A presentation aimed at increasing the organisation's knowledge of the GDPR
Welcome to your training on the General Data Protection Regulation or GDPR
This course provides information on the GDPR, which has applied across the EU since 25 May 2018.
The purpose of the course is to give employees of an organisation an understanding of the Regulation and how it affects the business.
Training is also an essential element of compliance to ensure employees have adequate knowledge of the GDPR.
Protects the rights of individuals in the EU (data subjects) and gives them more control over how their personal information is collected and processed.
Simplifies and unifies regulations across the EU.
Requires organisations to demonstrate compliance with the GDPR principles by adopting appropriate policies, procedures and processes to protect the personal data they hold.
Chart: worldwide digital data created and replicated (zettabytes)
Chart: largest companies by market value: Apple $567.75 billion; Alphabet $546.49 billion; Microsoft $445.14 billion; Amazon $366.95 billion; Facebook $364.26 billion
The GDPR applies to any organisation established in the EU that processes personal data, and to any organisation outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where that organisation is or where the processing takes place.
Thus, a company outside the EU that targets consumers within the EU is subject to the GDPR.
An identifiable individual is one who can be identified, directly or indirectly, by identifiers such as:
The GDPR also applies to data that, combined with other information, could identify a person or reveal something about them; such data is still personal data.
The special categories of data include data which reveals:
Processing includes any of the following activities:
The GDPR governs everything you are likely to do with personal data, making sure it is used only in ways the individual would reasonably expect and for which you have a lawful basis (for example, their consent).
The GDPR applies to ALL organisations processing the personal data of anyone who lives in the EU, regardless of where that organisation is, or where the processing takes place.
Thus, a company outside the EU that does business with individuals in the EU is subject to the GDPR.
Each EU member state has its own supervisory authority; the ICO is the UK's.
It is an independent regulatory authority whose mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”.
Understanding the GDPR
The GDPR is EU legislation that protects the rights of individuals in the EU and gives them more control over how their personal information is processed. It applies to any organisation that processes the personal data of anyone who resides in the EU, even if the processing takes place elsewhere.
Personal Data
Personal data is any information relating to an identified or identifiable living person.
Supervisory Authority
The Information Commissioner’s Office or ICO is the Supervisory Authority for the UK.
We must be open and honest about who we are and how we will process someone’s personal data. We must only handle it as they would reasonably expect and we mustn’t have an unjustifiably negative effect on them.
We must have a legal basis before we can process personal data. These include:
A clear and complete privacy notice tells people exactly how we will use their data.
We must only use personal data for the specified purpose for which it was collected. We cannot collect it for one reason and then decide at a later stage to use it for another, incompatible reason. If you want to use it in a different way, you need a lawful basis for the new purpose, for example by obtaining further consent.
Example
A GP discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation. Disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.
To comply, keep these in mind
You can only ask for information which is relevant to the reason you’re collecting it. This means that you can’t ask for information simply because it might be useful in the future.
Your organisation should carry out regular reviews, looking at the data it asks for and checking that it is still necessary for the intended purpose.
Example
A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to the debtor. During the enquiry some of these people are discounted. The agency should delete most of their personal data, keeping only the minimum data needed to form a basic record of a person they have removed from their search. It is appropriate to keep this small amount of information so that these people are not contacted again about debts which do not belong to them.
To comply, keep these in mind
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.
Be careful when you take the details, make sure the correct information is collected. The GDPR gives people the right to request that their data is changed, completed, corrected or deleted. So, your organisation needs a clear procedure to do this.
Your organisation should also have a procedure in place to check that data is up-to-date.
Example
If an individual moves house from London to Manchester a record saying that they currently live in London will obviously be inaccurate. However a record saying that the individual once lived in London remains accurate, even though they no longer live there.
To comply, keep these in mind
You should only keep personal data for as long as it is needed and must delete it when it is no longer needed for the purpose for which it was collected.
Your organisation should have procedures in place to check if you still need to keep the data and a procedure to securely delete information if not.
You can’t keep hold of data on the off-chance that it may be useful in the future.
Example
A bank may need to retain images from a CCTV system installed to prevent fraud at an ATM for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement. In contrast, a pub may only need to retain images from its CCTV system for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the pub will need to retain the images until the police have had time to collect them.
