Information for senior management to increase awareness of their responsibilities under GDPR
Organisations, as data controllers, are responsible and accountable under the GDPR for all processing of the personal data they collect, whether that processing is carried out internally or by external parties on their behalf.
This course gives business owners and senior management an understanding of the key areas of responsibility that need to be addressed.
The Controller may be an organisation or individual that determines the purposes and means of processing personal data.
Since a company is a separate legal entity, it (the company) is normally the data controller, rather than an individual who is a part of the company.
Organisations must ensure that, when planning any new project, business processes are designed so that privacy and data protection principles are addressed and integrated into their data processing activities, and that only the minimum amount of personal data necessary is processed.
Data protection by design requires you to put in place appropriate technical and organisational measures, and to integrate safeguards into your processing, to implement the data protection principles and protect individuals' rights.
Data protection by default requires that you only process the data that is necessary to achieve your specific purpose.
More info – Data protection by design and default – ICO
An authority responsible for courts and tribunals is building a new IT system for storing or accessing personal data. Before any live use, the authority is required to review its privacy and data protection compliance and the risks identified, from the start of the project rather than adding such considerations at the end. This process could involve undertaking a Data Protection Impact Assessment (DPIA).
The regulation requires organisations to keep records of their processing activities and to make those records available to the supervisory authority on request.
Documenting your processing activities is important not only because it is a legal requirement, but also because it supports good data governance and helps demonstrate your compliance with certain aspects of the GDPR. The records must be kept up to date and reflect current data processing activities.
More Info – Documentation of processing activities – ICO
Who needs to document their processing activities – ICO
A processor is an organisation or individual that processes personal data on behalf of the controller, e.g. a third-party payroll provider.
Under the GDPR the controller may only use processors that provide sufficient guarantees of compliance with the GDPR, and must be able to demonstrate this.
This is done through a written data processing agreement or contract, which legally binds the processor to act only on the controller's documented instructions and to uphold the rights of the data subjects.
It also sets out the terms of the work to be carried out and the obligations of both the controller and the processor.
More info – Contracts and liabilities between controllers and processors – ICO guidance
As good practice, if in doubt, controller-processor contracts should be reviewed by a lawyer.
If a processor deviates from the controller's instructions and determines the purposes and means of processing itself, the GDPR regards it as a controller for that processing, and it assumes the controller's obligations over it.
A processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
The controller should be aware that the GDPR restricts the transfer of personal data outside the European Economic Area (EEA) to third countries or international organisations.
These restrictions exist so that the level of protection the GDPR gives individuals is not undermined when their data leaves the EEA.
Personal data may only be transferred outside the EEA in compliance with the conditions set out in Chapter V of the GDPR, for example on the basis of an adequacy decision or appropriate safeguards such as standard contractual clauses.
More info – International transfers – ICO
Accountability is arguably one of the most important principles of the GDPR. Not only does the GDPR make the organisation responsible for complying with the regulation, it also requires the organisation to demonstrate that it complies. Evidence of compliance must be made available to the ICO on request.
It encourages organisations to develop a culture of data privacy at all levels, from senior management to the most junior staff.
This includes ensuring that adequate training is provided and that policies and procedures are understood and followed.
More info – Accountability & Governance – ICO
Responsibilities under the Accountability principle include ensuring:
More info – Lawful basis for processing – ICO
The GDPR sets a high standard for consent. Consent is only one of six lawful bases: it is often required for electronic direct marketing (under the separate PECR rules), and explicit consent is one of the conditions for processing special category (sensitive) personal data, but it is not the only route in either case. Consent may not be necessary or the most appropriate basis, and because it can be difficult to obtain and can be withdrawn at any time, you should explore the alternative bases first.
The following conditions apply for consent:
You should review existing consent and your consent mechanisms to check they meet the GDPR standard. If they do not you need to obtain fresh consent.
More info – Consent – ICO
You can rely on the contract basis if either:
You have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.
Example
When a data subject makes an online purchase, a controller processes the address of the individual in order to deliver the goods. This is necessary in order to perform the contract.
You do not yet have a contract with the individual, but they have asked you to do something as a first step (e.g. provide a quote) and you need to process their personal data to do what they ask.
Example
An individual shopping around for car insurance requests a quotation. The insurer needs to process certain data in order to prepare the quotation, such as the make and age of the car.
It does not apply if you need to process one person’s details but the contract is with someone else.
More info – Contract – ICO
You can rely on this lawful basis if you are required to process the personal data in order to comply with a legal or statutory obligation; contractual obligations do not count.
Example
An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HMRC. The employer can point to the HMRC website where the requirements are set out to demonstrate this obligation. In this situation it is not necessary to cite each specific piece of legislation.
More info – Legal obligation – ICO
This lawful basis is intended to cover only interests that are essential for someone’s life. So, it is very limited in its scope, and generally only applies to matters of life and death. It is particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.
Example
An individual is admitted to the A & E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her vital interests.
More info – Vital interests – ICO
This lawful basis applies mainly to public authorities, and you can rely on it if you are either:
Example
Private water companies are likely to be able to rely on the public task basis even if they do not fall within the definition of a public authority in the Data Protection Act 2018. This is because they are considered to be carrying out functions of public administration and they exercise special legal powers to carry out utility services in the public interest.
More info – Public task – ICO
Legitimate interests is most likely appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. However, you cannot assume it will always be the most appropriate.
There are three elements to the legitimate interests basis, and it helps to think of them as a three-part test: a purpose test (is there a legitimate interest?), a necessity test (is the processing necessary for that purpose?) and a balancing test (is the interest overridden by the individual's interests, rights and freedoms?).
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits.
More info – Legitimate interests – ICO
A key obligation under the GDPR is for controllers and processors to take "appropriate technical and organisational measures" to ensure appropriate security of the personal data they hold. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Since the level of security must be "appropriate" to the risks presented by the processing, you need to assess your information risk before deciding which measures are appropriate.
You should review the personal data you hold, the way you use it, assess how valuable, sensitive or confidential it is – as well as the damage or distress that may be caused if the data was compromised.
More info – Security – ICO
Many reported data breaches result from human error, weak internal systems and processes, or inadequate IT security, so basic security hygiene is often the quickest way to improve the protection of the personal data you hold and to meet your obligation.
This can be achieved by:
More info – GDPR security outcomes – National cyber security centre
The majority of data incidents reported to the ICO in Q4 2017 were the result of human error, the most common being:
Protect access to data
Consider carefully allowing staff to use their own devices for work
It may be easier to let staff log in from their own phone or laptop at home, but as the data controller you remain responsible for personal data wherever it is held, and you need to retain control over the devices it is copied to. Since you do not own a user's personal device you have no automatic right to inspect it or to remove data stored on it. If you allow personal devices to be used, you will need to put in place a Bring Your Own Device (BYOD) policy, backed by technical controls (such as device encryption and the ability to remove work data remotely) that staff agree to before they are given access.
Working away from the office
Be aware of additional risks of working in public spaces or at home.
Do not use shared logins
Do not use shared logins (such as "accounts" or "info"). Multiple people know the password, so no record can show who actually did what, and when someone leaves the password has to be changed everywhere it is used, which in practice rarely happens. Keep logins unique to each team member and never share accounts.
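Shared accounts also leave login records that cannot be attributed to a person. The script below is an added illustration, not part of the course material, of how you could check your own authentication logs for the problem using two signals from the guidance above: role-style usernames that are not tied to one person, and one username authenticating from several different machines within a short window. The log format, the IP addresses, the usernames and the list of generic account names are all constructed for the example and would need adapting to your own systems.

```python
"""Flag likely shared logins in authentication logs (added example).

Two heuristics:
  1. generic, role-style usernames ("accounts", "info", ...) that are not
     tied to one person, and
  2. one username accepted from several distinct client hosts within a
     short window, which a single person rarely does.
The syslog-like format and the sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one shared "accounts" login used from three hosts
# in five minutes, one named user moving machines over 90 minutes, one
# generic "info" login, and one failed login that is ignored.
SAMPLE_LOG = """\
2019-03-04T09:00:12Z auth: accepted password for accounts from 10.0.1.15
2019-03-04T09:03:40Z auth: accepted password for accounts from 10.0.1.22
2019-03-04T09:05:01Z auth: accepted password for accounts from 10.0.2.9
2019-03-04T09:10:55Z auth: accepted password for j.smith from 10.0.1.40
2019-03-04T10:45:00Z auth: accepted password for j.smith from 10.0.1.41
2019-03-04T11:00:00Z auth: accepted password for info from 10.0.3.3
2019-03-04T11:02:17Z auth: failed password for r.jones from 10.0.1.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: accepted password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Role-style names that, in this example, should never be interactive logins.
# Assumed list; build yours from your own directory.
GENERIC_NAMES = {"accounts", "info", "admin", "sales", "support", "reception"}


def parse_events(log_text):
    """Return (timestamp, user, source) for each successful login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are not relevant here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    return events


def generic_accounts(events):
    """Users whose name looks like a shared role rather than a person."""
    return sorted({user for _, user, _ in events if user in GENERIC_NAMES})


def concurrently_shared(events, window=timedelta(minutes=30), min_hosts=2):
    """Users seen from `min_hosts` or more distinct sources within `window`.

    Slides a window over each user's logins in time order. One person moving
    between two machines inside half an hour is possible, so tune `window`
    and `min_hosts` to your environment before acting on the output.
    """
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            hosts = {src for ts, src in logins[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def report(log_text=SAMPLE_LOG):
    """Run both checks and return the findings as a dict."""
    events = parse_events(log_text)
    return {
        "generic_accounts": generic_accounts(events),
        "concurrently_shared": concurrently_shared(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the constructed log, the report flags "accounts" and "info" as generic names and "accounts" as used from three hosts inside the 30-minute window; "j.smith" is not flagged because the two logins are 94 minutes apart. The second check is the more useful one in practice, because it also catches a personal account whose password has been passed around.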
Improve password protocols
Identify suspect emails
Ensure staff are trained never to open an unexpected attachment or click a link from an unknown sender, to recognise spam and phishing email, and to know how to report a suspect message.
Get protected
Ensure you have adequate, up-to-date protection against viruses, spyware and other malware.
There is a legal obligation to allow data subjects to obtain a copy of their personal data and other supplementary information. This is known as a Subject Access Request (SAR). You normally have one month to respond, extendable by up to two further months for complex or numerous requests.
Organisations need to develop systems and processes to manage these SARs.
The Subject Access Request
More info – Rights of access – ICO
Controllers should:
More info – Subject access code of practice – ICO
Controllers are obliged to provide
If your organisation is likely to receive a significant number of SARs, you may wish to consider using appropriate software to make the task efficient and manageable.
What is a data breach?
A personal data breach is a breach of security, whether accidental or deliberate, that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Example
Personal data breaches can include:
An organisation should understand the different aspects of data breach management to ensure it has the capability to respond to personal data breaches.
Controllers are obliged to report data breaches that are likely to result in a risk to people's rights and freedoms. If such a risk is unlikely, you do not have to report the breach. However, if you decide not to report it, you must be able to justify that decision, and every breach, reported or not, must be recorded internally.
Example
The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, you would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.
If a processor you use suffers a breach of the personal data it is processing on your behalf, it must inform you without undue delay after becoming aware, so that you can meet your own breach obligations under the GDPR.
Example
Your organisation (the controller) contracts an IT services firm (the processor) to archive and store customer records. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. As this is a personal data breach, the IT firm promptly notifies you that the breach has taken place. You in turn notify the ICO.
When
A breach must be reported to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If you take longer you must give reasons for the delay.
Example
You detect an intrusion into your network and become aware that files containing personal data have been accessed, but you don't know how the attacker gained entry, to what extent the data was accessed, or whether the attacker also copied the data from your system.
You notify the ICO within 72 hours of becoming aware of the breach, explaining that you don’t yet have all the relevant details, but that you expect to have the results of your investigation within a few days. Once your investigation uncovers details about the incident, you give the ICO more information about the breach without delay.
How
When reporting a breach, you must provide:
When
Individuals should be informed without undue delay if a breach is likely to result in a high risk to their rights and freedoms.
The threshold for informing individuals is higher than for notifying the ICO.
If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms
Example
A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
A university experiences a breach when a member of staff accidentally deletes a record of alumni contact details. The details are later recreated from a backup. This is unlikely to result in a high risk to the rights and freedoms of those individuals. They don’t need to be informed about the breach.
How
You need to describe the nature of the personal data breach and:
So, it is important to make sure you have a robust breach-reporting process in place to ensure you can detect and notify a breach, on time; and to provide the necessary details.
It is important that management are aware of the considerable risk of failing to comply, whether through administrative failures or personal data breaches.
The consequences could be:
2% Annual Global Turnover
Tier 1 – For infringements of the organisation's obligations as controller or processor, including data security and breach notification. Up to €10 million, or 2% of annual global turnover, whichever is higher.
4% Annual Global Turnover
Tier 2 – For infringements of the basic principles of processing (including the conditions for consent), of individuals' rights, and of the rules on international transfers. Up to €20 million, or 4% of annual global turnover, whichever is higher.