Data Protection Flashcards

1
Q

What legislation covers data protection?

A

The principal law regulating the use of personal data is the EU’s General Data Protection Regulation (GDPR), which has direct effect across all EU member states. In the UK, the Data Protection Act 2018 (DPA) covers processing that does not fall within EU law, for example relating to immigration and national security. Both the GDPR and the DPA became effective on 25 May 2018, representing the biggest change to UK data protection law for a generation. They were introduced out of the need to give individuals more control over how their personal data is used in an ever-emerging digital economy and to standardise the law across the EU.

2
Q

What data does your company have?

A

During the course of our business activities we collect, process and store personal data. This includes details of current, past and prospective employees, clients, suppliers and others that we communicate with. This information, which may be held on paper, on computer or on other media, is subject to a number of items of legislation relating to personal data.

3
Q

What is personal data?

A

In order to understand our obligations relating to data protection, we need to understand what constitutes personal data. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Source: Article 4 GDPR)

4
Q

Who ensures compliance?

A

Our nominated Data Protection Officer (DPO) is CP.

The DPO is supported by a core team who provide assistance with a number of different areas relating to the protection of information and who can help with queries.

Don’t forget - it is everyone’s responsibility to protect our client and employee data. You will be required to complete eLearning modules on Protecting Data and Information Security to demonstrate your understanding of these topics.

5
Q

What are the penalties for non-compliance?

A

The Information Commissioner’s Office (ICO) is able to impose fines of up to €20,000,000 or 4% of global turnover for certain infringements of data protection law, with less serious infringements attracting fines of up to €10,000,000 or 2% of global turnover.

Even if a company is based outside of the EU, it can be fined for any data breach involving the details of EU citizens. Hotel company Marriott International was fined £99m for a security breach in November 2018 which resulted in more than 339 million guest records being exposed to hackers, of which 30 million were EU citizens. The ICO issued the fine the same week that it levied a £183m fine against British Airways for exposing payment details and personal information of 500,000 customers.

While our firm is not a large international company, it must protect the data it holds in the same way that these global giants are expected to, or risk fines of up to 4% of our turnover - more than £1m based on our revenue in 2019. Think how much effort our employees put in to make £1m in client fees!

6
Q

10 tips to comply with GDPR

A

Prepare diligently to ensure compliance

Assess any privacy risks inherent in business processes/activities

Involve IT support to make appropriate changes

Provide staff training and support on data security

Appoint a Data Protection Officer if required by GDPR

Ensure you have adequate systems to deal with a breach and subsequent notification to the ICO (within 72 hours)

Do your systems comply with all GDPR principles, including the right to be forgotten?

Update your internet security, e.g. virus protection, including on desktops, laptops and mobile phones

Ensure any data already held is up to date and compliant with GDPR

Can you release personal data promptly if a subject access request is made?

7
Q

How do the DPA and the GDPR differ?

A

Accountability to ensure that data is kept in accordance with the principles of GDPR

Tougher penalties for non-compliance

Wider definition of personal data

Non-EU organisations holding EU-related personal data will need to comply

Parental consent required for holding personal data of under-16s

Active consent must be required to hold data, i.e. silence does not equal consent

Data breaches must be notified to ICO within 72 hours of awareness, unless exceptional circumstances apply

Risk-based reviews (Privacy Impact Assessments) must be undertaken for high risk activities

Right to be forgotten introduced

Requirements for electronic data portability if a data request is submitted

Compliance/privacy by design must be included within systems and processes, including staff training and contractual clauses

Additional liabilities placed on both data controllers and processors

8
Q

GDPR KEY PRINCIPLES

A

Processed lawfully, fairly and in a transparent manner in relation to individuals

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

9
Q

What are individuals’ rights under the GDPR?

A

Right to be informed

Right of access

Right to rectification

Right to erasure

Right to restrict processing

Right to data portability

Right to object

Rights in relation to automated decision making and profiling