KEMBAR78
Building a register of data processing | PPT
TG
Uploaded byTim Gough
PPT, PDF6,359 views

Building a register of data processing

The document outlines the requirements for building a register of data processing activities under the General Data Protection Regulation (GDPR), detailing key concepts such as personal data, lawful processing, and data controllers versus data processors. It emphasizes the necessity of maintaining accurate records, understanding retention periods, and ensuring compliance with privacy notice requirements. Completion of this register is crucial for GDPR compliance and assists organizations in managing their data processing activities responsibly.

Downloaded 136 times
Building a register of data processing activities
Workshop overview • Key requirements of the General Data Protection Regulation • What is personal data? • What personal data do you collect? • Why we are here today – to compile a record of data processing activities • What is lawful processing? • What are legitimate interests? • What is consent? • Mix and match exercise • What is a data processor? • What is a data controller? • Controller or processor? • How long should you keep data? • Privacy notices • Recording processing activities • Summary
What is data protection? Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations re security. The current UK law is the Data Protection Act 1998. What is the General Data Protection Regulation? -A new EU Regulation that governs the processing of personal data -It is an evolution of existing laws -It introduces a number of administrative burdens and documentation requirements – such as records of processing, and in high risk situations, data protection impact assessments -The rights of individuals in relation to their data have been enhanced -Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data -Organisations must be in compliance by 25 May 2018 -In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
What is personal data? Personal data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Special categories of personal data (AKA sensitive personal data) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
What personal data do you collect? Personal data Special categories of personal data (AKA sensitive personal data)
Register of data processing activities The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators. Controls 1.A register must be maintained that includes the following information: the name and contact details of the controller, the controller's representative (where entity is non-EU) and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures applied to the data.
Record processing at activity level What processing activities do you do? Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities) Recruitment: how people apply for jobs online, by email. Reference checking. Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances. Workplace: CCTV, reporting an accident, issuing a security card Communications: signing up for newsletters and other marketing communications Activity: What other processing activities do you do?
What information should you record? •Department; •Process owner; •Step by step process flow – from collection to disposal; •Categories of data collected (e.g. bank account data, NI number, home address, email); •Data subjects (e.g job applicants, contacts, employees, customers); •Link to the applicable privacy notice •Lawful grounds for processing (and this process will involve close scrutiny of these) of personal data and special categories of personal data; •Where data is stored and accessed from (taking into account data processors, data centre location) •Where there is an ex-EEA* transfer, what is the legal mechanism for this; •Suggested retention period if not already agreed; •Whether there is a statutory retention period (and if so, what is the law/regulation) •Who has access to the data; •Are there any data processors involved in the process (and who they are); •Is any data being shared with data controllers? •Has infosec due diligence been conducted on data processors involved?; •Check of the contract clauses to see if they meet Article 28 (Processor) requirements; •Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training) Items in red will need to be confirmed by your data protection officer or other. * European Economic Area – EU plus Norway, Iceland and Liechteinstein.
What are lawful grounds for processing? Any activity involving personal data should have a lawful grounds for processing. The grounds available to chose from for a commercial organisation: -You have the individual’s consent to use their personal data in this way -It is strictly necessary for the performance of a contract with the individual -It is strictly necessary to fulfil a legal obligation -It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual -It is for the vital interests of the individual (life and death). There are additional grounds that need to be met for the lawful processing of special categories of data. Let’s have a closer look at consent….
Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Now let’s look at legitimate interests
What are your legitimate interests? Sounds like a way to make anything lawful? NO! Your organisation has to demonstrate compelling legitimate grounds for the processing which overrides the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations and so on. Examples where legitimate interests might be considered: Limited use of CCTV for security purposes Limited analysis of data for marketing purposes Fraud prevention NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice. Now let’s ‘Mix and Match’
Mix and Match: fair processing conditions (use some relevant processing activities and ask delegates which grounds they would use)
What is a data processor? You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it. When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g outsourcing payroll, email marketing management. Requirements -You must have a process to assess that the processor has the ability to protect data accordingly; -You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included; -By May 2018 all contracts will need to be reviewed and amended according. In building the register we are identifying where data processors exist (and where they store our personal data) and so we can see where remediation might be required.
What is a data controller? A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness. Examples: •HMRC •Courts •Other group entities (depending on the purposes for data sharing) •Other corporates for their own marketing purposes Actions In the record keeping activity process we are identifying where data controllers exist and so we can check that the sharing is lawful.
Processor or Controller? (using examples that are relevant to your organization, ask delegates whether they would be acting as a data controller or a data processor)
How long should I keep data? GDPR Article 5.1a: (Personal data must be) be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.. Considerations? •Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period? •In the absence of a statutory requirement, how long do you need the personal data? •What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What is your grounds for processing and does this influence the retention period? •Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymization).
Privacy Notice requirements in GDPR Ideally provided at the time you collect personal data, a privacy notice explains: -The identity and contact details of the controller -Contact details for the data protection office(r) -The purposes of the processing for which the personal data are intended as well as the legal basis for the processing -Recipients and categories of recipients -Intention to transfer personal data to a recipient in a ‘third country’ -The period personal data will be stored for -Awareness of all of their rights and how they can be exercised -Where processing is consent based, the existence of the right to withdraw consent at any time -The right to complain to the supervisory authority (in the UK being the ICO) -Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and consequences if fail to provide
How else are we using the information that we will collect? Record retention: the process enables us to decide how long we will retain personal data – this is critical because the GDPR will require retention periods to be disclosed in privacy notices and if someone makes a request to access their data the retention period would also be disclosed. Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice. Consent: We can assess whether consent is being used appropriately, and if we are reliant upon consent that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn. International transfers: We need to know exactly where data is located and where it can be accessed from as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers. Now let’s try to fill in a form……. (provide a template for people to fill in)
Summary • Completing a register of data processing activities is a critical first step in compliance with the GDPR. • It provides us with information on lawful processing, involvement of data processors/third parties, make us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data. • It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken, and the register updated. A data protection impact assessment may also be required if the project is high risk.

