DCH Data Protection Training Presentation

Data Protection
Training
support@digitalcompliancehub.co.uk
https://digitalcompliancehub.co.uk
v1.0 December 2018

Welcome to this Digital Compliance Hub training module.
Available as part of your Hub subscription.
We’re going to be covering data protection basics and what
you need to consider when working in your organisation.

You’ve probably heard of
the General Data
Protection Regulation or
GDPR – it was a new EU
data protection
regulation which became
law in the UK on 25th
May 2018.

The UK government
implemented it into UK
law as the Data
Protection Act 2018

…and despite Brexit,
thanks to the 2018 Act it
will remain UK law post-
Brexit

1. As we mentioned, the law has recently changed
2. Your organization needs to be compliant
3. It’s important that everyone in your organization
understands what it means to them
4. Everyone has a role to play in data protection
compliance
5. There’s penalties if we get it wrong
So why this training?

2. Your organisation needs to be compliant
3. It’s important that everyone in your organization
compliance

2. Your organisation needs to be compliant
3. It’s important that everyone in your organisation
compliance

What will we be covering?
Next steps for you
What if we get it wrong?
What compliance means, day to day
Introduction to data protection

Introduction to
data protection

Data protection law has lots of definitions
but we’re just going to cover
the essentials…

Data protection law has lots of definitions
but we’re just going to cover
the essentials…
Personal
Data
Processing
Data
Subject
Data
Controller
Data
Processor

Personal Data
Personal data is any data that can be used to identify an
individual either directly or indirectly.

Personal Data
“Directly” means that it is data that is obviously personal,
so it may contain a name, an email address, postal
address, etc.
“Indirectly” means that on it’s own the data doesn’t look
personal, but when used with other information an
individual can be identified from it, e.g. location data on
it’s own may not identify an individual but when you
couple it with a customer database containing a postal
address, both sets of data become personal.

Personal Data
“Directly” means that it is data that is obviously personal,
so it may contain a name, an email address, postal
address, etc.
“Indirectly” means that on it’s own the data doesn’t look
personal, but when used with other information an
individual can be identified from it, e.g. location data on
it’s own may not identify an individual but when you
couple it with a customer database containing a postal
address, both sets of data become personal.
NOTE: there are “special categories” of data too. This
data is things like medical information, trade union
membership, biometric data used for ID, etc. The rules for
processing this data is even stricter than “normal”
personal data.

Processing of personal data is everything you do with that
data. It has a wide definition and includes more than why
you have collected the data in the first place. It includes:
Processing

• Processing the data for the purpose for which you
collected it in the first place
• Storing data (including in the cloud)
• Editing or manipulating the data
• Sharing the data
• Deleting the data
Processing

• Processing the data for the purpose for which you
collected it in the first place
• Storing data (including in the cloud)
• Editing or manipulating the data
• Sharing the data
• Deleting the data
Processing
NOTE: This also means that “processing” includes adding,
storing and using the data in online software systems
such as CRMs, cloud storage, MailChimp, GoogleDrive,
Dropbox, etc.

Data Subjects, Controllers & Processors
The Data Subject is the individual who’s personal data is
being processed

being processed
The Data Controller is the organisation who collects the
personal data from the Data Subject and determines how
it’s going to be processed

being processed
The Data Controller is the organisation who collects the
personal data from the Data Subject and determines how
it’s going to be processed
A Data Processor is an organisation who processes the
data on behalf of the Data Controller. Remember, that
wider definition of processing will mean that you may be
using Data Processors in all different ways across your
organisation.

Processing example: email marketing

Subscriber You
A subscriber gives you their email
address because they want to receive
your email newsletter.

Subscriber You
A subscriber gives you their email
address because they want to receive
your email newsletter.
Data Subject
Personal Data
Data Conroller

Subscriber You
You store their email address in email
marketing software, MailChimp…
Data Subject
Personal Data
Data Conroller

Subscriber You
You store their email address in email
marketing software, MailChimp…
Data Subject
Personal Data
Data Conroller
Data Processor
Processing

Subscriber You
…but ask a digital marketing company
to actually send your email newsletter
to your subscribers
Data Subject
Personal Data
Data Conroller
Data Processor
Processing
Agency

Subscriber You
…but ask a digital marketing company
to actually send your email newsletter
to your subscribers
Data Subject
Personal Data
Data Conroller
Data Processor
Data Processor
Processing
Agency

Data Protection Principles
There are a number of “rules”, called Principles
which set out what you can and can’t do with
personal data.

