Overview of the Law - AMCIS
GDPR: A YEAR ON
© SA Law 2019 | Every care is taken in the preparation of our materials. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.
St Albans 01727 798000
London 020 7183 5683
www.salaw.com | @SA_Law
WE ARE SA LAW. We help people like you with all aspects of their business, professional & personal lives.
WE ARE:
A full-service law firm based in London and St Albans
A team of expert solicitors who regularly write in industry press, national newspapers & online
WE HAVE:
Spoken to over 1000 people about GDPR
Achieved the Lexcel excellence quality mark
Achieved the top tier in The Legal 500 and Chambers and Partners legal directories
Vast experience in the education sector
WE CAN HELP YOU:
Be compliant
Grow
Stay competitive
Do business with others
Reduce risk & protect your interests
Translate issues so they are ‘board level ready’
And much more…
KEY DEFINITIONS
WHAT IS PERSONAL DATA?
Any information relating to identifying an individual (data subject), e.g.:
A photo
Email address
Bank details
Posts on social networking websites
Medical information
Computer IP address
WHAT IS SPECIAL CATEGORY DATA?
Any personal data consisting of information related to:
Race or ethnic origin
Political opinions
Religious beliefs
Trade union membership
Physical or mental health records
Alleged criminal activity
Genetic data
Biometric data
Processing: obtaining, recording, holding, organising, disclosing, minimising, deleting, maintaining, storing data
SPECIFIC CONSIDERATIONS FOR SCHOOLS
Student ID cards
CRB records
School registers & attendance information
DATA: WHO’S WHO
DATA CONTROLLER (DC)
An individual or organisation which determines the purpose of, and the manner in which, personal data are processed. e.g. Employer/HR
DATA PROCESSOR (DP)
A body or individual who processes the data on behalf of the data controller. e.g. Payroll provider/digital agency/printing company/outsourced provider
NOTE: Both controllers and processors may be liable to pay compensation to individuals who have suffered damage as a result of a breach of the GDPR.
GDPR: THE SIGNIFICANT CHANGES
DATA CONTROLLERS
A controller determines the purposes & the manner in which any personal data are processed. Must provide privacy notices covering:
- DPO
- Legal basis for processing
- Retention periods
- Right to object
- Right to complain
- Right to make a DSAR
DATA PROCESSORS
A processor processes the data on behalf of the data controller. Must maintain full documentation of all processing and should nominate a DPO.
DATA BREACHES
Mandatory requirement to report data breaches. Report within 72 hrs of becoming aware of the breach or provide ‘reasoned justification’.
CONSENT
The data controller has an obligation to demonstrate that consent has been unambiguous & freely given. Data subjects have the right to object / withdraw consent at any time, and consent will not be freely given if a contract is conditional on obtaining consent.
HARSHER PENALTIES
Maximum fine will be up to 20 million Euros or 4% of annual worldwide turnover.
MANDATORY PRIVACY IMPACT ASSESSMENTS
New risk-based approach to assess the degree of risk posed to data subjects in relation to a processing activity. For example: signing-in registers, CCTV, thumb-print scanning etc.
NEW RIGHTS
Most publicity = the right to be forgotten & erasure; implications for advertising and marketing materials.
SUBJECT ACCESS REQUESTS
Must reply within 1 month instead of 40 days and no scope for charging.
AUDITING
DATA PROTECTION PRINCIPLES
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
KEY AUDIT QUESTIONS
1. How did you gather the data?
2. How long have you held it for?
3. Is it necessary to obtain consent?
PROCESSING PERSONAL DATA – ARTICLE 6(1)
The best justification for processing is always CONSENT. In the absence of consent, you may be able to rely on these exemptions, where processing is necessary for:
Performance of a contract
Compliance with a legal obligation
Protecting vital interests where consent can’t be given
Public interest reasons
Legitimate interests of the data controller
PROCESSING SENSITIVE PERSONAL DATA – ARTICLE 9
The best justification for processing is always CONSENT. In the absence of consent, you may be able to rely on these exemptions:
Obligations under employment, social security law etc.
To protect vital interests where consent can’t be given
Processing by a not-for-profit body with a political/philosophical/religious/trade union aim
Data made public by the data subject
Reasons of substantial public interest, including:
Archiving purposes; historical, scientific, research or statistical purposes
Preventive or occupational medicine
The assessment of the working capacity of an employee
A medical diagnosis
N.B. SAFEGUARDING & DBS CHECKS
DATA SECURITY MEASURES
Risk-based approach. “Ensure a level of security appropriate to the risk”
Pseudonymisation
Encryption
Think of data security as an ongoing process
Ensure ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
Regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of processing
CONSENT
ICO GUIDELINES FOR CHILDREN
All information provided to children must be in clear plain language that they can easily understand
Need to obtain consent from parent or guardian to process child’s data
Required for children aged under 13, but best practice to obtain parental/guardian consent for ALL pupils
Protection particularly significant where children’s data used for marketing and creating online profiles, including photos
LEGITIMATE INTEREST ASSESSMENT (LIA)
In the absence of consent, legitimate interest is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
1. Identify a legitimate interest;
2. Show that the processing is necessary to achieve it; and
3. Balance it against the individual’s interests, rights and freedoms.
LEGITIMATE INTEREST ASSESSMENT (LIA)
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must be necessary. If you can achieve the same result in another less intrusive way, legitimate interests will not apply.
You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
You must include details of your legitimate interests in your privacy information.
ELECTRONIC MARKETING
PECR – PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS
Soft opt in
Clear opt out
GDPR – GENERAL DATA PROTECTION REGULATION
× No express consent
LIA
Include clear opt out
You must not send electronic mail marketing to individuals, unless:
They have specifically consented to electronic mail marketing from you; OR
They are an existing parent who has received communication from you in the past and you gave them a simple way to opt out, both when you first collected their details and in every message you have sent.
WHAT IS A PERSONAL DATA BREACH?
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR Art 4(12)).
Examples:
Disclosing information to an unauthorised person in a conversation
Losing equipment on which data is stored
Losing or leaving documents in a public space
Emailing the wrong person
Posting photographs on social media which have been taken inside the school with data in the background
Producing and sending bundles which have been contaminated with other documents
Key learning point: Thoroughly analyse all operations involving the processing of personal data to ensure compliance.
6 STEP DATA BREACH PROCEDURE
1. Breach or potential breach has occurred
2. Notify DPO at the point breach is suspected. Inform face to face or by phone; don’t rely on email
3. Trigger Data Breach Response Plan
4. Thoroughly investigate and document findings
5. If a personal data breach, notify the ICO and potentially the Data Subjects
6. Review policies & procedures; consider school-wide training or training of individuals
WHAT WE’VE LEARNT IN THE PAST YEAR
OBSERVATIONS
Data breach complaints increased by 160% between May and July 2018 in comparison with the same period in 2017
Increasing number of customers querying whether or not organisations are GDPR-compliant
More comprehensive analysis of what constitutes personal data
ICO has finalised its detailed guidance on children and GDPR
Data protection fee now applies to many organisations in the UK
HOW THIS AFFECTS YOU
Importance of DPOs
ICO attitude to breaches
Rise in Data Subject Access Requests (DSARs)
Pressure from third parties to sign up to new data protection policies
Children’s consent
Threats to report to ICO
ICO helpline
GOOD TO KNOW
A CIM survey conducted six months post-GDPR of 1,500 respondents found:
72% of customers say that they are aware of GDPR, a significant increase from 41% in May
50% of customers would take action to stop companies using their data if they didn’t want them to
41% of customers don’t think GDPR has slowed the communications they get from companies and organisations
42% of consumers think GDPR has improved how companies use their data
Source: CIM, November 2018
ACTION POINTS
Undertake regular data audits
Implement and review security measures – e.g. encryption, passwords
Update key policies and procedures
Data retention (consider culling data)
Make use of the ICO helpline
Ensure a data breach register is maintained
Provide appropriate training for staff (remember new joiners too)
Familiarise yourself with ICO guidance published since 25 May 2018
HINTS & TIPS
Keep your desk clear
Keep files securely
Use strong passwords and change them from time to time
Claim printing and photocopying straight away
Password protect documents containing sensitive data
Take care with emails. Check what you’re sending and who to
Save documents in a secure area
Don’t open suspicious emails
Dispose of paper sensibly. Recycle or shred?
If you are unsure, don’t be afraid to check someone’s identity
Suspect a data breach? Report it straight away
Follow your school’s policies and procedures
Make sure personal data is accurate and up to date
Treat parents’/pupils’ data as you would like your own data to be treated
Don’t remove files from the office unless absolutely necessary
ANY THOUGHTS OR QUESTIONS?
CHRIS COOK | Partner, Head of Employment & Data | [email protected] | 01727 798017
EMMA GROSS | Solicitor, Employment & Data Protection | [email protected] | 798049