Summary sheet
Practical steps you need to take to implement GDPR.
Key Areas.
data protection audits
data mapping exercises
Ensuring compliance
Information Commissioner's Office (ICO): the regulator of data protection in the UK.
The Information Commissioner, Elizabeth Denham, heads the ICO and will be enforcing the GDPR.
GDPR comes into effect on the 25th of May 2018
The reason it matters more, and the reason the Information Commissioner has been taking on so many new staff (about 200 at the last count), is that the sanctions are much higher: up to 20 million euros for a significant breach of GDPR by a data controller.
The First part of GDPR
The GDPR concepts and the data protection principles.
At the moment we comply with the Data Protection Act 1998 and its eight data protection principles.
From the 25th of May next year we'll comply with six principles under GDPR.
These are set out in article five of the regulation.
The first principle:
Personal data (information about an individual) will be processed lawfully, fairly and transparently.
Lawfully means you process it in line with the grounds for processing: you MUST always have grounds, which are set out in articles six and nine of the GDPR.
Fairly means you tell individuals what you're going to do with their information, in the form of a fair processing notice or privacy notice.
Transparently means being clear about what you are doing with that information.
The second principle:
You must process personal data for a specific, explicit and legitimate purpose, and not go further than that. Always think about the why: why are we processing this information, and what is our purpose? It's really important to think about the purpose. When you're doing your data mapping exercises, the "why" is one of the five W's.
The third principle:
Data must be adequate, relevant and limited to what's necessary for the purpose (this is the principle of data minimisation).
The fourth principle:
Personal information must be accurate and, where necessary, kept up to date; every reasonable step must be taken to keep it up to date.
The fifth principle:
Information can only be kept for as long as is necessary for the purpose.
If you choose to anonymise the information, it is no longer personal data. This is a key concept to remember. Does your school have a data retention policy? If not, it's important to start thinking about what data you keep and for how long.
The sixth principle:
Having appropriate technical and organisational measures:
security measures to keep data secure and safe.
The principles are the first part of GDPR.
Accountability:
ICO is keen that organizations demonstrate compliance with GDPR.
How do you demonstrate that compliance? By your processes, your policies, by writing things down and by implementing training.
The second part of GDPR
Individual rights:
There are a number of rights in GDPR, some of which exist under current data protection law and some of which are new.
These are rights that we all have as individuals, and as an organisation, school or academy we must respect them.
The first right:
Information must be provided to individuals at the time their data is collected.
This means you'll have to look at your data processing notices to make sure individuals are aware of what you do with their data.
The second right:
Subject access rights
You may have had subject access requests already; they continue to exist, but they are now free (you cannot charge a fee, whereas previously you could charge £10), and they must be complied with within a month of the request.
The third right:
Right of rectification:
This is linked to the principle of data accuracy. If data is inaccurate, individuals have a right to have it rectified.
The right to be forgotten:
Individuals have a right to erasure in certain circumstances. The circumstances in which the right to be forgotten applies are fairly limited, and organisations can resist that right in certain circumstances as well.
The fourth right:
Right to the restriction of processing.
An individual can say to an organisation, "I want you to hold the data, but don't do anything with it," for example because litigation is envisaged.
The fifth right:
Right to data portability.
All organisations must enable an individual to move their data from one organisation to another in a machine-readable format, which could be an Excel spreadsheet. This right was created primarily for customers of utility companies and banks, for example; they are probably the organisations that will receive most requests to port data. This is a new right.
The sixth right:
The right to object.
Individuals have a right to object to processing, particularly for direct marketing purposes, and profiling.
The seventh right:
Profiling.
Individuals have a right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects.
The third part of GDPR
The concepts we need to be careful about and make sure we comply with:
- Requirement to have a data protection officer (DPO)
- Need to notify ICO of personal data breaches within 72 hours
- Privacy by design
- (The concept that when a system is being built into your processes, it has to have privacy at its heart. It has to be designed with privacy in mind.)
- Record of processing activities
- Information about the processing you do.
- Following the principles, this records your purposes for processing, the data subjects you hold data about, what you do with it, and who you share it with.
- The requirement to carry out data protection impact assessments
- In certain circumstances, where the processing is likely to result in a high risk to the rights of natural persons, you need to carry out a data privacy impact assessment.
- Controllers and processors
- Working out, as a school or an academy, whether you're a controller of data or a processor.
- Whether you're a controller or a processor, you will now be subject to GDPR. At the moment, under the Data Protection Act, only controllers are obliged to comply with the law; from next May both controllers and processors will be subject to the requirements of GDPR. Processors are also potentially subject to fines of up to 10 million pounds or 2% of their global turnover.
The above are the key concepts. Think about the 25th of May next year and where you want to be. The Information Commissioner has a helpful blog on where you need to be and what you need to be doing. It's about doing the most risky things first: look at where the riskiest processing is happening within the organisation and tackle that first. Look at training for your staff as well, since all teachers will become data processors.