Lasa Webinar
Data Protection & EU Regulations
2016
Webinar Presenters
Miles Maier @LasaICT
Paul Ticher @PaulTicher
Supported by: London Councils
London Councils is committed to fighting for more resources for London and getting the best possible deal for London's 33 councils. London Councils has a website about its grants service. To read about our grants funding and the work of some of the 300 groups we support: www.londoncouncils.gov.uk/grants
• London For All – partnership of LVSC, Lasa, ROTA, WRC and HEAR
• Only pan-London service providing tech advice
• www.lvsc.org/londonforall/
About Lasa
• 30 years in the sector
• Technology leadership, publications, events and consultancy: www.lasa.org.uk
• Welfare Rights: www.rightsnet.org.uk
Webinar Tips
• Ask questions: post questions via chat or raise your virtual hand
• Interact: respond to polls during the webinar
• Focus: avoid multitasking. You may just miss the best part of the presentation
• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar
Paul Ticher
• Data Protection expert, author and trainer
• Specialist in information management and systems
• Many charity clients
Twitter: @PaulTicher
Data Protection: The new EU Regulation
12th May 2016
This presentation is intended to help you understand aspects of the EU General Data Protection Regulation and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
What Data Protection is about: 1
Protecting people
Protecting data
What Data Protection is about: 2
Privacy & choice
“Give us more money! Support our campaign!”
“But of course we told your social worker”
What Data Protection is about: 3
Individual rights, such as:
Right of Subject Access
Right to opt out of direct marketing
Right to compensation for harm
The current legal framework
EC Directive 95/46/EC
Data Protection Act 1998
Similar legislation in most other European countries
Privacy & Electronic Communications (EC Directive) Regulations 2003
Non-statutory Guidance and Codes of Practice, including:
Information Commissioner
Institute of Fundraising
The new Regulation
First draft January 2012
Extensive negotiations between Commission, Parliament and Council over nearly four years
Final agreed draft December 2015
Published May 2016 (Reg. 2016/679)
Coming into force 25th May 2018
It’s a Regulation, not a Directive
Themes
“The processing of personal data should be designed to serve [hu]mankind” (Recital 4)
More control over online services and large commercial organisations, especially multinationals
Emphasis on reducing risk
Limited extension of individual rights
Data Controller evidence of compliance
Main changes include:
Definition of consent tightened up … but still not always required
Tighter rules on children’s data (under 16), especially online
More transparency requirements
Data minimisation and pseudonymisation
More rights to have data erased
Provision for allocating responsibilities between joint Data Controllers
Data Processors carry more direct responsibilities
No registration: Data Controller has to keep records
Requirement to notify serious breaches
Bigger fines
Additional responsibilities on large organisations and those doing riskier processing
Consent
Consent is “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed” (Article 4(11))
“Where processing is based on consent, the controller shall be able to demonstrate that consent was given by the data subject … ” (Article 7(1))
“Silence, pre-ticked boxes or inactivity should … not constitute consent.” (Recital 32)
When is consent not required?
Similar conditions to now, including:
Processing is lawful [if it is] “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. …” (Article 6(f))
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” (Recital 47)
Where does this leave fundraising?
Definitions unclear: when does a communication become marketing?
How does the fundraising Code relate to the marketing provisions of the Regulation?
New Regulation does not rescind PECR
Therefore, consent is likely to remain the only reliable basis for most direct unsolicited fundraising
Consent has to involve “clear affirmative action”
Therefore, are we looking at opting in only?
Tighter rules on children’s data
Children deserve specific protection … as they may be less aware of risks, consequences, safeguards and their rights … . This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child. … (Recital 29)
Where [consent] applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 16 years … shall only be lawful if … consent is given … by the holder of parental responsibility over the child.
More transparency requirements
(Articles 13 & 14)
Data Subjects must usually be made aware of:
the identity and the contact details of the controller
the purposes as well as the legal basis of the processing
where relevant, the legitimate interests
any recipient(s); any overseas transfers
the storage period or criteria for deletion
right of access to data and rectification or erasure
right to withdraw consent at any time
the right to lodge a complaint to a supervisory authority
whether the provision of personal data is [contractually] required [or] the data subject is obliged to provide the data and … possible consequences of failure to provide [it]
Minimisation and pseudonymisation
Principle 3 now says data must be: “adequate, relevant and limited to what is necessary …” (“data minimisation”)
Data protection by design and by default (Article 25) stresses pseudonymisation as a security measure – especially for things like ‘big data’ analysis
Pseudonymisation means that the person is still identifiable but their identity can only be retrieved with the use of additional data which is held separately and securely
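Pseudonymisation in practice, as an added Python example (not taken from the slides or from Lasa): direct identifiers are replaced by a keyed pseudonym, so records about the same person can still be linked and analysed, while the key and the pseudonym-to-identity vault are the "additional data" held separately. The sample records, the key, the field names and the function names are all constructed for the example. Note that the postcode is left in the analysis dataset, which is exactly why the slide says the person is still identifiable: pseudonymised data remains personal data and still needs protecting.

```python
"""Pseudonymisation demo (constructed example, not the slides' own material).

The analysis dataset carries a pseudonym instead of name and e-mail.
Re-identification needs either the vault (pseudonym -> identity) or the
HMAC key plus a candidate list; both are stored apart from the dataset.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "N1 9GU", "donation": 25},
    {"name": "Bob Sample", "email": "bob@example.org", "postcode": "SE1 7PB", "donation": 40},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "N1 9GU", "donation": 10},
]

# Fields treated as direct identifiers and removed from the analysis dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Return (analysis_dataset, vault).

    The pseudonym is HMAC-SHA256(key, email), truncated for readability.
    The same person always gets the same pseudonym, so donations can be
    totalled per person without knowing who the person is. The vault maps
    pseudonym -> direct identifiers and must be stored separately from,
    and with stricter access than, the analysis dataset.
    """
    dataset, vault = [], {}
    for rec in records:
        pseudonym = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        vault[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        analytic_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"id": pseudonym, **analytic_fields})
    return dataset, vault


def reidentify(dataset_row, vault):
    """Recover the identity behind one row; returns None without the vault entry."""
    return vault.get(dataset_row["id"])


def total_per_person(dataset):
    """Analysis that works on pseudonyms alone: total donation per pseudonym."""
    totals = {}
    for row in dataset:
        totals[row["id"]] = totals.get(row["id"], 0) + row["donation"]
    return totals


if __name__ == "__main__":
    # In real use the key is generated once and kept in a separate secret store.
    key = secrets.token_bytes(32)
    dataset, vault = pseudonymise(RECORDS, key)
    print("analysis dataset:", dataset)
    print("totals per pseudonym:", total_per_person(dataset))
    print("re-identified row 0 (vault needed):", reidentify(dataset[0], vault))
```

The analysis dataset alone lets an analyst link and total records; turning a pseudonym back into a person requires the vault or the key, so access to those is what has to be restricted and logged.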
Rights to erasure, etc.
Data Subjects have the rights to require:
Rectification of inaccurate data (Article 16)
Completion of incomplete data (Article 16)
Erasure (“right to be forgotten”), with exceptions, but including removal of links (Article 17)
Restriction of processing in certain cases (Article 18)
Compensation for “material or non-material damage” (Article 82)
Also the right to complain to the supervisory authority
Data Controller responsibilities
Technical and organisational measures to ensure full compliance (Article 24)
Appropriate policies (including Data Protection by design and by default) (Articles 24 & 25)
Records of processing – what, who, how, etc. (Article 30)… but no registration (notification)
Joint Controllers must transparently “determine their respective responsibilities” – but each can be “liable for the entire damage” caused by a breach (Articles 26 & 82)
Data Processor responsibilities
(Article 28)
Data Controller still has responsibility to select competent Processors
More detailed rules about what has to be in the contract
Standard contracts should be available
Processor may be liable for breaches and other compliance (many obligations refer to the “controller or processor” – including processors based overseas)
Notification of serious breaches
(Article 33)
Must report (preferably within 72 hours) unless the breach is unlikely to result in a risk to individuals
Individuals must usually be notified where the breach is likely to result in a high risk to them
Processors must notify breaches to Controllers
Penalties (Article 79)
Breaches subject to two levels of penalty, depending on the breach:
€10 million or 2% of total worldwide turnover
€20 million or 4% of total worldwide turnover
(whichever is higher, in each case)
Large organisations & riskier activities
Impact assessments before starting innovative processing (Article 35)
Data Protection Officer, with specified competence and duties (Articles 37–39)
Selected other changes
Overseas transfers – slight loosening of the conditions that legitimise transfers (Article 49)
Jurisdiction over multi-national companies operating into Europe (including web-based) (Recital 101)
Scope for national variations in a number of places
Follow-up questions: [email protected]
LINKS TO SLIDES AND RECORDING SOON
HELP KEEP THIS SERVICE FREE BY COMPLETING THE EVALUATION
Twitter @LasaICT