members evening - data protection
Post on 11-Apr-2017
Ten things you need to know about the Data Protection Regulation
Presentation to MRS Members Evening
10th February 2016
Dr Michelle Goddard, Director of Policy & Standards
Topics for tonight
Why is it important? What do you need to know?
How should you prepare?
Why this matters!
It’s been a long road to get here ….
2012
• European Commission GDPR proposals tabled
2014
• European Parliament adopted a first reading
2015
• Council of the EU agreed a general approach after trialogues
Dec 2015
• Informal Agreement reached on Compromise Text
From Directive to Regulation
… but the end is in sight
February 2016
• Translation of GDPR Compromise Text
April 2016
• Publication of Approved Text in Official Journal
May to June 2016
• GDPR enters into force in the UK
June 2018
• Enforcement of GDPR begins
Ten Things
1. Applies a harmonised regime directly in all Member States
2. Widens scope and application of data
3. Places liability on both data processors and controllers
4. Requires greater business accountability
5. Enhances individuals’ rights
6. Maintains exemption for research
7. Introduces notification of data breaches
8. Mandates appointment of Data Protection Officers
9. Raises standards for cross-border transfers
10. Increases fines and strengthens the enforcement regime
1. Directly applicable and harmonised
• From Directive to Regulation, with no need for national implementation
• Built-in consistency mechanisms such as the European Data Protection Board and the One-Stop Shop for enforcement
• …. but over 50 areas for national carve-outs and modifications in Union and Member State law
• … and will this affect ICO’s enforcement approach?
2. Much wider scope and application
• Expanded categories of personal data (including online identifiers); special categories, i.e. sensitive personal data, now include biometric and genetic data
• New explicit category of pseudonymised data as a security measure, but an art not a science
• Extra-territorial scope: applies to activities of controllers and processors within and outside the EU processing data of EU citizens, so need to consider appointment of a representative
3. Significant culture and risk shift for data processors
Data Controller
• Determines purposes and manner in which personal data is collected/used e.g. client companies
• New mandatory contract terms inc security measures, right of audit of DP, sub-processor approvals
• Liability still includes full range of enforcement action and liability for breach of contract
Joint Data Controller
• Determines (with other DC) purposes and manner in which personal data is collected/used e.g. research suppliers
• New mandatory contract terms inc security measures, right of audit of DP etc, and how data subjects can exercise rights and who provides information
• Liability still includes full range of enforcement action and liability for breach of contract
Data Processor
• Process data on behalf of others e.g. any other suppliers working on research data such as transcription, processing, coding, analysing, translation
• New mandatory contract terms inc seek approval of DC for appointment of sub-processor and data transfer out of EEA
• Direct liability now includes full range of enforcement action in addition to liability for breach of contract
4. Requires greater business accountability
• Reduction of administrative burdens, e.g. no notifications to ICO, but …
• Accountability and transparency requirements to:
o entrench privacy by design and default
o maintain good records, inc privacy policies/notices and detailed internal documentation on processing activities
o undertake privacy impact assessments for riskier or large-scale activities
o implement technical and security measures
• Some exemptions for SMEs but less useful for researchers
5. Enhances rights of individuals
Individual right and its status under GDPR:
• Right to data portability: New
• Right to erasure: New
• Right to restrict processing*: New but limited impact
• Right of access to data*: Strengthened – includes retention period and possibly free and within 30 days
• Right to information in notices: Strengthened – clearer and greater detail
• Right to object to different types of processing (including profiling and marketing)*: Strengthened – burden now on controller to demonstrate compelling grounds
• Right not to be evaluated on basis of automated processing: Equivalent provision
• Right to rectification (of inaccurate data)*: Equivalent provision
Obligation on DC to notify third parties for rectification, erasure or restriction
Need to promote these rights to individuals
6. Maintains an exemption for research
EFAMRO/ESOMAR gains from EU advocacy/lobbying include
Broad definition of research:
Scientific research purposes should be interpreted in a broad manner
Statistical research purposes include statistical surveys and their results may be used for other purposes
Research is a compatible purpose for further processing
Segmentation is not considered as profiling under the GDPR
Research exemption available to Member States
Grounds for processing research data under GDPR
• Research exemption
• Legitimate interests
• Consent … but remember obligations under MRS Code of Conduct
7. Personal data breaches must be notified
When? Without undue delay or within 72 hours
To whom? Controllers, supervisory authorities and/or individuals affected
Why? Likelihood of risk/high risk to individuals, but not if unlikely to cause harm, i.e. encrypted data breaches
8. Need to appoint Data Protection Officer
Who needs to appoint a data protection officer?
