This document summarizes a presentation on getting to grips with the General Data Protection Regulation (GDPR). It discusses the challenges organizations face in complying with GDPR, which takes effect in May 2018. The presentation provides tips on where to get help with GDPR compliance, how to conduct an audit of personal data holdings, and the top 10 actions organizations should take now to prepare, such as forming an implementation task force and reviewing privacy policies and consent procedures. It emphasizes that May 25, 2018 marks the beginning of GDPR compliance obligations.
Even though GDPR is a European Union regulation, it impacts any company with customers in that region. One of the first key tasks of the data management team should be to create awareness regarding the impact of GDPR on the business with all key stakeholders across the organization. In order to generate awareness, organizations need to have clearly defined documentation defining the policies, rules, requirements and the impact of non-compliance. Kim Brushaber will look at what is involved with GDPR, what you should be concerned with, and how to get the conversation started between the business and technical teams within your organization using ER/Studio.
Understanding the EU's new General Data Protection Regulation (GDPR)Acquia
In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require the implementation of legislation, and will immediately become an applicable law as of the 25th of May, 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organizations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of the annual turnover. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.
Join us for discussion about GDPR to learn more about:
The principles that organizations that use personal data need to adhere to
The consequences organizations can face if that do not adhere to this new regulation
How your organization can prepare for the future
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles data, even if it's not based in the European Union.Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?Join this webinar to learn:
• Case study and legal/regulatory impact to GDPR• Security Metrics• Oversight of third parties• How to measure cybersecurity preparedness
Presenters : Ulf Mattsson, David Morris, Ian West. and Khizar Sheikh
Date & Time : Aug 17 2017 5:00 pm
Timezone : United States - New York
Even though GDPR is a European Union regulation, it impacts any company with customers in that region. One of the first key tasks of the data management team should be to create awareness regarding the impact of GDPR on the business with all key stakeholders across the organization. In order to generate awareness, organizations need to have clearly defined documentation defining the policies, rules, requirements and the impact of non-compliance. Kim Brushaber will look at what is involved with GDPR, what you should be concerned with, and how to get the conversation started between the business and technical teams within your organization using ER/Studio.
Understanding the EU's new General Data Protection Regulation (GDPR)Acquia
In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require the implementation of legislation, and will immediately become an applicable law as of the 25th of May, 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organizations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of the annual turnover. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.
Join us for discussion about GDPR to learn more about:
The principles that organizations that use personal data need to adhere to
The consequences organizations can face if that do not adhere to this new regulation
How your organization can prepare for the future
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles data, even if it's not based in the European Union.Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?Join this webinar to learn:
• Case study and legal/regulatory impact to GDPR• Security Metrics• Oversight of third parties• How to measure cybersecurity preparedness
Presenters : Ulf Mattsson, David Morris, Ian West. and Khizar Sheikh
Date & Time : Aug 17 2017 5:00 pm
Timezone : United States - New York
GDPR The New Data Protection Law coming into effect May 2018. What does it me...eHealth Forum
GDPR The New Data Protection Law coming into effect May 2018. What does it mean for hospitals?
Anthe Papageorgiou, Compliance Officer & Data Protection Officer at Henry Dunant Hospital Center
How GDPR works : companies will be expected to be
fully compliant from 25 May 2018. The regulation
is intended to establish one single set of data
protection rules across Europe
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
This GDPR primer highlights key aspects of the new EU regulation regarding the protection of EU citizens data. It also presents a basic approach and key activities for GDPR preparedness. Useful as a discussion starter with senior management.
Do You Have a Roadmap for EU GDPR Compliance? ArticleUlf Mattsson
GDPR is Top Priority in US
Over half of US multinationals say GDPR is their top data- protection priority according to PWC. Of the 200 respondents, 54 % reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority.
MWLUG - 2017
Tim Clark & Stephanie Heit
Tim & Steph explain the basics of GDPR and give some recommendations about what you can do to be ready.
Data sources are in the final slides.
For more information about how BCC can help you get your Domino data ready for GDPR please contact us here.
http://bcchub.com/bcc-domino-protect/
GDPR: Is Your Organization Ready for the General Data Protection Regulation?DATUM LLC
The new European GDPR privacy regulations will significantly impact data governance for multinational companies worldwide. This presentation introduces GDPR, its implications, and a six step process for compliance. In May of 2018 the European Union’s General Data Protection Regulation (GDPR) will go into effect and the fines associated with non-compliance are significant with as much as 4% of global sales.
Presentation slides from an NCVO webinar which took place on 18 October 2017.
Presentation by Gary Shipsey from Protecture, find out more about Protecture: https://www.protecture.org.uk/
View the webinar recording: https://youtu.be/D7wuDS4QZgQ
Ensuring GDPR Compliance - A Zymplify GuideZymplify
The GDPR will come into force on 25 May 2018 and will change data protection laws across the EU. Organisations can face heavy fines if they are found to be in breach of the GDPR, so take a look at Zymplify's guide to the most important parts of the regulation. Act now to get ready for the GDPR. Book a Demo with Zymplify - http://d36.co/12vWD
Getting to grips with General Data Protection Regulation (GDPR)Zoodikers
Leading employment lawyer Pam Loch, and digital expert Katie King share their advice on how to get to grips with the topic of the moment - GDPR.
They look at who is liable, the impact of Brexit, how it affects marketing and what steps you can take to prepare.
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
Do You Have a Roadmap for EU GDPR Compliance?
Description : The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles data, even if it's not based in the European Union.
Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?
Webcast URL : https://www.brighttalk.com/webcast/14723/259741
Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heared from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.
GDPR The New Data Protection Law coming into effect May 2018. What does it me...eHealth Forum
GDPR The New Data Protection Law coming into effect May 2018. What does it mean for hospitals?
Anthe Papageorgiou, Compliance Officer & Data Protection Officer at Henry Dunant Hospital Center
How GDPR works : companies will be expected to be
fully compliant from 25 May 2018. The regulation
is intended to establish one single set of data
protection rules across Europe
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
This GDPR primer highlights key aspects of the new EU regulation regarding the protection of EU citizens data. It also presents a basic approach and key activities for GDPR preparedness. Useful as a discussion starter with senior management.
Do You Have a Roadmap for EU GDPR Compliance? ArticleUlf Mattsson
GDPR is Top Priority in US
Over half of US multinationals say GDPR is their top data- protection priority according to PWC. Of the 200 respondents, 54 % reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority.
MWLUG - 2017
Tim Clark & Stephanie Heit
Tim & Steph explain the basics of GDPR and give some recommendations about what you can do to be ready.
Data sources are in the final slides.
For more information about how BCC can help you get your Domino data ready for GDPR please contact us here.
http://bcchub.com/bcc-domino-protect/
GDPR: Is Your Organization Ready for the General Data Protection Regulation?DATUM LLC
The new European GDPR privacy regulations will significantly impact data governance for multinational companies worldwide. This presentation introduces GDPR, its implications, and a six step process for compliance. In May of 2018 the European Union’s General Data Protection Regulation (GDPR) will go into effect and the fines associated with non-compliance are significant with as much as 4% of global sales.
Presentation slides from an NCVO webinar which took place on 18 October 2017.
Presentation by Gary Shipsey from Protecture, find out more about Protecture: https://www.protecture.org.uk/
View the webinar recording: https://youtu.be/D7wuDS4QZgQ
Ensuring GDPR Compliance - A Zymplify GuideZymplify
The GDPR will come into force on 25 May 2018 and will change data protection laws across the EU. Organisations can face heavy fines if they are found to be in breach of the GDPR, so take a look at Zymplify's guide to the most important parts of the regulation. Act now to get ready for the GDPR. Book a Demo with Zymplify - http://d36.co/12vWD
Getting to grips with General Data Protection Regulation (GDPR)Zoodikers
Leading employment lawyer Pam Loch, and digital expert Katie King share their advice on how to get to grips with the topic of the moment - GDPR.
They look at who is liable, the impact of Brexit, how it affects marketing and what steps you can take to prepare.