More Related Content

PDF
Di lặc cứu khổ chân kinh chú giải
byHoàng Lý Quốc
 
PDF
Beautiful Place Essay
byCustom Paper Writing Service
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
byHarrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
byHarrison Clark Rickerbys
 
PDF
Protection des données et de la vie privée : nouvelles obligations pour les e...
byForums financiers de Wallonie
 
PPTX
Gdpr powerpoint 15.01.18
byJon Rathbone
 
Di lặc cứu khổ chân kinh chú giải
byHoàng Lý Quốc
 
Beautiful Place Essay
byCustom Paper Writing Service
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
byHarrison Clark Rickerbys
 
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
byHarrison Clark Rickerbys
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
byForums financiers de Wallonie
 
Gdpr powerpoint 15.01.18
byJon Rathbone
 

Similar to Building a register of data processing

PPTX
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
byBrightPay Payroll and Auto Enrolment Software
 
PDF
mHealth Israel_EU General Data Protection Regulation_Simon Marks
byLevi Shapiro
 
PDF
Public sector breakfast club, October 2016, Exeter
byBrowne Jacobson LLP
 
PDF
Public sector breakfast club - October 2017, Exeter
byBrowne Jacobson LLP
 
PDF
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
PDF
Browne Jacobson - Administrative and public law - October 2017
byBrowne Jacobson LLP
 
PDF
Gdpr for business full
byFionnuala Hendrick
 
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
bydan hyde
 
PPTX
How GDPR will change Personal Data Control and Affect Everyone
byThomas Goubau
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PPTX
General Data Protection Regulation or GDPR
byNupur Samaddar
 
PDF
GDPR webinar for business leaders
byDeeson
 
PPTX
Get you and your business GDPR ready
byHarrison Clark Rickerbys
 
PDF
Data Protection and IDEA
byAuditWare Systems Ltd.
 
