Data Protection and the GDPR (General Data Protection Regulation)

Format for the evening
• Opening
• Welcome and introduction
• Overview of GDPR
• Key actions and support for Congregations and Presbyteries
• Questions
• Benediction

Overview of GDPR
1. Background to GDPR
2. Essential Terminology
3. Key Principles
4. Legal Basis for processing
5. Data Subject rights
6. Data Protection Lead, Breaches, Penalties & Children

1. Background to GDPR
• EU Data Protection Directive 95/46
• The Data Protection Act 1988 and Data Protection (Amendment) Act 2003
• Regulated by the Data Protection Commissioner
• GDPR replaces the 1988 and 2003 Acts
• 16 May 2017: Dept. Justice & Equality published the Data Protection Bill 2017
• Regulation applies to all EU member states on 25 May 2018

1. Background to GDPR – Why do we need GDPR?
• EU Directive drafted prior to the internet age – not “fit for purpose”
• Personal data is now used in ways that didn't exist in the 90s
• The types of personal data collected and held have also changed – biometric data, genetic data, images
• This new legislation, GDPR, is aimed at giving us, as individuals, more information and control over our personal data – it comes into effect from 25 May

2. Essential terminology – Personal Data
… any information relating to an identifiable natural person. That is, an individual who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Essential terminology – Examples of personal data include:
• Name
• Address
• Eircode
• Phone number
• Email address
• PPS number
• Photograph
• IP address, etc.

2. Essential terminology – Under GDPR there are special categories of personal data:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade Union membership
• Physical or mental health or condition
• Sexual life or sexual orientation
• Genetic data
• Biometric data

2. Essential terminology
Processing of special category data is prohibited unless one of the listed exemptions applies. We will return to this when we look at the guidance on legal bases of processing.

2. Essential terminology – Data Subject
… a natural person whose personal data is processed by a Data Controller. This does not include a deceased person or somebody who cannot be identified or distinguished from others.

2. Essential terminology – In a Congregation/Presbytery the data subjects will include:
• Members
• Individuals receiving pastoral care
• Children/young people attending BB, GB, Holiday Bible Clubs, Sunday School, Youth Groups, Crèche
• Gift Aid donors
• Contacts via a web site
• External users of our premises
• Suppliers, tradesmen
• Staff, etc.

2. Essential terminology – Data Controller
… a body which determines the purposes and means of the processing of personal data. (For congregations the Charity Trustees or Kirk Session will be the controller.)

2. Essential terminology – Acting for the data controller
• Minister
• Elders
• Organisational leaders
• Gift Aid secretary
• Treasurer
• Volunteers
• etc.

2. Essential terminology – Data Processor
… a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

2. Essential terminology – Data Processor
This essentially means a third party, e.g.
• IT provider (e.g. cloud storage)
• Payroll provider

2. Essential terminology – GDPR requires a Processor to:
• Act only on documented instruction and use the personal data for agreed purposes.
• Ensure persons authorised to access the data are under an obligation of confidentiality.
• Assist with Data Subject Rights and data breaches.
• Return or delete Personal Data when the service ends.
• Demonstrate compliance.

2. Essential terminology – Processing
… any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
… basically it is anything at all you do with the data.

2. Essential terminology – recap
• Personal Data (including Special Data)
• Data Subject
• Data Controller
• Data Processor
• Data Processing

3. Principles under GDPR (Article 5)
• used with integrity
• used appropriately
• used sparingly
• accurate
• not kept forever
• secure
• accountability
• governance

3. Principles under GDPR (Article 5) – The Lawfulness and Transparency Principle (used with integrity)
Processed lawfully, fairly and in a transparent manner in relation to individuals.
[To be used lawfully you must be able to rely on at least one of six legal bases for processing, i.e. there must be a legitimate reason for us processing someone’s personal data]

3. Principles under GDPR (Article 5) – The Purpose Limitation Principle (used appropriately)
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those stated purposes; further processing for archiving purposes in the public interest or for scientific, historical research or statistical purposes shall not be considered incompatible with the initial purpose.
[Need to be clear about the reason for collecting personal information and ensure it is only used for that purpose]

