GDPR webinar for business leaders
Heather Burns for Deeson • 23 November 2017
GDPR is an opportunity to…
• Improve your internal processes
• Maintain your competitive advantage
• Protect your users from data risks
• Protect your users from political uncertainty
GDPR overview
Deadline day
25 May 2018 (182 days…)
What it does
• Replaces the 1995/1998 DPA
• Preserves existing principles
• Expands and modernises
After Brexit
• GDPR will remain the UK’s data protection standard
• Data Protection Bill currently winding its way through Parliament
• Equivalence is necessary
What is personal data?
Personal data
• “Any information relating to an identified or identifiable natural person.”
• This can be one piece of information or multiple data points combined to create a record.
Sensitive personal data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Health data
• Sex life or sexual orientation
• Past or spent criminal convictions
1995: eight principles of data protection
Personal data must be:
• Processed in a manner which is fair and lawful;
• Used only for the manner in which it was intended to be used;
• Processed in a manner which is adequate, relevant, and not excessive;
• Accurate and kept up to date;
• Not kept for longer than its intended purpose;
• Processed in accordance with the rights of the people the data is about;
• Protected by technical and organisational security measures;
• Not transferred to third countries outside the EU which do not guarantee an adequate measure of data protection.
What you have / How you engage / How you work

What you have
Awareness
The most basic step involved in GDPR compliance is awareness. You can create a culture of healthy data protection by involving everyone in awareness of the ways the law is changing and how these changes will impact your work.
• Do you understand what GDPR continues from the old Data Protection Act, and what is new?
• Are you confident that you are compliant with the existing Data Protection Act?
• Do your staff receive data protection training, and is that documented?
• Have you allocated appropriate human and technical resources to GDPR implementation both before and after May 2018?
• Have you spoken with your contractors and suppliers about their own GDPR implementation plans?
Documentation
The next step in your GDPR journey is auditing what information you hold and process, where it is stored, what kinds of data it comprises, and whether it is still needed.
If your data collection and processing is regular (meaning it is a core part of your business), includes sensitive personal data, or could threaten people’s rights and freedoms, you must keep a full record of all of your data collection and processing activities.
In-house
• What information do you hold online?
• What information do you hold offline?
• What information do you hold in archives?
External
• What information do you share with third parties?
• What information do you receive from third parties?
A full audit of processing activities
• The purposes for which you are collecting and/or processing personal data;
• A description of the categories of individuals you are processing data about;
• A description of the categories of data you are processing;
• A description of the recipients of personal data you are transferring out of your organisation;
• A description of international (non-EU) transfers of personal data, including safeguards;
• Any privacy impact assessments you have carried out;
• A description of your data retention and deletion procedures;
• A description of what technical security measures you have taken;
• A description of your human security measures, including staff training and HR documentation; and
• A record of the steps you have put in place to deal with a data breach, including internal reporting mechanisms and contact structures.
Privacy notices
Under the previous data protection regime, privacy information notices became long, lazy, and legalistic.
GDPR reclaims privacy notices as concise, transparent, and intelligible dialogues with your users.
Everything you are doing with your users’ data - everything - needs to come out into the open.
Ensure that yours:
• Are written in plain English, with no “legalese”;
• Are broken down into clear sentences and short paragraphs;
• Contain granular, non zero-sum options.
Ensure that you:
• Review the privacy notices of the third parties you send data to, or receive data from;
• Include all the information and any formatting required…
Information required in your privacy notices
• What data is collected, how data is processed, how data is used, who data is shared with, and what the user’s rights are;
• If not based on consent, explain your lawful basis for processing user data;
• List all third party partners and service providers with whom you share data, and note what that data is and how it is used;
• Inform users about their rights, including who to contact for a subject access request, and how they can complain to ICO if they feel you are not honouring their data rights;
• Provide clear granular options for consent, individual rights, and subject access requests;
• Provide clear contact details for your company, your point of contact for subject access requests, and your data protection officer, if applicable;
• Separate your privacy notice from general terms and conditions, particularly on your web sites and apps.
Information about children
Ensure that you:
• Provide extra safeguards for under-16s’ data
• Document evidence of parental consent
• Delete minors’ data with no hassle
If you are collecting data directly from children, your privacy notices must be written in a way they can understand. This includes information about how you are using their data as well as the consent process.
How you engage

