GDPR Annual Refresher Training
Annual refresher training - intro
It is a legal requirement that all staff and volunteers have GDPR refresher training on an annual basis. Logistically, it makes sense to offer refresher training electronically to ensure that all staff are able to complete it within a reasonable timescale that fits with everyone’s busy schedules. Please ensure that you complete the training by the deadline given.
The Information Commissioner’s Office
• The UK’s independent body set up to uphold information rights
• Enforce and regulate freedom of information and data protection laws
• Provide information and advice
• Promote good practice
• We are registered with the ICO
3 key definitions of terms
• Personal data
• Processing
• Data controller v data processor
What is personal data?
Data which relate to a living individual who can be identified
– (a) from those data, or
– (b) from those data and other information in the possession of the data controller/processor
It includes names, addresses, contact info, medical info, employment status, etc. Also, how you describe someone that clearly identifies an individual! Not business contact details.
What is data processing?
‘Processing’ refers to anything an organisation does with personal data:
• collecting
• using
• analysing
• sharing
• disposal
Data controller vs data processor
“The GDPR data controller is the organisation that decides how and why customers’ personal data is processed. They control the data but do not necessarily hold or process it, however, they are responsible for how it’s used, stored and deleted.” e.g. us, Cornwall Council, NHS Kernow
“A data processor … is a company or person who processes personal data on behalf of the controller. This could include something as simple as storing the data on a third party’s server but also includes, for example, payroll services, commissioned services and market research businesses.” i.e. us!
Source: www.cybersmart.co.uk
What is GDPR?
• General Data Protection Regulation - law from 25 May 2018
• Organisations must be able to demonstrate compliance with the principles
– Same basic principles as old data protection law but strengthened
– Greater accountability
– New rights for individuals and strengthening of existing rights
– Breach reporting
– Data Protection Impact Assessments
– Higher penalties for non-compliance
Brexit
BREXIT does not affect UK compliance with GDPR – the Data Protection Bill is in effect from 25 May 2018.
“While the GDPR will not be directly applicable post-Brexit, the Data Protection Bill (which will become the Data Protection Act 2018) will ensure continuity with the legislation set out in the GDPR”
https://ico.org.uk/for-organisations/data-protection-and-brexit/
What is the key difference between DPA and GDPR?
• DPA: compliant until proven not to be
• GDPR: must prove compliance from day 1
Comparing Principles!
Personal data shall be …

DPA Principles
1. Processed fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Processed for any purpose or purposes, shall not be kept for longer than is necessary
6. Processed in line with the rights of data subjects
7. Secure and protected against unauthorised or unlawful processing, loss, destruction or damage
8. Not be transferred to any country without adequate protection

GDPR Principles
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit, legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and kept up-to-date
5. Kept in a form which permits identification of data subjects for no longer than is necessary
6. Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage
7. Not be transferred to any country without adequate protection
Why is GDPR necessary?
• Data storage and technology has evolved rapidly since the 1990s.
• Mobile technology is much more versatile: mobile phones, tablets, etc.
• Legislation across Europe has been complex and disjointed. GDPR imposes more consistency and a stronger requirement for compliance.
• How we use technology for work has changed how information is collected, stored, used, etc, and changed risk factors.
• Social media means personal information is much more publicly available; we are also sharing much more private information.
Consent
Where we are requesting an individual to give us any of their personal data, active consent must be sought.
• We must ask for consent without offering any incentive to do so.
• Consent must be on an opt-in basis (not opt-out).
• Consent forms must make it absolutely clear what information is needed, why it is needed and how it will be used (including who it might be shared with, e.g. other services or organisations).
• Individuals must be told how to withdraw their consent.
• Evidence of consent must be recorded.
• Consent forms must use clear, plain language.
Consent to use personal data
Consent must be:
• freely given, explicit, specific, informed, and an unambiguous indication of wishes
• requested using accessible, intelligible, clear language
• provable: that consent was given
• provided with the ability to withdraw
• necessary
Children’s data
• Children need particular protection when you are collecting and processing their personal data - they may not understand the risks.
• For online services offered directly to a child:
– in the UK, children aged 13+ are able to provide their own consent.
– for children under 13, you need parental consent - unless the online service you offer is a preventive or counselling service.
• You should write clear privacy notices for children so that they are able to understand what will happen to their personal data and what rights they have.
Data Subject Rights
The rights of the individual are central to data processing:
• The right to restrict processing
• The right to data portability
• Rights in relation to profiling
• Right to rectification
• Right to erasure
Data Subject Rights
Right to Restrict Processing
• Individuals have a right to ‘block’ or suppress processing of personal data.
• When processing is restricted, you are permitted to store the personal data, but not further process it.
• E.g. keeping a list of people who have requested that their data be removed.
Data Subject Rights
The Right to Data Portability
• Allows individuals to obtain and re-use their personal data for their own purposes across different services.
• To move, copy or transfer personal data from one IT environment to another in a safe and secure way.
• Enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
Data Subject Rights
Rights in Relation to Profiling
The GDPR includes provisions on:
• ‘automated individual decision-making’ (making a decision solely by automated means without any human involvement)
• profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
E.g.
• an online decision to award a loan; and
• a recruitment aptitude test which uses pre-programmed algorithms and criteria. (ICO)
Data Subject Rights
Right to Rectification
• Individuals have the right to have personal data rectified where it is inaccurate or incomplete.
• E.g. criminal records, medical information
Right to Erasure
• Also known as ‘the right to be forgotten’.
• To enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
• Google and the ‘right to be forgotten’ case
NB In order to administer this, a ‘request to be forgotten’ list needs to be maintained. Examples: a trainee not wanting to know of other courses, or a carer who has had support and does not want the newsletter.
Demonstrating compliance
“The controller shall be responsible for, and be able to demonstrate compliance with the Principles” Article 5(2)
Some of this applies to data processors too.
• Requirement to implement appropriate technical and organisational measures (all)
• Requirement to appoint a data protection officer (controllers)
• Maintaining records on processing activities (all)
• Data protection by design and default (all)
• Data protection impact assessments (all)
• Codes of conduct and certification schemes (all)
What happens if we don’t comply?
What is a data breach?
A data breach is any situation where an individual can be identified by someone other than who is ‘authorised’ to have access to that data.
Data Breaches
Requirement to report ‘high risk’ breaches to the ICO and the relevant data subjects within 72 hours. Failure to notify a breach can result in a significant fine of up to 10 million euros.