Need help with GDPR? Pick what would help the most.

As part of the Jersey Business GDPR workshops we will explain GDPR and offer a practical outcome in the form of a worked example for your business. Which of the following would be most useful to your organisation?

A worked example of…

1.       A Privacy Notice

2.       A Subject Access Process, Flowchart and Form

3.       A Breach Notification Process, Flowchart and Form

4.       A Data Sharing Agreement (for sharing data between two controllers)

5.       A Controller/Processor Agreement (for outsourcing data processing)

6.       A due diligence checklist, to help you ensure suppliers compliance

7.       A Data Processing Impact Assessment, to help you understand the risks and measures

The next Jersey Business GDPR workshops will be in November and December and due to their success we are planning well into 2019 too.

You may not be the one to know if you have been hacked.

In a recent article in The Register online bank Monzo said it warned Ticketmaster that something weird was going on in early April, two months before the ticket-slinging giant revealed its payment pages had been hacked.

According to Monzo, 50 customers had complained on April 6 that someone had hijacked their bank cards and spent their money – and 35 of them, or 70 per cent – had used Ticketmaster.

https://www.theregister.co.uk/2018/06/28/ticketmaster_monzo_inbenta/

The Ticketmaster cyber-break-in is the first major computer security breach since Europe's GDPR came into effect on May 25, so close attention will be paid on whether Ticketmaster complied with the regulation relating to breach notification and adequate security.

KEY ACTIONS YOU SHOULD TAKE

1. Make sure you have Data Processing Impact Assessments – if you have any risks or any doubts use a DPIA as an opportunity to think about the measures to mitigate or transfer risk.

2. Make sure you have good vendor due diligence – ensure the people you share data with are reliable and secure. Check their credentials, certifications and policies.

3. Make sure you have necessary Controller-Processor Contracts and Data Sharing Agreements – this should include clauses prescribed by law, plus arrangements for notifying each other and indemnities in case of Breach.

KEEP IN TOUCH

Come and visit
https://gdprjersey.blogspot.com/
Subscribe
https://gdprjersey.blogspot.com/feeds/posts/default

GDPR TRAINING

I am doing a series of workshops at Jersey Business from 8am to 10am so maybe you’d like to come to these
Wednesday 4th July
Wednesday 1st August
Wednesday 5th September
Wednesday 3rd October
Wednesday 7th November
Wednesday 5th December

GDPR TOOLKIT

I also provide bespoke training for organisations (£100/hour for businesses and £70/hour for Charities) If you don’t have all the necessary tools, training, templates, policies and procedures I provide a GDPR toolkit (£375 for Charities, £750 for businesses) If you use the link you can see both the contents and samples
http://www.adaptconsultingcompany.com/gdprtoolkit/

GDPR Jersey Update July 2018

GDPR Jersey Update
https://gdprjersey.blogspot.com/

From January 2018 I provided a lot of free presentation, guidance and training for the Association of Jersey Charities. I then set-up a GDPR Toolkit of policies, procedures and paperwork ready to use. More recently I have been providing monthly workshops for SMEs at Jersey Business.

The blog GDPRJersey was originally set-up to provide a Question and Answer service. You email me a question and I anonymise the details and offer guidance and links in a response that can benefit others too.

We’ve long since passed 25 May start-line for GDPR but it is clear that people are struggling with the implementation and some of the court decisions have implications that few anticipated.

For example
Facebook fan page case leads to new understanding of “joint controllers” concept
http://blog.pritchettslaw.com/2018/06/facebook-fan-page-case-leads-to-new.html

With this in mind, I am re-starting GDPRJersey. You can view the blog or subscribe to it so that you get a notice when-ever there is an update. If you want to ask a question email me at timhjrogers@gmail.com and I will write an article on that subject. You are also able to add comments to any article.

I also welcome lawyers, consultants, technology experts and others to submit articles or comments in an effort to improve knowledge and understanding. I think this will improve our community as a whole.

Be aware, that Blogger does track some data – I don’t know your name, email or anything about you (unless you choose to include that in comments that you post). However, Blogger knows you visited and that’s how it tells me whether I have 10 views or 10,000 views.

