Data-Protection-and-the-GDPR-(RoI) General Data Protection Privacy.pptx
TaufikIqbalR1
76 slides
Mar 08, 2025
Data Protection and the GDPR (General Data Protection Regulation)

Format for the evening
- Opening
- Welcome and introduction
- Overview of GDPR
- Key actions and support for Congregations and Presbyteries
- Questions
- Benediction

Overview of GDPR
- Background to GDPR
- Essential Terminology
- Key Principles
- Legal Basis for processing
- Data Subject rights
- Data Protection Lead, Breaches, Penalties & Children
1. Background to GDPR
- EU Data Protection Directive 95/46
- The Data Protection Act 1988 and Data Protection (Amendment) Act 2003
- Regulated by the Data Protection Commissioner
- GDPR replaces the 1988 and 2003 Acts
- 16 May 2017: Dept. of Justice & Equality published the Data Protection Bill 2017
- The Regulation applies to all EU member states from 25 May 2018

1. Background to GDPR: why do we need GDPR?
- The EU Directive was drafted prior to the internet age and is not "fit for purpose"
- Personal data is now used in ways that didn't exist in the 90s
- The types of personal data collected and held have also changed: biometric data, genetic data, images
- This new legislation, GDPR, is aimed at giving us, as individuals, more information and control over our personal data. It comes into effect from 25 May
2. Essential terminology: Personal Data
"... any information relating to an identifiable natural person. That is, an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
2. Essential terminology: examples of personal data include
- Name
- Address
- Eircode
- Phone number
- Email address
- PPS number
- Photograph
- IP address, etc.

2. Essential terminology: under GDPR there are special categories of personal data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trades Union membership
- Physical or mental health or condition
- Sexual life or sexual orientation
- Genetic data
- Biometric data
2. Essential terminology: special category data
Processing of special category data is prohibited unless one of the listed exemptions applies. We will return to this when we look at the guidance on legal bases for processing.

2. Essential terminology: Data Subject
A natural person whose personal data is processed by a Data Controller. This does not include a deceased person or somebody who cannot be identified or distinguished from others.
2. Essential terminology: in a Congregation/Presbytery the data subjects will include
- Members
- Individuals receiving pastoral care
- Children/young people attending BB, GB, Holiday Bible Clubs, Sunday School, Youth Groups, Crèche
- Gift Aid donors
- Contacts via a web site
- External users of our premises
- Suppliers, tradesmen
- Staff, etc.
2. Essential terminology: Data Controller
A body which determines the purposes and means of the processing of personal data. (For congregations, the Charity Trustees or Kirk Session will be the controller.)

2. Essential terminology: acting for the data controller
- Minister
- Elders
- Organisational leaders
- Gift Aid secretary
- Treasurer
- Volunteers, etc.

2. Essential terminology: Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

2. Essential terminology: Data Processor
This essentially means a third party, e.g.
- IT provider (e.g. cloud storage)
- Payroll provider

2. Essential terminology: GDPR requires a Processor to
- Act only on documented instruction and use the personal data for agreed purposes
- Ensure persons authorised to access the data are under an obligation of confidentiality
- Assist with Data Subject Rights and data breaches
- Return or delete Personal Data when the service ends
- Demonstrate compliance
2. Essential terminology: Processing
"... any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
Basically, it is anything at all you do with the data.

2. Essential terminology (summary)
- Personal Data (including Special Data)
- Data Subject
- Data Controller
- Data Processor
- Data Processing

3. Principles under GDPR (Article 5)
[Diagram: the principles, with accountability and governance]
3. Principles under GDPR (Article 5): The Lawfulness and Transparency Principle
Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
[To process data lawfully you must be able to rely on at least one of the six legal bases for processing, i.e. there must be a legitimate reason for us to process someone's personal data.]

