1. D: DRIVE
How to become Data Driven?
This programme has been funded with
support from the European Commission
Module 5: Legislation
2. Smart Data Smart Region | www.smartdata.how
This programme has been funded with support from the European Commission. The author is
solely responsible for this publication (communication) and the Commission accepts no
responsibility for any use that may be made of the information contained therein.
The objective of this module is to provide an overview of
ethics, legislation and privacy issues of big data.
Upon completion of this module you will:
- Be able to recognize the neccessity of regulating big
data
- Understand the difference between privacy and data
protection
- Know how to implement actions of data protection into
your own (future) company
Duration of the module: approximately 1 – 2 hours
Module 5:
Legislation
3. 1
Legislation2
GDPR3
Smart Data Smart Region | www.smartdata.how
This programme has been funded with support from the European Commission. The author is
solely responsible for this publication (communication) and the Commission accepts no
responsibility for any use that may be made of the information contained therein.
– Ethics of Big Data
– Aspects of Big Data Ethics
4 Legal Glossary
How about Ethics?
– The Basics of GDPR
– Individual Rights
– GDPR Implementation
– Privacy vs. Data Protection
4. 1. Ethics of Big Data
2. Aspects of Big Data Ethics
HOW ABOUT ETHICS?
5. With the increase of computing power,
electronic devices and accessibility to the
Internet, more data than ever is being
produced, collected and transmitted.
Nowadays Big Data is big enough to raise
practical rather than merely theoretical
concerns about ethics. Big data itself, like all
technology, is ethically neutral.
The use of big data, however, is not.
6. Collecting and analysing big data has become a powerful way to unlock actionable insights
across any business, but it also brings with it some concerns about big data ethics that
need to be addressed. Because accessing and storing data is so easy, some organizations
collect everything and hang on to it forever, since the value of any piece of information is
only known when you can connect it with something else that arrives at a future point in
time.
And it is not just the CIA collecting data like this. Major grocery store chains, investment
banks and even the postal services have a predictive analytics function with the sole
purpose of collecting and analyzing data in order to predict buyer behavior.
Smart Data Smart Region | www.smartdata.how
ETHICS OF BIG DATA
Data can be either useful or
perfectly anonymous but never
both.
Paul Ohm
Smart Data Smart Region | www.smartdata.how
7. Smart Data Smart Region | www.smartdata.how
Aspects Of Big Data Ethics
Big data is already outpacing our ability to understand its implications. Businesses are
innovating every day, and the pace of big-data growth is practically immeasurable. To provide a
framework for dissecting the often nuanced and interrelated aspects of big data ethics, the
following key components can help untangle the situation.
Identity Privacy
Ownership Reputation
8. Identity Privacy
Ownership Reputation
Smart Data Smart Region | www.smartdata.how
„Is online existence identical to
offline existence?“
If our historical understanding of what identity means is being transformed by big-data
technologies (by providing others an ability to summarize or aggregate various facets of our
identity), then understanding our values around the concept itself enhances and expands our
ability to determine appropriate and inappropriate action. Big data provides others the ability
to quite easily summarize, aggregate, or correlate various aspects of our identity—without our
participation or agreement.
If big data is evolving the meaning of the concept of identity itself, then big data is also evolving
our ethical relationship to the concept the word represents. Which makes it easy to understand
the value of explicit dialog and inquiry. The more our actions are fully aligned with the
evolution and expansion of identity, the more fully and explicitly we can understand the values
motivating them.
9. Identity Privacy
Ownership Reputation
Smart Data Smart Region | www.smartdata.how
„Who should control access to
data about you?“
Plenty of people would argue that we have gained a degree of control over how the world
perceives us. Political dissidents in Egypt can express their views online in a way that no other
medium, technology, or context allows them to speak—or be heard. Victims of abuse or people
who suffer from the same disease can share their experiences and gain an invaluable sense of
connection and community through the use of ostensibly anonymous online identities. These
perspectives, however, motivate the question: have we lost or gained control over our ability to
manage how the world perceives us?
There are two issues. First, does privacy mean the same thing in both online and offline in the
real world? Second, should individuals have a legitimate ability to control data about
themselves, and to what degree? Frequently, these discussions boil down to distinctions
between offline behavior and online expectations. In the same way that we can ask of others
what justification allows them to turn private-by-choice information into public data, we can
ask of ourselves: why do we expect the ability to self-select and control which facets we share
with the world online to be the same as it is offline? The difference between online and offline
expectations regarding the degree of control individuals have over open access to data about
themselves is a deeply ethical inquiry. The goal is to understand how to balance the benefits of
big-data innovations with the risks inherent in sharing more information more widely.
10. Identity Privacy
Ownership Reputation
Smart Data Smart Region | www.smartdata.how
„What does it mean to own
data about ourselves?“
The degree of ownership we hold over specific information about us varies as widely as the
distinction between privacy rights and privacy interests. Do we, in the offline world, “own” the
facts about our height and weight? Does our existence itself constitute a creative act, over
which we have copyright or other rights associated with creation? Does the information about
our family history, genetic makeup, and physical description, preference for Coke or Pepsi, or
ability to shoot free throws on the basketball court constitute property that we own? Is there
any distinction between the ownership qualities of that information? If it does, then how do
those offline rights and privileges, sanctified by everything from the Constitution to local, state,
and Federal statues, apply to the online presence of that same information?
As open data markets grow in size and complexity, open government data becomes increasingly
abundant, and companies generate more revenue from the use of personal data, the question
of who owns what—and at what point in the data trail—will become a more vocal debate.
11. Identity Privacy
Ownership Reputation
Smart Data Smart Region | www.smartdata.how
„How can we determine what
is trustworthy?“
As recently as that New Yorker cartoon (19 years ago), reputation consisted primarily of what
people—specifically those who knew and frequently interacted with you—knew and thought
about you. Unless we were famous for some other reason, the vast majority of us managed our
reputation by acting well (or poorly) in relation to you said about you to the people who they
knew—might influence one’s reputation. those directly around us. In some cases, a second-
degree perception—that is, what the people who knew
One of the biggest changes born from big data is that now the number of people who can form
an opinion about what kind of person you are is exponentially larger and farther removed than
it was even a few short years ago. And further, your ability to manage or maintain your online
reputation is growing farther and farther out of individual control. There are entire companies
now whose entire business model is centered on “reputation management”. We simply don’t
know how our historical understanding of how to manage our reputation translates to digital
behavior. At a minimum, this is sufficient reason alone to suggest further inquiry.
13. Privacy on the
internet? That‘s an
oximoron.
Catherine Butler
Smart Data Smart Region | www.smartdata.how
14. Most users have been unaware of the
volume of personal data retained by entities
for various purposes. This is beginning to
change as awareness of the data privacy
debate is increasing. The two trends—
increasing popularity of big data and
increasing awareness of data privacy—
are beginning to come to a head and
companies that intend to capitalize on this
era of big data need to be conscious about
and address these basic ethical concerns.
Smart Data Smart Region | www.smartdata.how
18. PRIVACY DATA
PROTECTION
vs.
Is there any difference?
Smart Data Smart Region | www.smartdata.how
YES
• Privacy relates to the appropriate use and
control of data
• Data privacy protocols around the world address
the control people have over their personal
data and how they can protect it from
unwanted or harmful uses
• It covers issues such as: what type of data will
be processed, where will it be held, how long
will it be held for
• Data protection relates to the
confidentiality, availability and integrity
of data
• It focuses on two main aread – the
physical security of premises and the
logical security of data and digitized
information
• It covers issues such as: the
confidentiality, integrity and availability
of data, the protection of networks, the
physical security of sites, equipment,
transport and people
19. Smart Data Smart Region | www.smartdata.how
PRIVACY
Data privacy, also called
information privacy, is the
aspect of information
technology that deals with
the ability an organization or
individual has to determine
what data in a computer
system can be shared with
third parties.
Privacy applies whenever the data is:
- Collected
- Processed
- Stored
Which relates to a living individual person who can be identified by that data.
EU data protection rules mean that your personal data can only be processed in certain
situations and under certain conditions, such as:
– if you've given your consent (you must be informed that your data is being collected)
– if data processing is needed for a contract, for a job application or a loan request
– if there is a legal obligation for your data to be processed
– if processing is in your 'vital interest', for example if a doctor needs access to your
private medical data when you've had an accident
– if processing is needed to carry out tasks in the public interest or tasks carried out by
government, tax authorities, the police or other public bodies
Personal data about your racial or ethnic origin, sexual orientation, political
opinions, religious or philosophical beliefs, trade-union membership or health may not be
processed except in specific cases (e.g. when you've given explicit consent or when
processing is needed for reasons of substantial public interest, on the basis of EU or
national law). These rules apply to both public and private bodies.
Collection and processing of personal data
20. Smart Data Smart Region | www.smartdata.how
DATA PROTECTION
Data protection is the
process of safeguarding important
information from corruption,
compromise or loss. The
importance of data protection
increases as the amount of data
created and stored continues
to grow at unprecedented
rates.
Data protection applies whenever we deal with 2 types of information:
...is data which relates to a
living individual who can be
identified:
• from that data, or
• from that data and other
information which is in the
possession of the data
controller,
And includes any expression
of opinion about the
individual and any indication
of the intentions of the data
controller or any other
person in respect of the
individual.
Personaly Identifiable
Information
...is PII data, consisting of
Information as to:
• the racial or ethnic origin
of the data subject,
• his political opinions,
• his religious beliefs or
other beliefs of a similar
nature,
• whether he is a member of
a trade union,
• his physical or mental
health or condition,
• his sexual life,
• the commission or alleged
commission by him of any
offence.
Sensitive Personal
InformationPII SPI
21. It is no exaggeration to say that we are
nothing more than a collection of data to
most of the institutions—and many of the
people—with whom we deal. Big data
poses enormous challenges for data
protection— both by processors and
regulators. It simultaneously changes the
context and raises the stakes for Data
protection. As personal data are
universally collected and shared across
sectorial and national boundaries,
inconsistent data protection laws pose
increasing threats to individuals,
institutions, and society.
Smart Data Smart Region | www.smartdata.how
22. Impact: 3 billion user accounts
Details: In September 2016 Yahoo
announced it had been the victim of the
biggest data breach in history, likely by “a
state-sponsored actor,” in 2014. The attack
compromised the real names, email
addresses, dates of birth and telephone
numbers of 500 million users. The company
said the "vast majority" of the passwords
involved had been hashed using the robust
bcrypt algorithm.
Impact: 145 million users compromised
Details: The online auction giant eBay reported a
cyberattack in May 2014 that it said exposed names,
addresses, dates of birth and encrypted passwords
of all of its 145 million users. The company said
hackers got into the company network using the
credentials of three corporate employees, and had
complete inside access for 229 days, during which
time they were able to make their way to the user
database.
Impact: Credit/debit card information and/or
contact information of up to 110 million people
compromised.
Details: The breach of Target costumers began
before Thanksgiving, but was not discovered until
several weeks later. The retail giant initially
announced that hackers had gained access through
a third-party HVAC vender to its point-of-sale (POS)
payment card readers, and had collected about 40
million credit and debit card numbers.
With an increasing number of data breaches splashed across
front page news, companies have good reason to take
security seriously.
23. Afterall, they gain a
lot of data for each
user. For example,
just take a look at all
data Uber gets from
each individual who
takes a ride from
point A to point B.
24. 1. The Basics of GDPR
2. Individual rights
3. Implementation of GDPR
GDPR
25. As we were approaching this Big Data
industrial revolution, the laws governing its
protection had reached a point where they
were a bit like an old operating system. In
need of an update or they would have become
unfit for purpose. Each country, concerned
about citizens’ personal data, big data
analytics and security, was attempting to come
up with its own legislation to control data. In
the European Union companies have to follow
the GDPR legislation.
Smart Data Smart Region | www.smartdata.how
26. Smart Data Smart Region | www.smartdata.how
General Data Protection
Regulation (GDPR) is a single
set of legislation across
Europe that gives individuals
get better control of their
personal data. GDPR
What is the
GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process data
under the
GDPR?
What are
the
consequenc
es of not
acting by
GDPR?
THE BASICS OF GDPR
27. GDPR
What is
the
GDPR? Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
The EU's General Data Protection Regulation (GDPR) is the
result of four years of work by the EU to bring data protection
legislation into line with new, previously unforeseen ways that
data is now used.
Currently, the UK relies on the Data Protection Act 1998,
which was enacted following the 1995 EU Data Protection
Directive, but this will be superseded by the new legislation. It
introduces tougher fines for non-compliance and breaches,
and gives people more say over what companies can do with
their data. It also makes data protection rules more or less
identical throughout the EU.
Smart Data Smart Region | www.smartdata.how
28. GDPR
What is
the GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
Firstly, the EU wants to give people more control over how
their personal data is used, bearing in mind that many
companies like Facebook and Google swap access to people's
data for use of their services. The current legislation was
enacted before the internet and cloud technology created
new ways of exploiting data, and the GDPR seeks to address
that. By strengthening data protection legislation and
introducing tougher enforcement measures, the EU hopes to
improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer
legal environment in which to operate, making data
protection law identical throughout the single market (the EU
estimates this will save businesses a collective €2.3 billion a
year).
Smart Data Smart Region | www.smartdata.how
29. GDPR
What is
the GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
The GDPR will apply in all EU member states from 25 May
2018. Because GDPR is a regulation, not a directive, the UK
does not need to draw up new legislation - instead, it will
apply automatically. While it came into force on 24 May 2016,
after all parts of the EU agreed to the final text, businesses
and organisations have until 25 May 2018 until the law
actually applies to them.
While the overwhelming majority of IT security professionals
are aware of GDPR, just under half of them are preparing for
its arrival, according to a snap survey of 170 cyber security
staff by Imperva. Just 43% are assessing GDPR's impact on
their company and changing their practices to stay in step
with data protection legislation, Imperva found. While the
respondents were mostly US-based, they would still be hit by
GDPR if they handle - or contract another firm to handle - EU
citizens' personal data.
Smart Data Smart Region | www.smartdata.how
30. GDPR
What is
the GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
'Controllers' and 'processors' of data need to abide by the
GDPR. A data controller states how and why personal data is
processed, while a processor is the party doing the actual
processing of the data. So the controller could be any
organisation, from a profit-seeking company to a charity or
government. A processor could be an IT firm doing the actual
data processing.
Even if controllers and processors are based outside the EU,
the GDPR will still apply to them so long as they're dealing
with data belonging to EU residents.
It's the controller's responsibility to ensure their processor
abides by data protection law and processors must
themselves abide by rules to maintain records of their
processing activities. If processors are involved in a data
breach, they are far more liable under GDPR than they were
under the Data Protection Act.
Smart Data Smart Region | www.smartdata.how
31. GDPR
What is
the GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
Once the legislation comes into effect, controllers must
ensure personal data is processed lawfully, transparently, and
for a specific purpose. Once that purpose is fulfilled and the
data is no longer required, it should be deleted.
Smart Data Smart Region | www.smartdata.how
32. GDPR
What is
the GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process
data under
the GDPR?
What are the
consequence
s of not
acting by
GDPR?
Penalties for violation of record keeping, security, breach
notifications and privacy impact assessment are greater of 10
million EUR or 2% of entity‘s global gross revenue.
Penalties for violations olegal justification for processing
(consent), data subject rights and cross-border data transfers
are greater of 20 million EUR or 4% of entity‘s global gross
revenue.
Smart Data Smart Region | www.smartdata.how
33. INDIVIDUAL RIGHTS
A key part of the regulation requires consent to be given by the individual whose data is
held. Concent means „any freely given, specific, informed and unambiguous indication
of his or her wishes by which the data subject, either by statement or by a clear
affirmative action, signifies agreement to personal data relating to them being
processed“.
Organisations will need to be able to show how and when consent was obtained. This
consent does not need to be explicitly given, it can be implied by the person‘s
relationship with the company. However, the data obtained must be for specific, explicit
and legitimate purposes.
