General Data Protection Regulations: The Key Changes
Craig Clark, Information Security & Compliance Manager
University of East London – London's Leading University for civic engagement
Topics
- What is the GDPR?
- European Law
- Key Dates for the GDPR
- Key changes from the Data Protection Act:
  - Harmonisation
  - Enforcement
  - Off Shore Processing
  - Governance
  - One Stop Shop
  - Consent
  - Transparency
  - Data Portability
  - Data Processors
- Next Steps
What is the GDPR?
- A complete overhaul of data protection regulation, with an extensively widened definition of what counts as identifiable (personal) information
- Applies across all member states of the European Union
- Applies to all organisations processing the personal data of EU data subjects, wherever the organisation is geographically based
- Specific and significant rights for data subjects: the right to seek compensation, the right to erasure and the right to accurate representation of their data
- Compensation can be sought against organisations and against individuals employed by them
- Fines of up to €20,000,000 or 4% of global annual turnover, whichever is greater
- The amount of a fine can be significantly reduced where the organisation can show that it had implemented appropriate technical and organisational controls
European Law Landscape
EU legislation can be separated into two main branches:

Directives
- Require individual implementation in each Member State (each State can implement the rules in its own way)
- Implemented by the creation of national laws approved by the parliament of each Member State
- Set out a goal that a Member State must achieve, leaving room for tailoring
- European Directive 95/46/EC is a Directive; the UK implemented it as the Data Protection Act 1998

Regulations
- Immediately applicable in each Member State in a uniform manner
- A binding legislative act
- Require no local implementing legislation, so there is no tailoring
- Not negotiable by Member States
- The EU GDPR is a Regulation
- A Regulation may reach organisations outside the EU where it protects data subjects in the EU: the GDPR applies to the processing of personal data of individuals who are in the Union, regardless of where the organisation processing it is established
Key Dates for GDPR
- 8 April 2016: the Council of the European Union adopted the Regulation
- 14 April 2016: the Regulation was adopted by the European Parliament
- 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU in all the official languages
- 24 May 2016: the Regulation entered into force
- 25 May 2018: the Regulation applies, and from this date it is enforceable
- "This Regulation shall be binding in its entirety and directly applicable in all Member States."
GDPR Structure
[Diagram: the parties under the GDPR - European Data Protection Board; Lead Supervisory Authority (in the UK, the Information Commissioner's Office); Data Controller (the organisation); Data Processor; Data Subject (individuals); 3rd Parties; 3rd Countries]

- The European Data Protection Board will issue guidance for controllers and processors
- The Board will facilitate the use of Data Protection Impact Assessments
- The ICO will oversee both Data Controllers and Data Processors
- Breach notifications will be made to the ICO
- 3rd Countries are countries outside the EU to which personal data is transferred
- At the centre of the GDPR is the protection of personal data (any information relating to an identified or identifiable individual)
Key Changes Between DPA and GDPR

Harmonisation Across Member States:
- Adoption of a single set of rules on data protection, directly applicable in all EU Member States
- Even if the UK leaves the EU, the GDPR will still apply to the processing of the personal data of EU data subjects
- Each Member State has previously implemented data protection laws locally which transpose the EU Data Protection Directive, leading to fragmentation in compliance requirements across Member States
- The GDPR is intended to adopt a harmonised approach to compliance across all Member States by implementing legislation that is directly applicable in all 28 Member States. There will be no opportunity for local transposition.
Key Changes Between DPA and GDPR

Enforcement:
- A revised enforcement regime underpinned by the power of supervisory authorities to levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organisation or €20 million, whichever is greater
- Fines are designed to be effective, proportionate and dissuasive, and to ensure that non-compliance is treated as a significant risk for businesses
- Supervisory authorities will have the power to impose these sanctions from the territory where the data subject habitually resides or from the territory in which the breach occurs
- These changes significantly increase the risk associated with privacy non-compliance
Key Changes Between DPA and GDPR

Off Shore Processing:
- The GDPR applies to companies established outside the EU if they target individuals in the EU (e.g. international students)
- The new rules have a broader territorial scope: they apply to non-EU established companies targeting the EU market, either by offering their goods or services to individuals in the EU or by monitoring their behaviour
- Currently, EU data protection legislation only applies to non-EU established controllers if they make use of equipment on EU territory for the purposes of processing personal data, and to processing taking place in the EU
Key Changes Between DPA and GDPR

