Hello everyone, it's Chris Stevens, the Privacy Gremlin. I'm going to welcome you back to the course; we're going to continue our discussion on those important international privacy and data protection laws and regulations that we as privacy professionals, security professionals and others should be familiar with. From a cybersecurity standpoint it's important because we are there to assist our organizations, companies and institutions in complying with these various laws, their administrative, physical or technical safeguards, controls or other language used, like we talked about in the GDPR, their technical and organizational safeguards: being able to protect personal data, as it's defined in many of these international and global laws, from the time it is collected or created to the time that it's disposed of appropriately. We know that privacy and security complement one another. There's an adage that looks at this, where it says you can have security without privacy but you can't have privacy without security. I agree with that statement to some degree. Maybe after we've written our policies, procedures, guidelines and standards, we've defined what it means, the data that we're trying to protect, we determine the legal basis or the legitimate reason why we're processing this information, we're protecting it, providing security. You have to protect it. We're going to talk about a number of topics that are important to us. The United Kingdom's Data Protection Act of 2018 was first enacted in 1998 after the European Union had enacted its Data Protection Directive, which gave broad guidance to the actual European countries. But one of the shortfalls was it allowed these countries themselves to interpret what those laws meant.
And so that created a lot of confusion for companies that were complying with those. When we had the enactment and full enforcement of the GDPR on May 25th, 2018, we saw those European nations and other nations that had hoped to do business and gain access to the European Union's over 550 million EU data subjects' personal data. We saw these countries, especially as required under the GDPR, either amend existing data protection laws, aligning those against the GDPR, or implement and adopt the GDPR writ large. At this date in the 21st century it's important that you as a professional are familiar with the United Kingdom's Data Protection Act because, as we know, if you've been following the last several years, we know that the United Kingdom has left the European Union. Which caused great concern with companies around the globe and countries, because what would be the status of the United Kingdom? Now, in this relationship with the EU, would it maintain its adequacy status that we talked about during our discussion of the GDPR, where the European Commission had designated these countries as being adequate in their privacy protections and the other host of requirements you have to meet? Would it maintain that status? That means that the UK would be treated just like it was a member of the EU for the sharing of EU data subject data from a data protection perspective. Or would it be a country much like the US, that has been deemed inadequate, that needed other mechanisms in place to ensure that it had the appropriate data protection rules in place to safeguard EU data subject data? Everyone was so happy when the European Commission came back and adopted an adequacy decision for the UK that allowed it now to transfer data much like it did before, imported from companies and institutions within the EU and within the European Economic Area, which consists of not only the 27 EU countries, but also Liechtenstein, Norway and Iceland.

And so to our relief now, again, we still have to look at the evolution of the Data Protection Act of 2018 as it moves further, as the UK moves further away from the EU in many areas. One concern is, will there be such a large divergence in what the Data Protection Act of 2018 requires and the GDPR, which then in the future may call into question whether the UK maintains its adequacy status? Much like the US again, because of national security and law enforcement practices and laws, that will also be closely looked at by the Europeans to make sure that companies, countries, organizations and institutions in the EU and the EEA are sharing EU data subject data that will subsequently be shared with national security and intelligence agencies. So what are we going to talk about? Again, I get so excited when we talk about data protection and privacy. Like I mentioned before, and I hope you get this bug also, for 35 years I've worked as an intelligence professional. It wasn't until I retired from the military, had a great career in the US intelligence community, and was looking at a third career, taking a retirement from the government like I did from the military, that I discovered data protection and privacy. We are our organization's privacy legionnaires; we're on the front lines, making sure every day that they're showing due diligence and due care when it comes to collecting, using, disclosing, retaining and disposing of an individual's personal data, personal information, or however that term is defined in the jurisdiction. We have a chance to make a difference. And so again, our understanding of the UK's DPA of 2018 is extremely important. So what are we going to talk about? We're going to talk about the Act's objectives.
