Data Protection Flipbook PDF



Europe Data Protection

Function: Europe, Legal and Compliance
Approver's name and title: Mark Packer, Europe Regional Counsel
Last review date: January 2021
Document Author's name and title: Konstantinos Voutsinas, Data Protection Manager
Classification:

Purpose

The purpose of this document is to help relevant people in Lendlease understand their role and responsibilities with regards to data protection and also to provide clarity on our data protection requirements on business-as-usual matters. This document must be read in conjunction with the Europe Data Subject Access Request Procedure, the Europe Data Breach Reporting Procedure and the Data Protection Impact Assessment Procedure.

1. Introduction

The EU General Data Protection Regulation took effect from 25 May 2018. Its key impacts include new definitions of personal data, stricter breach reporting requirements, enhanced data subject rights, new processor obligations and larger fines, amongst others. A more detailed list of regulatory changes on data protection can be found in Appendix 1 of this document.

2. Data Protection Roles

One of the key attributes of an effective approach to data protection is a clear allocation of roles, each with defined responsibilities. Therefore, it is vital that everyone within Lendlease understands the part they must play in keeping the personal data we process safe. On data protection the following roles have been defined and allocated:

• Data Protection Champions.
• Data Protection Manager.
• Senior Management.
• Global Head of IT Security.
• IT team.
• Remaining Lendlease people.

Version 2.0 As at January 2021

Uncontrolled when printed

Page 1 of 11


2.1 Data Protection Champions

The Data Protection Champions' responsibilities include the following:

• Document processing activities. Maintain and update their business unit's Record of Processing Activity (ROPA) as required and notify the Data Protection Manager if the personal data collected or the processing activity changes. This is discussed in greater detail in section 3 of this document.
• New processing activity. Contact the IT security team if a new personal data processing activity is to be introduced. Fill in an Information Asset Register and submit it to the Data Protection Manager for review. Please note that a new processing activity can only be introduced if approvals from both IT and the Data Protection Manager have been received. Follow the steps highlighted in section 4 of this document.
• Conduct Data Protection Impact Assessment (DPIA). Complete and submit to the Data Protection Manager for review DPIAs for any processing activities that are likely to be of high risk.
• Subject access request. Bring to the attention of, and collaborate with, the Data Protection Manager when a Subject Access Request is received, as per the Europe Data Subject Access Request Procedure.
• Data incidents. Bring to the attention of, and collaborate with, the Data Protection Manager when a data incident is believed to have taken place, as per the Europe Data Breach Reporting Procedure.
• Data protection awareness. Raise awareness of data protection principles and governance in the team and remind your team of the key data protection questions.
• Data retention and destruction. Ensure that the set data retention and destruction schedules are implemented.
• Data processing agreements. Liaise with the legal function to confirm that legal agreements with processors meet the requirements of the GDPR.

2.2 Data Protection Manager

The Data Protection Manager ensures Lendlease's compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection legislation in Europe. This is achieved by ensuring effective systems and controls are in place to enable Lendlease to comply with its legal obligations. The Data Protection Manager acts as an intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units within Lendlease. The Data Protection Manager fosters a good data protection culture within Lendlease and is the focal point for data protection activities. The Data Protection Manager's responsibilities include the following:

• Data protection oversight. Have oversight of Lendlease's data protection arrangements in Europe.
• Systems and controls. Implement and oversee systems and controls to ensure compliance with relevant UK and global data protection legislation and regulation. This includes drafting, maintaining and implementing data protection policies and procedures, conducting assessments on data protection compliance at appropriate intervals and answering any queries the Data Protection Champions might have.


