Building a register of data processing activities
Workshop overview
• Key requirements of the General Data Protection Regulation
• What is personal data?
• What personal data do you collect?
• Why we are here today – to compile a record of data processing activities
• What is lawful processing?
• What are legitimate interests?
• What is consent?
• Mix and match exercise
• What is a data processor?
• What is a data controller?
• Controller or processor?
• How long should you keep data?
• Privacy notices
• Recording processing activities
• Summary
What is data protection?
Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’).
It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations regarding security.
The current UK law is the Data Protection Act 1998.
What is the General Data Protection Regulation?
- A new EU Regulation that governs the processing of personal data
- It is an evolution of existing laws
- It introduces a number of administrative burdens and documentation requirements – such as records of processing and, in high risk situations, data protection impact assessments
- The rights of individuals in relation to their data have been enhanced
- Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data
- Organisations must be in compliance by 25 May 2018
- In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
What is personal data?
Personal data
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data (AKA sensitive personal data)
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
What personal data do you collect?
(Exercise: list the items you collect under each heading.)
Personal data
Special categories of personal data (AKA sensitive personal data)
Register of data processing activities
The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators.
Controls
1. A register must be maintained that includes the following information: the name and contact details of the controller, the controller's representative (where the entity is non-EU) and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures applied to the data.
Record processing at activity level
What processing activities do you do?
Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities)
Recruitment: how people apply for jobs online or by email; reference checking.
Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances.
Workplace: CCTV, reporting an accident, issuing a security card.
Communications: signing up for newsletters and other marketing communications.
Activity: What other processing activities do you do?
What information should you record?
• Department;
• Process owner;
• Step by step process flow – from collection to disposal;
• Categories of data collected (e.g. bank account data, NI number, home address, email);
• Data subjects (e.g. job applicants, contacts, employees, customers);
• Link to the applicable privacy notice;
• Lawful grounds for processing of personal data and special categories of personal data (this process will involve close scrutiny of these);
• Where data is stored and accessed from (taking into account data processors and data centre location);
• Where there is an ex-EEA* transfer, what the legal mechanism for this is;
• Suggested retention period, if not already agreed;
• Whether there is a statutory retention period (and if so, what the law/regulation is);
• Who has access to the data;
• Whether any data processors are involved in the process (and who they are);
• Whether any data is being shared with data controllers;
• Whether infosec due diligence has been conducted on the data processors involved;
• Check of the contract clauses to see if they meet Article 28 (Processor) requirements;
• Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training).
Items in red will need to be confirmed by your data protection officer or other.
* European Economic Area – EU plus Norway, Iceland and Liechtenstein.
What are lawful grounds for processing?
Any activity involving personal data should have lawful grounds for processing. The grounds available to choose from for a commercial organisation:
- You have the individual’s consent to use their personal data in this way
- It is strictly necessary for the performance of a contract with the individual
- It is strictly necessary to fulfil a legal obligation
- It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual
- It is for the vital interests of the individual (life and death).
There are additional grounds that need to be met for the lawful processing of special categories of data.
Let’s have a closer look at consent…
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Now let’s look at legitimate interests
What are your legitimate interests?
Sounds like a way to make anything lawful? NO!
Your organisation has to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations, and so on.
Examples where legitimate interests might be considered:
- Limited use of CCTV for security purposes
- Limited analysis of data for marketing purposes
- Fraud prevention
NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice.
Now let’s ‘Mix and Match’
Mix and Match: fair processing conditions
(use some relevant processing activities and ask delegates which grounds they would use)
What is a data processor?
You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it.
When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g. outsourcing payroll, email marketing management.
Requirements
- You must have a process to assess that the processor has the ability to protect data accordingly;
- You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included;
- By May 2018 all contracts will need to be reviewed and amended accordingly.
In building the register we are identifying where data processors exist (and where they store our personal data), so we can see where remediation might be required.
What is a data controller?
A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness.
Examples:
• HMRC
• Courts
• Other group entities (depending on the purposes for data sharing)
• Other corporates for their own marketing purposes
Actions
In the record keeping activity process we are identifying where data controllers exist, so we can check that the sharing is lawful.
Processor or Controller?
(using examples that are relevant to your organisation, ask delegates whether they would be acting as a data controller or a data processor)
How long should I keep data?
GDPR Article 5.1a: (Personal data must be) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.
Considerations?
• Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period?
• In the absence of a statutory requirement, how long do you need the personal data?
• What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing, and do they influence the retention period?
• Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymisation).
Privacy Notice requirements in GDPR
Ideally provided at the time you collect personal data, a privacy notice explains:
- The identity and contact details of the controller
- Contact details for the data protection office(r)
- The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing
- Recipients and categories of recipients
- Intention to transfer personal data to a recipient in a ‘third country’
- The period personal data will be stored for
- Awareness of all of their rights and how they can be exercised
- Where processing is consent based, the existence of the right to withdraw consent at any time
- The right to complain to the supervisory authority (in the UK being the ICO)
- Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and the consequences of failing to provide it
How else are we using the information that we will collect?
Record retention: the process enables us to decide how long we will retain personal data. This is critical because the GDPR will require retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period would also be disclosed.
Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.
Consent: We can assess whether consent is being used appropriately and, if we are reliant upon consent, that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.
International transfers: We need to know exactly where data is located and where it can be accessed from, as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.
Now let’s try to fill in a form… (provide a template for people to fill in)
Summary
• Completing a register of data processing activities is a critical first step in compliance with the GDPR.
• It provides us with information on lawful processing and the involvement of data processors/third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data.
• It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken and the register updated. A data protection impact assessment may also be required if the project is high risk.
Comparison of GenAI benchmarking models for legal use cases
 
Special Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementSpecial Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreement
 
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogiAlexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptx
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
The Patents Act 1970 Notes For College .pptx
The Patents Act 1970 Notes For College .pptxThe Patents Act 1970 Notes For College .pptx
The Patents Act 1970 Notes For College .pptx
 
Rights of under-trial Prisoners in India
Rights of under-trial Prisoners in IndiaRights of under-trial Prisoners in India
Rights of under-trial Prisoners in India
 
1. Building a register of data processing activities

2. Workshop overview
• Key requirements of the General Data Protection Regulation
• What is personal data?
• What personal data do you collect?
• Why we are here today: to compile a record of data processing activities
• What is lawful processing?
• What are legitimate interests?
• What is consent?
• Mix and match exercise
• What is a data processor?
• What is a data controller?
• Controller or processor?
• How long should you keep data?
• Privacy notices
• Recording processing activities
• Summary

3. What is data protection?
Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations regarding security. The current UK law is the Data Protection Act 1998.

What is the General Data Protection Regulation?
- A new EU Regulation that governs the processing of personal data
- It is an evolution of existing laws
- It introduces a number of administrative burdens and documentation requirements, such as records of processing and, in high-risk situations, data protection impact assessments
- The rights of individuals in relation to their data have been enhanced
- Organisations can be fined up to the higher of 4% of global annual turnover or 20 million euros for unlawful processing, failing to respect individuals’ rights or unlawful international transfers; a lower tier of up to the higher of 2% or 10 million euros applies to the administrative obligations, such as records of processing, processor contracts, security measures and breach notification (for example after losing personal data)
- Organisations must be in compliance by 25 May 2018
- In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)

4. What is personal data?
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data (also known as sensitive personal data): processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited (Article 9(1)), unless one of the specific conditions in Article 9(2) applies.

5. What personal data do you collect?
Exercise: list the personal data, and separately the special categories of personal data (sensitive personal data), that your organisation collects.

6. Register of data processing activities
The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the information that must be gathered and made available to regulators.

Controls
1. A register must be maintained that includes the following information (Article 30):
• the name and contact details of the controller, the controller’s representative (where the entity is established outside the EU) and the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
• the envisaged time limits for erasure of the different categories of data;
• a general description of the technical and organisational security measures applied to the data.

7. Record processing at activity level
What processing activities do you do?
• Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities)
• Recruitment: how people apply for jobs online or by email; reference checking
• Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances
• Workplace: CCTV, reporting an accident, issuing a security card
• Communications: signing up for newsletters and other marketing communications
Activity: what other processing activities do you do?

8. What information should you record?
• Department
• Process owner
• Step-by-step process flow, from collection to disposal
• Categories of data collected (e.g. bank account data, NI number, home address, email)
• Data subjects (e.g. job applicants, contacts, employees, customers)
• Link to the applicable privacy notice
• Lawful grounds for processing of personal data and of special categories of personal data (this process will involve close scrutiny of these)
• Where data is stored and accessed from (taking into account data processors and data centre location)
• Where there is an ex-EEA* transfer, what the legal mechanism for it is
• Suggested retention period, if not already agreed
• Whether there is a statutory retention period (and if so, what the law or regulation is)
• Who has access to the data
• Whether any data processors are involved in the process (and who they are)
• Whether any data is being shared with other data controllers
• Whether infosec due diligence has been conducted on the data processors involved
• A check of the contract clauses to see whether they meet the Article 28 (processor) requirements
• Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training)
Some of these items (highlighted on the original slide) will need to be confirmed by your data protection officer or another adviser.
* European Economic Area: the EU plus Norway, Iceland and Liechtenstein.

9. What are lawful grounds for processing?
Any activity involving personal data must have a lawful ground for processing. The grounds available to choose from for a commercial organisation:
- You have the individual’s consent to use their personal data in this way
- It is necessary for the performance of a contract with the individual
- It is necessary to fulfil a legal obligation
- It is necessary for the legitimate interests of your organisation (or a third party), except where those interests are overridden by the interests or fundamental rights and freedoms of the individual
- It is necessary to protect the vital interests of the individual (life and death)
Additional conditions must be met for the lawful processing of special categories of data.
Let’s have a closer look at consent.

10. Conditions for consent (Article 7)
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Now let’s look at legitimate interests.

11. What are your legitimate interests?
Sounds like a way to make anything lawful? No. Your organisation has to identify a legitimate interest, show that the processing is necessary for it, and balance it against the interests and fundamental rights and freedoms of the data subjects: it must not invade privacy disproportionately, it must be within their reasonable expectations, and so on. If an individual objects, the processing must stop unless you can demonstrate compelling legitimate grounds that override their interests, rights and freedoms.
Examples where legitimate interests might be considered:
• Limited use of CCTV for security purposes
• Limited analysis of data for marketing purposes
• Fraud prevention
NB: any reliance on legitimate interests MUST be explained in the relevant privacy notice.
Now let’s ‘Mix and Match’.

12. Mix and Match: fair processing conditions
(Use some relevant processing activities and ask delegates which grounds they would use.)

13. What is a data processor?
You are a ‘data controller’ for the personal data you collect when you decide why and how it will be processed. You are legally responsible for it. When you outsource the collection or use of personal data to another organisation, that organisation acts as a data processor. As a processor, it may only use the personal data under your instruction and for no other purpose, e.g. outsourced payroll or email marketing management.
Requirements
- You must have a process to assess that the processor has the ability to protect the data accordingly
- You must have a contract in place with the processor that contains appropriate provisions on data protection; the GDPR (Article 28) contains specific requirements that must be included
- By May 2018 all such contracts will need to be reviewed and amended accordingly
In building the register we are identifying where data processors exist (and where they store our personal data) so we can see where remediation might be required.

14. What is a data controller?
A data controller determines the purposes and means of the processing of personal data. Sharing personal data with another controller therefore also needs to be assessed for lawfulness.
Examples:
• HMRC
• Courts
• Other group entities (depending on the purposes for data sharing)
• Other companies for their own marketing purposes
Actions: in the record-keeping process we are identifying where other data controllers exist so we can check that the sharing is lawful.

15. Processor or Controller?
(Using examples that are relevant to your organisation, ask delegates whether they would be acting as a data controller or a data processor.)

16. How long should I keep data?
GDPR Article 5(1)(e): personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Considerations:
• Is there a statutory record-keeping period that would guide your retention period and at least set a minimum?
• In the absence of a statutory requirement, how long do you need the personal data?
• What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing, and do they influence the retention period?
• Could the data be anonymised and still be useful? Truly anonymised data falls outside the GDPR (and you will need a documented methodology for anonymisation).

17. Privacy notice requirements in the GDPR
Ideally provided at the time you collect personal data, a privacy notice explains:
- The identity and contact details of the controller
- Contact details for the data protection officer
- The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing
- Recipients and categories of recipients
- Any intention to transfer personal data to a recipient in a ‘third country’
- The period for which personal data will be stored
- All of the individual’s rights and how they can be exercised
- Where processing is consent based, the existence of the right to withdraw consent at any time
- The right to complain to the supervisory authority (in the UK, the ICO)
- Whether provision of the data is a statutory or contractual requirement, whether the individual is obliged to provide it, and the consequences of failing to do so

18. How else are we using the information that we will collect?
Record retention: the process enables us to decide how long we will retain personal data. This is critical because the GDPR requires retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period must also be disclosed.
Legitimate interests: any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.
Consent: we can assess whether consent is being used appropriately and, if we rely on consent, whether the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.
International transfers: we need to know exactly where data is located and where it can be accessed from, as there are rules that must be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.
Now let’s try to fill in a form (provide a template for people to fill in).

19. Summary
• Completing a register of data processing activities is a critical first step in compliance with the GDPR.
• It provides us with information on lawful processing and the involvement of data processors and third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in responses to requests for access to an individual’s personal data.
• It is critical that new initiatives are discussed with your data protection adviser before they start, so that advice on lawfulness can be taken and the register updated. A data protection impact assessment may also be required if the project is high risk.
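The slides describe the register as a set of columns per activity (slides 6 and 8) and then a list of gaps to look for once it is filled in: a missing lawful ground, a processor without an Article 28 contract or due diligence, data outside the EEA with no transfer mechanism, consent with no withdrawal route, legitimate interests not mentioned in the privacy notice, no retention period (slides 9, 11, 13, 16 and 18). The following is an added example, not part of the workshop materials or any template it provides: a small Python checker that models one register row and flags those gaps so they can be tracked as remediation items. The field names, the finding codes and the three sample entries are this example's own assumptions (the entries are constructed for a fictional employer), and the EEA list includes GB because the workshop predates the UK's exit from the EU.

```python
from dataclasses import dataclass, field

# EEA for the workshop's 2018 context: EU member states (then including GB)
# plus Norway, Iceland and Liechtenstein, as ISO 3166-1 alpha-2 codes. Assumed list.
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO "
          "SK SI ES SE GB NO IS LI".split())

# The five Article 6(1) grounds the slides list for a commercial organisation.
LAWFUL_BASES = {"consent", "contract", "legal obligation",
                "vital interests", "legitimate interests"}


@dataclass
class Processor:
    """A third party acting on the controller's instructions (slide 13)."""
    name: str
    country: str                       # where it stores or accesses the data
    due_diligence_done: bool = False   # infosec due diligence completed?
    article_28_contract: bool = False  # contract clauses checked against Article 28?


@dataclass
class Activity:
    """One row of the register; hypothetical column names based on slides 6 and 8."""
    name: str
    department: str
    process_owner: str
    purpose: str
    data_subjects: list
    data_categories: list
    special_categories: list = field(default_factory=list)
    lawful_basis: str = ""
    special_category_condition: str = ""  # additional condition for special categories
    privacy_notice: str = ""              # reference to the applicable notice
    legitimate_interest_in_notice: bool = False
    consent_withdrawal_method: str = ""
    storage_countries: list = field(default_factory=list)
    transfer_mechanism: str = ""          # legal mechanism for any ex-EEA transfer
    retention_period: str = ""
    processors: list = field(default_factory=list)
    security_measures: str = ""


def check_activity(a: Activity) -> list:
    """Return finding codes (assumed names) for the gaps the workshop says to remediate."""
    findings = []
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append("NO_LAWFUL_BASIS")
    if a.special_categories and not a.special_category_condition:
        findings.append("SPECIAL_CATEGORY_WITHOUT_CONDITION")
    if a.lawful_basis == "consent" and not a.consent_withdrawal_method:
        findings.append("CONSENT_WITHOUT_WITHDRAWAL_METHOD")
    if a.lawful_basis == "legitimate interests" and not a.legitimate_interest_in_notice:
        findings.append("LEGITIMATE_INTEREST_NOT_IN_NOTICE")
    if not a.privacy_notice:
        findings.append("NO_PRIVACY_NOTICE")
    if not a.retention_period:
        findings.append("NO_RETENTION_PERIOD")
    # Data leaves the EEA if it is stored there or a processor accesses it from there.
    locations = set(a.storage_countries) | {p.country for p in a.processors}
    if (locations - EEA) and not a.transfer_mechanism:
        findings.append("EX_EEA_TRANSFER_WITHOUT_MECHANISM")
    for p in a.processors:
        if not p.due_diligence_done:
            findings.append(f"PROCESSOR_NO_DUE_DILIGENCE:{p.name}")
        if not p.article_28_contract:
            findings.append(f"PROCESSOR_NO_ARTICLE_28_CONTRACT:{p.name}")
    if not a.security_measures:
        findings.append("NO_SECURITY_MEASURES_RECORDED")
    return findings


def check_register(register: list) -> dict:
    """Map each activity name to its findings; an empty list means nothing to fix."""
    return {a.name: check_activity(a) for a in register}


# Constructed sample rows for a fictional employer; not real data.
SAMPLE_REGISTER = [
    Activity(name="Payroll", department="HR", process_owner="Payroll manager",
             purpose="Paying wages and PAYE returns to HMRC",
             data_subjects=["employees"],
             data_categories=["name", "bank account", "NI number", "salary"],
             lawful_basis="contract", privacy_notice="staff-privacy-notice-v2",
             storage_countries=["GB"], retention_period="6 years after tax year end",
             processors=[Processor("Acme Payroll Ltd", "US", due_diligence_done=True)],
             security_measures="role-based access, encrypted backups"),
    Activity(name="Newsletter", department="Marketing", process_owner="Marketing lead",
             purpose="Sending marketing newsletters to subscribers",
             data_subjects=["contacts"], data_categories=["email address"],
             lawful_basis="consent", storage_countries=["IE"],
             security_measures="password policy, MFA on mailing platform"),
    Activity(name="Sickness absence", department="HR", process_owner="HR manager",
             purpose="Recording absences and statutory sick pay",
             data_subjects=["employees"], data_categories=["name", "absence dates"],
             special_categories=["health"], lawful_basis="legal obligation",
             special_category_condition="employment law obligation",
             privacy_notice="staff-privacy-notice-v2", storage_countries=["GB"],
             retention_period="3 years after employment ends",
             security_measures="HR system access restricted to HR team"),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(f"{name}: {findings or 'no gaps found'}")
```

Run as a script it prints one line per activity: Payroll is flagged for the US-based processor (no transfer mechanism, no Article 28 contract check), Newsletter for consent with no withdrawal route plus a missing notice and retention period, and the absence record passes. The checks are deliberately only structural (is the field filled in?); whether the recorded ground, condition or mechanism is actually adequate is still the data protection adviser's call, as slide 8 says.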