General Data Protection Regulation. Awareness.
• About GDPR – The Data Protection Act. What is data privacy? Who does this affect? Why data privacy matters to us.
About GDPR – The Data Protection Act. • GDPR is a regulation that came into effect on 25 May 2018. The goal of GDPR is to protect the personal data of European citizens.
About GDPR – What is data privacy? • Being open with people about how we use their information.
About GDPR – Who does this affect? • All of us: we all have a responsibility to keep people’s information safe.
About GDPR – Why data privacy matters to us.
Definitions (As per Article 4).
• Establishment –
• Special categories of personal data –
• Processing –
• Profiling –
• Data subject consent –
• Under the GDPR there are certain types of information which are
• When working with different types of information we need to consider what can be interpreted or inferred when we combine them.
Personal information / Sensitive personal information.
• All information is important, and while there are differences, it is best practice to take measures to maintain the confidentiality of anything that is shared with you.
• Before you work with any data, take a moment to ask yourself: can I manage this information securely?
Processing Personal Data. Personal data must be processed:
Processing Sensitive Personal Data. • Restrictions on use of ‘sensitive personal data’.
PERSONAL DATA – Consent. SPECIAL CATEGORIES OF PD – Explicit consent.
• Restrictions on exports outside the EEA to countries without ‘adequate safeguards’.
• Breach by the data processor is the responsibility of the data controller.
NIPL’s Privacy Notice outlines how we use personal data, keeps people informed about the data we hold, and provides assurance that we work with data in a legal and ethical way.
• Under data protection regulations, it is vital that anyone sharing their data understands for what purpose they are giving their information and how it will be handled.
Lawful bases for processing. Lawfulness of processing rests on one of six bases:
• Consent – consent of the data subject to the processing of his or her data.
• Contractual necessity – processing is necessary in order to enter into a contract.
• Legal obligation – the controller processes personal data to meet a legal obligation.
• Vital interests – it is vital that specific data are processed in a matter of life and death.
• Public interest – public authorities acting in the exercise of public duties and in the public interest.
• Legitimate interests – the interest is weighed and is not overridden by the interests of others.
Seven Principles of GDPR.
• LAWFULNESS, FAIRNESS AND TRANSPARENCY – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• PURPOSE – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• DATA MINIMISATION – Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• ACCURACY – Personal data shall be accurate and, where necessary, kept up to date.
• STORAGE LIMITATION – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• INTEGRITY AND CONFIDENTIALITY – Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• ACCOUNTABILITY – The controller shall be responsible for, and be able to demonstrate compliance with, the Data Protection Principles.
Individual rights: Be informed, Access, Rectification, Erasure, Restrict processing, Data portability.
Individuals have the right to receive privacy information such as:
Individuals have the right to: • Have confirmation that their data is being processed.
• You may charge a reasonable fee or refuse to respond when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Individuals have the right to: • Their personal data being accurate.
Individuals have the right to erasure if: • Personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
Individuals can request: • Restriction of processing until an accuracy claim is verified.
Individuals have the right to: • Receive their personal data in a structured, commonly used and machine-readable format.
Individuals have the right to object to: • Processing for direct marketing.
Under Article 22, individuals have the right not to be subject to a decision when:
The GDPR’s accountability principle (Article 5(2)) requires you to be able to demonstrate how you comply with the data protection principles.
The first principle of the GDPR requires you to process data in a transparent manner in relation to the data subject (Article 5(1)(a)).
Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).”
Data Protection Impact Assessments. Data protection impact assessments (DPIAs) are required by Article 35 of GDPR. It is up to the organization to determine when a DPIA is needed, as GDPR allows this to be judged on the scope of the processing and the risk to data subjects.
Required when: • using new technologies, • profiling,
• Contract laying out multiple parties’ commitments to personal data.
• Implement appropriate technical and organizational controls, based on the DPIA and data-protection-by-design requirements, to ensure the safety of personal data held.
Technical measures include: • Data encryption at rest.
• Pseudonymization: the process of removing personal identifiers from data and replacing those identifiers with placeholder values.
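The pseudonymization measure described above, shown as an added example (not code from the original slides or from NIPL): direct identifiers in a record are replaced with keyed placeholder tokens, and the token-to-identifier lookup table is returned separately so it can be stored under its own access controls. The field names, the sample records and the key are all constructed for the example; the token is an HMAC-SHA256 of the identifier, so the same identifier always gets the same placeholder (records stay linkable) but nobody without the key can recompute or reverse it.

```python
"""Pseudonymization: replace direct identifiers with keyed placeholder tokens.

Constructed example. The pseudonymized data set and the lookup table are
returned as two separate objects on purpose: keeping them apart (and the key
out of the data set) is what makes the output pseudonymous rather than
directly identifying.
"""
import hashlib
import hmac

# Fields treated as direct identifiers (assumed field names for this example).
IDENTIFIER_FIELDS = ("email", "national_id")

# Constructed key; a real deployment would load this from a secrets store.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# Constructed sample records; record 0 and record 2 belong to the same person.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "national_id": "AB123456C", "department": "HR"},
    {"email": "bob@example.org", "national_id": "CD654321E", "department": "IT"},
    {"email": "Alice@Example.org", "national_id": "AB123456C", "department": "HR"},
]


def make_token(secret_key: bytes, value: str) -> str:
    """Derive a stable placeholder for `value` with HMAC-SHA256.

    The value is normalised (trimmed, lower-cased) so that case variants of
    the same identifier link to the same token. The placeholder is a prefix
    plus 96 bits of the MAC: enough to avoid collisions in practice, short
    enough to fit where the identifier used to be.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(secret_key, normalised, hashlib.sha256).digest()
    return "psn_" + digest[:12].hex()


def pseudonymize(records, secret_key=SECRET_KEY):
    """Return (pseudonymized_records, lookup_table).

    lookup_table maps token -> first-seen original value. It must be stored
    separately from the pseudonymized records, under stricter access control,
    because table plus records re-identifies everyone.
    """
    lookup = {}
    output = []
    for record in records:
        new_record = dict(record)
        for field in IDENTIFIER_FIELDS:
            original = new_record.get(field)
            if original is None:
                continue
            token = make_token(secret_key, str(original))
            lookup.setdefault(token, original)
            new_record[field] = token
        output.append(new_record)
    return output, lookup


def reidentify(record, lookup):
    """Restore original identifiers for one record using the lookup table."""
    restored = dict(record)
    for field in IDENTIFIER_FIELDS:
        token = restored.get(field)
        if token in lookup:
            restored[field] = lookup[token]
    return restored


def leaks_identifier(records, originals) -> bool:
    """True if any original identifier value survives in the output records.

    This is the check a reviewer runs before releasing a pseudonymized
    extract: no identifier from the source should appear in any field.
    """
    wanted = {str(v).strip().lower() for v in originals}
    for record in records:
        for value in record.values():
            if str(value).strip().lower() in wanted:
                return True
    return False


def run_example():
    """Pseudonymize the constructed sample and return the two artefacts."""
    pseudonymized, lookup = pseudonymize(SAMPLE_RECORDS)
    originals = [r[f] for r in SAMPLE_RECORDS for f in IDENTIFIER_FIELDS]
    assert not leaks_identifier(pseudonymized, originals)
    return pseudonymized, lookup


if __name__ == "__main__":
    pseudo, table = run_example()
    for row in pseudo:
        print(row)
    print("lookup entries:", len(table))
```

Note that HMAC with a secret key, not a plain hash, is what prevents a third party from recomputing tokens from guessed identifiers (email addresses and ID numbers are easily enumerated). Rotating the key produces a fresh, unlinkable set of tokens, which is also how the lookup table can be retired when the original purpose ends.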
Organizational measures include: • Robust data security policy,
Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In brief, when reporting a breach: Be quick. Be open.
The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. Its duties are to:
GDPR clearly articulates, in Article 83, the goal of penalties being effective, proportionate and dissuasive. Fines under GDPR fall into two categories depending on the severity of the case.
There are two categories of fines. You can be fined the higher of 2% of your annual global turnover or 10 million Euros for shortcomings including: