Building a register of data processing activities
Workshop overview
• Key requirements of the General Data Protection Regulation
• What is personal data?
• What personal data do you collect?
• Why we are here today – to compile a record of data processing activities
• What is lawful processing?
• What are legitimate interests?
• What is consent?
• Mix and match exercise
• What is a data processor?
• What is a data controller?
• Controller or processor?
• How long should you keep data?
• Privacy notices
• Recording processing activities
• Summary
What is data protection?
Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations re security. The current UK law is the Data Protection Act 1998.
What is the General Data Protection Regulation?
- A new EU Regulation that governs the processing of personal data
- It is an evolution of existing laws
- It introduces a number of administrative burdens and documentation requirements – such as records of processing, and in high risk situations, data protection impact assessments
- The rights of individuals in relation to their data have been enhanced
- Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data
- Organisations must be in compliance by 25 May 2018
- In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
What is personal data?
Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of personal data (AKA sensitive personal data): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
What personal data do you collect?
Personal data
Special categories of personal data (AKA sensitive personal data)
Register of data processing activities
The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators.
Controls
1. A register must be maintained that includes the following information:
• the name and contact details of the controller, the controller's representative (where entity is non-EU) and the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
• the envisaged time limits for erasure of the different categories of data;
• a general description of the technical and organisational security measures applied to the data.
Record processing at activity level
What processing activities do you do?
Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities)
Recruitment: how people apply for jobs online, by email. Reference checking.
Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances.
Workplace: CCTV, reporting an accident, issuing a security card
Communications: signing up for newsletters and other marketing communications
Activity: What other processing activities do you do?
What information should you record?
•Department;
•Process owner;
•Step by step process flow – from collection to disposal;
•Categories of data collected (e.g. bank account data, NI number, home address, email);
•Data subjects (e.g. job applicants, contacts, employees, customers);
•Link to the applicable privacy notice
•Lawful grounds for processing (and this process will involve close scrutiny of these) of personal data and special categories of personal data;
•Where data is stored and accessed from (taking into account data processors, data centre location)
•Where there is an ex-EEA* transfer, what is the legal mechanism for this;
•Suggested retention period if not already agreed;
•Whether there is a statutory retention period (and if so, what is the law/regulation)
•Who has access to the data;
•Are there any data processors involved in the process (and who they are);
•Is any data being shared with data controllers?
•Has infosec due diligence been conducted on data processors involved?
•Check of the contract clauses to see if they meet Article 28 (Processor) requirements;
•Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training)
Items in red will need to be confirmed by your data protection officer or other.
* European Economic Area – EU plus Norway, Iceland and Liechtenstein.
What are lawful grounds for processing?
Any activity involving personal data should have lawful grounds for processing. The grounds available to choose from for a commercial organisation:
- You have the individual’s consent to use their personal data in this way
- It is strictly necessary for the performance of a contract with the individual
- It is strictly necessary to fulfil a legal obligation
- It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual
- It is for the vital interests of the individual (life and death).
There are additional grounds that need to be met for the lawful processing of special categories of data.
Let’s have a closer look at consent.
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Now let’s look at legitimate interests
What are your legitimate interests?
Sounds like a way to make anything lawful? NO!
Your organisation has to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, it must be within their reasonable expectations, and so on.
Examples where legitimate interests might be considered:
Limited use of CCTV for security purposes
Limited analysis of data for marketing purposes
Fraud prevention
NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice.
Now let’s ‘Mix and Match’
Mix and Match: fair processing conditions (use some relevant processing activities and ask delegates which grounds they would use)
What is a data processor?
You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it.
When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g. outsourcing payroll, email marketing management.
Requirements
- You must have a process to assess that the processor has the ability to protect data accordingly;
- You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included;
- By May 2018 all contracts will need to be reviewed and amended accordingly.
In building the register we are identifying where data processors exist (and where they store our personal data) so we can see where remediation might be required.
What is a data controller?
A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness.
Examples:
•HMRC
•Courts
•Other group entities (depending on the purposes for data sharing)
•Other corporates for their own marketing purposes
Actions
In the record keeping activity process we are identifying where data controllers exist so we can check that the sharing is lawful.
Processor or Controller?
(using examples that are relevant to your organization, ask delegates whether they would be acting as a data controller or a data processor)
How long should I keep data?
GDPR Article 5.1a: (Personal data must) be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.
Considerations?
•Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period?
•In the absence of a statutory requirement, how long do you need the personal data?
•What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing and do they influence the retention period?
•Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymisation).
Privacy Notice requirements in GDPR
Ideally provided at the time you collect personal data, a privacy notice explains:
- The identity and contact details of the controller
- Contact details for the data protection office(r)
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
- Recipients and categories of recipients
- Intention to transfer personal data to a recipient in a ‘third country’
- The period personal data will be stored for
- Awareness of all of their rights and how they can be exercised
- Where processing is consent based, the existence of the right to withdraw consent at any time
- The right to complain to the supervisory authority (in the UK being the ICO)
- Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and the consequences of failing to provide it
How else are we using the information that we will collect?
Record retention: the process enables us to decide how long we will retain personal data – this is critical because the GDPR will require retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period would also be disclosed.
Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.
Consent: We can assess whether consent is being used appropriately, and if we are reliant upon consent, that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.
International transfers: We need to know exactly where data is located and where it can be accessed from, as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.
Now let’s try to fill in a form (provide a template for people to fill in).
Summary
• Completing a register of data processing activities is a critical first step in compliance with the GDPR.
• It provides us with information on lawful processing and the involvement of data processors/third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data.
• It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken and the register updated. A data protection impact assessment may also be required if the project is high risk.

More Related Content

What's hot

TechTalks | Digital Transformation in Healthcare: Opportunities and Trends
TechTalks | Digital Transformation in Healthcare: Opportunities and TrendsTechTalks | Digital Transformation in Healthcare: Opportunities and Trends
TechTalks | Digital Transformation in Healthcare: Opportunities and Trends
rmcsoft
 

What's hot (17)

General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Healthcare in Digital Age
Healthcare in Digital Age Healthcare in Digital Age
Healthcare in Digital Age
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
TechTalks | Digital Transformation in Healthcare: Opportunities and Trends
TechTalks | Digital Transformation in Healthcare: Opportunities and TrendsTechTalks | Digital Transformation in Healthcare: Opportunities and Trends
TechTalks | Digital Transformation in Healthcare: Opportunities and Trends
 
Blockchain Applications in Healthcare
Blockchain Applications in HealthcareBlockchain Applications in Healthcare
Blockchain Applications in Healthcare
 
GDPR infographic
GDPR infographicGDPR infographic
GDPR infographic
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
 
AI in Supply chains
AI in Supply chainsAI in Supply chains
AI in Supply chains
 
Digital Health (March 14, 2018)
Digital Health (March 14, 2018)Digital Health (March 14, 2018)
Digital Health (March 14, 2018)
 
About Indegene
About IndegeneAbout Indegene
About Indegene
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Digital Healthcare Trends: Transformation Towards Better Care Relationship
Digital Healthcare Trends: Transformation Towards Better Care RelationshipDigital Healthcare Trends: Transformation Towards Better Care Relationship
Digital Healthcare Trends: Transformation Towards Better Care Relationship
 
Artificial intelligence transforming the phase of supply chain management
Artificial intelligence  transforming the phase of supply chain managementArtificial intelligence  transforming the phase of supply chain management
Artificial intelligence transforming the phase of supply chain management
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Ai and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewAi and Legal Industy - Executive Overview
Ai and Legal Industy - Executive Overview
 
Cracking the Workforce Genome with HR Analytics
Cracking the Workforce Genome with HR AnalyticsCracking the Workforce Genome with HR Analytics
Cracking the Workforce Genome with HR Analytics
 
CB Insights | AI in Healthcare
CB Insights | AI in HealthcareCB Insights | AI in Healthcare
CB Insights | AI in Healthcare
 

Similar to Building a register of data processing

GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptx
pixvilx
 

Similar to Building a register of data processing (20)

GDPR Demystified
GDPR Demystified GDPR Demystified
GDPR Demystified
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
Gdpr for business full
Gdpr for business fullGdpr for business full
Gdpr for business full
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptx
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)
 
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, Exeter
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?
 
GDPR master class accountable research organisations (january 2018)
GDPR master class   accountable research organisations (january 2018)GDPR master class   accountable research organisations (january 2018)
GDPR master class accountable research organisations (january 2018)
 

Recently uploaded

一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
Airst S
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
ss
 
Types of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM ITypes of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM I
yogita9398
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
Airst S
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
Airst S
 
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
ss
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
F La
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
Airst S
 
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
ZurliaSoop
 

Recently uploaded (20)

一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
Jim Eiberger Rental Agreement Redacted Former Lease.docx
Jim Eiberger Rental Agreement Redacted Former Lease.docxJim Eiberger Rental Agreement Redacted Former Lease.docx
Jim Eiberger Rental Agreement Redacted Former Lease.docx
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
Types of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM ITypes of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM I
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
OVERVIEW OF LABOUR LAWS with Case Studies- ppt.ppt
OVERVIEW OF LABOUR LAWS with Case Studies- ppt.pptOVERVIEW OF LABOUR LAWS with Case Studies- ppt.ppt
OVERVIEW OF LABOUR LAWS with Case Studies- ppt.ppt
 
Dematerialisation of securities of private companies
Dematerialisation of securities of private companiesDematerialisation of securities of private companies
Dematerialisation of securities of private companies
 
Democratic Awareness with Legal Literacy POLS 303.pptx
Democratic Awareness with Legal Literacy POLS 303.pptxDemocratic Awareness with Legal Literacy POLS 303.pptx
Democratic Awareness with Legal Literacy POLS 303.pptx
 
From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...
From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...
From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
Assignment of Law of crime.pptx including crpc
Assignment of Law of crime.pptx including crpcAssignment of Law of crime.pptx including crpc
Assignment of Law of crime.pptx including crpc
 
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
 
5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
Petitioner Moot Memorial including Charges and Argument Advanced.docx
Petitioner Moot Memorial including Charges and Argument Advanced.docxPetitioner Moot Memorial including Charges and Argument Advanced.docx
Petitioner Moot Memorial including Charges and Argument Advanced.docx
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
 
posts-harmful-to-secular-structure-of-the-country-539103-1.pdf
posts-harmful-to-secular-structure-of-the-country-539103-1.pdfposts-harmful-to-secular-structure-of-the-country-539103-1.pdf
posts-harmful-to-secular-structure-of-the-country-539103-1.pdf
 

Building a register of data processing

  • 1. Building a register of data processing activities
  • 2. Workshop overview • Key requirements of the General Data Protection Regulation • What is personal data? • What personal data do you collect? • Why we are here today – to compile a record of data processing activities • What is lawful processing? • What are legitimate interests? • What is consent? • Mix and match exercise • What is a data processor? • What is a data controller? • Controller or processor? • How long should you keep data? • Privacy notices • Recording processing activities • Summary
  • 3. What is data protection? Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations re security. The current UK law is the Data Protection Act 1998. What is the General Data Protection Regulation? -A new EU Regulation that governs the processing of personal data -It is an evolution of existing laws -It introduces a number of administrative burdens and documentation requirements – such as records of processing, and in high risk situations, data protection impact assessments -The rights of individuals in relation to their data have been enhanced -Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data -Organisations must be in compliance by 25 May 2018 -In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
  • 4. What is personal data? Personal data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Special categories of personal data (AKA sensitive personal data) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
  • 5. What personal data do you collect? Personal data Special categories of personal data (AKA sensitive personal data)
  • 6. Register of data processing activities The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators. Controls 1.A register must be maintained that includes the following information: the name and contact details of the controller, the controller's representative (where entity is non-EU) and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures applied to the data.
  • 7. Record processing at activity level What processing activities do you do? Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities) Recruitment: how people apply for jobs online, by email. Reference checking. Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances. Workplace: CCTV, reporting an accident, issuing a security card Communications: signing up for newsletters and other marketing communications Activity: What other processing activities do you do?
  • 8. What information should you record? •Department; •Process owner; •Step by step process flow – from collection to disposal; •Categories of data collected (e.g. bank account data, NI number, home address, email); •Data subjects (e.g job applicants, contacts, employees, customers); •Link to the applicable privacy notice •Lawful grounds for processing (and this process will involve close scrutiny of these) of personal data and special categories of personal data; •Where data is stored and accessed from (taking into account data processors, data centre location) •Where there is an ex-EEA* transfer, what is the legal mechanism for this; •Suggested retention period if not already agreed; •Whether there is a statutory retention period (and if so, what is the law/regulation) •Who has access to the data; •Are there any data processors involved in the process (and who they are); •Is any data being shared with data controllers? •Has infosec due diligence been conducted on data processors involved?; •Check of the contract clauses to see if they meet Article 28 (Processor) requirements; •Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training) Items in red will need to be confirmed by your data protection officer or other. * European Economic Area – EU plus Norway, Iceland and Liechteinstein.
  • 9. What are lawful grounds for processing? Any activity involving personal data should have a lawful grounds for processing. The grounds available to chose from for a commercial organisation: -You have the individual’s consent to use their personal data in this way -It is strictly necessary for the performance of a contract with the individual -It is strictly necessary to fulfil a legal obligation -It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual -It is for the vital interests of the individual (life and death). There are additional grounds that need to be met for the lawful processing of special categories of data. Let’s have a closer look at consent….
• 10. Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Now let’s look at legitimate interests
• 11. What are your legitimate interests?
Sounds like a way to make anything lawful? NO!
Your organisation has to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations and so on.
Examples where legitimate interests might be considered:
-Limited use of CCTV for security purposes
-Limited analysis of data for marketing purposes
-Fraud prevention
NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice.
Now let’s ‘Mix and Match’
  • 12. Mix and Match: fair processing conditions (use some relevant processing activities and ask delegates which grounds they would use)
• 13. What is a data processor?
You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it.
When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g. outsourcing payroll, email marketing management.
Requirements
-You must have a process to assess that the processor has the ability to protect data accordingly;
-You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included;
-By May 2018 all contracts will need to be reviewed and amended accordingly.
In building the register we are identifying where data processors exist (and where they store our personal data) so we can see where remediation might be required.
• 14. What is a data controller?
A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness.
Examples:
•HMRC
•Courts
•Other group entities (depending on the purposes for data sharing)
•Other corporates for their own marketing purposes
Actions
In the record-keeping process we are identifying where data controllers exist so we can check that the sharing is lawful.
• 15. Processor or Controller? (using examples that are relevant to your organisation, ask delegates whether they would be acting as a data controller or a data processor)
• 16. How long should I keep data?
GDPR Article 5.1a: (Personal data must be) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.
Considerations?
•Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period?
•In the absence of a statutory requirement, how long do you need the personal data?
•What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing and do they influence the retention period?
•Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymisation).
• 17. Privacy Notice requirements in GDPR
Ideally provided at the time you collect personal data, a privacy notice explains:
-The identity and contact details of the controller
-Contact details for the data protection office(r)
-The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
-Recipients and categories of recipients
-Intention to transfer personal data to a recipient in a ‘third country’
-The period personal data will be stored for
-Awareness of all of their rights and how they can be exercised
-Where processing is consent based, the existence of the right to withdraw consent at any time
-The right to complain to the supervisory authority (in the UK being the ICO)
-Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and the consequences of failing to provide it
• 18. How else are we using the information that we will collect?
Record retention: the process enables us to decide how long we will retain personal data – this is critical because the GDPR will require retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period would also be disclosed.
Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.
Consent: We can assess whether consent is being used appropriately, and if we are reliant upon consent, that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.
International transfers: We need to know exactly where data is located and where it can be accessed from, as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.
Now let’s try to fill in a form……. (provide a template for people to fill in)
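The fields listed on slide 8 and the cross-checks described on slide 18 lend themselves to an automated completeness check over each register entry. The following is an added example, not part of the workshop material; the field names, the `Processor`/`RegisterEntry` classes and the payroll sample are constructed for illustration, and the rules encode only what the slides state (a lawful ground for every activity, an additional condition for special categories, a legal mechanism for any ex-EEA transfer, legitimate interests published in the privacy notice, a recorded retention period, and due diligence plus an Article 28 contract check for each processor).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Processor:
    """A data processor named in the register (constructed structure)."""
    name: str
    due_diligence_done: bool      # infosec due diligence conducted?
    article28_clauses_ok: bool    # contract clauses checked against Article 28?


@dataclass
class RegisterEntry:
    """One row of the register of processing activities (constructed structure)."""
    department: str
    process_owner: str
    data_categories: List[str]
    data_subjects: List[str]
    lawful_grounds: List[str]     # e.g. "consent", "contract", "legitimate interests"
    special_categories: bool = False
    special_category_condition: Optional[str] = None
    ex_eea_transfer: bool = False
    transfer_mechanism: Optional[str] = None
    retention_period: Optional[str] = None
    privacy_notice_mentions_legitimate_interests: bool = False
    processors: List[Processor] = field(default_factory=list)


def check_entry(e: RegisterEntry) -> List[str]:
    """Return the gaps a data protection officer would need to resolve for this entry."""
    gaps: List[str] = []
    if not e.lawful_grounds:
        gaps.append("no lawful ground for processing recorded")
    if e.special_categories and not e.special_category_condition:
        gaps.append("special categories processed without an additional condition")
    if "legitimate interests" in e.lawful_grounds and not e.privacy_notice_mentions_legitimate_interests:
        gaps.append("legitimate interests relied on but not published in the privacy notice")
    if e.ex_eea_transfer and not e.transfer_mechanism:
        gaps.append("ex-EEA transfer without a recorded legal mechanism")
    if e.retention_period is None:
        gaps.append("no retention period recorded (needed for the privacy notice)")
    for p in e.processors:
        if not p.due_diligence_done:
            gaps.append(f"no infosec due diligence on processor {p.name}")
        if not p.article28_clauses_ok:
            gaps.append(f"contract with processor {p.name} not checked against Article 28")
    return gaps


# Constructed sample: outsourced payroll, the processor example the slides give.
PAYROLL = RegisterEntry(
    department="HR", process_owner="Payroll manager",
    data_categories=["bank account data", "NI number", "home address"],
    data_subjects=["employees"], lawful_grounds=["contract", "legal obligation"],
    ex_eea_transfer=True, transfer_mechanism=None,
    retention_period="6 years after employment ends",
    processors=[Processor("PayrollCo (constructed)", True, False)],
)

if __name__ == "__main__":
    for gap in check_entry(PAYROLL):
        print("GAP:", gap)
```

Run against the sample, the check flags the missing transfer mechanism and the unchecked processor contract, which is exactly the remediation list slide 13 says the register is meant to surface.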
• 19. Summary
• Completing a register of data processing activities is a critical first step in compliance with the GDPR.
• It provides us with information on lawful processing and the involvement of data processors/third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data.
• It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken, and the register updated. A data protection impact assessment may also be required if the project is high risk.