An Overview of GDPR by Pathway Group
1 like81 views
The document provides an overview of the General Data Protection Regulation (GDPR), highlighting its implications for businesses in the UK and the importance of compliance. It notes that a significant portion of the private sector is unprepared for GDPR, which introduces enhanced rights for data subjects and stricter responsibilities for data controllers and processors. Key changes include increased penalties for non-compliance and the requirement for clear consent from individuals regarding the processing of their personal data.
![AN OVERVIEW OF GDPR
MASOOD BUTT – COMMERCIAL & REGULATORY LAWYER
AHSAN HUSAIN – HEAD OF MIS & IT AND [DATA COMPLIANCE]](https://image.slidesharecdn.com/8gdpr4pathwaygroup03-180613105019/85/An-Overview-of-GDPR-by-Pathway-Group-1-320.jpg)
![AN OVERVIEW OF GDPR
MASOOD BUTT – COMMERCIAL & REGULATORY LAWYER
AHSAN HUSAIN – HEAD OF MIS & IT AND [DATA COMPLIANCE]](https://image.slidesharecdn.com/8gdpr4pathwaygroup03-180613105019/85/An-Overview-of-GDPR-by-Pathway-Group-17-320.jpg)
An Overview of GDPR by Pathway Group
- 1. AN OVERVIEW OF GDPR MASOOD BUTT – COMMERCIAL & REGULATORY LAWYER AHSAN HUSAIN – HEAD OF MIS & IT AND [DATA COMPLIANCE]
- 2. DISCLAIMER The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
- 3. Some Research based FACTS 1. 98% of the UK private sector is not ready for the GDPR 2. 84% of the small and medium sized businesses and 43% of the large companies are unaware of the implications of the GDPR. 3. 75% of the data held by companies shall become unuseable or risky after GDPR. 4. 48% of the adults surveyed in the UK confirmed they shall exercise their rights to Data protection afforded under GDPR.
- 4. Contents Data Protection Frame Work GDPR – Responsibilities GDPR – Changes GDPR - Exemptions GDPR – Rights Penalty TEN HIGH LEVEL STEPS
- 5. Data Protection Framework 1. Data Protection Directive EU 95/46 2. Data Protection Act 1998. 3. Information Commissioner’s Office (ICO). 3. A 2008 Council Framework Decision applies to the cross- border processing of personal data in police and judicial cooperation in criminal matters. 4. Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014.
- 6. Data Protection framework 1. The EU’s Charter of Fundamental Rights and Freedoms. 2. In January 2012, a new EU legislative framework for data protection. In its now finalised form, this has two elements: • The General Data Protection Regulation (“GDPR”) EU 2016/679 • The Police and Criminal Justice Directive (the “Law Enforcement Directive” (LED), also known as the “PCJ Directive”) EU 2016/680
- 7. The General Data Protection Regulation (GDPR) Passed on 24 May 2016 Coming into force on 25th May 2018 Duty Holders: Data controllers - the persons or bodies that determine the purposes and means of processing of personal data) and Data processors - those who process personal data on behalf of a controller. Right Holders: Data subjects - (the individuals whose personal data is being processed). Data – any information relating to an identifiable natural person –Art 4 (1) Personal Data Breach means breach of security accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data stored, processed or transmitted. (Art 4 (12)
- 8. Changes made by GDPR •Territorial scope •Data protection by design and default •A European Data Protection Board •Increased penalties •Data protection officers •A “one-stop shop” principle • Enhanced transparency duties when communicating with data subjects
- 9. Exemption - Art 9 Exempted for data subjects, where processing does not include data on; Racial; Ethnic; Political opinions; Religious or philosophical beliefs; Trade union membership; Genetic data; Biometric data; Health data; Sex life or sexual orientation data;
- 10. Exemptions – Art 30(5) •Organisation employs less than 250 staff; • unless •Likely to result in a risk to the rights or freedoms; •Occasional processing; •Special categories as above; •Data relating to criminal conviction and offences.
- 11. Data subject rights Lawful processing – express and specific consent - Art 6 Right to withdraw consent at any time - Art 7 Right of access - Art 15 Right to rectification - Art 16 Right to erasure (forgotten) - Art 17 Right to restriction - Art 18 Right to be notified Art - 19 Right to data portability - Art 20 Right to object - Art 21 Right for not to be profiled automatically - Art 22 Right to lodge a complaint to supervisory authority - Art 77 Right to an effective judicial remedy against controller or processor - Art 79 Right to compensation for damages - Art 82
- 12. The General Data Protection Regulation (GDPR) Strengthened consent is one of the major changes that the GDPR will make for data subjects. Article 4 (11) defines consent as follows: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The definition’s references to “unambiguous” and “clear affirmative action” are new. A data controller must be able to demonstrate that a data subject has consented to the processing of their personal data. It must be possible to withdraw consent at any time. Article 7 (conditions for consent) states: 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- 13. PENALTY Non compliance with an Order of supervisory body be subject to 20,000 000 EUR or 4% global annual turn over - Art 83
- 14. Further costs • In addition to the sanctions, fines and reputational damage. • Problems which are only identified after the project has launched are more likely to require expensive fixes. • The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation. • Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business. • Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business. • Data losses which damage individuals could lead to claims for compensation.
- 15. Ten HIGH LEVEL STEPS Here are ten high-level steps to help you prepare. 1 be aware and be accountable; 2 Create/Renew Data Policy; 3 Classify Risk & Retention; 4 Evaluate and actively manage existing contracts with third party service providers; 5 Establish, embed and test a procedure to handle personal data incidents • Increase internal privacy-awareness;
- 16. Ten HIGH LEVEL STEPS –cont. 6 Ensure how to recognise and respond appropriately to requests from data subjects; 7 Determine and document Privacy Impact Assessment and appointment of Data Protection Officer; 8 Review and amend and document privacy policy and statements and notices to meet the enhanced transparency requirements; 9 Document and identify the main causes of any potential data breach; 10. Would you be able to notify the regulator of any data breach within 72 hours?
- 17. AN OVERVIEW OF GDPR MASOOD BUTT – COMMERCIAL & REGULATORY LAWYER AHSAN HUSAIN – HEAD OF MIS & IT AND [DATA COMPLIANCE]