Introducing the General Data Protection Regulation 2016
Governance Services
14.07.2017
Housekeeping
Fire exit -
Toilets -
Please put mobile phones on ‘silent’
What – Why - When?
GDPR repeals Directive 95/46/EC, on which our own Data Protection Act 1998 was built.
The Regulation is directly applicable and does not require any domestic law to be written; it must be implemented ‘as is’.
DPA: compliant until proven not to be
GDPR: must prove compliance from day 1
Key Legislative Changes
• 7 Principles
• Code of Practice
• Data Protection Officer
• Child Consent
Key Legislative Changes – Managing our Data
Records of Processing Activities [Article 30]
This is the mechanism which requires organisations to evidence compliance with the GDPR.
Consent must be:
• requested using clear language
• intelligible and accessible
• provided with the ability to withdraw
• provable that necessary consent was given
Consent will be required from a child aged 16 (UK law may lower this to 13) to process data in regard to information society services (online services).
Key Legislative Changes – Data Subject Rights
• The right to restrict processing
• Rights in relation to profiling
• Right to rectification
• Right to erasure
Key Legislative Changes – Data Subject Rights
Subject Access Rights (SARs) have been amended:
• Can be delivered:
o In-house
o Outsourced
o Clustered
Key Legislative Changes – Security
ENCRYPTION
• Ensure you have encryption activated on devices
• Extend to removable media
SERVICE CONTINUITY
• Make sure your business continuity plan covers IT
• Ensure your Disaster Recovery Plan is up to date
PROTECTION
• Apply security patches quickly
• Ensure regular penetration testing
• Train your staff
Key Legislative Changes – Outsourcing
• Data Processors (i.e. third party contractors) will now have specific legal obligations to maintain records of personal data and processing activities.
ROPA – Know what data you use and how you use it: ensure you have an information Asset Register and map your data flows fully to create your Records of Processing Activity.
Privacy by Design – Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, outsourcing, risk etc.).
Training & Awareness – Arrange training for staff to ensure their understanding of the requirements of the GDPR; this is an on-going requirement.