Individuals must be able to withdraw consent at any time and have a right to be
forgotten; if their data is no longer required for the reasons for which it was collected, it
must be erased.
34. The right to be informed
- The right to be informed encompasses your
obligation to provide ‘fair processing
information’,
typically through a privacy notice.
- It emphasizes the need for transparency
over how you use personal data
The right of access
- Individuals have the right to access
their personal data and supplementary
information.
- The right of access allows individuals to
be aware of and verify the lawfulness of
the processing.
The right to rectification
- The GDPR gives individuals the right to
have personal data rectified.
- Personal data can be rectified if it is
inaccurate or incomplete.
The right to erase
- The right to erasure is also known as
‘the right to be forgotten’.
- The broad principle underpinning this
right is to enable an individual to request
the deletion or
removal of personal data where there is
no compelling reason for its continued
processing.
The right to restrict
processing
- Individuals have a right to ‘block’ or
suppress processing of personal data.
- When processing is restricted, you are
permitted to store the personal data, but
not further process
it.
- You can retain just enough information
about the individual to ensure that the
restriction is respected
in future.
The right to data portability
- The right to data portability allows
individuals to obtain and reuse their
personal data for their own
purposes across different services.
- It allows them to move, copy or transfer
personal data easily from one IT
environment to another in
a safe and secure way, without hindrance to
usability.
The right to object
The right to data portability allows
individuals to obtain and reuse their
personal data for their own
purposes across different services.
It allows them to move, copy or transfer
personal data easily from one IT
environment to another in
a safe and secure way, without hindrance to
usability.
Rights in relation to
automated decision making
and profiling
- The GDPR has provisions on:
automated individual decision-making
(making a decision solely by automated
means without any
human involvement);and
profiling (automated processing of
personal data to evaluate certain things
about an individual).
- Profiling can be part of an automated
decision-making process.
Smart Data Smart Region | www.smartdata.how
35. Smart Data Smart Region | www.smartdata.how
GDPR IMPLEMENTATION
Companies are required to implement appropriate technical and organisational measures in relation to nature, scope, context and
purposes of their handling and rocessing of personal data. Data protection safeguards must be designed into products and
services from the earliest stages of development.
AWARENESS
INFORMATION YOU
HOLD
COMMUNICATING
PRIVACY
INFORMATION
INDIVIDUAL RIGHTS
SUBJECT ACCESS
REQUESTS
LAWFUL BASIS FOR
PROCESSING
PERSONAL DATA
CONSENT CHILDREN
DATA BREACHES
DATA PROTECTION BY
DESIGN AND DATA
PROTECTION IMPACT
ASSESSMENTS
DATA PROTECTION
OFFICERS
INTERNATIONAL
12 steps you can make in your company to implementate GDPR
1 2 3 4
5 6 7 8
109 11 12
36. AWARENESS1
You should make sure that decision makers and key people in
your organisation are aware that the law is changing to the
GDPR. They need to appreciate the impact this is likely to have
and identify areas that could cause compliance problems under
the GDPR. It would be useful to start by looking at your
organisation’s risk register, if you have one.
Implementing the GDPR could have significant resource
implications, especially for larger and more complex
organisations. You may find compliance difficult if you leave
your preparations until the last minute.
37. INFORMATION YOU HOLD2
You should document what personal data you hold, where it came from
and who you share it with. You may need to organise an information audit
across the organisation or within particular business areas.
The GDPR requires you to maintain records of your processing activities.
It updates rights for a networked world. For example, if you have
inaccurate personal data and have shared this with another organisation,
you will have to tell the other organisation about the inaccuracy so it can
correct its own records.
You won’t be able to do this unless you know what personal data you hold,
where it came from and who you share it with. You should document this.
Doing this will also help you to comply with the GDPR’s accountability
principle, which requires organisations to be able to show how they comply
with the data protection principles, for example by having effective policies
and procedures in place.
38. COMMUNICATING PRIVACY INFORMATION3
You should review your current privacy notices and put a plan in place for
making any necessary changes in time for GDPR implementation. When you
collect personal data you currently have to give people certain information,
such as your identity and how you intend to use their
information.