Individual rights
We have always had rights over the uses of our information under the existing data protection regime. Under GDPR these individual rights are greatly expanded.
For you, this means respecting those rights, implementing them into your planning structures, and being prepared to meet users’ invocation of these rights in an open and fast way.
• The right to be informed about what you are doing with data through privacy notices;
• The right of users to access a copy of the data you hold on them;
• The right to correct any data that you hold;
• The right to erasure, meaning the right to request deletion of certain kinds of data you hold;
• The right to restrict processing, or the right to ask you to stop using data in certain ways;
• The right to data portability, or the right to take the data you hold about them to another service provider;
• The right to object to your uses of their data; and
• Their rights in relation to automated decision making and profiling, including data you use or share for the purposes of advertising, marketing, and behavioural analysis.
Individual rights
How they work
• Individual rights are granular – any one can be invoked at any time
• You cannot charge users any administrative fee for invoking these rights, or any costs for the time you require to meet them
How to meet them
• Publicise these rights in your privacy notices
• Review your internal processes for handling these requests
• Remember time limits
Subject access requests
One way people can invoke their individual rights is known as a subject access request (SAR).
The people whose data you store or process can file a SAR with you to receive:
• Confirmation that you are processing their data;
• Access to a copy of the personal data that you hold on them;
• Any other information, such as details of the data you have passed to third parties, that has already been confirmed in your privacy notice.
How they work
• Detail your process in your privacy notices
• Review your third parties’ SAR processes
• Review your systems
Internal documentation
• How are SARs tallied in your organisation? Who receives them as the central point of contact? Who is informed of their receipt, their progress, and their completion?
• Is your SAR process documented in a way that would meet ICO approval?
Consent and legal basis
In most circumstances, the data collection and processing you perform must be done with the consent of the people that data is about.
If consent is not the basis, your use of data must be grounded in a legal basis.
The consent mechanisms and legal bases you use to collect and process data must be clear, documented, and verifiable.
Consent must be
• Active: consent is freely given, specific, and unambiguous;
• Active consent is also positive, meaning you have not presumed consent from a pre-ticked box, inactivity, or not selecting any option;
• Privacy must be presented as granular multiple choices, and not a zero-sum in-or-out game;
• Unbundled: users cannot be forced to grant consent for one thing in order to receive another;
• Named: the user must be made aware of all specific third parties who will be receiving their data and why they will be receiving it;
• No imbalance in the relationship: consent must not create an unfair relationship between the user and the data processor;
• Verifiable and documented: you must be able to prove who gave their consent, how consent was given, what information they were given, what they agreed to, when they consented, and whether or not the user has withdrawn their consent.
Consent
You must document
• Who gave their consent;
• How consent was given;
• What information they were given;
• What they agreed to;
• When they consented (ideally a timestamped record); and
• Whether or not the user has withdrawn their consent.
Lawful bases for processing data
• Necessary for the performance of a contract;
• Necessary to comply with a legal obligation;
• Necessary to protect the person’s vital interests (for example, providing someone with emergency medical help);
• Necessary for the performance of a task in the public interest or in the exercise of official authority;
• Necessary for the purposes of the “legitimate interests” pursued by the controller or third party.
Preparing for consent and lawful bases
Review your
• Internal documentation
• External privacy notices
• Third party contracts
Modify your
• Consent mechanisms
• Privacy notices
• Data minimisation thresholds
How you work

