ESSENTIALS: GDPR Essentials: Post Brexit

Date post: 04-Apr-2022

Contents

2 The essentials
10 Personal data & processing
15 Principles & rights
27 Why compliance matters
33 Summary & next steps

ESSENTIALS:

GDPR Essentials: Post Brexit

eBook

2

ESSENTIALS:GDPR Essentials: Post Brexit

THE ESSENTIALS

PERSONAL DATA AND PROCESSING

PRINCIPLES AND RIGHTS

WHY COMPLIANCE MATTERS

SUMMARY AND NEXT STEPS

The essentials


DATA PROTECTION COMPLIANCE

In a rapidly changing digital and connected world, the way organisations handle our personal data regularly hits the headlines, affecting people's confidence and trust.

In the EU, the use of personal data by organisations is regulated primarily by the General Data Protection Regulation.

In the UK, the equivalent regulations are the Data Protection Act 2018 and the UK GDPR.

Complying with data protection regulations helps our customers and colleagues to be confident that they can trust us to treat their personal data with the privacy and care that it needs. In this eBook, we'll explore what the GDPR means to you, its key definitions and its core principles, individuals' legal rights and the consequences of non-compliance.

This course covers:

• The relevance of the GDPR to you

• The key definitions of the Regulation

• The Regulation's principles

• The individual's rights

• The consequences of non-compliance

• Questions to check your knowledge

Please note that unless otherwise stated, all references to 'GDPR' used in this course relate to areas where the EU GDPR and the UK GDPR are consistent.


Why do we need data protection?

The way organisations hold personal information electronically and online makes it easy to find, edit, network and share personal data.

Naturally people are concerned about the safety of their data: its availability, its integrity, its confidentiality, and whether it's being processed lawfully.

These four criteria are at the core of personal information security and they are at the heart of the GDPR's aims.

AVAILABILITY: Can the right people access it easily when it's needed?
E.g. Is it stored so it's easy to retrieve?

INTEGRITY: Is it accurate, complete and up-to-date so that the right decisions are made when it's used?
E.g. Is it protected from unauthorised editing? Could it be copied or deleted inappropriately?

CONFIDENTIALITY: Can I be sure that only the people who should see the information will see it? Could it be shared inappropriately?
E.g. Is it encrypted? Are the organisation's systems protected from hackers?

AUTHORISATION: Have I given consent, or does the organisation have another lawful basis for using my personal information?


Different GDPRs

You may be wondering: 'What is the UK GDPR and is it different from the EU GDPR?'

From May 2018, the EU Regulation known as the EU GDPR applied to all countries in the European Economic Area.

As a result of the UK's departure from the EU, the UK has adopted a tailored version of the EU GDPR into UK law, known as the UK GDPR.

The UK GDPR became part of the UK's Data Protection Act 2018 from the end of the Brexit transition period. At present, the EU GDPR and the UK GDPR are very similar in their provisions.

Unless otherwise stated, when we refer to 'GDPR' we are referring to regulations that apply to both the EU and the UK.


GDPR Highlights

Personal data:
• From name to biometric
• Geo-location
• Online identifiers

Consent:
• Informed
• Clear, affirmative consent
• Right to refuse
• Right to withdraw

Enhanced data subject rights:
• Right to be informed
• Right to rectification
• Right to erasure/to be forgotten
• Right to restrict processing
• Right to object
• Right to data portability
• Right of access
• Rights in relation to automated decision making and profiling

Fines and penalties:
• The most serious violations can attract fines of £17.5 million or 4% of global revenue


GDPR Highlights

Breach notifications:
• Mandatory reporting
• 24-72 hour time limit
• Large fines for non-reporting

Subject access requests:
• Free
• Verbal
• Written

Scope:
• EU GDPR: any organisation, anywhere, processing the personal data of people in the EU
• UK GDPR: any organisation, anywhere, processing the personal data of people in the UK

Your responsibility to comply:
• Understand the relevant parts of the GDPR
• Follow our systems and processes
• Check when you're unsure

Your responsibility is to help us comply with the GDPR. That means understanding the parts of the GDPR that affect your work, following our systems and processes, and checking when you're unsure.