Governance (an area of major change):
- Increased responsibility and accountability on organisations to manage how they control and process personal data
- Controllers must ensure all personal data is processed in compliance with the Regulation and be able to demonstrate that compliance to a supervisory authority if requested
- There is now a requirement to keep extensive and detailed records of processing operations
- Organisations must perform Data Protection Impact Assessments (DPIAs) for all high-risk processing activities
- A Data Protection Officer must be formally appointed and recognised where the Regulation requires it (which includes public authorities such as universities), with a number of stipulations added to ensure the DPO's independence and impartiality
Key Changes Between DPA and GDPR

Governance Continued:
- Breach notification: controllers will be required to notify the Information Commissioner's Office of personal data breaches within 72 hours of becoming aware of them, and in some cases (where the breach is likely to result in a high risk to individuals) to notify the affected data subjects as well, without undue delay
- Privacy by design: taking privacy risk into account throughout the process of designing a new product or service, rather than treating it as an afterthought. Organisations are now required to assess and implement appropriate technical and organisational measures and procedures from the outset, to ensure that processing complies with the Regulation and protects the rights of data subjects
- Privacy by default: ensuring that, by default, only as much personal data as is necessary for each processing task is collected, used and retained, both in terms of the amount of data collected and the time for which it is kept
Key Changes Between DPA and GDPR

One Stop Shop:
- Where an organisation has multiple points of presence across the EU, it can nominate a single national data protection authority as the lead regulator for all of its compliance issues in the EU
Key Changes Between DPA and GDPR

Consent (an area of major change):
- The DPA allows a controller to lawfully process data with the "consent" of the data subject. Consent can be either express or implied, or the processing can instead rely on the "legitimate interests" of the controller in circumstances that do not cause undue prejudice to the individual
- The GDPR redefines consent. Consent must now be freely given, specific, informed and unambiguous. Implied consent (e.g. simply staying on a website, or not responding to a request) will not be sufficient
Key Changes Between DPA and GDPR

Consent Continued:
- Requiring consent from an end user in order to give that person access to a service, where the personal data are not necessary to perform the contract, will no longer be allowed
- Controllers will be expected to give much more consideration in their working practices to what the data subject would like and expect their data to be used for
- Consent can be withdrawn at any time, and it must be as easy to withdraw consent as it is to give it
- The data subject must give consent for specific purposes; blanket consent is no longer allowed. This has significant implications for information sharing, processing and retention
- Controllers must be able to supply evidence that consent was given for each specific purpose
- Subject access requests must be answered within one month, and in most cases no charge can be applied
Key Changes Between DPA and GDPR

Transparency:
- Any communication with a data subject must be concise, transparent and intelligible
- The controller must be transparent in providing information about itself and about the purposes of the processing
- The controller must provide the data subject with information about their rights
- Policies must explain to data subjects how their personal data will be processed, what their individual rights are and how those rights may be exercised
- This must be provided in an intelligible form, using clear and plain language that will be understood by the target audience
Key Changes Between DPA and GDPR

Data Portability:
- The Regulation introduces a new right to data portability, which grants data subjects the right to receive the personal data concerning them that they have provided to a controller, in a structured, commonly used and machine-readable format
- The data subject is also entitled to have the data transmitted directly from one controller to another, where this is technically feasible
- A statutory "right to be forgotten" has been included, which allows individuals to require a controller to delete the data relating to them if there are no legitimate grounds for retaining it, including where the subject has withdrawn consent
Key Changes Between DPA and GDPR

Data Processors:
- The GDPR directly regulates Data Processors
- Processors will be required to comply with a number of specific obligations, including maintaining adequate documentation of their processing, implementing appropriate security measures, assisting controllers with data protection impact assessments, appointing a data protection officer where required, complying with the rules on international data transfers, and cooperating with national supervisory authorities
- Processors will be liable to sanctions at the same level as controllers if they fail to meet these obligations
- Information sharing and data processing agreements will help ensure that controllers give clear, documented instructions to processors on how they expect and require their data to be handled
Next Steps
- Meet with top management and form a Working Group to ensure compliance with the GDPR before it becomes enforceable
- Follow the ICO's 12-step guidance ("Preparing for the GDPR: 12 steps to take now") for actions to take prior to its introduction
- Obtain specialist knowledge in the implementation of the changes required and in ongoing compliance with the GDPR
- IBITGQ offers Foundation and Practitioner certifications in the EU GDPR; in my view these certifications are essential for Information Security managers so that they can provide the skills and advice required to ensure compliance