Written and recorded by Robert Edwards, Law Hound
Welcome to this data protection training session from Data Law. My name is Robert Edwards. I'm a consultant at Law Hound. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government. I then moved on to lecturing and providing legal training.

GDPR accountability. The General Data Protection Regulation (GDPR) is designed to update the Data Protection Act 1998 (DPA). This session provides an overview of the changes which GDPR makes to accountability. I shall be using the following terms: "individual", meaning the data subject, the individual whose data is held by an organisation or data controller; "organisation", meaning either the data controller or the organisation holding the data; and "data", to mean personal data as applicable within the meaning of the Data Protection Act and GDPR.

GDPR and the accountability principle. GDPR reach. GDPR extends the reach of EU data protection law and will apply to any EU-based data controller and all processors, and to a non-EU-based data controller and all processors who will process personal data of data subjects who are in the EU in connection with goods or services offered to that resident, or who monitor the behaviour of data subjects within the EU. GDPR will not apply to certain processing activities, including those for law enforcement and national security (and member states can introduce derogations for this) or processing carried out by individuals only for their own personal or household activities. In accordance with Articles 85 to 91, certain data processing situations will be exempt, such as freedom of expression and information, or subject to additional requirements, such as for employee data.

GDPR principles. Article 5(1) of GDPR lays down the basic principles, which relate to lawfulness, fairness and transparency of data processing; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
Article 5(1) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject, meeting the principles of lawfulness, fairness and transparency. Data shall also be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes, and that meets the purpose limitation requirement. The data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation), and accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy). Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this regulation in order to safeguard the rights and freedoms of the data subject (storage limitation). And finally, data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
So, the principles of integrity and confidentiality. Article 5(2) of GDPR adds a new principle, that of accountability, and states quite clearly that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph one. We know from Article 4(7) that the data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law. This means that GDPR brings major new implications for all data controllers. To put it simply, if you or your organisation can determine the purposes and means of the processing of relevant personal data, or where the purposes and means of such processing are effectively determined by EU law, you are responsible for complying with Article 5(1) and must now be able to demonstrate your compliance with Article 5(1).

The basics of compliance. Compliance falls under privacy by design and, as the Information Commissioner's Office explains, under GDPR you have a general obligation to implement technical and organisational measures to show that you've considered and integrated data protection into your processing activities. Demonstrating compliance means proving your compliance. Many businesses will have a DPA policy but may not be able to actively prove and provide evidence of adherence, even if they do adhere in practice. For that reason, GDPR will see much more rigid processes and record keeping.

Data protection officers. Although the data controller has overall responsibility for compliance, any organisation can appoint a DPO if they require. The DPO doesn't need any special qualifications, but they should have sufficient knowledge of data protection law to perform the role.
Article 39(1) defines a DPO's role as: to inform and advise the organisation and its employees about their obligations to comply with GDPR and other data protection laws; to monitor compliance with GDPR and other data protection laws, managing internal data protection activities, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and the related audits; to provide advice where requested as regards the data protection impact assessment and monitor its performance; to cooperate with supervisory authorities; and to be the first point of contact for supervisory authorities and for individuals whose data is processed, including employees and clients. There are certain organisations which must appoint a data protection officer, including public authorities (except for courts acting in their judicial capacity), organisations which carry out large scale systematic monitoring of individuals (for example, online behaviour tracking) and organisations which carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Data protection impact assessments. DPIAs are also referred to as privacy impact assessments, or PIAs, and they're described by the ICO as a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy. They're regarded as best practice because, properly and effectively used, they should allow you to both identify risks and resolve issues at the earliest stage. The ICO produces guidance regarding DPIAs. There are certain circumstances when the ICO advises that you must carry out a DPIA: when using new technologies, or when the processing is likely to result in a high risk to the rights and freedoms of individuals.
And this ICO guidance is that this would include, but is certainly not limited to: systematic and extensive processing activities, including profiling, and where decisions have legal effects or similarly significant effects on individuals; large scale processing of special categories of data or personal data in relation to criminal convictions or offences; processing a considerable amount of personal data at regional, national or supranational level that affects a large number of individuals and involves a high risk to rights and freedoms, for example based on the sensitivity of the processing activity; and large scale systematic monitoring of public areas, such as the widespread use of CCTV, which we're very well aware of.