• International data transfers. Educate the Data Protection Champions as to Lendlease's obligations in instances where international data transfers have been identified. If data transfers are between Lendlease entities then this is covered by the intra-company data transfer agreement. If data transfers are between Lendlease and an entity incorporated outside the EU then advice must be sought from the legal function.
• Procedure implementation. Oversee the implementation of the Europe Data Breach Reporting and Europe Data Subject Access Request Procedures. Moreover, ensure the alignment of these procedures to Group-wide equivalent documents.
• Remedial action implementation. Oversee the implementation of recommendations brought forward by the regulator, or identified as a result of an audit or a data incident.
• Training. Ensure that online data protection training is undertaken by Lendlease people in Europe. Conduct tailored training (additional to the standard data protection training), on a risk-based approach, for any business units/teams across the Lendlease Group that require it.
• Monitor legislation updates. Keep abreast of regulatory developments within the European countries in which Lendlease operates and adapt data protection arrangements accordingly.
• Global co-operation. Liaise as appropriate with Lendlease data protection managers in other jurisdictions to ensure a consistent global approach to data protection.
• Data protection fees. Ensure the timely payment of any fees due to the ICO and the provision of any registration information (if required).
• Communications with regulators. Serve as the primary point of contact and liaison for the ICO and other EEA Data Protection Authorities on all data protection related matters under the GDPR and relevant national legislation.

2.3 Europe General Counsel

The Europe General Counsel will:

• Ensure that the Data Protection Manager has a clear reporting line and adequate authority to discharge their role.
• Provide support to the Data Protection Manager, if necessary.
• Agree a process to apply in the Data Protection Manager's absence.

2.4 Global Head of IT Security

The Global Head of IT Security is the primary role with a dedicated focus on information security and related issues. The Global Head of IT Security has the following responsibilities:

• Management information. Report to senior management on all security related matters on a regular and ad-hoc basis, when required.
• Information Security Policy. Communicate the Information Security Policy to all relevant interested parties where appropriate and ensure its implementation.
• Risk management. Manage risk associated with access to the service or systems.
• Systems and controls. Ensure that security controls are in place and documented. Quantify and monitor the types, volume and impacts of security incidents and malfunctions, and identify and manage information security incidents according to the process.


2.5 IT Team

The Lendlease IT team in relation to data protection includes both the IT Security team and IT personnel working on systems that process personal data. The latter are expected to include project teams, data architects and application support personnel. The IT team has the following responsibilities:

• Data Protection Champion support. Contribute to the ROPA, IARs and data protection impact assessments, when required by the Data Protection Champions.
• Europe Data Breach Reporting Procedure. Identify and escalate any potential, suspected or actual data breach occurrence to the Data Protection Manager Europe.
• Europe Data Subject Access Request. When a data subject access request is granted, engage with the Data Protection Champions and Data Protection Manager to retrieve copies of the information.

2.6 All Lendlease Authorised Users (LAUs)

All of our Lendlease Authorised Users have responsibilities which include:

• Management of data. This includes following all policies, standards and procedures to manage data security and quality.
• Co-operation. This includes contributions to the ROPA, IARs and DPIAs, when required, and answering any queries the Data Protection Champions or Data Protection Manager have.
• New and amended processing activities. Bring to the attention of the relevant Data Protection Champion any forthcoming new processing activity or amendment to an existing processing activity.
• Compliance with policies. They are responsible for complying with all data protection policies of Lendlease relevant to their business role.

3. Recording Data Processing Activities

One of the core responsibilities of the Data Protection Champions is to maintain a record of processing activity (ROPA) which sets out the details of the processing activities of their business unit or function on a spreadsheet. The following are documented on a ROPA:

a) What the objectives of the processing are.
b) Why the processing is necessary to achieve the objectives.
c) An assessment of whether the processing is proportional, i.e. that it does no more than it needs to.
d) Definitions of specific data items to be stored and processed.
e) How the data will be processed.
f) Determine the retention period of the data.
g) How the data will be stored.


h) Legal basis of collecting and holding the data.[1]
i) Where the data may be transferred.
j) The risk of the processing activity.
k) Whether the rights of the data subjects are in place.
l) Possible future uses of the data.
m) Processing of special categories of personal data.

The Data Protection Champions need to understand whether their business unit or function is processing special categories of personal data, for example personal data relating to children or criminal offences. In the event that any personal data in these special categories is processed, this will need to be flagged to IT and the IT security team in order for appropriate due diligence to be conducted on any associated processors. With regards to personal data relating to children in particular, the Data Protection Champions will have to think about the need to protect them from the outset, and design appropriate systems and processes.

The Europe Data Protection Manager manages the ROPAs and has oversight of their maintenance. The ROPAs are stored in a SharePoint site. It is the responsibility of the Data Protection Champions to ensure that the most recent version of their ROPAs is stored in the SharePoint site. ROPAs will be reviewed periodically by the Data Protection Manager.

For any new processing activity, an Information Asset Register (IAR) will need to be completed. This is a similar but abbreviated format to that of the ROPA. The IAR will need to be reviewed and approved by the Data Protection Manager prior to the processing activity being introduced.

[1] With regards to processing personal data about criminal convictions or offences, Lendlease must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10.

4. Roadmap for New Processing Activities

At the outset of any new processing activity the analysis that is depicted below should take place. The person responsible for overseeing this process is the Data Protection Champion, delegating actions as appropriate to the Business Lead, and they will need to liaise (with the help of the project manager) with the following Lendlease teams:

• IT security. In order for the security assessment to take place.
• Data Protection Manager. To receive answers to any queries and for the review of the IAR.
• Legal. For the review of any legal agreements with processors or other parties.

The remainder of this section examines the steps of the flowchart below.

[Flowchart: Is there any Personal Data involved? → Is that Personal Data being Processed? → Who is the Processor and who is the Controller? → Does the GDPR apply? → If the GDPR does apply, what do I do next?]

4.1. Is there any Personal Data involved?

As a first step, Lendlease will need to consider whether the data which relates to or is dealt with as part of the processing activity is Personal Data. If there is no personal data at all involved in the process, then it is unlikely that any data protection rules will apply. However, in many processes at least some Personal Data will be involved, even if this is simply the contact details of the individuals at Lendlease and the other party (e.g. a supplier) who will be administering the contract (for example, the contact addresses of individuals for notice requirements or escalating disputes). If Special Categories of Personal Data[2] are involved in a processing activity the Data Protection Manager must be contacted to ensure that the additional rules are considered.

4.2. Is that Personal Data being processed?

Once Lendlease has determined that Personal Data or Special Categories data is involved in an activity, Lendlease needs to establish if the Personal/Sensitive data is being processed.[3] For example, a hosting provider that is simply hosting Personal Data in the cloud would be processing Personal Data. If Lendlease is holding Personal Data, the safest course of action is to assume it is processing it.

[2] These include: information about an individual's race, ethnic origin, political opinions, religion, trade union membership, genetic data, biometric data (where used for ID purposes), health, sex life or sexual orientation.

[3] Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4.3. Who is the Controller and who is the Processor?

If it has been identified that personal data will be processed, then the next step is to understand the role Lendlease is playing, to be able to properly establish whether the GDPR is relevant. That is, the identification of the entity (or entities) that is the Controller[4] and the Processor[5]. However, it is important to note that in many countries (such as Australia) there is no such concept. In most circumstances, Lendlease will be the controller, and the other party (commonly a supplier) will be the processor acting on Lendlease's behalf.

4.4. Does GDPR apply?

If the previous steps have identified that personal data is involved, that it is processed and that the controller/processor have been identified, the following assessment must take place in order to determine whether GDPR applies or not.

[4] A Controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

[5] A Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


4.5. If GDPR applies, what do I do next?

In the event that it has been determined that GDPR applies, the following have to be considered:

• Determine if other local laws apply. Under the GDPR, Member States can derogate in respect of certain provisions and have implemented local laws in order to do this (for example, the Data Protection Act 2018 in the UK). In addition, just because the GDPR applies does not mean that other local laws (for example, in Australia, Australian data protection rules) do not.
• Lawful basis of processing. Lendlease must have a valid lawful basis in order to process personal data. There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under GDPR:
  a) Consent. Data subjects have provided consent via a filled-in form.
  b) Contract. Personal data is being processed to fulfil a contractual obligation.
  c) Legal obligation. Personal data are processed to comply with a common law or statutory obligation.
  d) Vital interest of a data subject. Where personal data are required to be processed to protect the vital interest of a data subject or of another natural person. Lendlease has to retain reasonable, documented evidence if this is the case.
  e) Performance of a task carried out in the public interest. When Lendlease processes personal data because it has to perform a task that is believed to be in the public interest or as part of an official duty.
  f) Legitimate interests. The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
• Information Asset Register and Data Protection Impact Assessment. An IAR has to be completed, reviewed by the Data Protection Manager and approval granted. In the event that the IAR review identifies the processing activity to be of high risk, the completion of a DPIA will be required. More information on the completion of a DPIA can be found by reading the Europe Data Protection Impact Assessment Procedure.
• IT Vendor Onboarding process. As the data controller, Lendlease must perform its due diligence on the "data processors" to whom Lendlease outsources the processing of Personal Data. As such, the Data Protection Champions, the ICT team and the Data Protection Manager will need to discuss the IT/security impact on the Personal Data that will be processed in the new system. Thus, a risk assessment covering data privacy and IT security is conducted.
• Contract agreement. If Lendlease as a Controller appoints a Processor, a written contract has to be in place. In this event the Data Protection Champion has to liaise with Legal for a review and sign-off of the legal agreement.
• International Data Transfer Agreement. In the event that a transfer of data outside the EU will take place as a result of the forthcoming processing activity, the Data Protection Champion must liaise with Legal for a review of the contract with the other party.
• Data Retention and Destruction. Appropriate data retention and destruction schedules must be set for the forthcoming processing activity. For this purpose, the Data Protection Champion must liaise with Legal and the Data Protection Manager.

• Data Privacy by Design.[6] The Data Protection Champion will need to liaise with the Data Protection Manager to consider the use of techniques that are applicable and appropriate.

5. Appendix 1

The key impacts that have resulted from the introduction of GDPR on the 25th of May 2018 include the following:

• New definitions of personal data, including "special categories" replacing sensitive personal data.
• More obligations around receiving consent from data subjects.
• New direct obligations on processors.
• More information to be provided to data subjects when data is collected.
• Mandatory breach reporting within 72 hours, subject to conditions.
• Larger fines of (up to) €20,000,000 or four per cent of worldwide annual turnover, whichever is higher.
• Enhanced data subjects' rights, including: subject access, right to object to processing, right to be forgotten/erasure and data portability. These will be enforceable through the courts, including by awarding damages for losses.
• Data protection officers needed if organisations' core activities include large scale data processing.
• Privacy impact assessments required where the type of processing (e.g. using new technologies) is likely to result in a high risk to the rights and freedoms of individuals.
• Concepts of 'privacy by design' and 'privacy by default'.

[6] Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. As expressed by the GDPR, it requires Lendlease to put in place appropriate technical and organisational measures designed to implement the data protection principles, and to integrate safeguards into your processing so that you meet the GDPR's requirements and protect individual rights.

Definitions

Term   Definition
RoPA   Record of Processing Activity
DPIA   Data Protection Impact Assessment
GDPR   General Data Protection Regulation
IAR    Information Asset Register

Further Information and Related Materials

Related information: Global Policy on Privacy
Description: The Privacy Policy sets out how Lendlease uses, collects and safeguards data subjects' personal information. This Privacy Policy applies where any company within Lendlease receives personal data through its websites.

Related information: Europe Procedure Data Breach Reporting
Description: This procedure describes the steps that need to be followed in the event that a data incident takes place. This document is available from both a Controller and a Processor point of view.

Related information: Europe Procedure Data Subject Access Request
Description: This document covers the procedure for addressing data subject access requests received.

Related information: Europe Procedure Data Impact Assessment
Description: Describes the steps that need to be taken when a high-risk processing activity has been identified and a risk assessment has to take place.

Related information: Europe Policy Employee Privacy
Description: European policy that sets out how Lendlease seeks to protect the personal data of its people.

Contact: Europe Data Protection Manager
Details: If you have questions on these guidelines please contact the Europe Data Protection Manager. Contact details can be found under Key Contacts in the Policies section on Pulse.
