Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Preparing for GDPR


Published on

A presentation from the Department of Finance at NICVA's Data Fridays events

Published in: Government & Nonprofit
  • Be the first to comment

Preparing for GDPR

  1. 1. General Data Protection Regulation GDPR IS A GAME CHANGER With fines for breaches of up to €20m or 4% of turnover, and reputational damage for getting it wrong, no organisation can afford to ignore its responsibilities. Changes such as the statutory duty to report breaches, the new "right to be forgotten" and the much stricter rules around consent and privacy notices completely alter the landscape for working with personal data. "We're all going to have to change how we think about Data Protection." Elizabeth Denham, Information Commissioner, Jan 2017 NICVA presentation by John Morgan 16th June 2017
  2. 2. Today is the 16th of June 2017 Fast Forward to 25th May 2018 16th June 2017 25th May 2018 11 Months aka less than1 Year
  3. 3. GDPR – So what ! The ICO Commissioner Elizabeth Denham said this on in January 2017 “The General Data Protection Regulation builds on the previous legislation: but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection – The message about GDPR is continuity and change. There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone”
  4. 4. Current Situation • Finance (DoF) are the lead department for implementation of GDPR into the NICS • DoF are in regular communication with both Information Commissioners Office (ICO) Department for Culture Media & Sport and the Cabinet Office • NICS working group has been established • This consists of all 9 departments, PRONI Public Prosecution Service & Enterprise Shared Services.
  5. 5. Implementation plan • Working group is using the ICO’s 12 steps document as their current guide • These 12 steps have been prioritised by the working group • A number of sub-groups have been established to look at topics in more depth • More will be established as and when required.
  6. 6. 12 Steps to Perfection • Awareness • Information you Hold • Communicating Privacy Information • Individuals’ Rights • Subject Access Requests • Legal Basis for Processing Personal Data • Consent • Children • Data Breaches • Data Protection by Design and Data Protection Impact Assessments • Data Protection Officers • International
  7. 7. Governance • The GDPR working group reports directly to Information Management Council (IMC) • IMC subsequently reports to Information Governance and Innovation Board (IGIB) • IGIB is chaired by David Sterling who reports to Permanent Secretaries Group on all relevant matters.
  8. 8. Sub-group role • Each sub-group will look in depth at a specific topic. • They will normally consist of 3-4 members from the larger working group • They will provide recommendations to both IMC and IGIB • They will communicate with and seek advice from all relevant stakeholders
  9. 9. Sub-groups • A number of sub-groups have been established: • Information Asset Register • Contracts • Awareness • Privacy Notices • GDPR Data Protection Officer’s • IT sub-group • Each Group will have Terms of Reference, Objectives, Targets and be time-bound.
  10. 10. Further sub-groups • Work is progressing well with these groups and recommendations will be forwarded to IMC for approval. • As the ICO & EU Article 29 working party produce more guidance further sub-groups will be established.
  11. 11. GDPR awareness • ICO presented to PSG in June 2016 • ICO attended NICS IT conference in October 2016 • ICO presented at the NICS GDPR awareness sessions in November 2016 • ICO presented to IGIB in December 2016 • ICO/NICS presented to over 300 people at PRONI • I have presented to some of the NICS Departmental Boards and am scheduled to complete the rest by end July. • ICO have presented at today’s event As you can see the pressure is being ramped up
  12. 12. Next steps • Further GDPR awareness sessions • 1-2 page GDPR outline document will issue to all staff in NICS departments • NICS Intranet will be operational from 25 May 2017 • Head of Civil Service will publicise Intranet in conjunction with the ICO • Communication plan to be developed • Sub-Group recommendations implemented by Departments across the NICS
  13. 13. What’s next for you? • Think about what you have heard today • Discuss with your colleagues • Consider how GDPR might affect your role, team, branch, division & your stakeholders • Raise concerns and queries to the appropriate representative • Support your representative in raising the awareness of GDPR
  14. 14. Bedtime Reading • Overview of the GDPR by ICO • Privacy notices, transparency and control – code of practice by ICO • ICO website • protection-reform/
  15. 15. Departmental Reps • Chair – Michael Reid (DoF) • Members – Jenny Lynn (DoF), Mark Maxwell (DAERA), David Moore (DoJ), Charlene McQuillan (DoH), Rosalind Ironside (TEO), Bernard McCaughan (DfE), Alan MacDonald (DE), Colin Picken (DfC), Pat Dougan (DfI), David Huddleston (PRONI), Seth Spiers (PPS), Sharon Nesbitt (DoF ESS), Stephen Lemon (DoF)
  16. 16. Central NICS Contacts • • • •
  17. 17. TalkTalk Data Breach ICO Fine £400K…. GDPR £70M???
  18. 18. Conclusion To Finish I will quote Elizabeth Denham again from her 17th January 2017 speech: “Because it’s important for all of us that we get this right. I’ve talked tonight about the sense people have that they are losing control of their data. As a regulator, it’s one of my jobs to turn that around, to start re-establishing that trust. The GDPR gives us all greater power to do that. Not just in terms of a bigger sticks for those who get it wrong, but in presenting an opportunity for every organisation to reconsider their data protection approach. I want organisations to think to themselves. We base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect. It’s something, as a regulator, I’ll demand of businesses. It’s something consumers increasingly demand. I hope after hearing me today you’ll be convincing your clients of it too. And you’ll know where to point them to get them heading in the right direction”.
  19. 19. Any questions?