GDPR - Responsible Technology - 7COM2001-0901-2024 PDF
Document Details
Uploaded by FastestGrowingSwaneeWhistle
University of Hertfordshire
Eric Jukes
Summary
These lecture notes cover the General Data Protection Regulation (GDPR) for responsible technology, focusing on its structure, key articles and concepts. The notes also include a biography of Eric Jukes, who is the lecturer for the module.
Full Transcript
7COM2001-0901-2024 - Responsible Technology
Understanding GDPR
Eric Jukes

A brief (but relevant) biography

1963: first job in the legal profession in a north London solicitors' (lawyers) office. From 1984 to 1989 I worked on an AI expert system for advising on National Insurance and Social Security law and calculating welfare benefits. In 1992 my M.Sc. in 'Knowledge Engineering' – an AI field in expert systems – included my dissertation on legal decision-making. I published two papers on legal decision-making and case-based reasoning (another AI area), one of which is still being cited today. I'm on the committee of the British Computer Society's Specialist Group on AI. Earlier this year I was appointed a Special Reference Group (SRG) Adviser in AI to CILEX (Chartered Institute of Legal Executives).

Aims of these Lectures

To understand GDPR – particularly its Principles of Data Processing (Article 5) and the Rights of the Data Subject (Chapter III, Articles 12 to 23);
To understand GDPR in order to be able to use its structure to assist in answering any questions which you may be asked as a computer professional;
To understand how GDPR (an EU regulation) has been incorporated into UK law through the Data Protection Act 2018 (with some differences);
Remember - GDPR is the General Data Protection Regulation – and NOT Regulations!

Terminology used in the GDPR

Articles and Recitals — GDPR consists of two components: Articles and Recitals. Articles are the legal requirements organisations must follow to demonstrate compliance (there are 99 of them). The nearest UK equivalent is the 'section' of an Act of Parliament (called a 'clause' while the Act is still a Bill). Recitals (there are 173) provide additional information and supporting context to supplement the Articles; they are not themselves binding requirements.
Personal data — any information that relates to an individual who can be directly or indirectly identified (Article 4(1)).
Data processing — any operation performed on personal data, whether automated or manual (Article 4(2)).
Data subject — the identified or identifiable person whose data is processed.
Data controller — the person or organisation that determines why (the purposes) and how (the means) personal data will be processed (Article 4(7)).
Data processor — a separate person or organisation that processes personal data on behalf of a data controller (Article 4(8)).
The GDPR sets out specific obligations for each of these roles (Chapter IV).

GDPR was introduced for several reasons

To protect the privacy of individuals in the digital age. The GDPR was designed to give individuals more control over their personal data and to protect them from unauthorised or unlawful processing of their data.
To create a single, harmonised set of data protection rules across the EU. This was intended to make it easier for businesses to operate across borders and to reduce the risk of data breaches.
To promote trust in the digital economy by ensuring that businesses are transparent about how they collect and use personal data. This is important because consumers are more likely to do business with companies that they trust to protect their privacy.

GDPR - Toughest privacy & security law

From the gdpr.eu website – 'What is GDPR?':
'The GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.'
Denbigh-White, C. (2023) How European privacy regulators are stepping up scrutiny of Business Data Practices, Next DLP. Available at: https://www.nextdlp.com/resources/blog/business-data-practices-under-scrutiny#:~:text=The%20General%20Data%20Protection%20Regulation,to%20people%20in%20the%20EU. (Accessed: 01 October 2023).

But … the UK left the EU … (Brexit)

The Data Protection Act 2018 (DPA 2018) is a United Kingdom Act of Parliament which updated data protection law in the UK and implemented the GDPR into UK legislation. The DPA 2018 "makes provision about the processing of personal data" and says that "most processing of personal data is subject to the GDPR." The GDPR sits alongside the DPA 2018, which amends or modifies some of the EU GDPR. For example, the age at which a child can give their own consent to information society services is reduced from 16 to 13 (DPA 2018, section 9). Since the end of the Brexit transition period (1 January 2021) the text that applies in the UK is the 'UK GDPR', the EU regulation as retained and amended in UK law, which is read together with the DPA 2018.

Understanding GDPR – how we will do it …

To understand legislation as complex as GDPR you need to know its structure. To do this you will examine the table of contents and some of the relevant 'Articles'. You will then find that you remember the subject headings which are there. This is the method to use when you are trying to answer a GDPR question. You are not being asked to become a lawyer! I suggest that this message is just as useful if you were learning Python, JavaScript or C# programming!

Understanding GDPR – Structure

Chapter I: General Provisions (Articles 1 - 4)
Chapter II: Principles (Articles 5 - 11)
Chapter III: Rights of the Data Subject (Articles 12 - 23)
Chapter IV: Controller and Processor (Articles 24 - 43)
Chapter V: Transfers of Personal Data to Third Countries or International Organisations (Articles 44 - 50)
Chapter VI: Independent Supervisory Authorities (Articles 51 - 59)
Chapter VII: Cooperation and Consistency (Articles 60 - 76)
Chapter VIII: Remedies, Liability and Penalties (Articles 77 - 84)
Chapter IX: Provisions Relating to Specific Processing Situations (Articles 85 - 91)
Chapter X: Delegated Acts and Implementing Acts (Articles 92 - 93)
Chapter XI: Final Provisions (Articles 94 - 99)

GDPR – Articles 1 - 4 (Chapter I: General Provisions)

GDPR – Article 1: Subject-matter and objectives
GDPR – Article 4: Definitions
GDPR – Article 2: Material scope

GDPR – Articles 5 - 11 (Chapter II: Principles)

GDPR – Article 5: Data processing principles

1. Lawfulness, fairness and transparency — processing must be lawful, fair, and transparent in relation to the data subject.
2. Purpose limitation — process data only for the specified, explicit and legitimate purposes (but note the exception for archiving, historical and scientific research and statistical purposes).
3. Data minimisation — collect and process only as much data as is necessary for the purposes specified.
4. Accuracy — data must be accurate and, where necessary, kept up to date.
5. Storage limitation — keep personally identifying data for no longer than is necessary for the specified purpose.
6. Integrity and confidentiality — processing must be done in a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Accountability (Article 5(2)) — the data controller is responsible for, and must be able to demonstrate, compliance with 1 – 6.

GDPR – Article 6: Lawfulness of processing

GDPR – Article 7: Conditions for consent

Consent must be 'freely given, specific, informed and unambiguous.' Requests for consent must be 'clearly distinguishable from the other matters' and presented in 'clear and plain language.' Data subjects can withdraw previously given consent whenever they want, and it must be as easy to withdraw consent as it was to give it. Children under 13 can only give consent to information society services with permission from the holder of parental responsibility (Article 8; the GDPR default age is 16, lowered to 13 in the UK by DPA 2018 section 9). The controller must be able to demonstrate that the data subject consented, so documentary evidence of consent must be kept.

GDPR – Article 8: Conditions applicable to a child's consent in relation to information society services

GDPR – Article 9: Processing of special categories of personal data

GDPR – Articles 12 - 15 (Chapter III: Rights of the Data Subject)

GDPR – Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR – Article 13: Information to be provided where personal data are collected from the data subject
GDPR – Article 15: Right of access by the data subject

GDPR – Articles 16 - 22 (rectification, erasure, restriction of processing, notification, data portability, the right to object, and automated individual decision-making)

Understanding GDPR
Thanks for listening (and understanding …)
Q&A?