Data Protection for SDS Employers
Alison Johnston
Lead Policy Officer (Scotland)
Information Commissioner's Office

The Strands of Data Protection Law

Key Definitions
Data Controller: the organisation that makes the decisions
Data Processor: an organisation instructed to process personal data on behalf of a Data Controller
Data Processing: anything which a Data Controller does with personal data, including storing it
Data Breach: anything that happens to personal data which shouldn't
Data Subject: an individual identifiable from the personal data that you hold on them

The Accountability Principle
The controller shall be responsible for, and be able to demonstrate compliance

What is Personal Data?
Personal Data is: Any information relating, directly or indirectly, to an identified or identifiable natural person

Not all data is the same

Personal Data isn't Always Obvious!
Recorded data
Electronic
Processed by automated equipment
Manual
Notes which will be automated
Filing systems
Official records
Public authorities

Who is responsible?
Data controllers
Data processors

I must get consent to process personal data under GDPR
TRUE
FALSE
Consent is just one of the lawful bases for processing personal data

Conditions for processing

Special category data
Explicit consent
Employment, social security, social protection law
Vital interests
Not for profit religious, political or trade union bodies
Put in public domain by the person
Legal proceedings/advice
Substantial public interest based on law
Health, medical, social care
Public health
Archiving, research, statistical
Additional conditions are in the new UK Data Protection Act 2018

Personal data
Consent
Contract with the individual
Comply with a legal obligation
Protecting vital interests
Public function in the public interest
Exercise of official authority
Legitimate interests of the data controller, but not prejudicial to the person

Lawful Basis Tool

To be Informed
Access
Accuracy/Rectification
Erasure
Restrict Processing
Object
Data Portability

Data Sharing

Data Processing

Data Breaches
Report to the ICO if it is likely to result in a risk to the rights and freedoms of individuals
Without undue delay; No later than 72 hours.
Will need to provide specific details including: nature of data involved; contact point details; measures taken as a result of the breach
May need to notify individuals affected

Data Breach Guidance

Useful Links
Guide to the GDPR
ICO Resources and Support
Self Assessment Toolkit
ICO Guidance

Keep in touch
ICO Scotland
45 Melville Street
Edinburgh EH3 7HL
T: 0330 123 1115
E: [email protected]
Subscribe to our e-newsletter at or find us on