Come and visit
https://gdprjersey.blogspot.com/
Subscribe
https://gdprjersey.blogspot.com/feeds/posts/default

GDPR TRAINING

I am doing a series of workshops at Jersey Business from 8am to 10am so maybe you’d like to come to these.
Wednesday 4th July
Wednesday 1st August
Wednesday 5th September
Wednesday 3rd October
Wednesday 7th November
Wednesday 5th December

GDPR TOOLKIT

I also provide bespoke training for organisations (£100/hour for businesses and £70/hour for Charities) If you don’t have all the necessary tools, training, templates, policies and procedures I provide a GDPR toolkit (£375 for Charities, £750 for businesses) If you use the link you can see both the contents and samples
http://www.adaptconsultingcompany.com/gdprtoolkit/

Thoughts on Special Category Data v Confidential Data

The GDPR mentions Personal Data and Special Category Data

PERSONAL DATA: Name; Email; Address; Phone

SPECIAL CATEGORY DATA: Ethnic Origin; Politics; Religion; Trade Union Membership; Genetics; Biometrics (Where Used For ID Purposes); Health; Sex Life; Or Sexual Orientation.

I have always suggested that organisations should consider a middle Category called Confidential Data

CONFIDENTIAL DATA: SocSec; TaxRef; Passport; Driving Licence; Utility Bills; Bank Account;

I have also advocated perhaps have a RED, AMBER, GREEN approach to how data is classified and handled. This is simplistic, but for example, you might say GREEN can be shared within the organisation, AMBER only by approved persons and RED only by a senior manager under strict controls. This is a very simple approach to Data Processing Impact Assessment, making decisions based on the potential harm to the person.

RED = Special Category Data - likely to have significant negative impact on the data subject
AMBER = Confidential Data - likely to have a negative impact on the data subject
GREEN = Personal Data – unlikely to have a negative impact on the data subject

In Jersey the conditions for processing PERSONAL DATA are as follows
01 Consent
02 Contract
03 Vital interests
04 Public functions
05 Legitimate interests

The key thing about Special Category Data is that there are the conditions for processing special category data. The conditions are listed in Article 9(2) of the GDPR
In Jersey the conditions for processing SPECIAL CATEGORY data are as follows
06 Consent
07 Other legal obligations
08 Employment and social fields
09 Vital interests(subject to certain conditions)
10 Non-profit associations (subject to certain conditions)
11 Information made public
12 Legal proceedings, etc.
13 Public functions
14 Public interest
15 Medical purposes
16 Public health
17 Archiving and research
18 Avoidance of discrimination
19 Prevention of unlawful acts
21 Publication about malpractice and mismanagement
22 Counselling
23 Insurance and pensions: general determinations
24 Insurance and pensions: current processing
25 Functions of a police officer
26 Regulations

The point is that SPECIAL CATEGORY DATA must fit one of the conditions above.

As for CONFIDENTIAL DATA (which is not legally defined) this needs to comply with legal basis, but I would suggest merit a higher level of care, custody and safeguarding.

As noted above, this is what a Data Processing Impact Assessment is about. Ask yourself: Is there are risk? If there is perhaps give the data a special category and special treatment to make sure it is private, safe and secure.

So to be clear the law only talks about PERSONAL DATA and SPECIAL CATEGORY DATA, but I recommend that CONFIDENTIAL DATA is recognised as sensitive and treated accordingly.

Logically I would hope that any business would treat Passport; Driving Licence; Utility Bills; Bank Account; with special care and that is all I am advocating.

USEFUL LINKS

UK Guidance on Special Category Data
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/?template=pdf&patch=152#link19

Jersey Law re Special Category Data
https://www.jerseylaw.je/laws/enacted/Pages/L-03-2018.aspx#_Toc506561306

Working Party 29 Guidance on how to intrepret EU GDPR

Great interview with Claire, the Busy Queen Bee, about GDPR

You can find out about my GDPR Toolkit here
http://www.adaptconsultingcompany.com/gdprtoolkit/

The Regulator's website also has great guidance
https://oicjersey.org/

Be ready for 25 May 2018
Tim 07797762051

What should go into a Privacy Notice?

QUESTON

What should go into a Privacy Notice?

SHORT ANSWER

At the time of collecting their data, people must be informed clearly about at least:

1.      who your company/organisation is (your contact details, and those of your DPO if any);

2.      why your company/organisation will be using their personal data (purposes);

3.      the categories of personal data concerned;

4.      the legal justification for processing their data;

5.      for how long the data will be kept;

6.      who else might receive it;

7.      whether their personal data will be transferred to a recipient outside the EU;

8.      that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);

9.      their right to lodge a complaint with a Data Protection Authority (DPA);

10. their right to withdraw consent at any time;

11. where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

There is guidance here

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-in-practice/

LONG ANSWER

I have answered a few questions on Privacy Notice already and have added a couple of links below for further reading, in order to avoid repetition here.

