GDPR EU Data Protection 2020 with Case Law - Latest | Robert Sullivan | Skillshare

GDPR EU Data Protection 2020 with Case Law - Latest

Robert Sullivan, International Coach, Educator and Entrepreneur

Play Speed
  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x
27 Lessons (2h 20m)
    • 1. HD Version GDPR Sizzler

      0:23
    • 2. Introduction Business Law and GDPR

      5:11
    • 3. L1 Introduction to GDPR

      2:06
    • 4. L2 Explaining GDPR

      4:14
    • 5. L3 GDPR Definition

      8:11
    • 6. L4 6 Principles

      4:10
    • 7. Documentation GDPR

      2:55
    • 8. L5 Fines

      8:03
    • 9. L6 Data Subject Rights

      3:13
    • 10. L7 Data Protection Officer

      3:59
    • 11. L8 Privacy Transparency

      6:24
    • 12. GDPR and Cookies

      2:32
    • 13. L10 Data Held

      5:49
    • 14. L11 Processing Data Lawfully

      4:10
    • 15. L12 Subject Data Access Request

      9:22
    • 16. L13 Rectification Erasure of Data

      9:00
    • 17. L14 Restrict Data Use

      2:30
    • 18. L15 Objection to Processing

      3:38
    • 19. L16 Profiling

      4:12
    • 20. L17 Data Portability

      3:27
    • 21. L18 Transfer outside of EU

      4:28
    • 22. Privacy Shield

      4:15
    • 23. L19 Data Protection Impact Assessments

      8:21
    • 24. L20 Breach Notification

      2:02
    • 25. Fines and minicases

      5:48
    • 26. Case Buivids v Latvian DPD

      10:38
    • 27. Case The Journalism or not question

      10:38

About This Class

This GDPR Certification course  tells you what you need to know about Data Protection in the EU and with EU Citizens.

It is build on our earlier GDPR course that you may have studied but adds much material based on feedback and the evolution of GDPR in practice.

Even if you do not trade with EU countries, you possibly trade with Citizens of the EU through EU Commerce. If so, you MUST know about GDPR.  Failing to do so could quite simply put you out of business due to the massive fines and reputational damage.

GDPR has positive points, it is seen as the Gold Standard for Data Protection by many. If you understand GDPR and use its Principles it is possible you will be at the leading edge of data protection. You will need to know any local country specific data protection rules for countries outside of the EU.

This is a course designed for Managers, IT people and others who handle data in any shape or form.

We update Case Law to give you an idea of GDPR in practice and to help understanding.

This is not legal advice but a best selling training course that will help you speak authoritatively with your legal team.

Most of all, it takes a complex subject and makes it accessible.

With easy, small bite size chunks its easily viewed or listened to when commuting or easy to focus in on a piece of information later.

An ideal reference tool at a later date, designed to be a course you can go back to time and again.

Led by a Business School Professor, this course has been tried , tested and updated with well over 5,000 students in over 120 countries give us amazing satisfaction ratings.

Join us now!

