3. ICO, Controllers, Processors & Subjects
Processing: obtaining, recording, storing, accessing, transmitting, disclosing, sharing, using, consulting, manipulating etc.
Information Commissioner's Office (ICO): the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It regulates, audits, investigates, issues penalties and fines etc.
4. ICO, Controllers, Processors & Subjects
Data Controller: any entity (i.e. organisation, person etc.) which determines the manner and purpose for which personal data is processed.
Data Processor: service providers, or other group companies, who provide a service using personal data on behalf of a Data Controller.
Data Subject: staff, students, learners, suppliers, consultants, agents etc.
5. Overview
Where does it come from? ‘How do we collect data’
What do we do with it? ‘How do we process and store data’
Where does it go? ‘Who do we share data with’
#CyberSafeLambeth | @IntegrateUK
6. GDPR Article Flow
Article 24 – Responsibility of the Controller
consider: Article 6 – Lawfulness of Processing; Article 7 – Condition for Consent; Article 6 – Contract
Rights of the Data Subject:
Article 12 – Transparent information
Article 13 – Information to Be Provided (Privacy Statement)
Article 14 – Information to be Provided
Article 15 – Right of Access
Article 16 – Right to rectification
Article 17 – Right of Erasure ‘To Be Forgotten’
Article 18 – Right to Restriction of Processing
Article 19 – Notification Obligation
Article 20 – Right to Data Portability
Article 21 – Right to Object
Article 22 – Automated Decision Making & Profiling
Article 9 – Special Categories
consider: Point of Data Capture; Data Type; Data Storage & Processing
Article 32 – Security of processing; Article 35 – Privacy Impact Assessment; Article 25 – Privacy by Design / Default
Processor: Article 28 – Processor
consider: Hosted / On Premise
Article 13 – Privacy Statement
7. GDPR Article Flow – Evidence
Article 5(2): ‘The controller shall be responsible for, and be able to demonstrate compliance’
8. GDPR Article Flow – Evidence
Article 30: ‘Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility’
10. GDPR Content Breakdown
173 Recitals of explanatory text
11 chapters covering 99 Articles:
General provisions
Data protection principles
Rights of the data subject
Obligations on controllers and processors
Transfer of personal data to third countries or international organisations
Independent supervisory authorities
Cooperation and consistency between member states
Remedies, liability and penalties
Provisions relating to specific processing situations
12. GDPR General Provisions – Article 5(2)
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The onus is on data controllers & processors to demonstrate compliance:
Review all contracts
Review Privacy Statement (web and paper)
Joint responsibility throughout the supply chain
Both must have robust security measures – regularly tested and certified
Processors must report breaches to controllers and must assist with investigations
Both could be subject to penalties.
14. Principles – Article 5
Personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, (‘accuracy’);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
17. Rights of the Data Subject
“You were involved in a road traffic accident in the last 2 years”
18. Rights of the Data Subject
19. Privacy – Privacy procedures: what changes are needed?
There is no one-size-fits-all: the content of these procedures should be based on an organisation’s processing operations and current risk processes and procedures.
You will need to consider how these requirements will be met in the HR context and document the measures taken to ensure compliance in each case.
The GDPR introduces new privacy concepts and requirements, for example:
1. Privacy by design and default
2. DPIAs
3. New data subject rights
4. Mandatory breach notification
20. Rights of the Data Subject – Data Subject Rights
Information (Articles 13 and 14)
Access (Article 15)
Rectification (Article 16)
Erasure (right to be forgotten) (Article 17)
Restrict processing (Article 18)
Data portability (Article 20)
Object to processing (Article 21)
Automated decisions and/or profiling (Article 22)
21. Rights of the Data Subject – Right of Access (Article 15)
The right exists now, but the response time is reduced to 1 month, down from 40 days – it can be extended if the request is complex.
Can no longer charge £10 for processing – but can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Responses must provide context as to why the data is held.
22. Rights of the Data Subject – Right to Rectification (Article 16)
Must be actioned within 1 month.
23. Rights of the Data Subject – Right to Erasure (Article 17)
Does not provide an absolute ‘right to be forgotten’ but allows for personal data to be erased and processing to be prevented in specific circumstances:
Where the data is no longer necessary in relation to the purpose for which it was originally collected/processed
When the individual withdraws consent
The data was unlawfully processed (i.e. otherwise in breach of the GDPR)
The data has to be erased in order to comply with a legal obligation
Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if processing causes damage or distress, this is likely to strengthen the case for erasure.
24. Rights of the Data Subject – Right to Restrict Processing (Article 18)
Accuracy is contested
Unlawful processing
No longer required but opposes erasure
Objects to processing (Article 21(1))
26. Rights of the Data Subject – Right to Data Portability (Article 20)
Allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to data portability only applies:
To personal data an individual has provided to a controller;
Where the processing is based on the individual’s consent or for the performance of a contract; and
When processing is carried out by automated means (not paper).
Data must be available within 1 month of the request.
27. Rights of the Data Subject – Right to Object (Article 21)
Right to prevent direct marketing
Immediate effect upon receipt
No exemptions or grounds to refuse
28. Rights of the Data Subject – Right to Prevent Automated Decision-Making and Profiling (Article 22)
Individuals have the right not to be subject to a decision when:
It is based on automated processing; and
It produces a legal effect or a similarly significant effect on the individual.
Must ensure that individuals are able to:
Obtain human intervention;
Express their point of view; and
Obtain an explanation of the decision and challenge it.
The right does not apply if the decision:
Is necessary for entering into or performance of a contract;
Is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
Is based on explicit consent (Article 9(2)).
29. Rights of the Data Subject – Article 22
GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
Performance at work
Economic situation
Health
Personal preferences
Reliability
Behaviour
Location
Movements
Profiling must ensure that appropriate safeguards are in place:
Fair and transparent – providing information about the logic involved, the significance and the envisaged consequences.
Technical and organisational measures in place to enable inaccuracies to be corrected and minimise the risk of errors.
Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
Automated decisions must not:
Concern a child; or
Be based on the processing of special categories of data unless: you have the explicit consent of the individual; or the processing is necessary for reasons of substantial public interest on the basis of State law.
30. Rights of the Data Subject – Subject Access Request Discussion
31. Rights of the Data Subject
(Exemption) – DPA 2018, Schedule 2, Part 3/4 (16) – Protection of the rights of others
(3) In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
(b) any duty of confidentiality owed to the other individual,
(4) For the purposes of this paragraph—
(a) “information relating to another individual” includes information identifying the other individual as the source of information;
ICO Guidance – Access to Information Held in Complaint Files (recommended by the ICO)
1. Not everything in a ‘complaint’ file is the complainant’s personal data; for it to be personal data it must relate to an individual and allow an individual to be identified. Under the DPA individuals have a right of subject access to information about themselves; it does not give a right of access to information about anyone else.
Recital 63 – Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her; that right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property. However, the result of those considerations should not be a refusal to provide all information to the data subject.
32. Rights of the Data Subject
DPA 1998 (Subject Access Code of Practice) – Current Guidance
The Data Protection Act 1998 (DPA) says you do not have to comply with a SAR if to do so would mean disclosing information about another individual who can be identified from that information.
If you have not got the consent of the third party and you are not satisfied that it would be reasonable in all the circumstances to disclose the third-party information, then you should withhold it.
34. The Controller – Responsibilities (Article 24)
Things to consider:
Obliged to implement appropriate technical and organisational controls
Be able to demonstrate that processing is in accordance with the regulation
Appropriate data protection policies and procedures are in place
Must only use processors who provide sufficient guarantees they will comply with GDPR
Must ensure appropriate contracts are in place with processors
Records of processing
Cooperation with supervisory authorities
35. The Processor (Article 28)
Controller shall only use processors providing sufficient guarantees.
Processor shall not engage another party without prior authorisation.
Contracts with processor must be binding and set out:
Subject matter and duration of processing
Nature and purpose
Type of personal data
Categories of data subjects
Obligations and rights of controller
Specific terms to be included in the contract (Article 28)
43. Security and Data Breaches – Article 32
Security of personal data, key measures:
Pseudonymisation and encryption
Confidentiality, integrity, availability and resilience of processing systems and services
Ability to restore availability and access in a timely manner after an incident
Process for regularly testing the measures
Take into account the risks of:
Accidental/unlawful destruction
Loss
Alteration
Unauthorised disclosure of, or access to, personal data
44. Mandatory Breach Notification – Article 33/34
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
GDPR introduces a duty on all organisations to report within 72 hours certain types of data breach to the ICO, and in some cases to the individuals affected:
Where a breach is likely to result in a high risk to individual(s) they must be notified directly.
A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
Must review our internal reporting procedures and training
Must maintain records of reports and investigations
45. Privacy by Design – Article 25
Privacy Impact Assessments for all new systems or processes where personal data is processed
Regular risk assessments
Documented mitigation – how is it justified?
Justification for accepting risk
Identify all overseas processing
Review contracts
Determine the supervising authority (local ICO equivalents)
Pseudonymous data
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified.
GDPR explicitly encourages organisations to consider pseudonymisation as a security measure.
It can allow organisations to satisfy their obligations of "privacy by design" and may be used to justify processing that would otherwise be deemed "incompatible" with the purposes for which the data were originally collected – could help with the legitimate interest problem.
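The pseudonymous-data point above (data amended so nobody is identifiable without a "key" that allows re-identification) is easier to reason about with a concrete implementation. The following is an added example, not code from the deck or from Integrate UK: it replaces the direct identifiers of a constructed, fictional HR export with keyed HMAC tokens, keeps the key and the token-to-identity table with a separate custodian object (standing in for a separately controlled system), and then checks the quasi-identifiers that remain, because tokenising names does not stop a row being singled out indirectly. Field names, sample rows and the k threshold are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample HR export (fictional people; not data from the deck).
RAW_RECORDS: List[dict] = [
    {"staff_id": "S1001", "name": "Alex Example", "dept": "Finance", "band": 3, "sickness_days": 2},
    {"staff_id": "S1002", "name": "Bo Example",   "dept": "Finance", "band": 3, "sickness_days": 0},
    {"staff_id": "S1003", "name": "Cy Example",   "dept": "Estates", "band": 2, "sickness_days": 5},
    {"staff_id": "S1004", "name": "Di Example",   "dept": "Finance", "band": 3, "sickness_days": 1},
]

DIRECT_IDENTIFIERS = ("staff_id", "name")  # fields replaced by tokens (assumed field names)
QUASI_IDENTIFIERS = ("dept", "band")       # fields that may identify indirectly


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC-SHA256, truncated to 16 hex chars).

    Same value + same key -> same token, so the analytics copy stays joinable.
    Without the key a token cannot be recomputed from a guessed value, so the
    key (held by the custodian) is the only route back to the individual.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class KeyCustodian:
    """Holds the pseudonymisation key and the token -> original lookup.

    In a real deployment this lives with a separate team or system from the
    pseudonymised copy; here it is just a separate object to make the split visible.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        token = pseudonym(value, self.key)
        self._lookup[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token; only possible for whoever holds this table."""
        return self._lookup.get(token)


def pseudonymise(records: Iterable[dict], custodian: KeyCustodian,
                 fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Return copies of the records with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = custodian.tokenise(str(copy[field]))
        out.append(copy)
    return out


def small_groups(records: Iterable[dict], fields: Tuple[str, ...] = QUASI_IDENTIFIERS,
                 k: int = 2) -> Dict[tuple, int]:
    """Quasi-identifier combinations shared by fewer than k records.

    Such rows can still be singled out (e.g. the only band-2 person in Estates)
    even though name and staff_id are tokenised, so they need generalising or
    suppressing before the copy is treated as pseudonymous rather than identifying.
    """
    counts = Counter(tuple(rec.get(f) for f in fields) for rec in records)
    return {combo: n for combo, n in counts.items() if n < k}


if __name__ == "__main__":
    custodian = KeyCustodian()
    safe = pseudonymise(RAW_RECORDS, custodian)
    for row in safe:
        print(row)
    print("re-identified by custodian:", custodian.reidentify(safe[0]["staff_id"]))
    print("indirectly identifiable groups:", small_groups(safe))
```

Running the script prints the tokenised rows, shows that only the custodian can map a token back to `S1001`, and flags the `("Estates", 2)` combination as a group of one, which is the indirect-identification case the slide's "directly or indirectly" wording covers.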
46. DPIA – Article 35
Privacy Impact Assessments for all new systems or processes where personal data is processed
Regular risk assessments
Documented mitigation
Justification for accepting risk
48. Data Breach – Article 33/34
Article 33: The data controller shall without undue delay and, where feasible, not later than 72 hours notify the supervisory authority of a personal data breach.
Exception: when the data breach is not high risk to the data subject.
When notification is not made within 72 hours, this shall be accompanied with reasons for the delay.
Article 34: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
50. Fines – Article 83
This will probably open us up to more access requests and more complaints.
Fines up to €20 million or 4% of global turnover for a data breach (deliberate or accidental loss)
Fines up to €10 million or 2% of global turnover for non-compliance of processing records or non-appointment of a Data Protection Officer
52. Road to Compliance
1. Awareness – decision makers and key people
2. Information – document what you hold
3. Communicating privacy information – privacy notices
4. Individuals’ rights – facilitate data subject rights
5. Subject access requests – update procedures
6. Legal basis for processing – identify and document
7. Consent – review how you obtain and record consent
8. Children – review consent processes for minors
9. Data breaches – processes for detecting and reporting
10. Data protection by design and DPIA
11. Data protection officers – appoint one if required
12. International transfers – ensure appropriate legal basis
53. Actions Required – Information Audit
Worksheet columns: WHAT (Type), WHO, Source, WHY, Legal Basis, WHEN (Originally / Updated), Retention Period, Determined by, WHERE
WHO – WHAT (Type):
Current staff member: Name, Address, Contact Details, Health Details, CV, Reference, CRB Check, Passport Details, Work Permit, Appraisals, Annual Leave, Disciplinary, Tax/NI, Bank Account, Pension Details
Emergency Contact: Name, Contact Details
Existing Students: Names, Address, Email, Mobile, Phone
Potential Students: Names, Address, Email, Mobile, Phone
Enquiries: Names, Email
Source:
Individual; Third Party; Third Party; Individual; Individual/Third party; Individual/Third party; Individual; Individual/Third party; Individual/Third party; Individual; Not Sure – Find out; Individual/Third Party; Individual; Individual; Not Sure – Find out
WHY:
Staff Admin; Direct Marketing
Legal Basis:
Contract; Legal Obligation; Legal Obligation; Legitimate Interests – Staff Management; Contract; Contract; Contract; Vital Interests; Consent; Consent
WHEN – Originally:
Pre-Appointment; Not Sure – Find out; Appointment; Pre-Appointment; At the time; At Request; At the time; Appointment; Appointment; First Contact; First Contact; Web Enquiries
WHEN – Updated:
As required; Never; Never; Not Sure – Find out; Not Sure – Find out; Annually; Not Sure – Find out; Not Sure – Find out; As required; When notified; Annual Enrolment; Not Sure – Find out; Not applicable
Retention Period:
Termination of Employment + 6; Copy not retained, record of number only; Termination of Employment + 6; 3 years; End of Financial year + 6; Not Sure – Find out; Termination of employment + 70; Until staff leave; End of relationship unless enrolled in Alumni or consent withdrawn; End of relationship or consent withdrawn; Not Sure – Find out
Determined by:
Employment Law/Limitation Law; CRB Code of Practice; Standard Practice; Tax Law; Employment Law; Duty of Care?; Data Protection; Data Protection; Data Protection; Not Sure – Find out
WHERE:
HRMIS hosted on premise, NCG Data Centre; HRMIS hosted on premise, NCG Data Centre; Held on a 3rd party cloud server hosted in the US; NCG Finance System hosted on premise, NCG Data Centre; Not Sure – Find out
54. GDPR Article Flow