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
Do You Have a Roadmap for EU GDPR Compliance?
Description : The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles data, even if it's not based in the European Union.
Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?
Webcast URL : https://www.brighttalk.com/webcast/14723/259741
Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heared from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.
GDPR How ready are you? The What, Why and How.James Seville
An overview of how GDPR 2018 will effect your business and what you can do to stay compliant. A step by step guild to data breach vulnerabilities and solutions.
[Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!AIIM International
The General Data Protection Regulations (GDPR) will apply to any company that collects or handles the personal data of EU citizens. Review these slides to learn the steps to prepare your organization for compliance.
Learn even more how to protect your private data with AIIM's Information Government training: http://www.aiim.org/InfoGovTraining
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation has been designed
to update the current directive which was drafted in a time that was in technology terms, prehistoric. It’s time to evolve.
EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.
This Webinar featuring guests from the EU Commission, the French data regulator CNIL, DLA Piper and IBM provided an overview of the new EU data protection and privacy perspective from the perspective of the regulation author, regulator, legal advisor and technology providers.
The conference will contextualise the changing regulatory landscape, considering the business impact of the GDPR and DPA (2018) and how it is changing policy and process in practice.
When GDPR came into force in May it significantly raised the bar of obligation and accountability, ensuring that all organisations who handle personal data adhere to strict regulations around privacy, security and consent. 6 months on from implementation, the conference will consider how data protection procedure has moved on, with insight from frontline practitioners reflecting on how practices within their organisation have changed.
The event will also provide an update from the regulator; exploring regulatory action policy, decision making for fines and penalties, and clarifying some of the most prominent areas of misconception and non-compliance.
Core conference topics include:
• Key legal issues and obligations
• Data security and encryption
• Privacy Impact Assessments
• Databases, data mapping and classification
• Privacy by design
• Practical strategy implementation
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...Emma Mirrington
On 25th May 2018 the business landscape and particularly that of recruitment will change forever. The General Data Protection Regulation (GDPR) comes into force. The power imbalances that exist today between companies and individuals will be evened out through a suite of increased rights for individuals in terms of the use of their personal data, reinforced by a range of sanctions that could put financial burden and reputational consequences onto those businesses that show a lack of respect towards privacy. Lucy Kendall of ComplyGDPR will explore what this means for recruitment activities and how you can protect your business from the things that do go wrong.
The Countdown is on: Key Things to Know About the GDPRCase IQ
The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th. This powerful legislation strengthens data privacy laws in Europe and has implications for companies all over the world that store, process or transfer the information of the EU’s citizens.
Failure to comply with the regulation can expose a company to fines based on global revenue and reputation damage, yet many companies are struggling to comply in time.
Join information security expert and CEO/Founder of AsTech Consulting, Greg Reber, as he walks participants through a plan for GDPR compliance.
What approaches are being taken to tackle the policy challenges within the big data landscape, and how are these solutions coping in reality? This webinar will address these issues through the perspective of two projects: e-SIDES and SMOOTH. Daniel Bachlechner, of e-SIDES, will discuss the organizational and technical challenges that privacy-preserving big data technologies present, and how an increased level of dialogue between stakeholders can pave the way for appropriate and fair solutions. Rosa M. Araujo Rivero will delve into the main challenges experienced by SMEs and startups in dealing with GDPR compliance. Rosa’s work with the SMOOTH project will demonstrate how the proposed solutions are experienced in practice.
General Data Protection Regulation (GDPR) tidal wave that has hit, are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU Data Subjects' personal Data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organizations must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance to the regulations.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the SEC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
2. Getting to grips with GDPR
David Reeve, Head of information strategy, Jisc
04/01/2018 2Getting to grips with GDPR
3. 04/01/2018 3
Global spend estimated
at $300 to $500 billion
combating the bug
Getting to grips with GDPR
4. GDPR coverage in the newspapers
04/01/2018 4
“Banks could be stung for €5bn
under GDPR, screams latest report
on industry readiness”
“Fears data protection rules could
close small firms”“Last year’s ICO would be 79 times
higher under GDPR: TalkTalk’s
£400,000 penalty was big – how
about £59 MILLION?”
“Worldwide climate of fear over
GDPR data compliance claims
veritas study”
“Cyber insurance ‘unlikely to cover
massive GDPR fines’ ”
“Last year’s ICO fines would soar to
£69 million post – GDPR””
Getting to grips with GDPR
6. The dangers of running projects based on FEAR
04/01/2018 6
“I am a GDPR expert offering consultancy”
There is no case law or enforcement actions to offer compliance guidance. We don’t know yet what the final GDPR will
look like so how can you be an expert…be sceptical!! ££££££££££
“You can buy our GDPR solutions now”
“Our product will make you compliant”
There are some solutions that can help with auditing but there is no miraculous product that will make you compliant
simply by purchasing and installing it. ££££££££££
“After Brexit the GDPR won’t apply to the UK”
Recent survey revealed 44% of firms think the regulation will not apply to UK business after Brexit UK bring this into
law by 25 May 2018 and a new bill is going through Parliament for post Brexit. £££££££££
Information Commissioner’s Office:
Don’t focus on fines regime “focus on risk, transparency, control and accountability”
There is no silver bullet technology solution. GDPR is still an unknown so claims of compliance is premature. ££££££££
Getting to grips with GDPR
7. Implementing GDPR
04/01/2018 7
Jan 2017 May 2018
Not applicable to Jisc 11. Children (ICO Step 8) 12. International (ICO Step 12
Dec 2017
Getting to grips with GDPR
8. Where to go for help
» Information Commissioner’s Office: (https://ico.org.uk/)
» Article 29Working Group: (https://edps.europa.eu/)
» Legal changes: Number of free sites including: Bird and Bird guide to the GDPR (http://ji.sc/two-birds-
data-protection)
» Sector guidance and advice: (jisc.ac.uk/gdpr)
04/01/2018 8Getting to grips with GDPR
9. Links to Jisc blogs
Step 1: Awareness
GDPR: Alumni Process (http://ji.sc/regulatory-developments-alumni)
Data Protection Bill and Public Authorities (http://ji.sc/gdprdata-protection)
Step 2: Information we hold
GDPR: Information Lifecycle Registers (http://ji.sc/gdpr-moving-information)
Service Categories (http://ji.sc/gdpr-service-categories)
Step 4: Individual rights
Portability Rights and Data Protection Challenges (http://ji.sc/portability-right-data-protection)
GDPR: Backups, Archives and the Right to Erasure (http://ji.sc/gdpr-backups-archives)
04/01/2018 9Getting to grips with GDPR
10. Links to Jisc blogs
Step 6: Legal basis for processing personal data
What'sYour Justification? (http://ji.sc/gdpr-whats-your-justification)
Web forms and consent (http://ji.sc/gdpr-web-forms-and-consent)
GDPR: Student Unions (http://ji.sc/gdpr-student-unions)
Service categories (http://ji.sc/gdpr-service-categories)
Step 7: Consent
GDPR: A New Kind of Consent (http://ji.sc/gdpr-new-kind-of-consent)
Step 9: Data breaches
Incident Response and GDPR (http://ji.sc/incident-response-and-gdpr)
04/01/2018 10Getting to grips with GDPR
11. What you should be doing now – top 10 tips
1. Get support …put together a GDPR implementation task force
2. Conduct an audit of what personal data the organisation holds, how it is being used, to whom it is being disclosed and to where it is
being transferred
3. TheGDPR advocates taking a risk based approach; through the audit identify your systems and services that present most risk and
focus on mitigating these
4. Start reviewing data protection clauses used (both for templates and live negotiations) in supplier agreements to include the
mandatoryGDPR clauses
5. Review breach notification and management systems and procedures, including draft notification forms for both notifications to
the supervisory authority and affected individuals
6. Review IT systems and internal processes to ensure that an individual's data can be captured both for the purpose of data portability
(ie passing a copy to the data subject or another controller), but also to enable such data to be deleted easily when no longer needed
7. Review and update student and staff privacy notices to reflect the new transparency requirements of theGDPR
8. Develop a template DPIA to be used in any high risk projects with a checklist of when to apply
9. Review existing processes and procedures for subject access requests, including the development of template response forms and
assessing whether the one-month response deadline could be met
10. Start putting together training materials to raise staff awareness of the new rules under the GDPR
04/01/2018 11Getting to grips with GDPR
14. Practical applications of GDPR for FE
JoeYeadon, GodalmingCollege, jxy@godalming.ac.uk
04/01/2018 14Practical applications of GDPR for FE
15. Practical applications of GDPR for FE
About Godalming College:
»Sixth Form College in SW Surrey
»2100 full-time 16-19 students
»<50 14-16 from local schools
»Turnover c £9m, 250 staff
»In-house MIS, online systems
»Planning conversion to Sixth
FormAcademy
04/01/2018 15Practical applications of GDPR for FE
16. Practical applications of GDPR for FE
About me:
»Worked in FE since 2001
»Responsible for IT and MIS at
Godalming College
› ILR, SQL Reporting, Software, etc
»Data Protection Officer
»Dealt with DP Breach in 2011
»No formal DP qualifications!
