GDPR Master Class: Accountable Research Organisations (January 2018)
1. MRS GDPR Master Class: Accountable Research Organisations, January 2018
2. Objectives for Today
To help participants
Develop awareness of the legal framework and context for
data protection and build confidence around responsibilities
Identify key actions for research organisations to embed the
accountability requirements of the GDPR
Share best legal and ethical practice in the market research
sector
3. Agenda Topics
10:00 – 10:05 Introductions and welcome
10:05 – 10:30 The Changing Face of Compliance: GDPR & UK DPA 2018
10:30 – 11:15 Organisational Accountability Measures (DPOs; record-keeping; data retention; subject access requests)
11:15 – 11:30 Coffee and Networking Break
11:30 – 12:20 GDPR Compliant Policies & Procedures (contract terms; data protection policies; privacy information notices)
12:20 – 12:50 Data security and breach reporting
12:50 – 13:00 Closing questions/Discussion
5. Session Topics
Some context behind GDPR
Key definitions
Privacy principles
Risk-based demonstrable compliance
Update on UK DPA 2018
6. Some context
GDPR applies from 25th May 2018
The Data Protection Act 2018 will be introduced in the UK to supplement the GDPR and apply it in UK law
Evolutionary not revolutionary:
Fairness, transparency, accuracy, security, minimisation and respect for individuals all remain from current legislation, plus:
Strengthened individual rights
Increased business accountability
Embedded privacy-centric focus
7. Extra territorial reach
GLOBAL REACH: the GDPR applies to
- EU data controllers and processors processing data of EU residents
- Other data controllers and processors offering goods or services to individuals in the EU
- Other data controllers and processors monitoring the behaviour of individuals in the EU
8. Regulation v. national law
Current privacy framework is a Directive:
Each EU state has own law and own interpretation
GDPR is a directly applicable Regulation:
…but Member States can legislate on specific areas including
employment and research
9. The Regulators
In the UK Information Commissioner’s Office (ICO) will regulate
the Data Protection Act 2018
In the EU the European Data Protection Board (EDPB) will
regulate the GDPR and ICO will be part of this
BREXIT negotiations to determine regulatory arrangements after
March 2019
10. Enhanced Fines
Fines may be imposed instead of, or in addition to, measures that
may be ordered by supervisory authorities. There are two tiers of
administrative fines:
- Some contraventions will be subject to administrative fines
of up to €10,000,000 or, 2% of global turnover, whichever is
the higher
- Others will be subject to administrative fines of up to
€20,000,000 or 4% of global turnover, whichever is the
higher
Higher fines for breaches of basic principles including consent
conditions, data subject rights, transfers and non-compliance with
orders by supervisory authorities
11. New definition of personal data
Definition of Personal Data has been expanded:
- Data from which a living individual is identifiable (by anyone), directly or indirectly:
  - from the data alone; or
  - from the data together with other information which is in the possession of, or is likely to come into the possession of, the data controller
- Includes any expression of opinion about an individual and any indication of the intentions of the data controller or any other person in respect of the individual
12. Types of Data
Three types of data:
Identifiable Data: data that identifies a data subject
Anonymous Data: data from which no individual can be identified; outside the scope of the Data Protection Act 2018 and GDPR (but not the MRS Code!)
Pseudonymous Data: personal data that has been processed so that it can no longer be attributed to a specific data subject without the use of additional information, e.g. coded data sets that cannot identify individuals without a "key". Pseudonymous data is still personal data, and the key must be held separately under technical and organisational measures.
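As an added example (not part of the original deck or of any MRS guidance), the following Python sketch shows what a coded data set with a separately held key looks like in practice: direct identifiers are replaced by a keyed code (HMAC-SHA256 under a project key), the research data set carries only the code, and the link table plus key stay with a custodian. The field names and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Direct identifiers held back from the research data set. The field names
# are assumptions for this example.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample of raw survey responses (not real data). The first and
# third rows are the same participant, with the e-mail typed in different case.
SAMPLE_RECORDS = [
    {"name": "Ana Example", "email": "ana@example.com", "wave": 1, "q1": "agree"},
    {"name": "Ben Example", "email": "ben@example.com", "wave": 1, "q1": "disagree"},
    {"name": "Ana Example", "email": "Ana@Example.com", "wave": 2, "q1": "neutral"},
]


def make_key() -> bytes:
    """Generate a random 256-bit project key; only the key custodian holds it."""
    return secrets.token_bytes(32)


def code_for(identifier: str, key: bytes) -> str:
    """Derive a participant code from a direct identifier with HMAC-SHA256.

    The same identifier always yields the same code under the same key, so
    waves of responses from one participant stay linkable. Without the key
    the code cannot be regenerated from a guessed identifier or reversed,
    which is why a plain unkeyed hash would not be enough here.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split raw records into a coded research data set and a separate link table.

    Returns (research_rows, link_table). research_rows carries no direct
    identifiers; link_table maps each code back to them and stays with the
    key custodian, away from the research data set.
    """
    research_rows: List[Dict] = []
    link_table: Dict[str, Dict] = {}
    for rec in records:
        code = code_for(rec["email"], key)
        link_table[code] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        coded = {"participant_code": code}
        coded.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        research_rows.append(coded)
    return research_rows, link_table


def reidentify(code: str, link_table: Dict[str, Dict]) -> Optional[Dict]:
    """Look a code up in the link table; None when the code is unknown."""
    return link_table.get(code)


def has_direct_identifiers(rows: List[Dict]) -> bool:
    """Check whether any direct identifier field survived in the research data set."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    project_key = make_key()
    rows, links = pseudonymise(SAMPLE_RECORDS, project_key)
    for row in rows:
        print(row)
    # Only the custodian, holding both the link table and the key, can go back to a person.
    print(reidentify(rows[0]["participant_code"], links))
```

Note the two properties that matter for the definition above: the research data set can be analysed and linked across waves without the key, but re-identification needs either the link table or the key together with the original identifier, so both must be kept apart from the coded data set.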
13. New definition of sensitive data
Sensitive data is classified as "special categories of personal data"
Sensitive data: race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation
PLUS new categories: genetic data and biometric data (where processed to uniquely identify a person)
Personal data relating to criminal convictions and offences is not included but similar safeguards apply
14. Definition of Controllers and Processors
Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data
Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
If you are a processor: the GDPR places specific legal obligations on you, including a requirement to maintain records of personal data and processing activities. You also have legal liability for any breaches
If you are a controller: you are not relieved of your obligations where processors are involved; the legislation places further obligations on you to ensure your contracts with processors comply with the GDPR
16. Privacy by Design and Default
Organisational measures
Technical safeguards
Privacy Impact Assessment (PIA)
17. Risk-based demonstrable compliance
Organisations must fully consider the risks that processing poses
to the fundamental rights and freedoms of individuals.
What does this mean?
Identify risky processing activities
Consider implications of the risk level
Mitigate any risks
18. Processing research data
Three options available for research processing:
Consent - specific, informed and freely given consent through clear affirmative action
Legitimate interest - based on reasonable expectations and provided it does not override the rights of individuals (research is treated as a compatible purpose)
Research exemption (if implemented) - where it is impossible to conduct the research otherwise, but subject to adopting technical and organisational measures to limit collection to the minimum and to use methods that de-identify
Other grounds apply but are less likely to be used in research, such as contract; compliance with a legal obligation; vital interests of the data subject; public interest
19. Update on UK DPA 2018: Research exemption
Scientific research in the public interest
• Scientific research broadly defined
• Exemption provides limited flexibilities on some aspects
• In determining public interest conduct balancing test that considers
rights of individuals and the public interest
• Sound methodological techniques, recognised ethical safeguards
and robust technical and organisational measures are all critical
21. Session Topics
Appointment of Data Protection Officer
Research agency record keeping requirements
Data retention policies
Handling subject access requests
22. DPO: New GDPR Requirement
Are you:
• regularly and systematically monitoring individuals on a large scale?
• processing sensitive personal data on a large scale?
• a public authority?
23. DPO: Mandatory for many research businesses
Large Scale Data Processing is assessed by:
Number of data subjects (as a specific number or proportion of the relevant population)
Volume of data and/or range of different items being processed
Duration or permanence of processing
Geographical extent
24. DPO: Compliance & Liaison Role
Core role includes:
Informing and advising on obligations to comply with the
GDPR and other data protection laws
Monitoring compliance, including managing internal data
protection activities, training data processing staff, and
conducting internal audits
Advising on data protection impact assessments
Working and cooperating with, and serving as the contact point for, the ICO
Dealing with inquiries from data subjects on the exercise of their rights
25. DPO: Independent & well resourced
High level appointment who must have:
sufficient corporate resources to fulfil functions and for
own ongoing training
access to data processing personnel and operations of
business
significant independence in performance of the roles, and
direct reporting line “to the highest management level”
high job security
may also perform other tasks and duties provided they do
not create conflicts of interest
Can either appoint an employee or outsource to a
consultancy service
26. DPO: Expert & Experienced
Level of expertise depends on complexity of data
processing activities:
Higher level of expertise required if processing more
sensitive categories of data or if often cross-border
transfers
Expertise in national and European data protection laws
and practices and an in-depth understanding of the GDPR
Knowledge of the research sector and an understanding of the processing operations, information systems, data security and data protection needs of the controller
27. Business Impact – Burdens and Benefits
Benefits:
- Effective way to increase overall compliance of business
- Increased public/client trust and reputational benefit
Burdens:
- Additional initial and ongoing compliance burden
- Monetary penalty for failure to appoint
28. DPO Checklist: Action Points
Determine whether appointment is necessary or desirable
Decide between outsourcing the role or appointing an
employee
Consider conflicts of interest before appointing current
employee
Ensure role has sufficient autonomy and resources
Appoint the DPO
Publish contact details of DPO and advise ICO
29. Record-keeping for research agencies
Written records of data processing are required (the exemptions for small businesses are not useful for agencies)
Types of records depend on whether acting as a data controller or data processor
Need to consider whether records are kept up to date and who is responsible
30. Record keeping requirements
Data Controller(s):
- Name and contact details (also those of other controllers, representatives and data protection officers)
- Purpose(s) of processing
- Description of categories of individuals and categories of personal data
- Categories of recipients of personal data (including those in third countries or international organisations)
- Details of transfers to third countries
- Retention schedules
- Description of technical and organisational security measures
Data Processors:
- Name and contact details (also those of data controllers, representatives and data protection officer)
- Categories of processing (on behalf of each controller)
- Details of data transfers to third countries
- Description of technical and organisational security measures
31. Record Keeping Checklist
If over 250 employees written records of data processed must be kept
If fewer than 250 employees, written records only required if
processing activities are risky, frequent or include sensitive personal
data
Types of records depend on whether acting as a data controller or a
data processor
Need to ensure that records are kept up to date
33. Is there a fixed retention period?
Different types of personal data records are likely to require different
retention periods.
In deciding time limits consider if need to keep the data, delete it or
archive it?
Current and future value?
Costs, risks and liabilities of keeping?
Ease or difficulty of ensuring up to date?
Is there a relevant legal or regulatory requirement?
Remember if information is retained there is a risk that it will become
inaccurate, out of date or irrelevant and generally it can be accessed
by subject access requests
34. Template for Data Retention (for illustrative purposes only)
Type of Data | Retention Period | Reason
Personnel files | 6 years from end of employment | References
Income Tax and NI | 3 years after the end of the financial year to which it relates | Income Tax Regulations
Member application forms | 4 years | To respond to member queries and facilitate financial and audit requirements
Customer data | Permanent | Suppression from list
Primary research data with personal data | 1 year from end of project | Client contractual obligations; quality control
35. Data Retention Checklist
Establish retention periods for different types of data, including personal research data
Consider the purpose in deciding how long to keep it for
Is there a minimum statutory period? If not, set one out in privacy policies and terms of business
Review and adhere to your organisational data retention policy for all different types of records; the shorter the time periods the better
Ensure retention periods are included in privacy notices
Ensure suppliers and third parties working with your organisation's data understand and adhere to any data retention and deletion policies
Update, archive or securely delete data that goes out of date
Check with IT how deletion should be undertaken
Conduct an annual audit of data and/or periodic reviews
Document all decisions on data retention and destruction
36. Subject access requests: Overview
Criteria and GDPR position:
Time period to respond: one month (extendable by a further two months where requests are complex or numerous); under the DPA 1998 it was 40 days
Content of response: allow the individual to know what information is held and what processing is being carried out; may need to provide further information such as the data retention period and the right to have inaccurate data rectified
Right to withhold: if disclosure would "adversely affect the rights and freedoms of others"
Fee: free (unless manifestly unfounded or excessive), but a reasonable charge may be made for further copies (DPA 1998: £10 fee)
Electronic access: must be possible to make requests electronically, and where the request is electronic the response should be as well
37. Subject Access Requests: What steps should you take to prepare?
• Develop policies sufficient to cover subject access requests, data portability requests, and requests to be forgotten or to restrict use of personal data
• Check which records will be covered by data portability requests
• Update procedures to handle requests within the new timeframes
• Develop template responses
• Assess your ability to identify personal data relating to an individual and provide it to them
• Appoint nominated individual(s) to deal with requests and ensure they are trained
• Develop performance dashboards, especially for panels or online communities
40. GDPR Myth-Busting – True or False?
- Commissioning clients will need consent from their customers to send agencies details of their customer database
- All personal data records must be destroyed
- GDPR will still apply after Brexit
- Organisations do not need to file notifications with the ICO
41. Session Topics
Contracts in the research supply chain
Privacy information notices
Internal data protection policies
44. Different yet similar obligations
Data Controller(s):
• Lead responsibility
• Direct responsibilities e.g. required to conduct DPIA; point of contact for individuals; audit of DP responsibilities
• Contractual obligations
Data Processor:
• Direct responsibilities
• Contractual obligations e.g. seek approvals to appoint a sub-processor or to transfer data out of the EEA
But also similar obligations for both:
• Appointment of DPO; record-keeping; technical and organisational measures; privacy by design and default; lawful basis for processing; data breach notification
45. GDPR compliant contracts - Processors and sub-processors
Written contracts between controllers and processors are mandatory and must
contain specific minimum terms.
Points to consider and reflect in contract include:-
Details of the specific processing activities e.g. subject matter and duration; nature
and purpose; type of personal data and categories of data subject; obligations and rights
of controller
Terms requiring the processor to:
Only act on the written instructions of the DC
Ensure people processing the data are subject to a duty of confidence
Take appropriate security measures
Assist the DC in providing subject access and allowing data subjects to exercise their rights
Assist the DC in meeting its obligations regarding security, data breach notification and DPIAs
Delete or return all personal data to the controller as requested at the end of the contract
Submit to audits and inspections, and inform the DC immediately if an instruction would require it to do something contrary to the GDPR
46. GDPR compliant contracts - Other controllers?
Additionally, as a joint data controller, also consider:
• Research parameters such as outputs and the standard for delivery of anonymised data; re-contact consents
• Liabilities, assurances and indemnities
• Allocation of responsibilities between joint controllers for data subject requests and applicable privacy policies
47. Are there any standard contracts available?
Standard contract clauses for controller-processor contracts to be
developed by EU Commission and authorities such as ICO
Clauses in GDPR Codes and certification schemes (in time) will
also meet some of compliance obligations
48. Contract Checklist: Action Points
Understand where you act as joint data controller or data
processor
Review and revise legacy contracts (clients, freelancers
and other research suppliers)
Allocate responsibilities between joint controllers and
agree co-operation approach with data processors e.g.
data breach reporting; data subject requests
Consider apportionment of liability and risks (what cap do
you need? What level of insurance do you have? Are
indemnities needed? How is liability level reflected in price
of services?)
Ensure mandatory terms reflected in contract
49. GDPR: External and Internal Policies
• Privacy Information Notice
  Client requirements e.g. procurement, due diligence
  Customer communication e.g. what data is collected, how it is used, etc.
• Data Protection Policy
  Parameters for activities and organisations
  Core to staff and supplier terms and conditions
  Appropriate behaviour and practice
50. Privacy Information Notice
Starting point is:
who you are;
what you are going to do with participant information; and
who it will be shared with.
Also consider including:
what you are doing to ensure the security of personal
information;
information about participants right of access to their data and
their right to withdraw consent; and
what you will not do with their data (such as use it for marketing
purposes).
Privacy information notices will be required regardless of the
legal ground being used.
51. How to deliver the information effectively?
Transparent user-centric notices
Tailored
Layered
Blended
52. First Layer Information – Actively provide this information
Actively provide:
name of research organisation collecting the data and any client organisation
general subject
purpose
any sensitive data collection
whether the data collection will be recorded and/or observed
guarantee of participant anonymity and/or confidentiality
right to access data
right to withdraw consent
right to object to processing
description of any reasonably foreseeable risks (including physical or emotional harm and
discomfort or embarrassment) particularly in qualitative research projects
details of any international data transfer to third countries in the absence of an adequacy
decision and appropriate safeguards
length in minutes of data collection
re-contact details including when re-contact will occur, the purpose and by whom
costs likely to be incurred by the participant (if appropriate)
assurance that the activity is being conducted in accordance with the MRS Code of Conduct
53. Second Layer Information - Make this information accessible
Make accessible:
who will administer incentives, what it will be; when it will be received; any conditions
attached
generic contact details for data protection officer (if applicable)
details of any international data transfer to third countries considered adequate by the EU
retention period for data or criteria for retention
right to lodge a complaint with the supervisory authority in the Member State of residence,
place of work or alleged breach of GDPR. In the UK this is the ICO
right to port data (if automated data collection)
right to erasure of any personal data made public
right to restrict processing
right to rectify data held
54. Internal Data Protection Policy
Core part of the accountability principle
Data and privacy policies should accurately cover:
data activities
data and privacy processes
lines of responsibility (where appropriate)
monitoring and audit arrangements
Need to reflect both legal and ethical requirements
55. Internal Policies: Some Useful Headings
Scope and Coverage
General & Privacy
Data Collection
Data Use
Data Accuracy & Cleansing
Data Access & Sharing
Data Retention
Third Party Data
Data Transfer
Data Deletion &/or Destruction
Data Monitoring & Audit
Sub-Contractors
Data Breach Reporting
Data Policy Development
Bring your own device
56. Data Policies: Checklist
Audit existing policies and practices
What data exists?
How’s it being stored?
How’s it being used?
Who has access and who needs access?
How’s it being secured?
Strengthen data policies and procedures
Ensure external notice transparent and user friendly
Check internal policy is robust and tailored to your organisation
Establish systems to incorporate new data subject rights
Educate, train staff and raise awareness
60. GDPR: Data Security Principle
DPA – Data Security: appropriate technical and organisational measures
GDPR – Integrity and Confidentiality: personal data should be kept secure
62. Data Security checklist
Consider the following when assessing whether your technical and organisational measures are appropriate:
Are the automated systems protected by a level of security appropriate to the data held?
Are technical measures in place to restrict access to systems holding personal data?
Are technical measures in place to secure data during transit (e.g. to subcontractors and
interviewers)?
How is the data stored by your sub-contractors and interviewers – is it adequate and
appropriate?
Are the premises on which the data is held secure?
Is access to the premises restricted?
If the data is held on non-automated systems e.g. paper files, discs, microfilm, and
microfiche, is access still restricted or secure?
Are copies of printouts, obsolete back-up tapes etc. disposed securely?
Is obsolete hardware and software from which data could be recovered disposed of
securely?
Is there an auditable data retention and destruction policy?
Are staff trained and made aware of their responsibilities to safeguard the personal data?
63. Personal data breach notifications
If you are made aware of a personal data breach:
1. Is the breach a risk to individuals? If yes, tell the supervisory authority (if no, no notification is required, but the breach must still be documented internally)
2. Is the breach "high risk"? If yes, tell the affected individuals (if no, end of process)
64. What are the timelines for notification?
Inform the regulator 'without undue delay' and, where feasible, 'not later than 72 hours' after becoming aware that a breach has taken place
If notification is not made within 72 hours, it must be accompanied by a reasoned justification for the delay
65. Data security breach notification process
1. Containment and recovery
• response to the incident should include a recovery plan
• procedures for damage limitation
2. Assessing the risks
• assess risks, as these affect what you do once the breach has been contained
• consider potential adverse consequences for individuals (severity and likelihood of risk)
• critical consideration for GDPR notification
66. Data security breach notification process (continued)
3. Notification
• establish a process for notification to the supervisory authority, to the individuals affected and, where you act as processor, to the controller
4. Evaluation and response
• investigate the causes of the breach and also evaluate the effectiveness of your response to it
• build in effective ways of detecting breaches
• if necessary, update your policies and procedures accordingly
67. And the last word on GDPR compliance...
Responsibly assess the risks and then document, document, document and document...
69. MRS guidance & awareness
Guidance
• MRS EFAMRO ESOMAR Guidance Note on Research Sector – Legal Bases (June 2017)
• GDPR In Brief – 7 GDPR topics covered to date
• Data Protection & Market Research: Guidance for MRS members (February 2018; April 2018)
• Fair Data, Impact, MRS Blogs and Articles
Live and Recorded Webinars
• GDPR Countdown (May 2017)
• MRS AURA Client Side Research (November 2017)
• RAS GDPR (March 2018)
• Off the Starting Blocks (March 2018)
Events
• MRS Roadshow (Leeds, Bristol, Edinburgh, Brighton, Birmingham, London March to July 2018)
• Association events e.g. EphMra; Cvent
• GDPR Master Class – Accountable Research Organisations (January 2018)
• GDPR Master Class – Transparent Research Projects (April 2018)
• Company Partner Briefings (Ongoing)