Based on my own experience so far having worked with a good number of organisations ahead of GDPR coming into force in May I would offer the following advice.

THINK WHY – WHAT IS THE PURPOSE?

Think about the purpose and the people and align everything to these. If the purpose is “club membership for newsletters” then the data gathered and processing should be based on the necessity for “club membership for newsletters”.  If the purpose is “look after the health and wellbeing of customers” then the data gathered and processing should be based on the necessity for “look after the health and wellbeing of customers”.

This keeps things narrow, easy to manage and control. There may be a bias towards “..lets have all their data about everything and then we can do anything…” but this is entirely contrary to GDPR and is the key cultural change that I don’t think people have grasped.

KEY PRINCIPLES

Next make sure each statement in the Privacy Notice meets the key principles. If you remember nothing else, remember the key principles!

Lawfulness, fairness and transparency	Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation	Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation	Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy	Personal data shall be accurate and, where necessary, kept up to date
Storage limitation	Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality	Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability	The controller shall be responsible for, and be able to demonstrate compliance with the GDPR

POSSIBLE HEADINGS

These are some useful headings

1.     About Us And What We Do

2.     About The Service We Provide And Why Information Is Necessary

3.     What Data We Gather

4.     The Roles And Controls Protecting Your Data

5.     Data Sharing Or Disclosure (If You Do Any?)

6.     Location Of Data (Eg Transferred To A Recipient Outside The Eu)

7.     The Legal Basis And Your Rights

Note rights include [1] that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights); [2] their right to lodge a complaint with a Data Protection Authority (DPA); [3 ] their right to withdraw consent at any time; [4] where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

See earlier article “What information must be given to individuals whose data is collected? “

https://gdprjersey.blogspot.com/2018/02/what-information-must-be-given-to.html

SAMPLE PRIVACY NOTICE

If you want a model Privacy Notice then I suspect that the Privacy Notice of the people in charge of Privacy Notices, is probably a good start! Have I look at the regulators Privacy Notice!!

https://ico.org.uk/global/privacy-notice/

However as said many times, if you organisation is not doing what the ICO is doing then your notice doesn’t need to say what the ICO is saying.

See earlier article “I am sharing feedback as a learning exercise for anyone contemplating a Privacy Notice and a stark warning for anyone who simply recycles someone else’ Privacy Notice without thought.”

https://gdprjerseyarticles.blogspot.com/2018/02/read-your-own-privacy-notice-and.html

What information must be given to individuals whose data is collected?

 QUESTION

What information must be given to individuals whose data is collected?

ANSWER

At the time of collecting their data, people must be informed clearly about at least:

1.      who your company/organisation is (your contact details, and those of your DPO if any);

2.      why your company/organisation will be using their personal data (purposes);

3.      the categories of personal data concerned;

4.      the legal justification for processing their data;

5.      for how long the data will be kept;

6.      who else might receive it;

7.      whether their personal data will be transferred to a recipient outside the EU;

8.      that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);

9.      their right to lodge a complaint with a Data Protection Authority (DPA);

10. their right to withdraw consent at any time;

11. where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

See complete list of information to be provided.

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

The information may be provided in writing, orally at the request of the individual when identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.

When data is obtained from another company/organisation, your company/organisation should provide the  information listed above to the person concerned at the latest within 1 month after your company obtained the personal data; or, in case your company/organisation communicates with the individual, when the data is used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data was first disclosed.

Your company/organisation is also required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained  from publicly accessible sources. Under specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your company/organisation may be exempted from the obligation to inform the individual. Please check whether that exemption applies to your company/organisation.

References

Article 12(1), (5) and (7), Articles 13 and 14 and Recitals (58) to (62) of the GDPR

Article 29 Working Party guidelines on transparency

FURTHER ADVICE AND SUPPORT

If you need more specific support (for example a meeting) I know the Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate some resources with various local suppliers. Where necessary grant funding may be available.

http://www.jerseycommunitypartnership.org/

http://www.jerseycharities.org/

USEFUL LINKS

Jersey Data Protection Association

https://jdpa.org.je/

There is a list of Jersey Data Protection events here

https://www.eventbrite.com/d/jersey--saint-helier/jersey-data-protection-association/

For a general understanding of GDPR I highly recommend the guidance of Jersey’s Data Protection Authority

https://thinkgdpr.org/

https://thinkgdpr.org/article/gdpr-guidance/