personal data.
This means that if there is a law or
regulation that prevents you from
processing the data in the way you want to,
then you can’t process it. Plus there must be
a lawful basis for processing (which we’ll
come onto in a bit)
All processing must be:
Lawful

personal data.
Lawful
Fair
This means that a Data Subject shouldn’t be
surprised to find out you have their data, or
how you are processing it

personal data.
You have to be open and clear about how
you’re processing someone’s data
Lawful
Fair
Transparent

personal data.
This means that you can only process the
data for the original purpose for which you
collected it. If you want to do something
else with the data then you will need to
make sure it is lawful for you to do so and
another lawful basis for processing exists
Lawful
Fair
Transparent
Specific
Purpose

personal data.
Lawful
Fair
This means you must only collect and
process the personal data that is relevant
for the purposes for which you want to
process it. So, if you don’t need to collect a
postal address or date of birth, then you
should not ask for that personal data. Transparent
Specific
Purpose
Relevant

personal data.
Lawful
Fair
You have a duty to make sure you update
your records if a Data Subject tells you their
data has changed, and when it is
appropriate for you to do so, you should
check that the data you hold is still accurate
and up to date. Transparent
Specific
Purpose
Relevant
Accurate

personal data.
Lawful
Fair
You must not keep data forever. If you no
longer need it and there is no lawful basis
for you to continue to process it then you
must delete it.
Transparent
Specific
Purpose
Relevant
Accurate
Not forever

personal data.
Lawful
Fair
All processing (remembering the wide
definition of processing) must be done so
with securely, so security of the data and
how you process it is very important (more
on that in a bit).
Transparent
Specific
Purpose
Relevant
Accurate
Not forever
Secure

personal data.
Lawful
Fair
This means that it’s not good enough that
you ARE compliant – you have to be able to
prove it! Accountability crops up throughout
the GDPR from recording your processing
activities to proving you have sought
consent (when you need it). Transparent
Specific
Purpose
Relevant
Accurate
Not forever
Secure
Accountable

personal data.
PLUS:
There are a number of individuals’ rights
that apply to Data Subjects (e.g. subject
access right, right to be informed, etc.). You
must make sure that you have processes in
place to honour those rights.
Subject’s
Rights

personal data.
PLUS:
And finally… there are strict rules about
processing personal data outside the EU.
You may only do so if there is adequate data
protection controls in place. Adequacy
means:
• The country has equivalent laws and are
approved by the EU
• There is an EU agreement in place (e.g.
the US Privacy Shield), or
• There is a contract (“model standard
clauses”) in place (provided by the EU)
Subject’s
Rights
International

Lawful Basis for Processing
For processing to be lawful there are a number of

LAWFUL BASIS FOR PROCESSING

1. CONSENT

1. CONSENT
• Consent means that the Data Subject has given you permission to process their data

1. CONSENT
• The law has specific requirements about what consent looks like

1. CONSENT
• It is often thought that you need consent for all processing – this is NOT true

1. CONSENT
• Think of consent as a binary option; a YES or a NO

1. CONSENT
• If you need to process the data even when the answer is NO, then consent is not
going to be the right lawful basis for processing.

1. CONSENT
• If you need to process the data even when the answer is NO, then consent is not
going to be the right lawful basis for processing.
• There is also a problem with consent: it can’t be withdrawn, at anytime, by the Data
Subject and you cannot do anything about it

2. CONTRACT

2. CONTRACT
• If you are processing data as part of performing a contract or as agreed with a
customer/user, then this is the most applicable lawful basis for processing

2. CONTRACT
• If you are processing data as part of performing a contract or as agreed with a
customer/user, then this is the most applicable lawful basis for processing
• You don’t need to ask for consent to process as well

3. LEGAL OBLIGATION

3. LEGAL OBLIGATION
• If a law or regulation requires you to process data in a particular way then this is your
lawful basis for processing

3. LEGAL OBLIGATION
• If a law or regulation requires you to process data in a particular way then this is your
lawful basis for processing
• Examples include tax law, care law for those operating in the care sector, disclosing
data to law enforcement or government agents, etc.

4. DATA SUBJECT’S INTEREST

• This is in a life of death situation

• It would be lawful for you to process personal data if it’s in the vital interests of the
Data Subject

• It would be lawful for you to process personal data if it’s in the vital interests of the
Data Subject
• An example would be if a colleague collapsed it would be lawful to disclose
information that might help the Paramedics care for your colleague, you wouldn’t
need to think about data protection, consent, etc.