04/01/2018 16
JoeYeadon
Practical applications of GDPR for FE
17. Where to start?
»Look at the “12 Steps”, JISC website and ICO guidance – it’s free!
»Work out where you are – it might be better than you think!
»Read the Data Protection Bill (and EU Reg 2016/679)
»Work out where you need to be
»Have a data security breach (or just panic – whichever you prefer)
“I’m in FE – where do I start with this GDPR-fangled thing?”
04/01/2018 17Practical applications of GDPR for FE
18. Where to start?
04/01/2018 18
1. Awareness – make sure the College boss knows about GDPR
2. Document – what Personal Information have you got and where is it?
3. Communication – how do your staff/students etc know?
4. Rights – Retention policy, erasure procedure etc
5. SAR – procedures/policy – need a mechanism
6. Lawful basis – statutory duty (Education & Skills Act etc)
7. Consent – to consent or not consent, that is the question
8. Children – what age are the Data Subjects?
9. Breaches – have a procedure
10. Design – ‘Data Protection by Design’
11. Data Protection Officer – you need one!
12. International - (EU – identify the lead authority etc)
12Stepsto
GDPR
Practical applications of GDPR for FE
19. Good News for FE
»Most College activity is covered by Statutory Duty – contract rather
than consent
»Very little automated processing (if any)
»UK implementation of GDPR gives lower age limit for consent
»Most data is only collected for a specific purpose
»Generally, the same sorts of things which make Colleges work well
involve centralisation of data
»Generally, there’s already expertise
»Generally, there’s no cross-border transfer of Personal Information
04/01/2018 19Practical applications of GDPR for FE
20. Where did we start?
»DPO in place already – reporting to Principal, will report to
Governors. Experience of Breach management
»Good Data Protection Policy already, revamped forGDPR (draft)
»In-house MIS
› Logs of communication, scanned documents, no student files
› Staff, Student and Parent Portals
»Reasonable culture of contract and consent
› We can’t perform our legal duty without Personal Information,
but we already seek consent for publicity purposes
04/01/2018 20
Godalming College’s approach (1/2)
Practical applications of GDPR for FE
21. Where did we start?
»Use networks
› S7 Group of Sixth Form College
› Principals’ group, MIS managers, new Data Protection Group
› JISC, ICO webinars
»Use common-sense
› Read the Directive, read the Bill, look around the College
»Get the ‘management’ on-board
»Write the policy – get some momentum in the right direction
04/01/2018 21
Godalming College’s approach (2/2)
Practical applications of GDPR for FE
22. Where to start?
»Lack of experience with GDPR
› Nobody has been tested yet!
»Hype – consultants want it to sound difficult
»Unclear guidance on data retention
»Possibly need new systems to deal with Subject Access?
»Silo mentality – ‘department spreadsheet’, mark-books, separate
systems for teaching & learning …
“OK – that sounds easy, what’s the catch?”
04/01/2018 22Practical applications of GDPR for FE
23. Where are we?
“So what’s the problem?”
04/01/2018 23
»Hype –worrying the boss
»Safeguarding – guidance is confusing (age 25, indefinitely?)
»What about UCAS references 10 years-on, COSHH 40 years..?
»Do emails referencing personal information stored elsewhere
form part of the record? (Confusing advice)
»Is CCTV Personal Information?
»Information stored/backed-up in the Cloud, paper and tape
»Perception about ‘right to erasure’, education exemptions
Practical applications of GDPR for FE
24. Where are we?
Godalming College – progress to date
04/01/2018 24
»Read the documentation, drafted the policy, revised the NFP
»Network – S7 Data Protection group, consulted JISC
› Worked out who the real experts are in the network
»Senior ManagementTeam meetings – clarifying and refining
»Identified need to clarify how data is deleted
»Identified need to develop a one-stop-SAR-shop
»Inset activities planned
Practical applications of GDPR for FE
25. »GDPR in FE isn’t necessarily difficult
»We are all travelling in the right direction
»There’s still some confusion of the detail
»Engage with Senior Managers – appoint a DPO if you haven’t
already
»Review, refresh DP statements and policies – and communicate
04/01/2018 25
In summary…
Summary
Practical applications of GDPR for FE
26. jisc.ac.uk
JoeYeadon
Head of ILT services
Godalming College
jxy@godalming.ac.uk
04/01/2018 26Practical applications of GDPR for FE
28. Developing an information asset register
from scratch
Rachael Maguire, Records Manager, London School of Economics
04/01/2018 28Developing an information asset register from scratch
29. Developing an information asset register
»Why develop an information asset register?
› Why not before now?
–Not covered by Crown Copyright
› GDPR Article 30 requirements
› Internal requirements
–Data Licences agreements
–Secure destruction
–Better records management
04/01/2018 29Developing an information asset register from scratch
30. Developing an information asset register
»Article 30 requires:
» Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its
responsibility.That record shall contain all of the following information:
› the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the
data protection officer;
› the purposes of the processing;
› a description of the categories of data subjects and of the categories of personal data;
› the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or
international organisations;
› where applicable, transfers of personal data to a third country or an international organisation, including the identification of that
third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the
documentation of suitable safeguards;
› where possible, the envisaged time limits for erasure of the different categories of data;
› where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
04/01/2018 30Developing an information asset register from scratch
31. Developing an information asset register
How did we go about creating the IAR?
»CheckedTNA guidance
»Looked at other examples. What was useful to us?What was worth
borrowing?
»Developing the specification
»Refining what the fields should be called
»Getting sign off through the committees
04/01/2018 31Developing an information asset register from scratch
32. Developing an information asset register
Our IAR includes:
» Core fields – name, owner, description, retention
» Information Security fields – access, classification, security measures
» Business continuity fields – risks to asset, support contacts, backup
» Data protection fields – what sort of personal data, lawful basis, data processor
» Publication fields – is the asset published and if so where
» Data licence agreements – restrictions of use, renewal date
» Systems/unstructured collections
04/01/2018 32Developing an information asset register from scratch
33. Developing an information asset register
Asset Type Asset Name Asset Description No. of Records Retention Retention Trigger Location Asset Platform Owner Business Area Data Collection Activity
Physical,
Electronic,
Database,
Office PC,
Mobile Device
What is the asset called.
Sometimes this will be a
database name e.g. SITS,
sometimes it will be a
description of a collection
e.g. personnel files.
Short description of what
information the asset
contains
How many records
are held within the
asset? This may be
shelf metres,
number of records
in a database, size
in KB/GB/TB, etc
How long
should the
information
asset be kept -
NOTE
Permanent
should only be
used on
guidance of
LSE Archivist
What causes the
disposal/archiving of
the information asset
Where is the
information
asset? In
general, we
would want a
specific room
number or
drive or cloud
storage name.