3. Principles under GDPR (Article 5): The Purpose Limitation Principle
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those stated purposes; further processing for archiving purposes in the public interest or for scientific, historical research or statistical purposes shall not be considered incompatible with the initial purpose.
[Be clear about the reason for collecting personal information and ensure it is only used for that purpose.]
Keyword: used appropriately

3. Principles under GDPR (Article 5): The Data Minimisation Principle
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
[Don't hold it if you can't demonstrate a need.]
[Only collect the information you need, e.g. if you don't need someone's work phone number, don't collect it.]
Keyword: used sparingly

3. Principles under GDPR (Article 5): The Accuracy Principle
Personal data must be accurate and, where necessary, kept up to date; every reasonable effort must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
[Otherwise confidential information could, for example, go to the wrong address.]
Keyword: accurate

3. Principles under GDPR (Article 5): The Storage Limitation Principle
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, or for scientific, historical research or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
[Clear out redundant personal data, i.e. data we no longer need or use for its original purpose.]
Keyword: not kept forever

3. Principles under GDPR (Article 5): The Integrity and Confidentiality Principle
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Keyword: secure
3. Principles under GDPR (Article 5): The Integrity and Confidentiality Principle, for example
- Passwords should be kept secure, should be strong, and should be changed regularly
- Use bcc when emailing a large number of people
- Confidential waste should be shredded
- Preventative measures against virus attacks
- Keep back-ups
- Encrypt data taken off PCs / laptops
- Hard-copy material kept secure
Keyword: secure

3. Principles under GDPR (Article 5): accountability
- The controller must be able to show that they are complying with these principles
- Requirement to have documentary evidence of consent, of data processed and of the legal basis for processing
- The burden of proof is on the data controller to demonstrate compliance with the principles of GDPR
Keyword: accountability

3. Principles under GDPR (Article 5): accountability measures
- Data audit
- Data Protection Policies
- Staff Training
- Internal review
- Maintain a record of processing activities
- Data Protection Officer (or Lead)
- Data minimisation, pseudonymisation, transparency
Keyword: accountability

3. Principles under GDPR (Article 5): governance
The practical measures you put in place, the steps that you have taken so that you can demonstrate compliance with the principles above, are the means by which you have implemented good governance. This can be achieved by documenting the decisions you take about processing personal data, undertaking training, and reviewing policies and procedures such as data protection, privacy notices, consent, etc.
Keyword: governance
4. Legal basis for processing
Having a lawful basis for each processing activity is critical to an organisation's ability to comply with GDPR. Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. If the Controller does not have a lawful basis for a given data processing activity then that activity is essentially unlawful.

4. Legal basis for processing: legal bases available (six)
- Consent of the data subject (Article 6(1)(a))
- Necessary for performance of a contract (Article 6(1)(b))
- Compliance with a legal obligation (Article 6(1)(c))
- Protect the vital interests of a data subject (Article 6(1)(d))
- Task carried out in the public interest (Article 6(1)(e))
- Legitimate interests pursued by the controller (Article 6(1)(f))
(Then there are the Special Categories of Data, which can inform the legal basis; examples later.)

4. Legal basis for processing
- Most presbyteries or congregations will rely on legitimate interests
- Only rely on consent as a last resort
- If someone withdraws consent you will have difficulty processing the data in question

4. Legal basis for processing: legitimate interests
- Can be that of the congregation or presbytery
- Or the legitimate interest of a third party
- If an individual has a reasonable expectation that you will process their data for a particular purpose, processing on this basis is likely to be lawful

4. Legal basis for processing: consent (use as the basis of "last resort")
Under GDPR consent must be:
- Freely given, specific, informed and an unambiguous indication of the individual's wishes
- Given by some form of clear affirmative action, i.e. a positive opt-in
- Capable of being withdrawn
- Verifiable
- Separate from other written matters

4. Legal basis for processing: existing consents
- Not required to refresh all existing DPA consents
- But they should meet GDPR requirements
- If not, seek fresh GDPR-compliant consents or find an alternative to consent
4. Legal basis for processing: Special Categories
There are 10 subsidiary legal bases for processing Special Categories of data identified in the legislation. The most relevant ones include:
- Obligations under employment (Article 9(2)(b))
- Vital interests, where the subject cannot give consent (Article 9(2)(c))
- Not for profit body, no 3rd party disclosure (Article 9(2)(d))
- Archiving data in the public interest (Article 9(2)(j))
(We will see some examples later.)