Transcripts

1. HD Version GDPR Sizzler: 2. Introduction Business Law and GDPR: So how does this course help you? The course will help you understand Andi be compliant with the General Data Protection Regulation. It puts you in the top or pole position in your organization to understand the restrictions . Costs benefits on opportunities off GDP are This is a major career break. It is an opportunity for you to look forward to understand something that many of your colleagues will not on to be able to speak to. GDP are added protection on business oils as well as I t on its protection People, whilst others are not able to do this. GDP are is a course, not optional. It is mandatory. It is something you and your organization must do if you're treating in any way with the European Union or citizens off the year, any organization or individual trading with the European Union citizen, no matter where individual or organization is based, most understand GDP are on complying with its requirements. We will talk later in the caution but other ways of achieving this. But in essence, you must understand nor boat aunt implement the requirements off GDP are it is important to have some understanding about this stale on ethos off the scores, the core seems to be informal under Formative. Winnick sure that you asked. Practitioners have an understanding not only of the basics off that protection war within the European Union on her impacts and you're under customers, but also, through Practical case studies will get the ways in which always in managing the nature and tape and sayings of volumes or feigns on the reasoning off the European court system throughout the cause, we give simple examples and scenarios once again to help your understanding off the knowledge give him. We believe that the ability of students to interact with each other is important, and therefore you're able to do so in a number of forum. The course offer CBT certification, and you will be able to call on your certificate as a way of registering that you took part in this amazing course. The courtship is fun. I'm not stuffy as possible. Of course, GDP are indeed protection, perhaps not the most riveting and fun off topics. Nonetheless, we hope it is not stuffy or boring. Indeed, we know. So the state of the course is international. We understand that we have students in over 120 different countries. Andare statue will try and get examples off The international context were never possible. Here, of course, is our legal disclaimer. I would like to read this as I talked through this. Remember is a training course. It does not represent any regard vice, nor does it guarantee to be fairly update heat comprehensive or complete, whilst every possible effort has been meat to ensure that the information contained in the course is accurate at time of going to publication, the publisher on the content author cannot accept responsibility for any errors or omissions. However, caused any opinions expressed in this course off those of the author andare fact simply opinion. External sources identified are for reference only not our endorsement on any use of such are at the reader or listeners on risk. No responsibility for loss of damage occasion to any person acting or refraining from action as an adult off. The material in this course can be accepted by the publisher. All the author. This is an educational course on does not constitute we go advice. We recommend you contact your own legal advisor council where appropriate before moving on to the rest of the course. Why just put one simple sleight here in context, The European Union has always bean at the forefront off the movement to protect the rates off individuals in respect of the Earth. Personal data The General Data Protection Regulation, known as G D P R. Is potentially the most regulars forward thinking step in the move to ensure privacy on the personal data of citizens is appropriately protected. 3. L1 Introduction to GDPR: you know. Hi. My name is Robert Sullivan, and I am a business consultant. Academic, country, cetera that works internationally. I fell off the Royal Society of Arts and the District of Leadership in Management, and I hold two months of degrees on have in excess of 30 publications. It is my pleasure to deliver this very important course about deeds. Protection on the GDP are we Thank you for joining us and look forward to working with you throughout this program. So what is GDP are the General detail Protection Regulation seven. Clear polices data protection legislation across old European Union states. At present, there is a detail irritation directive in police that requires member states to have their order national legislation to meet that director. This leads to different laws in different states. The new regulation gives consistency that requires all your Steve's to forward the regulation it exists to protect. Unfortunately to give control of data to you citizens. This is a fundamental change to deter protection with significant implications for organizations of all shapes and sizes. By the end of the course, you will be able to explain the GDP are who is covered by the regulation The purpose of GTP are explain what you mean by personal data and the data subject only weakly principles off GDP are Describe the responsibilities of individuals and organizations on discuss the subject Deter access request process. 4. L2 Explaining GDPR: in this lecture we will get explaining GDP are the general bitter protection regulation and a little more detail. In April 2016 the European Union ratified the General Data Protection Regulation after four years off, intense to beat across all European Union member states under the relevant politicians. Whilst the regulation was ratified by you member states in 2016 it does not become or until May 2020 18. At that point, the General Data Protection Regulation becomes the data protection regulation or a wall across all you member states. This leads to greater consistency on this helps not only a residents and citizens off the European Union, but also helps was trading with European Union states and individuals. In that only one regulation will apply across all you member states and told you, member citizens remember, the whole purpose off GDP are is for European Union citizens to have more race and protection about the win which the data is held and used. Importantly, GDP are does give better protection, Teoh EU citizens, Even when a data holder is outside of the European Union, what this means in effect is it of an organization or company in say, for example, the USC deals or treats was even an individual person who is a member of the European Union . They are covered by GDP are, in other words, to the European Union citizen. It does not matter, were the personally treat with resides or operates Rome, GDP are takes effect because they are European Union citizens. This will be particularly important in such as Brexit, where even if the UK leaves the European Union event when the trade with the European Union , other organizations, companies or EU member states citizens they will have to abide by the GDP are it is therefore critical that all organizations understand how to operate GDP are effectively, efficiently and within rates of European Union citizens on European Union war as part of GDP are, many organizations will be required to appoint it. It's a protection officer. Even their organizations are not required. The regulation to appoint a deep your idiot, a protection officer. It is likely that the charm we should look at the rules responsibilities off the data protection officer later in this course. But it is important to understand that they have very specific roles and responsibilities on the protected from sanctions as their adult off the GDP are. So why has debts of protection within you suddenly become even more important? Why is it the chief executive officers of major companies and organisations both within the European Union on those who trade with EU are very, very interested in GDP are put simply, it may be because of the huge fines and other sanctions that these organizations could see themselves feast with. You can be fined up to 20 million euros or 4% off your global turnover, whichever is highest for any breaches off the GDP. Are that calm? Within certain criteria, we shall look at these a letter. 5. L3 GDPR Definition: hi. We should not work in. Some of the definitions that are used within the GDP are this is particularly useful for anyone who has no previous expedience off the protection. There's also, of course, handy for people Hard experience of its protection, but wish to ensure the definitions remain seem within the GDP are so some of the useful definitions in respect of GDP are caroms. We will look at in this short nature are in natural person on what is meant by a natural person. Personal data? Or do we mean when we talk about personal detail processing? So what do we mean by processing of data proof failing what is made when we talk about profiling someone off what is made by me? Talk about profiling off decisions Controller. Who is the detail controller? The process, er, who is the processor but perhaps also reflect on the difference between the control over on the processor. They may well be different individuals or indeed organizations. The supervisory authority, the supervisor, the authority, as we shall see any United Kingdom would be the Information Commissioner's office. Firstly, we must remember that we did not have to be experts in every single definition or indeed, oh, aspect of GDP are so it s firstly, we got some definitions. Let's we got a natural person in natural piercing is a living person who can be identified either obviously and directly or perhaps indirectly by reference to some forum off. Identify those identifies may be very obvious, such as a person's name but the media less obvious, such as an identification number, perhaps a policy number, a staff number in terms of human resource management or some other means of identification . It could also be, well, Kishan identification, such as your street name, your postal court or even your I P address that make give away your location. Other identifies do, of course, exist, such as a physical. Identify where a physiological identify or indeed, a genetic identify. This could simply be the way you work the color if you hear the call of your eyes or people complicated such a zero g n e d N e. If it were held in storage at some point. In addition, you have other issues, such as mental, economic, cultural or social identity off that person. So, for example, census data may told some indicators about our economic at that particular time. We were filled in a forum, for example, that tells us what age band aren't for salary band. We are within all of these put together, or perhaps even on their own, could be used to identify a living individual. So what is meant by the terror in personal data? Personal data is, quite simply, any information that really it's to a natural person or D to subject. That's any information about them that can be used to, directly or indirectly identify that person from the data In terms of GDP are when we talk about processing, All we mean is any operation that people form or personal data, whether that is done manually by an individual or grip or whether it is by automated means , such as a computer program, it includes all collection of detail, the use of detail that we have collected, how we record eater and so one. So what do we mean? Meditating profile? Ngp are profile and, quite simply, is any automated processing or personal data that is intended to evaluate, analyse or predict data subject behavior. If you look very quickly at what this kid me. It means any details we have would be used to think about or analyze in order to perhaps predict a data subjects behavior no or in the future would be seen as profiling. This may be, for example, looking at the person's age, their occupation, previous automobile accidents, etcetera, on using this support for the risk of them having a future accident. This may then be used until it cut the premiums. They would be charged the other decisions shots as credit decisions that may be made only meant off credit. A person has the merit of income. They have coming in on disposable income and, of course, the credit history in terms of how reliable they have been in the past. In terms of paying for credit cards, loans, etcetera, this could obi profiling. In other words, it is automated processing off personal detail that is used to analyze that and perhaps use to protect the data subject behavior with no and in the future. So what do you mean, better Terram Data control. The data controller is the entity. Sometimes an individual who determines the purpose conditions on the means are processing personal data. Well, look, it is very quickly. If you think about the entity or individual who determines the purpose. In other words, why recollecting, storing or perhaps even sharing the data? What conditions hope will we store? Or how we collect the data on what ways in which we shall process the detail at all the responsibility and the decisions? That's happy meat by the detail controller. We will see in a moment how that differs from the detail processor. The process is simply the entity or person that process data on behalf of the detail controller. Normal of this will be someone within the same organization, but it keep your hearts be someone in, for example, a contracted organization. In other words, the data controller decides what information is collected, how it has collected her to stores, and we're import purpose. It will be picked to. They would also be responsible for considering and authorizing if information was to be shared with some other individual or indeed organization. The process of therefore simply processes the data. In effect, they do with the untold one of the terms within the GDP. Are is that off supervisory authority, any native kingdom, the supervisory authority is Information Commissioners office, otherwise known as the I C e O. But this will very in other you member states. The purpose of the supervisory authority is, as it says to supervise the GDP are it is to the supervisory authority that eventually complains about it. Breaches of the GPR may well find themselves. It is a supervisory authority. It will be the year zone between the outside world. On the organization, it is likely that the supervisory authority will talk to the detail protection Officer the DPL within your organization. It is also the supervisory authority who will recommend a meek recommendations as to the level of fines and sanctions that may be policed in your organization. 