
GDPR: Data protection rights and wrongs


A talk from Jason Turner and Matt Donnelly about the General Data Protection Regulation from NUX Newcastle on Thursday 22 March 2018.

Published in: Design
  • A very interesting talk, thank you. Is anyone aware of any standardised iconography around privacy notices?


  1. www.data2action.co.uk
     Jason Turner (@data2_action, jason.turner@data2action.co.uk)
     Matt Donnelly (@particulardodge, matthew.donnelly@particular.legal)
  2. What we will cover
     • Introduction to GDPR
     • Key terms and roles
     • Rights and principles
     • Risks and liabilities
     • Planning for compliance
  3. Overview
  5. • Harmonised privacy law and practices
     • Lawful benchmark for organisations
     • Covers all EU residents
     • Applies to anyone offering them goods or services
     • Not 'B2B' or 'B2C' specific
     • Replaces the Data Protection Act
     • Focus on improved control and security
     • Increased trust and confidence in business
  6. Personal data (often called PII, Personally Identifiable Information): any information relating to an identified or identifiable natural person (the Data Subject). Identifiers include:
     • Name, ID number
     • Location data, online identifier
     • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
  7. Processing of information: obtaining, recording, holding or carrying out any operation on the data, including:
     • Manipulation or adaptation
     • Alteration or modification
     • Use
     • Transmitting
     • Destroying, blocking or erasing
     Includes any type of 'customer' or employee data.
  8. [Diagram: the roles and their relationships. Actors: Controller, Processor, Supervisory Authority, European Data Protection Board, 3rd parties and countries (outside EU). Labelled relationships: Duties, Rights, Security, Contract, Guarantees, Disclosure.]
  9. Individuals now have 8 rights:
     1) To be informed
     2) Access
     3) Rectification
     4) Erasure
     5) Restrict processing
     6) Data portability
     7) Object (to processing)
     8) In relation to automated decision making (profiling)
  10. Controllers must ensure data is:
     • Processed lawfully, fairly and in a transparent way
     • Collected for specified, explicit and legitimate purposes
     • Relevant and limited to what is needed
     • Accompanied by a clear explanation of why it is collected
     • Kept accurate and retained only for as long as necessary
     • Processed appropriately to maintain security
  11. Lawful basis for processing
     • Consent: the data subject proactively agrees that you can process
     • Contract: processing needed to enter into or perform a contract
     • Legal obligation: obliged by law
     • Vital interest: data is processed to preserve life
     • Public interest: public authorities acting within the scope of their public duties
     • Legitimate interest: an assessed legitimate interest that is not overridden by the interests of others
     Note: take care with special category data.
  12. Consent and the GDPR. "Consent means offering individuals a real choice and control." Consent must be FREELY GIVEN, CLEAR, UNAMBIGUOUS and POSITIVE!
  13–15. Consent [image slides: examples of consent wording]
  16. Brexit. What is the impact of the GDPR and Brexit? The Information Commissioner's Office (ICO) and the British Government have both said that companies in the UK will need to implement the provisions of the GDPR.
  17. Brexit. EU companies can only share personal data with businesses that meet the GDPR's requirements, so the regulation reaches businesses outside the EU too, e.g. in America and in the UK post-Brexit!
  19. Brexit. Therefore WE MUST be GDPR compliant to work with EU businesses in the future!
  20. Breach and incidents. Required to report to the ICO:
     • If the breach presents a risk to the 'rights and freedoms' of people
     • As soon as possible, and within 72 hours of becoming aware of it
     • If 'high risk', also notify the affected individual(s)
     • No report needed if the data remains protected (e.g. it was strongly encrypted)
     • Must have a policy, process and logs
     Consequences:
     • Significant brand/reputation damage
     • People may sue for damages
     • Fines and scrutiny from the supervisory authority
  21. Your plan: PEOPLE, PROCESS, TECHNOLOGY
  22. • Data audit
     • Staff education and engagement
     • Deliver policies and procedures
     • Assess systems and services
     • Review technical/organisational measures
     • Test
     • Consider encryption and anonymisation
     • Check restoration
     • Review and refine
  23. Processes
     • Data audit: map and gap (later)
     • Understand your role and whom you share data with
     • Review and document your legal basis
     • Review and update privacy notices
     • Ensure compliance: 8 rights / 7 principles
     • Implement privacy by design / DPIA process
     • Conduct risk reviews
     • External certification
     • Register with the ICO
  24. Summary
     • All change from 25th May 2018
     • New lawful benchmark; all EU residents
     • Replaces the DPA, unaffected by Brexit
     • 4 'E's: Educate, Engage, Encourage, Enforce
     • Review people, process and technology
     • Understand what you have and why you need it
     • Must produce and maintain documentation to demonstrate compliance
