
Information Governance Support

Introducing the General Data Protection Regulation 2016

Information Governance Services



06.06.2017

14.07.2017
Housekeeping

Fire exit -
Toilets -
Please put mobile phones on ‘silent’
What – Why - When?

GDPR repeals Directive 95/46/EC, on which our own Data Protection Act
1998 was built.

The Regulation is directly applicable in every Member State: it does not
need to be transposed into domestic law and must be implemented 'as is'.

The current DPA is not fit for the digital age.

GDPR applies from 25 May 2018.

Brexit does not affect the implementation of this Regulation.


What is the key difference between DPA and GDPR?

DPA: an organisation is treated as compliant until proven not to be.

GDPR: the organisation must be able to prove its compliance from day one
(the accountability principle).
Key Legislative Changes

• Code of Practice
• 7 Principles
• Data Protection Officer
• Child Consent
Key Legislative Changes – Managing our Data

Records of Processing Activities [Article 30]
This is the mechanism which requires organisations to evidence compliance
with the GDPR.

A Record of Processing Activities is built from:
• Information Asset Register
• Data Flow Mapping
• 'Privacy by Design' elements
• Categories of Data Subjects
• Legal Basis / Conditions for processing
• Recipients
Key Legislative Changes – Privacy by Design & Default

• Privacy must be considered at the start of any work to amend or bring in
new processes or systems
• Privacy Impact Assessments (Data Protection Impact Assessments under
Article 35) will have to be undertaken where processing is likely to result in a
high risk to individuals
• Need to understand statutory duties and what the law requires you to do
with personal data
• Biometric data used to identify a person is a Special Category of Data
• Data Subject Rights are increased and strengthened
• Higher bar set for privacy notices and consent processes
Key Legislative Changes – Privacy Notices

• Ensure you have an online privacy notice on your school website
• Ensure all points of data collection are signposted to your online notice
• To comply with GDPR you will need to add:
  • Legal basis for the processing
  • Contact details for your DPO
  • Security arrangements for overseas transfers
  • Profiling – where applicable
  • Automated decision-making – where applicable
• Meet accessibility requirements
Key Legislative Changes - Consent

Consent must be freely given, specific, informed and an unambiguous
indication of the data subject's wishes (and explicit where special category
data is processed). It must be:

• requested using clear, intelligible and accessible language
• provided with the ability to withdraw consent as easily as it was given
• provable: you must be able to show that the necessary consent was given

Consent for information society services (online services) offered directly to a
child must come from the parent or guardian where the child is under 16
(UK law may lower this to 13).
Key Legislative Changes – Data Subject Rights

• The right to restrict processing
• The right to data portability
• Rights in relation to profiling
• The right to rectification
• The right to erasure
Key Legislative Changes – Data Subject Rights

Subject Access Rights (SARs) have been amended:

• Disclosure must now be made without undue delay and in any event within one
month of receipt [Article 12(3)] (this deck plans on 20 working days, which sits
inside that limit)
• The period can be extended by up to two further months for complex or numerous
SARs (the deck's 40 working days), but the requestor must be advised of this,
with reasons, within the first month
• Can't charge for a SAR
• For 'manifestly unfounded' or excessive requests, particularly where they are
repetitive, we are allowed to either:
  – refuse the request, explaining why, or
  – charge a reasonable fee for the SAR
• It is no longer a requirement for requestors to advise where their data
might be held (i.e. tell us which services they have received)
Key Legislative Changes – Data
Protection Officer (DPO)

• All public Bodies (incl. schools) must appoint a DPO

• This is a statutory position

• Must be experienced and qualified to take on the role

• Can be delivered:
o In-house
o Outsourced
o Clustered
Key Legislative Changes – Security

ENCRYPTION
• Ensure you have encryption activated on devices
• Extend to removable media

SERVICE CONTINUITY
• Make sure your business continuity plan covers IT
• Ensure your Disaster Recovery Plan is up to date

PROTECTION
• Apply security patches quickly
• Ensure regular penetration testing
• Train your staff
Key Legislative Changes – Outsourcing

ROPA
• Data Processors (i.e. third party contractors) will now have specific legal
obligations to maintain records of personal data and processing activities.

Fines
• Where we can prove that a breach resulted from a processor not following our
instructions, they will be held accountable for the breach and any resulting fine.

Contracts
• All contracts will need to be reviewed prior to 25th May 2018 to ensure
contract provisions meet GDPR requirements, e.g.
  • No sub-contracting without the prior written authorisation of the Controller
  • The processor may only process on the Controller's documented instructions,
unless required to do so by EU or Member State law
Key Legislative Changes – Breaches

A new requirement to report personal data breaches that are likely to result in a
risk to individuals to the ICO within 72 hours of becoming aware of them
[Article 33]; where the breach is likely to result in a high risk, the affected data
subjects must also be told without undue delay [Article 34]. Failure to notify a
breach can result in a significant fine of up to 10 million euros (or 2% of turnover,
whichever is higher).

Medium breaches of data protection are subject to administrative fines, whichever
is higher of the following:
• up to 10,000,000 EUR
• up to 2% of the total worldwide annual turnover of the preceding financial year
(in the case of an undertaking)
• Focussed on process failures

Major breaches of data protection are subject to administrative fines, whichever
is higher of the following:
• up to 20,000,000 EUR
• up to 4% of the total worldwide annual turnover of the preceding financial year
(in the case of an undertaking)
• Focussed on incidents which are likely to cause damage and distress

The Data Subject is at the centre of claims for compensation.

The Data Controller must pay up front and then recoup from the Data Processor
where appropriate.
Where do we start?

Requirement: Know what data you use and how you use it
Activity: Ensure you have an Information Asset Register and map your data flows
fully to create your Records of Processing Activity

Requirement: Privacy by Design
Activity: Review your data and ensure that your privacy notices and other policies
align (e.g. consent, PIA, outsourcing, risk etc.)

Requirement: Roles & Responsibility
Activity: Appoint a Data Protection Officer

Requirement: Training & Awareness
Activity: Arrange training for staff to ensure their understanding of the
requirements of the GDPR; this is an on-going requirement

Requirement: Incident Management
Activity: Have a robust policy and process to manage security incidents
Where can you get help?

WEISF.ESSEX.GOV.UK – Templates & guidance
ICO.org.uk – Regulatory guidance & Codes of Practice
IGS@essex.gov.uk – Traded support services


Questions/Discussion Time
Guidance on the GDPR can be found at:

GDPR – Full Text:
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

ICO EU DP Reform Microsite:
https://ico.org.uk/for-organisations/data-protection-reform/

ICO 12 steps to preparing for the GDPR:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Whole Essex Information Sharing Framework (WEISF) portal:
Weisf.essex.gov.uk
Simplify
We have the knowledge and experience to
simplify your challenges