This is usually done through a privacy notice. Under the GDPR there are some
additional things you will have to tell people. For example, you will need to
explain your lawful basis for processing the data, your data retention periods
and that individuals have a right to complain to the ICO if they think there is a
problem with the way you are handling their data. The GDPR requires the
information to be provided in concise, easy to understand and clear language
39. INDIVIDUAL RIGHTS4
You should check your procedures to ensure they cover all the rights
individuals have, including how you would delete personal data or provide
data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including
profiling.
You should consider whether you need to revise your procedures and
make any changes. You will need to provide the personal data in a
structured commonly used and machine readable form and provide the
information free of charge.
40. SUBJECT ACCESS REQUESTS5
You should update your procedures and plan how you will handle requests
to take account of the new rules:
- In most cases you will not be able to charge for complying with a
request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded
or excessive.
- If you refuse a request, you must tell the individual why and that
they have the right to complain to the supervisory authority and to
a judicial remedy. You must do this without undue delay and at the
latest, within one month.
If your organisation handles a large number of access requests, consider
the logistical implications of having to deal with requests more quickly.
You could consider whether it is feasible or desirable to develop systems
that allow individuals to access their information easily online.
41. LAWFUL BASIS FOR PROCESSING
PERSONAL DATA
6
You should identify the lawful basis for your processing activity in the
GDPR, document it and update your privacy notice to explain it.
Many organisations will not have thought about their lawful basis for
processing personal data. Under the current law this does not have many
practical implications. However, this will be different under the GDPR
because some individuals’ rights will be modified depending on your
lawful basis for processing their personal data.
The most obvious example is that people will have a stronger right to have
their data deleted where you use consent as your lawful basis for
processing. You will also have to explain your lawful basis for processing
personal data in your privacy notice and when you answer a subject
access request. The lawful bases in the GDPR are broadly the same as the
conditions for processing in the DPA. It should be possible to review the
types of processing activities you carry out and to identify your lawful
basis for doing so. You should document your lawful bases in order to help
you comply with the GDPR’s ‘accountability’ requirements.
42. CONSENT7
You should review how you seek, record and manage consent and
whether you need to make any changes. Refresh existing consents now if
they don’t meet the GDPR standard.
You should read the detailed guidance the ICO has published on consent
under the GDPR, and use our consent checklist to review your practices.
Consent must be freely given, specific, informed and unambiguous. There
must be a positive opt-in – consent cannot be inferred from silence, preticked
boxes or inactivity. It must also be separate from other terms and
conditions, and you will need to have simple ways for people to withdraw
consent. Public authorities and employers will need to take particular
care. Consent has to be verifiable and individuals generally have more
rights where you rely on consent to process their data.
You are not required to automatically ‘repaper’ or refresh all existing DPA
consents in preparation for the GDPR. But if you rely on individuals’
consent to process their data, make sure it will meet the GDPR standard
on being specific, granular, clear, prominent, opt-in, properly documented
and easily withdrawn. If not, alter your consent mechanisms and seek
fresh GDPR-compliant consent, or find an alternative to consent.
43. CHILDREN8
You should start thinking now about whether you need to put systems in
place to verify individuals’ ages and to obtain parental or guardian
consent for any data processing activity.
For the first time, the GDPR will bring in special protection for children’s
personal data, particularly in the context of commercial internet services
such as social networking. If your organisation offers online services
(‘information society services’) to children and relies on consent to collect
information about them, then you may need a parent or guardian’s
consent in order to process their personal data lawfully.
The GDPR sets the age when a child can give their own consent to this
processing at 16 (although this may be lowered to a minimum of 13 in the
UK). If a child is younger then you will need to get consent from a person
holding ‘parental responsibility’. This could have significant implications if
your organisation offers online services to children and collects their
personal data. Remember that consent has to be verifiable and that when
collecting children’s data your privacy notice must be written in language
that children will understand.
44. DATA BREACHES9
You should make sure you have the right procedures in place to detect,
report and investigate a personal data breach.