PPTX
GDPRpresentationFeb-Apr2018.pptx
bypixvilx
 
PPTX
ABM Display Advertising Success in the World of GDPR [PPT]
byKwanzoo Inc
 
PDF
GDPR for public sector DPO's seminar, April 2018, Manchester
byBrowne Jacobson LLP
 
PPTX
DCH Data Protection Training Presentation
byMark Gracey
 
PDF
GDPR: how IT works
byMorris Dorfer
 
PDF
The Essential Guide to GDPR
byTim Hyman LLB
 
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
byBrightPay Payroll and Auto Enrolment Software
 
mHealth Israel_EU General Data Protection Regulation_Simon Marks
byLevi Shapiro
 
Public sector breakfast club, October 2016, Exeter
byBrowne Jacobson LLP
 
Public sector breakfast club - October 2017, Exeter
byBrowne Jacobson LLP
 
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
Browne Jacobson - Administrative and public law - October 2017
byBrowne Jacobson LLP
 
Gdpr for business full
byFionnuala Hendrick
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
bydan hyde
 
How GDPR will change Personal Data Control and Affect Everyone
byThomas Goubau
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
General Data Protection Regulation or GDPR
byNupur Samaddar
 
GDPR webinar for business leaders
byDeeson
 
Get you and your business GDPR ready
byHarrison Clark Rickerbys
 
Data Protection and IDEA
byAuditWare Systems Ltd.
 
GDPRpresentationFeb-Apr2018.pptx
bypixvilx
 
ABM Display Advertising Success in the World of GDPR [PPT]
byKwanzoo Inc
 
GDPR for public sector DPO's seminar, April 2018, Manchester
byBrowne Jacobson LLP
 
DCH Data Protection Training Presentation
byMark Gracey
 
GDPR: how IT works
byMorris Dorfer
 
The Essential Guide to GDPR
byTim Hyman LLB
 

Recently uploaded

PDF
Complaint for Negligence, Breach of Duty, Emotional Distress, and Public Enda...
bycesarpublishingcompa
 
PDF
Legal Strategics for Startup Success Securities Laws 10.15.pdf
byRoger Royse
 
PDF
AHRP LB - Waste-to-Energy Processing Based on Environmentally Friendly Techno...
byAHRP Law Firm
 
DOCX
HANOI 18th OCTOBER - SOFITEL METROPOLE LEGEND - WORKING DINNER - BOARD OF MAN...
byDr. Oliver Massmann
 
PDF
Criminal Profiling & Financial Profiling
byAshwini Singh
 
PDF
Korea's Isomorphic Platform Regulation Pushes (ASCOLA Asia Oct 2025)
bySangyun Lee
 
PDF
AHRP LB - Adjusting to Global & Domestic Landscape National Energy Policy thr...
byAHRP Law Firm
 
PDF
University Malaya ISLAMIC LAW lecture notes.pdf
byAnneMarieDawson4
 
PDF
Ricardo Pellerano Paradas Justice by Force
byJoseDavidRodriguez14
 
PDF
ACFrOgBesbXEk39ubTesfqVn9PaczvZaTf5g-VRHBY28QqkhN29-FXt3KzZdCDlX2KH3PHNTU-hZC...
bysabranghindi
 
PPTX
OGUTU POWER POINT on politics and economics .pptx
bykianjogu2021
 
PPTX
fiduciary concept for the law students.pptx
bymumbasammy15
 
PDF
Brazils Legal Culture_ The Jeito Revisited.pdf
byMariaChristinaMendes
 
PPTX
美国纽约州立大学宾汉姆顿分校毕业证书文凭SUNY-Binghamton成绩单学历认证
by德国卡尔斯鲁厄音乐学院学历认证【Q微号:1954 292 140】HfM毕业证成绩单
 
PPTX
原版一样(Oxon毕业证书)英国牛津大学毕业证哪里购买成绩单在读证明真实学历认证
by西澳大利亚大学学历认证【Q微号:1954 292 140】办理学位证(UWA毕业证成绩单)
 
PDF
The Promotion of Access to Information Act 2 of 2000
byAshwini Singh
 
PPTX
Election Commission of India. Election commission of India
bysonusharma9124
 
PPT
Fem waves and fem in pak new updated.pppt
byFatima499186
 
PPTX
Search and Seizures.pptx Remedial Law in the Phils
bylfcaiban1
 
PDF
Understanding The H-1B Visa Process: A Complete Guide for First-Time Applicants
byLaw office of Abhisha Parikh
 
Complaint for Negligence, Breach of Duty, Emotional Distress, and Public Enda...
bycesarpublishingcompa
 