3. Principles under GDPR (Article 5) – The Data Minimisation Principle (used sparingly)
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
[Don’t hold it if you can’t demonstrate a need]
[Only collect the information you need, e.g. if you don’t need someone’s work phone number don’t collect it]

3. Principles under GDPR (Article 5) – The Accuracy Principle (accurate)
Accurate and, where necessary, kept up to date; every reasonable effort must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
[Otherwise confidential information could, for example, go to the wrong address]

3. Principles under GDPR (Article 5) – The Storage Limitation Principle (not kept forever)
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, or for scientific, historical research or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
[Clear out redundant personal data – data we no longer need or use for its original purpose]

3. Principles under GDPR (Article 5) – The Integrity and Confidentiality Principle (secure)
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

3. Principles under GDPR (Article 5) – The Integrity and Confidentiality Principle (secure) – for example:
• Passwords should be kept secure, should be strong, and changed regularly
• Use bcc when emailing a large number of people
• Confidential waste – shredded
• Preventative measures against virus attacks
• Keep back-ups
• Encrypt data taken off PCs / laptops
• Hard-copy material kept secure

3. Principles under GDPR (Article 5) – accountability
• The controller must be able to show that they are complying with these principles
• Requirement to have documentary evidence of consent, data processed and legal basis for processing
• Burden of proof is on the data controller to demonstrate compliance with the principles of GDPR

3. Principles under GDPR (Article 5) – accountability
• Data audit
• Data Protection Policies
• Staff Training
• Internal review
• Maintain a record of processing activities
• Data Protection Officer (or Lead)
• Data minimisation, pseudonymisation, transparency

3. Principles under GDPR (Article 5) – governance
The practical measures you put in place, the steps that you have taken so that you can demonstrate compliance under the principles above – these are the means by which you have implemented good governance. This can be achieved by documenting the decisions you take about processing personal data, undertaking training, and reviewing policies and procedures such as data protection, privacy notices, consent, etc.


4. Legal basis for processing
• Having a lawful basis for each processing activity is critical to an organisation’s ability to comply with GDPR
• Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law.
• If the Controller does not have a lawful basis for a given data processing activity then that activity is essentially unlawful.

4. Legal basis for processing – Legal bases available (six):
• Consent of the data subject (Article 6(1)(a))
• Necessary for performance of a contract (Article 6(1)(b))
• Compliance with a legal obligation (Article 6(1)(c))
• Protect the vital interests of a data subject (Article 6(1)(d))
• Task carried out in the public interest (Article 6(1)(e))
• Legitimate interests pursued by the controller (Article 6(1)(f))
(then there are Special Categories of Data which can inform the legal basis – examples later)

4. Legal basis for processing – Most presbyteries or congregations will rely on
• Legitimate interests
• Only rely on consent as a last resort: if someone withdraws consent you will have difficulty processing the data in question

4. Legal basis for processing – Legitimate interests
• Can be that of the congregation or presbytery
• Or the legitimate interest of a third party
That an individual has a reasonable expectation that you will process their data for a particular purpose makes it likely that processing on this basis will be lawful.

4. Legal basis for processing – Consent: use as basis of “last resort”
Under GDPR consent must be:
• Freely given, specific, informed and an unambiguous indication of the individual’s wishes
• There must be some form of clear affirmative action, i.e. a positive opt-in
• Capable of being withdrawn
• Verifiable
• Separate from other written matters

4. Legal basis for processing
• Not required to refresh all existing DPA consents
• But they should meet GDPR requirements
• If not, seek fresh GDPR-compliant consents or find an alternative to consent


4. Legal basis for processing – Special Categories
There are 10 subsidiary legal bases for processing Special Categories of data identified in the legislation. The most relevant ones include:
• Obligations under employment (Article 9(2)(b))
• Vital interests – subject cannot give consent (Article 9(2)(c))
• Not for profit body, no 3rd party disclosure (Article 9(2)(d))
• Archiving data in the public interest (Article 9(2)(j))
(… we will see some examples later)

4. Legal basis for processing – Article 9(2)(d)
Processing carried out by a not for profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.

