
An Introduction to the General Data Protection Regulation



Presentation Transcript


  1. An Introduction to the General Data Protection Regulation

  2. General Data Protection Regulation • Single set of rules for all EU member states • Supersedes the Data Protection Act 1998 • Applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (residence in the EU is what matters, not citizenship) • Sits alongside the UK Data Protection Act 2018 • Requires Data Protection by Design and by Default and documented accountability

  3. Think about it… • Are you familiar with the previous Data Protection Act 1998? • Do you know anything already about the GDPR? • What are your expectations from this training?

  4. Data protection principles 1. Personal data shall be: • processed lawfully, fairly and in a transparent manner; • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; • accurate and, where necessary, kept up to date; • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; • processed in a manner that ensures appropriate security of the personal data. • 2. The controller shall be responsible for and be able to demonstrate compliance with the above. Accountability Principle

  5. Think about it… • How might you demonstrate accountability with the principles? • What procedures does your team, Service, School, Institute, or College have in place to comply with any of the principles?

  6. Personal data Any information relating to a natural person who can be identified, directly or indirectly, by that information • Name • Identification number • Location data • Online identifier • Pseudonymised data • Factors specific to physical, physiological, genetic, mental, economic, cultural or social identity

  7. Special categories of personal data Personal data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic or biometric data processed for purpose of identification • health • sex life or sexual orientation

  8. Think about it… • Can you identify the different types of personal data and special categories of personal data that you work with or store? • Include the data processed by your team, Service, School, Institute, or College

  9. What is processing? • Any operation or set of operations performed on personal data or on sets of personal data • collection, recording, receipt • storage, backup, filing, retention • display, scanning, review • deletion, destruction • editing, updating, modification • copying, transmission, transfer, release • loss, mislaying, misdirection

  10. When can you process personal data?

  11. Think about it… • Based on the personal data you previously identified, what are your legal bases for processing those different types of data?

  12. Conditions for consent • Implied consent (silence, inactivity, pre-ticked boxes) is not valid consent for processing • Must be demonstrable by a statement or a clear affirmative action • Freely given, specific, informed and unambiguous • Consent must be obtained separately for each distinct purpose; a single blanket consent covering unrelated processing is not specific • Consent can be withdrawn at any time, and withdrawing must be as easy as giving it

  13. New and expanded rights • Right to be informed • Right of access • Right to rectification • Right to erasure • Right to restriction of processing • Right to data portability • Right to object • Rights in relation to automated decision making, including profiling (the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects)

  14. New and expanded rights • Data subjects must be made aware of their rights • Responses must be provided within one calendar month of receipt; this can be extended by a further two months for complex or numerous requests, but the data subject must be told of the extension within the first month • Systems and procedures must be in place to act on these rights • Documentation of how each request was handled is required • If rectification, erasure or restriction is carried out, we must notify any third party we have shared the relevant data with, unless this proves impossible or involves disproportionate effort

  15. Think about it… • If someone exercised any one of their rights, how would you or your team go about providing a response? • Do you know how to find and access the data? • Can you erase it, correct it, or restrict it?

  16. Privacy notices under GDPR • Presented to data subject whenever new processing is undertaken • Consider a layered approach to notification • Must explain: • personal data being processed, • purpose of processing, • intended retention, • subject rights, • source of data, • conditions of processing, • intended sharing or international transfer • existence of automated decision making, including profiling

  17. Think about it… • University staff have a number of responsibilities that help the University to uphold and demonstrate compliance with the GDPR. • The next few slides detail how we can meet these responsibilities.

  18. Your responsibilities: Data Protection by Design • Maintain documentation and implement measures to demonstrate compliance with the principles • Internal audits, reviews, training • Document processing activities (a record of processing) to ensure transparency • Employ data minimisation and pseudonymisation: collect only the fields the purpose needs, and replace direct identifiers with tokens whose re-identification key is held separately • Do you need the data at all?
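As an added illustration of the data minimisation and pseudonymisation measures above (this is example code, not material from the University of Glasgow slides), the following pseudonymises a constructed set of student records before they are handed to an analysis team. Under the GDPR definition, pseudonymised data can no longer be attributed to a specific person without additional information that is kept separately; here that additional information is the HMAC key. A keyed HMAC is used rather than a plain hash because student IDs come from a small, guessable space and an unkeyed SHA-256 of each one could simply be recomputed. The record fields, names and IDs are invented for the example.

```python
"""Pseudonymisation and data minimisation of a constructed record set.

Added example, not part of the original slides. Field names, IDs and
names below are invented; the key would in practice be held by the team
that owns the source system, not by the team receiving the output.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (invented people and courses).
RECORDS = [
    {"student_id": "2345678a", "name": "A. Example",
     "email": "a.example@example.ac.uk", "course": "COMPSCI4001", "grade": 72},
    {"student_id": "2345679b", "name": "B. Sample",
     "email": "b.sample@example.ac.uk", "course": "COMPSCI4001", "grade": 58},
    {"student_id": "2345678a", "name": "A. Example",
     "email": "a.example@example.ac.uk", "course": "COMPSCI4002", "grade": 65},
]

# Fields that identify a person directly and must not leave the source system.
DIRECT_IDENTIFIERS = ("student_id", "name", "email")


def make_key() -> bytes:
    """Fresh 256-bit pseudonymisation key; store it separately from the output."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed token for one identifier.

    HMAC-SHA256 rather than a bare hash: the space of valid student IDs is
    small enough to enumerate, so an unkeyed hash would be trivially reversed.
    Without the key the token cannot be linked back to the identifier.
    """
    mac = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(records, key: bytes, keep_fields):
    """Replace direct identifiers with a token and keep only the fields needed.

    The same student receives the same token under the same key, so analysis
    across courses is still possible without the real identity.
    """
    output = []
    for record in records:
        token = pseudonym(key, record["student_id"])
        # Data minimisation: only the fields the stated purpose needs survive.
        output.append({"subject": token, **{f: record[f] for f in keep_fields}})
    return output


def contains_direct_identifiers(records) -> bool:
    """Check that no direct identifier field slipped into the output."""
    return any(f in r for r in records for f in DIRECT_IDENTIFIERS)


def re_identify(key: bytes, token: str, candidate_ids):
    """Reverse lookup, only possible for whoever holds both the key and the
    real identifiers (the source system). Returns None for an unknown key."""
    for candidate in candidate_ids:
        if hmac.compare_digest(pseudonym(key, candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = make_key()
    for row in pseudonymise(RECORDS, key, ["course", "grade"]):
        print(row)
```

The analysis team receives only `subject`, `course` and `grade`; rectification or erasure requests against the source records can still be propagated by recomputing the affected student's token with the held key and locating it in the output.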

  19. Your responsibilities: Data Protection by Design • Data Protection Impact Assessments (DPIAs) • Description of the intended processing and its purposes • Assessment of the risks to individuals and the measures adopted to reduce them • Required when processing is likely to result in a high risk to the rights and freedoms of individuals, in particular when: • using new technologies, • profiling or other systematic evaluation, • systematic monitoring or surveillance, • processing special categories of personal data on a large scale • Carry out the DPIA before the processing starts, not after

  20. Your responsibilities: data sharing agreements • Contract laying out multiple party commitments to personal data • Required for sharing personal data with processors or any other third parties outwith the University • Ensures compliance with GDPR Principles and international or third party transfer requirements • Ensures you are working with a GDPR compliant processor • Drafted by Contracts team within Finance

  21. Your responsibilities: data security • Appropriate and secure storage for paper and electronic records • Encrypt data on laptops, tablets, memory sticks and other portable devices, so that a lost device is not a disclosure • Authorised access only, no password sharing • Double-check recipient addresses and attachments before sending; misdirected email is a common cause of breaches • Do not share information with third parties without a data sharing agreement • Destroy records appropriately and securely at the end of their retention period • Be aware of your cloud usage: personal data in a cloud service is still being processed on the University's behalf

  22. Think about it… • How do you meet the requirements of these various responsibilities? • Do you know all of the personal data that you process? Can you conduct an information audit within your work area or with your team? • Are you embarking on any projects or purchasing any products that may require a DPIA? • Do you share data with any third parties, and if so, do you have appropriate agreements or contracts in place? How can you demonstrate and ensure appropriate data security?

  23. Exemptions • Crime – we can share personal data in order to aid the prevention or detection of crime or the apprehension and prosecution of offenders • Any requests from law enforcement should be handled by DP Office • Research and statistics– if you’re using personal data for research or statistical purposes, you may be exempt from access, rectification, restriction and objection rights • Exam scripts – personal data recorded by candidates during an exam are not subject to right of access or privacy notice requirements • Confidential references – personal data in references created or given by GU are not subject to right of access or privacy notice requirements • All exemptions must be determined and exercised by DP & FOI Office.

  24. Personal data breaches A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Breaches must be reported immediately to the DP & FOI Office; where a breach is likely to result in a risk to individuals' rights and freedoms, the University must notify the ICO within 72 hours of becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay. The 72 hours run from when the University becomes aware, so internal reporting cannot wait. Sanctions vary depending on the severity and extent of the breach and on the organisation's response. Maximum fines = €20 million or 4% of annual worldwide turnover, whichever is higher.

  25. Get in touch: • https://www.gla.ac.uk/myglasgow/dpfoioffice/ • Email: dp@glasgow.ac.uk • Phone: 0141 330 3111 • Social: /glasgowuniversity, @UofGlasgow