What software
manages the
information asset
e.g. Oracle,
proprietary system
and/or the format
e.g. Word. Excel
Who is
responsible
for managing
the
information
asset
Department/
Division/ Centre
and sub team if
necessary
E.g. ongoing, ceased
Electronic
Data Protection
request case files
The case files for DP
requests, organised
by DP number 26.2MB 7 years
Last action on
case file P Drive
Mainly Word,
some Excel, pdf
and email
Rachael
Maguire
Secretary's
Division, Legal
Team Ongoing
04/01/2018 33Developing an information asset register from scratch
34. Developing an Information Asset Register
Getting the IAR filled out
»We have started!
»An Excel template, two examples
»Already filled out by a couple of units at the School, only 140 to go
»Aiming for finishing this by end of January 2018
04/01/2018 34Developing an information asset register from scratch
35. Developing an information asset register
Next steps
»Where are we keeping the data gathered?
»Spreadsheet, SharePoint or database?
»How will we keep it updated?
04/01/2018 35Developing an information asset register from scratch
41. Scary services
04/01/2018 41
We may not be able to contact all data subjects
They’re complicated
They probably need individual treatment
Simplifying GDPR
43. Service categories
Risk
level
Relationship Example
1 Service provider has direct
interaction with user
helpdesk
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
Risk-based guide to prioritisation/resource
04/01/2018 43Simplifying GDPR
44. Service categories
Risk
level
Relationship Example
1 Service provider has direct
interaction with user
helpdesk
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
3 User has relationship with
third party
eduroam user
Risk-based guide to prioritisation/resource
04/01/2018 44Simplifying GDPR
45. Service categories
Risk
level
Relationship Example
1 Service provider has direct
interaction with user
helpdesk
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
3 User has relationship with
third party
eduroam user
4 User may be unaware of
service’s existence
incident
response
Risk-based guide to prioritisation/resource
04/01/2018 45Simplifying GDPR
46. Bundles
Groups of services likely to use same approach
04/01/2018 46
Type 1 (direct interaction): enquiry/response/done
Helpdesk-like
Type 2 (direct relationship): join/nominate/use
SiteLicence-like
Type 2 (as above) for site contact
Type 3 (indirect relationship) for users
FedAuth-like
More…?
Simplifying GDPR
48. GDPR instruments
Sources of assurance to provider and user…
04/01/2018 48
• Explain key points to data subjects
User-friendly
privacy notice
• Assign legal responsibilities among partners
Contractual terms
and conditions
• Understand/document non-obvious
legal bases
Legal analysis
• Analyse risks (to individuals) and mitigations
of processing
Data Protection
Impact Assessment
Simplifying GDPR
49. Service categories
Risk-based guide to prioritisation/resource
04/01/2018 50
Risk
level
Relationship Example Privacy
notice?
Contract? Legal basis
test?
DPIA?
1 Service provider has direct
interaction with user
helpdesk
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
3 User has relationship with
third party
eduroam user
4 User may be unaware of
service’s existence
incident
response
Simplifying GDPR
50. Service categories
Risk-based guide to prioritisation/resource
04/01/2018 51
Risk
level
Relationship Example Privacy
notice?
Contract? Legal basis
test?
DPIA?
1 Service provider has direct
interaction with user
helpdesk X X X
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
3 User has relationship with
third party
eduroam user
4 User may be unaware of
service’s existence
incident
response
Simplifying GDPR
51. Service categories
Risk
level
Relationship Example Privacy
notice?
Contract? Legal basis
test?
DPIA?
1 Service provider has direct
interaction with user
helpdesk X X X
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
? X
3 User has relationship with
third party
eduroam user
4 User may be unaware of
service’s existence
incident
response
Risk-based guide to prioritisation/resource
04/01/2018 52Simplifying GDPR
52. Service categories
Risk
level
Relationship Example Privacy
notice?
Contract? Legal basis
test?
DPIA?
1 Service provider has direct
interaction with user
helpdesk X X X
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
? X
3 User has relationship with
third party
eduroam user ?
4 User may be unaware of
service’s existence
incident
response
Risk-based guide to prioritisation/resource
04/01/2018 53Simplifying GDPR
53. Service categories
Risk
level
Relationship Example Privacy
notice?
Contract? Legal basis
test?
DPIA?
1 Service provider has direct
interaction with user
helpdesk X X X
2 Service provider has direct
long-term relationship with
user
eduroam site
contact
? X
3 User has relationship with
third party
eduroam user ?
4 User may be unaware of
service’s existence
incident
response
?
Risk-based guide to prioritisation/resource
04/01/2018 54Simplifying GDPR
57. Possible employment activity categories
Same relationship with all, so now based on data type
04/01/2018 58
Risk
level
Type of data Example Privacy
notice?
Contract? Legal basis
test?
DPIA?
1 Optional Social chatter X X X
3 Mandatory, non-sensitive
data
IT, HR ?
4 Sensitive data (inc.financial) Payroll, medical ?
Simplifying GDPR
58. Possible employee privacy notices
Work-in-progress…
04/01/2018 59
Master Notice
» Retention, transfers, exports,
security, exercising rights
»For each of
› “purposes of employment”
› “law requires us to”
› Vital interests
› “identify problems or improvements”
› “you asked us to”
Per-service notice
(at point of collection)
» Purpose(s), link to master
» [Other options]
»Not (only) at point of collection
› That could be many years ago
› Probably a role for context-awareness
› eg reminders on communications?
jisc.ac.uk/website/privacy-notice
Simplifying GDPR
62. Student data and GDPR: what are their rights?
Paul Duller, IM consultancy director, services and solutions,Tribal
04/01/2018 63
63. Student Data and the GDPR:
What are their rights?
Dr Paul Duller
IM Consultancy Director
Tribal Group plc
6th December, 2017
Tribal Group plc
64. Tribal and the GDPR
TRIBAL provides services and technology to the education sector.
Many of our customers, rely on TRIBAL to manage, host and process
their student and staff data. As such, data protection is at the heart of
everything we do.
We are committed to ensuring that our systems, services and staff fully
comply with the GDPR (and that our clients do too!).
We are also delighted to be the sole sponsor today’s conference.
Tribal Group plc 65
65. Agenda
1. Overview
2. The Principles
3. Students Rights
4. The Guide for Students
Tribal Group plc 66
67. The GDPR is the biggest
change to Data Protection
Law in 20 years …..
68. GDPR FINES: Up to €20M or 4% of global
turnover
Tribal Group plc 69
69. The
Timeframe
Effects
personal
data of all
EU citizens
Fines for
Non
complianc
e
NEW
Appointment
Data
Protection
Officer
Starting
point:
Review,
audit &
report
Plan &
provision
for
resources
and time
Appoint a
GDPR
Champion
Most activity is compliance-led
Discussion focused on what you and your team needs to know,
but not necessarily what your students need to know.
Tribal Group plc 70
This paper presents a more student-centric view of the GDPR, and forms the
basis of a student-friendly pocket book on GDPR, available in Jan 2018.
71. General Data
Protection Regulation
•Replaces the UK Data Protection Act
•Effects any EU based organisation
processing personal data, and
•Effects any organisation processing
personal data or trading with individuals
within the EU.
2018
GDPR comes into force on the 25th May 2018
Tribal Group plc 72
72. What is Personal Data? (Article 4(1))
Tribal Group plc 73
Personal data is any data relating to a living individual who is or
can be identified directly or indirectly from the data.
• The GDPR applies to both automated personal data and to manual filing systems.
• Personal data that have been pseudonymised are within the scope of the GDPR, however
anonymised data is not.
• Personal data relating to criminal convictions & offences are not covered by GDPR (Article 10)
73. What is Processing? (Article 4(2))
Tribal Group plc 74
Processing is almost every act relating to personal data.
“Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated
means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Collection Storage Use Transfer
Retention &
Destruction
Personal data lifecycle
The GDPR applies to both electronic personal data processing and to manual filing systems.
74. Where is my data processed?
Tribal Group plc 75
It no longer matters if the data processing takes place
within the European Union or not, as long as data of
natural persons in the Union are processed.
