
GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle - PowerPoint PPT Presentation



1. GDPR Update, 3 October 2019
Phil Tompkins and Dean Murray
Newcastle | Leeds | Manchester

2. What we will look at today
• GDPR to date
• How to handle data subject access requests
• Data security and handling data breaches
• What's new
• Case law

3. Why does data protection matter?
• Legal obligations
• Reputation and goodwill
• Fines and enforcement
• Other data protection liabilities
• Compensation
• Criminal penalties
• Vicarious liability

4. What data does the GDPR protect?
• Personal data
• What is personal data?
• Anything that identifies a living individual, directly or indirectly
• Anything about that individual
• Examples: paper and digital records / staff and customer records / CCTV / website / photos / applications / biometrics / location data / online identifiers
• Special category data (e.g. health, biometric, racial or ethnic origin data) and, treated separately but with similar safeguards, criminal offence and conviction data

5. Data protection principles
• You must process personal data in accordance with the data protection principles:
• Lawfulness, fairness and transparency
• Specific, explicit and legitimate purpose: use the data for that purpose only (purpose limitation)
• Adequate, relevant and limited to what is necessary (data minimisation)
• Accurate and, where necessary, kept up to date (take every reasonable step)
• Kept only as long as necessary (e.g. retail orders, ticket forms etc.) (storage limitation)
• Appropriate security (integrity and confidentiality)
• NB: you need to be able to demonstrate compliance with the above (the "accountability principle")

6. Accountability
• Article 5(2): "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."
• Organisations need to develop a proactive, systematic and ongoing approach to GDPR compliance
• Risk-based approach
• How to demonstrate accountability:
• Policies and procedures (Information Governance Framework)
• Other documentation

7. GDPR to date: security breaches in 2018
[Chart: number of security breaches reported per month, March to June 2018; y-axis 0 to 2000]

8. GDPR to date: personal data breach reports to date
[Chart not reproduced in this transcript]

9. GDPR to date: increase in exercise of information rights
[Chart: survey responses to the statement "There has been an increase in individuals exercising their information rights", from Strongly agree to Strongly disagree; y-axis 0% to 35%]

10. GDPR to date: personal data breach reports to date
• "The public has woken up" (Elizabeth Denham, Information Commissioner)
• 471,224 contacts via helpline, live chat and written advice (a 66% increase)
• Data protection complaints rose from 21,019 in 2017/18 to 41,661 in 2018/19
• 11 assessment notices issued
• 2 notices of intention to fine announced

11. How to Handle Data Subject Access Requests
Dean Murray

12. Basics: what are data subject access requests and what must I provide?
• Right of access to one's own personal data
• The right of access is to:
• Confirmation that personal data is being processed
• A copy of the personal data
• Supplemental information, namely: purpose of processing / categories of personal data / recipients (including those outside the EEA) / retention period (where possible) / the data subject's rights / sources of the data / any automated decision-making or profiling / safeguards for transfers outside the EEA

13. How do I provide the information requested?
• Provision of information:
• Provide it in a concise, transparent, intelligible and easily accessible form
• Use clear and plain language
• Provide it in writing (or orally, if the data subject requests it)

14. What do data subjects get a right of access to?
• Personal data held at the time the request is received
• Held in paper or electronic records
• Personal data which relates to the individual
• No requirement to provide exempt information

15. Some information is exempt
• The right of access is subject to a number of exemptions:
• Information already held by the data subject
• Impossible to provide, or would involve disproportionate effort
• Third party data
• Requests for a large volume of data: you can ask the data subject to specify the information sought
• UK derogations

16. What specific exemptions are there and how do I use them?
• Check whether the personal data requested falls within an exemption
• The exemptions include:
• Crime and taxation (prejudice test)
• Legal professional privilege
• Management forecasts (prejudice test)
• Negotiations (prejudice test)
• Health / social work / education data (serious harm test)

17. How do I handle third party requests?
• Confirm the identity of the requestor
• Requests by a parent / carer / spouse / solicitor on behalf of the data subject
• Requests by others:
• Public authority: Freedom of Information Act 2000 / Environmental Information Regulations 2004
• Not a public authority
• Legal right of access (e.g. HMRC / police)

18. Reviewing third party data in requests
• No need to supply the personal data requested if it contains information about other people, unless:
• You have their consent
• It is reasonable to supply it without consent
• Factors to take into account where you don't have consent:
• Type of information / any duty of confidentiality / steps taken to obtain consent / whether the individual is capable of giving consent / any express refusal of consent
• What to do with third party data:
• The obligation is to provide information, not documents
• Redact or edit documents to exclude third party data

19. Handling requests
• Check the identity of the individual
• Log the request
• Timescales:
• Without undue delay and in any event within one month of receipt
• Extendable by a further two months where requests are complex or numerous (three months in total); the data subject must be told of the extension, and the reasons for it, within the first month
• Keep the data subject informed
• Must be provided free of charge unless the request is manifestly unfounded or excessive (in which case a reasonable fee may be charged or the request refused)
• Searching for data: search all relevant systems and locations, then provide the personal data requested unless it is exempt
• Form of response

20. Refusing requests
• All refusals must be in writing
• Keep a record of what was sent and the reasons why
• Set out the reason for refusal
• It is sufficient to say the data subject is not entitled to the information because it is exempt
• No requirement for a detailed explanation of why the request was refused
• Inform the data subject of their right to complain to the ICO and to seek a judicial remedy

21. Data subject access requests: case law
• Metropolitan Police Service
• Enforcement notice regarding its handling of DSARs
• On 17 April 2019 it was processing 1,535 DSARs, over 94% of them outside the statutory time frame for a response
• By 13 June 2019: 1,727 DSARs, with 1,169 overdue and 689 over 100 days old
• The ICO considers that such delay causes damage or distress
• The Met must use its best endeavours to:
• Answer all outstanding DSARs by 30 September
• Make changes to its internal systems so that it can answer future DSARs properly

22. Data Breaches and Data Security
Phil Tompkins

23. What do we mean by the term data security?
• GDPR obligation: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the integrity and confidentiality principle)
• Security should be appropriate to the likelihood and severity of the risks
• Failure to keep data secure leads to personal data breaches

24. The requirement to use technical and organisational measures
• GDPR requires:
• Controllers (and processors) to ensure a level of security appropriate to the risk
• Risk analysis
• Proportionality test, taking into account:
• The state of the art
• The cost of implementation
• The nature, scope, context and purposes of processing
• The risk, of varying likelihood and severity, to the rights and freedoms of natural persons
• The risks presented by the processing itself

25. What are appropriate measures?
• Measures Article 32 names as appropriate, depending on the risk:
• Pseudonymisation and encryption of personal data
• Managing, limiting and controlling access to personal data
• Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• The ability to restore availability of and access to personal data in a timely manner after an incident
• Regular testing, assessing and evaluating the effectiveness of the security measures
• Adherence to approved codes of conduct and certification mechanisms
• Record the measures you take
• Art 30(1)(g) (controllers) and Art 30(2)(d) (processors): a general description of the security measures belongs in the record of processing (accountability)
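Pseudonymisation is the first technical measure the slide lists, and the point that matters in practice is the difference between a pseudonym an outsider can reverse and one they cannot. The block below is an added example, not material from the presentation or its authors: it pseudonymises a constructed order list two ways, with a plain SHA-256 of the e-mail address and with HMAC-SHA256 under a secret key held apart from the dataset, then plays the role of someone who holds the pseudonymised file plus a list of guessed e-mail addresses. The records, addresses and key are all made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "order": "A-1001", "total": 42.50},
    {"email": "bob@example.com",   "order": "A-1002", "total": 19.99},
    {"email": "alice@example.com", "order": "A-1003", "total": 7.25},
]


def unkeyed_pseudonym(identifier: str) -> str:
    """Weak form: SHA-256 of the identifier alone.

    Anyone who can enumerate plausible identifiers (customer lists,
    leaked address books, brute-forced phone numbers) can recompute
    the same digests and rebuild the mapping with no secret at all.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that is stored separately from the data.

    The same input always gives the same token, so an analyst can still
    link one subject's records; without the key the token cannot be
    recomputed from a guess, which is what makes it a pseudonym rather
    than a thin disguise. The key is the 'additional information'
    that the controller must keep apart under Article 4(5).
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records with the e-mail replaced by a keyed token."""
    out = []
    for r in records:
        copy = dict(r)
        copy["subject"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def dictionary_reidentify(tokens, candidates, pseudonymiser):
    """Simulate re-identification: recompute tokens for each candidate
    identifier and report which tokens in the dataset they match."""
    lookup = {pseudonymiser(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    """Run both schemes against the same guess list and return
    (hits against unkeyed tokens, hits against keyed tokens, keyed records)."""
    key = secrets.token_bytes(32)           # generated per run; kept out of the dataset
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    weak_tokens = [unkeyed_pseudonym(r["email"]) for r in RECORDS]
    keyed_records = pseudonymise(RECORDS, key)
    keyed_tokens = [r["subject"] for r in keyed_records]

    # An outsider has no key, so the best they can do is the unkeyed recompute.
    weak_hits = dictionary_reidentify(weak_tokens, guesses, unkeyed_pseudonym)
    keyed_hits = dictionary_reidentify(keyed_tokens, guesses, unkeyed_pseudonym)
    return len(weak_hits), len(keyed_hits), keyed_records


if __name__ == "__main__":
    weak, keyed, recs = demo()
    print(f"unkeyed SHA-256: {weak} of 2 subjects re-identified from guesses")
    print(f"keyed HMAC:      {keyed} of 2 subjects re-identified from guesses")
    print("same subject links across orders:", recs[0]["subject"] == recs[2]["subject"])
```

Two things follow for the accountability record. First, the HMAC key is what turns the output from "reversible by anyone with a guess list" into "reversible only by the key holder", so the record of processing should say where that key lives and who can use it; if the same party holds the key and the data, the data is pseudonymised, not anonymised, and remains personal data. Second, normalising the identifier (trim, lower-case) before hashing is what keeps one subject's records linkable; skipping it silently splits "Alice@Example.com" and "alice@example.com" into two subjects, which also breaks subject access searches.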

26. What do we mean by "organisational security"?
• Governance
• Contracts and data sharing
• Training and awareness

27. What is "governance"?
• Management structures
• Policies, procedures and documentation
• Compliance and assurance
• Identifying and managing risks
• Use of data protection impact assessments
• Data protection by design and by default
