The future of data protection: General Data Protection Regulation
Presenter: Richard Syers, Senior Policy Officer, richard.syers@ico.org.uk


• Data Protection Act 1998
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Freedom of Information Act 2000
• Environmental Information Regulations 2004
Upholding information rights in the public interest, promoting openness by public authorities and data privacy for individuals

General Data Protection Regulation (EU) 2016/679, replaces Directive 95/46/EC
• Applies directly in UK – no need to transpose
• Time and technology has moved on
• The way we process data has changed – stronger penalties reflect the increased potential for harm to individuals when things go wrong
• Builds on existing data protection law
• Provisions apply from 25 May 2018

General changes
• Explicitly shifts emphasis onto data controllers demonstrating compliance (Art. 5(2))
• Consent strengthened in practice
• Greatly expanded requirements in relation to fair processing
• Specific requirements on data processors

Data subjects' rights: Chapter III (Articles 12 – 23)

Adds new rights
• Data Portability (Art. 20)
• Right to restrict processing (Art. 18)
• Right to erasure ("right to be forgotten") (Art. 17)
Strengthens existing rights
• Right not to be subject to automated decision making (Art. 22)
• Right to be informed (Art. 12, 13 and 14)
• Right of subject access (Art. 15)

Enforcement
• Mandatory security breach reporting
• Significantly larger fines for non-compliance
• Two tier fine system
Image: “Artists-impressions-of-Lady-Justice, (statue on the Old Bailey, London)” by Lonpicman is licensed under CC BY-SA

Fines
• Two tier fine system depending on nature of the breach
• Tier 1 - up to 10 million Euros or 2% of worldwide annual turnover
• Tier 2 - up to 20 million Euros or 4% of worldwide annual turnover
Examples of infringements attracting fines:
• Failing to take steps to keep personal data secure
• Failing to comply with individuals' rights
• Failing to notify the supervisory authority of a data breach
• Infringements related to transfers

Special categories of personal data (Article 9)
• Racial or ethnic origin
• Genetic data
• Political opinions
• Biometric data (in some cases)
• Trade union membership
• Health data
• Religious or philosophical beliefs
• Sex life or sexual orientation

Criminal convictions and offences (Article 10)
Processing of information about criminal convictions and offences is prohibited unless:
• Processing is under the control of official authority, or
• "authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects."

International transfers (Chapter V, Articles 44 – 50)
• Restrictions on transfers outside EU
• Can only take place in compliance with Chapter V
• ICO can authorise some transfers

Sharing intelligence data
• Clarity of purpose and legal basis
• Transparency
• Data minimisation – only share what you need to
• Consistent process with safeguards
• Security
• Record keeping

Money Laundering Regulations 2017
• Data protection law shouldn't prevent effective sharing of data for anti-money laundering purposes
• Ultimately for DCMS and HMT to ensure that laws dovetail effectively
• ICO has submitted several consultation responses, outlining our concerns on certain areas
• DCMS currently consulting on GDPR implementation; submit responses by 10 May 2017

ICO guidance
• Overview of GDPR
• Consent (currently draft)
• Profiling (discussion paper)
• Currently planning guidance on contracts and liability

Released guidance from the Article 29 working party
• Data portability
• Lead supervisory authorities
• Data protection officers

Upcoming guidance from the Article 29 working party
• Consent
• Transparency
• Profiling
• High risk processing
• Certification
• Administrative fines
• Breach notification
• Data transfers

Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk or find us on…
• /iconews
• http://ico.org.uk/livechat
• @iconews