This is an important advance for the privacy of individuals. In the past, major internet giants like Google and Amazon
could escape European privacy laws as they had a headquarters in Silicon Valley. Now the GDPR will also apply to
them as soon as they process personal data of European residents.
75. The GDPR Principles (Article 5(1))
A key objective of the GDPR is to protect and strengthen the rights of data subjects.
In general, the GDPR builds on existing data protection principles and adds tighter
obligations and restrictions on businesses.
The GDPR does not have principles relating to individuals’ rights or the overseas
transfer of personal data. These are addressed in separate sections of the GDPR
legislation.
The GDPR features new accountability and documentation duty (comply and be able to
demonstrate compliance)
76. 1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained in an identifiable form for no longer than necessary
6. Processed in an appropriate manner to maintain security
Accountability(Article5(2))
The GDPR Principles (Article 5(1))
77. Lawfulness of Processing (Article 6 and 7)
All data processing must have a lawful basis to be legal under the GDPR.
The majority of personal data processing undertaken by universities and colleges is
carried out under a contract between the student and the establishment, not by
consent.
When reliant on consent to process data, the student will generally have stronger
rights, e.g. to have their data deleted, than if any other lawful basis apply.
Requests for consent must be given in an intelligible and easily accessible form using
clear and plain language, together with the purpose for data processing.
Consent must be a freely given, specific, informed and unambiguous. It must involve
some form of positive opt-in, and cannot be inferred from silence, pre-ticked boxes
or inactivity.
04 January 2018 Tribal Group plc 78
78. Identifying Data Subjects (Article 12(2),12(6); Recital 57, 64)
The GDPR explicitly enables controllers to require data subjects to provide proof of
identity before giving effect to their rights.
If there are reasonable doubts regarding the identity of the data subject, the controller
may request the provision of additional information to confirm the identity of the data
subject, but is not required to do so.
04 January 2018 Tribal Group plc 79
79. Time Limits (Article 12(3), 12(4); Recital 59)
You will have less time to comply with a subject access request under the GDPR.
Information must be provided without delay and at the latest within one month of
receipt.
If you fail to meet this deadline, the data subject may complain to the ICO and may
seek a judicial remedy.
If the controller receives large numbers of requests, or especially complex requests, the
time limit may be extended by a maximum of two further months.
If this is the case, however, you must inform the individual within one month of the
receipt of the request and explain why the extension is necessary.
04 January 2018 Tribal Group plc 80
80. Fees for Access Requests (Article 12(5), 15(3), 15(4); Recital
59).
The rights of access, rectification, erasure and the right to object, must be
provided free of charge.
The controller may charge a reasonable fee for "repetitive requests",
"manifestly unfounded or excessive requests" or "further copies".
This may have a significant effect on organisations who receive large numbers of
requests and may result in an increase in administrative costs.
At present there is insufficient guidance on what is meant by “manifestly
unfounded or excessive”, so approach this with some caution.
04 January 2018 Tribal Group plc 81
82. 1. Right to basic information
2. Right of access
3. Right to rectification
4. Right to erasure (new)
5. Right to restrict processing
6. Right to data portability (new)
7. Right to object
8. Rights related to automated decision making and profiling
9. Right to breach notification
10. Right to lodge a complaint
11. Right to compensation
04 January 2018 Tribal Group plc 83
Students Rights
83. Under the GDPR data subjects (the “students”) have the right to
confirmation as to whether their personal data is being processed, and
the to receive a minimum set of information regarding the purposes for
processing.
This includes the identity of the controller, the reasons for processing
their personal data and other relevant information necessary to ensure
the fair and transparent processing. (This is usually documented in a
Privacy Notice).
Tribal Group plc 84
1 Right to basic information
(Article 13-14; Recital 58, 60)
84. Content of a Privacy Notice
Identity and contact details of the controller and
the data protection officer (DPO)
Purpose of the data processing
Lawful basis for the processing
Legitimate interests of the controller/third party
Categories of personal data processed
The recipient or categories of recipients of the
personal data
Details of transfers to third country and
safeguards
Retention period or criteria used to determine
the retention period
The right to withdraw consent at any time, where
relevant
The right to lodge a complaint to the ICO
Whether the provision of personal data is part of
a statutory or contractual requirement or
obligation
The possible consequences of failing to provide
the personal data
The existence of automated decision making,
including profiling and information about how
decisions are made, the significance and the
consequences.
04 January 2018 Tribal Group plc 85
Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The information given to the data subject should not consist of privacy policies that are excessively lengthy or difficult to understand.
85. 2 Data Subjects are also entitled to access the following information:
the reasons why their data is being processed;
the description of the personal data concerning them;
Details of who has received or will receive their personal data; and
details of the origin of their data if it was not collected from them.
Tribal Group plc 86
Right of Access
(Article 15; Recital 63)
86. 2 If a student wishes to exercise their subject access right and receive
a copy of their personal data, a subject access request (SAR)must be
made in writing.
This request does not have to include the words “Subject Access” or
refer to the GDPR for it to constitute a SAR.
Subject Access Requests may be made electronically. If they are, the
information should also be provided in a commonly-used electronic
format, unless otherwise requested.
Tribal Group plc 87
Right of Access
(Article 15; Recital 63)
87. 3 Data Subjects are entitled to have data rectified if it is inaccurate or incomplete.
If the data in question has been disclosed to third parties, you must inform the
third parties of the rectification, and the Data Subject about the third parties
involved.
The controller must respond within one month. This can be extended by two
months where the request for rectification is complex.
If you decide to take no action in response to a request for rectification, then
you must explain why, informing the Data Subject of their right to complain to
the supervisory authority and to a judicial remedy.
Tribal Group plc 88
Right to Rectification
(Article 5(1)(d), 16; Recital 39, 59, 65, 73)
88. 4 Otherwise known as “the right to be forgotten”, this right entitles the
data subject to require an organisation that holds their personal data to
delete those data, cease further distribution of the data, and have third
parties halt processing of the data where the retention is not GDPR
compliant.
The right, however, is not an absolute right. In most cases, provided that
an organisation has a lawful basis for processing personal data, it will not
be significantly affected by the right to be forgotten.
Tribal Group plc 89
Right to Erasure
(Article 17; Recital 65-66, 68)
89. 5 Under the DPA, individuals have a right to ‘block’ or suppress processing
of personal data. The restriction of processing under the GDPR is similar.
When processing is restricted, you are permitted to store the personal
data, but not process it further. You can retain just enough information
about the individual to ensure that the restriction is respected in future.
If you have disclosed the personal data in question to third parties, you
must inform them about the restriction on the processing of the
personal data, unless it is impossible or involves a disproportionate
effort to do so.
Tribal Group plc 90
Right to Restrict Processing
(Article 18, 19; Recital 67)
90. 6 The right to data portability allows individuals to obtain and reuse a
digital copy of their personal data in a safe and secure manner.
Data covered by a portability request includes: ‘personal data’ that the
data subject has provided and ‘observed data’ (i.e. anything observed or
measured, such as Marks/Grades or Attendance records)
Data excluded includes: ‘derived data’ (e.g. data calculated using other
values, for example ranking data) and ‘Inferred data’ (e.g. data created
using predictive analytics, such as a student risk/intervention record).
Tribal Group plc 91
Right to Data Portability
(Article 20; Recital 68, 73; WP29)
91. 7 Data subjects have the right to object to the processing of their personal
data, where the basis for that processing is either public interest; or
legitimate interests of the controller.
The burden of proof is now with the controller who must cease such
processing unless it can demonstrate compelling legitimate grounds for
the processing which override the interests, rights and freedoms of the
data subject; or requires the data in order to establish, exercise or
defend legal rights. This is unlikely to impact universities or colleges as
they rely upon a different legal basis for processing.
Tribal Group plc 92
Right to Object to Processing
(Article 21; Recital 50, 59, 69-70, 73)
92. 8 Data subjects have the right not to be subject to a decision based solely
on automated processing of their personal data which significantly
impacts them (including profiling) without human intervention.
