The clock has started on the biggest change to data protection law for a generation. With public authorities regularly handling personal data – and at times sensitive (or special category) data – in relation to the delivery of public services, we've brought together a panel of public sector experts to help you prepare for May 2018 as the General Data Protection Regulation (GDPR) comes into force.
With the new regulation comes significant change, including the basis on which public authorities can process personal data for HR and public functions. Patrick O’Connell and Dmitrije Sirovica explore how the GDPR will impact the way that you communicate with individuals and collect, hold and process their personal information. Patrick and Dmitrije take a closer look at whether public bodies can ever use consent – if so, when and what’s needed? Similarly, they explore whether public bodies can use ‘legitimate interests’ to process personal information – again, if so, when?
How to implement GDPR for the public sector, December 2017
1. Join in the conversation #GenerationGDPR Connect with our experts | LinkedIn
How to implement GDPR for the public sector
2. How to implement GDPR for the public sector
Connect with Dmitrije
dmitrije.sirovica@brownejacobson.com
+44 (0)115 976 6238
Connect with Patrick
patrick.o'connell@brownejacobson.com
+44 (0)330 045 2149
3. GDPR
• key definitions
• legal grounds for processing
• guidance and tips
• questions
4. Key definitions
Article 4(1)
‘personal data’ means any information relating to an identified or identifiable natural person (the data subject)
5. Key definitions
Article 4(7)
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
6. Key definitions
Article 4(7)
where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
7. Requirement for a lawful basis for processing
8. Data protection principles
1. processed lawfully, fairly and in a transparent manner
2. only processed for specified, explicit and legitimate purposes
3. adequate, relevant and limited to the purposes for which processed
4. must be accurate
5. kept for no longer than necessary
6. kept securely
9. Bases for processing
• personal data
– Article 6 GDPR
• special categories of personal data
– Article 9 GDPR
10. Information to be provided to data subjects
• Article 13 GDPR
– information to be provided where personal data are collected from the data subject
• Article 14 GDPR
– information to be provided where personal data have not been obtained from the data subject
11. Personal data
“means any information relating to an identified or identifiable natural person (‘data subject’)
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
12. Article 6
• (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject
• (1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
13. Article 6
• (1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• (1)(d) – processing is necessary in order to protect the vital interests of the data subject or of another natural person
14. Processing special categories of personal data
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
• data concerning health
• data concerning a natural person's sex life or sexual orientation
15. Bases for processing
• Article 9(2)(b) – employment, social security and social protection
• Article 9(2)(h) – health or social care purposes
• Article 9(2)(i) – public health
16. Article 9(2)(g)
Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject
17. Appropriate policy document
Explains the controller’s:
• procedures for securing compliance with the data protection principles in connection with the processing of that personal data
• policies as regards the retention and erasure of that personal data, giving an indication of how long such personal data is likely to be retained
18. Schedule 2 to the Data Protection Act 1998
processing data
• consent and legitimate interests
other legal grounds
• contractual necessity
• statutory basis/public function
• compliance with a legal obligation
19. Article 4(11)
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
20. Recital 43
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation
22. Article 7(3)
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
23. Article 6(1)(f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
24. Article 6(1)
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
27. Get in touch with your questions