So, demonstrating compliance. You will need documented policies or codes of conduct and associated processes in place to prove that you meet the principles of data protection, including assessment of your obligations and practices using, as an example, DPIAs; lawful, fair and transparent processing, which would also include obtaining consent if applicable to your organisation; the collection of data; data minimisation; pseudonymisation; transparency; allowing individuals to monitor processing; creating and improving security features on an ongoing basis; data transfers outside the EU; breach notification; and dispute resolution. Policies and processes will include internal use policies and individual rights policies. For internal use, these provide the compliance background and process for everyone in an organisation, and will include an internal data protection policy, which will be reviewed and amended where necessary; HR policies, also reviewed and amended as necessary;
staff training; and internal audits of processing activities. Individual rights policies are policies and documented processes to demonstrate how you comply with your obligations to provide information to individuals and facilitate the exercise of individual rights under GDPR, including: the right to be informed, information which must be provided to individuals, including at the time that you obtain the data, for example by means of a privacy policy, or within a reasonable period of having obtained the data, within a month (this includes information provided to and for the protection of children, including mechanisms for obtaining parental consent where applicable); the right of access, how individuals access data and the relevant mechanism or system to do so; the right of rectification of personal data which is inaccurate or incomplete (where possible, you will need to include a system for informing third parties to whom you have disclosed the information and, where appropriate, for informing individuals about the third parties to whom the data has been disclosed); the right of erasure, also known as the right to be forgotten, to request the deletion or removal of personal data where there is no compelling reason for continued processing (this must also include withdrawal of consent; again, there's an obligation to tell any third party to whom the data has been disclosed so that they can take action to erase data, which would include copies or replication, or to erase links to it, unless it's impossible or involves disproportionate effort to do so; this obligation will also apply if you process data on social networks, on forums or on websites, unless an exemption applies); and the right to restrict processing, to suppress or block processing of their personal data, which means that an organisation can still store the data and retain just sufficient information about the individual to ensure that the restriction is respected in future, but not process it. Again, where the data has been disclosed to any third parties, the organisation must inform those third parties about the restriction on the processing of the personal data unless it's impossible or involves disproportionate effort to do so, and must inform the individual if the organisation decides to lift a restriction on processing. Data portability: this is a new right provided by Article 20, which means that an individual can obtain and move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, and without hindrance to usability. It means that individuals can reuse their personal data for their own purposes across different services. The right to object to processing, including processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority, direct marketing (including profiling), or for scientific or historical research and statistical purposes. Rights related to automated decision making: under Article 22(1), an individual has the right not to be subject to a decision based on automated processing which produces a legal effect or similarly significantly affects that individual.

Record keeping. Your processing activities: where an organisation has less than 250 employees, you must still keep records of activities relating to higher risk processing, and this will include processing of personal data that could result in a risk to the rights and freedoms of individuals, on a large scale, of special categories of data or criminal convictions and offences. The ICO currently recommends that your internal records of processing activities should include at least the following information: the name and details of your organisation and, where applicable, of other controllers, your representative and data protection officer;
the purposes of the processing; a description of the categories of individuals and categories of personal data; categories of recipients of personal data; details of transfers to third countries, including documentation of the transfer mechanism and safeguards that were in place; retention schedules; and a description of technical and organisational security measures. If you're asked to do so, such as when an inspection takes place, the supervisory authority (in our case, the ICO) may ask you to produce these records. If you have more than 250 employees, then there are additional records required.

Adherence to codes of conduct and certification mechanisms. As the ICO advises, GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply. This will mean mandatory monitoring by the relevant body accredited by the ICO, but you should be provided with support and a compliance framework. However, as the ICO is quick to point out, certification does not reduce your data protection responsibilities. And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session.