Data Protection Regulations – James Davies and Steve Lorber, 23 April 2013

Upload: lewis-silkin-llp

Post on 29-Nov-2014


Page 1: Data protection

Data Protection Regulations

James Davies and Steve Lorber

23 April 2013

Page 2: Data protection

Crystal ball

Page 3: Data protection

Cheap data

• Statistics/visual imagery about how workplace has changed over last 15 years re collection and use of data

Page 4: Data protection

Data Protection – a brief history

Late 1960s First electronic messaging

Page 5: Data protection

1969 First email

Page 6: Data protection

The UK in October 1969


Page 8: Data protection

1984 First Data Protection legislation


Page 10: Data protection

1998 Act – key principles

Page 11: Data protection

What has this meant over last 15 years?

• Data subject requests

• Data protection policies - consent

• Transfer overseas especially to US

• “Light touch” enforcement

• Globalisation and other less light touch data protection laws


Page 13: Data protection

Who is this?

Christopher Graham, Information Commissioner

Page 14: Data protection

2005 ICO employment practices code


Page 16: Data protection

2007 ICO Personal Data Guidance


Page 18: Data protection

2010 Increase sanction to £500k


Page 20: Data protection

2013 ICO BYOD guidance

Page 21: Data protection

Data Protection – a brief history

Late 1960s First electronic messaging

1984 Original Data Protection law (minimal impact)

1998 Data Protection Act

2005 Employment Practices Code

2007 ICO Personal Data guidance

2010 Sanctions increase to £500k

2013 ICO BYOD guidance

TODAY Proposed General Data Protection Regulation

Page 22: Data protection

TODAY Draft Regulation

Page 23: Data protection

Data Protection Regulation – introduction

• What’s the problem?

• Commission solution

• Strategy

• Particular measures proposed

• Practical implications for now?

Page 24: Data protection

Data protection – the need for change

• Change in nature and extent of processing

• Globalisation

> Different rules in different states

> Cloud

• Employment context

> volume

> free-form data

Page 25: Data protection

Commission solution – a Data Protection Regulation

• What is a regulation?

• Aim

> one-stop shop

> greater legal certainty and consistency throughout the EU

> reduction of administrative burden

> strengthened data subject rights

> efficiency of supervision and enforcement

• And “it will save money” – not just red tape

Page 26: Data protection

Strategy proposed

• Strategy: similar to current rules... but more

> stricter data protection principles

> more specific and granular obligations

> more extensive individual rights... right to be forgotten...

• Backed up by tougher enforcement – fines of up to 2% of annual worldwide turnover

Page 27: Data protection

Policy, process...and documentation (1)

• Internal documentation

> adopt policies

> implement measures to ensure compliance with policies

> be able to demonstrate compliance

> if appropriate, establish an audit

Page 28: Data protection

Policy, process...and documentation (2)

• Documentation for data subjects: extensive information including

> purposes of processing

> if justified by "legitimate interests" ...what those interests are

> data subject rights and how to complain

> who gets to see it ....recipients

> If data does not come from data subject, who the source is

Page 29: Data protection

Policy, process...and documentation (3)

• Very granular... underscored by a new data protection principle: for each processing operation, the controller must ensure and demonstrate compliance

• Lots of paper .....but does it protect privacy?

Page 30: Data protection

Right to be forgotten

• Right to have personal data erased if

> no longer necessary in relation to the purposes for which it was collected

> consent withdrawn

> expiry of the retention period

> processing is non-compliant

Page 31: Data protection

Right to be forgotten

• If the controller has made the personal data public, it must take all reasonable steps to tell third parties processing the data that erasure has been requested

• Controller may restrict processing instead of erasing

> where there is an issue over accuracy

> where the data is needed for purposes of proof (evidence of business operations)

Page 32: Data protection

Data security (1)

• Controller and processor must

> do a risk assessment

> implement technical and organisational measures to ensure security

• "Personal data breach" means a breach of security leading to accidental or unlawful

> destruction, loss or alteration

> unauthorised disclosure of, or access to, personal data

Page 33: Data protection

Data security (2)

• Duty to notify

• Duty to document breaches

• If the breach is likely to affect the privacy of data subjects, the controller must tell the data subjects about the breach and what it is doing in response

Page 34: Data protection

Data protection by design

• "Data protection by design" ...if developing business in ways that impinge on personal data (e.g. a new HR system)

implement to ensure compliance (having regard to cost and technology)

ensure that by default system

> only processes data necessary for purpose

> does not collect too much

> does not store too long

> controls
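As an added illustration (not from the slides and not any real product), the Python below models the by-default data minimisation and retention limits of slide 34 together with the erasure triggers and the restriction exceptions of the right to be forgotten on slides 30 and 31. The purpose register, field names, retention periods and sample records are invented assumptions; the draft Regulation sets no such values.

```python
"""Toy 'data protection by default' record store (added example, not from the slides).

Models: (1) store only the fields a declared purpose needs; (2) a retention period
per purpose, enforced by a default sweep; (3) the four erasure triggers of the draft
right to be forgotten; (4) restriction instead of erasure when accuracy is contested
or the data is needed as evidence; (5) the list of recipients to notify on erasure.
Purposes, fields and periods are assumptions chosen for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Assumed purpose register: fields each purpose may hold and how long they may be kept.
# Anything not listed here is never stored (minimisation by default).
PURPOSES: Dict[str, dict] = {
    "payroll": {"fields": {"name", "bank_account", "salary"},
                "retention": timedelta(days=6 * 365)},
    "staff_directory": {"fields": {"name", "work_email", "desk"},
                        "retention": timedelta(days=30)},
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_on: date
    data: Dict[str, str]
    consent_withdrawn: bool = False
    accuracy_contested: bool = False
    needed_as_evidence: bool = False
    recipients: Set[str] = field(default_factory=set)  # who the data was disclosed to
    restricted: bool = False
    erased: bool = False


def collect(subject_id: str, purpose: str, raw: Dict[str, str],
            collected_on: date, recipients=()) -> Record:
    """Keep only the fields the declared purpose needs; drop everything else."""
    spec = PURPOSES[purpose]
    kept = {k: v for k, v in raw.items() if k in spec["fields"]}
    return Record(subject_id, purpose, collected_on, kept, recipients=set(recipients))


def erasure_grounds(rec: Record, today: date, still_necessary: bool = True) -> List[str]:
    """Return the slide-30 erasure triggers that apply to this record (possibly none)."""
    grounds: List[str] = []
    spec = PURPOSES.get(rec.purpose)
    # Unregistered purpose, or fields beyond what the purpose allows: non-compliant processing.
    if spec is None or not set(rec.data) <= spec["fields"]:
        grounds.append("processing non-compliant")
    if not still_necessary:
        grounds.append("no longer necessary for purpose")
    if rec.consent_withdrawn:
        grounds.append("consent withdrawn")
    if spec is not None and today - rec.collected_on > spec["retention"]:
        grounds.append("retention period expired")
    return grounds


def apply_erasure(rec: Record, today: date,
                  still_necessary: bool = True) -> Tuple[str, List[str], Set[str]]:
    """Decide keep / restrict / erase; return (action, grounds, recipients to notify)."""
    grounds = erasure_grounds(rec, today, still_necessary)
    if not grounds:
        return "keep", grounds, set()
    # Slide 31: restrict rather than erase while accuracy is disputed or data is needed as proof.
    if rec.accuracy_contested or rec.needed_as_evidence:
        rec.restricted = True
        return "restrict", grounds, set()
    rec.data = {}
    rec.erased = True
    # Slide 31: recipients of the data must be told about the erasure.
    return "erase", grounds, set(rec.recipients)


def sweep(records: List[Record], today: date) -> Dict[str, str]:
    """Default retention enforcement: run over the whole store and report actions."""
    return {f"{r.subject_id}/{r.purpose}": apply_erasure(r, today)[0] for r in records}


# Constructed sample store (invented people and values).
TODAY = date(2013, 4, 23)
SAMPLE = [
    collect("emp-1", "payroll",
            {"name": "A. Smith", "bank_account": "00-00-00 12345678", "salary": "30000",
             "home_address": "not needed for payroll, so never stored"},
            collected_on=date(2006, 1, 15), recipients={"pension-provider"}),
    collect("emp-2", "staff_directory",
            {"name": "B. Jones", "work_email": "b.jones@example.test", "desk": "3F-12"},
            collected_on=date(2013, 4, 1)),
]

if __name__ == "__main__":
    for key, action in sweep(SAMPLE, TODAY).items():
        print(key, action)
```

The point of the shape is that the purpose register, not the application code, decides what is stored and for how long, so a new HR feature that forgets to set a retention period or asks for an unlisted field is rejected or swept by default rather than quietly kept.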

Page 35: Data protection

Data protection officer

• Controller and processor must establish a DPO if 250 employees or more

• What are the roles/functions of a DPO?


Page 37: Data protection

Data protection officer

Monitoring data protection breaches

Contact point for supervisory authority

Informing controller and processor of obligations under DPR (and documenting)

Monitoring implementation of policies (including audit and training)

Ensuring documentation is maintained

Monitoring protection by design and security

Monitoring data protection impact assessment

Page 38: Data protection

Remedies and sanctions

• Fines of up to 2% of annual worldwide turnover

• Enforcement by the "main establishment" regulator

> in the EU: where the purposes of processing are determined or, if not, where the main processing takes place

> if not established in the EU, the controller must appoint a "representative"

Page 39: Data protection

Special rules on employment

• Regulation allows member states to adopt special rules for employment.... but upwards only

> extra conditions for processing

> regulatory consent?

> Works Council approval?

• Defeats "one-stop" shop?

Page 40: Data protection

What to do now?

• Proposals will change...

• Share your thoughts with the MoJ?

• Processing operations: identify and record them, and consider how you comply

• Establish extent to which you use "consent" to justify processing...and find other ways

Page 41: Data protection

Thank you