GDPR

GDPR: new regulations giving individuals control over their personal data.

DPD: The police and criminal justice sectors will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action.

The best bits...

  1. One set of rules across Europe. Organisations outside the EU are subject to the regulation just by collecting data on an EU resident.
  2. Personal data is any information relating to a person who can be identified, directly or indirectly. Covers name, ID number, location data, online identifiers (IP address, cookies, email etc) or identifying factors such as physical, mental, cultural etc.
  3. Work based data about people is personal data.
  4. Controllers only to use processors with 'sufficient guarantees'.
  5. Controllers and processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.”
  6. Recommended security:
    1. Encryption / obfuscation
    2. Ensure confidentiality
    3. Ability to restore access to data
    4. Regular testing & evaluation
  7. Must have contracts that mandate privacy obligations.
  8. There are big fines for getting this wrong... (Greater of £17m or 4% of revenue)
  9. You might need a Data Protection Officer
    1. A legal expert
    2. Update everyone on obligations
    3. Monitor compliance, run audits
    4. Data protection impact assessments when required under Article 33
    5. Work with the EU authority when required
    6. Being available for inquiries from data subjects: withdrawal of consent, the right to be forgotten, etc.
    7. Can demand resources to get the job done.
    8. Direct reporting to "the highest level".
    9. Can't be fired for doing their job
    10. Can be outsourced
  10. Need a "Risk-Based Approach" to privacy - focus on protecting personal data
  11. Privacy assessments when needed
  12. Privacy by Design
  13. Need pseudonymisation if you want to do big-data style processing.
  14. Improve record-keeping (especially if over 250 employees)
  15. Consent is required to be legal: “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”
  16. Data can only be “collected for specified, explicit and legitimate purposes”
  17. Has to be obvious what it's for at the point of collection - need to be able to show how consent was gained.
  18. When someone gives consent they need to be clearly told:
    1. the identity and the contact details of the controller and DPO
    2. the purposes of the processing for which the personal data are intended
    3. the legal basis of the processing.
    4. where applicable the legitimate interests pursued by the controller or by a third party;
    5. where applicable, the recipients or categories of recipients of the personal data;
    6. where applicable, that the controller intends to transfer personal data internationally
    7. the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
    8. the existence of the right to access, rectify or erase the personal data;
    9. the right to data portability;
    10. the right to withdraw consent at any time;
    11. and the right to lodge a complaint to a supervisory authority;
  19. If the data comes from a third party, you also need to tell them:
    1. From which source the personal data originate.
    2. The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  20. Potentially only need to inform the user once.
  21. Profiling: “to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
  22. Profiling may require explicit consent
  23. Individuals can opt out of profiling.
  24. Direct marketing is a legitimate reason to have personal data.
  25. You need to be able to demonstrate legitimate 'interest'
  26. Breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
  27. Wilful destruction or alteration of data is as much a breach as theft.
  28. In the event of a personal data breach data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
  29. Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals,”
  30. Importantly, when a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation.
  31. Should the controller determine that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 32, this must be done “without undue delay.”
  32. Don't have to notify subjects if:
    1. The data has been rendered unintelligible to any unauthorised person
    2. You take actions to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialise.
    3. When notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.
  33. People can make Data Subject Access Requests
  34. Information on how personal data is processed should be available in a clear and understandable way.
  35. Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  36. Must be executed “without undue delay and at the latest within one month of receipt of the request.”
  37. If customer data is processed automatically there is now "The Right to Data Portability": format TBC
  38. Tell people how long you will keep their data
  39. Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
  40. There is a “downstream” responsibility for controllers to take “reasonable steps” to notify processors and other downstream data recipients of such requests.

Now you've got all that... ePrivacy, ePrivacy2, PECR2 and ePR might change everything, due on the same date, although possibly August 2018.