We'll talk about those principles, guiding principles outlined against the GDPR's principles. We'll talk about data subject rights, which are so important today. We're seeing laws across the globe that are now holding companies accountable for how they process that information legally and lawfully, with steep administrative fines for noncompliance. We're going to talk about controllers and processors, much like we did when we talked about the GDPR. Much like we saw under the GDPR, the UK is also concerned with whom organizations and institutions share, now, a UK data subject's data outside of the UK. When can you do it? How can you do it, under what conditions? And then we're going to talk about, sadly, noncompliance penalties. And for me, when I talk about noncompliance, it equals pain. Because now the fines are becoming so steep that, you know, it does cause pain. It's not just a monetary impact; it could be an injunction, it could require you to have to implement costly but necessary information security and information privacy and data protection practices. But we don't want our companies to have to go through that. That's the reason why we're going to work diligently from a cybersecurity perspective, an information privacy perspective, a data protection perspective, to ensure that our companies are always showing due diligence and due care. So buckle up your seatbelts. Let's get ready for this ride that we're going to have as we discuss the DPA of 2018. So let's talk about this Act's objectives. You know, the DPA of 2018, much like its predecessor the DPA of 1998, hopes to align, you know, the law to allow for the protection of the individual rights and freedoms of data subjects while at the same time enabling organizations to engage in the practice of processing this information for a legitimate and legal basis.

And so it wants to establish the grounds, the framework, for how they can do that in processing personal information. They want to make sure that there's some alignment, with differences, with the GDPR. They want to make sure that they cover those gaps from a national perspective, where they've gone beyond the GDPR and tailored their law to reflect the needs of the UK. There's also, and I talked about this, it's not often talked about because people focus so heavily on the GDPR, but again, at the same time, in 2016, we had the enactment of the EU's Law Enforcement Data Protection Directive, and in 2018 it was fully enforced. It really harmonized those disparate European law enforcement laws that govern how personal information or personal data could be used in support of criminal investigations. And so they want to make sure that they had compliance there, you know, because it falls outside the scope of the GDPR when we start talking about national security, law enforcement, border, asylum and those things that are germane to national laws in the European Union. It also looked at how the UK's intelligence services would process personal data in support of their activity. It also defined, just like we saw in the GDPR, what are those responsibilities of the UK Information Commissioner. I must say, and I encourage you as you look at these laws, if you're looking for good guidance, documents, templates, you must go to the UK, as the Information Commissioner's Office is one of the best, if not the best, supervisory authority office that we have in the UK or in the EU. I want to make sure that it talks about how do you enforce these laws. You know, we found that if you try to drive compliance and you don't apply that or link that to some type of enforcement, then that law falls flat on its face. And then it makes, again, looks at how the government itself, you know, either the Parliament itself in the UK or the Crown,
and those offices that fall under royal jurisdiction, also comply with this. Important. So what are those principles? They look a lot like what we saw under the GDPR. They want to make sure you have lawful, fair and transparent processing of personal data. You want to make sure that you have a stated purpose. What is that purpose, the legal basis under which you're processing this information? Looking at necessity and proportionality, making sure that you minimize the data you collect to satisfy that specific legal basis. Make sure the information is accurate, timely and relevant; we've seen in the past that when you've had inaccurate, untimely data, it could pose significant privacy harms and data protection harms to a data subject. Only keeping information for as long as you have a legal or lawful purpose for doing so. Make sure you're protecting that information from the time you collect or create it to the time you dispose of it. Make sure it remains unaltered, unmodified. And accountability: having someone who oversees the program, making sure at the national level you have a supervisory authority that enforces the law. But it's not just about enforcement; it's also about working with those controllers and processors, ensuring that they understand what their obligations are under the law. Let's talk about the rights of the data subject. You know, you can't find, you know, many countries where now these countries haven't started to integrate the rights and freedoms of individuals into laws and regulations that now are enforced. So let's look at these individual rights and freedoms that look a lot like what we talked about on the GDPR. Under the DPA of 2018, an EU, I mean a UK data subject, has the right to know what information has been collected on them and why, what is it being used for. They've got a right to access that information and correct it.