Processing is permitted where it is necessary for entering into or
performing a contract with the data subject provided that appropriate
safeguards are in place; it is authorised by law; or explicit consent has
been obtained.
Tribal Group plc 93
Rights related to automated decision making
(Article 22; Recital 71, 75)
93. 9 Breach notifications to the ICO are mandatory where they are likely to
“result in a risk for the rights and freedoms of individuals”.
Notification must occur within 72 hours of the breach. Data processors
will also be required to notify their customers, the controllers, “without
undue delay” of any data breach.
Where a breach is likely to result in a “high risk” to the rights and
freedoms of individuals, those concerned must be notified directly
“without undue delay,” and be provide with specific information about
the steps they should take to protect themselves.
Tribal Group plc 94
Right to Breach Notification
(Article 34, A29 WP)
94. 1
0
Any data subject has the right to lodge a complaint with a supervisory
authority (in the UK this is the ICO) if they consider that the processing
of personal data relating to him or her infringes the GDPR.
Upon investigation, the supervisory authority shall inform the
complainant on the progress and the outcome of the complaint.
The data subject has the right to an effective judicial remedy where the
supervisory authority does not handle a complaint or does not inform
the data subject within three months on the progress or outcome of the
complaint.
Tribal Group plc 95
Right to Lodge a Complaint
(Article 77-79; Recital 141, 143, 145)
95. 1
1
Any data subject has the right to compensation for material, or non-
material damage resulting from a GDPR infringement.
Compensation can be sought from the controller and processor.
Tribal Group plc 96
Right to Compensation
(Article 82)
96. Key Takeaways…..
FEES: In most cases, the GDPR does not permit fees to be charge. There is a risk
that individuals will attempt to exercise their rights merely because they can, or as a
cheap but effective means of protest. This may result in an increase in administrative
costs on your organisation. There is no limit on the cost of a SAR. Recent Court of
Appeal cap at £120k.
MANDATORY INFORMATION: The GDPR expands the mandatory categories of
information which must be supplied in connection with a subject access request. Such
requests will place an even greater burden on your DPO’s than currently experienced.
TIME LIMITS: The introduction of specified time limits under the GDPR results in more
onerous compliance obligations for controllers.
SUBJECT ACCESS REQUESTS: SAR’s do not have to include the words “Subject Access” or
refer to the GDPR to constitute a valid SAR. Just because a SAR ends up sitting in the wrong in-
tray, it does not make it any less valid. It’s therefore essential to ensure all staff can recognise a
SAR, and know exactly who to pass them on to.
04 January 2018 Tribal Group plc 97
97. A free pocket book, based
on a summary of this
presentation will be
available in Jan 2018.
To obtain your copy of
this pocket book and
today’s presentation, just
register your interest on
our stand or email me at:
98Tribal Group plc
Paul.duller@tribalgroup.com
99. Required contract provisions for data protection
Anjeli Bajaj, Director of information and data compliance,
University ofWarwick
04/01/2018 100
100. Anjeli Bajaj - Information and Data Director,University of Warwick
Data ProtectionOfficer
Overview Required Contract Provisions:
GDPR
101. Required Contract Provisions: Data Protection
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 102
Focus – procuring services of a data processor
CommercialTerms run parallel
Data Compliance Schedule
- Data Protection terms
- PIA ( SIA) Article 25
- Security Measures
- 2% of GTO Article 83
102. Required Contract Provisions: Data Protection
Supplier of Services as Data Processor
» The GDPR enhances the responsibilities and liabilities of Data Processors it is
still important to be clear as to the parties respective roles
breach reporting .
» Relevant legislative provision
› See S1(1) DPA, and Article 4(7) GDPR for the definitions of Data Controller
and Data Processor.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 103
103. Required Contract Provisions: Data Protection
The Contract between the DP and DC
»Should set out the subject matter, duration, nature, and
purpose of the processing, the type of personal data that is
processed, the categories of data subjects and the duties and
rights of the DC.
»Relevant legislative provision
- Article 28 (3)
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 104
104. Supplier’s ObligationsTo Act on Instructions
» The DP must only act upon receipt of the Data Controller's documented
instructions (evidence – expecting demonstration of compliance ).
» So as to limit the University’s exposure for non-compliant processing of
personal data it is important for the University control the way in which the
Supplier processes personal data.
» It is important therefore that in any accompanying commercial agreement
the scope of the Service(s) to be provided by the Supplier is very clearly
specified and that very clear instructions are given to the Supplier so that
they can understand what their instructions are.
» Relevant legislative provision
› Article 28 GDPR - Paragraphs 11 and 12 of Schedule 1 part II DPA.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 105
Required Contract Provisions: Data Protection
105. Third Parties - Engaging Another Processor
» The use by the Supplier of third parties needs to be strictly regulated and
expressly approved by the University.
» Only if, the DP has the DC's authorisation,
» the nomination is in a written contract or other legal act,
» has the same duties arranged with the DC,
» specifies the data protection obligations & the initial DP remains liable
» Relevant legislative provision
› Article 28 (4)
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 106
Required Contract Provisions: Data Protection
106. Confidentiality
» Stipulate:Guarantee Confidentiality
» The DP shall ensure that all its staff processing the personal data are
committed to confidentiality duties or other appropriate statutory obligation
of confidentiality.
» Relevant legislative provision
› Article 28 (3b) .
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 107
Required Contract Provisions: Data Protection
107. Duty of Assistance to the DC
DP must assist to respond the data subject's requests, security
processing, the duties in case of a data breach, data protection
impact assessment and prior consultation.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 108
Required Contract Provisions: Data Protection
108. Security Measures
» It is a legal requirement for the University to ensure that the Supplier has in
place appropriate technical and organisational measures to ensure a level of
security appropriate to the risk.
» A security measures appendix to your Data Compliance Schedule will
stipulate the Security measures the Supplier will be required to put in place as
a minimum.
» Not an exhaustive list .
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 109
Required Contract Provisions: Data Protection
109. Security Measures – continued
» Contractual provision to ensure that it is the Supplier’s responsibility to
ensure that the measures it puts in place are sufficient to comply the Data
Protection Legislation.
» Relevant legislative provision
› Article 32 GDPR & article 28 (3c) .
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 110
Required Contract Provisions: Data Protection
110. Data Breach
» The University is required to notify the Information Commissioner of any
personal data breach within 72 hours of becoming aware of it, unless that
breach is unlikely to result in a risk to the rights and freedoms of natural
persons.
» This is an assessment which the Information and Data Compliance team will
need to make. Given the time frames involved it is imperative that Data
Compliance Schedule includes provisions for data breaches .
» Relevant legislative provision
› Article 33 GDPR.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 111
Required Contract Provisions: Data Protection
111. Requests from Data Subjects
» The legislation sets out clearly the steps which the University must take if a
data subject requests a copy of his/her personal data. In order to ensure
compliance with the legislation it is important that such requests are passed
as quickly as possible to the Information and Data Compliance team.
» Relevant legislative provision
› Articles 13-20 GDPR.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 112
Required Contract Provisions: Data Protection
112. Audit
Demonstrate Compliance
The DP should make available to the DC all the necessary
information to demonstrate compliance.Allow carrying out
audits, inspections, by the DC or auditor that the DC has
mandated, and contribute to these checks.
Relevant legislative provision
› Article 28 (3h)GDPR.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 113
Required Contract Provisions: Data Protection
113. Register ofTreatments
Demonstrate Compliance
Unless exempted in line with Art. 30 (5) GDPR, the DP should
maintain a register that lists all clients and describes the
treatments that its perform on their account.The content is set
out in Art. 30 (2) GDPR.
Relevant legislative provision
› Article 28 (3h)GDPR – Recital 82
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 114
Required Contract Provisions: Data Protection
114. Warning and Advice
The DP must inform the DC without undue delay if, under its
opinion, a DC's instruction infringes the GDPR or other Union or
Member State data protection law.
