GENERAL DATA PROTECTION REGULATION (GDPR) What it means for businesses

  • Slides: 19

INTRODUCTION What to expect from this presentation
▪ What is GDPR?
▪ What do businesses need to know?
▪ What might we need to do?

WHAT IS GDPR?

SUMMARY
▪ General Data Protection Regulation – an EU regulation, directly applicable in every member state
▪ Expands on some parts of the DPA/existing Directive; creates other new requirements
▪ First data protection law with global reach: applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU
▪ Determines how personal data must be processed and used
▪ Applies from 25 May 2018, regardless of Brexit

WHO IT INVOLVES
Data subject – Any individual in the EU (not only EU citizens) who has entrusted a controller with their personal data: customers, service users, employees
Data controller – Who the data subject entrusts with their data. Decides why and how the data is processed, and is responsible for that processing
Data processor – Any entity that handles personal data on the data controller's behalf and on its instructions

WHAT DO BUSINESSES NEED TO KNOW?

WHAT’S NEW?
▪ Expanded definition of “personal data”
▪ Transparency and consent
▪ Enhanced rights for data subjects
▪ Accountability
▪ Data protection by design
▪ Notifying subjects of data breaches

PERSONAL DATA

Personal data
  Examples: Name; ID number; any physical, physiological, economic, cultural or social data
  Now also includes: Location; online identifiers (e.g. IP address, cookies)

Sensitive personal data (“special category” data)
  Examples: Race/ethnicity; politics; religious beliefs; sexual orientation
  Now also includes: Biometric data; genetic data

TRANSPARENCY
▪ Must tell individuals how their personal data is processed
▪ Clear, concise and easily accessible format
▪ Must include:
  ▪ Legal basis for processing
  ▪ Legitimate interests (if any)
  ▪ Right to lodge a complaint with the supervisory authority
  ▪ How long data will be retained

ACCOUNTABILITY – DATA PROTECTION BY DESIGN
▪ Must be able to demonstrate compliance with GDPR
▪ How?
  ▪ Policies and procedures (audits, HR policies)
  ▪ Staff training
  ▪ Pseudonymisation
  ▪ Data protection impact assessments
  ▪ Appointing a data protection officer

ACCOUNTABILITY – NOTIFICATION OF DATA BREACHES
▪ A breach is personal data being destroyed, lost, altered, disclosed to or accessed by unauthorised people
▪ Reported to:
  ▪ Supervisory authority – where the breach is likely to result in a risk to individuals (discrimination, reputational damage, financial loss, loss of confidentiality)
  ▪ Individual(s) affected – same, but where the risk is high
▪ Report to the supervisory authority within 72 hours of becoming aware of the breach; affected individuals without undue delay

WHAT MIGHT WE NEED TO DO?

STEPS
▪ Review data protection policies
▪ Establish legal basis for processing
▪ Identify how to demonstrate compliance
▪ Consider whether to appoint a DPO

REVIEW POLICIES
▪ Individuals told about their right to object, at first communication
▪ Understanding of what constitutes a “data breach” – more than loss of data (also unauthorised access, disclosure or alteration)
▪ Procedures for detecting, investigating and reporting breaches
▪ Insurance coverage in case of breach

ESTABLISH LEGAL BASIS FOR PROCESSING
▪ Be clear on the grounds for lawful processing
▪ If relying on consent:
  ▪ Obtained correctly: freely given, specific, informed and unambiguous, by a clear affirmative action (no pre-ticked boxes or silence)
  ▪ Subjects informed of their right to withdraw at any time, and given simple methods to do so

DEMONSTRATE COMPLIANCE
▪ New policies – data protection by design
▪ Regular audits
▪ Staff training
▪ Pseudonymisation
▪ Review and update existing information notices

CONSIDER A DATA PROTECTION OFFICER
▪ Informs and advises on obligations
▪ Monitors compliance – manages internal activities and audits, trains staff
▪ First point of contact for supervisory authorities and data subjects
▪ Compulsory that the DPO:
  ▪ Reports to the board/directors
  ▪ Is independent, and not penalised for performing the job
  ▪ Has the resources to meet obligations
▪ Can be an existing employee as long as the role is compatible and there is no conflict of interest
▪ No formal qualifications required, but should have professional experience and knowledge of data protection law

25 MAY 2018

FURTHER HELP AND SUPPORT
Qualsys Limited
Aizlewood’s Mill, Nursery Street, Sheffield S3 8GG
emily.hill@qualsys.co.uk  +44 (0)114 282 3338
marc.gardner@qualsys.co.uk  +44 (0)114 282 3338