General Data Protection Regulation (GDPR)

Transcription

1 General Data Protection Regulation (GDPR) Michael Eva, London Grid for Learning

2 What is GDPR? General Data Protection Regulation (GDPR) protects the personal data of EU citizens regardless of where the company is based in the world GDPR will replace the current DPA on 25 th May 2018, potential UK version by 2019 Government has confirmed that Brexit will not affect the implementation of GDPR Non compliance could result in fines of up to 20,000,000 or 4% of gross annual turnover

3 Difference Between GDPR & DPA DPA has 8 Data Protection Principles, GDPR has 24 Sections which each contain a number of articles and recitals Increased responsibility for Data Owners that includes Governance, Compliance, Education etc Privacy by Design / Protection by Default Breach Notification 72 Hours to notify Supervisory & Data Subject without undue delay

4 GDPR & DPA (cntd ) Penalties Huge fines for both the Data Owner and Processor e.g. Recycling company Consent - Explicit consent has to be given to process/store sensitive personal data no more check here if you DO NOT wish to. Right to be forgotten Individual has the right to request erasure of personal data

5 Where to start.?? Internal/Independent review of current IG position: What data do we store, where and with who? Legacy? Data Sharing agreements do we have any? Breach notification process do we have one? Contracts with suppliers - ensure GDPR compliance Subject Access Requests new timescales & policies Consent any changes required? Staff awareness and education ongoing Speak with LA for further advice/guidance

6 Information Governance (IG) Assign a Data Protection Officer (DPO) Establish a CIG & identify key stakeholders to support the compliance programme Identify key roles and responsibilities within the board to support compliance Consider reporting lines within the data protection governance structure

7 IG (cntd ) Consider how board will support the DPO with the necessary resources (e.g. staffing, board support, budget) & ensure DPO reports in to Head Educate senior management about GDPR and the potential exposure of non-compliance Educate the wider audience on GDPR Document legal basis for processing personal data

8 Data Protection Officer (DPO) Appoint a Data Protection Officer Inform all school employees of their obligations under the GDPR Implement an IG Programme in line with the GDPR Monitor compliance, responsibilities and related audits Advice on Data Protection Impact Assessment (DPIA) Cooperate with and act as a point of contact for the ICO Whistleblowing Protection under legal challenge

9 Contracts Review Suppliers section to agree with applicable law Change control revisions - change control request Mandatory change control - if change in law etc Could work both ways - suppliers could force upgrades you're only supported on our latest greatest version. Annual renewal point - get GDPR added Suppliers may want to change they can be sued!

10 Governance, Risk & Compliance (GRC) GRC is cornerstone to IG Framework - CIG Data Protection Impact Assessments (DPIA) Risk Assessments Impact vs Likelihood Risk Treatment compensating controls Residual Risk Risk Acceptance & Risk Appetite Remedial Actions Compliance

11 Privacy By Design & Protection By Default Proactive not reactive; Preventative not remedial Privacy as the default setting Privacy embedded into design End-to-end security full lifecycle protection Respect for privacy - keep it user centric

12 Data Security Encryption of data Workstation encryption Data Encryption at Rest Data Encryption in Transit Data Sharing Agreements What 3 rd party suppliers are doing with data? How do they store it? Who do they share it with?

13 Case Study A Implementing New IT System New computer system being implemented, company based in the UK with Data Centres in the US Personal data relating to pupils and staff will be stored on the system What considerations should be given under GDPR to safeguard the data?

14 Case Study A Considerations Data Protection Impact Assessment (DPIA) What data is being stored, where & who accesses it Risk Assessments CIG Sign off Supply Chain Due Diligence/Contract reflects GDPR Service Development Life Cycle (SDLC) Privacy By Design / Protection by Default Consent/Retention

15 Case Study B Data Breach Member of staff ed pupil data including names and addresses to wrong recipient and unencrypted. What are key considerations for next course of action(s)?

16 Case Study B Considerations Invoke Incident Management Procedure Log Incident Damaged Limitations Prevent from getting any worse Retrieve/Track Data Impact Analysis Notify ICO, LGFL & Data Subjects Remedial/Preventative Actions

17 Summary of Key Points Breach Reporting - procedures in place to detect, report and investigate a breach Assign a DPO No conflict of interests IG Structure - DPIA s, ensure that school can demonstrate compliance Review current supplier contracts Data Processing criminal offence to select IT supplier without required certs e.g. Recycling

18 Summary of Key Points (cntd ) Awareness/Training demonstrate GDPR awareness throughout school & ongoing training Consent review how seeking consent Data Encryption protecting data at rest and in transit Penalties for non compliance - fines of up to 20,000,000 or 4% of gross annual turnover (whichever is the greatest!!) or sued for distress!

19 @LGfL facebook.com/ LondonGridforLearning