General Data Protection Regulation (GDPR)
Richard Galley, 7 December 2017

Today's session
The purpose of this session is to help you understand the key elements of the EU General Data Protection Regulation (GDPR) and how you will need to prepare for implementation of the UK's new Data Protection Act.

Agenda
- Setting the scene
- DPA versus GDPR
- GDPR's scope
- The 6 Principles
- Consent and other lawful bases
- Individuals' rights
- Accountability & governance
- Breaches
- The UK Data Protection Bill
- Top Tips & Action Planning

GDPR
- GDPR in force from 25 May 2018
- Makes the existing DP Directive (& UK Data Protection Act) redundant
- Brexit??! The UK's decision to leave the EU will not affect GDPR's implementation

GDPR
"One way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data." Rob Luke, Deputy Commissioner, ICO, May 2017

GDPR = Data Protection Bill 2017
"A new law will ensure that the United Kingdom retains its world-class regime protecting personal data." The Queen's Speech, 21 June 2017

"Any legislation introduced into Parliament is open to change so once we have a clearer idea of its final form we will be able to make firmer plans and develop the structure and the content of the guidance. Our aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018." UK Information Commissioner

GDPR: Why?!
- Unifies data regulations within the EU: creates a single regulatory framework across the EU for DP
- Gives you and me greater control over our personal information
- Protects the rights and interests of the individual
- Quantity and use of data

GDPR highlights
- Principles based!
- Applies to controllers and processors: the controller says how and why personal data is processed; the processor acts on the controller's behalf
- Applies to processing carried out by organisations operating in the EU and to organisations outside the EU that offer goods or services to EU citizens
- Places specific legal obligations on processors (e.g. keep records of personal data and processing activities)
- Significantly more legal liability if responsible for a breach

GDPR v. DPA

DPA v. GDPR
DPA:
- Only UK
- Enforced by the Information Commissioner's Office (ICO)
- Non-compliance can result in fines up to 500,000 or 1% of annual turnover
- No need for any business to have a dedicated Data Protection Officer (DPO)
GDPR:
- Whole of EU
- Enforced by national Supervisory Authorities (SA)
- Non-compliance can result in fines up to 17 million or 4% of the business's annual global turnover
- DPO mandatory for some, e.g. public authorities / large-scale processing

DPA v. GDPR
DPA:
- No obligation to report data breaches (but encouraged to do so)
- No requirement for an organisation to remove all data they hold on an individual
- Data collection does not necessarily require an opt-in
GDPR:
- Certain data breaches must be reported to the SA within 72 hours of the incident
- Individual has the right to erasure: data being permanently deleted
- Individuals must actively opt in and there must be clear privacy notices

DPA v. GDPR
DPA:
- Data portability encouraged but not a right
GDPR:
- Right to data portability, allowing individuals to obtain and reuse their personal data for their own purposes across different services: moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability

GDPR Scope

GDPR scope
- Personal data: the GDPR definition is more detailed and makes clear that information such as an online identifier, e.g. IP addresses, can be personal data
- Sensitive personal data: the GDPR definition is broadly the same as the DPA but includes genetic and biometric data
- Covers automated personal data and manual filing systems

GDPR scope: Personal data
Any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

GDPR scope: Sensitive Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).

GDPR's 6 Principles

1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals
- Lawful: processing must meet the tests described in GDPR
- Fair: what is processed must match up with how it has been described
- Transparent: tell the subject what data processing will be done
- Must identify a lawful basis before processing personal data (often referred to as the "conditions for processing" under the DPA); document this

2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- No more than the minimum amount of data should be kept for specific processing

4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay

5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

6. Personal data shall be processed in a manner that ensures appropriate security of them, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

GDPR & Consent

Consent: definition
- DPA: "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"
- GDPR: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

GDPR & consent
- Consent has to be freely given, specific, informed and an unambiguous indication of the individual's wishes
- Requires some form of clear affirmative action: silence or inactivity does not constitute consent, and pre-ticked boxes are banned
- Consent must be verifiable: some form of record must be kept of how and when consent was given
- May be withdrawn, easily, by individuals at any time

GDPR & consent
If existing DPA consents don't meet the GDPR standards or are poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

GDPR & consent
- If consent is difficult, consider using an alternative basis
- Consent is appropriate if people are offered real choice and control over use of their data; if not, consent is inappropriate
- If processing personal data without consent will happen anyway, asking for consent is misleading and inherently unfair
- If consent is a precondition of a service, consent is unlikely to be the most appropriate lawful basis

GDPR & consent
Look out for the ICO's definitive guidance early in 2018 (draft version now available from the ICO website).

Consent: the alternatives
IMPORTANT! Organisations can rely on other lawful bases apart from consent!

Consent: the alternatives
Personal data can be processed on the following legal bases (i.e. without consent):
- Necessary for the performance of a contract with the individual
- Necessary for compliance with a legal obligation
- Necessary to protect the vital interests of a data subject or another person
- Necessary for the performance of a task carried out in the public interest / exercise of official authority
- Necessary for the purposes of legitimate interests: if there's a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual's rights and interests

Consent: legitimate interests
"Private-sector organisations will often be able to consider the legitimate interests basis if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone's personal data without their consent but you must ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable." ICO Draft GDPR Consent Guidance

Consent: legitimate interests
Legitimate interests include:
- Processing for direct marketing purposes or preventing fraud
- Transmission of personal data within a group of undertakings for internal admin purposes
- Processing for ensuring network and information security
- Reporting possible criminal acts or threats to public security to a competent authority

Marketing and GDPR
- GDPR Recital 47: direct marketing is a legitimate use of personal information
- However! Other rules also apply, e.g. the Privacy and Electronic Communications Regulations 2003 (PECR). PECR restricts marketing by phone, text, email or other electronic means.
- When sending electronic marketing messages you need to comply with data protection rules and PECR

Marketing and GDPR
"We recommend that your marketing campaigns are always permission-based and you explain clearly what a person's details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints." ICO, July 2017

GDPR & legal bases: issues for you?

Children

GDPR & children: Privacy Notice
- Where services are offered directly to a child, the privacy notice must be written in a clear, plain way that a child will understand
- Includes most internet services provided at the user's request, normally for remuneration
- GDPR emphasises that protection is particularly significant where a child's personal data is used for the purposes of marketing and creating online profiles

GDPR & children: Consent
- Those offering online services to children may need to obtain consent from a parent / guardian to process the child's data
- If consent is the basis for processing a child's personal data, a child under the age of 16 can't give consent themselves; consent is required from a person holding parental responsibility

Individual Rights

GDPR & individuals' rights
GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object

GDPR & individuals' rights: The right to be informed

- Requires transparency over how personal data is used and obliges data controllers to provide fair processing information, typically through a privacy notice

Privacy Notice
- Doesn't have to be a single statement
- The ICO recommends a blended approach: information can be provided in different, most appropriate places / media
- People are unwilling to read lengthy statements, but that doesn't mean they're not interested in what happens to their data

The right to be informed
- GDPR sets out the information that should be supplied and when individuals should be informed
- Determined by whether or not personal data is obtained directly from individuals
- Much of the information is consistent with current obligations under the DPA, but some further information is explicitly required

The right to be informed: new to GDPR
Individuals have the right to be informed about the:
- period for which data will be stored (or the criteria used to determine that period)
- existence of the rights to erasure, to rectification, to restriction of processing, to object to processing, and to complain to the SA (ICO)
- source of data where they were not collected from the data subject
- existence of, and an explanation of the logic involved in, any automated processing

The right to be informed
Information supplied about processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language; and
- free of charge

ICO Code of Practice: Privacy Notices
"Following the advice in this code about the use of language, about adopting innovative technical means for delivering privacy information such as layered and just in time notices, and about user testing will help you to comply with the new provisions of the GDPR, as well as the current requirements of the DPA." ICO

ICO Code of Practice: Privacy Notices
Issues covered include:
- Where you should deliver privacy information
- When you should actively communicate privacy information
- How you should write a privacy notice
- Test, roll out and review

Privacy Notices: issues for you?

GDPR & individuals' rights: The right of access
- Reason for being: allows individuals access to personal data so that they are aware of and can confirm the lawfulness and / or accuracy of data processing
- Individuals have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information (i.e. the info in the privacy notice)
- Similar to existing subject access rights under the DPA

The right of access
- Information must be provided free of charge
- A reasonable fee may be charged when a request is unfounded / excessive, or when asked to replicate information
- A reasonable fee must be based on the administrative cost of providing the information
- You may refuse if the request is manifestly unfounded or excessive; give an explanation

The right of access
- Information must be provided without delay and at the latest within one month of the request
- Two-month extensions where requests are complex or numerous; the individual must be told why the extension is necessary within one month of the request being received
- If the request is made electronically, information should be provided in a commonly used electronic format
- GDPR's best practice recommendation: where possible, provide remote access to a secure self-service system which provides the individual with direct access to their information

Right of access: issues for you?

GDPR & individuals' rights: The right to rectification
- Individuals are entitled to have their data rectified where it is inaccurate or incomplete
- Must respond within one month; can be extended by two months where the request is complex

GDPR & individuals' rights: The right to erasure
a.k.a. the right to be forgotten

"Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under GDPR, this threshold is not present." ICO

The right to erasure
- Enables an individual to ask for personal data to be deleted / removed where there is no compelling reason for continued processing
- Not absolute: can be refused, e.g. where data is processed for purposes in the public interest, or in legal claims, or in exercising the right of freedom of expression and information

The right to erasure: specific circumstances
- Personal data no longer needed in relation to the purpose for which it was originally collected / processed
- Individual withdraws consent
- Individual objects to processing and there is no overriding legitimate interest for it continuing
- Personal data unlawfully processed
- Erasure needed to comply with a legal obligation

Right to erasure: issues for you?

GDPR & individuals' rights: The right to restrict processing

- Individuals can block / restrict processing, e.g. where they contest the accuracy of the data
- Similar to DPA

The right to restrict processing
- Individual contests the accuracy of data: restrict processing until accuracy has been verified
- Individual objects to processing and consideration is being given to whether legitimate grounds override those of the individual
- Processing is unlawful; the individual opposes erasure and requests restriction instead
- Personal data no longer needed but the individual requires it for a legal claim

GDPR & individuals' rights: The right to data portability
- An individual is entitled to obtain and reuse their personal data for their own purposes across different services
- Allows moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability

The right to data portability
Only applies:
- to personal data an individual has provided;
- where the processing is based on the individual's consent or for the performance of a contract; and
- when processing is carried out by automated means

The right to data portability
- Data must be in a structured, commonly used and machine-readable form (e.g. CSV files)
- Machine-readable: data structured so that software can extract specific elements of it
- Information must be provided free of charge
- May be required to transmit the data directly to another organisation if technically feasible; no need to adopt / maintain processing systems technically compatible with other organisations

The right to data portability
What tools are recommended to answer data portability requests?
"1) data controllers should offer a direct download opportunity for the data subject and, 2) they should allow data subjects to directly transmit the data to another data controller e.g. via an Application Programming Interface" Article 29 Working Party FAQs

"Data subjects may also make use of a personal data store, a trusted third party, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required, so data can be transferred easily from one controller to another." Article 29 Working Party FAQs

The right to data portability
To what extent are data controllers responsible for the data transferred or received through the right to data portability?
"Data controllers that answer data portability requests are not responsible for the processing handled by the data subject or by another company receiving personal data" Article 29 Working Party FAQs

"At the same time, the receiving data controller is responsible for ensuring that the portable data provided are relevant and not excessive with regard to the new data processing, that they have clearly informed the data subject of the purpose of this new processing and, more generally, that they have respected the data protection principles applying to their processing in accordance with the GDPR provisions" Article 29 Working Party FAQs

Right to data portability: issues for you?

GDPR & individuals' rights: The right to object

- Individuals can object to direct marketing (including profiling) and processing for statistical purposes
- Their right to object must be brought to their attention at the first point of communication, e.g. via the privacy notice: "explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information"

The right to object
- Objection must be on grounds relating to his or her particular situation
- Processing of data must stop unless there are compelling legitimate grounds for it, which override the interests, rights and freedoms of the individual

The right to object
- Processing personal data for direct marketing purposes must stop as soon as an objection is received; no exemptions or grounds to refuse
- Objections to processing for direct marketing must be dealt with at any time and free of charge
- Similar to existing DPA

GDPR & individuals' rights: Automated decision making and profiling
Individuals have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces a legal effect or a similarly significant effect on the individual

Automated decision making and profiling
The right does not apply if the decision:
- is necessary for entering into or performance of a contract between the organisation and the individual;
- is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
- is based on explicit consent

Automated decision making and profiling
Profiling: automated processing to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
- performance at work
- economic situation
- health
- personal preferences
- reliability
- behaviour
- location
- movements

Automated decision making and profiling
- Ensure processing is fair and transparent: provide meaningful information about the logic involved and the significance and envisaged consequences
- Use appropriate mathematical or statistical procedures for profiling
- Appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors
- Secure personal data proportionate to the risk to the interests and rights of the individual

Automated decision making & profiling: issues for you?

Accountability

GDPR accountability principle
Required to show how compliance with the principles is achieved, for example by documenting the decisions taken about a processing activity.
[Diagram: "Key Priority: Accountability & Culture". Labels recoverable from the slide: DP (data protection), Staff, Management, Board, Data Subjects, ICO, Reporting.]

GDPR accountability principle
Organisations must:
- implement technical and organisational measures that ensure and demonstrate compliance (e.g. DP policies, staff training, internal audits of processing activities etc.)
- maintain relevant documentation on processing activities
- where appropriate, appoint a data protection officer:
  - public authority
  - carrying out large-scale systematic monitoring of individuals (for example, online behaviour tracking)
  - carrying out large-scale processing of special categories of data or data relating to criminal convictions and offences

GDPR accountability principle
You must implement measures that meet the principles of data protection, including:
- data minimisation
- pseudonymisation
- transparency
- creating and improving security features on an ongoing basis
- use of data protection impact assessments where appropriate

Pseudonymisation: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information; that additional information must be kept separately and be subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person. In short, it's a privacy-enhancing technique!
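The pseudonymisation described on this slide, shown as an added example that is not part of the original presentation. A constructed customer table is split into an analysis dataset that carries only a keyed token (HMAC-SHA256 under a secret key) plus the attributes needed for the purpose, and a separate lookup table; the lookup table and key are the "additional information" that must be held apart under their own controls. The unkeyed_hash / recover_from_unkeyed pair is included to show why a plain hash of a small identifier space does not achieve non-attribution. All function names, the key handling and the sample records are assumptions made for this example.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample data for this example; these are not real people.
SAMPLE_CSV = """customer_id,email,postcode,order_total
1001,alice@example.com,SW1A 1AA,42.50
1002,bob@example.com,M1 1AE,19.99
1001,alice@example.com,SW1A 1AA,7.25
"""


def parse_records(text):
    """Read the constructed CSV into a list of dicts (one per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def subject_token(customer_id, key):
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.
    Without the key the token cannot be recomputed from a guessed id, so the
    analysis dataset alone does not let anyone re-attribute rows to a person."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split a dataset into
    (a) rows carrying only a pseudonym and the attributes needed for analysis, and
    (b) the 'additional information' (token -> customer_id) that must be stored
        separately from (a) under its own technical and organisational measures.
    The email column is dropped entirely (data minimisation) and the postcode is
    reduced to its outward area, which is enough for the assumed analysis purpose."""
    rows, lookup = [], {}
    for rec in records:
        token = subject_token(rec["customer_id"], key)
        lookup[token] = rec["customer_id"]
        rows.append({
            "subject": token,
            "postcode_area": rec["postcode"].split()[0],
            "order_total": float(rec["order_total"]),
        })
    return rows, lookup


def reidentify(token, lookup):
    """Re-attribution is only possible for whoever holds the separate lookup
    table, e.g. the controller answering a subject access request."""
    return lookup.get(token)


def unkeyed_hash(customer_id):
    """What NOT to do: an unkeyed hash of an identifier drawn from a small space."""
    return hashlib.sha256(customer_id.encode("utf-8")).hexdigest()[:16]


def recover_from_unkeyed(token, id_range=range(1000, 2000)):
    """Shows why an unkeyed hash is not pseudonymisation: anyone holding the
    dataset can rebuild the mapping by hashing every plausible identifier.
    Returns the matching id, or None (as it will for a keyed token)."""
    for cid in id_range:
        if unkeyed_hash(str(cid)) == token:
            return str(cid)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held separately from the pseudonymised rows
    rows, lookup = pseudonymise(parse_records(SAMPLE_CSV), key)
    for row in rows:
        print(row)
    print("controller can re-identify first row as:", reidentify(rows[0]["subject"], lookup))
    print("unkeyed hash of 1002 recovered as:", recover_from_unkeyed(unkeyed_hash("1002")))
    print("keyed token of 1002 recovered as:", recover_from_unkeyed(rows[1]["subject"]))
```

Design note: the same customer still maps to the same token, so the analysis dataset keeps its longitudinal value (both of Alice's orders share one pseudonym) while the key and lookup table, not the dataset, become the thing to protect and to destroy when re-identification is no longer needed.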

Data retention
Create a Data Retention Policy:
- assess what data is currently stored & list all personal data types handled
- identify and log where data is held (e.g. servers, databases, emails, company computers and backups etc.)
- define the storage period for each type of data
- take account of legal and regulatory requirements (e.g. Employers' Liability insurance etc.)
- implement and enforce the policy
- include a summary in the Privacy Notice

Data retention periods
- Legal and regulatory stipulations take priority
- SYSC 9.1.5: "With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made"
- General rule of thumb = 6 years (e.g. from claim)
- Policies that cover any loss that happened during the policy term, no matter when the claim is made: retain indefinitely

Data retention: HR records
- Terms of Employment (Information) Act, 1994: employees' terms and conditions of employment; retain for the duration of their employment
- Safety, Health and Welfare at Work (General Applications) Regulations 1993: 10-year retention from the date of an accident
- The Companies Acts and Taxes Consolidation Act, 1997: 8-year retention of tax records
- Parental Leave Acts 1998-2006: 8-year retention of records showing the dates and times an employee took parental leave
- National Minimum Wage Act, 2000: 3-year retention to show compliance with the Act's provisions
- Organisation of Working Time Act, 1997 & Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations 2001: 3-year retention for records of weekly working hours, the name and address of the employee, the employee's PPS number and a statement of their duties
- Protection of Young Persons (Employment) Act, 1996: 3-year retention of employment records relating to persons under 18 years of age
- Protection of Employment Acts, 1977-2007: where an employer has collective redundancies, must retain records to show that the Acts' provisions were complied with, for a 3-year period
- Employment Equality Acts: records relating to the recruitment process should be retained for 1 year

Data retention: HR, Statute of Limitations 1957
- Personal injury actions: recommended 3 years (mandatory 2 years) from the date of cause of action
- Breach of contract actions: contracts retained for at least 7 years from the date of termination of the employment

GDPR accountability principle: Data Protection Officer
Any organisation can appoint a DPO:
- Inform / advise the organisation about its obligations to comply with data protection law
- Monitor compliance with data protection law, e.g. advise on data protection impact assessments and conduct internal audits
- First point of contact for supervisory authorities and for individuals whose data is processed

Data Protection Officer
- Reports to the highest management level of the organisation, i.e. board level
- Operates independently and is not dismissed or penalised for performing their task
- Adequate resources provided to enable the DPO to meet their obligations

GDPR accountability principle: Data protection impact assessments
A DPIA must be carried out when:
- using new technologies; and
- the processing is likely to result in a high risk to the rights and freedoms of individuals

Data protection impact assessments
High risk includes:
- systematic & extensive processing, including profiling and where decisions have legal or significant effects on individuals
- large-scale processing
- data relating to criminal convictions or offences

Data protection impact assessments
Should include:
- Description of the processing operations and purposes, including legitimate interests
- Assessment of the necessity and proportionality of the processing in relation to the purpose
- Assessment of the risks to individuals
- Measures in place to address risk & to demonstrate your compliance

Data protection impact assessments: suggestion
Consider adopting a DPIA on all IT, operational & business development projects as best practice: privacy by design.

Breach notification

GDPR & notification of breach
Must notify the supervisory authority of a breach likely to result in a risk to the rights and freedoms of individuals, and in some cases the individuals affected, for example:
- damage to reputation
- financial loss
- loss of confidentiality
- any other significant economic or social disadvantage
Report these breaches within 72 hours.

GDPR & notification of breach
REMEMBER! Failure to notify a breach when required to do so may result in a fine of up to 17 million or 4% of global turnover.

Data Protection Bill 2017

UK Data Protection Bill 2017 The Bill is a complete data protection system, so as well as governing general data covered by GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Bill exercises a 208 number of

agreed modifications to 1 20 18 GDPR to make it work for the the benefit of the UK in areas such as academic research, financial services and child protection. Department for Digital, Culture, Media & Sport

UK Data Protection Bill 2017
Implements the GDPR standards across all general data processing
Provides clarity on the definitions used in the GDPR in the UK context
Ensures that sensitive health, social care and education data can continue to be processed, so that confidentiality in health and safeguarding situations can be maintained
Provides appropriate restrictions to the rights to access and delete data, to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes
Sets the age from which parental consent is not needed to process data online at 13

Key GDPR derogations in the Bill
Allows the processing of sensitive and criminal conviction data in the absence of consent where justification exists, including allowing employers to fulfil obligations of employment law and to support insurance processing.

Top Ten Tips
1. Review data protection policies and procedures and ensure that these are compliant with the GDPR. Policies and procedures should include what actions need to happen in the event of a data breach.
2. Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so pay particular attention to personal information stored on servers.
3. Train all staff involved in collecting and processing data. Try to automate as many processes as possible in order to reduce the risk of human error.
4. Be clear about your legal bases for processing data: document and communicate them. Set clear, fair and transparent rules for obtaining customer consent.
5. Don't keep data forever unless it's needed.
6. Have a policy for destroying out-of-date data, and enforce it!
7. Recognise the importance of handling DP complaints as quickly, efficiently and accurately as you would any others.
8. Integrate data protection fully into all business processes. Do not treat this as an add-on or side issue.
9. Ensure that Data Protection and Information Security are seen as priority issues for the Board / senior management. If you're not required to appoint a DPO, ensure that someone in authority is assigned oversight of DP.
10. Treat customers fairly and respect their right to privacy.

Fewer than 250 employees?
ICO Helpline for small organisations: dial 0303 123 1113 and select option 4
Covers: GDPR; current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information; data protection self-assessment tools
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/

Next steps & action plan
What must happen?
When must it happen by?
Names in frames

How will others be engaged (e.g. staff / customers)?
How is success defined and measured?

Knowledge Test
1. The initials GDPR stand for: A. General Data Protection Regime B. General Data Protection Rules C. General Data Protection Regulation D. General Data Protection Requirements
2. When does GDPR come into force? A. 23 February 2018 B. 1 April 2018 C. 25 May 2018 D. 25 December 2018
3. What penalty can GDPR non-compliance result in? A. Fine up to 500,000 or 4% of annual turnover B. Fine up to 10 million or 4% of annual turnover C. Fine up to 17 million or 4% of annual turnover D. Fine up to 500,000 or 4% of annual turnover
4. How many GDPR Principles are there? A. 6 B. 8 C. 11 D. 12
5. Which of the following is a legal basis for processing data? A. Consent B. Compliance with a legal obligation C. Performance of a contract with the individual D. All of the above
6. What is the official title of the "Right to be forgotten"? A. Right to eradication B. Right to erasure C. Right to extermination D. Right to extinction
7. What right entitles an individual to obtain and reuse their personal data for their own purposes across different services? A. Right of data portability B. Right of access C. Right to rectification D. Right to be informed
8. Individuals have the right not to be subject to a decision when ...? A. It is necessary for entering into or performance of a contract between the organisation and the individual B. It is authorised by law C. It is based on explicit consent D. It is based on automated processing
9. What does DPIA stand for? A. Data Protection Implementation Assessment B. Data Protection Impact Assessment C. Data Protection Implications Assessment D. Data Protection Imperfection Assessment
10. Under GDPR, within how many hours does a notifiable breach have to be reported to the ICO? A. 24 B. 48 C. 72 D. 96

Answers
1. The initials GDPR stand for: A. General Data Protection Regime B. General Data Protection Rules C. General Data Protection Regulation D. General Data Protection Requirements
2. When does GDPR come into force? A. 23 February 2018 B. 1 April 2018 C. 25 May 2018 D. 25 December 2018
3. What penalty can GDPR non-compliance result in? A. Fine up to 500,000 or 4% of annual turnover B. Fine up to 10 million or 4% of annual turnover C. Fine up to 17 million or 4% of annual turnover D. Fine up to 500,000 or 4% of annual turnover
4. How many GDPR Principles are there? A. 6 B. 8 C. 11 D. 12
5. Which of the following is a legal basis for processing data? A. Consent B. Compliance with a legal obligation C. Performance of a contract with the individual D. All of the above
6. What is the official title of the "Right to be forgotten"? A. Right to eradication B. Right to erasure C. Right to extermination D. Right to extinction
7. What right entitles an individual to obtain and reuse their personal data for their own purposes across different services? A. Right of data portability B. Right of access C. Right to rectification D. Right to be informed
8. Individuals have the right not to be subject to a decision when ...? A. It is necessary for entering into or performance of a contract between the organisation and the individual B. It is authorised by law C. It is based on explicit consent D. It is based on automated processing
9. What does DPIA stand for? A. Data Protection Implementation Assessment B. Data Protection Impact Assessment C. Data Protection Implications Assessment D. Data Protection Imperfection Assessment
10. Under GDPR, within how many hours does a notifiable breach have to be reported to the ICO? A. 24 B. 48 C. 72 D. 96

Thank you!
Richard Galley, Senior Associate
Searchlight Insurance Training
Riverbridge House, Guildford Road, Leatherhead, Surrey KT22 9AD
Telephone 01372 361177
Mobile 07712 789187
Mail [email protected]
www.searchlightsolutions.co.uk