4. Legal basis for processing: Article 9(2)(d)
Processing carried out by a not for profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
5. Data Subject Rights
- The right to be informed (Privacy Notice)
- The right of access (Subject Access Request)
- The right to rectification
- The right to erasure (right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling

5. Data Subject rights: right to be informed
Obligation to provide "fair processing information", typically through a privacy notice, including:
- Identity and contact details of the controller
- Lawful basis of processing
- Retention periods
- Existence of the data subject's rights
- Right to withdraw consent
- Right to complain to the supervisory authority

5. Data Subject rights: right of access
- No fee payable for Subject Access Requests (SARs)
- Elevated risk of SARs as a consequence
- Information must be supplied within 1 month (previously 40 days)
- Data can include opinions, voice recordings and manual records

5. Data Subject rights: right to rectification and erasure
- Data subjects can require the controller to rectify personal data if it is inaccurate or incomplete
- Within one month, or 2 months if complex
- Data subjects can ask the controller to delete their personal data in certain circumstances, e.g. if processing is not justified or the individual withdraws consent

5. Data Subject rights: right to restrict processing
Data subjects may be entitled to limit the purposes for which the controller can process data, e.g.:
- When the accuracy of the data is contested
- When the data is no longer needed by the controller but the individual requires it to establish, exercise or defend a legal claim

5. Data Subject rights: right to portability
Data subjects have the right to transfer their data to another data controller.

5. Data Subject rights: right to object to processing
Data subjects have the right to object to, for example, direct marketing and processing for historical research and statistics.

5. Data Protection Lead
- Inform and advise on obligations
- Monitor compliance
- Training
- First point of contact for authorities
6. Breach Notification
"A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data ... is more than just losing personal data."
"... notify the relevant authorities ... if it is likely to result in a risk to the rights and freedoms of individuals."
- High risk: notify the individual
- Breach notification: contents

6. Penalties
- For (mainly) a breach of record keeping, contracting and security clauses: maximum fine of up to €10 million, or 2% of annual worldwide turnover, whichever is greater.
- For (mainly) a breach of the basic principles, data subject rights, transfer to third countries, or non-compliance with an Information Commissioner's order: maximum fine of up to €20 million, or 4% of annual worldwide turnover, whichever is greater.
- EU DPAs intend to co-ordinate their supervisory and enforcement powers across the Member States, but it is unclear what effect Brexit will have on this.

6. Children
- New provision to enhance the protection of children's personal data
- Services to children: Privacy Notice written in a way that a child will understand
- Online services to children: consent from a parent or guardian
- A child under 16 can't give consent (under 13 in the UK)
- Parental consent is not required for preventative or counselling services
- Children have the same rights as adults
Overview of GDPR (recap)
- Background to GDPR
- Essential Terminology (Personal Data, Data Subject, Data Controller, Data Processor, Processing)
- Key Principles (used with integrity, appropriately, sparingly, kept accurate, not kept forever, and kept secure)
- Legal Basis for processing (six bases and ten special categories)
- Data Subject rights (informed, access, rectification, erasure, restrict processing, portability, object)
- Data Protection Lead, Breaches, Penalties & Children

Summary
- Don't panic: prepare
- There is a requirement to comply
- Follow the six key principles: used with integrity, used appropriately, used sparingly, kept accurate, not kept for ever, kept secure, AND underpinned with accountability and governance
- Consider your processing activities and the appropriate lawful basis for processing
- Remember data subject rights and the consequences of breaches
- Penalties ... so how do you achieve compliance, and how can PCI help?

Key Actions and Support
- The DPC's website contains a document indicating 12 steps to compliance, so we will use that as the basis for the rest of our presentation
- The guidance being made available to help you achieve compliance is under development and will be made available through the PCI website on a roll-out basis (Toolkit)
25 May 2018
12 steps to ensure compliance (each step is given as Step / Content / Action / Resource)

Step 1: Become aware
Content: Make everyone in your organisation aware of the GDPR and what needs to be done.
Action: Decide how you are going to communicate the requirements and responsibilities under GDPR to everyone within your organisation. For example, arrange a training session for Kirk Session, Congregational Committee and Group/Organisation Leaders using this presentation. Consider an insert in announcements, the church magazine, etc.
Resource: This presentation; Brief Guide to GDPR; we may review some CBT (Computer Based Training) material as an option (TBC).