Legal Strategics for Startup Success Securities Laws 10.15.pdf
byRoger Royse
 
AHRP LB - Waste-to-Energy Processing Based on Environmentally Friendly Techno...
byAHRP Law Firm
 
HANOI 18th OCTOBER - SOFITEL METROPOLE LEGEND - WORKING DINNER - BOARD OF MAN...
byDr. Oliver Massmann
 
Criminal Profiling & Financial Profiling
byAshwini Singh
 
Korea's Isomorphic Platform Regulation Pushes (ASCOLA Asia Oct 2025)
bySangyun Lee
 
AHRP LB - Adjusting to Global & Domestic Landscape National Energy Policy thr...
byAHRP Law Firm
 
University Malaya ISLAMIC LAW lecture notes.pdf
byAnneMarieDawson4
 
Ricardo Pellerano Paradas Justice by Force
byJoseDavidRodriguez14
 
ACFrOgBesbXEk39ubTesfqVn9PaczvZaTf5g-VRHBY28QqkhN29-FXt3KzZdCDlX2KH3PHNTU-hZC...
bysabranghindi
 
OGUTU POWER POINT on politics and economics .pptx
bykianjogu2021
 
fiduciary concept for the law students.pptx
bymumbasammy15
 
Brazils Legal Culture_ The Jeito Revisited.pdf
byMariaChristinaMendes
 
美国纽约州立大学宾汉姆顿分校毕业证书文凭SUNY-Binghamton成绩单学历认证
by德国卡尔斯鲁厄音乐学院学历认证【Q微号:1954 292 140】HfM毕业证成绩单
 
原版一样(Oxon毕业证书)英国牛津大学毕业证哪里购买成绩单在读证明真实学历认证
by西澳大利亚大学学历认证【Q微号:1954 292 140】办理学位证(UWA毕业证成绩单)
 
The Promotion of Access to Information Act 2 of 2000
byAshwini Singh
 
Election Commission of India. Election commission of India
bysonusharma9124
 
Fem waves and fem in pak new updated.pppt
byFatima499186
 
Search and Seizures.pptx Remedial Law in the Phils
bylfcaiban1
 
Understanding The H-1B Visa Process: A Complete Guide for First-Time Applicants
byLaw office of Abhisha Parikh
 

