GDPR - Questions & Answers!

What is the main aim of the GDPR?

The purpose of the GDPR is to provide a set of standardised data protection laws across all of the member countries. The GDPR is currently the strongest data protection regulation in the world.

Does GDPR apply to residents or citizens?

The more useful term is "European Union resident", meaning a person located within the European Union. The GDPR requires that the personal data of an individual residing within a European Union country be subject to certain safeguards, and that their rights and freedoms be protected.

Does the GDPR apply to non European Citizens?

The GDPR will apply to non European Union companies that deal with personal data in connection with offering goods or services to European citizens, or with monitoring European citizens' behaviour occurring within the European Union. In essence, where a business has a European Union connection, it is highly likely that it will fall within the scope of the GDPR.

How long does the ICO have to provide written advice?

The Information Commissioner's Office (ICO) will provide written advice within eight (8) weeks, or fourteen (14) weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing of the data altogether.

What is an ICO enforcement notice?

The ICO can serve information notices requiring companies to provide specified information within a predefined time period. The ICO can also impose penalty notices for a wider range of failures, including failure to comply with an information notice, an assessment notice or an enforcement notice.

Can I sue for a breach under the GDPR?

The GDPR accommodates claims for breach. It provides that individuals may sue in circumstances where they have suffered a) damage or b) distress. This means that you only have to demonstrate that the breach caused you some level of distress in order to claim compensation.

What constitutes a breach of data protection?

A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

How long should personal data be kept?

How long certain kinds of personal data are kept may also be governed by specific business-sector requirements and agreed practices. For example, the ICO has agreed that credit reference agencies are permitted to keep consumer credit data for six (6) years.

What is the difference between the DPA 2018 and the GDPR?

The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation, and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the detail of these provisions. It is therefore important that the GDPR and the DPA 2018 are read side by side.

Data Protection Officer

At a glance

  • The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
  • DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
  • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases several organisations can appoint a single DPO between them.
  • DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

Do I need to appoint a DPO?

Probably. Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • have core activities that include large scale regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that include large scale processing of special categories of data (which includes information relating to an individual’s health) or data relating to criminal convictions and offences.

We have appointed a DPO based on their professional qualities and expert knowledge of data protection law and practices.

We aren’t required to appoint a DPO under the GDPR but have decided to do so voluntarily. We understand that the same duties and responsibilities apply as if we had been required to appoint a DPO, and we support our DPO to the same standards.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR.

What is the role, tasks and liability of the DPO?

The WP29 guidance also clarifies the position under Articles 38 and 39 in relation to the role and tasks of the DPO:

  • Role – the GDPR requires the DPO to be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The WP29 guidance confirms that the level of knowledge required should be determined on the basis of the data processing operations and the level of protection required. It also lists some skills which the DPO should possess, such as expertise in national and European data protection laws and an understanding of the processing operations.
  • Tasks – the WP29 emphasises that organisations need to ensure the DPO is involved in all data protection issues as early as possible, and that the DPO’s key concern is monitoring compliance with the GDPR. In order to do this successfully, the DPO must remain independent, e.g. they cannot hold a position within the organisation that leads them to determine the purposes and means of the processing.

The WP29 guidance also emphasises that the DPO is not personally responsible for non-compliance with the GDPR. The liability remains with the controller or processor, who must demonstrate that the processing activities are being performed in accordance with the GDPR.


Adding or modifying a DPO

To add a Data Protection Officer (DPO), email dataprotectionfee@ico.org.uk with the subject line ‘Add a DPO’ and include:

  • the registration number of your organisation;
  • whether you are required to provide the details of your DPO, or whether you are doing so voluntarily; and
  • the name, address, phone number and/or email address of your DPO if they are an individual (eg a member of staff or a member of your organisation); or
  • the name, address, phone number and/or email address of the external organisation that will be carrying out the DPO duties on your behalf.

The ICO will publish details of all controllers who pay the data protection fee on the data protection register, which is available on our website. Please state clearly within your email whether or not you wish to publish the name of your DPO if they are an individual.

Position of the DPO

  • Your DPO should report directly to your company's highest level of management and be given the independence required to perform their tasks.
  • Your company involves your DPO, in a timely manner, in all issues relating to the protection of personal data.
  • Your company's DPO is sufficiently well resourced to be able to perform their tasks.
  • Your company does not penalise the DPO for performing their duties.
  • Your company will ensure that any other tasks or duties assigned to your DPO do not result in a conflict of interest with their role as DPO.

Tasks of the DPO

  • Your DPO is tasked with monitoring compliance with the GDPR and other data protection laws, your data protection policies, awareness-raising, training, and audits.
  • Your company will take account of your DPO’s advice and the information they provide on your data protection obligations.
  • When carrying out a DPIA, your company will seek the advice of your DPO, who also monitors the process.
  • Your DPO acts as a contact point for the ICO. They co-operate with the ICO, including during prior consultations under Article 36, and will consult on any other matter.
  • When performing their tasks, your DPO should have due regard to the risk associated with processing operations, and take into account the nature, scope, context and purposes of processing.

Accessibility of the DPO

  • Your company's DPO is easily accessible as a point of contact for your employees, individuals and the ICO.
  • Your company has published the contact details of its DPO and communicated them to the ICO.

Managing Private Health Information (PHI)

What does the GDPR mean for personal data in medical reports?

Information about an employee's health is considered a ‘special category of data’ under the GDPR (sensitive personal data under the DPA), which an employer will need to process if it obtains a medical report. Processing special categories of data is prohibited unless one of a number of exceptions applies.

Now that the GDPR has come into effect, it appears that it will be almost impossible for an employer to rely on consent to process employees' personal data, even if consent is given in relation to a particular medical issue.

For special categories of data, employers are likely to rely on processing being “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law” (Article 9(2)(b) GDPR). For this, under the new data protection bill, employers will need an ‘appropriate policy document’ explaining how they handle special categories of data.
