GDPR Module 3: Accountability and Governance
Module 3: Introduction
In Module 3 we'll learn how the GDPR introduces more explicit obligations around accountability and governance. The subjects covered are:
• The requirement to implement appropriate technical and organisational measures
• Maintaining records of processing activities
• Data protection impact assessments
• The requirement to appoint a data protection officer
• Data protection by design and default
• Codes of conduct
• Certification schemes
You'll recall from Module 1 that the GDPR introduces a new 'accountability' principle (Article 5(2)), which makes it an explicit general requirement for data controllers to be responsible for, and to be able to demonstrate, compliance with the data protection principles. The GDPR also contains more specific provisions that aim to increase compliance and accountability.
These are:
• to implement appropriate technical and organisational measures;
• to maintain relevant records of processing;
• to use data protection impact assessments where appropriate;
• to appoint a data protection officer where required;
• to implement data protection by design and default.
Technical and organisational measures
We'll now look at each of these requirements in turn, starting with technical and organisational measures. The GDPR (Article 24) requires the data controller to take measures to ensure, and to be able to demonstrate, that its processing complies with the legislation. This could include implementing internal data protection policies such as:
• staff training;
• internal audits of processing activities;
• reviews of internal HR policies.
Records of processing activities
Next we'll take a look at the requirement to keep records of processing activities.
Examples of the types of records a data controller is required to maintain under the GDPR (Article 30) include:
• the purposes of the processing;
• the categories of recipients of personal data;
• transfers of personal data to third countries;
• retention schedules (the envisaged time limits for erasure).
You may notice that there are some similarities between the information to be recorded under the GDPR and the 'registrable particulars' that have to be notified to the ICO under the DPA.
The extent to which a data controller has to comply with the obligation to keep records of processing depends on the number of staff it employs. The requirement to maintain a record of processing activities is obligatory for data controllers that employ 250 or more staff. A data controller with fewer than 250 employees is exempt from the requirement to maintain records of its processing unless that processing:
• could result in a risk to the rights and freedoms of individuals; or
• concerns special categories of data, or data on criminal convictions and offences.
Note that Article 30(5) also removes the exemption where the processing is not occasional, so in practice most organisations that process personal data routinely will still need to keep records.
Data protection impact assessments
In this section we cover data protection impact assessments. These assessments help organisations identify the most effective way to comply with their data protection obligations and meet data subjects' expectations of privacy. The ICO already encourages data controllers to use privacy impact assessments as part of a 'privacy by design' approach, but they are not a mandatory requirement under the DPA.
Under the GDPR (Article 35), a data controller must carry out a data protection impact assessment where the processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where the processing activity involves the use of new technologies.
The GDPR says that a data protection impact assessment will be required in particular where any of the following applies:
• a systematic and extensive evaluation of individuals' personal aspects, based on automated processing (including profiling), that is used to make decisions which produce legal effects on, or similarly significantly affect, those individuals;
• large-scale processing of special categories of data, or of personal data relating to criminal convictions or offences;
• large-scale systematic monitoring of publicly accessible areas (such as CCTV).
So what information should be included in a data protection impact assessment (or DPIA)? As a minimum, a DPIA should contain:
• a description of the proposed processing and its purposes, including (where applicable) the legitimate interests pursued by the data controller;
• an assessment of the necessity and proportionality of the processing in relation to its purposes;
• an assessment of the risks to data subjects' rights and freedoms;
• the measures in place to address those risks, including security measures, and to demonstrate that the data controller is complying with the GDPR.
What if the data protection impact assessment finds that the processing poses a high risk to data subjects? In that event (that is, a high risk which the measures proposed by the controller would not mitigate; Article 36) the data controller must consult the supervisory authority before beginning that processing. The supervisory authority must then provide the data controller with its view as to whether the measures proposed in the DPIA to mitigate that risk are adequate. This would be a significant new work stream for us here at the ICO, and the operational implications of this are being considered as part of the Change Programme.
Data protection officers
This section explores the new requirement for some data controllers and processors to appoint a data protection officer.
The GDPR (Article 37) sets out three specific circumstances in which an organisation must appoint a data protection officer. Only one of these has to be met for the obligation to apply:
1. The organisation is a public authority (except for courts acting in their judicial capacity).
2. The organisation's core activities involve regular and systematic monitoring of data subjects on a large scale.
3. The organisation's core activities involve large-scale processing of special categories of data, or data on criminal convictions and offences.