5. Data Subject Rights
1. The right to be informed (Privacy Notice)
2. The right of access (Subject Access Request)
3. The right to rectification
4. The right to erasure (right to be forgotten)
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

5. Data Subject rights – Right to be informed
• Obligation to provide “fair processing information”, typically through a privacy notice, including:
• Identity and contact details of the controller
• Lawful basis of processing
• Retention periods
• Existence of data subject’s rights
• Right to withdraw consent
• Right to complain to the supervisory authority

5. Data subject rights – Right of access
• No fee payable for Subject Access Requests (SARs)
• Elevated risk of SARs as a consequence
• Info supplied within 1 month (previously 40 days)
• Data can include opinions, voice recordings and manual records

5. Data Subject rights – Right to Rectification & Erasure
• Require the controller to rectify personal data if it is inaccurate or incomplete
• Within one month, or 2 months if complex
• Ask the controller to delete their personal data in certain circumstances, e.g. if processing is not justified or the individual withdraws consent

5. Data subject rights – Right to restrict processing
The data subject may be entitled to limit the purpose for which the controller can process data, e.g.
• When the accuracy of the data is contested
• Data no longer needed by the controller but the individual requires it to establish, exercise or defend a legal claim

5. Data Subject rights – Right to portability
• Data subjects have the right to transfer their data to another data controller.

5. Data subject rights – Right to object to processing
• Data subjects have the right to object to, for example, direct marketing, and processing for historical research and statistics

5. Data Protection Lead
• Inform and advise on obligations
• Monitor compliance
• Training
• First point of contact for authorities

6. Breach Notification
• “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data . . . is more than just losing personal data”
• “… notify the relevant authorities … if it is likely to result in a risk to the rights and freedoms of individuals”
• High risk – notify the individual
• Breach notification – contents

6. Penalties
• For (mainly) a breach of record keeping, contracting and security clauses: maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater.
• For (mainly) a breach of the basic principles, data subject rights, transfer to third countries, or non-compliance with an Information Commissioner’s order: maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater.
• EU DPAs intend to co-ordinate their supervisory and enforcement powers across the Member States, but it is unclear what effect Brexit will have on this.

6. Children
• New provision to enhance the protection of children's personal data
• Services to children – Privacy Notice written in a way that a child will understand
• Online services to children – consent from parent or guardian
• Child under 16 can’t give consent (under 13 in UK)
• Parental consent not required for preventative or counselling services
• Same rights as adults

Overview of GDPR – recap
• Background to GDPR
• Essential Terminology (Personal Data, Data Subject, Data Controller, Data Processor, Processing)
• Key Principles (integrity, appropriately, sparingly, accurate, not kept forever, and kept secure)
• Legal Basis for processing (six bases and ten special categories)
• Data Subject rights (informed, access, rectification, erasure, processing, portability, object)
• Data Protection Lead, Breaches, Penalties & Children

Summary
• Don’t panic: prepare
• Requirement to comply
• Follow the six key principles – used with integrity, used appropriately, used sparingly, kept accurate, not kept for ever, kept secure, AND underpinned with accountability and governance.
• Consider your processing activities and the appropriate lawful basis for processing
• Remember data subject rights, consequences of breaches
• Penalties …… so how do you achieve compliance and how can PCI help?

Key Actions and Support
The DPC’s website contains a document indicating 12 steps to compliance, so we will use that as the basis for the rest of our presentation. The guidance being made available to help you in achieving compliance is under development and will be made available through the PCI website on a roll-out basis (Toolkit). 25 May 2018

12 steps to ensure compliance
Step 1. Become aware
Content: Make everyone in your organisation aware of the GDPR and what needs to be done.
Action: Decide how you are going to communicate the requirements and responsibilities under GDPR to everyone within your organisation. For example – arrange a training session for Kirk Session, Congregational Committee and Group/Organisation Leaders using this presentation. Consider an insert in announcements, church magazine etc.
Resource:
• This presentation
• Brief Guide to GDPR
• We may review some CBT (Computer Based Training) material as an option – TBC