Some organisations are already required to notify the ICO (and possibly
some other bodies) when they suffer a personal data breach. The GDPR
introduces a duty on all organisations to report certain types of data
breach to the ICO, and in some cases, to individuals. You only have to
notify the ICO of a breach where it is likely to result in a risk to the rights
and freedoms of individuals – if, for example, it could result in discrimination,
damage to reputation, financial loss, loss of confidentiality
or any other significant economic or social disadvantage. Where a breach is likely
to result in a high risk to the rights and freedoms of individuals, you will also have
to notify those concerned directly in most cases.
You should put procedures in place to effectively detect, report and
investigate a personal data breach. You may wish to assess the types of
personal data you hold and document where you would be required to
notify the ICO or affected individuals if a breach occurred. Larger
organisations will need to develop policies and procedures for managing
data breaches. Failure to report a breach when required to do so could
result in a fine, as well as a fine for the breach itself.
45. DATA PROTECTION BY DESIGN
AND DATA PROTECTION IMPACT
ASSESSMENTS
6
It has always been good practice to adopt a privacy by design approach and to carry
out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes
privacy by design an express legal requirement, under the term ‘data protection by
design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact
Assessments’ or DPIAs – mandatory in certain circumstances.
A DPIA is required in situations where data processing is likely to result in
high risk to individuals, for example:
- where a new technology is being deployed;
- where a profiling operation is likely to significantly affect
individuals; or
- where there is processing on a large scale of the special categories
of data.
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently
address those risks, you will be required to consult the ICO to seek its opinion as to
whether the processing operation complies with the GDPR.
10
46. DATA PROTECTION OFFICERS
You should designate someone to take responsibility for data protection compliance
and assess where this role will sit within your organisation’s structure and
governance arrangements.
You should consider whether you are required to formally designate a
Data Protection Officer (DPO). You must designate a DPO if you are:
- a public authority (except for courts acting in their judicial
capacity);
- an organisation that carries out the regular and systematic
monitoring of individuals on a large scale; or
- an organisation that carries out the large scale processing of special
categories of data, such as health records, or information about
criminal convictions. The Article 29 Working Party has produced
guidance for organisations on the designation, position and tasks of
DPOs.
It is most important that someone in your organisation, or an external data
protection advisor, takes proper responsibility for your data protection compliance
and has the knowledge, support and authority to carry out their role effectively.
11
47. INTERNATIONAL
If your organisation operates in more than one EU member state, you
should determine your lead data protection supervisory authority and
document this.
The lead authority is the supervisory authority in the state where your
main establishment is. Your main establishment is the location where
your central administration in the EU is or else the location where
decisions about the purposes and means of processing are taken and
implemented.
This is only relevant where you carry out cross-border processing – ie you
have establishments in more than one EU member state or you have a
single establishment in the EU that carries out processing which
substantially affects individuals in other EU states.
If this applies to your organisation, you should map out where your
organisation makes its most significant decisions about its processing
activities. This will help to determine your ‘main establishment’ and
therefore your lead supervisory authority.
12
48. No matter what volumes of data they’re
dealing with, it’s crucial for businesses to get a
good handle on where their data is, how it’s
stored and who has access to it. The GDPR
comes at a time when customer expectations
have never been higher over the privacy of
their data. Putting the power back into the
hands of customers can only serve the
businesses who rely on them, helping to build
a far more positive relationship and engender
consumer trust.
50. LEGAL GLOSSARY
PERSONAL DATA
Any information relating to a person who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number,
location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person.
CONTROLLERS
Owners of the data, who are responsible for data protection and make sure
processors are compliant.
PROCESSORS
Work with the data and have to take responsible actions with the data. The
relationship between Controllers and Processor must be documented.
DATA PROTECTION OFFICERS
Public Authorities who have expert knowledge on data protection laws. They deal
with a large scale processing of special types of personal data.
PROFILING
Ay automated processing of personal data to determine certain criteria about a
person.
BREACH AND NOTIFICATION
A breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored or otherwise processed.
DATA SUBJECT ACCESS REQUESTS
The right of the individual to understand what is stored and how it is used.