Step 2: Complete a written inventory of Personal Data
Content: Inventory all personal data and record, for example: Why are you holding it? How was it obtained? What is the legitimate purpose for using it? How long will you keep it? How is it kept secure? Who has access to it? Is it shared with a third party (outside your organisation)?
Action: Complete an Information Register.
Resource: Template Register supplied; Template Action Plan supplied; examples supplied.

Step 3: Communicate privacy information
Content: Review any current privacy notices and put in place a plan for any necessary changes to their format and content and how they are communicated.
Action: Check/write privacy notices.
Resource: Guidance and templates supplied.

Step 4: Be aware of and prepared for Data Subject rights
Content: Data Subject rights have been strengthened in the areas of: Right to be Informed; Right of Access; Right to Rectification; Right to Erasure; Right to Restrict Processing; Right to Data Portability; Right to Object; Rights in respect of Automated Decision Making and Profiling.
Action: Consider how to respond to these rights, perhaps through the designation of a Data Protection Lead to be the point of contact should a Data Subject wish to exercise one or more of these rights.
Resource: The right to be informed is covered under Step 3 (the Privacy Notice, which should also advise individuals of their rights under GDPR). Access, Rectification and Erasure will generally be as a result of a request; guidance and templates supplied. Restricting processing, data portability, objection, and automated decision making and profiling are less likely to occur, and you should consult the PCI Data Protection Lead if necessary.

Step 5: Enable Subject Access Requests
Content: You will need a policy and procedure on how to deal with such a request. You have one month to respond to an access request, so knowing what to do, who will deal with it, and having your records stored in an organised and efficient manner will allow you to comply.
Action: Review what you hold and how you hold it (this should be a product of your Inventory of Personal Data under Step 2). Create a policy and procedure for dealing with access requests. Designate a point of contact for such requests.
Resource: Guidance and template supplied for Subject Access Request.

Step 6: Decide upon Legal Basis for Processing
Content: There are a number of these legal bases in the legislation; refer to the DPC/ICO website.
Action: For each processing situation consider which legal basis is the most appropriate and record this in your Inventory of Personal Data.
Resource: See resource under Step 2; some examples to follow.

Step 7: Understand Consent
Content: Where you use consent as the legal basis you must ensure that the means by which you obtain consent is in compliance with the GDPR.
Action: Review your consent forms and the means by which you obtain consent. Obtain fresh consent using redesigned forms as necessary.
Resource: Guidance and template supplied.

Step 8: Children's Personal Data
Content: Special rules and rights will apply to children. Within the Republic of Ireland, for the purposes of GDPR, the definition of a child will be an individual under 16 years of age; in the UK a child is an individual under 13.
Action: Consultation not yet completed.
Resource: When we have a clearer picture of guidance from the DPC/ICO we will supply guidance and a template.

Step 9: Data Breaches
Content: It is necessary to put in place procedures to detect, report and investigate a personal data breach.
Action: Understand the reporting requirements and penalties associated with a breach. Put in place a procedure to deal with a data breach.
Resource: Guidance and template supplied.

Step 10: Consider the requirement for a Privacy Impact Assessment
Content: This simply involves taking data protection into planning consideration when working on a project that involves personal data. The basic concept is 'Data Protection by Design': build it in to thinking and planning.
Action: This is more relevant to larger or public organisations, but any new technology or systems should always be considered and applied with the GDPR in mind.
Resource: This is for individual organisations to consider, but any guidance developed by PCI will be made available on the website.