12 steps to ensure compliance
Step 2. Complete a written inventory of Personal Data
Content: Inventory all personal data and record, for example:
• Why are you holding it?
• How was it obtained?
• What is the legitimate purpose for using it?
• How long will you keep it?
• How is it kept secure?
• Who has access to it?
• Is it shared with a third party (outside your organisation)?
Action: Complete an Information Register
Resource:
• Template Register supplied
• Template Action Plan supplied
• Examples supplied

12 steps to ensure compliance
Step 3. Communicate privacy information
Content: Review any current privacy notices and put in place a plan for any necessary changes to their format and content and how they are communicated.
Action: Check/write privacy notices
Resource: Guidance and templates supplied

12 steps to ensure compliance
Step 4. Be aware of and prepared for Data Subject rights
Content: Data Subject rights have been strengthened in the areas of:
• Right to be Informed
• Right of Access
• Right to Rectification
• Right to Erasure
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Rights in respect of Automated Decision Making and Profiling
Action: Consider how to respond to these rights – perhaps through the designation of a Data Protection Lead to be the point of contact should a Data Subject wish to exercise one or more of these rights.
Resource:
• Right to be informed is covered under Step 3 – Privacy Notice, which should also advise individuals of their rights under GDPR
• Access, Rectification and Erasure will generally be as a result of a request – guidance and templates supplied
• Restricting processing, data portability, objection, and automated decision making and profiling are less likely to occur and you should consult with the PCI Data Protection Lead if necessary.

12 steps to ensure compliance
Step 5. Enable Subject access requests
Content: You will need a policy and procedure on how to deal with such a request. You have one month to respond to an access request, so knowing what to do, who will deal with it and having your records stored in an organised and efficient manner will allow you to comply.
Action:
• Review what you hold and how you hold it – this should be a product of your Inventory of Personal Data under Step 2
• Create a policy and procedure for dealing with access requests
• Designate a point of contact for such requests
Resource: Guidance and template supplied for Subject Access Request

12 steps to ensure compliance
Step 6. Decide upon Legal Basis for Processing
Content: There are a number of these legal bases in the legislation – refer to the DPC/ICO website.
Action: For each processing situation consider what legal basis is the most appropriate and record this in your Inventory of Personal Data.
Resource: See resource under Step 2. Some examples to follow.

12 steps to ensure compliance
Step 7. Understand Consent
Content: Where you use consent as the legal basis you must ensure that the means by which you obtain consent is in compliance with the GDPR.
Action: Review your consent forms and the means by which you obtain consent. Obtain fresh consent using redesigned forms as necessary.
Resource: Guidance and template supplied

12 steps to ensure compliance
Step 8. Children’s Personal Data
Content: Special rules and rights will apply to children. Within the Republic of Ireland, for the purposes of GDPR, the definition of a child will be an individual under 16 years of age; in the UK a child is an individual under 13.
Action: Consultation not yet completed
Resource: When we have a clearer picture of guidance from DPC/ICO we will supply guidance and a template

12 steps to ensure compliance
Step 9. Data Breaches
Content: It is necessary to put in place procedures to detect, report and investigate a personal data breach.
Action:
• Understand the reporting requirements and penalties associated with a breach
• Put in place a procedure to deal with a data breach.
Resource: Guidance and template supplied

12 steps to ensure compliance
Step 10. Consider the requirement for a Privacy Impact Assessment
Content: This simply involves taking data protection into planning consideration when working on a project that involves personal data. The basic concept is ‘Data Protection by Design’ – build it in to thinking and planning.
Action: This is more relevant to larger or public organisations … but any new technology or systems should always be considered and applied with the GDPR in mind.
Resource: This is for individual organisations to consider, but any guidance developed by PCI will be made available on the website.