The consequences of non-compliance - the organisation

An organisation that's found to be in breach of its data protection obligations can be investigated, suffer reputational damage, face compensation claims, and be fined:

• An investigation by the UK Information Commissioner's Office
• Reputational damage caused by bad publicity
• Compensation claims against the organisation for the damage and distress
• A fine imposed by the UK Information Commissioner - a maximum of £17.5 million or 4% of annual global turnover

The fines can be extremely punitive and can seriously impact the financial health of an organisation, which makes data protection compliance a high priority.


GDPR language

The Regulation defines a number of roles and concepts it helps to be clear about. We've summarised some key ones here.

KEY ROLES

Data subject: The individual to whom the personal data relates.

Data controller: The natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: The natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Data protection officer: A person appointed by the data controller to ensure compliance with the GDPR and monitor how data are treated.

Recipient: Anyone to whom the data are disclosed by the data controller, including employees.

Third party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

KEY CONCEPTS

Consent: Consent signifies the agreement of the data subject to personal data relating to them being processed. It must be freely given, specific, informed, unambiguous and a clear affirmative action.

Data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Personal data and processing


WHAT IS 'PERSONAL DATA'?

You may be surprised by the amount of information that could be personal data. Here are a few typical scenarios...

DRIVING TO WORK
• GPS location data
• Security CCTV footage
• Car registration

AT WORK
• Bank details
• Union membership
• National Insurance number
• Number of calls an employee handles a day

AT HOME
• Geolocation data
• IP address
• Cookie data
• Emailed biometric data
• Giving a bank account number on the phone
• Political affiliation on social media


The extent of personal data

PERSONAL DATA IS:

• data that can be used to identify a living individual, either on its own or in combination with other information, or
• any data directly linked with a specific living individual.

For instance, an employer may collect information on an employee relating to their performance, past experience, next of kin and bank account details. This data is also likely to be considered personal data.

From the Regulation: Personal data definition

GDPR definition: Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Natural persons are living humans, as opposed to legal entities.

Personal data can include factual information, such as a name, address or date of birth, or can be an opinion, such as how a manager thinks an employee has performed in his/her performance review.


Special category data

Special category data could lead to discrimination, so it is specially protected by the GDPR. It covers:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Biometric data for the purpose of uniquely identifying a natural person
• Genetic data
• Data concerning health
• Data concerning a person's sex life or sexual orientation

Financial information in isolation is not classified as special category data.

Criminal offence data

You cannot process personal data about criminal convictions or offences unless you have a specific legal basis. Take advice if you are asked to.


Processing

Central to the GDPR is what you actually do with personal data - what's known as 'data processing'. This includes:

• Collecting data, manually or using, say, an online form.

• Recording or organising data, for example, compiling data in a spreadsheet.

• Retrieving, consulting or using the data.

• Disclosing the data in any way - in a memo or email, or even handing over a file.

• Erasing or destroying data.

In fact, according to the Information Commissioner, who's responsible for enforcing data protection, 'it is difficult to envisage any action involving data which does not amount to processing'.


Principles & rights


THE DATA PROTECTION PRINCIPLES

At the heart of the GDPR are these 7 principles:

• We must process – collect, store, use, share, dispose of – personal information fairly, lawfully and transparently
• We must say why we are collecting it and use it only for that purpose
• We must collect what we need – no more, no less
• We must keep it accurate and up-to-date
• We must keep it for only as long as necessary and then destroy it safely
• We must keep it secure
• We, as data controllers and/or processors, must follow these principles, and demonstrate that we have, to make sure that personal information is handled properly


1: LAWFULNESS, FAIRNESS AND TRANSPARENCY

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Lawful: Do we have at least one of these lawful bases for processing this personal data?
• Consent
• Contractual necessity
• Legal compliance
• Vital interests
• Public interest
• Legitimate interests

Fair: Could our processing:
• harm the person in some way?
• be unexpected?
• mislead the person?

