GDPR Module 3: Accountability and Governance

Learn about the explicit obligations of accountability and governance under the GDPR, including the requirement to appoint a data protection officer and implement technical and organizational measures. Explore topics such as data protection by design and default, codes of conduct, certification schemes, maintaining records on processing activities, and data protection impact assessments.



Presentation Transcript

  1. GDPR Module 3: Accountability and Governance

  4. Module 3: Introduction. In Module 3 we’ll learn how the GDPR will introduce more explicit obligations around accountability and governance. The subjects covered are:
     • The requirement to appoint a data protection officer
     • Data protection by design and default
     • Codes of conduct
     • Certification schemes
     • The requirement to implement appropriate technical and organisational measures
     • Maintaining records on processing activities
     • Data protection impact assessments

  5. You’ll recall from module 1 that the GDPR introduces a new ‘accountability’ principle (Article 5(2)) which makes it an explicit general requirement for data controllers to be responsible for, and demonstrate compliance with, the data protection principles… …but the GDPR also contains more specific provisions that aim to increase compliance and accountability.

  6. …these are:
     • To implement appropriate technical and organisational measures.
     • To maintain relevant records on processing.
     • To implement data protection by design and default.
     • To use data protection impact assessments where appropriate.
     • To appoint a data protection officer if appropriate.

  7. …we’ll now look at each of these requirements in turn, starting with technical and organisational measures. The GDPR requires the data controller to take measures to ensure and demonstrate that its processing complies with the legislation. This could include implementing internal data protection policies such as:
     • reviews of internal HR policies
     • internal audits of processing activities
     • staff training

  9. Next we’ll take a look at the requirement to keep records of processing activities…

  10. Examples of the types of records a data controller is required to maintain under the GDPR (records of processing):
     • Purpose of processing
     • Categories of recipients of personal data
     • Transfers to third countries
     • Retention schedules
     You may notice that there are some similarities between the information to be recorded under the GDPR and the ‘registrable particulars’ that have to be notified to the ICO under the DPA.

  11. The extent to which a data controller has to comply with the obligation to keep records of processing will depend on the number of staff it employs…

  12. The requirement to maintain a record of processing activities is obligatory for data controllers that employ 250 or more staff…

  13. However, if the data controller has fewer than 250 employees then it will be exempt from the requirement to maintain records of its processing… …unless that processing:
     • …could result in a risk to the rights and freedoms of individuals, or
     • …concerns special categories of data/data on convictions and offences.

  15. In this section we cover Data Protection Impact Assessments… These assessments help organisations identify the most effective way to comply with their data protection obligations and meet data subjects’ expectations of privacy… …The ICO already encourages data controllers to use privacy impact assessments as part of a ‘privacy by design approach’, but they are not a mandatory requirement under the DPA.

  16. Under the GDPR, a data controller must carry out a data protection impact assessment if… …the processing is likely to result in a high risk to the rights and freedoms of individuals… …in particular where… …the processing activity involves the use of new technologies.

  17. The GDPR says that a data protection impact assessment will be particularly required where any of the following applies:
     • Systematic and extensive evaluation of individuals’ personal aspects (based on automated processing) that’s used to make decisions which produce legal effects on, or significantly affect, those individuals.
     • Large scale systematic monitoring of public areas (such as CCTV).
     • Large scale processing of special categories of data, or personal data relating to criminal convictions or offences.

  18. So what information should be included in a data protection impact assessment (or DPIA)…?

  19. The information a DPIA should contain (contents):
     • Description and purposes of proposed processing, including (where applicable) the legitimate interests pursued by the data controller.
     • An assessment of the necessity and proportionality of the processing in relation to the purpose.
     • An assessment of the risks to data subjects’ rights and freedoms.
     • The measures in place to address risk, including security, and to demonstrate the data controller is complying.

  20. What if the data protection impact assessment finds that the processing poses a high risk to data subjects…? …in that event the data controller must consult the supervisory authority before beginning that processing. The supervisory authority must then provide the data controller with its view as to whether the measures proposed in the DPIA to mitigate that risk are adequate… …this would be a significant new work stream for us here at the ICO, and the operational implications of this are being considered as part of the Change Programme.

  22. This section explores the new requirement for some data controllers and processors to appoint a data protection officer…

  23. The GDPR sets out three specific circumstances in which an organisation must appoint a data protection officer. Only one of these has to be met for the obligation to apply:
     • If the organisation is a public authority (except for courts acting in their judicial capacity).
     • If the organisation’s processing involves regular and systematic monitoring of data subjects on a large scale.
     • If the organisation carries out large scale processing of special categories of data/data on convictions and offences.

