data protection
DESCRIPTION
TRANSCRIPT
Data Protection Regulations
James Davies and Steve Lorber
23 April 2013
Crystal ball
Cheap data
• Statistics/visual imagery about how workplace has changed over last 15 years re collection and use of data
Data Protection – a brief historyLate 1960s First electronic messaging
1969 First email
The UK in October 1969
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1984 First Data Protection legislation
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1998 Data Protection Act
1998 Act – key principles
What has this meant over last 15 years?
• Data subject requests
• Data protection policies - consent
• Transfer overseas especially to US
• “Light touch” enforcement
• Globalisation and other less light touch data protection laws
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1998 Data Protection Act
2005 Employment Practices Code
Who is this?
Christopher Graham, Information Commissioner
2005 ICO employment practices code
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1998 Data Protection Act
2005 Employment Practices Code
2007 ICO Personal Data guidance
2007 ICO Personal Data Guidance
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1998 Data Protection Act
2005 Employment Practices Code
2010 Sanctions increase to £500k
2007 ICO Personal Data guidance
2010 Increase sanction to £500k
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1998 Data Protection Act
2005 Employment Practices Code
2010 Sanctions increase to £500k
2013 ICO BYOD guidance
2007 ICO Personal Data guidance
2013 ICO BYOD guidance
Data Protection – a brief historyLate 1960s First electronic messaging 1984 Original Data Protection
law (minimal impact)
1998 Data Protection Act
TODAY Proposed General Data Protection Regulation
2005 Employment Practices Code
2010 Sanctions increase to £500k
2013 ICO BYOD guidance
2007 ICO Personal Data guidance
TODAY Draft Regulation
Data Protection Regulation – introduction
• What’s the problem?
• Commission solution
• Strategy
• Particular measures proposed
• Practical implications for now?
Data protection – the need for change
• Change in nature and extent of processing
• GlobalisationDifferent rules in different statesCloud
• Employment contextvolumefree-form data
Commission solution – a Data Protection Regulation
• What is a regulation?
• Aimone-stop shopgreater legal certainty - and consistency
throughout EUreduction of administrative burdenstrengthened data subject rightsefficiency of supervision and enforcement
• And “it will save money” – not just red tape
Strategy proposed
• Strategysimilar to current rules....but morestricter data protection principlesmore specific and granular obligations more extensive individual rights...right to be forgotten...
Backed up by tougher enforcement – fines of 2% of global turnover
Policy, process...and documentation (1)
• Internal documentationadopt policies implement measures to ensure
compliance with policiesbe able to demonstrate complianceif appropriate establish an audit
Policy, process...and documentation (2)
• Documentation for data subjectsExtensive information including
> purposes of processing
> if justified by "legitimate interests" ...what those interests are
> data subject rights and how to complain
> who gets to see it ....recipients
> If data does not come from data subject, who the source is
Policy, process...and documentation (3)
• Very granular..... underscored by new data protection principle
for each processing operation, controller must ensure and demonstrate compliance
• Lots of paper .....but does it protect privacy?
Right to be forgotten
• Right to have personal data erased if
no longer necessary in relation to purposes for which collected
consent withdrawnexpiry of retention period processing is non-
compliant
Right to be forgotten
• If personal data has been made public, controller shall take all reasonable steps to tell third parties
• Controller may restrictwhere issue over accuracy data needed for purposes
of proof (evidence of business operations)
Data security (1)
• Controller and processor mustdo risk assessmentimplement technical and organisations measures to ensure
security
• "Personal data breach" means breach of security .... leading to accidental or unlawful
destruction, loss or alterationunauthorised disclosure
Data security (2)
• Duty to notify
• Duty to document breaches
• If breach is likely to affect privacy of data subjects, controller must tell data subject of breach and what it is doing
Data protection by design
• "Data protection by design" ...if developing business in ways that impinge on personal data (e.g. a new HR system)
implement to ensure compliance (having regard to cost and technology)
ensure that by default system
> only processes data necessary for purpose
> does not collect too much
> does not store too long
> controls
Data protection officer
• Controller and processor must establish a DPO if 250 employees or more
• What are the roles/functions of a DPO?
Data protection officer
• Controller and processor must establish a DPO if 250 employees or more
• What are the roles/functions of a DPO?
Data protection officer
Monitoring data protection breaches
Contact point for supervisory authority
Informing controller and processor of obligations under DPR (and documenting)
Monitoring implementation of policies (including audit and training)
Ensuring documentation is maintained
Monitoring protection by design and security
Monitoring data protection impact assessment
Remedies and sanctions
• Up to 2% of turnover
• Enforcement by "main establishment" regulatorIn EU - where purposes of processing determined or, if not,
where main processing takes placeIf not established in EU, must appoint a "representative"
Special rules on employment
• Regulation allows members states to adopt special rules for employment....but upwards only
Extra conditions for processingRegulatory consent?Works Council approval?
• Defeats "one-stop" shop?
What to do now?
• Proposals will change............
• Share your thoughts with MoJ?
• Processing operations identify and recordconsider how you comply
• Establish extent to which you use "consent" to justify processing...and find other ways
Thank you