Transparent: Do we tell the individual clearly and comprehensively how we intend to use the personal data?


Conditions for processing

Consent: We have asked for and got consent from the individual. Example: a consent notice.

Contractual necessity: It's necessary to begin or carry out a contract with the individual. Example: a utility or phone contract.

Legal compliance: It's necessary for us to comply with the law. Example: supplying the tax authority with financial information.

Vital interests: It's necessary to protect someone's life. Example: where medical treatment is required.

Public interest: It's necessary to perform a task in the public interest or to exercise official authority. Usually a public body, e.g. government, school etc.

Legitimate interests: It's necessary to carry out the legitimate interests of the controller, except where those interests are overridden by the interests, rights or freedoms of the individual (particularly where the individual is a child). Examples: direct marketing in certain circumstances; a finance company that uses an agency to locate a client.

*We mustn't break any other laws

2: PURPOSE LIMITATION

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

To comply: If you collect personal data, explain why clearly and fully.

If you decide how to use personal data, don't use the data for anything but the original purpose without consent or another legal basis.


3: DATA MINIMISATION

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

If you collect or decide how to process personal data, answer these questions:
• Is this the minimum amount of data I need?
• Do I have enough information to make accurate decisions?
• Does it all apply directly?
• Is any of this information 'just in case' or 'might be useful'?

Follow our data housekeeping rules to keep data to a minimum.

4: ACCURACY

Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Answer questions like these:
• Is the data likely to change, and how often?
• How often should it be checked and updated?
• Do I know the processes for keeping it up to date?

5: INFORMATION STORAGE

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

To comply with this principle, ask yourself questions such as:
• When and how should personal data be destroyed?
• Should data be retained or disposed of?


6: INTEGRITY AND CONFIDENTIALITY

Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

To comply with this principle:
• Read our information security policy
• Follow procedures such as setting strong passwords
• Never disclose personal data to anyone who is not authorised

7: ACCOUNTABILITY

The controller is responsible for, and must be able to demonstrate compliance with, the Data Protection Principles.

To comply with this principle:
• You must follow data protection and information security policies


The rights of the data subject

The right to be informed

• Individuals have the right to be informed about how their data is processed
• Privacy notices are a common way of telling people what data you are collecting and for what purpose
• The information we provide must be concise, transparent, intelligible, easily accessible, and use clear and plain language

A privacy notice should include:
• name and contact details of the organisation
• purpose and legal basis for processing the data
• how the data will be processed
• the categories of personal data concerned
• the recipients or categories of recipient
• who will be involved in processing the data
• how long it will be kept
• their rights (to rectification, erasure, restriction, to object to processing etc.)
• the right to withdraw consent

The right of access

• Individuals have the right to access their personal data to see what we hold
• This is called 'subject access'
• A 'subject access request' can be made verbally or in writing
• We have one month to respond to a request
• We cannot charge for a subject access request in most circumstances

As well as a copy of the personal data, we have to supply information like this:
• confirmation that their personal data are being processed
• the purposes of the processing
• the categories of data being processed
• who their data might be shared with
• how long their data will be stored
• the source of their data
• their rights (to erasure, rectification)
• how automated decisions are made

All of which should be in your privacy policy.