Privacy by Design / Data Protection by Default
GDPR requires the adoption of a culture of privacy by design and data protection by default.
This means that all your internal processes and procedures, as well as your external products, services, and applications, must be designed with optimal privacy and data protection built in from the start, not bolted on as an afterthought or made contingent on the user activating a series of options (assuming they had any at all).
Cultural integration
• Familiarise yourself with the basic principles of PbD (google “Smashing Magazine Privacy by Design”)
• Review your existing sites, apps, and processes for best PbD practice
Workflow integration
• Adopt the PbD standard
• Create a data minimisation and deletion policy
• Create a Privacy Impact Assessment process for data-intensive projects
A simple Privacy Impact Assessment process
• A description of the data processing you are carrying out, including the legal basis for data processing;
• An evaluation of the necessity of the data processing;
• An evaluation of the proportionality of the data processing;
• A risk assessment regarding the data subjects;
• What measures you are putting in place to mitigate risk; and
• What security precautions you have taken.
Data breaches
GDPR requires you to do everything you can to prevent data breaches from happening. That said, it also requires you to prepare for data breaches in advance.
Preparing for data breaches requires you to take an honest (and, possibly, quite uncomfortable) look at what aspects of your internal processes and cultures could contribute to a preventable breach.
Technical measures
• Do you regularly audit your systems and processes for potential data breach risks?
• Do you know the criteria for a “high-risk”, reportable breach, as well as the information you would be required to report within 72 hours of discovery?
Human measures
• Do you have an internal reporting mechanism in place to report potential data breaches before they happen?
• Can staff report an issue, either technical or human, which could lead to a data breach, without fear of reprisal?
Data protection officers
GDPR introduces the concept of the Data Protection Officer, or the DPO. For organisations engaging in certain kinds of processing of personal data, the DPO is a named individual who carries legal and professional responsibility for that organisation’s GDPR compliance.
You are only required to appoint a DPO if you engage in large-scale processing of sensitive personal data. That being said, those businesses which do not strictly require a DPO may wish to consider appointing one voluntarily all the same.
Internal responsibility
• Decide if you a) need one or b) want one
• Give the role the resources and powers it requires
Public accountability
• Publicise your DPO’s details in your privacy notices
• Submit your DPO’s details to ICO as the point of contact for privacy concerns
Working internationally
One of the fundamental principles of EU data protection law, both past and future, is that personal data cannot be transferred outside of the EU to third countries unless that country ensures an equal and adequate level of data protection.
This creates two issues: the safeguarding of your data at its origin and its destination, and the legal means by which that data moves between them.
Who you work with
• Are all of your partners and third party service providers in non-EU countries working towards GDPR compliance?
• Are your US-based partners and third party service providers Privacy Shield compliant?
• Are you including and requiring GDPR compliance in your contracts with partners and service providers?
Privacy notices
• Are all international transfers of data, and the uses of that data, made clear?
• Have you provided a means for users to object to their data being transferred outside the EU?
• If you work across European borders, have you identified your main country of establishment and lead supervisory authority in your privacy notices?
Here be dragons
#GDPRubbish
• Professional certifications
• “Accredited” courses
• Compliance software
• Consent panic
• DPOs as job creation schemes
• Fines fines fines fines fines fines!!!
Keep an eye on the whole picture
Further GDPR awareness
• Regularly visit ICO’s web site for new guidance
• The Data Protection Bill: follow its progress and have your say
• The ePrivacy directive revamp: cookies, metadata, device fingerprinting, marketing consent
Your action plan
1. Learn the basic principles of data protection
2. Raise awareness within your organisation
3. Assess the information you hold
4. Conduct an audit of processing activities
5. Review and revamp your privacy notices
6. Provide for users' individual rights
7. Review your subject access request process
8. Review your consent and legal bases
9. Implement PbD and DPbD principles
10. Prevent data breaches, but prepare for them
11. Decide whether you need a DPO
12. Review international data transfer structures
13. Learn the warning signs of GDPRubbish
14. Keep an eye on legal and political changes
15. Become your organisation's privacy champion
Thank you!
Heather Burns
heather@webdevlaw.uk
@webdevlaw
https://webdevlaw.uk

More Related Content

PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
PPTX
GDPR Breakfast Briefing for Business Advisors
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
PDF
GDPR for your Payroll Bureau
PPTX
Intercity technology - GDPR your training toolkit
PDF
Practical steps to take in preparation for the Protection of Personal Informa...
PPTX
What does GDPR mean for your business?
PDF
GDPR for your Payroll Bureau
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR for your Payroll Bureau
Intercity technology - GDPR your training toolkit
Practical steps to take in preparation for the Protection of Personal Informa...
What does GDPR mean for your business?
GDPR for your Payroll Bureau

What's hot (20)

