Building a register of data processing

Date post: 21-Feb-2017
Page 1: Building a register of data processing

Building a register of data processing activities

Workshop overview

• Key requirements of the General Data Protection Regulation
• What is personal data?
• What personal data do you collect?
• Why we are here today – to compile a record of data processing activities
• What is lawful processing?
• What are legitimate interests?
• What is consent?
• Mix and match exercise
• What is a data processor?
• What is a data controller?
• Controller or processor?
• How long should you keep data?
• Privacy notices
• Recording processing activities
• Summary

What is data protection?

Data protection law concerns the use of personal data from the time it is collected to the time it is disposed of (‘processing’).

It addresses the lawfulness of processing, the rights of individuals (‘data subjects’), and expectations regarding security.

The current UK law is the Data Protection Act 1998.

What is the General Data Protection Regulation?

- A new EU Regulation that governs the processing of personal data
- It is an evolution of existing laws
- It introduces a number of administrative burdens and documentation requirements – such as records of processing and, in high risk situations, data protection impact assessments
- The rights of individuals in relation to their data have been enhanced
- Organisations can be fined up to the higher of 4% of global annual turnover or 20 Million Euros for failing to comply with the administrative requirements, unlawful processing, not respecting rights, or losing personal data
- Organisations must be in compliance by 25 May 2018
- In the UK, the supervisory authority is the Information Commissioner’s Office (ICO)

What is personal data?

Personal data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special categories of personal data (AKA sensitive personal data)

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

What personal data do you collect?

Personal data

Special categories of personal data (AKA sensitive personal data)
Register of data processing activities

The GDPR requires that detailed records are maintained on how personal data is processed, with specific rules on the data that must be gathered and made available to regulators.

Controls

1. A register must be maintained that includes the following information:

- the name and contact details of the controller, the controller's representative (where the entity is non-EU) and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- the envisaged time limits for erasure of the different categories of data;
- a general description of the technical and organisational security measures applied to the data.
Record processing at activity level

What processing activities do you do?

Commercial activity: (add relevant examples of the types of processing that you conduct in your business activities)

Recruitment: how people apply for jobs online or by email; reference checking.

Employment: paying wages, recording absences, PAYE returns to HMRC or equivalent, paying expenses, personnel file management, appraisals, grievances.

Workplace: CCTV, reporting an accident, issuing a security card.

Communications: signing up for newsletters and other marketing communications.

Activity: What other processing activities do you do?

What information should you record?

• Department;
• Process owner;
• Step by step process flow – from collection to disposal;
• Categories of data collected (e.g. bank account data, NI number, home address, email);
• Data subjects (e.g. job applicants, contacts, employees, customers);
• Link to the applicable privacy notice;
• Lawful grounds for processing of personal data and special categories of personal data (this process will involve close scrutiny of these);
• Where data is stored and accessed from (taking into account data processors and data centre location);
• Where there is an ex-EEA* transfer, what the legal mechanism for this is;
• Suggested retention period if not already agreed;
• Whether there is a statutory retention period (and if so, what the law/regulation is);
• Who has access to the data;
• Whether any data processors are involved in the process (and who they are);
• Whether any data is being shared with data controllers;
• Whether infosec due diligence has been conducted on the data processors involved;
• Check of the contract clauses to see if they meet Article 28 (Processor) requirements;
• Notes on security measures (e.g. password standards, access controls, disposal standards, relevant training).

Items in red will need to be confirmed by your data protection officer or other.

* European Economic Area – EU plus Norway, Iceland and Liechtenstein.
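The checks in the list above can be applied mechanically once a register entry is captured as a record. The following is an added example, not material from the workshop: it models one register entry with the page-8 fields (field names are our own choice) and returns the gaps that would need confirming with the data protection officer, using a constructed payroll activity as sample input.

```python
from dataclasses import dataclass, field

# The five grounds available to a commercial organisation, as listed on the "lawful grounds" slide.
LAWFUL_GROUNDS = {"consent", "contract", "legal obligation", "legitimate interests", "vital interests"}

@dataclass
class RegisterEntry:
    """One processing activity with the page-8 fields this check needs (field names are assumed)."""
    activity: str
    department: str = ""
    process_owner: str = ""
    data_categories: list = field(default_factory=list)
    data_subjects: list = field(default_factory=list)
    lawful_ground: str = ""
    special_category: bool = False
    special_category_condition: str = ""   # additional ground required for special category data
    ex_eea_transfer: bool = False
    transfer_mechanism: str = ""           # legal mechanism for the ex-EEA transfer, if any
    retention_period: str = ""
    privacy_notice: str = ""               # link to the applicable privacy notice
    processors: list = field(default_factory=list)
    processor_due_diligence: bool = False
    article28_contract_checked: bool = False

def review_entry(e: RegisterEntry) -> list:
    """Return the gaps to raise with the data protection officer; an empty list means none."""
    gaps = []
    for name in ("department", "process_owner", "data_categories", "data_subjects",
                 "retention_period", "privacy_notice"):
        if not getattr(e, name):
            gaps.append(f"{name} not recorded")
    if e.lawful_ground not in LAWFUL_GROUNDS:
        gaps.append("lawful ground missing or not one of the five grounds")
    if e.special_category and not e.special_category_condition:
        gaps.append("special category data without an additional condition")
    if e.ex_eea_transfer and not e.transfer_mechanism:
        gaps.append("ex-EEA transfer without a legal mechanism")
    if e.processors and not e.processor_due_diligence:
        gaps.append("no infosec due diligence on processors")
    if e.processors and not e.article28_contract_checked:
        gaps.append("processor contract not checked against Article 28")
    return gaps

# Constructed sample: the outsourced-payroll activity from the processor slide, partly filled in.
PAYROLL = RegisterEntry(
    activity="Employment: paying wages", department="HR", process_owner="Payroll manager",
    data_categories=["bank account data", "NI number", "home address"], data_subjects=["employees"],
    lawful_ground="contract", ex_eea_transfer=True, retention_period="6 years after employment ends",
    privacy_notice="https://example.invalid/privacy/staff",  # placeholder URL
    processors=["payroll bureau (placeholder)"], processor_due_diligence=True)
```

Running `review_entry(PAYROLL)` flags the missing transfer mechanism and the unchecked Article 28 contract, which is exactly the remediation the register is meant to surface.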

What are lawful grounds for processing?

Any activity involving personal data should have lawful grounds for processing. The grounds available to choose from for a commercial organisation:

-You have the individual’s consent to use their personal data in this way

-It is strictly necessary for the performance of a contract with the individual

-It is strictly necessary to fulfil a legal obligation

-It is in the legitimate interests of your organisation to process personal data in this way – unless it impinges on the rights of the individual

-It is for the vital interests of the individual (life and death).

There are additional grounds that need to be met for the lawful processing of special categories of data.

Let’s have a closer look at consent.

Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Now let’s look at legitimate interests.

What are your legitimate interests?

Sounds like a way to make anything lawful? NO!

Your organisation has to demonstrate compelling legitimate grounds for the processing which overrides the interests or fundamental rights and freedoms of subjects – i.e. it mustn’t invade privacy disproportionately, must be within their reasonable expectations and so on.

Examples where legitimate interests might be considered:

- Limited use of CCTV for security purposes
- Limited analysis of data for marketing purposes
- Fraud prevention

NB: Any uses of legitimate interests MUST be published as part of the relevant privacy notice.

Now let’s ‘Mix and Match’.

Mix and Match: fair processing conditions (use some relevant processing activities and ask delegates which grounds they would use)

What is a data processor?

You are a ‘data controller’ for the personal data you collect when you decide how the data will be processed. You are legally responsible for it.

When you outsource the collection or use of personal data to another organisation, they will be acting as a data processor. As a processor, they can only use the personal data under your instruction and for no other purpose, e.g. outsourced payroll or email marketing management.

Requirements

- You must have a process to assess that the processor has the ability to protect data accordingly;
- You must have a contract in place with the processor that contains appropriate provisions on data protection – and the GDPR contains specific requirements that must be included;
- By May 2018 all contracts will need to be reviewed and amended accordingly.

In building the register we are identifying where data processors exist (and where they store our personal data), so we can see where remediation might be required.

What is a data controller?

A data controller has the ability to determine the purposes and means of the processing of personal data. Sharing your personal data with them therefore also needs to be assessed for lawfulness.

Examples:

• HMRC
• Courts
• Other group entities (depending on the purposes for data sharing)
• Other corporates for their own marketing purposes

Actions

In the record keeping activity process we are identifying where data controllers exist and so we can check that the sharing is lawful.

Processor or Controller?

(Using examples that are relevant to your organisation, ask delegates whether they would be acting as a data controller or a data processor.)

How long should I keep data?

GDPR Article 5.1a: (Personal data must) be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.

Considerations?

• Is there a statutory record keeping period that would guide your retention period and at least confer a minimum retention period?

• In the absence of a statutory requirement, how long do you need the personal data?

• What is your rationale for keeping personal data, e.g. beyond the end of a relationship? What are your grounds for processing, and does this influence the retention period?

• Could the data be anonymised and still be useful? Truly anonymised data would fall outside the GDPR (and you will need a documented methodology for anonymisation).

Privacy Notice requirements in GDPR

Ideally provided at the time you collect personal data, a privacy notice explains:

- The identity and contact details of the controller
- Contact details for the data protection office(r)
- The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing
- Recipients and categories of recipients
- Intention to transfer personal data to a recipient in a ‘third country’
- The period personal data will be stored for
- Awareness of all of their rights and how they can be exercised
- Where processing is consent based, the existence of the right to withdraw consent at any time
- The right to complain to the supervisory authority (in the UK being the ICO)
- Whether provision of data is a statutory or contractual requirement, whether provision is an obligation, and the consequences of failing to provide it

How else are we using the information that we will collect?

Record retention: the process enables us to decide how long we will retain personal data. This is critical because the GDPR will require retention periods to be disclosed in privacy notices, and if someone makes a request to access their data the retention period would also be disclosed.

Legitimate interests: Any processing that is made lawful using legitimate interests will need to be explained in the applicable privacy notice.

Consent: We can assess whether consent is being used appropriately and, if we are reliant upon consent, that the conditions for consent have been met. We can also make sure we provide information on how consent can be withdrawn.

International transfers: We need to know exactly where data is located and where it can be accessed from, as there are rules that need to be followed where data leaves the European Economic Area, and we need to maintain a register of all international transfers.

Now let’s try to fill in a form. (Provide a template for people to fill in.)

Summary

• Completing a register of data processing activities is a critical first step in compliance with the GDPR.

• It provides us with information on lawful processing and the involvement of data processors/third parties, makes us think about how long we keep data, and provides pertinent information that we need to include in privacy notices and in response to requests for access to an individual’s personal data.

• It is critical that new initiatives are discussed with your data protection adviser prior to inception so advice on lawfulness can be taken, and the register updated. A data protection impact assessment may also be required if the project is high risk.