The right to rectification

• Data subjects have the right to have inaccurate personal data corrected
• We have to erase or amend any inaccurate or incomplete data within one month of notice (up to three if the request is complex)
• If we have shared personal data with third parties, we have to notify them that it must be corrected

The right to erasure

Also known as the right to be forgotten. An individual can request the deletion or removal of personal data and we have to comply when certain conditions are met. For example:
• there is no compelling reason for its continued processing
• the data subject withdraws consent where processing is based on consent alone
• their data was unlawfully processed

Note: The right to erasure does not provide an absolute 'right to be forgotten'. The right to erasure is not always clear cut. Here are some examples where 'right to erasure' conditions aren't met or don't provide an absolute 'right to be forgotten':
• If someone withdraws their consent for marketing, we still need to keep their details based on our legitimate interests to maintain a marketing suppression list
• Where data is processed in the performance of a contract, for example an agreement for a mortgage or savings account, the data can be held for as long as is necessary to perform that agreement
• Where data is processed to comply with a legal obligation, such as reporting money laundering activity, the right to erasure may not exist while that legal obligation is valid


The right to restrict processing

• Under certain circumstances, such as when there's a dispute about the accuracy of the data, people have the right to restrict processing
• When it is restricted, we are permitted to store the personal data, but not to process it in any other way
• We must hold just enough personal data to ensure that the restriction is maintained
• We have to tell all third parties with whom we've shared the data, if any

An individual can make a request for restriction verbally or in writing. We have one calendar month to respond to a request.

The right of data portability

• This right allows individuals to get hold of and reuse their personal data for their own purposes across different services
• So if someone requests their data, we either have to give them a copy in a format that they can use or we have to transmit it directly to another data controller
• This could apply, for example, to bank customers who want to switch banks and port all their data to the new bank


Rights related to automated decision making

The GDPR gives individuals certain protections against the risk that a potentially damaging decision is made by a computer without the involvement of a human. This extends to profiling and processing that analyses or predicts aspects such as health, behaviour or performance at work.

The right to object

• Individuals have the right to object; an example of this would be deciding not to receive direct marketing
• If we receive a request to stop direct marketing, we must do so immediately
• In other situations, we may be able to continue processing if we can show a compelling reason, e.g. sending an email for security purposes when an individual has stated they do not wish to be contacted
• We must tell individuals about their right to object, e.g. in a privacy notice
• An individual can make an objection verbally or in writing
• We have one calendar month to respond to an objection


IDENTIFYING DATA SUBJECT RIGHTS

Because people can make subject access requests verbally, it can be useful to be alert for them.

"So your computer is saying no to giving me insurance?" - Rights related to automated decision making. This person is asking about their rights related to a decision that a computer has apparently made. They want to know whether there has been human involvement in a decision which could have a damaging effect on them.

"How long will you keep my details?" - Right to be informed. This person is exercising their right to be informed about the way their personal data is being processed.


"I prefer to use Ms, so please can you change my title?" - Right to rectification. This person is using their right to rectification to get their data changed.

"I'm not happy with the reason you've given me for keeping my data, so I want you to stop using it until this is resolved." - Right to restrict processing. This person is using their right to restrict processing because they are contesting the basis of that processing.

Subject access requests

People can ask to see the personal data we hold about them - verbally or in writing - to any employee, face to face, via social media, by email, by letter or in a variety of formats.

• Subject access requests can be verbal or in writing
• We normally have to respond within a month
• If you receive a request, follow our subject access procedure
• If you aren't authorised to deal with it, refer it to someone who can as quickly as possible

Examples of subject access requests:

"I want to see everything you've got on me."

"I want copies of all the records you hold about this account."

"Can I check you've deleted the information you promised you would?"

"I'd like to see everything you hold on me in the personnel database."


Why compliance matters


DATA PROTECTION BREACHES

A personal data breach is when there's a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. We have to report a breach to the Information Commissioner's Office if it is likely to cause someone harm.

For example, if it could lead to discrimination, financial loss, identity theft or reputational damage. We also need to tell the individuals affected in certain circumstances.

If we do have to report a breach, we have to do so within 72 hours, and we also have to keep a record of all breaches (even if they are only minor and don't need to be reported).


Data protection breaches

A data protection breach fined under the GDPR - October 2020

The ICO fined British Airways £20 million for data breaches affecting more than 400,000 customers.