  24. Position: Data Protection Officer. So what would the job description for a data protection officer appointed under the GDPR look like…? Job description:
     1. Inform and advise the organisation about its obligations to comply with the GDPR.
     2. Monitor compliance with the GDPR, including managing internal data protection activities.
     3. Be first point of contact for supervisory authorities and data subjects.
     4. Provide training to staff, advise on data protection impact assessments and conduct internal audits.

  25. Position: Data Protection Officer. What about the person themselves? What qualities does the GDPR say they will need? Person specification: Skills and experience: professional experience and knowledge of data protection law. The GDPR says that this experience should be… …proportionate to the type of processing the data controller carries out… …but it doesn’t go into any further detail about the exact credentials the data protection officer should have (such as what qualifications they should hold).

  26. The GDPR says that a single data protection officer can be appointed to act for a group of companies or Public Authorities… …taking into account their structure and size and the availability of that data protection officer.

  27. The data protection officer doesn’t have to be an external appointment… …the organisation can appoint an existing member of staff to the role (illustrated on the slide by a name badge changing from ‘Sarah Farris, Head of IT’ to ‘Sarah Farris, Head of IT and Data Protection’)… …so long as they have the required experience and there won’t be a conflict of interests with their other duties.

  28. …or, if it prefers, the organisation can contract out the role of data protection officer externally…

  29. …and whoever is appointed, the organisation must ensure that person reports to the highest management level (i.e. board level).

  30. The organisation also has two additional obligations:
     • The data protection officer must be allowed to operate independently and can’t be dismissed or penalised for performing their job.
     • The organisation must provide the necessary resources for the data protection officer to meet their GDPR obligations.

  32. In this next section we’ll take a look at what the GDPR has to say about data protection by design and default… Data protection by design and default was always an implicit requirement of the DPA data protection principles, for example relevance and non-excessiveness… …however, under the GDPR data controllers will be explicitly required to incorporate data protection by design and default into their processing.

  33. The GDPR suggests that appropriate measures to help fulfil the requirement for data protection by design and default could include:
     • Minimising the processing of personal data
     • Pseudonymising personal data as soon as possible
     • Transparency of processing of personal data, to enable the data subject to monitor the data processing.

  34. …in the case of data protection by default, the implementation of data minimisation measures (minimising the processing of personal data) is a mandatory requirement… …this is because Article 25 of the GDPR explicitly states that data controllers must take appropriate measures to ensure that, ‘…by default, only the personal data necessary for each specific purpose of processing are processed…’

  35. The GDPR also states that, when considering which measures to adopt, the data controller should take into account factors such as:
     • available technology…
     • the cost of implementation…
     • the nature, scope, context and purposes of the processing…
     • the risk to the rights and freedoms of the data subjects…

  37. We’ve now covered all of the specific accountability requirements we set out at the beginning of the module… …next we’ll move on to voluntary schemes that are aimed at encouraging compliance…

  38. The GDPR introduces two voluntary schemes that data controllers (or processors) can sign up to in order to demonstrate compliance with the legislation. These are:
     • Approved codes of conduct
     • Certification mechanisms
     Signing up to these schemes offers a number of advantages…

  39. Three of the main advantages to an organisation of signing up to a scheme:
     1. It can improve transparency and accountability so data subjects can see which organisations are complying with the GDPR and can be trusted with their personal data.
     2. It can provide mitigation against enforcement action.
     3. It can improve standards by establishing best practice.

  41. In this next section we’ll take a more detailed look at codes of conduct…

  42. A code of conduct can be drawn up by trade associations or representative bodies. The code must be approved by the relevant supervisory authority… However, the responsibility for monitoring the code lies with the ‘accredited body’. This is an organisation accredited by the supervisory authority which has an appropriate level of expertise in the subject matter of the code. Any data controller (or processor) that adopts the code will be subject to mandatory monitoring by the accredited body. It has powers to exclude a controller or processor that is claiming adherence to the code.

  43. Codes of conduct will set out sector specific guidelines on how to comply with the GDPR. They may cover topics such as:
     • Appropriate technical and organisational measures
     • Fair and transparent processing
     • Data transfers outside the EU
     • Breach notification

  45. In this final section we’ll look at certification schemes in more detail… Certification offers another means for a data controller to demonstrate that it is complying with the GDPR. In particular it can be used to show that the data controller is implementing appropriate technical and organisational measures…

  46. A certification can be awarded by:
     1. The supervisory authority, or
     2. A certification body accredited by the supervisory authority.
     The data controller/data processor must provide the supervisory authority or certification body with sufficient information and access to its processing activities to conduct the certification procedure. Certification lasts for a maximum of three years… …and it can be renewed or withdrawn by the supervisory authority or certification body.