Step 11: Appoint a Data Protection Lead
Content: The legislation requires, for certain types of organisations or volumes of personal data processing, the appointment of a Data Protection Officer. This is not a requirement for PCI, but it is important that someone within a Congregation, Presbytery or PCI Central Administration takes the lead in facilitating and advising on GDPR.
Action: Appoint a Data Protection Lead.
Resource: A suggested 'role description' is supplied.

Step 12: Select a Lead Supervisory Authority
Content: The GDPR covers the entire European Economic Area, including the UK after Brexit. This is a matter of deciding whether the UK Information Commissioner or the RoI Data Protection Commissioner is the appropriate Supervisory Authority, for example in the situation of having to report a data breach.
Action: This will be directed by PCI, but it is likely that Congregations and Presbyteries in the RoI will take the DPC as Lead Authority, whereas NI Congregations, Presbyteries and Church House will have the ICO as Lead Authority.
Resource: UK based presbyteries and congregations will respond to the ICO, and Republic of Ireland based presbyteries and congregations will respond to the DPC.
Data Inventory Audit and Register: Step 1
- What personal data do you hold?
- How did you obtain the information?
- What is it used for?
- In what form is it held?
- Is it shared with any external 3rd party? (If so, record it.)
- How is it kept secure?
- How long do you keep it for, and how do you dispose of it?
- What is the lawful basis for processing?
- Identify any action points

Data Inventory Audit and Register: template columns
No. | Description/Organisation | What Personal Data do you hold? | How did you obtain the information? | What is it used for? | In what form is it held? | Who has access to this data? | Is it shared with any external 3rd party? (Specify) | How is it kept secure? | How long do you keep it for and how do you dispose of it? | Lawful basis for processing | Actions
(Rows 1 to 5 left blank for completion)

Action Plan
There is no reference in the legislation to an Action Plan, but if we do the work of creating the Data Register then logically it should indicate whether any action is required.
4. Legal basis for processing: examples
Processing Activity | Lawful Basis | Special Data
Membership list | Legitimate | Not for profit
Coffee Rota | Legitimate | N/A
Church weekend | Legitimate | Not for profit
Staff | Contract & Legal | Employment
Pastoral records | Legitimate | Not for profit
Prayer chain | Legitimate | N/A
Youth Club (<13) | Consent (Parental) | Not for profit
Youth Club (13-16) | Consent (Both) | Not for profit

Legal basis for processing: further examples
Processing Activity | Lawful Basis | Special Data
Letting of premises | Contract | N/A
Gift Aid donors | Legal | Not for profit
Parent emergency contact | Vital interests | Vital interests
Home Groups | Legitimate | Not for profit
Special Need Club | Vital Interests | Vital Interests
Herald subscribers | Consent | Not for profit
...
Data Breaches: most likely source of concern!
Most likely causes of a breach:
- Weak or stolen credentials (log-in + password)
- Back doors, application vulnerabilities
- Malware
- Accidental loss
- Physical theft
- Hack attack

Resources
A website landing page http://www.presbyterianireland.org/gdpr is being developed, and the resources mentioned will be placed on it as they are developed and cleared.
Already supplied:
- Brief Guide to GDPR
- DPL Role
- Template Data Inventory + examples
- Template Action Plan + examples
Policies, guidance and templates:
- Data Protection Policy
- Subject Access Request
- Data Breach Policy
- Data Retention Policy
- Consent Policy
Other materials:
- GDPR Myths & FAQs
- Ten Top Tips
- Signpost to Other Resources
- This PowerPoint Presentation

What you need to do:
- Training and awareness: ensure key decision makers are aware of GDPR
- Appoint a data protection lead or compliance person to manage the compliance project
- Carry out a GDPR audit and create a register of all data activity that you process and all data activity that you control
- Decide how you want to use the resources being made available to you to suit your own presbytery or congregation

Other Resources
- ICO website, Guide to GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
- Data Protection Commission website, The GDPR and You: http://gdprandyou.ie/
- Posters, stickers and e-learning from the ICO: https://ico.org.uk/for-organisations/resources-and-support/posters-stickers-and-e-learning/
- NICVA, Cyber Security: Small Charity Guide: http://www.nicva.org/resource/cyber-security-small-charity-guide