Building a register of data processing

  • 1.
    Building a registerof data processing activities
  • 2.
    Workshop overview • Keyrequirements of the General Data Protection Regulation • What is personal data? • What personal data do you collect? • Why we are here today – to compile a record of data processing activities • What is lawful processing? • What are legitimate interests? • What is consent? • Mix and match exercise • What is a data processor? • What is a data controller? • Controller or processor? • How long should you keep data? • Privacy notices • Recording processing activities • Summary
  • 3.
    What is dataprotection? Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’). It addresses lawfulness of processing, rights of individuals (‘data subjects’), and expectations re security. The current UK law is the Data Protection Act 1998. What is the General Data Protection Regulation? -A new EU Regulation that governs the processing of personal data -It is an evolution of existing laws -It introduces a number of administrative burdens and documentation requirements – such as records of processing, and in high risk situations, data protection impact assessments -The rights of individuals in relation to their data have been enhanced -Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data -Organisations must be in compliance by 25 May 2018 -In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)
  • 4.
    What is personaldata? Personal data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Special categories of personal data (AKA sensitive personal data) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
  • 5.
    What personal datado you collect? Personal data Special categories of personal data (AKA sensitive personal data)
  • 6.
    Register of dataprocessing activities The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators. Controls 1.A register must be maintained that includes the following information: the name and contact details of the controller, the controller's representative (where entity is non-EU) and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures applied to the data.
  • 7.
    Record processing atactivity level What processing activities do you do? Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities) Recruitment: how people apply for jobs online, by email. Reference checking. Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances. Workplace: CCTV, reporting an accident, issuing a security card Communications: signing up for newsletters and other marketing communications Activity: What other processing activities do you do?
  • 8.
    What information shouldyou record? •Department; •Process owner; •Step by step process flow – from collection to disposal; •Categories of data collected (e.g. bank account data, NI number, home address, email); •Data subjects (e.g job applicants, contacts, employees, customers); •Link to the applicable privacy notice •Lawful grounds for processing (and this process will involve close scrutiny of these) of personal data and special categories of personal data; •Where data is stored and accessed from (taking into account data processors, data centre location) •Where there is an ex-EEA* transfer, what is the legal mechanism for this; •Suggested retention period if not already agreed; •Whether there is a statutory retention period (and if so, what is the law/regulation) •Who has access to the data; •Are there any data processors involved in the process (and who they are); •Is any data being shared with data controllers? •Has infosec due diligence been conducted on data processors involved?; •Check of the contract clauses to see if they meet Article 28 (Processor) requirements; •Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training) Items in red will need to be confirmed by your data protection officer or other. * European Economic Area – EU plus Norway, Iceland and Liechteinstein.
  • 9.
    What are lawfulgrounds for processing? Any activity involving personal data should have a lawful grounds for processing. The grounds available to chose from for a commercial organisation: -You have the individual’s consent to use their personal data in this way -It is strictly necessary for the performance of a contract with the individual -It is strictly necessary to fulfil a legal obligation -It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual -It is for the vital interests of the individual (life and death). There are additional grounds that need to be met for the lawful processing of special categories of data. Let’s have a closer look at consent….
  • 10.
    Conditions for consent 1.Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Now let’s look at legitimate interests
  • 11.
    What are yourlegitimate interests? Sounds like a way to make anything lawful? NO! Your organisation has to demonstrate compelling legitimate grounds for the processing which overrides the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations and so on. Examples where legitimate interests might be considered: Limited use of CCTV for security purposes Limited analysis of data for marketing purposes Fraud prevention NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice. Now let’s ‘Mix and Match’
  • 12.
    Mix and Match:fair processing conditions (use some relevant processing activities and ask delegates which grounds they would use)
  • 13.
    What is adata processor? You are a ‘data controller’ for the personal data you collect when you decide how data will be processed. You are legally responsible for it. When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose. E.g outsourcing payroll, email marketing management. Requirements -You must have a process to assess that the processor has the ability to protect data accordingly; -You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included; -By May 2018 all contracts will need to be reviewed and amended according. In building the register we are identifying where data processors exist (and where they store our personal data) and so we can see where remediation might be required.
  • 14.
    What is adata controller? A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness. Examples: •HMRC •Courts •Other group entities (depending on the purposes for data sharing) •Other corporates for their own marketing purposes Actions In the record keeping activity process we are identifying where data controllers exist and so we can check that the sharing is lawful.
  • 15.
    Processor or Controller? (usingexamples that are relevant to your organization, ask delegates whether they would be acting as a data controller or a data processor)
  • 16.
    How long shouldI keep data? GDPR Article 5.1a: (Personal data must be) be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.. Considerations? •Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period? •In the absence of a statutory requirement, how long do you need the personal data? •What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What is your grounds for processing and does this influence the retention period? •Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymization).
  • 17.
    Privacy Notice requirementsin GDPR Ideally provided at the time you collect personal data, a privacy notice explains: -The identity and contact details of the controller -Contact details for the data protection office(r) -The purposes of the processing for which the personal data are intended as well as the legal basis for the processing -Recipients and categories of recipients -Intention to transfer personal data to a recipient in a ‘third country’ -The period personal data will be stored for -Awareness of all of their rights and how they can be exercised -Where processing is consent based, the existence of the right to withdraw consent at any time -The right to complain to the supervisory authority (in the UK being the ICO) -Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and consequences if fail to provide
  • 18.
    How else arewe using the information that we will collect? Record retention: the process enables us to decide how long we will retain personal data – this is critical because the GDPR will require retention periods to be disclosed in privacy notices and if someone makes a request to access their data the retention period would also be disclosed. Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice. Consent: We can assess whether consent is being used appropriately, and if we are reliant upon consent that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn. International transfers: We need to know exactly where data is located and where it can be accessed from as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers. Now let’s try to fill in a form……. (provide a template for people to fill in)
  • 19.
    Summary • Completing aregister of data processing activities is a critical first step in compliance with the GDPR. • It provides us with information on lawful processing, involvement of data processors/third parties, make us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data. • It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken, and the register updated. A data protection impact assessment may also be required if the project is high risk.