5. PUBLIC INTEREST

5. PUBLIC INTEREST
• Public bodies (e.g. government, council, schools, universities, etc.) may rely on this
for carrying out certain public interest tasks

6. LEGITIMATE INTEREST

• Often thought as the default lawful basis (if not thinking about consent) because it
sounds as though you just need to be able to show it’s in your interest to process the
data

• Often thought as the default lawful basis (if not thinking about consent) because it
sounds as though you just need to be able to show it’s in your interest to process the
data
• But this is not the case. Legitimate interest can be tricky because you have to
demonstrate:
1. The purpose of processing in terms of why and that it is lawful
2. That the processing is necessary
3. That the processing is not harmful to the rights of the Data Subjects

What this means in
practice: compliance

Not everything discussed in this next section will
necessarily apply to you and your role.
But it’s important (a) that you know when it does and (b)
what else is necessary that your colleagues or perhaps the
Data Protection Officer or lead within your business need
to know about when you do process personal data
Compliance in Practice

When we collect data, we will:
Compliance in Practice:
Collecting Data

 Only collect the data we actually need and not collect
or ask for anything extra, just in case
Collecting Data

 We will make sure it is clear to the individual why we
need this data, and if it’s not…
Collecting Data

 We will make sure it is clear to the individual why we
need this data, and if it’s not…
 We’ll make sure we have a suitable Privacy Notice or
similar statement that explains everything
Collecting Data

Once we’ve collected the data, we will:
Using & Storing Data

 Only use it for the purpose we originally collected it

 Only keep it for as long as we need or for as long as it is lawful for us to do
so (as per the lawful basis for processing),

so (as per the lawful basis for processing), delete it if we no longer need it
and…

and don’t keep it “just in case”

and don’t keep it “just in case”
 Be mindful if we keep copies for local processing to delete them once
we’re finished (so we don’t leave copies of data lying around on our
computers or servers)

When we process data, we will:
Security

 Do so securely
Security

 Do so securely
 Make sure we protect the data from
unauthorised access or viewing
Security

 Do so securely
 Only share data or take it out of the office in a
way that protects it and is secure
Security

 Do so securely
 Avoid copying the data to our own personal
devices or online services
Security

 Do so securely
 Avoid copying the data to our own personal
devices or online services
 Tell the data protection lead if we see something
that might be a breach
Security

Individuals’ Rights

Data subjects have a number of rights which they can
exercise at any time, relating to the way we process their
data.

Data subjects have a number of rights which they can
exercise at any time, relating to the way we process their
data.
We’re not going to go through all of them, but will cover
the important ones

Subject Access
An individual has the right to ask

What data is
being processed,
why & for how
long
Subject Access
Who has access
to the data
For a copy of the
data and other
information
We have to:

What data is
being processed,
why & for how
long
Subject Access
Who has access
to the data
For a copy of the
data and other
information
We have to:
Verify their
identity
Deal within
1 month
Provide
FREE

Right to Erasure (or Right to be Forgotten)
An individual has the right to request

Their data is
deleted
But only if we
don’t need it (it’s
not an absolute
right!)
We have to:

Their data is
deleted
But only if we
don’t need it (it’s
not an absolute
right!)
We have to:
Verify their
identity
Deal within
1 month
Delete for
FREE

Right to Portability
An individual can request

A machine
readable export
of the data they
provided
We have to:

A machine
readable export
of the data they
provided
We have to:
Verify their
identity
Deal within
1 month
Provide for
FREE

Withdraw Consent
An individual has an absolute right to

Change their
mind about
consent
Withdraw Consent
Ask us to stop
processing
We have to:

Change their
mind about
consent
Withdraw Consent
Ask us to stop
processing
We have to:
Verify their
identity
STOP!
Processing

Accountability
Remember the Accountability principle?

Accountability
Remember the Accountability principle?
Well it requires us to carry out certain actions for some
types of processing…

Accountability
Data
Controllers
Data
Processors
&

Accountability
Data
Controllers
Data
Processors
&
Us
Organisations who
process our data

Accountability
Data
Controllers
Data
Processors
&
When we use third-parties to process our data we must:

Accountability
Data
Controllers
Data
Processors
&
Only use
processors who
are compliant
Carry out due
diligence on all
third-party
processors
Put in place legal
contracts with
our third-parties

Accountability
Data
Controllers
Data
Processors
&
Only use
processors who
are compliant
Carry out due
diligence on all
third-party
processors
Put in place legal
contracts with
our third-parties
So be mindful that a processor could be a cloud service, software, as well as a company or individual

Accountability
Data
Controllers
Data
Processors
&
Us
Organisations who
process our data
Only use
processors who
are compliant
Carry out due
diligence on all
third-party
processors
Put in place legal
contracts with
our third-parties
So be mindful that a processor could be a cloud service, software, as well as a company or individual
Make sure your Data Protection Lead knows about any third-parties you are using

Accountability
Data Protection Impact
Assessments (DPIA)

Accountability
Assessments (DPIA)
mean we have to

Accountability
Assessments (DPIA)
mean we have to
Consider data protection in everything we do

Accountability
Assessments (DPIA)
mean we have to
Carry out a DPIA every time we plan on doing something different with our
data

Accountability
Assessments (DPIA)
mean we have to
Carry out a DPIA every time we plan on doing something different with our
data
It’s a risk assessment essentially: what’s the risk from the processing?

Accountability
Data Breaches

Accountability
Data Breaches
A personal data breach means a breach of security which leads to
the “accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data”.

Accountability
Data Breaches
This means that a data breach is more than your typical cyber-
security hacking incident. It can also include someone looking at
your data “over your shoulder”, accidentally deleting someone’s
data, loss of a device containing personal data, sending the wrong
person someone else’s data, etc.

Accountability
Data Breaches
The law says that if there is a risk to the Data Subjects we have to
tell the Information Commissioner (ICO) and if there is HIGH risk to
the Data Subjects we have to tell the Data Subjects too (so they
can protect themselves, e.g. from ID fraud).

Accountability
Data Breaches
The law says that if there is a risk to the Data Subjects we have to
tell the Information Commissioner (ICO) and if there is HIGH risk to
the Data Subjects we have to tell the Data Subjects too (so they
can protect themselves, e.g. from ID fraud).
We have 72 hours to report it!!!

Accountability
Data Breaches
So what does this mean in practice?

Accountability
Data Breaches
Make sure you know how to identify a breach

Accountability
Data Breaches
Make sure you know what to do if a breach
occurs

Accountability
Data Breaches
occurs
Make sure you tell whoever it is who is
responsible for data protection within your
organisation

Accountability
Data Breaches
occurs
Make sure you tell whoever it is who is
responsible for data protection within your
organisation
DON’T ignore anything you suspect is a breach

The ICO may investigate us and ask questions about our processing and
compliance activities

The ICO has the power to fine us

Under some circumstances responsible persons could be fined or sent to
prison

Data Subjects have the right to sue for damages if they can show they have
suffered harm from the processing or breach

There’s plenty of
examples of action
taken…

There’s plenty of
examples of action
taken…
• Uber failure to secure data (£385,000 fine)

There’s plenty of
examples of action
taken…
• Heathrow Airport for USB loss (£120,000 fine)

There’s plenty of
examples of action
taken…
• GP Surgery Secretary for unlawful (unnecessary) access

There’s plenty of
examples of action
taken…
• Bayswater Medical Centre for leaving medical records in
empty building (£35,000 fine)

There’s plenty of
examples of action
taken…
• Bayswater Medical Centre for leaving medical records in
empty building (£35,000 fine)
• Gain Credit LLC failure to deal with subject access
request (enforcement notice – criminal penalty if ignored)

…but there’s one
case that stands out
& highlights wider
concerns

…but there’s one
case that stands out
& highlights wider
concerns
Morrisons Supermarket

• An employee stole payroll data and leaked it online – he’s now serving a prison
sentence
• Morrisons were vindicated of any wrong doing – it was the employees fault that
there was a breach, nothing to do with Morrisons’ compliance
• But the employees have been able to demonstrate they have suffered harm and
are suing Morrisons for damages

• An employee stole payroll data and leaked it online – he’s now serving a prison
sentence
• Morrisons were vindicated of any wrong doing – it was the employees fault that
there was a breach, nothing to do with Morrisons’ compliance
• But the employees have been able to demonstrate they have suffered harm and
are suing Morrisons for damages
• It has been through various court proceedings and the courts have so far
concluded that Morrisons have “vicarious liability” meaning that whilst it wasn’t
their fault they have a duty of care to their employees who have suffered thanks
to the breach!

• Familiarise yourself with company data protection
policies✓
• Know what to do if someone asks for their data or
wishes to complain about how their data is being
used✓
• Make sure you ask your data protection lead if you
are unsure about a data protection issue or
whether it’s lawful to use data✓
• Make sure you pay attention to any internal
communications updating you on developments or
changes✓

• Familiarise yourself with company data protection
policies✓
• Know what to do if someone asks for their data or
wishes to complain about how their data is being
used✓
• Make sure you ask your data protection lead if you
are unsure about a data protection issue or
whether it’s lawful to use data✓
• Make sure you pay attention to any internal
communications updating you on developments or
changes✓
If in doubt: ask the person
responsible for data protection

Data Protection Training
support@digitalcompliancehub.co.uk
https://digitalcompliancehub.co.uk

DCH Data Protection Training Presentation

More Related Content

What's hot

Similar to DCH Data Protection Training Presentation

Recently uploaded

DCH Data Protection Training Presentation