Raising Awareness of the General Data Protection Regulations (GDPR)
Workshop aims are to: • Provide an introduction to the GDPR • Explore how the GDPR will impact on Early Years settings • Highlight resources available to support Early Years settings to prepare for the GDPR • Discuss strategies for ensuring your Early Years setting is compliant
GDPR Quiz
GDPR quiz - are you prepared for the changes: https://virtual-college.typeform.com/to/YHmCIO
What is the GDPR? • GDPR is the 'General Data Protection Regulation' - a change in law that comes into force on 25th May 2018 (regardless of Brexit) • EU legislation that replaces the Data Protection Act 1998 in the UK • Implemented within the Data Protection (DP) Bill • Covers the capture, storage, processing, transport, security and removal of personal data
GDPR - What are the main changes? • Increased accountability for the processing of personal data, and a duty to demonstrate compliance. • Changes to what counts as personal data. • Shorter time frames for Subject Access Requests (one month instead of 40 days). • Extended rights for individuals. • New rights for children aged 13 and over (the UK age of consent for online services). • The six lawful bases for processing personal data.
The Information Commissioner's Office (ICO) • The UK's independent body set up to uphold information rights. • Enforces and regulates freedom of information and data protection law. • Provides information and advice. • Promotes good practice.
Minimise the risk • Assess the risk – what personal data do you process, and how? • Policies • Responsibilities • Training and awareness
Where to start using ICO support • Data Protection Self-assessment tool • ICO Good Practice Guidance / Data Sharing Checklist • Information Asset Audit, answering: What data do we process? For what purposes? What legal basis do we use? Who do we share data with?
GDPR principles GDPR condenses the Data Protection Principles into six areas, referred to as the Privacy Principles. They are: 1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way. 2. You must only use the data for the reason it was originally obtained. 3. You must not collect any more data than is necessary. 4. It has to be accurate and there must be mechanisms in place to keep it up to date. 5. You cannot keep it any longer than needed. 6. You must protect the personal data.
These privacy principles are supported by a further principle - accountability. • This means that your setting must not only do the right thing with data but must also be able to show that the correct measures are in place to demonstrate how compliance is achieved. • There is also an expectation that staff will be trained on data protection. Documentation of policies, procedures and training is going to be a key part of any effective compliance programme.
Roles and Responsibilities Data Protection Officers (DPO) • monitor internal compliance, and inform and advise on your data protection obligations. • act as a contact point for data subjects and the supervisory authority. • must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed. • In some cases several organisations can appoint a single DPO between them. • can help you demonstrate compliance and are part of the enhanced focus on accountability.
Roles and Responsibilities Cont.... Data Controller • is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed Data Processor • in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. “Processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data
Personal data (as defined in the Data Protection Act 1998) …data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
The six Principles of GDPR 1. Lawfully, fairly and transparently • Grounds (GDPR Articles 6 and 9) • Fair processing notice or privacy notice • Being clear 2. Specific, explicit and legitimate purpose • Why? • What is the purpose? 3. Adequate, relevant and limited to what is necessary • Data minimisation • Data mapping 4. Accurate and, where necessary, kept up to date • Reasonable steps taken 5. For as long as is necessary for the purpose 6. Appropriate technical and organisational measures • Security measures
Privacy notice What information is being collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
Data Breach Breach notification • Where a breach is likely to result in a risk to individuals, you will be obligated to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Fines • One of the key drivers of compliance is that organisations can be fined significant amounts if they are not compliant. However, you should focus on the benefits of ensuring you are handling your data properly.
How will this impact on your Early Years setting? • Early Years settings will need to assess their use of data and look at how they gather, hold, and share any personally identifiable information, which includes anything that can be used to identify a specific person. • This will include introducing a new policy, informing parents of the changes, informing parents how you use their data and taking steps within your setting to make sure all data and information is secure.
Information Asset Audit • What data do we process? • For what purposes? • What legal basis do we use? • Who do we share data with?
Start by….. • Create a gap analysis • Document an action plan and a starting checklist • Update the setting's Data Protection policy and consider other policies and procedures that may need to be updated • Arrange for staff training and awareness
What next.... • Appointing a data protection officer — For most settings, appointing an individual who takes the lead on data compliance will be enough, although larger early years provider chains may need to appoint a Data Protection Officer (DPO). • Privacy notices — When you collect any data you must tell people exactly how you are going to use it, who you might share it with and how long you will keep it, as well as giving information on consent and complaints. • Individual rights — People will have new and enhanced rights over the collection, access and deletion of their data, so you must ensure your setting has mechanisms that allow individuals to exercise these rights.