.
• This may require input from IT managers, consultants and legal advisors.
66. Minimise and pseudonymise
• Specific duty to minimise the processing of personal
data. This may require a full review of the amount of
data currently transferred to processors.
• Where the data transferred cannot be reduced further, pseudonymise it:
replace direct identifiers so that the data can no longer be attributed to
a specific data subject without the use of additional information, and keep
that additional information (the key or lookup table) separately, under its
own technical and organisational controls.
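The following is an added worked example, not part of the original presentation, showing minimisation and keyed pseudonymisation of a record set before it is handed to a processor. The record layout, field names, the hypothetical attendance-analytics processor and the sample records are all constructed for illustration. Direct identifiers are replaced by an HMAC-SHA256 token under a secret key that the controller keeps and never shares; the key and lookup table are the "additional information" without which the token cannot be attributed to a person. The last function shows why an unkeyed hash of a low-entropy identifier such as a roll number is not a pseudonym at all.

```python
"""Data minimisation and keyed pseudonymisation before sharing with a processor.

Added example; not from the original presentation. Field names, the record
layout and the sample records are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records for a hypothetical school (not real people).
RECORDS = [
    {"roll_number": "104233", "name": "A. Example", "postcode": "NG1 5DT",
     "date_of_birth": "2009-03-14", "free_school_meals": True, "attendance_pct": 93},
    {"roll_number": "104234", "name": "B. Example", "postcode": "NG7 2RD",
     "date_of_birth": "2008-11-02", "free_school_meals": False, "attendance_pct": 88},
]

# Attributes the hypothetical attendance-analytics processor actually needs.
# Everything else (name, postcode, date of birth) is dropped before transfer.
PROCESSOR_FIELDS = ("free_school_meals", "attendance_pct")


def minimise(record, keep=PROCESSOR_FIELDS):
    """Keep only allow-listed fields (Article 5(1)(c) data minimisation)."""
    return {k: record[k] for k in keep if k in record}


def pseudonym(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier under a secret key.

    Without `key` the token cannot be attributed back to the data subject,
    so the key is the 'additional information' the controller must hold
    separately from the data it sends to the processor.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_transfer(records, key, id_field="roll_number"):
    """Return (records to send to the processor, lookup retained by the controller)."""
    outgoing, lookup = [], {}
    for rec in records:
        token = pseudonym(rec[id_field], key)
        outgoing.append({"subject_token": token, **minimise(rec)})
        lookup[token] = rec[id_field]   # stays with the controller only
    return outgoing, lookup


def reidentify(token, lookup):
    """Controller-side reversal, e.g. to act on a subject access request."""
    return lookup.get(token)


def unkeyed_hash(identifier):
    """Plain SHA-256 of an identifier: what NOT to use as a pseudonym."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_unkeyed_hash(digest, max_roll=1_000_000):
    """A six-digit roll number hashed without a key is recovered by trying
    every possible value; the 'pseudonym' is reversible by anyone who holds it."""
    for n in range(max_roll):
        candidate = f"{n:06d}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and stored by the controller
    outgoing, lookup = prepare_transfer(RECORDS, key)
    for row in outgoing:
        print(row)                          # no name, postcode or roll number
    first = outgoing[0]["subject_token"]
    print("controller re-identifies:", reidentify(first, lookup))
    print("unkeyed hash of 104233 recovered:",
          recover_unkeyed_hash(unkeyed_hash("104233")))
```

Use a different key per processor: the same identifier then yields a different token for each recipient, so two processors cannot link their datasets by matching tokens. Rotate the key and re-tokenise if it is ever exposed, since a leaked key makes every token attributable.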
68. Expert knowledge
•The EU Article 29 WP Guidance on the DPO provides that
the necessary skills and expertise include:
• expertise in national and European data protection laws and
practices including an in-depth understanding of the GDPR
• understanding of the processing operations carried out
• understanding of information technologies and data security
• knowledge of the business sector and the organisation
• ability to promote a data protection culture within the
organisation
69. DPO Training
• Keeping up to date throughout the role will be
important
• Email updates, webinars, conferences, etc – sign up
to these to show steps in keeping up to date
• Annual refresher training will be required – secure
budget
70. Ongoing Training
General Data Protection Regulation (‘GDPR’)
September 2018 – two days – two exams – ongoing updates - £2,500 + VAT
72. Key Steps (1)
1. Information audit – develop Article 30 record of
processing activities, and keep this under review
2. Update policies and privacy notices
3. Ensure processes are in place to comply with data
subjects rights
4. Ensure processes are in place to secure
confidentiality of communications
5. Consider level of resource required – keep this
under regular review
73. Key Steps (2)
6. Consider whether any DPIAs are required and take steps to
complete these
7. Ensure processes are in place to be involved properly and in a
timely manner in data processing activities
8. Consider the issue of any conflicts as and when they arise and
whether this requires amendment to your existing role
9. Publicise yourself and your role to the organisation
10. Notify the ICO of your appointment and contact details
11. Keep a regular eye on the development of matters relating to
the GDPR, particularly in the period following implementation
74. Talk to us
Charlotte Harpin
T: 0330 045 2405
charlotte.harpin@brownejacobson.com