So what would the job description for a data protection officer appointed under the GDPR look like? The data protection officer's duties (Article 39) are to:
1. Inform and advise the organisation about its obligations under the GDPR.
2. Monitor compliance with the GDPR, including managing internal data protection activities.
3. Be the first point of contact for supervisory authorities and data subjects.
4. Provide training to staff, advise on data protection impact assessments and conduct internal audits.
What about the person themselves? What qualities does the GDPR say they will need? The person specification is professional experience and knowledge of data protection law. The GDPR says that this experience should be proportionate to the type of processing the data controller carries out, but it doesn't go into any further detail about the exact credentials the data protection officer should have (such as what qualifications they should hold).
The GDPR says that a single data protection officer can be appointed to act for a group of companies, or for several public authorities, taking into account their structure and size and the availability of that data protection officer to each of them.
The data protection officer doesn't have to be an external appointment. The organisation can appoint an existing member of staff to the role (for example, combining it with an existing post such as Head of IT), so long as they have the required experience and there won't be a conflict of interests with their other duties.
Or, if it prefers, the organisation can contract out the role of data protection officer externally.
Whoever is appointed, the organisation must ensure that person reports directly to the highest management level (i.e. board level).
The organisation also has two additional obligations:
• The data protection officer must be allowed to operate independently and can't be dismissed or penalised for performing their job.
• The organisation must provide the necessary resources for the data protection officer to meet their GDPR obligations.
Data protection by design and default
In this next section we'll take a look at what the GDPR has to say about data protection by design and default. Data protection by design and default was always an implicit requirement of the DPA data protection principles (for example, relevance and non-excessiveness). Under the GDPR, however, data controllers will be explicitly required to incorporate data protection by design and default into their processing.
The GDPR suggests that appropriate measures to help fulfil the requirement for data protection by design and default could include:
• pseudonymising personal data as soon as possible;
• minimising the processing of personal data;
• transparency of the processing of personal data, to enable the data subject to monitor the data processing.
In the case of data protection by default, the implementation of data minimisation measures is a mandatory requirement. This is because Article 25 of the GDPR explicitly states that data controllers must take appropriate measures to ensure that, '…by default, only personal data which are necessary for each specific purpose of the processing are processed…'.
The GDPR also states that, when considering which measures to adopt, the data controller should take into account factors such as:
• the available technology (the state of the art);
• the cost of implementation;
• the nature, scope, context and purposes of the processing;
• the risks to the rights and freedoms of data subjects.
We've now covered all of the specific accountability requirements set out at the beginning of the module. Next we'll move on to the voluntary schemes that are aimed at encouraging compliance.
Voluntary compliance schemes
The GDPR introduces two voluntary schemes that data controllers (or processors) can sign up to in order to demonstrate compliance with the legislation. These are:
• approved codes of conduct;
• certification mechanisms.
Signing up to these schemes offers a number of advantages.
Three of the main advantages to an organisation of signing up to a scheme are:
1. It can improve transparency and accountability, so data subjects can see which organisations are complying with the GDPR and can be trusted with their personal data.
2. It can provide mitigation against enforcement action.
3. It can improve standards by establishing best practice.
Codes of conduct
In this next section we'll take a more detailed look at codes of conduct.
A code of conduct can be drawn up by trade associations or other representative bodies. The code must be approved by the relevant supervisory authority. However, the responsibility for monitoring adherence to the code lies with an 'accredited body'. This is an organisation accredited by the supervisory authority which has an appropriate level of expertise in the subject matter of the code. It has powers to exclude from the code a controller or processor that is claiming adherence to it (for example where that controller or processor infringes the code). Any data controller (or processor) that adopts the code will be subject to mandatory monitoring by the accredited body.
Codes of conduct will set out sector-specific guidelines on how to comply with the GDPR. They may cover topics such as:
• fair and transparent processing;
• appropriate technical and organisational measures;
• breach notification;
• data transfers outside the EU.
Certification
In this final section we'll look at certification schemes in more detail. Certification offers another means for a data controller to demonstrate that it is complying with the GDPR. In particular, it can be used to show that the data controller is implementing appropriate technical and organisational measures.
A certification can be awarded by either:
1. the supervisory authority; or
2. a certification body accredited by the supervisory authority.
The data controller or data processor must provide the supervisory authority or certification body with sufficient information about, and access to, its processing activities to conduct the certification procedure. Certification lasts for a maximum of 3 years, and it can be renewed or withdrawn by the supervisory authority or certification body.