To comply, keep these in mind
Personal data must be kept safe and secure and should be protected from accidental or deliberate loss, destruction, damage or unauthorised access.
An organisation needs to know how to keep data safe and have a robust IT security policy.
To comply with this principle:
The GDPR states that organisations must be able to demonstrate compliance with the Data Protection Principles.
Make sure you know what your organisation's policies and procedures contain and how they are used.
To comply you must:
Remember that the ICO can audit and check an organisation's compliance through this documentation.
Terminology
Controller is the person or entity who determines the purpose and means of processing personal data. The company as a whole is normally the data controller.
GDPR Principles
There are seven principles that an organisation must adhere to:
We must inform data subjects about the collection and processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
This is done through a privacy notice, welcome letter or terms and conditions of engagement.
Data subjects have the right to access their personal data, so they can see what data is being held and what is being done with it. They exercise this right by submitting a subject access request (SAR), which has to be responded to within one month (extendable by a further two months for complex requests) and free of charge.
Data subjects have the right to correct inaccurate personal data.
We have to erase or amend any inaccurate or incomplete data within one month of the request, extendable by a further two months if the request is complex.
If personal data is shared with third parties, there is an obligation to ensure the information they hold is corrected.
An individual can request the deletion or removal of personal data and this has to be done when certain conditions are met.
Example
A search engine notifies a media publisher that it is delisting search results linking to a news report as a result of a request for erasure from an individual. If the publication of the article is protected by the freedom of expression exemption, then the publisher is not required to erase the article.
For when
Data subjects can demand that processing of their personal data be restricted, so the organisation may store it but only use it for certain limited purposes.
Individuals have the right to restrict processing when there is a dispute about the accuracy of their data.
When the data is restricted, it can be stored but not otherwise processed (except with the individual's consent, for legal claims, to protect the rights of others, or for important public interest reasons).
We must hold just enough personal data to ensure that the restriction is maintained.
Third parties with whom the data has been shared must be informed.
Individuals can obtain and reuse their personal data for their own purposes.
The data must be provided in a structured, commonly used and machine-readable format, or, where technically feasible, transmitted directly to another data controller.
Example
When an individual requests to switch from one utility supplier to another, the existing supplier must provide the personal data the individual gave it in a machine-readable format, or transmit it directly to the new supplier (the new controller) where technically feasible.
The data subject has the right to request that the organisation stop processing their personal data.
Individuals need to be informed as to their right to object when their data is collected.
If they object, processing must cease unless the organisation can demonstrate compelling legitimate grounds that override the individual's interests, or the processing is needed for legal claims.
For direct marketing there is no such exemption: processing must stop immediately.
The GDPR gives individuals certain protections against the risk that a potentially damaging decision is made solely by automated means without the involvement of a human.
This includes profiling: automated processing that evaluates aspects of a person such as their health, behaviour or performance at work.
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration or corruption of personal data, or its unauthorised disclosure or access.
These can include:
Three steps need to be taken in the event of a personal data breach: report it to the ICO within 72 hours of becoming aware of it where it is likely to result in a risk to individuals; notify the individuals concerned without undue delay where the risk to them is high; and record it internally, whether or not it is reported.
The majority of data breaches are the result of human error, poor internal systems and/or inadequate IT security.
Here are some quick and easy measures you can implement to protect the personal data you hold.
Reduce human error
Improve internal systems and processes
Strengthen your IT security
Identify Phishing emails
Get protected with good anti-virus software
Failure to comply, through administrative failures or personal data breaches, may result in fines of:
Tier 1 – for infringements of an organisation's obligations (for example record-keeping, security or breach notification): up to €10 million, or 2% of annual global turnover, whichever is higher.
Tier 2 – for infringements of the data protection principles or of individuals' rights: up to €20 million, or 4% of annual global turnover, whichever is higher.
Understanding data breaches
A personal data breach occurs when personal data is lost, destroyed, altered, disclosed or accessed without authorisation. In the event of a personal data breach an organisation must: report it to the ICO within 72 hours where it is likely to result in a risk to individuals; notify the individuals concerned where the risk to them is high; and record it internally.
Reducing the risk of data breaches
Understanding and improving IT security systems and processes will significantly reduce the likelihood of a data breach occurring.
Non-compliance
Can lead to: an investigation by the ICO, significant fines, compensation claims and reputational damage.