6. L4 6 Principles: remember that the GDP are has stapes key principles. If we stick to these principles, Andi indeed can evidence that we have done so. This will put us in a good place. If he ever have to justify anything we do with the Guard treaty to protection in you or with you citizens, you shall not look at those six principles. Remember, the six principles exist across Oh, you member states. So what slipped peacefully at each of the six principles of GDP are principle one states that old data collected must be for specific and explicit purposes. In other words, we can no longer collect data on people for the sake of collecting data in the vain hope that at some point in the future it may be useful. We have to call it the data for a specific purpose or purposes, and it must be explosive. In other words, we must tell them what the data will be used for. Secondly, the data must be accurate and contained. You must have processes in place that ensure that first lady to be collected or indeed we have got from other sources is accurate on that team. It must mean teen is I could see principle three and four off. The Six principles of GDP are principle three states. The data is retained Onley for home. It is need. It will not be acceptable for people to hold on to detail for months or years beyond that for the purpose it was originally intended. The four principles states that detail must be processed lawfully, transparently, unfairly. And most people should know what we're using Their view to four. Remember the GDP Air has a great trip off evidence. In other words, you really should keep records of why you're doing something. For example, while you're asking particular questions relating to Rita what you're holding the dita for , how you're holding the data and if you're shooting it, why you're sharing it on the security ever in this process Took it did two principal five. The data must be processed securely on. You must be able to prove we find that it is processed security. This may, for example, be notes off the systems used perhaps any certification, you have to prove that your data is held securely. Information of it passports. And so one principle six states that the data held must be adequate. In other words, we spoke before about not holding too much detail. But you must hold enough data for that data to be adequate for the reason it isn't ended. The data must be relevant and not simply collecting every piece of useless information about the person, just in case it with a previous full on. To emphasize that point, the data must be limited to what data is actually needed. Remember, the six pencils off GDP are are really important. Your organization is accountable for doing to GDP are on. The sex. Principles are key to doing that. Six principles. Also, all of us to think through what we're doing. Andi. So long as we can emphasize the importance of best and the fact we have had geared to the six principles, it'll standards and gets dead. You should remember that you can consult with your detail protection also deep. You'll to make sure that the work that you're doing had two years to six Principles on GDP are 7. Documentation GDPR: Judy pr on documentation. As is often the case in business, the way in which we document things is very important for various reasons. One of them is that it provides an order trail for what we did and why we did it. This in itself is often useful in defending actions retrospectively. If people understand what we did under, we did it in good faith. This is often much more off a defensible position than a things have not been documented. You should proactively document what you do to comply with GDP. Are. As I said, this provides evidence that you sought to comply. You were a were off the need to comply. And hopefully that you took reasonable actions to do so. If then you do suffer at it a breach. You're able to show that you deployed to get practice. At least you're trying. You took reasonable action on you have an order to showing what you did. Where's that is unlikely. This this will get you away free of charge. It is likely that any court in anyone will take into consideration what you're tempted to do on if it did it in good faith. Hopefully therefore, being proactive and following the GDP. Our requirements, Woodridge is any penalties that may be likely to come here or your organizations? We So who cares about documentation for the orders for any documentation will usually be under control. The controller often sees the consequences regardless of who is it. Vote records of consent from data subjects or their holder off parental responsibility will be an important aspect of holding documentation. The phone documentation is important. Details off the information. You collect the process for collecting at on the purpose for processing. As I said, directors of consent off data subjects are critical but suitor or records or processing activities under your responsibility. In other words, she shit document processes for the protection of personal data. Also, for example, what is your information security policy? Your cryptography policy on all other relevant procedures in this really demonstrates your heart procedures in place. Hopeful. You're aware of the requirements of GDP. Our and you took me seriously by having policies on procedures in place. It is important, of course, to document those 8. L5 Fines: fines and other sanctions across the European Union will not be far more significant than before, precipitate to data protection breaches. Theater protection is now high on the agenda. Off CEO is both within the European Union andan organizations who trade with the EU or with EU citizens. It is important that we do not even think about gambling with the use of data within European Union states or with European Union citizens as we saw before. The fines are very large indeed, as the GDP are is a new regulation on wall across the European Union. We cannot be certain how sanctions will imply to spit in please on the extent off those sanctions. But perhaps we could look at some of the reasons that may determine the extent of sanctions that could be putting please a guest organizations phone to be in breach of the g d. P. R. Perhaps the nature off the infringement itself and the impact it would have on the individual or individuals concerned would be taken indicate it is likely that preventive measures to stop things going wrong with the protection before and indeed after any detail incident would have omitted getting effect on any feigns or sanctions implied. Perhaps the intention in terms of that, the organization intend to beach the GDP are or is it more by accident would be taken into consideration when deciding on fines or other sanctions. Importantly, the extent to which the organization notified its supervisory body, such as the ice you quickly when they became aware off any the interpretation breaches would be very important in a decision to the extent of which sanctions would be appointed to that organization and suppose linked to notifying the supervisory body will be the extent of cooperation given to that supervisory body orderly to other stakeholders, including customers, would be important in determining sanctions. It could also be the keys at the history of the organization in terms of any breaches of data protection legislation or the GDP are could be taken into consideration in applying this or future sanctions against the G. D. P. R. As I said. However, at this stage, when the war is new, it is likely that people get a better idea off the extent of the sanctions apply to organizations as case or develops. You do not have to be experience in the extent of fame on the Michael hit off sanctions that could be applied to your under organization. If you have to breach the GDP are, it should be enough to look at the possible enormity of flames and the impact such a huge famous half on an organization. No torment is a payment off the fighting itself off a huge impact. But so also with their publicity around such a fame on the possible loss of trust and goodwill from customers that could also impact adversely on organization. As we said before, you don't have to be experiencing every part of the GDP are where you have to be. You can speak to the data protection officer or indeed to your organization's legal team if that is appropriate for you to do so. In this, we will get the very latest legal information, perhaps based on legal kiss wall as it develops GTP our beds and post me 2018. Of course, there are different levels of fines for different aspects of the wall or GDP are being broken. We can see in these lies. There is a higher on war level for different aspects off a bridge. However, as we have said already it is likely that we should look to case or as it evolves to look at what has been punished on the extent of any sanctions applied for such particular breaches. So why should be bother complying with digital P R. The most obvious reason, of course, is the large fines that we have already spoken about. These will be very significant to most companies on. Of course, we're very depending on the global turnover off a company. In addition to the impact of watch feigns. There were, of course, illegal costs associative but perhaps defending actions against the organization from the information commission, officers office or other regulatory body in other you member states as well as this, there will be the cost of putting things right. That may well be the course of changing processes and procedures so that the breach itself cannot happen again or it could be remedying this situation. Remember, too, that in GDP are unlike some of the previous data protection laws within the European Union , an individual or group of individuals could potentially sue or take civil action against the organization that reaches GDP are perhaps more important in the long term running off any organization is the fact that a data breach is likely to be well publicized in GDP are there are many instances when you must tell customers about britches off data protection. It is very possible that this will lead to a loss off. Customer trust in the organization here will freely give information to an organization that has lost that shared it or otherwise preached GDP are in previous historic times. So the loss of customer trust on the Wasatch customer goodwill is like what you have a huge impact on going with the organization put together with the course of large planes illegal course of defending action, the costs of remedial action. All of this work together give you very good reasons why you should comply with the G d. P. R. So to recount the fines for GTP are preaches can be very significant. They can be up to 20 million euros, or 4% of the world weight annual revenue, at the prayer financial year. Whichever of those two is the highest in themselves. The fines could damage severely. Any organization that falls faux off GDP are We've also in the short stature will other implications off the feigns on the beach gpr implications, such as the loss of trust thinking well of your customers could be more significant in the long one than even these very substantial fines. As we also said. However, as this legislation is relative, when you we do need to wait until Kisco was established on, we have some idea off what level or sanctions are imposed for punishments pitting please for different aspects of breaches of GDP are industry will be in a better position. Took a GDP are on the sanctions actually applied. Nonetheless, it is a very significant change in terms of the sanctions on the severity of the sanctions that can be implied. It is therefore important that many inner organization, including everyone who is working with data, understands a little bit about GDP, are on defines and sanctions that can be important implied if indeed GDP are is breached in any way 9. L6 Data Subject Rights: data subjects rights. Welcome to this lecture on individual rights in relation to data protection under the GDP are in this actually simply airplane. What those eight rates effectively are. These will be covered in significant detail later in the course. And, of course, if you do to quell further information, pleased to get back to us. The rates for sales are number one. The rate to portability portability essentially means that the data is euros. Effectively you on the detail on the one organization holds that information. You should be able to require them to take that data across another organization that you have given them permission to directly transfer the data to. In effect, this stops year as the guitar winner effectively have to have to repeat yourself and to have to go through time consuming Perot cities. Organizations do have obligations to meet such information, available electronically to ease API in between one organization and another. But of course, there are repetitions to that. The second rate is the rate to rectification, and it was directed by any data that maybe you were sleeping or maybe wrong that is being held by any organization about yourself. The third rate is that of Eurasia direct to raise or the right to be forgotten acid. To some things normal Number four is the rate total kept profiling and fairness. And I was organized issues use data held to actually profile you at plum things to make decisions about the course off, for example, insurance or to profile organizations or profile demographic grips about the ways in which governments turn. There are over services in particular areas. For example. Right Number five is that of access where we work it. Data subject access requests where we can actually ask organizations Teoh require them to. They vote what information they're holding honors. Six rate is that to restrict processing. That is, even if organizations hold detail, we cannot seem to district the ways or entirely ship the ways in which they are processing data about us. Very similar is to object to the processing off data at all about ourselves. On Number eight is the privacy aspect, of course, which is really very directly to the notion off detail, security and, of course, to sharing details with others. I just said this really is just a very short lecture at lighting what the rates are as the rate will be covered much more detail through the remaining parts off the scores. 10. L7 Data Protection Officer: In this lecture, you'll cut the rule of the detail Protection Officer. You look at what organizations are must appoint 80 pure and others, which may have options as to whether or not to point debut were there moved with skill sets and attributes required off a DPL. Essentially, if you do not wish to have a deep you'll you have to justify that to the authorities under the regulator if asked, so it doesn't require to have e d. P o. Deep use are required where processing is carried out by a public authority such as the central government or local authority. Father and the court activities off your business need regular and systematic monitoring off data subjects on the archer skill you required to have a deep eel in place. Likewise, if you call activities involve one skill processing off special categories of personal data , such as data relating to criminal convictions on defenses, you are also required to have a data protection officer in place. So, under what circumstances do you not have to appoint it? Eat a protection officer. You don't have to put a deep you if you mean activities really involved. Monitoring day to subjects, but that's infringement and was due to subject's rates. Also, you do not have to appoint a deep you if you don't produce a special category personal information that information, such as relating to criminal records so you don't have to pointed appeal. If you're only processing this special category personal detail off a small grip off the subjects, remember, it is important that you get this rate. So please do check with your legal advisers. If you're thinking of not having or a point in 80 peel and the phone section, you will look at the rule of the theater protection officer, the data protection officer gives and face and gains he or she will help you to controls indeed, processors with within the law, the death of Protection Officer as the data protection expert up within the organization as well, speaking to the difficult Drew and processor and giving them advice about the law. He also interact with customers and other stakeholders, as well as giving at facing Gaitan's The Deep You is also the contact point for the supervisory body. In the case of the United Kingdom, that would be the Information Commissioner's office, the GPO will also monitor your compliance with the GPR and give advice to senior management A good deep. You will come by knowledge of both national and European data protection laws with good knowledge off due to security, excellent communication skills and an ability to help engender a data protection culture across the organization. To summarize the deep you is a very critical rule in any organization. The deep your gives both advice. Ungh agents, helps the data control and process or hope within the law and communicates both with information commissioners office on customers. 11. L8 Privacy Transparency: welcome to this lesson on privacy and transparency within the GDP are some of the content off. This lesson will be covered in more detail later in the course. What is important is part of GDP are on just good business. Practice is that we are transparent, accessible and fear and holding and using personal data. Importantly, we should take account of the customers reluctance to read through, such as privacy nor disease on terms and conditions. Indeed, if you think of yourself how many of us simply scroll to the bottom of terms and conditions and click the box, Do we always read those terms and conditions? I think not. Perhaps what we should be doing under GDP are is working at each and every piece off information. We are going to hold on the individual concerned, tell them the reason we're holding it on the purpose were using it for and look for their specific and explicit consent on using that piece of information in the way or ways that we have told them. Bureau desseaux. In other words, we should try to make it clear and easy for them to understand and not be a large, complex forum that they have to complete. There is some information that you must tell the deter subject. We must tell the data subject. Heard it did to control or within our organization as on how to contact them. We must also tell them who the organization's data protection officer is on again, ideally, to contact them. Importantly, we must help the person. That is it. It's a subject what use people make off their personal data. In addition, we must also tell the data subject the legal basis we have for processing this data. In other words, why we're doing it on that It complies with all we have to explain the legitimate interests off the detail controller on If we subcontract, for example, to any other people, any third parties were appropriate. And finally, what categories of theater are held used on who we share this data with, or who can view and use this data within our own organization? You must remember to tell the data subject if we hold or transfer their data in another country, and what safe council in place in that country to secure the use off their data and indeed , the storage off the data in itself. It is not always easy to establish what regimes are, what countries the European Union are accepting as being safe harbors, if you like, for that information. Indeed, even the United States, which has a safe harbor agreement with other countries, which effectively says that they will replicate most of the Western democracies, safety and security regimes is sometimes invent. It is therefore, very important that you contact or which at the information or and for Mission Commissioners website and, of course, speak to your deep you. If you're looking at transferring or storing data outside of a European Union country, we must also consider the went off the air attention all the criteria used to determine retention period. What we simply mean by not is that should we hold the data for six months, one year, two years or indefinitely as maybe the keys, particularly at present? That, of course, is not good. Practice on did not believe under GDP. Are we really only to hold Peter Forest long as we require that information for analysis? Processing exception? Holding data for longer also gives us additional costs as we have to maintain the detail and should. It is accurate and relevant over time. So whether that be for a number of months or number of years, or whether there are certain criteria. For example, when you complete the field training course or when you graduate, we must tell the data subject about retention periods for their personal data. As I was telling the other subjects that they can withdraw consent on ensuring it can be easily done, they should also be told how to complain to us within the organization. If they're unhappy with the way we have collected store used or shit their data, we must have ever also tell them that they can complain to the supervisory authority on give them details of ho to do so, as well as making it easy for data subjects to be able to withdraw consent or in did not give consent for use of data. Ato. We also must remember to tell them about any legal or contractual obligations to provide data. So some contracts, for example, may mean that you have to tell the person you're in contract with if you have, for example, a car accident or perhaps if you have a illness that the cars getting a medical insurance policy cover. Remember, there also could be potential consequences of not providing data If, for example, someone wants an Amazon delivery off goods to their home. If they do not consent to giving Amazon the post or drains, it would be impossible for Amazon to surely make the contract as it did not know where to deliver the gets to. This is a very simple example, but there will be other instances where, by not giving permission to use data, the person maybe not be able to access services. It is important that we do show the desire, subject any obligations they have on the possible consequences if they do not provide the detail required. 12. GDPR and Cookies: the whole issue off cookies on the way in which they are like Teoh be used has been quite controversial on. Of course, many people are worried about the possibilities off tracking back Yuki's whilst also see the benefits off. This ongoing you to have directed information. Two videos debases cookies, however, in the European Union were actually part off legislation or directive. The directive on privacy on electronic communications, otherwise known as E Privacy directive off 2011 is off particular north. Where's there was this directive? Some super visiting authorities have relaxed the initial enforcing of those requirements, moving away from enforcement towards advising on contacting. Those have ignored a directive. They're still, however, many who believe that this directive in itself was an effective part of some bureaucratic and got in the way off e commerce. In Gbps terms, the cookie may be interpreted as annoying, identifying due largely to the nature off the detail it quakes. This would mean that it falls under personal data on, therefore, the subject must consent to cookies. This is noted in recital 30 cookin ratifications therefore need to follow the rules for consent just as any other way of gathering information must be explicitly consented to. So supervisory authorities therefor shit, take action when non compliance our own notification off consent takes place in relation to the use of cookies. However, there is an exemption that doesn't really e commerce businesses friends since Teoh Bye kitties to certain situations organisations, for example, me trying someone's purchase before the ICT to actually buy that service. Our product for the processing off that data is a necessary step in the lead up to the contract that the data subject will be entering on consent is seen. At that point. Read that again. At no date we will come across that before it in relation to cookies under notion off consent. 13. L10 Data Held: in this lecture, we look at what details you hold. It is really important. Is part of the G d. P r. That we understand firstly, what detail we hold. Secondly, we have to look at the uses we put that deter to on if you have permission to use data in that week. We also need to look at how data is stored on charity shared with other people, if appropriate. What is really important under GDP are is that you document everything you do. In the case of documenting where the data came from, we have to firstly recognize what data we hold. This in itself may be a meter exercise if you can think of different organizations who may have essential iced function that told information. But perhaps individual staff members, the whole different information, perhaps on excel, spreadsheets and personal PCs, perhaps. And more documents on personal PCs. And so one. So the first step is your toe. Understand? And recognize. What did Toby hold? Remember, we have to justify why we hold that data we have to think about. Do we need to hold all bits of that data? If, for example, you hold someone state of paths. Why do we hold that particular data? That is why do we hold the person's data path? We have to justify why we hold Didato. Also, it is important that we understand were recorded data from on. We should document that too. In other words, that we buy the data from some data social. Did you get the data from a web forum that someone had completed on our website? Did we get the data from warranty or guarantee towns? And very importantly, having got that detail, Can we justify one? Why we have it on to that? You have the explicit permission off that detail subject to hold and use that data very explicitly for very specific reasons. Remember, it is no longer enough just to gather as much data as we want. Just in case we need it. We have to hold data that is accurate and relevant and limited to what we absolutely need to carry out our transaction. Importantly, remember that a data subject must have given you explicit permission to hold and use that data on to do so for a very specific purpose. Critically, we must document everything that we do for GDP are it is really important that should some case, the regulatory body or the supervisory authority wish to talk to us about data protection, they measure to challenge a complaint from someone who suggests were using their data inappropriately. It is much more likely that we can be successful in defending our actions. If we have written down and documented what did or we hold why we hold it on. Demonstrate. We have specific and explicit authority to use the detail in this week. Remember, too, that we must document where the detail came from. In the first place did we collected from a Web forum from a guarantee form. Did you buy it from 1/3 party, etcetera? Hello, your deep. You will not know all of the information held an organization. They should provide the standard temporary to record information. This will make it easy to ensure that all information is kept in a concise way on that people from across the organization will be able to look at each other's data. It will also make it easier for the deep eel to respond to any queries about data help, just to reiterate that it is important. We call the detail what you use for until it exits the organization. This is important because we may have to tell third parties on all the regulators about what we do with data. Although having to document what we do with data does seem rather tiresome and a bit of a burden that will help us prove that we comply with the six principles off GDP are on GDP are itself. This could save the organization a significant amount of time on monetary fines at a later date. If we're acting properly under can justify our decisions, we are brought together a simple checklist to help you. The following points may be useful. One. Where did they get this information from? In the first place. To what do I use the data for? Three. I need all of the data order needed at all. Four. Do I have explicit permission from the data subject to hold on to use the data in the way that I am using it? 0.5. Do I hold it? It's a secure sex capacity toe onto other people. Seven. Do I have a lawful right to pass that information on to others? eight dry the court, all of the above. And can I justify my actions in relation to this data? Nine. Do I meet the sex principles off GDP are on? Can I justify and evidence this? 14. L11 Processing Data Lawfully: thing. In this lesson, you'll get processing data lawfully. Essentially processing deter under the GDP Are is all about having the permission of the data subject. The person who owns the detail or who's the data is about unity a permission quite explicitly, and you need specific permission to use the data for a particular reason or purpose. That is essentially the key issue are in data processing. Hopefully within GDP are I should win before in previous lessons. It is no longer possible or correct to collect deter just for the sake of it, in the hope that it may prove useful in the future, we need explicit permission to use detail for a very specific purpose. We will now move on to a little bit more about waffle detail processing as well as requiring the data subject to have given you consent for the data be used for a specific purpose or purposes. You should not undertake any processing of data when you need not do so. Intervals. Emphasis is very much on Onley collecting the details require on then only processing it in the weeds that you required to do so at old times. You should have the permission off the data subject to do so. As we see later in this lesson, there are some places, such as the public interest, where this may not always apply. This may be around areas such as collision of statistics for the public sector to use em planning and development or services, or for such as in national census. That may, of course, be idiots. We are obliged. Do not only collect, but Prue says data. For legal reasons, there's been, such as you are employing someone you may Mr check on their qualifications, their previous work experience, work references or even criminal records. Of course, in these instances you should be talking to your human resource department or to your legal representatives and, of course, the DPL. And doing this you're protecting yourself that you're using detail in an appropriate way on were necessary, gaining the permission off the data subject to diesel. In addition, there are other areas where permission is not always explicitly required. He's maybe, for example, quiting hostal detail or census data, which may be used for public service planning that's made in court. For example, the age of people in your household, the demographics in general or indeed, the annual incomes. This can help local authorities and other public sector bodies plan for such a skills. The number of skilled teachers required in the future and indeed other public services once again to recount consent must be given for each specific purpose that the data will be used . Once again, we cannot simply collect data and use it order on for various purpose ease. We must have specific permission for that purpose. Data subjects must also be able to draw consent for the use of data. And that should just be Azizi to withdraw consent as it was to give it in the first place. So, for example, if we could give consent by simply taking one box on a Web forum, we should not require them to rate a 40 page letter demanding that we should not use their data leg ways. It should be a simple tech box. It must be just Azizi, but to throw consent for the use of data, as it was to give it initially. Remember also that we have to document everything if we do not have written evidence off our thought processes on why we use data including permissions, etcetera. It simply did not happen in the eyes of the regulator 15. L12 Subject Data Access Request: welcome to this lesson on subject detail. Access requests, as you maybe aware under GDP, are some things have changed about subject data access requests and this lesson Milica teas . So under GDP are what are the rates of access that any individual data subject may have under the GDP. Are individuals of the rate trip teen one confirmation that the data is being processed to access to that personal detail On other supplementary information, supplementary information really corresponds with information that would be provided in your privacy notice. This will probably tell them what the information is used for. Aunt Holy Camera. Throw the rate of consent to the use off that information. It may also tell you where the information is held, how it is used in processed. So do subject theater access requests attract if he you may be able to charge a reasonable fee where you comm prove that request is manifestly unfounded or excessive, particularly if it is repetitive in animals. If the person is just asking for excessive information, to picture, to bother or to cause you expense. But if you decide to do this, I suggest you speak to your GP or as well as to your legal team. Normally you must provide off the information held on that person completely free of charge . This is different from other legislation or prior legislation to GDP are any in 80 kingdom . For example, prior to GDP are charges of up to 10 poems could be made for a copy of subject detail access requests. You may, however, also charge a reasonable fee for copies off the same information. In other words, if you have pervaded information before on, the Passion has mislead that information or requires another copy and asked you to do this , you, me charge a reasonable fee for the copy off that same information again, I would recommend you speak to the deep your prior to doing this even if you decide that you wish to charge for a subject detail access request, perhaps because the person has meat that request before i e. It is repetitive. This does not mean that any other subject detail access requests come in for that person you automatically are able to charge. Simply put, you are not. So how long do we have to respond to a subject data access request? The information must be pervaded without really Andi within one month. Off receipt. This does not mean you eat till D 29 or D 30 but that is a deadline. The information must be provided with throat dealing. You will, however, be able to extend the period by father. Two months were complex or numerous requirements are meat of year. If there's as the keys, however, you will have to tell the person requesting the subject detail access request in other words, the subject within one month, off the receipt off their request. No told me that you have to tell them that the time is being extended, but you have to explain why the extension is necessary, like everything else to do with GDP are it would be good practice to write down why you came to the decision that an extension was requested. I have no doubt that as GDP are develops, we will see case so established around people using the extension in ways that the data subject few were not necessary. So try your best were possible to not extend, impeded when you take to reply to any request, and if you do talk to your GP or on the show your quarter reasons under rational Well, in case you need that information to justify your actions in the future. If, however, you do believe that the subject access requests is manifestly unfounded or simply excessive , you can do two things. One you could charge a reasonable fee taking into account any administration course are pervading the information. Perhaps he he came to the time that will be taken, and then the costs of such as paper and so forth as an alternative to that give me simply refused to respond to a subject access requests. But I would certainly check with May Deep your first, where you actually refused to respond to a request. You will have to explain to that individual and tell them off the rate to complete a Boettcher refusal to the supervisory authority armed to a judicial remedy without undue Dulay and ability ist within one month off they're making that request. Obviously, the person can no take individual civil action against any organization who decides not to give information or inappropriately uses information as part of the GDP are. In addition, they will be able to respond to the supervisory authority as I have already said any or all of these actions are very go to involve significant cost implications to your organization . Therefore, I would not charge the reasonable fee or refuse to give someone any information who requested it to do with your subject detail access request. Unless I have previously spoken to the d. P O on possibly euro your team when pervading a response to a subject Lito Access request one of the first things we should do before pervading any information as to check on the identity of the person making the request Office Ophelia to do so could in itself with Tuas breaching GDP are perhaps by giving information to someone he is not entitled to it. So therefore, we have to identifying the person using reasonable means. Reasonable means could be such as asking for some identity card, a passport or driving licence, perhaps that has a photo attached. This will help us identifying that the passion is who the see the arm. In addition, we could ask for, such as a utility bill such as gas and right cheek or telephone within the last few months , that goes to the address that we have been told the person resides at. In taking these steps, we are showing that perhaps you have taken reasonable means to sure that the person asking for the information is that the subject and therefore isn't able to receive the information . If the person does make the request Elektronik Lee, it would be the norm that we should pervade the response. Elektronik lee on any common used Elektronik format. Simply, we mean that by responding and, for example, worked or PDF or some other well known format. It makes it easy for the person to read our responses, not to do so and to use some obscure package or fail structure could be seen as obstructive to that person on against the spirit of GDP are, and certainly not in meeting their six principles of G. D. P. R. Remember that increasingly, it is likely that organizations will be able to provide remote accents to a secure self service system. By this, I mean, someone may be able to have Iraqi in that they can go to the Internet and we get all information held by you on them. A number of employers do this already. Perhaps people can log on to secure each our system and see all of the each are details held on name staff, appraisals, salaries, income tax forums and so forth. It is likely that doesn't move forward. Customer information will be held in this way. Every provide remote access to a secure self service system for individuals to have direct access to that information, this kid be viewed as good practice as long. Of course it is secure. Remember the rate to obtain a copy of information and to access personal details. Three. Remotely access system should not adversely affect the rates and freedom of others. So, Wales, in a system that could perhaps be manual, we can take action to redact information that is not appropriate to that data subject that may not be quite so easily done in an electronics system. Therefore, we have to take care in giving access to remote systems 16. L13 Rectification Erasure of Data: in this lesson, you look at rectification on the region off data. The GDP are gives the two subjects the rate directed by data that is being held that is incorrect. It also gives them the rate Juries data when they do not wish it to be held. Although there are some one petitions to this most often original data will take place where the data should no longer be held because it is no longer necessary. It may seem fairly obvious, but if data held is inaccurate or incomplete, individuals are in Taito to have that director fight, as was subject data access requests. Anyone asking for a request or making a request for very rectification has to be responded to you within one month. Likewise, this can be extended by two months. Were that request for rectification is complex, as with subject detail access requests. If you do extend the period and if you're responding to that request, you must tell the individual within one month that you are extending the period and explain to them why. It is also important that you all can trick ORT that you have extended, repeated and why you should explain the rationale on give cancer the region as to how you could have cared to within one month. This is important an event off a complete being made by the individual again as a subject data access request. If you said to side you're not going to take action to someone's request for rectification , you have to explain why you will not rectify that data or take action. You have to tell them off the rate of complete to disapprove. Isar the authority on off the rate to Egypt. The short remedy. It is therefore important you have checked with your DP Oh, on perhaps taken legal advice before doing this as well as a rate of rectification. Did two subjects also half the rate to Eurasia. That means they have the right to have the information removed from wherever it is held. The right to rager is also known as a right to be forgotten. This shape is to enable an individual to request the delish in or removal off personal data where there is no reason for its continued processing. So what? Me it it a subject asked to be raised one example where data could be raised, Israel that deter is no longer necessary for the purpose for what it was originally collected or processed. There are many obvious examples off this, but one, maybe the holding off a person's bank account details. In order to pill money bomb direct debit for a sports club membership the person has resigned from the sports club on. The cop has no longer any need to take money from that account. Why, then, should it hold the personal data off that person's bank account details? In this case, this would seem it's junkies for a rager off. That data data may also be re raised when an individual withdraws consent for it to be hailed or used, you may need to consider any needed to retain, for example, for legal reasons. Or if, by taking that detail away, the person will no longer be able to receive a service. This would require to be explained to them. Data should also be raised when individual objects to processing on. There is no overriding legitimate interest to continuing the processing off that data. The personal data should be a raised when that personal detail was unlawfully processed in the first place. In other words it was originally in breach of the GDP are the personal data held must also be a raised if that is required in order to comply with illegal obligation, personal details may be removed if it is processed in relation to the offer off information services to each child. This simply means that the child may have signed up to some Web beast service, for example, on that may be removed at that time or art a little date on the wrist. It is possible un correct, to refuse the request for a region of data. In certain circumstances, we shall have a look at these circumstances. You need not comply with a request for a region if that personal data is processed for the following reasons, you may not need Treasuries data to exercise a right of freedom of expression and information to comply with illegal obligation or for the performance of a public interest, ask or exercise off official authority. You also may not require Cherries data if that data is held or being used for public health purpose ease in the public interest. In addition, if the data is held for archiving purposes in the public, interest, scientific research, historical research or statistical properties. You mean not to be required to freeze the data. Remember, however, that you have to explain this to the customer on Be able to justify your Russian Now, on reasons for refusal. It may also be possible that you should not agree to a region or be able to erase Deter if this data would help in exercise or defense off legal claims. If you hold deter in relation to Children, this may be a particular important aspect to you with Children's detail. You should pay particular attention to where a child has given consent on theory to request the region off that data regardless of the age at the time off the request. This may be particular. The keys and social working networking sites on Internet for on a child may not have been philia were off off the risks in the processing and use off that data when they initially consented to your holding on using the data. It is expected that organizations will be empathetic and working at these types of cases. Shoot you raise personal detail. It is obviously very important that you have to tell for parties about the region off that detail in order that the two can consider a region. You have to do this unless it is either impossible or involves eat disproportionate effort to do so. If you have to say did not to tell third parties about a region or personal data, it is critical that you record why you decided to do this on door out when what steps should did it take to do this but were unsuccessful on to consider? What else should we have been able to there? It is very important that those working on wine in on a marine environment who have made personal data public shouldn't for mothers who process that personal data series links to copies or replication off the personal detail in question. In other words, if you have been told on degree Terry's data, you must take all reasonable efforts to ensure that that detail is a raised from all sources, particularly where you have made that public or have shared that data. In this lesson, we have worked at various issues around rectification off incorrect data and indeed about raising data. Remember, GDP are is all but documenting a rational under decisions. The key question to ask always is, Did we conform to the GDP? Are and it's six principles and can be proved? This not only can be proved this now, but how we recorded or rational are thinking what actions we took and how we came to her decisions around GDP are This will very likely be important at some future date. 17. L14 Restrict Data Use: no GDP are gives data subjects the right to restrict their data use in certain circumstances. It is this that people cut in this lesson. When processing is restricted, you're still permitted to store personal data, but not to father process it. You can also retain enough information, a boat and individual to ensure that their restriction is respected in the future. In other words, she would have to identify that individual in some way alongside their data being restricted. You may, of course, also restricted the use off data. Where's your waiting to consider where an individual has objected to processing? If that data was necessary for the performance off a public interest, ask or the purpose of legitimate interests, you may take some time to consider if your organization's legitimate groans overrate those off the individual. In this case, it may well be the correct step to restrict the use of that data until a decision is made. It may be the case that your district, the use of data when processing is awful on the individual opposes a razor, but requests restriction instead where you do not need the data, but on individual needs it to establish exercise or defender, you claim you mean to say to keep that information or data on district issues instead, at least an interim. Remember as before. If you have to schools to 1/3 party or share data, tell them about the restriction on processing of this personal detail, unless it is impossible or it involves a disproportionate effort for you to do so. If this is a case, you should record why it is impossible or why you believe it involves a disproportionate effort to do so. This is important in case the individual makes a complaint in the future. You should also remember that if you're left a restriction on any processing, you must inform the individual concerned. 18. L15 Objection to Processing: we should now look at the rate to object to both the storage and use off detail. Remember, GDP are is really about a spirit of openness and transparency. You must inform individuals off their right to object. You holding on using the information on data at the very first point of communication. Andi in your privacy in orders This must be explicitly brought to the attention of the data subject on should be presented clearly on separately from any other information. The emphasis here is that the right to object should not be had in amongst the subtext or a spore print or difficult to see. He was bringing to the attention of the data subject that they have the right to object to the holding Angus off their data. Did the subjects do have the right to object to processing, even with it is based on a legitimate interests or in a performance off a task, and the probably interest exercise off official authority, including profiling. This, of course, does not necessarily mean that their objection will be upheld. None noise individuals do have the rate to object. Theater subjects have the right to object to direct marketing including profiling, and did one of the key reasons off Objecting to holding and using data is likely to be spam many of us already feel in and et by email. We foot shorts exception from people we have had no previous contact with, nor that we would wish to have contact with this. Therefore, alos the passion to object to direct marketing organizations, sending them information in various forms. The right to object to direct marketing. Olson could a right to object to profiling. Remember, profiling simply were organizations hold, analyze and evaluate data with a view to guessing the decision making that you would like to take in the future? It could be, for example, profiling your ability to repay a loan, perhaps profiling the way in which our light or to forward at the general are other political election. So therefore, you have the right to object to direct marketing. I'm profiling on their G d. P R. Data subjects also have the right to object to processing for purposes off scientific historical research on statistics. If someone objects who using their data, you should stop unless 0.1 or two applies one, unless you can demonstrate a comparing legitimate groaned for the processing or berating the interest rates on freedoms off the individual. You should stop processing when individual objects to. Unless you can demonstrate that the processing is for the establishment, exercise or defense off legal claims, you should stop processing data at the point the individual objects. 19. L16 Profiling: welcome to this lecture on profiling. Pore over the best way to think about profiling. He shouldn't give her. Most of us have profiles in such a social media. If you can think about Facebook, could example. Many people have Facebook profiles. This includes stuff like age, gender, where you left your income scale. What's interesting. Half how many of the family have who your friends are, what their interests, each gender were to the live. Another was your given name. Watts of information and the judge and cold it your profile. So profiling is often about bringing bets of detail from different sources together. To really understand what makes you up this issues by people like Fee Speak to give, to advertise ALS, who can and try to sell you products and services that are directly applicable to you. But others use profiling to political organizations. Will use profiling to see if he can big measures off the every parent spent on marketing their service. The propaganda, their manifesto, if you like other, such as insurance companies, years profiles to of calculate risk and in doing so, to calculate premiums in the short lecture really get profiling on the were rich data issues. More importantly, in terms of data protection, we look at the rate sheer half in terms of how your data is used in profiling decisions. Individual rates The individuals rate is not to be subject to a decision when it is based on automatic processing. On board with it produces illegal or similarly significant effect on individual. I think that this is actually feeling subjective, and perhaps you will need to eat case law GPR develops on the wars actually tasted in Corp Why they see this? Because that's incubated in a little more detail. What if we are not basing our decision on an automated processing but manual processing situation yet that still has a significant effect on the individual. Perhaps more likely, however, is that we are using automated processing. But then we have to debate whether the result or the decision produces illegal or similar morally significant effect on the individual. I suspect this is very subjective. The extent off the degree of impact off anything on an individual would be quite subjective . I suspect that on some occasions the individual may see something as having a very significant impact on them. Where's the organization. Me see it quite different plans in these cases, it is likely will be tested in a court of law on from those decisions. We will get case law, which hopefully will make some of these phrases on what is meant by them a little clearer. Of course, these rates do not apply if it is necessary for entering two or the performance of a contract between you and the individual. In other words, times we have to exchange information on process information as part of the performance of any contract, and they're such the rates will be limited. Likewise, if they are authorized by law, it may be important to be able to process data, for example, for the purpose of fraud or tax evasion or prevention on door, where you're able to exchange and process data. We have explicit consent from that person to use the teeter any particular expose it way 20. L17 Data Portability: we shall now look at exploring the right to data portability, which is of course, right within the G d. P r. The right to data portability within GDP air exists to stop individuals having to repeat data already given out to one organization to another. This is often the case that people do not switch. Product providers, such as insurance companies for GDP are sets out the ability that data can be transferred from one organization to another in other boats. The rate to data portability all those individuals to get. Andre used the personal detail for better purposes across different services. The move. Copy or transfer personal details easily from one i t. Environment or organization to another in a safe and secure way within attendance to usability. Remember, you must give the personal data to the person or the other organization directly. In the structured, commonly used on machine readable forum. The's four months mating could open formats such a CSP fails that can then be brought into a number of applications and other organizations. Machine readable simply means that information is structured so that software can extract specific elements of that data. This enables other organizations to use the data. Remember, you should facilitate this in order that the person can easily move data from one organization to another or D. Just copy information you have to another organization. Try not to build artificial barriers as if this is done. You could be seem to be working against the Six Principles of GDP are Remember that a low you need not adopt or maintain processing systems. Simplicity. Ease compatibility under a sharing etcetera. You must. If requested, transmit the data directly to another organization. If it is technically feasible, remember once more, try not to build artificial barriers that restrict the ease of movement of data. If the person request portability F wherever you find it impossible or very difficult to meet that person's needs in terms of portability of data, you shouldn't share your document. The persons request on, of course, why you could not meet it as with other aspects of GDP, are. If someone requests theater portability, you must respond to their requests with it on Jubilee and certainly within one month. This can be extended by two months. Were complex or you have received a number of requests for data portability from that person. Remember, if you refuse daily or otherwise prevent the passings data portability and sure that you woke the reasons why, as you may be asked to defend your position at Solyndra date, okay? 21. L18 Transfer outside of EU: we should know what the topic of transferring personal data to third countries or international organisations. Getting the straight is very important, if nothing else, for the fact that large fines and sanctions exist and can be used for people transferring personal detail inappropriately. Personal data may only be transferred outside of European Union or E A in compliance with conditions for transfer set out in Chapter five of the GDP are Essentially, This means that where the commission has decided that the country, a territory or one or more specific sectors in the third country or an international organization can share and adequate, however, or protection. We have to be weary of this as this is likely to change as countries and territories made one point meet the criteria on that. Others, not even countries such as the United States of America, who hard, hard for some time a safe harbor agreement with the year may not always be compliant with the needs of the European Union on GDP are It is therefore important that you make a decision based on where the commission has decided that that country does meet the requirements. It will also be important to continue to maintain on monitor the situation where you hold or use data overseas. The only transferred it outside of the year where the Commission has noted it meets the requirements off GDP are the latest information on which countries, territories and organizations meet. The requirements of GDP are will be published on the relevant your website. As already noted GDP are does note that adequacy decisions me not necessarily last indefinitely. It is therefore important that we check the European Commission website every and holding or using data outside of the European Union. With the previous information in mind, the European Commission will review at least every four years countries, territories, etcetera to ensure they meet the requirements off GDP are. The commission will also monitor on unknown going basis. Developments in third countries aren't international organizations that could affect the functioning off adequacy decisions that have already been taken by the commission. Pursuant to the directive or the GDP are itself. In essence, you be only transfer personal dancer outside of the European Economic Area or you to 1/3 country that has adequate data protection. The European Commission approves unnoticed countries who have been seen as providing an adequate level of detail protection. You should therefore ensure you check with the European Union Commission website that the country or territory where you're holding and using data is included in the list off permissible countries. One of the key reasons that businesses and organizations must ensure the meet the requirements off the GDP are regarding international transfers. Off data is the very significant fines and other sanctions that can be poised upon them. Businesses that infringe a GDP are may be subject to administer fines of up to 20 million euros or up to 4% of the total worldwide annual turnover off the proceeding financial year , whichever is higher. As you will see, these are very, very significant. Fines on would be worrying too vast majority off organizations. It is therefore of critical importance that we understand the requirements of GDP are in general, on in particular around international transfers or personal data. 22. Privacy Shield: So let's consider the European Union United States for privacy shield. Most of us have been around Internet and e commerce for any number of years, full of hair off the U. S. Privacy Shield arrangement. The United States, interestingly, does not have a general federal data protection law. Yet it is a requirement for the European Union to consider whether or not any known UT restriction gives adequate protection to European citizens. It is illegal for any U organization to transfer personal information, or P I to any country. There has not been in adequacy determination by the EU Commission. I'd appreciate determinations for different nations and states can be found on the relevant European Commission website as a result off there not being any U. S. Federal legislation in this matter on off the requirement off e organizations to be insured off adequacy arrangements. This led to the development off receive Harper Framework were regulated. States Organization Me register with the United States Department of Co meals. In doing this lady, clear that their information security practice about personal data on their given receive harbor from prosecution. In other words, this is a week in which United States companies can give some guarantee to you and other restrictions that they meet specific theater processing on holding requirements As you legislation on general international thinking about the importance of data protection, including some U. S. Practices and court cases became to evolve. There were some additional concern for the European Union about this ive Harper arrangements. The European Court of Justice declared in 2015 that save Harper arrangements were invalid under the safe harbor framework was not devoured mechanism for complying with existing U data protection legislation. Not remember this was in 2015. This led to the creation of the U. U S provisions shoot freemark. The U. S year privacy shield was adopted by the European Union and the European Commission in 2016 alone for more frictional Street to take place. So what about the privacy issue on GDP? Are the European Commission deemed that protections offered by the shield to European Union citizens are adequate in terms of GDP? Our requirements carving the international transfer off personal information note, however, that there are no categories off personal information that they're outside the school off GDP are on their four United States organizations with operations in you that simply wish to process or store each Our data relating to their own you staff are still required to comply with GDP are so Let's look at that again. What you're seeing that even if a US organization with operations in the U simply which is to put a process or story charred eater relating to his own you staff, they will still have to comply with GDP are aren't only to join the U. S. You privacy shield freemark off interest. The provision shield is administered by the I t A. The International Trade Administration. 23. L19 Data Protection Impact Assessments: we shall know we could. Data protection impact assessments, otherwise known as DP Eyes Dichter Protection Impact Assessment or GP eyes are a tool which can help most organizations firstly, identifying the most effective we to comply with the detection obligation and secondly, in doing so, meet individuals expectations off privacy. You may, of course, Cario deter protection impact assessments or D P. A is at any point on with any risk. However, you must carry out ADP ie when using new technologies on where the processing is likely to result any high risk to the rights and freedoms off individuals. You may, of course, Cario chur dp a. At any stage in a process, however, it would be ideal if you conducted a d. P i. E. At the very beginning of the process on probably before any information technology processes or even software etcetera have bean decided upon. If you conduct a d p. A as soon as possible and that the very air wastage is off a new project, you will be able to see that its findings and recommendations are actually built into the design off the process itself. This design at early stage by using DP IE is as part of the design works, is known as privacy by design. This simply means the embedding off theatre privacy, featuring into the very design of projects. This war for many benefits. No, at least the fight that individuals should be in a better position to be sure that their privacy is protected. We shall know what could the benefits of conducting a data protection impact assessment Conducting a DP A helps us make informed decisions about the acceptability of data protection risk on. We can communicate effectively with individuals affected a. D. P. A. Will also help us identify and mitigate against its protection risk plan for implementation off solutions to any of those risks on assess the viability of the project at a very early stage, hopefully at design stage. Good recordkeeping during your data protection impact assessment process will you to demonstrate on evidence compliance with the GDP are it will also minimize the risk of any new project, creating legal difficulties that have not bean anticipated Jurin ADP i e. You should be identifying risks looking at possible solutions on finally making decisions on news risks. Solutions aren't other comments you should of course with everything with GDP, our record what? Your thoughts Where and why you took the decision. You did this shit prove useful. If there is ever a complaint from an individual or group about your GDP, our compliance you should take some time till cut this slide in effect. This is a DP IE process. Firstly, of course, we need to identifying any DP I need. Is it likely that this project will have data risks involved and if so, is it what they offer? Dp I It is probably likely that even in simple projects, a simple DP a year would be good to complete if it is not too onerous on time and resources . Simply we discuss and describe the information for herders A guitar Enter this process. What do we do with it during the process on how does it exit the process? If a toll by exit I simply mean to be passed the data to other people or organizations or by default, do we rid ourselves off the data after a certain time or criteria is met? At each point off this process, we should be identifying any data protection, unrelated risks and identifying any risks. We should be also considering the solution to those risks. Off course. We will look at costs time implementation issues, etcetera on. Make a judgment as to whether the solution should be implemented or not, or if the process could be adopted to minimize risk. Once you have conducted such an investigation, it is important that someone signs off the outcomes off the d. P. A. That may be the process owner, or maybe the deep eel off course. Once you have to say, need any ways that we can register our eliminate risk, we should integrate any data protection solutions into the project. Remember that a war many people in organization are greatly to be responsible for carrying out a TPE. It is organizations data controller who is ultimately responsible for ensuring d. P I ease are carried out, were necessary while they did. Second drawer is ultimately responsible for ensuring that d p I ease or carried out were necessary. The dp I should be driven by people with experience and knowledge off the project in question. This is of course only go to be the data control for themselves. If you don't have sufficient expertise and experience within the organization. You may wish to bring an external specialist to consult on or carrier the DP are you? This will inform the organization as to risks that are likely to a car and holding me mitigate against them. It is likely that within your organization there may be a template for conducting. DP IE is some of the issues that DP ie is me consult are involved are such ours as the process necessary in the first place? Do we require all of the details we are going to collect to conduct the process? Aunt, how long do we need to hold the data for before perching it from our storage? In other works, we need to assess the necessity and proportionality off the process, its self. We also have to look at the assessment off the risks to individuals by conducting this processing. Once we have identified risks, we are able to measure what we can do to ensure that the risk is mitigating. What security can be put in, please. And how can we address risk in order to demonstrate compliance with the requirements of GDP are on that six principles. There are very many occasions when a DP i e will be required to be completed. But here are some examples the gathering of public social media detail for generating profiles about the users with an O potentiality require 80 p. I. A. A company who is systematically monitoring employee activities, including the rock station on Internet activity, would require ADP IE to be conducted because of the level of risk to that individual. An organization who were using intelligent video analysis to single oath cars and use automatic number plate recognition, for example, is also likely to require 80 p a. 24. L20 Breach Notification: Welcome to this lecture on breach notification. Remember, you should notify the relevant supervisory authority if it is likely to result in the risk to the rates on freedom off individuals. You must also inform the individual concerned if it is like to have a significant detrimental effect on them for example, every disciple to result in discrimination, damage to the reputation, financial or other loss. You must also tell the individual or individuals concerned that the data breach has taken please on the nature off that bridge we have a breach of data has later high risk to the rates and freedom off individuals. It is your responsibility as an organization to inform that individual directly that the pictures of carved the nature of the breach and the possible impact Remember in the GTP are you must inform the supervisory authority within 72 hours off becoming a were off any detail breach. That is a major change to previous legislation in the United Kingdom. So please be aware of this tape timescale in somebody you must have formed supervising authority within 72 hours off any data breach being identified. In addition, remember that if there is a high risk to any individual or individuals concerned. As result off the detail week quality to reach, you must consider informing that individual or individuals also in get time. 25. Fines and minicases: So what are the penalties for breaching G. P R. The supervisory authorities, which in the United Kingdom would be the information commissioner's office, can take away drink of actions. These include the following. Fines are monetary fine can be imposed on the organization as we will see elsewhere in this course. These fines can be somewhat hefty and potentially very damaging to organizations. The Super Visitor Authority can also issued a warning or reprimand to the organization. The supervisory authority can impose either temporary or a permanent bomb or not organization being over to process data, obviously, depending on the organization's take, a business that could be fatal. The supervisor authority importantly, can order that the organization rectifying data held I don't restrict or a raise data better already being held by them. Importantly, the supervisory authority can suspend data chance sales from that organization to third countries. I hope you will see there is always a range of things that the supervisory authority can do when any organization preaches the GDP are regulation. The maximum fine under Judy PR is 4% off annual global turnover, or 20 million euros, whichever is greater for any organization that infringes the requirements of GDP are. I think it's fair to see this is a lot of money elsewhere in this course. We also give some case studies that will keep the recent penalties that have been imposed by GDP are supervisory authorities. You will see that some of them are several hundreds off millions off euros. Well, look here at some examples and feigns when the GDP are defines. At the time of publication of this course, I'm not phenyl Andrea Wheat, the company on super visit authorities of any other member state to make representation before finalization. Nonetheless, the cases in themselves are one important onto very interesting. This illustrates how important your understanding of GDP, ours to your business, success or otherwise. So let's look very quickly. Some of the sizes after fines 200 on 4.6 million euros that's trained to 4.6 million euros fight has been given to British Aires. We are Glater at the nature of the case and find such a massive fain was deemed appropriate . 119.39 billion euros to money it international, 50 million euros. Google Inc. France, on 2.6 million euros to the Data Protection Commission off Bulgaria. The British areas feign off 204.6 million euros at the time of publication of this course represents the largest fine given the families to a cyber incident which involved use of traffic to the British Airways website being diverted to be fraudulent. ST. There was a massive impact on the customer bees. Around half a 1,000,000 customers were compromised in this instant, leading to a massive headache. For Pretty. Sherri's information was compromised by Pierre. Security of vengeance, therefore, be a was at fault. This included organs, payment card, information, travel, booking details on the underdressed information. As you can see, there are a multitude of personal information here and information that could be damaging to that individual on organizations involved. The case of married international on define of 110.39 million euros. This again related to a cyber incident with a personal detail off, 313 8 million guests globally were compromised. 30 million of those related to residents off 31 countries in the European Economic Area and seven million off those were Yuki residents. The vulnerability began when the systems of the Starwood Hotels for Compromised in 2014 Monnet then purchased Starwood's with House Group but failed to undertake the appropriate Georgians when it bought, started and should have taken more care in ensuring that had secured it. Systems on that they were appropriate for GDP are on did for processing purposes. As such, the regulatory authority hasn't pause, defying up 110.3 million euros on Mari it international. 26. Case Buivids v Latvian DPD: in this keys, Privy disperses the Latvian Data Protection Authority. This is a very important on critical keys as it touches on some very important issues around freedom of speech, data protection, the legal definition of journalism. And in today's world, Arial journalists are regionals. When we put something on your chip or put something on Twitter or Facebook, what is the role of a journalist? And here is a journalist. You look here, the role of the protection, but also looking at a long say that they assure and academic freedom, artistic and literary expression. We won't cover all here. This is simply a chance to reflect and think about the importance of such cases as GDP are handed protection more evolves. So therefore, the kiss. Those raise fundamental questions with the protection but along say that the ambit of personal or household exemption this has been our home test eat. We have thinking particular way in the UK or British courts, where there has been much opportunity for individuals to effectively see anything about anyone without any hint off prosecution. But no individuals can easily put their own views across to the world on millions of people , conceals Where is the lane between amateur family individuals or amateur journalists or professional journals? So not only national legislators have a view and nets, but suitable must records and regulators on Deeble. How active and important rules within the space. The forthcoming case off stunt will require course to think more of boat this afternoon. Consider whether the national courts should to supply the ban on prepublication injunctions against special expression processing Soto in uki data protection legislation. So therefore, even the future off prepublication injunctions we actually be in some contradiction to the quietness of GDP, our privacy and, of course, waiting. That's up against freedom of speech, freedom of journalism, academic freedom of expression and so one. So, as I said earlier, this is a critical case. And if you just follow this four chart it attained of tells us for the keys is about essentially this individual. Meet a video recording in a Latvian police station, which showed police officers going about their normal DT jetties. But the fundamental issue, then is that perhaps he moves on from being uninterested, individual, perhaps videoing something for his own or family use or entertainment. He then publishes this on you chip, which of course has massive circulation on that is not controlled the ivy In data protection, authorities held that he had actually infringed detection by feeling separate those police officers in the police station with the transparency notice or telling them how he was. According things. What was being recorded on explosive were telling them where they would be published or processed on what it would be used for the DP A. Therefore ordered that the removed the video from your chip on other websites. The individual, however, argued that he wanted to bring attention to society off something which he considered to constitute unlawful conduct on the part off the police. In effect, this is a boat national liberties, the ability to highly corruption or public sector deficiencies, or just wrong doings in general, and perhaps beginning to look at the role of the journalist where the actually exposed such doings. So the lane here is between someone recording something for the room private individual family use, and 21 we're publishing it on your chip pitched into the public, the mean and also the reasoning that the person used for recording it is much more. One of public interest and therefore we have to reflect on whether this is actually of a journalism rather than on individual or family using information or data. Where is the complaint? Says she? The Court of Justice off the European Union, defended according on up wording. Activity was within the score awfully GPD on there was no exemption appropriate for family use, exceptional the recorded images but that sure, the police officers, the officers were identifiable and saw the court road that actually the recording was personal that out. He also ruled that the personal data had been subject to deter processing through the individuals digital photo camera since the carol started, according on he continues to base, namely the memory off that camera and therefore one personal data had been captured by the camera on it had also been processed by the camera. The Court of Justice also recognized that by awarding the data onto your chip on Internet, there's also constituted ah father act off that are processing on again to reiterate the issue around exempted context of purely personal or household activities. The court phoned that by disseminating the video by publishing it in the public space in this case, namely the Internet on your chip. The individual had avoid and not restricted the publication of the video on had given access the personal data that is the images and contained and discussions off those police officers to an indefinite number of people. And doing so. This processing could not be seen to fall within the exemption off pure personal or household activities. Again, we are perhaps moving into the situation where, because of their availability of, for example, more oil telephone cameras, etcetera on mobile, the race is on the ability of people to publish instantly to millions of people. Go boy. The lanes between personal hostal activities on the heat off journalism are becoming increasingly board on. Therefore, so dishes Aaron, such as freedom off expression on journalistic and academic over their eyes. So the court pointers on this very important debate on that partners in the we that it understands the importance of the rate to the freedom of expression and every democratic society. It was necessary, therefore, to interpret notions relating for freedom such a journalism very brightly, and to think really about what you mean by journalism. Another was the journalistic delegation or definition can t simply be about someone who is an institution, for example, in newspaper or filmmaker or muse Mika, all indeed unnecessarily to simply someone who is a professional journalist but journalistic. The irrigation is actually applicable to every person engaged in journalism, so that seemed slightly clearer. Have ever. The court then ruled that you could not take a view that all information published on the Internet involving personal data comes under the concept of journalistic activities. I guess it depends to a large extent the reason for the paths and poising information on the Internet and whether it relates to issues such as freedom of expression or perhaps publicizing some wrongdoing by a legitimate person, such perhaps as a public body, a minister of state, politician or, indeed, celebrity. However, these do become complex on more don't be fucked are thought thread as GDP are on relevant cases of over. So without believing the point, this whole journalism question the defending court, it was told by the European court to consider whether the recording and publishing off the video where in the so intended to the schools, information, opinions or ideas to the public or for some other reason. The UK Information Commissioners Office has started clean has felt very justifying over many years, which it considers that any complete meat against an individual who has posted personal data where was acting any personal capacity. No matter how on fear, Dirac, gritty or distressing, this post me be is somehow protected. In this case, though, the individual has significant implications for the possible conflicts between on one hand , the need for data protection. And they need to protect the privacy of people in this case, the police officers going about their daily jetty against the freedom of expression or indeed, the freedom to express, to demonstrate, to publicize any wrongdoings which may or may not have been the case in this particular case to the general public, it isn't the the very complex and feign lane on one, which is continually being strange as we see easier accessibility to recording devices in our tapes of the means 27. Case The Journalism or not question: in this keys, Privy disperses the Latvian Data Protection Authority. This is a very important on critical keys as it touches on some very important issues around freedom of speech, data protection, the legal definition of journalism. And in today's world, Arial journalists are regionals. When we put something on your chip or put something on Twitter or Facebook, what is the role of a journalist? And here is a journalist. You look here, the role of the protection, but also looking at a long say that they assure and academic freedom, artistic and literary expression. We won't cover all here. This is simply a chance to reflect and think about the importance of such cases as GDP are handed protection more evolves. So therefore, the kiss. Those raise fundamental questions with the protection but along say that the ambit of personal or household exemption this has been our home test eat. We have thinking particular way in the UK or British courts, where there has been much opportunity for individuals to effectively see anything about anyone without any hint off prosecution. But no individuals can easily put their own views across to the world on millions of people , conceals Where is the lane between amateur family individuals or amateur journalists or professional journals? So not only national legislators have a view and nets, but suitable must records and regulators on Deeble. How active and important rules within the space. The forthcoming case off stunt will require course to think more of boat this afternoon. Consider whether the national courts should to supply the ban on prepublication injunctions against special expression processing Soto in uki data protection legislation. So therefore, even the future off prepublication injunctions we actually be in some contradiction to the quietness of GDP, our privacy and, of course, waiting. That's up against freedom of speech, freedom of journalism, academic freedom of expression and so one. So, as I said earlier, this is a critical case. And if you just follow this four chart it attained of tells us for the keys is about essentially this individual. Meet a video recording in a Latvian police station, which showed police officers going about their normal DT jetties. But the fundamental issue, then is that perhaps he moves on from being uninterested, individual, perhaps videoing something for his own or family use or entertainment. He then publishes this on you chip, which of course has massive circulation on that is not controlled the ivy In data protection, authorities held that he had actually infringed detection by feeling separate those police officers in the police station with the transparency notice or telling them how he was. According things. What was being recorded on explosive were telling them where they would be published or processed on what it would be used for the DP A. Therefore ordered that the removed the video from your chip on other websites. The individual, however, argued that he wanted to bring attention to society off something which he considered to constitute unlawful conduct on the part off the police. In effect, this is a boat national liberties, the ability to highly corruption or public sector deficiencies, or just wrong doings in general, and perhaps beginning to look at the role of the journalist where the actually exposed such doings. So the lane here is between someone recording something for the room private individual family use, and 21 we're publishing it on your chip pitched into the public, the mean and also the reasoning that the person used for recording it is much more. One of public interest and therefore we have to reflect on whether this is actually of a journalism rather than on individual or family using information or data. Where is the complaint? Says she? The Court of Justice off the European Union, defended according on up wording. Activity was within the score awfully GPD on there was no exemption appropriate for family use, exceptional the recorded images but that sure, the police officers, the officers were identifiable and saw the court road that actually the recording was personal that out. He also ruled that the personal data had been subject to deter processing through the individuals digital photo camera since the carol started, according on he continues to base, namely the memory off that camera and therefore one personal data had been captured by the camera on it had also been processed by the camera. The Court of Justice also recognized that by awarding the data onto your chip on Internet, there's also constituted ah father act off that are processing on again to reiterate the issue around exempted context of purely personal or household activities. The court phoned that by disseminating the video by publishing it in the public space in this case, namely the Internet on your chip. The individual had avoid and not restricted the publication of the video on had given access the personal data that is the images and contained and discussions off those police officers to an indefinite number of people. And doing so. This processing could not be seen to fall within the exemption off pure personal or household activities. Again, we are perhaps moving into the situation where, because of their availability of, for example, more oil telephone cameras, etcetera on mobile, the race is on the ability of people to publish instantly to millions of people. Go boy. The lanes between personal hostal activities on the heat off journalism are becoming increasingly board on. Therefore, so dishes Aaron, such as freedom off expression on journalistic and academic over their eyes. So the court pointers on this very important debate on that partners in the we that it understands the importance of the rate to the freedom of expression and every democratic society. It was necessary, therefore, to interpret notions relating for freedom such a journalism very brightly, and to think really about what you mean by journalism. Another was the journalistic delegation or definition can t simply be about someone who is an institution, for example, in newspaper or filmmaker or muse Mika, all indeed unnecessarily to simply someone who is a professional journalist but journalistic. The irrigation is actually applicable to every person engaged in journalism, so that seemed slightly clearer. Have ever. The court then ruled that you could not take a view that all information published on the Internet involving personal data comes under the concept of journalistic activities. I guess it depends to a large extent the reason for the paths and poising information on the Internet and whether it relates to issues such as freedom of expression or perhaps publicizing some wrongdoing by a legitimate person, such perhaps as a public body, a minister of state, politician or, indeed, celebrity. However, these do become complex on more don't be fucked are thought thread as GDP are on relevant cases of over. So without believing the point, this whole journalism question the defending court, it was told by the European court to consider whether the recording and publishing off the video where in the so intended to the schools, information, opinions or ideas to the public or for some other reason. The UK Information Commissioners Office has started clean has felt very justifying over many years, which it considers that any complete meat against an individual who has posted personal data where was acting any personal capacity. No matter how on fear, Dirac, gritty or distressing, this post me be is somehow protected. In this case, though, the individual has significant implications for the possible conflicts between on one hand , the need for data protection. And they need to protect the privacy of people in this case, the police officers going about their daily jetty against the freedom of expression or indeed, the freedom to express, to demonstrate, to publicize any wrongdoings which may or may not have been the case in this particular case to the general public, it isn't the the very complex and feign lane on one, which is continually being strange as we see easier accessibility to recording devices in our tapes of the means