General Data Protection Regulations – An Overview: Implications for X Directorate
GDPR Implementation as of May 2018

- General Data Protection Regulation (2016/679): applies in EU States from 25 May 2018
- Law Enforcement (Crime and Justice) Directive (2016/680): transposition into EU States, date XXX
- e-Privacy Regulation (still being drafted): overhaul of the Privacy and Electronic Communications Regulations (PECR) across EU States
- Data Protection Bill 2017*: likely to become the UK Data Protection Act (date to be defined), applying in the UK

*Currently going through the UK Parliament
Corporate GDPR Strategy

What we've got in terms of data:
- Privacy Notice (covering accountability, purpose and rights)
- Data flow spreadsheet
- Rules on consent: recorded form of consent, no options
- Screening Privacy Impact Assessment, leading where needed to a full PIA signed off by the DPO

Timeline: EU law applies from 25 May; UK law date to be confirmed
Corporate GDPR Project Work

Service and project:
- HR: undertaking exercises concerning HR information, including information held locally on employees
- Procurement & Legal Services: undertaking an exercise on current contracts and liaising with suppliers
- IT & D: GDPR Project Manager to undertake an audit of systems
- Corporate IG: distribution lists and draft letters
GDPR – Key Messages: an overview

- Wider scope
- Applies to data processors
- Breach reporting
- Privacy by design and Privacy Impact Assessments
- Accountability: the evidence, i.e. the need to prove compliance
- Enhanced rights for individuals
- Bigger fines
- Data Protection Officer
Next Steps – X Directorate Checklist

Fair processing: have you got it in place?
- Are you fairly, lawfully and transparently processing personal data? Identify all points where you collect data, the purposes, the type of data, the sources from whom you obtain it and the recipients to whom you disclose it.
- Audit: check whether you do subsequent things with their data that the individual does not know about.
- Accountability and evidence: can you account for it, and where are the records?
Next Steps – X Directorate Checklist (continued)

- Information Asset Register: have you provided information into the Information Asset Register project?
- Lawful basis for processing: what is your lawful basis, and have you recorded it for all your processing?
- GDPR Legal Services contract review: are you liaising with the Procurement and Legal Services review?
- Privacy Impact Assessments: about to undertake large-scale / large-volume, high-risk or special-category data projects (particularly involving criminal information)? Contact CIG for a PIA template.
- Privacy by design: buying in or designing new systems, software or processes? Consult the ICO privacy by design guidance.
Next Steps – X Directorate Checklist (continued)

- Current policies and processes: do they relate to or include reference to data protection? If so, contact CIG for advice, e.g. on wording.
- Awareness raising amongst staff re new requirements: have you identified what staff need to know and understand about GDPR?
- System capability: can your systems meet the requirements of GDPR, e.g. the rights of individuals such as access and erasure?
- Training: check S-Net updates and ensure staff are signed up to the 2018 Introduction to Information Governance courses. … more to come.
Next Steps – Corporate Information Governance

- Awaiting appointment of the DPO. This brings new responsibilities: a statutory officer post with an independent role (like the Monitoring Officer), with sign-off for large-scale PIAs and for breach notification.
- New legislation: corporate policies must reflect the nuances of the DP Bill, the Law Enforcement Directive and the e-Privacy Regulation.
- Placing advice and guidance on S-Net: Data Flow Template, screening PIA, Privacy Notice guidance.
- Updating our e-learning.
- Providing advice.
- Updating corporate policies: these will be changing.