They've got a right to know what other supplementary information, when linked to the personal data, might allow someone to identify that data subject. They've got a right to rectify, in other words, we're saying correct information that's inaccurate or complete information that's incomplete. Right to erasure, right to be forgotten. Now under the GDPR, the right to erasure exists that predates the GDPR; the final ruling by the Court of Justice of the EU was in 2014. Remember we said that the right to erasure applies to those controllers, and then the right to be forgotten extends to those processors that are processing that data subject's data on behalf of the controller. We said, short of just completely erasing that information from your active, your backup systems and archives, that you can have a temporary cessation of the processing of that information under certain circumstances. A new right is you've got a right to data portability. You've got a right to engage either to have a controller give the information to you under certain conditions, or to provide that information to a trusted third party, or, if the interoperability exists, to be able to transfer that information from one controller to another. Much like under the GDPR, you've got a right to object to processing in certain circumstances. I want you to remember this. You know, there where we talked about three under the GDPR, and we said the only absolute right under the right to object to processing is the right to object to being subject to unsolicited direct marketing. We're starting to see this incorporated into US laws like the California Privacy Rights Act of 2022, where you've got a right to object to automated decision making and profiling that might negatively or adversely impact you as a data subject, a UK data subject,

where, before that fuzzy logic or AI, artificial intelligence, makes that decision that might apply to you, from employment, benefits, services and things like that, a human intervenes into that process and makes sure that decision is fair and objective. You've got a right to withdraw consent at any time when applicable under the law. Like we said, consent is the most fickle of these different rights, because again, as easily as it's given, it can be withdrawn. Consent can't be bundled, it can't be coerced, it can't be forced, it can't be ambiguous. And then when you've tried to exhaust these rights by working with that data controller or data processor, you have a right to go to the UK's Information Commissioner's Office and have them intercede on your behalf as an EU data subject, or UK data subject, my apologies. Let's talk about those controllers and processors. Like we said, under the old DPA of 1998, much like the former EU Data Protection Directive, the onus was squarely placed on the shoulders of that controller. Processors themselves, the only way you could drive compliance as the controller would be to have a contract in place that obligated those processors to maintain the confidentiality of the data subject information as well as having some modicum of security to protect that information. Now, when we talk about it from a controller standpoint, now, just like we saw under the GDPR, now you must document how you're implementing data protection by design and by default. You may know this term as privacy by design, privacy by default; it's Article 25, and I think Recital 78, that provide guidance on how you're supposed to do that from a technical and an organizational perspective. The concept really talks about, before you even begin conceptually considering the production or the offering of a service, that you look at those privacy risks or data protection risks associated with those.
You conduct what we know, we talked about, that data protection impact assessment, identify those risks, especially for processing information that might pose a high risk to data subjects. You try to mitigate that, and then you design in, in the conceptual phase, the design phase of that system development lifecycle, what those controls are. And then, by the time you offer that service or that product to the consumer, then default kicks in, where those controls are working unbeknownst to the data subject, unbeknownst to the system owner, the business owner, where they're providing those protections in place from a data protection perspective until such time that you either replace that system with a new system or discontinue it. It covers joint controllers, because you can have an agreement between two controllers when it comes to the processing. Now the UK DPA gives guidance on what those processors are. Controllers have to ensure that they have, like we talked about on the GDPR, Article 28, that data processor agreement in place that legally obligates that processor to comply with the processing guidance of that controller. Just like we talked about, you've got to maintain those records of processing activity, the who, what, when, where, why and how while you're processing that information, and make that available to supervisory authorities, in this case the UK ICO, should they request to see that. You've got to make sure that you're logging that information as a history. You've got to conduct those data protection impact assessments. For me, again, it's a no-brainer, but for many, especially smaller companies and mid-sized companies, you've got to consider the cost associated with conducting these data protection impact assessments if you're going to do it voluntarily. The UK ICO has a great template that you can download. I think version four was released in 2018 that walks you through the DPIA process.
You've got to cooperate with the Information Commissioner, especially if they're investigating cases of alleged noncompliance. There's been an increase across the different supervisory authorities in complaints about security incidents and data breaches. You know, that prior consultation with the Information Commissioner also comes into play when we're talking about those DPIAs. Should a data controller or processor not be able to mitigate that high risk associated with processing, that engaging in risky behavior or activities, or behavioral activities, or processing those special categories of data that we talked about: ethnic and racial origin, religious beliefs, philosophical beliefs, trade union information, again sensitive information, sex, health, sexual orientation, genetic information, criminal investigatory information. If you can't mitigate that in consultation with your data protection officer, the data subject, and using those appropriate technical and organizational controls, then you've got to reach out to the UK Information Commissioner, and much like under the GDPR, it has eight weeks initially to respond to that request and it can request an extension of six weeks. You've got to make sure that you have a security process and consider the nature and scope of those processing activities and the risk associated with processing, in this case, the UK data subject's personal data. Because you're going to hear me say this throughout the learning path: there's always inherent risk associated with processing an individual's personal information, and we apply these administrative, physical and technical controls; they try to lower that risk from inherent risk, where you haven't applied any controls, to residual risk. But you're always going to have some level of residual risk because we can't drive risk to zero. It accounts for personal data breach obligations.
