Public Sector Organisations - are you GDPR ready?

Data Protection Practitioners’ Conference 2018 #DPPC2018
Are we a public authority?

Public authority is not defined in the GDPR. It will be defined in the Data Protection Act 2018 (when passed).

It is likely that if you are a public authority as defined under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002, you will be a public authority for the purposes of the GDPR.

What lawful bases should we use?

Consent: the individual has given clear consent for you to process their personal data for a specific purpose

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)

Vital interests: the processing is necessary to protect someone’s life

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests

What lawful bases should we use?

The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences.

You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies.

Once you have identified your lawful basis, you must document it and update your privacy notice to explain it.

Documenting your lawful basis will help you comply with the GDPR’s ‘accountability’ requirements.

Public task?

One of the differences between the old conditions for processing and the new lawful bases is that public authorities now need to consider the new ‘public task’ basis for most processing.

The ‘public task’ basis can apply where the processing is necessary for you to perform a task in the public interest or in the exercise of your official authority (for example a public body’s tasks, functions or powers).

There must be a clear basis in law for the relevant task or function.

It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Consent or legitimate interest?

In many circumstances consent may not be the most appropriate lawful basis. You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.

If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate.

You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. More information can be found in the lawful basis section of our Guide to GDPR.

Consent or legitimate interest?

For example:

Universities and museums are likely to be classified as public authorities, so the ‘public task’ basis is likely to apply to much of their processing.

But where they are processing personal data separate from their tasks as a public authority, then they may instead wish to consider whether either the lawful basis of consent or that of legitimate interests is appropriate.

These bases could apply, for example, where they are processing personal data for alumni relations or for fundraising purposes.

There are other lawful bases which could also be relevant. For more information see the lawful basis section of our Guide to GDPR.

Do we need to appoint a DPO?

Public authorities must appoint a DPO (except for courts acting in their judicial capacity).

You will need to provide the ICO with the contact details of your DPO when you pay your fee.

Can organisations share a DPO?

Yes, you may appoint a single DPO to act for a group of public authorities, taking into account their size and structure.

However, you must ensure that the DPO is still able to perform their tasks effectively and is easily accessible.

Special categories of personal data

“Special Category Data” under the GDPR is broadly similar to the concept of “Sensitive Personal Data” under the DPA 1998.

It is personal data which is more sensitive, and so needs more protection.

The special categories have been expanded to include genetic data and biometric data where it is processed to uniquely identify an individual.

Special categories of personal data

• Race or ethnicity
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric
• Physical or mental health
• Sexual life or orientation

Special categories of personal data

Under GDPR, if you are processing special category data you must have a lawful basis for processing under Article 6 (as you would for other personal data), but you must also satisfy a condition under Article 9:

• Explicit consent
• Employment law
• Vital interests of anyone
• Not-for-profit TU/religious/political/philosophical groups
• Already in public domain
• Legal proceedings/advice
• Substantial public interest
• Medical purposes
• Public health
• Archiving in public interest, scientific/historical research purposes or statistical purposes

Criminal offence data

The GDPR rules for special category data do not apply to information about criminal allegations, proceedings or convictions.

Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10.

To process such data, you must have both a legal basis under Article 6 and either legal authority or official authority for the processing under Article 10.

Article 10 also specifies that you can only keep a comprehensive register of criminal convictions if you are doing so under the control of official authority.

Data sharing agreements under GDPR

If you have an existing data sharing agreement, and this agreement complies with the Data Protection Act 1998, it is likely you can still share data under the GDPR. You should still review any existing agreements to ensure that any data sharing is fair and transparent and complies with the requirements of GDPR.

A data protection impact assessment (DPIA) may need to be carried out for any new or revised data sharing, especially if you are using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals.

You should also be aware that GDPR contains explicit provisions about documenting processing activities, including maintaining records on data sharing. There is a limited exemption for small and medium-sized organisations.

What rights will exist under GDPR?

• Be informed
• Access
• Rectification
• Erasure
• Restrict processing
• Data portability
• Object
• ADM/Profiling

Right to be informed

Individuals have the right to receive privacy information such as:

• How their data will be processed
• Who it will be shared with
• What their rights are with respect to it

The information you supply must be:

• Concise, transparent, intelligible and easily accessible
• Written in clear and plain language, particularly if addressed to a child AND
• Provided free of charge

Right of access

Individuals have the right to:

• Have confirmation that their data is being processed
• Be aware of and verify the lawfulness of the processing
• Request access to their personal data

You must:

• Take reasonable steps to verify the identity of the requestor
• Comply with such requests within 1 calendar month
• Provide data free of charge

Right of access

You may charge a reasonable fee or refuse to respond when a request is manifestly unfounded or excessive, particularly if it is repetitive.

Where you refuse a request, you must explain why to the individual, informing them of their right to complain to the ICO and to a judicial remedy without undue delay and at the latest within one month.

The fee must be based on the administrative costs of providing the information.

If a request is made electronically, you should provide the information in a commonly used electronic format.

It would be considered best practice, where possible, to provide remote access to a secure self-service system which would provide individuals with direct access to their information.

Where you process a large quantity of information, the GDPR permits you to ask the individual to specify the information that the request relates to.

Right to rectification

Individuals have the right to:

• Their personal data being accurate
• Request inaccurate data be corrected and incomplete data completed

You must:

• Correct inaccurate matters of fact and confirm rectification
• Inform recipients of incorrect data of the rectification
• Inform the data subject if you are not amending the record and why

Right to erasure

Individuals have the right to erasure if:

• Personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
• Individuals withdraw consent
• Their data has been unlawfully processed
• There is a legal obligation to erase
• The data was added to social media when the individual was a child

You must:

• Comply with the request unless you have a legal obligation to continue processing the data
• Take steps to inform any other processors of the data subject’s request for erasure if personal data has been made public

Right to restrict processing

Individuals can request:

• Restriction of processing until an accuracy claim is verified
• Retention of unlawfully processed data
• Retention of data for exercise or defence of legal claims

You must:

• Take steps to ensure the restriction as requested
• Inform the data subject if data processing will recommence and why

Right to data portability

Individuals have the right to:

• Receive their personal data in a structured, commonly used and machine readable format.
• Transmit their data to another controller without hindrance.

This right only applies if:

• The individual has provided you with their personal data
• The data is processed by consent or a contract AND
• Processing is carried out by automated means

This right does not apply when the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of your official authority. However, it may be good practice to provide for portability regardless.

Right to object

Individuals have the right to object to:

• Processing for direct marketing
• Processing if done in the public interest or for your legitimate interests, including profiling

You must:

• Comply immediately if you are direct marketing! No exemptions!
• For public and legitimate interests, comply unless you can demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims

Rights in relation to ADM including profiling

Under Article 22, individuals have the right not to be subject to a decision when:

• It is based solely on automated processing, including profiling AND
• It produces a legal or similarly significant effect on the individual

You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:

• Give individuals information about the processing
• Introduce simple ways to request human intervention or challenge a decision
• Carry out regular checks to make sure that your system works as intended

What rights will exist under GDPR?

Your obligation to uphold these individual rights may vary depending on the lawful basis you are relying on.

For example, individuals’ rights to erasure and data portability do not apply where you are processing on the basis of ‘public task’, but individuals will have a right to object.

Please see the Individual Rights section of our Guide to the GDPR for further information.

Accountability under GDPR

The GDPR’s accountability principle (Article 5(2)) requires you to be able to demonstrate how you comply with the data protection principles.

This can be demonstrated by having effective policies and procedures in place, such as:

• Processing data in a transparent manner
• Maintaining records of processing
• Appointing a DPO
• Carrying out DPIAs

Transparency under GDPR

The first principle of the GDPR requires you to process data in a transparent manner in relation to the data subject (Article 5(1)(a)).

The GDPR emphasises the need for transparency over how you use personal data. This can be achieved by providing individuals with privacy information (typically through a privacy notice) such as how their data will be processed, who it will be shared with and what their rights are with respect to it (Articles 13 and 14).

If individuals know this information from the outset, they will be able to make informed decisions in relation to their personal data.

Any information you supply relating to the processing of personal data should be easily accessible, easy to understand and written in clear and plain language.

Security under GDPR

Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).”

You are required to implement appropriate technical, organisational and security measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. This may include:

• Staff training
• Internal audits
• Pseudonymisation and encryption
• A process for regularly testing, assessing and evaluating measures
• Breach management
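The slide names pseudonymisation as one technical measure. As an added example that is not part of the ICO deck, the Python below shows keyed pseudonymisation with HMAC-SHA256: direct identifiers are replaced by pseudonyms that still allow records for the same person to be linked, while the secret key is held separately from the dataset so the pseudonyms cannot be attributed back to an individual without it. The record fields and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers in the constructed records below.
DIRECT_IDENTIFIERS = ("name", "email")


def generate_pseudonymisation_key() -> bytes:
    """Secret key; store it apart from the pseudonymised dataset (e.g. in a
    key store with its own access control), never alongside the records."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Map a direct identifier to a keyed HMAC-SHA256 pseudonym.

    The same identifier under the same key always yields the same pseudonym,
    so linkage across records is preserved. Normalising case and whitespace
    keeps 'A@x.org' and ' a@x.org ' linked. Without the key, the pseudonym
    cannot be reversed or recomputed from a guessed identifier.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with each direct identifier replaced."""
    result = []
    for record in records:
        copy = dict(record)  # leave the caller's original records untouched
        for field in fields:
            if field in copy:
                copy[field] = pseudonymise(copy[field], key)
        result.append(copy)
    return result


# Constructed sample data, not real personal data.
CONSTRUCTED_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org", "service": "library"},
    {"name": "B. Sample", "email": "B.Sample@example.org", "service": "housing"},
    {"name": "A. Example", "email": "A.Example@example.org", "service": "parking"},
]

if __name__ == "__main__":
    key = generate_pseudonymisation_key()
    for row in pseudonymise_records(CONSTRUCTED_RECORDS, key):
        print(row)
```

Rotating or losing the key breaks linkage with previously issued pseudonyms, so key custody needs the same care as the records themselves.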

Breach reporting

Notify ICO:

• Not later than 72 hours (can add detail later)
• Where likely to result in a risk to the rights and freedoms of individuals

Notify data subject:

• Without undue delay
• Where likely to result in a high risk to the rights and freedoms of individuals

Keep in touch

Subscribe to our e-newsletter at www.ico.org.uk or find us on:

• /iconews
• http://ico.org.uk/livechat
• @iconews
