Data Protection Regulations
James Davies and Steve Lorber
23 April 2013

Crystal ball

Cheap data
• Statistics/visual imagery about how the workplace has changed over the last 15 years regarding the collection and use of data

1969 First email

The UK in October 1969

1984 First Data Protection legislation

1998 Act – key principles
What has this meant over last 15 years?
• Data subject requests
• Data protection policies - consent
• Transfer overseas especially to US
• “Light touch” enforcement
• Globalisation and other less light touch data protection laws

Who is this?
Christopher Graham, Information Commissioner

2005 ICO employment practices code

2007 ICO Personal Data Guidance

2010 Sanction increased to £500k

2013 ICO BYOD guidance

Data Protection – a brief history
Late 1960s First electronic messaging
1984 Original Data Protection law (minimal impact)
1998 Data Protection Act
2005 Employment Practices Code
2007 ICO Personal Data guidance
2010 Sanctions increase to £500k
2013 ICO BYOD guidance
TODAY Proposed General Data Protection Regulation

TODAY Draft Regulation

Data Protection Regulation – introduction
• What’s the problem?
• Commission solution
• Strategy
• Particular measures proposed
• Practical implications for now?

Data protection – the need for change
• Change in nature and extent of processing
• Globalisation
> Different rules in different states
> Cloud
• Employment context
> Volume
> Free-form data

Commission solution – a Data Protection Regulation
• What is a regulation?
• Aim
> One-stop shop
> Greater legal certainty and consistency throughout the EU
> Reduction of administrative burden
> Strengthened data subject rights
> Efficiency of supervision and enforcement
• And “it will save money” – not just red tape

Strategy proposed
• Strategy similar to current rules... but more:
> stricter data protection principles
> more specific and granular obligations
> more extensive individual rights... right to be forgotten...
• Backed up by tougher enforcement – fines of 2% of global turnover

Policy, process... and documentation (1)
• Internal documentation
> adopt policies
> implement measures to ensure compliance with policies
> be able to demonstrate compliance
> if appropriate, establish an audit

Policy, process... and documentation (2)
• Documentation for data subjects: extensive information including
> purposes of processing
> if justified by "legitimate interests"... what those interests are
> data subject rights and how to complain
> who gets to see it... recipients
> if data does not come from the data subject, who the source is

Policy, process... and documentation (3)
• Very granular... underscored by a new data protection principle
> for each processing operation, the controller must ensure and demonstrate compliance
• Lots of paper... but does it protect privacy?

Right to be forgotten
• Right to have personal data erased if
> no longer necessary in relation to the purposes for which it was collected
> consent withdrawn
> expiry of retention period
> processing is non-compliant
• If personal data has been made public, the controller shall take all reasonable steps to tell third parties
• Controller may restrict
> where there is an issue over accuracy
> where data is needed for purposes of proof (evidence of business operations)

Data security (1)
• Controller and processor must
> do a risk assessment
> implement technical and organisational measures to ensure security
• "Personal data breach" means a breach of security... leading to accidental or unlawful
> destruction, loss or alteration
> unauthorised disclosure

Data security (2)
• Duty to notify
• Duty to document breaches
• If the breach is likely to affect the privacy of data subjects, the controller must tell the data subject of the breach and what it is doing

Data protection by design
• "Data protection by design"... if developing the business in ways that impinge on personal data (e.g. a new HR system)
> implement to ensure compliance (having regard to cost and technology)
> ensure that by default the system:
> only processes data necessary for the purpose
> does not collect too much
> does not store too long
> controls

Data protection officer
• Controller and processor must establish a DPO if 250 employees or more
• What are the roles/functions of a DPO?
> Monitoring data protection breaches
> Contact point for supervisory authority
> Informing controller and processor of obligations under DPR (and documenting)
> Monitoring implementation of policies (including audit and training)
> Ensuring documentation is maintained
> Monitoring protection by design and security
> Monitoring data protection impact assessment

Remedies and sanctions
• Up to 2% of turnover
• Enforcement by "main establishment" regulator
> In EU – where purposes of processing are determined or, if not, where main processing takes place
> If not established in EU, must appoint a "representative"

Special rules on employment
• Regulation allows member states to adopt special rules for employment... but upwards only
> Extra conditions for processing
> Regulatory consent?
> Works Council approval?
• Defeats "one-stop shop"?

What to do now?
• Proposals will change...
• Share your thoughts with MoJ?
• Processing operations
> identify and record
> consider how you comply
• Establish the extent to which you use "consent" to justify processing... and find other ways

Thank you