12 steps to ensure compliance
Step 11. Appoint a Data Protection Lead
Content: The legislation requires, for certain types of organisations or volumes of personal data processing, the appointment of a Data Protection Officer. This is not a requirement for PCI, but it is important that someone within a Congregation, Presbytery or PCI Central Administration takes the lead in facilitating and advising on GDPR.
Action: Appoint a Data Protection Lead
Resource: A suggested ‘role description’ is supplied

12 steps to ensure compliance
Step 12. Select a Lead Supervisory Authority
Content: The GDPR covers the entire European Economic Area, including the UK after Brexit. This is a matter of deciding whether the UK Information Commissioner or the RoI Data Protection Commissioner is the appropriate Supervisory Authority – for example in the situation of having to report a data breach.
Action: This will be directed by PCI, but it is likely that Congregations and Presbyteries in the RoI will take the DPC as Lead Authority whereas NI Congregations, Presbyteries and Church House will have the ICO as Lead Authority.
Resource: UK based presbyteries and congregations will respond to the ICO and Republic of Ireland based presbyteries and congregations will respond to the DPC.

Data Inventory Audit and Register – Step 1
1. What personal data do you hold?
2. How did you obtain the information?
3. What is it used for?
4. In what form is it held?
5. Is it shared with any external 3rd party? (if so, record it)
6. How is it kept secure?
7. How long do you keep it for and how do you dispose of it?
8. What is the lawful basis for processing?
9. Identify any action points

Data Inventory Audit and Register – template columns
• No.
• Description/Organisation
• What Personal Data do you hold?
• How did you obtain the information?
• What is it used for?
• In what form is it held?
• Who has access to this data?
• Is it shared with any external 3rd party? (Specify)
• How is it kept secure?
• How long do you keep it for and how do you dispose of it?
• Lawful basis for processing
• Actions
(Rows 1 to 5 are left blank in the template)

Action Plan
There is no reference in the legislation to an Action Plan – but if we do the work in creating the Data Register then logically it should indicate whether any action is required.

4. Legal basis for processing – examples (values per column, in the order shown)
Processing Activity: Membership list; Coffee Rota; Church weekend; Staff; Pastoral records; Prayer chain; Youth Club (<13); Youth Club (13-16)
Lawful Basis: Legitimate; Contract & Legal; Legitimate; Consent (Parental); Consent (Both)
Special Data: Not for profit; N/A; Not for profit; Employment; Not for profit; N/A; Not for profit

Legal basis for processing – examples (continued; values per column, in the order shown)
Processing Activity: Letting of premises; Gift Aid donors; Parent emergency contact; Home Groups; Special Need Club; Herald subscribers; …….
Lawful Basis / Special Data cells: Contract; Legal; Vital interests; N/A; Not for profit; Vital interests; Legitimate; Vital Interests; Consent; Not for profit; Vital Interests; Not profit

Data Breaches – most likely source of concern!
Most likely causes of breach:
• Weak or stolen credentials (log-in + password)
• Back doors, application vulnerabilities
• Malware
• Accidental loss
• Physical theft
• Hack attack

Resources
A website landing page http://www.presbyterianireland.org/gdpr is being developed and the resources mentioned will be placed on this as they are developed and cleared.
Already supplied:
• Brief Guide to GDPR
• DPL Role
• Template Data Inventory + examples
• Template Action Plan + examples
Policies, guidance and templates:
• Data Protection Policy
• Subject Access Request
• Data Breach Policy
• Data Retention Policy
• Consent Policy
Other materials:
• GDPR Myths & FAQs
• Ten Top Tips
• Signpost to Other Resources
• This PowerPoint Presentation

What you need to do:
• Training and awareness – ensure key decision makers are aware of GDPR
• Appoint a data protection lead or compliance person to manage the compliance project
• Carry out a GDPR audit and create a register of all data activity that you process and all data activity that you control
• Decide how you want to use the resources being made available to you to suit your own presbytery or congregation

Other Resources
• ICO website – Guide to GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulationgdpr
• Data Protection Commission website – The GDPR and You: http://gdprandyou.ie/
• Posters, stickers and e-learning from ICO: https://ico.org.uk/for-organisations/resources-and-support/posters-stickers-and-elearning/
• NICVA – Cyber Security: Small Charity Guide: http://www.nicva.org/resource/cyber-security-small-charity-guide

GDPR Questions