Data protection
Download as PPT, PDF1 like3,380 views
The document summarizes proposed changes to data protection regulations in the European Union. The key points are: 1) The proposed General Data Protection Regulation aims to standardize data protection laws across EU states through a single set of rules and increased individual rights and enforcement. 2) The regulation proposes stricter obligations for organizations around data documentation, security, privacy by design, and appointing data protection officers. It also strengthens individual rights like the "right to be forgotten." 3) Non-compliance could result in fines of up to 2% of global annual turnover. Organizations are advised to review their data processing and protection practices in preparation for the new regulations.
Data protection
- 1. Data Protection Regulations James Davies and Steve Lorber 23 April 2013
- 2. Crystal ball
- 3. Cheap data • Statistics/visual imagery about how workplace has changed over last 15 years re collection and use of data
- 4. Data Protection – a brief history Late 1960s First electronic messaging
- 6. The UK in October 1969
- 7. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact)
- 8. 1984 First Data Protection legislation
- 9. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact) 1998 Data Protection Act
- 10. 1998 Act – key principles
- 11. What has this meant over last 15 years? • Data subject requests • Data protection policies - consent • Transfer overseas especially to US • “Light touch” enforcement • Globalisation and other less light touch data protection laws
- 12. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact) 1998 Data Protection Act 2005 Employment Practices Code
- 13. Who is this? Christopher Graham, Information Commissioner
- 14. 2005 ICO employment practices code
- 15. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact) 1998 Data Protection Act 2005 Employment Practices Code 2007 ICO Personal Data guidance
- 16. 2007 ICO Personal Data Guidance
- 17. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact) 1998 Data Protection Act 2005 Employment Practices Code 2010 Sanctions increase to £500k 2007 ICO Personal Data guidance
- 18. 2010 Increase sanction to £500k
- 19. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact) 1998 Data Protection Act 2005 Employment Practices Code 2010 Sanctions increase to £500k 2013 ICO BYOD guidance 2007 ICO Personal Data guidance
- 20. 2013 ICO BYOD guidance
- 21. Data Protection – a brief history Late 1960s First electronic messaging 1984 Original Data Protection law (minimal impact) 1998 Data Protection Act TODAY Proposed General Data Protection Regulation 2005 Employment Practices Code 2010 Sanctions increase to £500k 2013 ICO BYOD guidance 2007 ICO Personal Data guidance
- 23. Data Protection Regulation – introduction • What’s the problem? • Commission solution • Strategy • Particular measures proposed • Practical implications for now?
- 24. Data protection – the need for change • Change in nature and extent of processing • Globalisation Different rules in different states Cloud • Employment context volume free-form data
- 25. Commission solution – a Data Protection Regulation • What is a regulation? • Aim one-stop shop greater legal certainty - and consistency throughout EU reduction of administrative burden strengthened data subject rights efficiency of supervision and enforcement • And “it will save money” – not just red tape
- 26. Strategy proposed • Strategy similar to current rules....but more stricter data protection principles more specific and granular obligations more extensive individual rights...right to be forgotten... Backed up by tougher enforcement – fines of 2% of global turnover
- 27. Policy, process...and documentation (1) • Internal documentation adopt policies implement measures to ensure compliance with policies be able to demonstrate compliance if appropriate establish an audit
- 28. Policy, process...and documentation (2) • Documentation for data subjects Extensive information including > purposes of processing > if justified by "legitimate interests" ...what those interests are > data subject rights and how to complain > who gets to see it ....recipients > If data does not come from data subject, who the source is
- 29. Policy, process...and documentation (3) • Very granular..... underscored by new data protection principle for each processing operation, controller must ensure and demonstrate compliance • Lots of paper .....but does it protect privacy?
- 30. Right to be forgotten • Right to have personal data erased if no longer necessary in relation to purposes for which collected consent withdrawn expiry of retention period processing is non- compliant
- 31. Right to be forgotten • If personal data has been made public, controller shall take all reasonable steps to tell third parties • Controller may restrict where issue over accuracy data needed for purposes of proof (evidence of business operations)
- 32. Data security (1) • Controller and processor must do risk assessment implement technical and organisations measures to ensure security • "Personal data breach" means breach of security .... leading to accidental or unlawful destruction, loss or alteration unauthorised disclosure
- 33. Data security (2) • Duty to notify • Duty to document breaches • If breach is likely to affect privacy of data subjects, controller must tell data subject of breach and what it is doing
- 34. Data protection by design • "Data protection by design" ...if developing business in ways that impinge on personal data (e.g. a new HR system) implement to ensure compliance (having regard to cost and technology) ensure that by default system > only processes data necessary for purpose > does not collect too much > does not store too long > controls
- 35. Data protection officer • Controller and processor must establish a DPO if 250 employees or more • What are the roles/functions of a DPO?
- 36. Data protection officer • Controller and processor must establish a DPO if 250 employees or more • What are the roles/functions of a DPO?
- 37. Data protection officer Monitoring data protection breaches Contact point for supervisory authority Informing controller and processor of obligations under DPR (and documenting) Monitoring implementation of policies (including audit and training) Ensuring documentation is maintained Monitoring protection by design and security Monitoring data protection impact assessment
- 38. Remedies and sanctions • Up to 2% of turnover • Enforcement by "main establishment" regulator In EU - where purposes of processing determined or, if not, where main processing takes place If not established in EU, must appoint a "representative"
- 39. Special rules on employment • Regulation allows members states to adopt special rules for employment....but upwards only Extra conditions for processing Regulatory consent? Works Council approval? • Defeats "one-stop" shop?
- 40. What to do now? • Proposals will change............ • Share your thoughts with MoJ? • Processing operations identify and record consider how you comply • Establish extent to which you use "consent" to justify processing...and find other ways
- 41. Thank you