ICO - preparing for GDPR

1. Preparing for and complying
with the GDPR
Andrew Rose, Senior Policy Officer, ICO
Leeds
January 2017

2. Contents
• Demonstrating compliance
• Role of the DPO
• Responsibilities of controllers and processors
• Breach notification
• Preparation and further information

3. Chapter I: Key definitions
and scope of Act.
Chapter II: Contains the data
protection principles, covers the
bases (equivalent of DPA
conditions) for processing and
outlines the special categories of
data.
Chapter VI: – Sets out the
powers and duties of
supervisory authorities.
Chapter IV: – Outlines the
responsibilities of data controllers and
processors (including security), for
example around breach notification and
employing Data Protection Officers.
Chapter III: Sets out the Rights of the
Data Subject (similar to part II of DPA).
Chapter VIII: – Outlines the right to
Judicial remedy and conditions for
imposing penalties.
Chapter VII: Covers co-operation and
consistency between different
supervisory authorities.
Chapter V: International
transfers.
Chapter IX: Sets out provisions
relating to specific processing
situations.
Chapter X: Delegated acts
and implementing acts.
Chapter XI: Final
provisions.
GDPR contents

4. Demonstrating compliance
• The controller shall be responsible for,
and be able to demonstrate compliance
with the Principles (Art 5(2))
• The requirement to
appoint a data protection
officer
• Data protection by design
and default
• Codes of conduct
• Certification schemes
• The requirement to implement
appropriate technical and
organisational measures
• Maintaining records on processing
activities
• Data protection impact
assessments

5. To maintain relevant records
on processing (Art 30).
To implement appropriate
technical and organisational
measures (Art 24).
Demonstrating compliance

6. Role of the DPO (Arts 35-37)
•Inform and advise the organisation about its
obligations to comply with the GDPR
•Monitor compliance with the GDPR, including
managing internal data protection activities
•Provide training to staff, advise on data protection
impact assessments and conduct internal audits
•First point of contact for supervisory authority
Responsibilities
•Directly report to the highest management level of the
controller or processor
•Not be given instructions on how to carry out duties
and can’t be dismissed for carrying out duties
•Can combine duties if no conflict of interest
•Be contactable by data subjects
•Be provided with necessary resources
Position

7. Role of the DPO
Appointed on the basis of
professional qualities :-
• Expert knowledge of DP
• Ability to fulfil tasks
Can be a staff member or
contracted
May be designated to act for
several authorities depending on
size and structure

8. Demonstrating compliance
Lawfulness of processing
(Art 6).
Processing special categories
of personal data (Art 9).

9. Responsibilities of
controllers and processors
Security responsibilities
Arts (32-34)
Pseudonymisation and encryption –
specifically mentioned as security
measures.
You must be able to ensure the
confidentiality, integrity, availability
and resilience of your systems.
The ability to restore the availability of
and access to data in a timely
manner.
Have a process to test, assess and
evaluate the effectiveness of the
measures you have in place.

10. Responsibilities of
controllers and processors
Joint controllers
(Art 26)
Transparently determine respective
responsibilities
• Compliance with regulations
• Exercising rights of data subjects
• Provide information required for
Arts 13&14
DS can exercise rights against each
controller

11. Responsibilities of
controllers and processors
Processors
(Art 28)
Processors must provide sufficient
guarantees that processing will:
• Meet the requirements of the
regulation
• Ensure the protection of the rights
of the data subject
No sub-processors without specific
agreement of controller
Processing subject to contract

12. Responsibilities of
controllers and processors
Contracts
(Art 28 (3))
Binding contract to cover:
• Process data only on instructions of
controller
• People authorised to access data
are subject to confidentiality
• Ensure security of processing
• Assist the controller in complying
with data subjects rights (where
possible)
• Assist the controller with regard to
security measures, breach
reporting and DPIAs

13. Mandatory to report to ICO where likely to result in a risk to the rights
and freedoms of the individual.
Without undue delay and no later than 72 hours of discovery (can add
detail later).
Risks include: -
• Loss of control of personal data
• Discrimination
• Identity theft
• Financial loss
• Damage to reputation
• Loss of confidentiality
Breach reporting (Arts 33-34)

14. What can you do to prepare?
• Published guidance
• 12 steps
• Overview of the GDPR
• Privacy notices code of
practice
• A29 guidance
• Right to data portability
• DPOs
• Identifying a lead
supervisory authority
https://ico.org.uk/for-organisations/data-protection-reform/

15. What’s the ICO doing?
• Working with DCMS
and A29
• Further guidance
• Internal change
programme

16. !?
How the ICO can help
• Guidance:
www.ico.org.uk
• Helpline:
0303 123 1113