Relevant legislative provision
Article 28 (3h)
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 115
Required Contract Provisions: Data Protection
115. DataTransfers
» The rules governing the transfer of personal data outside the EEA are strict
and complex. Generally such transfers should be avoided if at all possible
although it is recognised that occasionally they may need to take place.
Where there is to be any transfer of data outside of the EEA an assessment
needs to be made as to the legal basis for that transfer, the adequacy of the
data protection legislation in that country and what other safeguards need to
be put in place.Accordingly, clause 5’s initial starting point is that transfers
outside the EEA are not permitted but where express approval for these is
given those transfers have to be restricted and carefully monitored.
» Relevant legislative provision
› Articles 13-20 GDPR /Model Contracts
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 116
Required Contract Provisions: Data Protection
116. DataTreatment on termination
» Return of data.
» Secure Deletion
» Relevant legislative provision
› Article 28 GDPR.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 117
Required Contract Provisions: Data Protection
117. Indemnity
» The Data Compliance Schedule needs to include comprehensive indemnity
from the Supplier and a requirement for the Supplier to put in place adequate
insurance to cover it if the indemnity is called upon.
» It is recognised that often commercial agreements include limitations on
liability and more restrictive indemnities. In the circumstances, breach of the
Data Compliance Schedule should be expressly carved out of any limitation
on liability and this should be borne in mind when discussing the indemnities
in any commercial agreement.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 118
Required Contract Provisions: Data Protection
118. Indemnity – continued
» Whilst it is recognised that on occasion suppliers may seek to resist the
indemnity in the Data Compliance Schedule however no variation to this
should be agreed without the Information and Data Compliance team’s prior
agreement.
» Relevant legislative provision
› Articles 83 GDPR.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 119
Required Contract Provisions: Data Protection
119. Training
» Training is a key component of security and privacy by design and default.
» Relevant legislative provision
› Article 5,
› Article 28,
› Article 32,
› Article 35.
Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 120
Required Contract Provisions: Data Protection
120. Anjeli Bajaj - Information and Data Director, University of Warwick. Data Protection Officer 121
Type of
contract/agreement
Relationship Requirement T
e
m
p
l
a
t
e
Data sharing
agreement
Controller to controller Data sharing agreement
Controller to processor Draft data sharing agreement and attach data compliance schedule
Institutional agreement
where IDC are asked to
insert a DP schedule
Controller to controller Data sharing agreement
Controller to processor Insert data compliance schedule and where required a data sharing agreement
Supplier legal contract Check if any DP provisions and review. Separate data sharing agreement and data compliance schedule required. Clause in
supplier legal contract to be inserted referring to these documents.
Controller to processor Negotiating point begins with our data compliance schedule
Accreditation bodies Controller to controller Data Sharing Agreement
Auditors speaking to students Informed consent required
Controller to processor External auditing data provision agreement
Auditors Controller to controller Data Sharing
Controller to processor External auditing data provision agreement
Required Contract Provisions: Data Protection
122. Geek-DPR: how you still need ICT
Tim Rodgers, Compliance and information governance manager,
Imperial College London
04/01/2018 123
123. GDPR implications for research
Andrew Charlesworth, Reader in IT and the law, University of Bristol
04/01/2018 124
124. The GDPR and Research
Andrew Charlesworth
Centre for IT & Law
University of Bristol Law School
125. I must recognise … that the [Data
Protection] Act [1998] is of notorious
obscurity…”
Lindsay J. in Douglas v. Hello! Ltd (No.7) (2004)
“Hold our beer…”
The GDPR & UK Data Protection Bill
126. Background
• Cross-disciplinary post in Law & Computer Science (2001-2016)
• Author, Jisc DP Code of Practice for FE and HE (2001 & 2007)
• Empirical Researcher in a Social Sciences Faculty (2001–)
• Member/Chair, Law School Research Ethics Committee (2006-)
• Author, Jisc Data Protection and Research Data (2014-15)
• Member/Chair, University Research Data Access Committee (2015-
)
127. The GDPR: Issues I
• Anonymity & Pseudonymisation – R.26, 28 & 29 + Art.4(5)
• Further processing – R.50 + Art.5(1)(b) (+ Art.89(1) + R.156 + Art.9)
• Storage – Art.5(1)(e) (+ Art.89)
• Lawfulness of processing - Art.6(1)
• Consent - Art.6(1)(a) BUT Art.9(2)(j)
• Public interest - Art 6(1)(e) + R.45
• Legitimate interests Art.6(1)(f) + R.47 (are Universities ‘public authorities’?)
• Consent – R.33 + Art.7
• Special categories of personal data – Art.9 inc. Art.9(2)(j) (+Art.89)
• Also Art. 9(2)(g) - further alternatives in the substantial public interest
128. The GDPR: Issues II
• DSR: Information provided to data subject
• Where obtained from data subject - Art.13
• Where not obtained from data subject - Art.14(5)(b) (+ Art.89)
• DSR: Right to erasure – Art.17(3)(d) (+ Art 89)
• DSR: Right to object – Art.21(6) (+ Art.89)
• Freedom of expression and information – Art.85
• Processing for historical, statistical and scientific research
purposes – Art.89 + R.156.
129. The GDPR: Issues III
• Art.89(1) + R156 - requires safeguards for the processing of personal
data for research. If provided these derogations/special provisions
are enabled:
• Art.5(1)(b) and (e) - further processing and storage
• Art.9(2)(j) - processing of special categories of data
• Art.14(5)(b) - information requirements-
• Art.17(3)(d) - right to erasure
• Art.21(6) - right to object
• Technical and organisational approaches must ensure the processing
of personal data is limited to the minimum needed
• Anonymous data should be used instead of personal data where
possible
130. The GDPR: Issues IV
• Art.89(2) - Union or Member States can legislate further
derogations from the following data subject rights, inc:
• Art.15 - right to subject access
• Art. 16 - right to rectification
• Art. 17a - right to restriction of processing
• Art. 19 - right to object
• + others in R.156
• IF the conditions of A.89(1) are met; AND applying the right would
seriously compromise the purpose; AND the derogations are
necessary for the purpose to be achieved.
131. Data Protection Bill
• Currently Sch.2 Pt.6 s.25 & 26 – derogations under Art.86(2) GDPR
• Art. 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);
• Art. 16 (right to rectification);
• Art. 18(1) (restriction of processing);
• Art. 21(1) (objections to processing).
• IF data is processed in accordance with Art. 89(1) AND for Arts.
15(1)-(3), the results of the research or any resulting statistics are
not made available in a form which identifies a data subject
132. Pragmatics I
• The EU is keenly aware of the potential impact of the GDPR on
research, both public & private.
• The existing framework for UK research compliance will remain broadly the
same.
• BUT there is scope for divergence in exemptions and derogations between EU
Member States, with implications for cross-border research collaborations.
• As a social sciences researcher and REC member, my key issues are:
• Education of researchers;
• Accountability and research governance;
• Addressing consent as both a legal and ethical requirement, and the alternatives
to consent.
133. Pragmatics II
• Different academic disciplines face varying challenges to existing
practices - avoid ‘one-size-fits-all’ solutions and ‘quick fixes’.
• RECs already address DP (to varying degrees) – they can identify discipline-
specific risks, good practice and problems with suggested ‘solutions’
• As RECs have varying expertise in DP, it is important that they are not
simply used as ‘gatekeepers’, but rather trained/developed as
‘facilitators’.
• Research training, research data management plans, workflow
• ‘privacy by design’ and ‘privacy impact assessment’ elements
• Accountability
• We do forms and training, but do we really do accountability?
Important informationNo fire alarms plannedEvacuation meeting point to the left of the carpark – please follow RCP staff
Chapter 67 of the Bill says “… the controller must have regard to the professional qualities of the proposed officer, in particular.. The proposed officer’s expert knowledge of data protection law and practice…”
How do we do that?!!!
Consider what online systems are in use, and can take-over from non-central systems
Students enter contract – it’s a requirement that they submit their data for processing and they can’t withdraw their consent because of this. Same does not necessarily apply for marketing, where student may withdraw permission. BUT it’s good practice anyway because applicant may not be aware of the implications of their image/information being published.