Now beforehand, under the old Act of 1998 and before the GDPR, we didn't have a requirement that when you experience a data breach you have to notify the supervisory authority, and then, if that breach poses a high risk to the individual rights and freedoms of the data subject, you also have to notify them. The same obligations you have: without undue delay, within 72 hours, and that falls on the shoulders of the data controller. Under certain circumstances, you've got to have data protection officers. And then the law, much like your GDPR, looks at, okay, which countries? And this applies to non-profit and for-profit companies: where are you sending, exporting, now the UK data subject's data? Are they adequate? Do you have the appropriate mechanisms in place, like we talked about on the GDPR: standard contractual clauses, binding corporate rules? Are you using ad hocs? You have to make that determination and make sure you're doing that transfer in compliance with the UK DPA of 2018. Talk about those penalties. Much like under the GDPR, again there are going to be monetary fines for not complying with the law. But that supervisory authority, in this case the UK Information Commissioner, just doesn't jump to the higher levels of these administrative fines without considering how effective it's going to be. What's the impact on the organization itself? Is it proportional to the offense? Will it drive compliance? And it looks at the cases individually when making its ruling. Now, the DPA of 2018 has two tiers of penalties, much like we saw in the GDPR, but it's been adjusted now to look at UK currency. And so at the time of the creation of this course it was 17.5 million pounds or 4% of the annual turnover or revenues in the preceding financial year, whichever one is higher. And this happens when, again, you woefully violate the rights and freedoms of the data subject, don't comply with the ICO's requirements, or transfer information on a UK data subject to another country not meeting the requirements.

Or the UK has the right to look at the GDPR's requirements: 4% of your annual turnover or revenues or €20 million per infraction. Then you have the lower level, the standard maximum, which under UK currency is 8.7 million pounds or 2% of your annual revenues or worldwide turnover, whichever one is higher. Now this is for violations, administrative violations of the law; then you'll find yourself with whichever one is higher. I have to make sure I say that. Now the UK also has the right to enforce the GDPR's administrative fines for noncompliance, which are at this lower level €10 million per infraction or 2% of your annual turnover or revenues, whichever one is higher. Now we know that again currency changes multiple times during the day. So the ICO, when it looks at the fine, if it uses the currency set by the exchange rates of the Bank of England, then again, that rate could change based on the currency rate on that given day. Are you still with me? Are you here? So let's talk about it. Post-Brexit. Brexit turned things on their end. Now, UK companies were so terrified. They were worried that again they'd be put in that quandary where they couldn't have that same status, the UK wouldn't have that adequacy. That's been resolved for us. Again, the European Commission will continue to look at the UK, especially engaging in this practice from a national security and law enforcement perspective, how it is importing and handling EU data subject data. We know the UK, much like the other, at the time, 28 members of the EU, to include the EEA and other countries that were deemed adequate, adjusted their laws to reflect those requirements and the principles stated under the GDPR, much like before the UK left the EU with Brexit. Again, the GDPR has always allowed some exceptions, and we talked about those under the GDPR's Article 2, the material scope. We talked about, again, much like the GDPR,
the DPA of 2018 does establish those six legal bases under which data controllers and data processors can legally process UK data subjects' personal data. We know that UK data subjects enjoy the rights and freedoms; we talked about a number of those: the right to access their information, to determine the accuracy, to correct it when appropriate, the right to restrict processing, the right to erasure and to be forgotten, the right to object to processing personal data, the right to notification, the right to consent, the right to object to the automated processing or decision making associated with a UK data subject's personal data. We know that controllers and now processors have to comply with this Act to ensure that they're processing a UK data subject's data both lawfully and legally. You've got a security component. It says that given the nature and scope of the processing activities and the risk associated, and given the cost of implementation of the security controls, that again you must ensure that you have security in place when you're processing a UK data subject's personal data. We know, much like the GDPR, it has a requirement that these companies within the UK, much like they did when the UK was part of the EU, have to know which countries to whom you're exporting the data subject's data. Within the adequacy status we talked about, that's a small group, and information can be shared just like you were part of the EU or the EEA. For those countries that were deemed inadequate, there were additional controls. We saw this with the invalidation of the EU-US Privacy Shield framework, where we have to find other mechanisms, the likes of standard contractual clauses, binding corporate rules, ad hoc contractual agreements and other derogations in the law. We know that again, if you are a company, an organization, whether you're for-profit or not-for-profit, you have to comply with this law.
And if you don't, there are steep administrative fines for not doing so. It is always a pleasure to be your instructor. I'm so passionate about this topic, data protection, information privacy. I hope that you, your families and significant others are safe and sound. I hope to see you in the next recording or video that we have, when we continue our discussion on international laws and regulations that apply to data protection and information privacy. Take care. Chris, the Privacy Gremlin, will see you in the next video.