BA was subject to a cyber-attack during 2018 which it did not detect for more than 2 months. The ICO determined that BA ought to have identified weaknesses in its security and resolved them, and that this would have prevented the cyber-attack.

This section will show you how to recognise and report data incidents and breaches.


Identifying data incidents

Because we have to report data breaches, you need to be able to recognise when one might have occurred and know what to do. The ICO needs to be notified of any data breaches that could potentially cause harm to individuals.

Some examples of a data breach are:
• A database is corrupted and customers' personal information is sent to the wrong address
• A spreadsheet containing employees' salary information is emailed to the whole organisation
• The organisation's data networks are hacked
• A laptop on which personal data is stored is lost in a taxi
• An external payroll service sends payslips to the wrong people

All of these could potentially cause harm to the people involved. Therefore, the ICO would need to be notified.

A personal data breach is when there's a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that's likely to cause someone harm.


Reporting data breaches

It's absolutely crucial to take the correct action if you think you have discovered a data incident. Make sure you know:
• Who you should report a data incident to
• How to report it

Even if a data incident is not found to be a breach, reporting it will help us to build stronger systems and processes.

How to stay compliant

ALWAYS
• Be clear and transparent about the purposes for which you use, disclose or share personal data
• Keep personal data accurate and up to date
• Consider whether an individual would consider the purpose for which you intend to use their data as being fair
• Destroy files containing personal or corporate data when they are no longer required
• Save personal data in a secure place
• Choose the most secure route for sharing data

BE AWARE OF
• The information contained within an email trail before forwarding - even if you are forwarding an email sent to you
• Your surroundings when working with personal data, particularly in public areas

NEVER
• Allow others to know your system logins or passwords
• Leave files or documents containing personal data or sensitive corporate information visible
• Forward information to anyone who does not have a valid reason for seeing it
• Use personal data in a manner that is inconsistent with the privacy policy


The consequences of non-compliance

There are consequences if we fail to comply with the GDPR. Do you know what the penalties are for you should you fail to comply with the Regulation? If you make a mistake that leads to a data breach or a failure to comply with the GDPR, you may face disciplinary action which can lead to dismissal. If you misuse personal information maliciously, you can face fines and criminal convictions.

The consequences of non-compliance - the organisation

An organisation that's found to be in breach of its data protection obligations can be investigated, suffer reputational damage, face compensation claims, and be fined. The fines can be extremely punitive and can seriously impact the financial health of an organisation, which makes data protection compliance a high priority.

Maximum of £17.5 million or 4% of annual global turnover
• An investigation by the UK Information Commissioner's Office
• Reputational damage caused by bad publicity
• Compensation claims against the organisation for the damage and distress
• A fine imposed by the UK Information Commissioner


Next steps


Summary

This course has given you a brief overview of the GDPR. We've covered basic terms, the key principles, the legal rights of individuals to their personal data and why compliance matters. Your next step now is to make sure that you:

• Understand our data protection policies and procedures
• Appreciate the role you play in protecting personal data on a day to day basis
• Are able to identify when a task is within the scope of the GDPR
• Apply the data protection principles to your work

Talk to your line manager or consult our IT security policy and, if in doubt, contact your legal or compliance team.

You should feel confident that you understand:

• That the processing of all personal data is governed by the General Data Protection Regulation
• The key principles of the Regulation:
  - Lawfulness, fairness, and transparency
  - Purpose limitation
  - Data minimisation
  - Accuracy
  - Information storage
  - Integrity and confidentiality
  - Accountability
• Individuals' legal rights concerning their personal data
• Why the GDPR is a high priority for you and the organisation
• The consequences of failing to comply with the GDPR

In the EU, personal data is protected by the General Data Protection Regulation (GDPR).

In the UK, personal data is protected and regulated by the Data Protection Act 2018 and the UK GDPR.

01453 796222

[email protected]

www.engageinlearning.com

©2015–2020 Hot Learning Ltd trading as Engage in Learning. All rights reserved.

