Data Protection and Confidentiality
Directory of Social Change
06 June 2019
2 COMMERCIAL IN CONFIDENCE
AGENDA
Introduction to Data Protection Law
History of Data Protection and Cyber Crime
The Industry Regulator
Key requirements for businesses
The Information Commissioner’s Office
Data protection and Brexit
Data Sharing Across Borders
Legal frameworks
Data Processing Relationships
Review of your personal data processing
BREAK
Terminology Explained
Principles and rights under GDPR
Definitions
What this means in practice
Mapping Processes
Lawful bases for processing
LUNCH
Risk Assessment
Legitimate Interests Assessments
Data Protection Impact Assessments (DPIAs)
Checklists
Cyber Security
Data Breach Statistics
The price of ‘human error’
BREAK
Data Breach Reporting
How to keep breach registers
Data breach response plan
Data Subject Access Requests (DSARs)
Data Subject Rights and DSAR procedures
DSAR response plan
Steps to GDPR Compliance
Questions & Answers
SESSION CLOSE
INTRODUCTION TO DATA PROTECTION LAW
New data protection legislation
1995 EU Directive
2016 EU Regulation
Data Protection Act 2018
General Data Protection Regulation
On 25th May 2018 the General Data Protection Regulation (GDPR) (EU) 2016/679 replaced various data protection laws in place across the European Union.
The new legislation applies to all 28 Member States in the EU, and was enforced on the same date. Limited local derogations apply.
In the UK the GDPR replaced the Data Protection Act 1998 – after Brexit the Data Protection Act 2018 will replace the GDPR (aka UK GDPR).
1970s
Limited personal data sharing, mainly processed by various Government depts
1970: first data protection law passed in Hessen
1971: world’s first ever ‘email’ is sent
1975: first mass produced digital watches
1977: Voyagers 1 & 2 launch
Mainframe
1980s
1980: OECD Council releases guidelines on privacy protection for transborder flows of personal data
1983: German court issues first verdict ‘Right of Information Self-Determination’
Ability to record and share personal data increases with new tech in leisure and consumer markets
PC
1990s
1995: EU Parliament introduces Data Protection Directive for Member States
First macro virus (Concept) designed to attack MS Word
Many US big tech co’s launch in a dot com boom
Google relaunches twice in the same decade, as Y2K fever hits companies worldwide
Market evolves for personal & consumer users of new tech especially via online platforms
www
2000 - 2010
2000: The US Safe Harbour framework is introduced
2001: Sept 11th attacks
2001: Wonderland Club arrests, first reports of large scale internet crimes
2005-2009: series of high profile personal data breaches
2009: UK tightens national data protection laws in response to high profile data abuse cases
Blogging becomes popular
2011 - 2018
2010: Apple suffers A-list email data breaches on new 3G iPad
2011: NotW closes due to phone hacking, Disney given $3m COPPA fine
2012: EC begins drafting the GDPR, ‘smart’ TVs and home appliances arrive
2013: Snowden leaks top secret docs on US Govm’t mass global surveillance, Yahoo breach loses 1bn user profiles
2014: Amazon launches Alexa, and Morrison’s breach sees an internal auditor attempt to sell staff salary data
Global and regional hacking and data breaches reach new heights
2015: EU declares US Safe Harbour programme invalid, major breaches at Pentagon and Kaspersky, Russia is proven to have hacked Obama’s emails
27th April 2016: EC approves final version of GDPR, with a 2 year period to enforcement date of 25th May 2018
2018: Carphone Warehouse fined £400k for 2015 attack, Cambridge Analytica’s data breach wipes £120bn off Facebook’s market value – both co’s investigated and fined. Cyber crime now a major undertaking & state sponsored
THE INDUSTRY REGULATOR
KEY REQUIREMENTS
Register with the ICO
Understand how the law applies to your business operations
This includes internal data processing
Record of processing activities (ROPA)
Identify lawful bases for processing
Data controller or data processor?
Due diligence on data sharing relationships
Review data security
Transparent user-friendly privacy notices
Keep data breach registers and report serious breaches
Allow individuals to exercise rights
Obey e-marketing rules
THE ICO
UK Data Protection Act 2018
28 Lead Data Protection Supervisory Authorities
Up to c.700 staff (>500 now, across Wilmslow, Belfast, Edinburgh and Cardiff)
Increased powers to investigate independently and impose sanctions and penalties
GDPR fines here to stay
Will continue to liaise with the European Data Protection Supervisory Authorities regarding breach investigations post-Brexit
Latest news
Nuisance call reporting
Public information
How to contact companies
Report issues
Register of data controllers
Tools, checklists and guidelines
CHANGES TO ICO REGISTRATION
It costs £40 per year for micro businesses:
£35 if paid by direct debit
Defined by no more than 10 staff, OR
By max annual turnover £632,000
It will cost £60 per year for SMEs:
Defined by no more than 250 employees, OR
By max annual turnover of £36m
For large organisations it will cost £2,900 per year
NOT-FOR-PROFIT EXEMPTIONS
Organisation established for non-profit making purposes - any profits are for the organisation’s own purposes and do not enrich others
You only process information necessary to establish or maintain membership or support
You only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
You only hold information about individuals whose data you need to process for the exempt purpose
The personal data you process is restricted to personal information that is necessary for the exempt purpose
PECR HIGHLIGHTS
Any communication not specifically requested
Solicited marketing still requires full disclosure
Opting in to future marketing doesn’t mean ‘solicited’
Contracted 3rd parties equally responsible
Opting in requires clear, informed and active consent
Beware of indirect or 3rd party consent!
Check local country rules for international campaigns
Electronic Marketing
Any advertising or promotional material
Includes aims, ideals, charitable or political activities
Phone, fax, email, text, SMS, or other electronic means
Stricter rules for targeting individuals than companies
Different rules for different methods - check TPS: e.g. live vs automated calls, or electronic text vs email
Non-essential cookies or tracking technologies require fully informed consent, even for anonymous data:
- Covert tracking and surveillance is against the law
- Implied consent insufficient for sensitive personal data
- Apps that gain access to user content or mobile device info also require informed user consent before installation
Mailshots via post fall under direct marketing rules for MPS
Service Communications
Anything devoid of promotional, advertising or marketing approaches
Branding or logos for identification are fine
Genuine market research, including polls and surveys, provided not accompanied by promotional material
Routine customer service or account information
Updates to software, services, elements of a contract or to overall Terms & Conditions
Alerts or advisory notices falling under legal or contractual requirement
Essential cookies for providing essential online content: e.g. for login security, retaining shopping carts, etc., but full disclosure still required
PERSONAL & SPECIAL CATEGORY DATA EXERCISE
Example 1:
A charity buys in a marketing list from a commercial data company, consisting of names, titles, companies, phone numbers and email addresses. They intend to send marketing emails to the entire list.
Would the people’s details on the list be considered personal data? (Personal Data / Special Category)
Does the new legislation apply to B2B (business-to-business) information? Yes / No
Should the charity check to ensure the data company verified consent for this list before they start marketing to the people on the list? Yes / No
Example 2:
A local church group has a historical list of church members, collated over the years for volunteers, keyholders, event organisers and fundraising activities. The list includes a mix of home and mobile phone numbers, addresses and email addresses. It is kept on the Secretary’s home PC, and is printed out for display on the noticeboard of the local church hall.
Would the contents of this list be classed as personal data? (Personal Data / Special Category)
Should the secretary review the security of the spreadsheet on their PC? Yes / No
Is the display of this list in the church hall a security risk for those people on it? Yes / No
DATA SHARING ACROSS BORDERS
Binding Corporate Rules
Intra-organisational rules
Avoids need for EC approval
Personal data to 3rd countries
Protect rights and freedoms
Legally enforceable, applies to all
Alliances, franchises, partners
Standard Contract (Model) Clauses
Cross-border data transfers between EU and 3rd countries
Must clarify each party’s controller / processor status
File with relevant Supervisory Authority for approval
Cannot be amended once approved
EU-U.S. Privacy Shield
Protects fundamental rights
EU data transferred to US
Obligations on US recipients
Safeguards against US Gov access
Effective protection and redress
Annual joint EU and US review
Companies can choose to subscribe or not
Subscribers self-certify to own definitions
No US-side overview or scrutiny unless claims brought
[Diagram: international data flows across the EU and EEA data borders]
EU DATA BORDER: 28 EU Member States (Head Office)
EEA DATA BORDER: EEA, or Country / Territories that meet EU adequacy rules on safeguarding personal data
EEA: Norway, Iceland, Liechtenstein
Adequacy: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Uruguay, Switzerland (EU-Swiss Privacy Shield), USA (EU-U.S. Privacy Shield)
Third Countries (151 others): Model Clauses or Binding Corporate Rules
Systems shown: Local server backup; HRiS (SaaS supplier overseas) and HRiS Backup; Payroll Services (SaaS supplier overseas) and Payroll Service Backup
https://ico.org.uk/for-organisations/data-protection-and-brexit/
https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal
DATA PROCESSING RELATIONSHIPS
Data Subject
The individual to whom the personal data or information relates
Data Controller
The “person”* that decides (alone, jointly, or in common) the purpose(s) and manner in which data is to be processed
Data Processor
Any “person”* (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller
*A “person” recognised in law as:
- An individual
- An organisation
- Other corporate or unincorporated bodies
It is possible to have joint or common controllers and sub-processors.
The key lies in the decisions regarding purpose of collecting and processing the data.
Under GDPR the Data Controller and Data Processor share joint responsibility and liability for data processing compliance.
Give an example of Personal Data sharing in your own department / business:
External data sharing relationships: Suppliers, Affiliates, Partners, Government Agencies, Funding Partners, Other 3rd parties
Identify the following parties:
Data Subject(s): ____________________
Data Controller(s): ____________________
Data Processor(s): ____________________
Do you have a Data Sharing Agreement in place for this processing? Yes / No
Have you conducted any GDPR due diligence on this Data Sharing arrangement? Yes / No
Do you know the Categories of personal Data being shared? (e.g. Personal / Sensitive)
To your knowledge, is any of this personal data shared outside the EEA? (consider everyday systems and suppliers you use for email or accounting, where data is backed up / stored etc.)
What level of risk do you think there may be to the Data Subjects’ rights and freedoms in this data sharing arrangement?
Perceived Risk Level: Low / Medium / High
What personal data do we process?
Why do we process it?
What are our lawful bases for processing?
Who do we share personal data with?
Are there any risks to the data subjects?
Is there a more secure way to do it?
PRIVACY NOTICES – KEY POINTS
TIME FOR A QUICK BREAK…
TERMINOLOGY EXPLAINED
GDPR Principles
1. Fair, lawful and transparent processing of personal data
2. Specified, explicit and informed legitimate purpose
3. Adequate, relevant and limited to necessary purpose
4. Take all reasonable steps to keep data accurate and updated
5. Data not kept in identifying format beyond necessary use
6. Take all organisational or technical measures to comply with the law
7. Accountability
GDPR Rights
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Extra rights re: automated processing and profiling that produce legal effects on data subjects
Extension of access right:
- Personal data gathered directly from data subject
- Automated processing
- Consent or contract
- Structured machine-readable format
- No adverse effect on others
Erasure:
- Erased / no longer processed
- Consent withdrawn, if applicable
- Objection to Leg.Int processing
- Consent based ISS services to children
- Unlawful processing
- For legal compliance
Forgotten:
- Delete public data
- Inc. data made public by Controller
- Reasonable steps taken by Controller to inform other controllers & 3rd parties
Temporary or Permanent:
- Alternative to erasure
- Put data on hold, mark as limited, move to separate system or remove from website
- Store only
- Use only for legal requirements, protect others’ rights or in public interest
- Whilst processing objection is assessed
Objection:
- Direct marketing
- Public or legitimate interest
- Research or statistical purposes
PERSONAL DATA DEFINITION
Any information… collected or meant to be collected
relating to… relationship by content (e.g. name, job title, address); purpose; impact on someone’s privacy rights
an identified… name or singling out; specific characteristics
or identifiable… indirect; taking into account all means reasonably likely to be used
natural person: someone alive (birth through to death)
This includes business information, such as job titles, work contact details etc.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier:
a name
an identification number
location data
an online identifier
a person’s age
also, by reference to one or more of the following factors specific to the individual:
- physical
- physiological
- genetic
- mental
- economic
- cultural identity
- social identity
TYPES OF PERSONAL DATA
Special category (also known as sensitive personal data) reveals the following about, or can be used to uniquely identify, a natural person, either directly or indirectly:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
a person’s age (where a protected characteristic)
data concerning health
information relating to family life or circumstances
data concerning a natural person’s sex life or sexual orientation
Core business function = mandatory appointment of a DPO (Data Protection Officer)
SPECIAL CATEGORY DATA
Processing, in relation to information or data, means obtaining, recording or simply holding it. It includes any operation(s) performed:
organising the data into any formal or semi-formal filing or reference system
adapting or altering the information
- e.g. pseudonymisation or encryption
retrieving, accessing, performing searches on, or looking up the data
disclosing the data in any way to other parties, either internal or external
- printing, copying, emailing, sharing snapshots and images of it etc.
repurposing, aligning or combining the information with other information or existing data
blocking, minimising, storing, archiving, deleting or destroying the information
DATA PROCESSING DEFINITION
Each Data Controller / Data Processor (including Joint Controllers and Sub-Processors) and their Representatives must maintain a written / electronic record of the data processing under their responsibility, to include:
Name and contact details of Data Controllers, Joint Controllers and Representatives
- Data Processors and Sub-Processors must outline the full chain of Data Controllers
Contact details for the Data Protection Officer (DPO) as applicable
Purposes of the processing being carried out
Types and categories of data subjects and their personal data
Categories of recipients of the data, including international organisations and those in third countries
Retention and deletion schedules for the data
Where possible, a description of the technical and organisational security measures in place
Details to be submitted to a relevant Supervisory Authority on request
ARTICLE 30: RECORDS OF PROCESSING ACTIVITIES
Organisations <250 persons are exempt from the ROPA requirements, unless:
The processing carried out is likely to affect the rights and freedoms of the data subjects
The processing cannot be described as occasional
The processing includes special categories of data (per Article 9)
The processing relates to criminal convictions and offences (per Article 10)
WHAT THIS MEANS IN PRACTICE
To meet your transparency of processing obligations (the 1st GDPR Principle) and articulate your processing effectively in a Privacy Notice, you’ll need to first map what data you have in your business, where, why, who has access etc. …don’t assume you know this without first trying to map it all out. You may be surprised at how complex some of the simplest processes in your business really are!
Boiling an egg, simple version: Egg in pan of water -> Bring to the boil -> Lid on, heat off -> Leave for 6 minutes -> Egg out of pan -> Eat and enjoy
Boiling an egg, detailed version: Eggs for breakfast -> Go to fridge: 2 eggs? If No: Go to the shop -> Buy eggs -> Back to kitchen. If Yes: Fill pan with water -> Put 2 eggs in pan -> Put pan on the cooker -> Turn on heat -> Wait for water to boil -> Turn off heat -> Put lid on pan -> Leave eggs for 6 mins -> Remove eggs from pan. Meanwhile: 2 pieces of bread in toaster -> Toast bread -> Butter toast. Then: Serve eggs and toast -> Eat and enjoy!
MAPPING YOUR DATA PROCESSING
LAWFUL BASES FOR PROCESSING
LAWFUL BASES FOR PROCESSING
Personal Data Processing – Article 6:
- Consent through clear, informed affirmative action (this relates to the individual’s right to object)
- Performance of a contract, or to take steps to enter into a contract
- Compliance with a legal obligation
- Protect vital interests
- Performance of public interest task, or exercising official controller authority
- Legitimate interests of controller or 3rd party (can’t override rights)
Special Category Data Processing – Article 9:
- Clear, informed and EXPLICIT affirmative action (unless reliance on consent is against the law)
- Employment, social security, social protection or collective agreement
- Protect vital interests (physically or legally incapable of giving consent)
- Non-profit body: political, trade union, religious, philosophical
- Data manifestly made public
- Establish, exercise or defend legal claims or court proceedings
- Substantial public interest
- For preventative or occupational medical reasons, or assessing fit to work
- Public health interest
- Public interest for archiving, historic, scientific or statistical research
Special category data processing must include one lawful basis from each list (Article 6) and (Article 9)
The GDPR places a high bar on businesses considering consent as a basis for processing:
Genuine choice and control
Positive, affirmative and unambiguous action to indicate consent
- No pre-ticked boxes
- No assumed consent
- No blanket consent
- No open-ended consent
Clearly and specifically informed on all separate purposes
Split out different areas of processing consent
As easy to withdraw consent as it was to give it
Not a precondition of a service
No imbalance of power over the individual data subject
Consent must be separate to ordinary Terms & Conditions
Principles of transparency and accountability – keep records / audit trail
Don’t ask for consent if you don’t need it
If “consent” is difficult to justify, then look at another lawful or legitimate basis for the data processing
A WORD ON ‘CONSENT’
Consent is not a valid ‘umbrella’ basis for your HR-related data processing
HOW LAWFUL BASES IMPACT RIGHTS
Table columns: Lawful Basis | Right to erasure | Right to data portability | Right to object | Additional information
Legal Obligation
Contract: Legal effect of objecting to contractual processing means clause discussions or even contract void
Legitimate Interests: Reliance on legitimate interests means you’ll need more detail in your privacy notice to comply with the right to be informed
Vital Interests
Public Task
Consent: No right to object, but has the right to withdraw consent
Individuals have the right to object to direct marketing no matter what lawful basis applies.
The right to be informed is a fundamental right, and ties in with the 1st Principle of transparency.
Other rights aren’t absolute and need to be looked at carefully in context and against requirements.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
[Diagram: example data flows, each labelled with the data type and the lawful basis relied on]
Personal Data – Contract; Personal Data – Legitimate Interests; Personal Data – Legal Obligation; Personal Data – Contract / Employ/Soc.Sec
Special Category – Employment / Social Security; Special Category – Legal Obligation / Employ/Soc.Sec; Special Category – Legitimate Interests; Special Category – Vital Interests / Employ/Soc.Sec
Vital Interests
DATA SHARING – CHARITY SECTOR
[Diagram: data sharing between the Public, Shops, Dept’s and Executive of a charity]
Executive: Board of Trustees; Directors
Departments and shops: Regional Managers; Retail Managers; Retail Teams; Volunteers; Fundraising; Fundraising Teams; Volunteers
Individual Data Subjects: Beneficiaries; Benefactors; Customers; Donors (regular / one-off)
Third Parties: Suppliers; Service Providers; Partners; Affiliates
ICO ACTION AGAINST VOLUNTARY & CHARITY ORGANISATIONS
In each example the breaches were a direct result of human errors:
- poor decision making by management
- poor organisational behaviour
- poor IT policies and practices
The ICO ruled that in each example the breaches were entirely avoidable and preventable.
TIME FOR LUNCH…
RISK ASSESSMENT
Identify Legitimate Interests:
- Why do you want to process the data?
- Who benefits from it?
- Any wider / public benefits? Important?
- Impact of not being able to proceed?
- Unethical or unlawful?
Necessity Test:
- Will processing help achieve aims?
- Is it reasonable?
- Any alternatives to achieve results?
Balancing Test:
- Relationship with data subject(s)?
- Sensitive or private data?
- Children or vulnerable people?
- Would people expect it?
- Are you happy to explain it?
- Some likely to object? Intrusive?
- Impact on data subject(s)? Big?
- Any safeguards you can adopt?
- Can you offer an opt-out?
Document your LIAs, to include all considerations
As a tool they help businesses to:
Identify and fix problems / issues early on, saving money
Demonstrate attempts to meet compliance obligations
Help meet processing transparency (GDPR 1st Principle)
Build trust with data subjects around data privacy
Reduce risk of breaches, complaints and penalties
Source: www.termsfeed.com
Data Protection Impact Assessments (DPIAs) are a key aspect of Privacy By Design
PRIVACY BY DESIGN
DATA PROTECTION IMPACT ASSESSMENTS
Not all processing actions require a DPIA. Those that do include:
- Those that are likely to result in a high risk to individuals’ rights and freedoms
- Potential gaps in procedures that could lead to breaches
- New databases or IT / software systems used to store, access or consolidate personal data
- A data sharing or data pooling exercise, especially with other organisations
- Any new proposals to collect or process data about demographics or particular groups
- Installing or using new or upgraded surveillance or monitoring technology in your business
- Deciding to use existing data for new, unexpected or potentially intrusive purposes
A group of linked processing activities can be reviewed under one overall DPIA.
It is important that you determine the company’s risk criteria BEFORE you begin your DPIAs.
Document your DPIAs, to include all considerations
ASSESSING RISK
This handy image explains what we mean by PROBABILITY and IMPACT.
You will need to be able to easily assess the likelihood, or probability, of risk to the data subjects and also the level, or impact, of risk posed.
RISK PROBABILITY / IMPACT MATRIX
Probability and Impact Matrix (score = probability of breach x severity of impact; rows are probability 3 to 1, columns are severity 0 to 3)
Probability of breach
  3 |  0  3  6  9
  2 |  0  2  4  6
  1 |  0  1  2  3
    +-------------
       0  1  2  3   Severity of impact (Low to High)
Probability and Impact Table
Risk Level | From | To | Risk Assessment   | Description of Risk Level
High       |  6   |  9 | High risk         | Risk exceeds the business’ risk appetite
Medium     |  3   |  5 | Unacceptable risk | Could exceed risk appetite in some instances
Low        |  1   |  2 | Acceptable risk   | The risk is within acceptable boundaries
None       |  0   |  0 | No risk           | No apparent risk
DPIA risk assessments must be approached from the perspective of the data subject, not from the perspective of the business.
A hospice organisation wants to create a new marketing database, combined of two separate lists: Gift Aid donors, and current newsletter recipients. The company privacy notice doesn’t detail how marketing lists are compiled. Complete the LIA checklist to practice considering the impact from a data subject’s perspective, and then decide if you feel a Data Protection Impact Assessment (DPIA) may also be needed:
First Section: LIA Checklist
Questions to Consider (Y / N)
1. Does the activity involve collecting new information about people that you don’t already have?
2. Might it compel people to give information to you about themselves?
3. Will this info be shared with organisations or people who have not previously had routine access to the information?
4. Will the personal information be used for new purposes, or in a way it is not currently being used?
5. Does the activity involve using new technology which might be perceived as being privacy intrusive?
6. Will the activity result in making decisions or taking action against individuals in ways which can have a significant impact on them?
7. Is the personal information of a kind particularly likely to raise concerns or expectations about people’s privacy?
8. Will the activity involve contact with people in ways which they may find intrusive?
Identify Legitimate Interests:
- Why do you want to process this data?
- Who benefits?
- Are there wider or public benefits? If so, how important are they?
- What’s the impact of not being able to proceed?
- Is there anything unfair, unlawful or unethical about what you want to do?
Necessity Test:
- Will this processing help you achieve your aims?
- Is it reasonable?
- Are there any alternative ways to achieve results without doing it?
Legitimate Interests Balancing Test:
- What’s your relationship with the data subject(s)?
- Is the data sensitive or particularly private?
- Does the data belong to children or vulnerable people?
- Would people reasonably expect this processing of their data?
- Are you happy to explain it (transparency principle)?
- Are any data subjects likely to object or find it intrusive?
- Is the processing likely to have an impact on them? If so, how big?
- Are there any safeguards that you can, or must, put in place?
- Are you able to offer ability to opt-into this processing (and therefore opt-out)?
Second Section: DPIA Checklist
CYBERSECURITY, MARKETING & LIABILITIES
[Statistics slide]
6 out of 10 people are fed up with passwords using a mix of numbers, symbols and capital letters
Of firms had formal policies covering cyber security risks in 2017
39%
Had formal cyber security incident management processes in 2017
14%
Gave their staff cyber security training in 2017
25%
Of businesses have been affected by fraudulent emails
Of cyber security policies are related to remote or mobile working
Of organisations who suffered a breach have taken no action to prevent another attack
The average number of days for a business to discover a data breach
120
Don’t know the source of the most disruptive cyber security breach or attack in the last 12 months
60%
Of businesses experienced cyber security breaches in 2017
Of computers and mobile devices are vulnerable to exploit kits
99%
The cost to UK businesses who experienced cyber security breaches in 2016
£30bn apx
THE PRICE OF ‘HUMAN ERROR’?
“HUMAN ERROR”
The statistics on human error contributing to data breaches are quite concerning…
Source: https://ico.org.uk/action-weve-taken/data-security-incident-trends/
Source: https://iapp.org/news/a/data-indicates-human-error-prevailing-cause-of-breaches-incidents/
TIME FOR A QUICK BREAK…
DATA BREACH REPORTING
Records must be kept for all breaches, including minor and unreported ones
Report breaches to the ICO within 72 hours after discovery, unless the risk is low impact / unlikely to impact rights - document your rationale for not reporting
Advise data subjects without delay exactly what has happened:
- What categories / types of data involved, how many people/records affected
- Likely consequences / impact of the breach for the data subjects
- Describe measures taken / proposed to address or mitigate breach impact
- Contact details for your DPO, or other contact point in the business
DATA BREACH REPORTING
WHY REPORT BREACHES?
Compare data protection breach recording and reporting with Health & Safety incident recording and reporting (RIDDOR 2013).
Why do we keep these records?
Penalties for non-compliance:
- Criminal Offence
- £20,000 fine (Magistrates Court)
- Unlimited Fine (Crown Court)
- Up to 2 years’ prison sentence
BREACH REGISTER EXAMPLE
Register columns: Details of the Breach | Assess Impact on Data Subjects | Remedy and Lessons Learned
Keep details of breaches and any decisions made to report them to the ICO (or not), plus what you’ll do to prevent repeat occurrences.
Regular reviews will help spot areas in need of training or intervention.
Penalties for non-compliance: Up to 4% of global turnover or €20million (whichever is the higher figure)
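As an added example (not part of the course materials), a small breach-register helper that applies the 72-hour reporting rule and the probability/impact matrix from the risk assessment section: every incident is recorded, the report-or-not decision carries a written rationale, and the notification is checked for the content the slide requires. The 0-3 scoring, the risk bands and the two incidents are assumed or constructed for the example.

```python
"""Breach register helper built around the 72-hour reporting rule and the
probability/impact matrix from this course. Example code added here, not the
course's own material. Assumptions: probability and severity are each scored
0-3 as in the matrix, risk score = probability x severity, and the bands are
None 0, Low 1-2, Medium 3-5, High 6-9 as in the Probability and Impact Table."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REPORTING_WINDOW = timedelta(hours=72)  # report to the ICO within 72 hours of discovery

# What the notification must describe, per the "Data breach reporting" slide.
NOTIFICATION_FIELDS = (
    "data_categories",      # categories / types of data involved
    "records_affected",     # how many people / records affected
    "likely_consequences",  # likely consequences for the data subjects
    "measures_taken",       # measures taken / proposed to mitigate the impact
    "dpo_contact",          # DPO or other contact point in the business
)


def risk_score(probability: int, severity: int) -> int:
    """Cell of the probability/impact matrix: probability x severity, each 0-3."""
    if not (0 <= probability <= 3 and 0 <= severity <= 3):
        raise ValueError("probability and severity must be scored 0-3")
    return probability * severity


def risk_level(score: int) -> str:
    """Map a matrix score to the course's risk bands (None / Low / Medium / High)."""
    if score == 0:
        return "None"
    if score <= 2:
        return "Low"
    if score <= 5:
        return "Medium"
    return "High"


@dataclass
class BreachRecord:
    details: str                 # what happened (the register's first column)
    discovered_at: datetime
    probability: int             # likelihood of harm to the data subjects, 0-3
    severity: int                # severity of that harm, 0-3, judged from the subject's side
    remedy: str = ""             # remedy and lessons learned
    notification: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.severity)

    @property
    def level(self) -> str:
        return risk_level(self.score)

    @property
    def report_deadline(self) -> datetime:
        return self.discovered_at + REPORTING_WINDOW

    def must_report(self) -> bool:
        """Report unless the risk to rights and freedoms is unlikely (None / Low)."""
        return self.level in ("Medium", "High")

    def missing_notification_fields(self) -> list:
        return [f for f in NOTIFICATION_FIELDS if not self.notification.get(f)]

    def register_row(self, now: datetime) -> dict:
        """One register row. Every breach is recorded; a decision not to report
        carries its written rationale rather than being left implicit."""
        row = {
            "details": self.details,
            "risk": f"{self.level} ({self.score})",
            "report_to_ico": self.must_report(),
            "deadline": self.report_deadline.isoformat(),
            "hours_remaining": round((self.report_deadline - now).total_seconds() / 3600, 1),
            "remedy": self.remedy,
        }
        if self.must_report():
            row["missing_fields"] = self.missing_notification_fields()
        else:
            row["rationale"] = (f"risk to data subjects assessed as {self.level}; "
                                "unlikely to affect their rights, recorded but not reported")
        return row


def example_register(now: datetime = None) -> list:
    """Two constructed incidents (not real cases) run through the register."""
    now = now or datetime(2019, 6, 6, 9, 0, tzinfo=timezone.utc)
    discovered = datetime(2019, 6, 5, 9, 0, tzinfo=timezone.utc)  # 24 h before 'now'
    misdirected = BreachRecord(
        details="Salary spreadsheet emailed to wrong recipient via 'Reply All'",
        discovered_at=discovered, probability=2, severity=3,
        remedy="Recall requested; recipient confirmed deletion; DLP rule for payroll attachments",
        notification={"data_categories": "employee names, salaries", "records_affected": 42,
                      "likely_consequences": "financial privacy exposed to a third party",
                      "measures_taken": "recipient deletion confirmed in writing"},
    )
    lost_laptop = BreachRecord(
        details="Encrypted company laptop left on train; remotely wiped",
        discovered_at=discovered, probability=1, severity=1,
        remedy="Device wiped within the hour; reminder on transport policy issued",
    )
    return [misdirected.register_row(now), lost_laptop.register_row(now)]
```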
What should happen in each of the following types of breaches? Who should be involved in the investigation?
- Sending emails containing personal data to wrong / unauthorised recipient(s) (e.g. ‘Reply All’, ‘CC’, ‘BCC’)
- A data breach occurring from a virus or hack in the company computer or email system
- The loss of a company mobile device or hard copy files/folders containing personal data
- A worker taking personal data from the company home (via personal email or mobile device)
Do you understand what might constitute a ‘personal data breach’? Give some details:
Do you think your team members know how to recognise a personal data breach? Yes / No
Do you have a response plan and an allocated person to deal with breaches? Yes / No
DATA SUBJECT ACCESS REQUESTS
Acknowledge request promptly, verify identity
Outline their rights and how they can exercise them
What categories of personal data you process
The source of this data, especially if not from them
Explain why you process their data
Outline your lawful bases for processing
Who you share their personal data with and why
Safeguards in place for overseas transfers
Details of any automated decision making
How long you keep it, and your criteria for this
SUBJECT ACCESS REQUEST PROCEDURE
DPA 1998                         | GDPR / DPA 2018
Up to 40 days to respond         | One calendar month to respond
Able to charge a small fee       | Standard SARs are free
Could provide in various formats | Provided in common electronic format
Requests made in writing         | Requests in various formats
Do you think that you or your staff know how to recognise and respond to a written or verbal DSAR?
What process or procedure would you follow in order to respond to a DSAR within the 30 day period?
If faced with multiple DSARs, do you have the procedures, template forms, resources and staff to cope?
Are you sure you’ll be able to ‘find’ all the relevant data? Did your mapping consider all locations for unstructured data? (paper files, archives, digital storage, where details have been shared, email inboxes and folders)
Whom else would you need to liaise with (internally/externally) to source it?
Yes / No
STEPS TO COMPLIANCE
Snake Oil: “This Document Certifies that you are now GDPR Compliant”
The right advice
The right plan
The right team
1. Map your business process flows
2. List and categorise personal data in the flow mapping
3. Data controller or data processor?
4. Decide on your basis for processing
5. Review your 3rd party processors
6. Conduct data protection impact assessments
7. Define subject access request procedures
8. Review security and training gaps
9. Implement staff awareness training
10. Publish updated privacy policies and notices
Compliance is not a one-off activity. It requires ongoing maintenance and review.
What data do you have?
What data do you need?
What data must you keep and what can you delete?
How long must you keep it?
Who has access to the data?
Do you test your security?
Who do you share it with?
How secure is the data?
How will you handle a complaint or breach?
Where is your data stored?
Do your staff know the law?
Are your processes transparent?
What’s your ongoing maintenance plan?
Do you need to appoint a DPO?
Q&A
01727 375 078
www.spherehr.co.uk
www.spheredataprotection.com
Document Toolkits, Bespoke Training, Consultancy, Seminars