GDPR Workshop Partnerships for Jewish Schools 7 March


GDPR Workshop – Partnerships for Jewish Schools, 7 March 2018
Sarah Rowley, Senior Associate
charlesrussellspeechlys.com



Sector data scandals and the fallout
1) Olive Cooke and the aftermath – too many mailings; new regime as a result.
2) ICO fines 13 charities – trading data and wealth screening.
3) ‘Selling Barbara’ documentary – charities accused on BBC over data swapping.
4) Age UK data breaches.


What we’ll cover
• Intro and background
• The main changes under GDPR
• Processing by education organisations
• Lawful grounds for processing
• Direct marketing, fundraising and consent
• Agreements and data sharing with third parties
• Policies, notices and notifications


Intro and background
Applicable laws:
• General Data Protection Regulation – 25 May 2018
• E-Privacy Regulation (repealing the E-Privacy Directive) – planned date for implementation – 25 May 2018?
• Data Protection Bill (Data Protection Act 2017/18) – 25 May 2018
Regulatory guidance:
• Information Commissioner’s Office – https://ico.org.uk/for-organisations/data-protection-reform/
• Article 29 Working Party – http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083


Intro and background
Key concepts:
• 6 data protection principles (GDPR, Art 5.1):
1. ‘lawfulness, fairness and transparency’
2. ‘purpose limitation’
3. ‘data minimisation’
4. ‘accuracy’
5. ‘storage limitation’
6. ‘integrity and confidentiality’
• “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” GDPR, Art 5.2
• Organisations must act as either data controllers or data processors


The main changes under GDPR
• Extra-territorial applicability
• Breach notification
• Data protection officer
• Data transfers
• Agreements with data processors
• Sanctions for non-compliance


Processing by education organisations
• Various categories of data – although mostly relating to students and staff
• Parental consent
• Managing sensitive data (“special categories of data”), e.g. health records, classification of ethnicity or religious indicators
• Direct marketing to prospective parents


Issues for schools
• Notification
• Personal data
• Fair processing
• Information security
• Disposal
• Policies
• Subject access requests
• Sharing personal information
• Websites
• Photographs
• Processing by others
• Training


What are the lawful grounds for processing?
Art. 6(1) GDPR – Lawfulness of processing: “Processing shall be lawful only if and to the extent that at least one of the following applies:”
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
   Comment: Only ground available for electronic direct marketing
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c) processing is necessary for compliance with a legal obligation to which the controller is subject
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden…
   Comment: Conduct a balancing test; may be used for non-electronic direct marketing
Top tip: Document your balancing test for legitimate interests


Direct marketing, fundraising and consent


Direct marketing, fundraising and consent
New donors:
• If your consent mechanism is not GDPR compliant, change it to something like:
• No longer permitted:
Top tip: Use separate tick boxes for email marketing (but leave off post)


Data mapping, lawful grounds and records
Understanding what you do:
• Who?
• What?
• Why?
• Where?
• How long?


Agreements and data sharing with third parties
Understand who you are sharing your data with – controller or processor?
• Who determines the purpose for which the data is processed and the means by which it is processed?
• A good litmus test is whether there is any data for which you could expect, at the end of the agreement, to tell them to stop using / hand back
If you are sharing with a data controller (for example, other educational establishments or other organisations providing services directly to your students or staff):
• You do not abdicate responsibility for an end user’s personal data simply by sharing it with a third party data controller
• Put some controls in place: “where we share data with you, you shall not do or omit to do anything which would cause us to breach applicable data protection law” etc.
Top tip: Create a list of controllers and processors


Agreements and data sharing with third parties
If you are sharing data with a data processor (for example: external payroll providers, IT service providers, others providing back-office admin functions for you…):
• Binding written contract
• Under the DPA 1998:
  ✓ shall only act on instructions
  ✓ must ensure the security of the data
• Under the GDPR:
  ✓ shall only act on instructions
  ✓ must ensure the security of the data
  ✓ much more…
Top tip: Write to your processors. Ask them how they’re complying.


Policies, notices and notifications
Policies
• What policies do you have in place?
• Data protection policy
• Information security (and data breach notification) policy
• Data retention policy
• Always good to have an instruction manual
• Demonstrates compliance with the accountability principle


Policies, notices and notifications
Privacy notices / ‘fair processing info’
• Tell people what you do with their data. Do you pass the ‘red-face test’?
• New – notices should be GDPR compliant
• Wide enough to cover all intended processing?
Top tip: At the very least, pass the red-face test!


Policies, notices and notifications
Notifications
• The obligation to register as a data controller (and pay a fee) will remain in place (although you will no longer need to provide detailed particulars)
• Don’t let your registrations lapse
• Not needed if you sit within an exemption (NB. the one below is very narrow – schools should not rely on it!)
Top tip: Keep up with your renewals – they will still last 12 months


Conclusion and questions
Sarah Rowley, Senior Associate
sarah.rowley@crsblaw.com
+44 (0)20 7203 5370


charlesrussellspeechlys.com
Charles Russell Speechlys LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is authorised and regulated by the Solicitors Regulation Authority. Charles Russell Speechlys LLP is also licensed by the Qatar Financial Centre Authority in respect of its branch office in Doha. Any reference to a partner in relation to Charles Russell Speechlys LLP is to a member of Charles Russell Speechlys LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners is available for inspection at the registered office, 5 Fleet Place, London EC4M 7RD. For information as to how we process personal data please see our privacy policy on our website www.charlesrussellspeechlys.com