Original GDPR document says that parents need to give consent to 18 but this can vary. UK Bill gives lower age limit (age 13?)
Office 365 etc uses EU-based data centres, kindly negociated via Janet/JISC
Data is used for administration, Value Added, E+D monitoring, ILR etc.
Data Protection Officer needs ‘teeth’ – i.e. the authority to enforce change in the organisation. This is sometimes difficult in the FE setting because of the emphasis on Teaching and Learning.
Some institutions perform regular Data Protection Audits – noting what is where and who holds it. Godalming College says ‘thou shalt store stuff in specified places’
There’s a lot of confusion, mixed messages, and different opinions around Data Protection. Different
One College in S7 performed a staff SAR under Data Protection Act, and was advised by ICO to provide every email about that person, and manually redact any 3rd party information - 60,000 emails!!
NFP = Notice of Fair Processing – on the applications system, available on website, online learning environment and staff portal
So why are we developing an information asset register or IAR?
IARs have been around for over a decade, but as a university it had not been compulsory for us to develop one like the rest of the public sector. This comes down to not being covered by Crown Copyright, which was the trigger for the creation of IARs originally. So we missed the pain in developing these earlier, only to have to catch up now. However, it has helped in developing our own IAR to have the examples of other public authorities who have already had to go through the process.
When deciding on why to develop an IAR, the LSE had to consider:
Mainly for the GDPR Article 30 requirements, which I’ll go through in more detail in the next slide.
But we also had some internal requirements as well. For example, the School uses third part data sets that come with licensing agreements. These might say that only staff and students at the LSE may use the dataset or that the data set can only be used on a non networked secure PC. These agreements need to be renewed but the School was not recording the renewal date anywhere. The IAR seemed the perfect place to start recording this information.
Another issue that came up is determining what level of secure destruction personal data might need. For example, it may be a requirement that a research funder or data provider requires that the School use a Degausser to magnetically destroy a hard drive. The IAR would give us a chance to record any data that needed particular care in destruction.
And underpinning all of this is trying to actually run a records management programme. We had a policy and guidance, got paper records to secondary storage and otherwise disposed of, but this requirement of the GDPR has been a way to introduce records management practice that in my opinion, we should have been doing anyway.
While the IAR should meet the requirements of the record keeping requirements, it is worth looking at Article 30 if you haven’t already just to ensure that you have covered everything listed in Article 30(1).
For example, this states that as a controller you shall maintain a record of processing activities and that ‘that record shall contain’ the name and contact details of the controller. For every type of personal data? Or can you record this once elsewhere? I think it most likely that most people will do the latter, but the article does imply one record which contains all of this information, which isn’t necessarily what the IAR can do. As we have developed ours at the School, we have not included the name and contact details of the controller on each entry. It is likely that as a published document as we intend the IAR to be, it can be added to the web on a page that contains the contact details.
Purpose of processing we have taken to mean lawful basis as set out in Articles 6 and 9, the latter covering special categories data. This is one of the fields in our IAR
A description of the categories of data subjects and categories of personal data – to a degree I think the current data protection register entry does this more clearly in grouping the data subjects and types of personal data together. The IAR will have the details for each information asset containing personal data, so we are moving away from that model. However, the information asset name and an associated description field should cover both these. For systems, we have developed a checklist as well which details the types of personal data held by the system. This will get closer to detailing each personal data field in those systems.
Categories of recipients – again this is grouped together better in the data protection register entry, but we have included a field for who can access the information asset that would cover recipients, including those outside the School.
Where applicable, transfers to third countries or international organisations. So if you never do this you don’t need to include it in your IAR.
Where possible, time limits. We are using the IAR to make decisions relating to retention of data easier, so have included both a retention and retention trigger field. I think that the 5th data protection principle makes this more compulsory than the where possible would suggest.
Where possible, security measures. We have covered this in our IAR, and again, I think that the fact that technical and organisational methods are set out in another article makes this more something you should cover.
The first thing I did was check the TNA guidance on developing IARs. This set out a basic methodology to follow, though strangely enough, via its digital continuity programme.
The next thing was to look at examples from other places. For example, the TNA template, the Department of Transport IAR itself, the template provided to NHS organisations as we have some health data that we process and we didn’t want to set out IAR up without ensuring it wasn’t compatible in case we had to follow the IG toolkit in the future.
The next process was looking at the different fields used in the examples. The first look through removed fields we would not require, though also showed some we had not though of e.g. make and model for any information assets tied to a particular device. The second was to determine terminology. The examples used different terms to mean the same or similar things. For example, the TNA template has a field called ‘What Does it Do’ that is the equivalent to our ‘Asset Description’ field. The Information Security Manager, Archivist and I went through the list I created from the first drafts of the IAR specification until we were happy with the number of fields, their field names, their descriptions and their groupings, which I’ll go through next. For example, we decided on one field to indicate personal data rather than two separate fields.
The specification was added as an appendix to an update records management policy, which was now called the Information Asset and Records Management policy, and signed off by the most senior management committee.
The core fields cover the basic information about the asset, so what is it called, who owns it, what does it contain, how long is the information kept, etc.
The information security fields covers access to the asset, the School’s information security classification – hard to apply before, what security measures does the asset need, including level of destruction required.
Business continuity was used to group the risks to the asset, support contacts if applicable, and back up. In other words, what we need to ensure the information asset is available.
The data protection fields cover the sorts of personal data (normal, special categories, both), the lawful bases that apply and details of any data processors.
Publication fields.
The data licence agreement fields, which were developed by looking at the agreements themselves and seeing what they had in common.
One question we have wrestled with is coverage. We developed another checklist for systems as they also need to cope with requests for deletion, portability, etc. We also have a systems catalogue that could take that information in. However, the IAR was intended to cover both structured and unstructured data. Separating out the systems data could stop us from having a full picture of our personal data. So at the moment, we intend the IAR to cover all sources of personal data, including research data sets and the big systems like SITS our student database.
For illustration, these are some of the core fields. The example used within the template includes Data Protection case files to show that unstructured data should also be included. This is one of the examples.
Aside from the DP case files, there is also a governor’s database example.
We do have a lot of work to do on this, particularly is we are to meet our end of January target, but we have two Bas starting soon to work on this project, so that should help.
The main issues so far have been size of the information asset, retention periods and lawful basis. I have been sitting down with staff to take them through it.
We haven’t got everything sorted out yet. We could have taken a project management approach and got all this sorted out before hand, but the deadline of 25th May is approaching and I thought it best to make a start and make the further decisions down the line as needed. So we still need to sort out
Where will we keep the data. What sources will we bring together e.g. the IAR template, the systems checklist, cloud system questionnaires? Will we use a spreadsheet, a list in SharePoint or a proprietary database? There are some good examples of the latter out there, but they have systems costs in and of themselves. However, the spreadsheet or SharePoint formats may not support keeping the IAR and interrogating it as well.
How we will maintain the IAR. TNA suggests a yearly review. Whatever method we use, I think at least for the first year or two we will have to offer a moratorium on older data that is only just being added to the IAR.
My final thought is that as a records manager who moved into information rights, this has been one of the first times that a records management task has been required rather than merely supportive for information rights work. This is one of the truly good things that GDPR has given records management as a profession.
DPB s.6 Meaning of “public authority” and “public body”
(1) For the purposes of the GDPR, the following (and only the following) are “public authorities” and “public bodies” under the law of the United Kingdom—
(a) a public authority as defined by the Freedom of Information Act 2000,subject to subsection (2),
(b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
(c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a “public authority” or “public body” for the purposes of the GDPR.
Under Article 6(1) of the GDPR, those public authorities are not permitted to use the legitimate interests basis "in the performance of their tasks"; Instead, by Recital 47, those tasks and their legal basis should be "provide[d] by law";
And, by Clause 7(c) of the Bill, where a task is "conferred on a person by an enactment", the legal basis is that it is necessary in the public interest.