Post on 17-Aug-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

www.hqip.org.uk

General Data Protection Regulation (GDPR)

Sasha Hewitt Associate Director, HQIP

Page 2

What is the GDPR and why is it important?

• GDPR is the new legal framework for the EU

• Applies to personal and sensitive personal data

• Will have direct effect across the EU from 25th May 2018

• Brexit will not impact upon UK adoption of GDPR – Data Protection Bill progressing through parliament now

• Has implications for HQIP as a data controller and for providers as data processors

• Processors now have direct responsibilities and obligations under the GDPR, outside of the terms of contract, and can now be held directly responsible for non-compliance

• Failure to comply means fines of 20 million euro or 4% of annual global turnover, whichever is larger (the maximum under the DPA was £500,000)

Page 3

Organisations are frantically working towards GDPR compliance, but much of the guidance is still not published.

Page 4

Article 29 working party guidance update

Guidance                                                              Published yet?
Data Portability                                                      Yes
Identifying a lead Supervisory Authority                              Yes
Data Protection Officers                                              Yes
Consent                                                               Draft
Profiling and individual's rights                                     Yes
High risk processing and data protection impact assessments (DPIAs)   Draft
Contracts and Liabilities                                             Draft
Transparency                                                          No
Certification                                                         No
Data Transfers                                                        No
Administrative fines                                                  Yes
Breach Notification                                                   Yes

Page 5

Data Protection Bill

• Covers law enforcement processing

• Covers national security data processing

• Exemptions for processing personal data for literary, journalistic or academic purposes, largely reflecting the current system.

• Sets the age of child consent (for online data processing) to 13 years

• Role of the ICO (increased max fines from £500K to £18m, creates new offences, e.g. re-identification of de-identified data)

Page 6

Direct legal responsibilities of processors under the GDPR:

• Not to use a sub-processor without prior written authorisation of the controller

• To co-operate with ICO

• To ensure the security of its processing

• To keep records of processing activities

• To notify any personal data breaches to the controller

• To appoint a data protection officer

• To appoint (in writing) a representative within the EU (if needed)

Page 7

Compulsory internal documentation

Driving principles of accountability and transparency

1. Policies (IG, security, records management, third party processing, home working etc.)

2. Controller-processor written contract containing (this includes when a processor employs another processor):

– description, duration, purpose, type of personal data, categories of data subjects

– processor must comply with articles 32 (security), 28 (sub-processing), 28 (assistance to controller)

– If processor contracts a sub-processor then certain contract terms must be imposed in that contract and the original processor remains liable to the controller for the compliance of their sub-processor

3. Data processing records:

– Controller (DPO, purpose, legal basis, categories, recipients, safeguards, retention periods, security measures)

– Processor (controller details, processor details, DPO, legal basis, categories of processing carried out, security measures in place)

Page 8

Compulsory internal documentation cont…

4. Data breach inventory

5. Data protection impact assessments:

– High risk processing

– Controller responsibility (but processor must assist)

– Risks and mitigation.

6. Records of decisions taken

7. General evidence of compliance

8. Training records

9. Appointment/role of DPO

10. Records of compliance with data subject rights requests (i.e. access requests and responses)

Page 9

Compulsory external documentation

1. Privacy notices/fair processing:

– More detailed

– Details of controller, processor, DPO

– Purpose and legal basis

– Categories of personal data

– Recipients

– Transfers and safeguards

– Retention period

– Data subject rights (withdraw consent, opt out, subject access, complaint)

– Source of personal data

– Existence of automated decision making/profiling

2. Consent capture forms

3. Data subject rights request form and response template

4. Data subject breach notification template

Page 10

Information Governance checklist

Page 11

General information for each contract year

Page 12

Page 13

Data sharing

Page 14

Breach inventory

Page 15

Further reading and resources…

• ICO guidance - https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

• IG Alliance - https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance