Revising policies and procedures under the new EU GDPR

Richard Campo, CISM, GRC Consultant, IT Governance Ltd
1 Sept 2016
www.itgovernance.co.uk

Introduction
Richard Campo, GRC consultant:
- Data protection and information security
- Lead auditor
- Lead ISO 27001:2013 implementer
- GDPR compliance
- Enterprise risk management

IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes

Agenda
- An overview of the regulatory landscape
- Territorial scope
- Remedies, liability and penalties
- Principles of the EU GDPR
- Policies: GDPR references (Recital 78, Articles 4, 24, 39)
- What if we don't have policies in place?
- What policies are required?
- How to develop a policy?

The nature of European law
Two main types of legislation:
- Directives
  - Require individual implementation in each Member State
  - Implemented by the creation of national laws approved by the parliaments of each Member State
  - European Directive 95/46/EC is a directive
  - The UK Data Protection Act 1998 is the UK law that implements it
- Regulations
  - Immediately applicable in each Member State
  - Require no local implementing legislation
  - The EU GDPR is a regulation

Article 99: Entry into force and application
"This Regulation shall be binding in its entirety and directly applicable in all Member States."
Key dates:
- On 8 April 2016 the Council adopted the Regulation.
- On 14 April 2016 the Regulation was adopted by the European Parliament.
- On 4 May 2016 the official text of the Regulation was published in the EU Official Journal in all the official languages.
- The Regulation entered into force on 24 May 2016 and applies from 25 May 2018.
http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Final text of the Regulation: http://data.consilium.europa.eu/doc/document/st-5419-2016-REV-1/en/pdf

The GDPR chapters:
- Chapter I: General provisions (Articles 1-4)
- Chapter II: Principles (Articles 5-11)
- Chapter III: Rights of the data subject (Articles 12-23)
- Chapter IV: Controller and processor (Articles 24-43)
- Chapter V: Transfer of personal data to third countries (Articles 44-50)
- Chapter VI: Independent supervisory authorities (Articles 51-59)
- Chapter VII: Cooperation and consistency (Articles 60-76)
- Chapter VIII: Remedies, liability and penalties (Articles 77-84)
- Chapter IX: Provisions relating to specific processing situations (Articles 85-91)

Data protection model under GDPR (diagram)
Actors shown: European Data Protection Board; Information Commissioner's Office (ICO) as supervisory authority; data controller (organisations); data processor; data subject (individuals); third parties; third countries.
Relationships shown: assessment, enforcement and complaints (supervisory authority); duties and rights (controller and data subject); "Security?" (processor); "Inform?" and "Disclosure?" (third parties); "Guarantees?" (third countries).

Articles 1-3: Who and where?
- Natural person = a living individual
- Natural persons have rights associated with:
  - the protection of personal data
  - the protection of the processing of personal data
  - the unrestricted movement of personal data within the EU
- In material scope:
  - personal data that is processed wholly or partly by automated means
  - personal data that is part of a filing system, or intended to be
- The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place
- It also applies to controllers not in the EU

Remedies, liabilities and penalties
Article 79: Right to an effective judicial remedy against a controller or processor
- Judicial remedy where their rights have been infringed as a result of the processing of personal data:
  - in the courts of the Member State where the controller or processor has an establishment;
  - in the courts of the Member State where the data subject habitually resides.
Article 82: Right to compensation and liability
- Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
- A controller involved in processing shall be liable for damage caused by that processing.
Article 83: General conditions for imposing administrative fines
- Imposition of administrative fines will in each case be effective, proportionate and dissuasive,
  - taking into account the technical and organisational measures implemented;
- up to EUR 20,000,000 or, in the case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year (whichever is higher)

Article 5: Principles
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
7. Accountability: the controller is responsible for, and must be able to demonstrate, compliance with the above

Recital 78: Demonstrating compliance
"In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default."

Article 4: Definitions
(20) "Binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

Article 24: Responsibilities of the data controller
"Where proportionate in relation to processing activities, measures shall include the implementation of appropriate data protection policies by the controller."

Article 39: Tasks of the data protection officer
"To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data."

What should a privacy policy include?
Article 13: Information to be provided where personal data are collected from the data subject
When obtaining personal data, the controller shall provide the data subject with all of the following information:
- the identity and contact details of the controller and, where applicable, their representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- the fact that the controller intends to transfer personal data to a third country, and the existence of adequacy conditions.

What should a privacy policy include? (continued)
Article 13: When obtaining personal data, the controller shall provide the data subject with the following further information to ensure fair and transparent processing:
- the period of time for which the data will be stored;
- the rights to rectification, erasure, restriction and objection;
- the right to data portability;
- the right to withdraw consent at any time;
- the right to lodge a complaint with a supervisory authority;
- the consequences of the data subject's failure to provide data;
- the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.

What should a privacy policy include? (continued)
Article 14: Information to be provided where the personal data have not been obtained from the data subject
Where personal data have not been obtained directly from the data subject:
- the identity and contact details of the controller and, where applicable, their representative;
- the contact details of the data protection officer, where applicable;
- the purposes as well as the legal basis of the processing;
- the categories of personal data concerned;
- the recipients of the personal data, where applicable;
- the fact that the controller intends to transfer personal data to a third country, and the existence of adequacy conditions.

Data breaches in the UK, January to March 2016: 448 new cases
Data breaches by sector:
- Health (184)
- Local government (43)
- Education (36)
- General business (36)
- Finance, insurance and credit (25)
- Legal (25)
- Charitable and voluntary (23)
- Justice (18)
- Land or property services (17)
- Other (41)
Source: UK Information Commissioner's Office

Enforcement action: Principles
Count of enforcement actions by data protection principle breached:
- Principle 1 (fairness and lawfulness): 2
- Principle 3 (proportionality): 1
- Principle 5 (data retention): 4
- Principle 6 (rights of individuals): 1
- Principle 7 (data security): 58
Source: ICO

Enforcement action: Reasons
- Lack of training: 19%
- Lack of sufficient policy: 16%
- Unencrypted storage device lost/stolen: 13%
- Unsolicited marketing: 12%
- Misdirected communications: 10%
- Accidental theft or loss of data: 8%
- Cyber attack: 5%
- Public disclosure of sensitive data: 5%
- Inappropriate handling of data: 5%
- Unlawful processing of data: 2%
- Inappropriate disposal of data: 2%
- Excessive data held: 1%
- Processing not in line with rights: 1%
- Lack of sufficient contract: 1%
Source: ICO

Enforcement action: Monetary penalties
- Unsolicited marketing: £610,000.00
- Hack / cyber attack: £450,000.00
- Unencrypted data lost or stolen: £385,000.00
- Misdirected communications: £315,000.00
- Public data breach: £310,000.00
- Lack of training/policy: £270,000.00
- Unlawful retention and inappropriate disposal: £100,000.00
- Inappropriate disposal: £100,000.00
Source: ICO

What is a policy?
Policies are documents that define the objectives of an organisation; a policy is a statement of intent. Procedures outline what people must do in order to deliver the policy objectives. Guidelines provide advice on how to comply with policies. Policies are generally adopted by the Board or senior governance body within an organisation.

Documentation structure
1: Policy (Board): setting the policy
- strategic, high level, relatively unchanging, board approved
- reflect principles and demonstrate board accountability
2: Procedures (Executive): implementing the policy
- setting out business requirements, procedures and processes
- change infrequently but have multiple overlaps and impacts on operational activity and business behaviours
3: Work instructions (Operational): making the policy work
- detailed, step-by-step descriptions of how to perform individual tasks
- subject to regular review and improvement
4: Records (All users and usages): records of what happened
- minutes, logs, reports, etc.
- information about how the ISMS is performing

What policies and procedures are required?
- Notification procedures
- Data protection policy
- Training and awareness programme
- Audit and compliance policy
- Information management policy
- Document and record control policy
- Public trust charter
- Information security policy
- Compliance standards
- Data collection procedures (fair/lawful/adequate)
- Data quality procedures
- Subject access procedures
- Risk management strategy
- Data processor standards and agreements
- Data use procedures
- Data retention and archive procedures
- Complaints procedures
- Security policies and procedures
- Internal audit procedures
- System/data-specific procedures
- Data disposal procedures
- Information notices procedures
- Due diligence and third-party audit procedures
- Third-party exchange agreements
- Enforcement notices procedures

Steps to develop a policy
Step 1: Identify the policy objectives. Identify the needs and expectations of interested parties that should inform the policy.
Step 2: Develop a policy framework. The policy framework should have a few high-level policies that inform the more granular components such as procedures and processes.
Step 3: Communicate and enforce the policies. Communication should reach all those within the scope of the policy. Audit the policies' effectiveness.
Step 4: Review and update the policies. Policies shouldn't change too often, but they are living documents and require periodic reviews to keep them relevant.

GDPR: Summary
- Complete overhaul of the data protection framework
- Covers all forms of PII, including biometric, genetic and location data
- Applies across all member states of the European Union
- Applies to all organisations processing the data of EU residents, wherever those organisations are geographically based
- Specific requirements around rights of data subjects and obligations on controllers and processors, including privacy by design
- Administrative penalties for breach up to 4% of revenue or EUR 20 million; intended to be dissuasive
- Data subjects have a right to bring actions (in their home state) and to receive damages if their human rights have been breached ("Right to an effective judicial remedy against a controller or processor")
- Fines take into account the technical and organisational measures implemented

IT Governance: GDPR one-stop shop
Accredited training:
- 1-Day Foundation Course, London or Cambridge: www.itgovernance.co.uk/shop/p-1795-certified-eu-general-data-protection-regulation-foundation-gdpr-training-course.aspx
- Foundation course, online: www.itgovernance.co.uk/shop/p-1834-certified-eu-general-data-protection-regulation-foundation-gdpr-online-training-course.aspx
- Practitioner course, classroom or online: www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course.aspx
Pocket guide: www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx
Documentation toolkit: www.itgovernance.co.uk/shop/p-1796-eu-general-data-protection-regulation-gdpr-documentation-toolkit.aspx
Consultancy support (data audit; transition/implementation consultancy): www.itgovernance.co.uk/dpa-compliance-consultancy.aspx

Questions?
rcampo@itgovernance.co.uk
0845 070 1750
www.itgovernance.co.uk