Data protection

1. Data Protection Regulations
   James Davies and Steve Lorber, 23 April 2013

2. Crystal ball

3. Cheap data
   • Statistics/visual imagery about how the workplace has changed over the last 15 years re collection and use of data

4. Data Protection – a brief history
   Late 1960s: First electronic messaging

5. 1969: First email

6. The UK in October 1969

7. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)

8. 1984: First Data Protection legislation

9. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)
   1998: Data Protection Act

10. 1998 Act – key principles

11. What has this meant over the last 15 years?
   • Data subject requests
   • Data protection policies – consent
   • Transfer overseas, especially to the US
   • “Light touch” enforcement
   • Globalisation and other less light-touch data protection laws

12. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)
   1998: Data Protection Act
   2005: Employment Practices Code

13. Who is this? Christopher Graham, Information Commissioner

14. 2005: ICO employment practices code

15. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)
   1998: Data Protection Act
   2005: Employment Practices Code
   2007: ICO Personal Data guidance

16. 2007: ICO Personal Data Guidance

17. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)
   1998: Data Protection Act
   2005: Employment Practices Code
   2007: ICO Personal Data guidance
   2010: Sanctions increase to £500k

18. 2010: Increase sanction to £500k

19. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)
   1998: Data Protection Act
   2005: Employment Practices Code
   2007: ICO Personal Data guidance
   2010: Sanctions increase to £500k
   2013: ICO BYOD guidance

20. 2013: ICO BYOD guidance

21. Data Protection – a brief history
   Late 1960s: First electronic messaging
   1984: Original Data Protection law (minimal impact)
   1998: Data Protection Act
   2005: Employment Practices Code
   2007: ICO Personal Data guidance
   2010: Sanctions increase to £500k
   2013: ICO BYOD guidance
   TODAY: Proposed General Data Protection Regulation

22. TODAY: Draft Regulation

23. Data Protection Regulation – introduction
   • What’s the problem?
   • Commission solution
   • Strategy
   • Particular measures proposed
   • Practical implications for now?

24. Data protection – the need for change
   • Change in nature and extent of processing
   • Globalisation
     - Different rules in different states
     - Cloud
   • Employment context
     - volume
     - free-form data

25. Commission solution – a Data Protection Regulation
   • What is a regulation?
   • Aim
     - one-stop shop
     - greater legal certainty – and consistency throughout the EU
     - reduction of administrative burden
     - strengthened data subject rights
     - efficiency of supervision and enforcement
   • And “it will save money” – not just red tape

26. Strategy proposed
   • Strategy
     - similar to current rules... but more
     - stricter data protection principles
     - more specific and granular obligations
     - more extensive individual rights... right to be forgotten...
   • Backed up by tougher enforcement – fines of 2% of global turnover

27. Policy, process... and documentation (1)
   • Internal documentation
     - adopt policies
     - implement measures to ensure compliance with policies
     - be able to demonstrate compliance
     - if appropriate, establish an audit

28. Policy, process... and documentation (2)
   • Documentation for data subjects
     - Extensive information, including
       > purposes of processing
       > if justified by "legitimate interests"... what those interests are
       > data subject rights and how to complain
       > who gets to see it... recipients
       > if data does not come from the data subject, who the source is

29. Policy, process... and documentation (3)
   • Very granular... underscored by a new data protection principle
     - for each processing operation, the controller must ensure and demonstrate compliance
   • Lots of paper... but does it protect privacy?

30. Right to be forgotten
   • Right to have personal data erased if
     - no longer necessary in relation to the purposes for which it was collected
     - consent withdrawn
     - expiry of retention period
     - processing is non-compliant

31. Right to be forgotten
   • If personal data has been made public, the controller shall take all reasonable steps to tell third parties
   • Controller may restrict where
     - there is an issue over accuracy
     - data is needed for purposes of proof (evidence of business operations)

32. Data security (1)
   • Controller and processor must
     - do a risk assessment
     - implement technical and organisational measures to ensure security
   • "Personal data breach" means a breach of security... leading to
     - accidental or unlawful destruction, loss or alteration
     - unauthorised disclosure

33. Data security (2)
   • Duty to notify
   • Duty to document breaches
   • If a breach is likely to affect the privacy of data subjects, the controller must tell the data subject of the breach and what it is doing

34. Data protection by design
   • "Data protection by design"... if developing the business in ways that impinge on personal data (e.g. a new HR system)
     - implement to ensure compliance (having regard to cost and technology)
     - ensure that by default the system
       > only processes data necessary for the purpose
       > does not collect too much
       > does not store too long
       > controls access

35. Data protection officer
   • Controller and processor must establish a DPO if 250 employees or more
   • What are the roles/functions of a DPO?

37. Data protection officer
   • Monitoring data protection breaches
   • Contact point for supervisory authority
   • Informing controller and processor of obligations under the DPR (and documenting)
   • Monitoring implementation of policies (including audit and training)
   • Ensuring documentation is maintained
   • Monitoring protection by design and security
   • Monitoring data protection impact assessments

38. Remedies and sanctions
   • Up to 2% of turnover
   • Enforcement by "main establishment" regulator
     - In the EU – where the purposes of processing are determined or, if not, where the main processing takes place
     - If not established in the EU, must appoint a "representative"

39. Special rules on employment
   • Regulation allows member states to adopt special rules for employment... but upwards only
     - Extra conditions for processing
     - Regulatory consent?
     - Works Council approval?
   • Defeats the "one-stop shop"?

40. What to do now?
   • Proposals will change...
   • Share your thoughts with the MoJ?
   • Processing operations
     - identify and record
     - consider how you comply
   • Establish the extent to which you use "consent" to justify processing... and find other ways

41. Thank you