• Dependent on type of processing and risk, but likely to be mandatory for all researchers
• Businesses should publish contact details and advise ICO
What is their role?
• Act independently, reporting to highest level of management
• Should understand your business
• Liaison between business and data subjects/consumer champion?
• Employee (or outsourced) protected from dismissal
9. Raises standards for cross border transfers
• Current rules and mechanisms remain but will be kept under review
• Safe Harbor invalidity decision remains (not affected by this process)
• Adequacy decisions can be made by EU Commission for territories, sectors and states, such as the EU-US Privacy Shield
• Binding corporate rules still valid
• Some procedural streamlining/flexibility:
o Model clauses favoured and no longer require DPAs’ approval
o DPAs may also create own model clauses
o New avenue for transfers under approved codes of conduct
10. Higher legal risks of non-compliance
Heavy sanctions for non-compliance up to €20m (£15m) or 4% turnover
Increased powers for supervisory authorities and liaison with European Data Protection Board
Data subject claims for compensation for breaches
“Class actions” by consumer associations
…. and also reputational risks …
Reputation at risk
80% of people would think twice about giving their business to an online company that made headlines for failing to stop a data security breach
YouGov 2016 poll for ICO
How should you prepare?
GDPR Compliance Project should start now
1. Assess business risk through understanding data use
2. Draw up compliance plan covering IT systems, staffing and policies
3. Commit to best practice in research and data management
4. Keep up to date through MRS
Practical Tips
Obligation: Adhere to data controller or data processor compliance obligations
What your business needs to do:
• Audit and understand data use
• Review and strengthen existing data policies
o Review and revise legacy contracts to consider mandatory terms and negotiations on apportionment of liability
o Establish appropriate technical and security measures for data protection
o Consider adequacy of mechanisms for cross-border transfers, i.e. contracts with cloud providers
o Set up process for written record-keeping of all categories of personal data
o Consult with ICO on riskier activities and privacy impact assessments
Obligation: Respect individual rights
What your business needs to do:
• Use clearer language in privacy policies and fair processing notices, but cover off intended purposes
• Review getting consent and implement steps for recording
• Establish clear data retention and deletion policies and communicate retention periods to individuals
• Review mechanisms for consent of children online
• Work with IT to set up procedures and systems for individuals to exercise new rights of data portability and to be forgotten, and enhanced information and rectification rights etc
Practical Tips
Obligation: Promote accountability across the business
Practical tips:
• Set up demonstrable processes to ensure accountability
• Conduct individual and staff training
• Appoint a data protection officer, considering outsourcing and sharing the role
Obligation: Prepare for data breach notifications
Practical tips:
• Set up internal procedures/strategy for data breach identification
• Establish process for notification to DPA and individuals
• Explore what “risk” to individuals means
• Build in effective ways of detecting breaches
Obligation: Embed privacy by design and default in research projects
Practical tips:
• Collect minimum information required for research projects
• Maintain accurate and up to date/current databases
• Client side need to engage with product teams earlier in process
• Use anonymisation, pseudonymisation and encryption security techniques
Keep up to date
Guidance and tools: FAQs, webinars and guidance notes
But let us know how we can best help you: training areas; webinar topics; new guidance
Follow guidance from ICO
Seek advice from CodeLine Codeline@mrs.org.uk
Keep informed through MRS www.mrs.org.uk @tweetmrs
THANK YOU www.mrs.org.uk/standards