PDF
Data Protection & GDPR Health Check Service Overview
PPTX
HIPAA vs GDPR The How, What, and Why ?
PDF
GDPR: What does it mean for your business?
PDF
GDPR: What does it mean for your business?
PPTX
Data Protection: Transitioning to the GDPR
PDF
Complete Guide to General Data Protection Regulation (GDPR)
PPTX
Data Protection GDPR Basics
PDF
Gdpr in a nutshell
PPT
Data Protection Act
PPTX
GDPR: Training Materials by Qualsys
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
PPTX
Gdpr powerpoint 15.01.18
PPT
Personal Data Protection in Malaysia
PDF
Data Protection and Privacy
PPTX
GDPR Presentation
PDF
Key Issues on the new General Data Protection Regulation
PDF
Privacy and Data Security
PPTX
NetSquared London - GDPR for charities
PPT
Building a register of data processing
PPT
Merit Event - Understanding and Managing Data Protection
Data Protection & GDPR Health Check Service Overview
HIPAA vs GDPR The How, What, and Why ?
GDPR: What does it mean for your business?
GDPR: What does it mean for your business?
Data Protection: Transitioning to the GDPR
Complete Guide to General Data Protection Regulation (GDPR)
Data Protection GDPR Basics
Gdpr in a nutshell
Data Protection Act
GDPR: Training Materials by Qualsys
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
Gdpr powerpoint 15.01.18
Personal Data Protection in Malaysia
Data Protection and Privacy
GDPR Presentation
Key Issues on the new General Data Protection Regulation
Privacy and Data Security
NetSquared London - GDPR for charities
Building a register of data processing
Merit Event - Understanding and Managing Data Protection
Ad

Similar to GDPR webinar for business leaders (20)

PDF
Gdpr for business full
PDF
GDPR Changing Mindset
PDF
UX & GDPR - Building Customer Trust with your Digital Experiences
PDF
UX & GDPR - Building Customer Trust with your Digital Experiences
PPTX
GDPR Breakfast Briefing for Business Advisors
PPTX
Gdpr presentation
PPTX
The GDPR timeline - Stephen Bailey, NCC Group
PDF
Public sector breakfast club - October 2017, Exeter
PDF
GDPR - Sink or Swim
PPTX
GDPR Practicalities - The Data Shed
PPTX
GDPR in the Healthcare Industry
PDF
Gdpr presentation
PDF
Guide to-the-general-data-protection-regulation
 
PPTX
Associates quick guide to gdpr v 1.0
PDF
Horner Downey & Co Newsletter- GDPR
PPTX
General Data Protection Regulation (GDPR)
PDF
GDPR Is Around the Corner - Don't Panic
PDF
GDPR for Dummies
PPTX
Things to know about GDPR in 2018
PPTX
GDPR – what does it mean for charities and what you need to consider - Iain P...
Gdpr for business full
GDPR Changing Mindset
UX & GDPR - Building Customer Trust with your Digital Experiences
UX & GDPR - Building Customer Trust with your Digital Experiences
GDPR Breakfast Briefing for Business Advisors
Gdpr presentation
The GDPR timeline - Stephen Bailey, NCC Group
Public sector breakfast club - October 2017, Exeter
GDPR - Sink or Swim
GDPR Practicalities - The Data Shed
GDPR in the Healthcare Industry
Gdpr presentation
Guide to-the-general-data-protection-regulation
 
Associates quick guide to gdpr v 1.0
Horner Downey & Co Newsletter- GDPR
General Data Protection Regulation (GDPR)
GDPR Is Around the Corner - Don't Panic
GDPR for Dummies
Things to know about GDPR in 2018
GDPR – what does it mean for charities and what you need to consider - Iain P...
Ad

Recently uploaded (20)

PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
PDF
Lecture 3 - Risk Management and Compliance.pdf
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
PPT
Data mining for business intelligence ch04 sharda
PDF
Hindu Circuler Economy - Model (Concept)
PDF
Roadmap Map-digital Banking feature MB,IB,AB
PPTX
HR Introduction Slide (1).pptx on hr intro
DOCX
Euro SEO Services 1st 3 General Updates.docx
PDF
Leading with Vision_ How Mohit Bansal Is Shaping Chandigarh’s Real Estate Ren...
DOCX
Business Management - unit 1 and 2
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
PDF
Unit 1 Cost Accounting - Cost sheet
PPTX
sales presentation، Training Overview.pptx
PDF
WRN_Investor_Presentation_August 2025.pdf
PDF
COST SHEET- Tender and Quotation unit 2.pdf
Belch_12e_PPT_Ch18_Accessible_university.pptx
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Lecture 3 - Risk Management and Compliance.pdf
ICG2025_ICG 6th steering committee 30-8-24.pptx
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
Data mining for business intelligence ch04 sharda
Hindu Circuler Economy - Model (Concept)
Roadmap Map-digital Banking feature MB,IB,AB
HR Introduction Slide (1).pptx on hr intro
Euro SEO Services 1st 3 General Updates.docx
Leading with Vision_ How Mohit Bansal Is Shaping Chandigarh’s Real Estate Ren...
Business Management - unit 1 and 2
340036916-American-Literature-Literary-Period-Overview.ppt
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
Unit 1 Cost Accounting - Cost sheet
sales presentation، Training Overview.pptx
WRN_Investor_Presentation_August 2025.pdf
COST SHEET- Tender and Quotation unit 2.pdf

GDPR webinar for business leaders

  • 1. GDPR webinar 
 for business leaders Heather Burns for Deeson • 23 November 2017
  • 2. GDPR is an opportunity to… ! Improve your internal processes ! Maintain your competitive advantage ! Protect your users from data risks ! Protect your users from political uncertainty
  • 3. GDPR overview Deadline day 25 May 2018 (182 days…) What it does ! Replaces the 1995/1998 DPA ! Preserves existing principles ! Expands and modernises After Brexit ! GDPR will remain the UK’s data protection standard ! Data Protection Bill currently winding its way through Parliament ! Equivalence is necessary
  • 4. What is personal data? Personal data ! “Any information relating to an identified or identifiable natural person.” ! This can be one piece of information or multiple data points combined to create a record. Sensitive personal data ! Racial or ethnic origin ! Political opinions ! Religious or philosophical beliefs ! Trade union membership ! Health data ! Sex life or sexual orientation ! Past or spent criminal convictions
  • 5. 1995: eight principles of data protection Personal data must be: ! Processed in a manner which is fair and lawful; ! Used only for the manner in which it was intended to be used; ! Processed in a manner which is adequate, relevant, and not excessive; ! Accurate and kept up to date; ! Not kept for longer than its intended purpose; ! Processed in accordance with the rights of the people the data is about; ! Protected by technical and organisational security measures; ! Not transferred to third countries outside the EU which do not guarantee an adequate measure of data protection.
  • 6. What you have
 How you engage
 How you work
  • 8. Awareness The most basic step involved in GDPR compliance is awareness. You can create a culture of healthy data protection by involving everyone in awareness of the ways the law is changing and how these changes will impact your work.
  • 9. Awareness ! Do you understand what GDPR continues from the old Data Protection Act, and what is new? ! Are you confident that you are compliant with the existing Data Protection Act? ! Do your staff receive data protection training, and is that documented? ! Have you allocated appropriate human and technical resources to GDPR implementation both before and after May 2018? ! Have you spoken with your contractors and suppliers about their own GDPR implementation plans?
  • 10. The next step in your GDPR journey is auditing what information you hold and process, where it is stored, what kinds of data it comprises, and whether it is still needed. If your data collection and processing is regular (meaning it is a core part of your business), includes sensitive personal data, or could threaten people’s rights and freedoms, you must keep a full record of all of your data collection and processing activities. Documentation
  • 11. Documentation In-house ! What information do you hold online? ! What information do you hold offline? ! What information do you hold in archives? External ! What information do you share with third parties? ! What information do you receive from third parties?
  • 12. A full audit of processing activities ! The purposes for which you are collecting and/or processing personal data; ! A description of the categories of individuals you are processing data about; ! A description of the categories of data you are processing; ! A description of the recipients of personal data you are transferring out of your organisation; ! A description of international (non-EU) transfers of personal data, including safeguards; ! Any privacy impact assessments you have carried out; ! A description of your data retention and deletion procedures; ! A description of what technical security measures you have taken; ! A description of your human security measures, including staff training and HR documentation; and ! A record of the steps you have put in place to deal with a data breach, including internal reporting mechanisms and contact structures
  • 13. Privacy notices Under the previous data protection regime, privacy information notices become long, lazy, and legalistic. GDPR reclaims privacy notices as concise, transparent, and intelligible dialogues with your users. Everything you are doing with your users’ data - everything - needs to come out into the open.
  • 14. Privacy notices Ensure that yours: ! Are written in plain English, with no “legalese”; ! Are broken down into clear sentences and short paragraphs; ! Contain granular, non zero-sum options Ensure that you: ! Review the privacy notices of the third parties you sent data to, or receive data from ! Include all the information and any formatting required…
  • 15. Information required in your privacy notices ! What data is collected, how data is processed, how data is used, who data is shared with, and what the user’s rights are; ! If not based on consent, explain your lawful basis for processing user data; ! List all third party partners and service providers with whom you share data, and note what that data is and how it is used; ! Inform users about their rights, including who to contact for a subject access requests, and how they can complain to ICO if they feel you are not honouring their data; ! Provide clear granular options for consent, individual rights, and subject access requests; ! Provide clear contact details for your company, your point of contact for subject access requests, and your data protection officer, if applicable; ! Separate your privacy notice from general terms and conditions, particularly on your web sites and apps.
  • 16. Information about children Ensure that you ! Provide extra safeguards for under-16s data ! Document evidence of parental consent ! Delete minors’ data with no hassle If you are collecting data directly from children, your privacy notices must be written in a way they can understand. This includes information about how you are using their data as well as the consent process.
  • 18. Individual rights We have always had rights over the uses of our information under the existing data protection regime. Under GDPR these individual rights are greatly expanded. For you, this means respecting those rights, implementing them into your planning structures, and being prepared to meet users’ invocation of these rights in an open and fast way.
  • 19. Individual rights ! The right to be informed about what you are doing with data through privacy notices ! The right of users to access a copy of the data you hold on them; ! The right to correct any data that you hold; ! The right to erasure, meaning the right to request deletion of certain kinds of data you hold; ! The right to restrict processing, or the right to ask you to stop using data in certain ways; ! The right to data portability, or the right to take the data you hold about them to another service provider; ! The right to object to your uses of their data; and ! Their rights in relation to automated decision making and profiling, including data you use or share for the purposes of advertising, marketing, and behavioural analysis.
  • 20. Individual rights How they work ! Individual rights are granular – any one can be invoked at any time ! You cannot charge users any administrative fee for invoking these rights, or any costs for the time you require to meet them How to meet them ! Publicise these rights in your privacy notices ! Review your internal processes for handling these requests ! Remember time limits
