www.hqip.org.uk
General Data Protection Regulation (GDPR)
Sasha Hewitt Associate Director, HQIP
What is the GDPR and why is it important?
• GDPR is the new legal framework for the EU
• Applies to personal and sensitive personal data
• Will have direct effect across the EU from 25th May 2018
• Brexit will not impact upon UK adoption of GDPR – Data Protection Bill progressing through parliament now
• Has implications for HQIP as a data controller and for providers as data processors
• Processors now have direct responsibilities and obligations under the GDPR, outside of the terms of contract. Can now be held directly responsible for non-compliance
• Failure to comply means fines of up to 20 million euro or 4% of annual global turnover, whichever is larger (the maximum under the DPA was £500,000)
Organisations frantically working towards GDPR compliance but much of the guidance is still not published.
Article 29 working party guidance update
Guidance – Published yet?
• Data Portability – Yes
• Identifying a lead Supervisory Authority – Yes
• Data Protection Officers – Yes
• Consent – Draft
• Profiling and individuals' rights – Yes
• High risk processing and data protection impact assessments (DPIAs) – Draft
• Contracts and Liabilities – Draft
• Transparency – No
• Certification – No
• Data Transfers – No
• Administrative fines – Yes
• Breach Notification – Yes
Data Protection Bill
• Covers law enforcement processing
• Covers national security data processing
• Exemptions for processing personal data for literary, journalistic or academic purposes, largely reflecting the current system.
• Sets the age of child consent (of online data processing) to 13 years
• Role of the ICO (increased max fines from £500K to £18m, creates new offences, e.g. re-identification of de-identified data)
Direct legal responsibilities of processors under the GDPR:
• Not to use a sub-processor without prior written authorisation of the controller
• To co-operate with ICO
• To ensure the security of its processing
• To keep records of processing activities
• To notify any personal data breaches to the controller
• To appoint a data protection officer
• To appoint (in writing) a representative within the EU (if needed)
Compulsory internal documentation
Driving principles of accountability and transparency
1. Policies (IG, security, records management, third party processing, home working etc)
2. Controller-processor written contract containing (this also applies when a processor employs another processor):
– description, duration, purpose, type of personal data, categories of data subjects
– processor must comply with article 32 (security) and article 28 (sub-processing, assistance to the controller)
– If processor contracts a sub-processor then certain contract terms must be imposed in that contract and the original processor remains liable to the controller for the compliance of their sub-processor
3. Data processing records:
– Controller (DPO, purpose, legal basis, categories, recipients, safeguards, retention periods, security measures)
– Processor (controller details, processor details, DPO, legal basis, categories of processing carried out, security measures in place)
Compulsory internal documentation cont…
4. Data breach inventory
5. Data protection impact assessments:
– High risk processing
– Controller responsibility (but processor must assist)
– Risks and mitigation.
6. Records of decisions taken
7. General evidence of compliance
8. Training records
9. Appointment/role of DPO
10. Records of compliance with data subject rights requests (i.e. access requests and responses)
Compulsory external documentation
1. Privacy notices/fair processing:
– More detailed
– Details of controller, processor, DPO
– Purpose and legal basis
– Categories of personal data
– Recipients
– Transfers and safeguards
– Retention period
– Data subject rights (withdraw consent, opt out, subject access, complaint)
– Source of personal data
– Existence of automated decision making/profiling
2. Consent capture forms
3. Data subject rights request form and response template
4. Data subject breach notification template
Information Governance checklist
• General information for each contract year
• Data sharing
• Breach inventory
Further reading and resources…
• ICO guidance - https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
• IG Alliance https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance