Preparation for the General Data Protection Regulation .... Jane Briggs... · squirepattonboggs.com...

Preparation for the General Data Protection Regulation (GDPR) Teachers Pensions conferences 17 October 2017


Preparation for the General Data Protection Regulation (GDPR)

Teachers Pensions conferences

17 October 2017


Agenda

Background

Key changes

Preparing for the GDPR

Data mapping

Data processing agreements

Data security

Summary

Q&As


The General Data Protection Regulation

• 25 May 2018 deadline for compliance

• The Post-Brexit picture

• Data Protection Bill

• GDPR contains significantly more stringent requirements than the Data Protection Act 1998

• Consequences of non-compliance

ALL pension scheme trustees/managers will need to take action to ensure that they meet those requirements by 25 May 2018


Key changes affecting pension schemes

Data processors will have direct liability for breaches of the GDPR

Individuals must be given clear information about what is done with their data

Consent, if needed, must be clear and capable of being withdrawn

Full records of data processing

Mandatory data breach reporting

Privacy impact assessments

Data protection by design and by default


Data mapping

Article 30 GDPR

“Each controller … shall maintain a record of processing activities under its responsibility.”


Data mapping

Diagram: pension scheme trustees/managers at the centre, surrounded by:

• Payroll

• Employers

• Administrators

• Actuary

• Insurers

• Scheme secretary

• Brokers

• Non-EEA processing centres

• Data storage

• Legal advisor

• Consultants

• Auditors

• Financial advisors

• DC investment providers


Data mapping

• WHERE is the data?

• Identify recipients

• WHAT is the data?

• WHO does the data relate to?

• WHY is the data being processed?

• HOW is the data being kept secure?

• WILL the data be transferred outside the EEA?

• WHEN will the data be erased?


Data Mapping Questionnaire


Service provider and data processing agreements

All processors, e.g. employers, payroll, administrators, consultants

Agreements to be reviewed and revised prior to 25 May 2018

Processor or (joint) controller?


Service provider and data processing agreements

Data security and due diligence

Article 28 GDPR

“… the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”


Service provider and data processing agreements

Mandatory terms to be included in contracts

Transfers of personal data outside the EEA?

Liability and indemnities


Service provider and data processing agreements

Mandatory terms to be included in contracts

The subject matter and duration of the processing

The nature and purpose of the processing

The type of personal data and categories of data subjects

The obligations and rights of the controller

The obligations of the processor to:

• Only act on the written instructions of the controller

• Ensure that people processing the data are subject to a duty of confidence

• Take appropriate measures to ensure the security of processing

• Only engage sub-processors with the prior consent of the controller and under a written contract

• Assist the controller in responding to data subject requests to exercise their rights under the GDPR

• Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments

• Delete or return all personal data to the controller as requested at the end of the contract

• Submit to audits and inspections and provide the controller with any information to demonstrate compliance with its processor obligations under the GDPR. Processors are under an obligation to inform the controller if the instructions to the processor are in infringement of the GDPR or other data protection law.


Data security and due diligence

Article 32 GDPR

“… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …”


Data security – threats and consequences

Threats

• Hacking

• Loss of a laptop

• Non-encryption of data

• Stolen/cracked passwords

• Virus/malware

• Human error

By governments, criminals, political activists, disgruntled employees, bored teenagers

Ever changing, evolving

Consequences

• Business interruption

• Reputational loss

• Fines

• Professional costs

• Legal claims and complaints


Data security and due diligence

Appropriate technical and organisational measures

• Encryption and pseudonymisation of personal data

• Integrity, availability and resilience of processing systems and services

• Restoration of access to data following an incident

• Regular testing and evaluation of security measures

• Training

• Confidentiality and limits on use

• Policies and procedures

• Due diligence on providers

• Risk register


Data breach

Pensions industry attractive target for cyber attackers

Trustees/managers to adopt data breach response plan

ICO to be notified of data breach if likely to cause risk to individuals, without delay and, where feasible, within 72 hours

Members to be informed of breach without delay if breach is “high risk”


A change in mindset

• Privacy by design and default

• Not a standalone compliance exercise

• Data protection to be built into all decisions and actions


Summary

1. Don’t delay

• 25 May 2018 deadline

2. Cybersecurity

• Is your data secure?

• Cyber breach response plan

3. A new mindset

• Data protection to be built into all decisions and actions


Q&A


Speaker

Jane Briggs

Director

0113 284 7479

[email protected]