Lecture 9 - Legislation Flashcards

1
Q

What is GDPR?

A

General Data Protection Regulation (2018) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).

  • Personal data is any information that can identify a specific individual, e.g. ethnic group, health, religious views, criminal record (including allegations), sexual orientation, or genetics.
  • Processing data means collecting, structuring, organising, using, storing, sharing, disclosing, erasing and destroying data. Each organisation that processes personal data (which is every organisation with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR.

Implementations of GDPR vary by country because derogations allow for changes in certain scenarios such as national security, crime and legal proceedings. GDPR should be used as a basis for adding extra requirements or exceptions to the regulations.

Although it was passed in Europe, it affects businesses worldwide.

2
Q

What are the data protection laws like in the US?

A

In the US, there is no all-encompassing law regulating the collection and processing of personal data. Instead, data protection is regulated by many state and federal laws.

3
Q

Why will different data protection policies cause conflict?

A

Issues arise around where data is being sent (from one country to another) and where it is being held by multinationals (e.g. Google).

4
Q

Discuss the UK Data Protection Acts.

A

The Data Protection Act is designed to control how personal data can be used and your rights to ask for information about yourself.

Data Protection Act 1984 (DPA) protected individuals from misuse of data by large organisations:
• use of inaccurate/incomplete/irrelevant personal data
• use of personal data by unauthorised persons
• use of personal data for purposes other than those for which it was collected

Data Protection Act 1998 (DPA)
• followed the European Directive on Data Protection 1995
• covers Internet data as well as stored data
• no longer assumes that large organisations are the only possible offenders.

Data Protection Act 2018 (DPA)
• Updates and supersedes the Data Protection Act 1998.
• Supplements the GDPR and refines the application of it in the UK.
• Also covers areas such as law enforcement and intelligence services

5
Q

What is a data controller?

A

A person within an organisation who determines how or why personal data is processed.

6
Q

What are principles of the Data Protection Act 2018?

A

Enterprises must ensure that personal data is:

  1. Processed lawfully, fairly and transparently
  2. Used for specified, explicit, and legitimate purposes
  3. Processed in a way that is adequate, relevant and limited to only the purpose for which it was collected
  4. Accurate and, where necessary, kept up to date
  5. Kept for no longer than is necessary
  6. Handled in a way that ensures appropriate security
7
Q

What is the Data Protection Act 2018?

A

Places further restrictions on what organisations can legally do with personal data.

In essence, the Data Protection Act is the UK’s tailored version of the EU’s General Data Protection Regulation (GDPR).

8
Q

What are the 7 principles of GDPR?

A
  1. lawfulness, fairness and transparency
    - e.g. don’t use medical records for research without permission.
  2. purpose limitation
  3. data minimisation
  4. accuracy
  5. storage limitation
  6. integrity and confidentiality
  7. accountability
10
Q

What are the rights of Data Subjects under GDPR?

A
  • Data rights are QUALIFIED, not absolute because they are balanced against the needs of everyone else.

Individuals’ rights:

  1. right to be informed
  2. right to access
  3. right to rectification (alter inaccurate data, but it doesn’t define what accurate data is)
  4. right to erasure
  5. right to restrict processing
  6. right to data portability
  7. right to object (to processing, e.g. for marketing)
  8. rights in respect of automated individual decision making
11
Q

What is the material scope of GDPR?

A
  • Doesn’t cover all aspects of personal data in the UK, or any outside of the EU.
  • GDPR covers automated processing and structured data on paper etc.
  • Does not apply to foreign policy or freedom of information requests.
  • Doesn’t apply to private individuals.
12
Q

What is the territorial scope of GDPR? (REALLY IMPORTANT)

A

GDPR applies to controllers and processors that are established in the EU, even if the processing occurs outside of the EU.
• The GDPR applies to data subjects that are within the EU even if the controller and/or processor are outside of the EU:
• specifically where activities relate to offering a good or service, whether payment is involved or not.
• behaviour monitoring, where that behaviour is occurring within the European Union.

13
Q

What is a restricted transfer?

A

GDPR restricts the transfer of data to international organisations and countries outside the European Union (EU) and European Economic Area (EEA)

Transfer and transit are not the same.

14
Q

What happens if you want to transfer data from the EU to a non-EEA country?

A

Step 1: Does the country have an adequacy decision?

This is determined by the EUROPEAN COMMISSION (EC), which permits data transfer if the non-EEA country has suitable safeguards in place to ensure data protection:
• protection for data subject rights and freedoms.
• appropriate legal frameworks.

New Zealand and Switzerland have such decisions.

Step 2: If there is no adequacy decision, “appropriate safeguards” should be considered, e.g.:
• a legally binding and enforceable instrument between public authorities or bodies
• binding corporate rules
• an approved code of conduct, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.

Step 3: Exceptions
Exceptions are permitted but must be interpreted narrowly, in line with European Data Protection Board guidance, e.g.:
• a restricted transfer necessary in the public interest.
15
Q

What should the 7 principles of data protection be considered as?

A

North star that guides the ship in the EU!

Outline guidelines for best practice when designing a system in the EU.

16
Q

Why was GDPR introduced?

A

It was introduced to standardise data protection law across the single market and give people in a growing digital economy greater control over how their personal information is used.

17
Q

Describe GDPR principle 1. “Lawfulness, fairness and transparency”

A
  • Be clear and transparent about how data is being used, and have a valid reason for collecting and processing the data.
  • Prevents data being used in unexpected or detrimental ways, e.g. being sold for marketing purposes.
18
Q

What is the 2nd principle of GDPR “purpose limitation” about?

A

Data collected for one purpose may not then be used for another. The purpose must be clearly documented from the outset.

E.g. for marketing:

If you have a contract with an individual to provide financial advice, it may be in their interests to share upcoming market predictions, but this could be classed as an addition to your service.

19
Q

What is the 3rd principle of GDPR “data minimisation” about?

A

Only the Personal Data actually needed to achieve the Data Subject’s intended purpose may be collected.

Personal Data should be adequate, relevant and limited to what is absolutely necessary. For example, if a Data Subject’s marital status isn’t relevant to the contracted financial advice you’re carrying out, there’s no reason for you to collect and store it.

Where necessary, it’s important that Personal Data is kept up-to-date. Every reasonable step should be taken to erase or correct inaccurate data.

Organisations absolutely cannot collect data on a ‘just in case it becomes useful’ basis. Think carefully about what you might want Personal Data for, and ensure you get the individual’s informed consent for anything you might want to do with their data in the future.

20
Q

What is the 4th principle of GDPR “accuracy” about?

A

A Data Controller is anyone who collects, stores or determines how Personal Data is or will be used.

This principle states that they are responsible for taking reasonable steps to ensure Personal Data is accurate and up-to-date.

21
Q

What is the 5th principle of GDPR “storage limitation” about?

A

Data should not be kept longer than necessary, and the ‘right to be forgotten’ should also be considered.

The ‘right to be forgotten’ is the right of a Data Subject to have their data completely removed by the Data Controller.

With regard to financial advice however, legal requirements for retention can deem the retention necessary. If an individual requested to be forgotten, and then attempted to make a legal claim against you in the future, you need to have proof of the business you performed for them.

Get specific advice from your compliance adviser on this and how it relates to your particular business, to see where you stand legally.

Retention should also be periodically reviewed.

22
Q

What is the 6th principle of GDPR “integrity and confidentiality” about?

A

Controllers are also responsible for the security of the data they collect. This also includes the security of the data when it’s being processed by a third party as well as by yourself.

Security refers to both external and internal threats. This could be external hackers, or inadequately trained internal staff.

Security of both electronic and physical records is required.

23
Q

What is the 7th principle of GDPR “accountability” about?

A

The Data Controller (ie. organisation supported by management) is responsible for compliance with all seven of the Data Protection Principles and must be able to demonstrate that the appropriate measures have been adopted to ensure compliance.

24
Q

What are the 8 principles of the UK Data Protection Act?

A
  1. Adequacy
  2. Rights
  3. International transfers
  4. Security
  5. Retention
  6. Accuracy
  7. Fair and lawful
  8. Purposes
26
Q

What is the difference between the UK Data Protection Act (DPA) and GDPR?

A

The DPA is built on similar principles to GDPR, but the DPA includes some additional requirements and safeguards that wouldn’t usually be included.
For example, immigration is considered under the DPA, but organisations are required to keep documentation to prove that the controller is complying with the data protection principles and the policies for the retention and erasure of the data in question.

The DPA exempts groups that process data for national security purposes, and government bodies designated by freedom of information legislation.
This means organisations processing data for the prevention and detection of crime, for example, would be exempt from the GDPR’s provisions around the right to be informed or the purpose limitation principle if it would prejudice the purposes of processing. An example the ICO gives is a bank passing data to the National Crime Agency while investigating financial fraud, and not informing the subject of this sharing of data, as it may prejudice the investigation.

There are also exceptions to data subject rights in certain scenarios, meaning a company can refuse data subject access requests (DSARs). E.g.:
• immigration control
• information in connection with legal proceedings
• regulatory functions relating to legal, health, and children’s services
• price-sensitive corporate finance etc.

DPA minimum age for consent of data is 13, GDPR is 16.

The DPA also stipulates that the ICO shall produce codes of practices to provide guidelines on how companies can stay compliant when processing data in specific scenarios and/or industries.

27
Q

How are the DPA and GDPR similar?

A

GDPR 1. lawfulness, fairness and transparency = DPA fair and lawful

GDPR 2. purpose limitation = DPA purposes

GDPR 3. data minimisation = DPA adequacy

GDPR 4. accuracy = DPA accuracy

GDPR 5. storage limitation = DPA retention

GDPR 6. integrity and confidentiality = DPA security

Others:
GDPR 7. accountability
DPA: rights
DPA: international transfers

Rather than seeing this as a separate set of requirements, companies should look at the DPA – and any other local implementations of GDPR with their own derogations – as simply another process to build into their local GDPR compliance efforts.

28
Q

What are the 8 Data Subject rights?

A

The right…

  1. to be informed
  2. of access
  3. to rectification
  4. to object to processing
  5. in relation to automated decision making and profiling
  6. to erasure (to be forgotten)
  7. to data portability
  8. to restrict processing
29
Q

What do we mean by data protection by design and default?

A

In the context of the EU, we are talking about the union of the principles and the rights of the data subjects.

It steers and accommodates the rights of data subjects: clearly communicate what data we’re collecting, etc. In terms of rights, we think of the right to be informed (telling them and making it clear what is being used) and the right to restrict processing, which we can support by building features and structures into our processes.

30
Q

What

A

The US, UN and EU have laws that state that individuals have a reasonable expectation of privacy, but it’s qualified because it can be broken in a systemic way if approved in your jurisdiction.

31
Q

What is a processor?

A

……

32
Q

Something to note from LinkedIn

A

In accordance with GDPR, where a data Processor, in breach of the GDPR, determines the purposes and means of any processing activity, that Processor is treated as a Controller in respect of that processing activity. Organisations should be cautious of this provision. In principle, any time they process personal data in their acquiring activity, they may be qualified as a Controller, and thus subject to the full compliance obligations of a Controller in relation to that processing during the acquiring activity.