  • 21. Subject access requests One way people can invoke their individual rights is known as a subject access request (SAR). The people whose data you store or process can file a SAR with you to receive ! Confirmation that you are processing their data; ! Access to a copy of the personal data that you hold on them; ! Any other information, such as details of the data you have passed to third parties that has already been confirmed in your privacy notice.
  • 22. Subject access requests How they work ! Detail your process in your privacy notices ! Review your third parties’ SAR processes ! Review your systems Internal documentation ! How are SARs tallied in your organisation? Who receives them as the central point of contact? Who is informed of their receipt, their progress, and their completion? ! Is your SAR process documented in a way that would meet ICO approval?
  • 23. Consent and legal basis In most circumstances, the data collection and processing you perform must be done with the consent of the people that data is about. If consent is not the basis, your use of data must be grounded in a legal basis. The consent mechanisms and legal bases you use to collect and process data must be clear, documented, and verifiable.
  • 24. Consent must be ! Active: consent is freely given, specific, and unambiguous; ! Active consent is also positive, meaning you have not presumed consent from a pre-ticked box, inactivity, or not selecting any option; ! Privacy must be presented as granular multiple choices, and not a zero-sum in-or-out game. ! Unbundled: users cannot be forced to grant consent for one thing in order to receive another; ! Named: the user must be made aware of all specific third parties who will be receiving their data and why they will be receiving it; ! No imbalance in the relationship: consent must not create an unfair relationship between the user and the data processor; ! Verifiable and documented: you must be able to prove who gave their consent, how consent was given, what information they were given, what they agreed to, when they consented, and whether or not the user has withdrawn their consent.
  • 25. Consent You must document ! Who gave their consent; ! How consent was given; ! What information they were given, ! What they agreed to; ! When they consented (ideally a timestamped record); and ! Whether or not the user has withdrawn their consent
  • 26. Lawful bases for processing data
! Necessary for the performance of a contract;
! Necessary to comply with a legal obligation;
! Necessary to protect the person’s vital interests (for example, providing someone with emergency medical help);
! Necessary for the performance of a task in the public interest or in the exercise of official authority;
! Necessary for the purposes of the “legitimate interests” pursued by the controller or third party.
  • 27. Preparing for consent and lawful bases
Review your
! Internal documentation
! External privacy notices
! Third party contracts
Modify your
! Consent mechanisms
! Privacy notices
! Data minimisation thresholds
  • 29. Privacy by Design / Data Protection by Default
GDPR requires the adoption of a culture of privacy by design and data protection by default. This means that all your internal processes and procedures, as well as your external products, services, and applications, must be designed with optimal privacy and data protection built in from the start, not bolted on as an afterthought or made contingent on the user activating a series of options (assuming they had any at all).
  • 30. Privacy by Design / Data Protection by Default
Cultural integration
! Familiarise yourself with the basic principles of PbD (google “Smashing Magazine Privacy by Design”)
! Review your existing sites, apps, and processes for best PbD practice
Workflow integration
! Adopt the PbD standard
! Create a data minimisation and deletion policy
! Create a Privacy Impact Assessment process for data-intensive projects
  • 31. A simple Privacy Impact Assessment process
! A description of the data processing you are carrying out, including the legal basis for data processing;
! An evaluation of the necessity of the data processing;
! An evaluation of the proportionality of the data processing;
! A risk assessment regarding the data subjects;
! What measures you are putting in place to mitigate risk; and
! What security precautions you have taken
  • 32. Data breaches
GDPR requires you to do everything you can to prevent data breaches from happening. That said, it also requires you to prepare for data breaches in advance. Preparing for data breaches requires you to take an honest (and, possibly, quite uncomfortable) look at what aspects of your internal processes and cultures could contribute to a preventable breach.
  • 33. Data breaches
Technical measures
! Do you regularly audit your systems and processes for potential data breach risks?
! Do you know the criteria for a “high-risk”, reportable breach, as well as the information you would be required to report within 72 hours of discovery?
Human measures
! Do you have an internal reporting mechanism in place to report potential data breaches before they happen?
! Can staff report an issue, either technical or human, which could lead to a data breach, without fear of reprisal?
  • 34. Data protection officers
GDPR introduces the concept of the Data Protection Officer, or the DPO. For organisations engaging in certain kinds of processing of personal data, the DPO is a named individual who carries legal and professional responsibility for that organisation’s GDPR compliance. You are only required to appoint a DPO if you engage in large-scale processing of sensitive personal data. That being said, those businesses which do not strictly require a DPO may wish to consider appointing one voluntarily all the same.
  • 35. Data protection officers
Internal responsibility
! Decide if you a) need one or b) want one
! Give the role the resources and powers it requires
Public accountability
! Publicise your DPO’s details in your privacy notices
! Submit your DPO’s details to ICO as the point of contact for privacy concerns
  • 36. Working internationally
One of the fundamental principles of EU data protection law, both past and future, is that personal data cannot be transferred outside of the EU to third countries unless that country ensures an equal and adequate level of data protection. This creates two issues: the safeguarding of your data at its origin and its destination, and the legal means by which that data moves between them.
  • 37. Working internationally
Who you work with
! Are all of your partners and third party service providers in non-EU countries working towards GDPR compliance?
! Are your US-based partners and third party service providers Privacy Shield compliant?
! Are you including and requiring GDPR compliance in your contracts with partners and service providers?
Privacy notices
! Are all international transfers of data, and the uses of that data, made clear?
! Have you provided a means for users to object to their data being transferred outside the EU?
! If you work across European borders, have you identified your main country of establishment and lead supervisory authority in your privacy notices?
  • 39. #GDPRubbish
! Professional certifications
! “Accredited” courses
! Compliance software
! Consent panic
! DPOs as job creation schemes
! Fines fines fines fines fines fines!!!
  • 40. Keep an eye on the whole picture
Further GDPR awareness
Regularly visit ICO’s web site for new guidance
The Data Protection Bill
Follow its progress and have your say
The ePrivacy directive revamp
Cookies, metadata, device fingerprinting, marketing consent
  • 42. 1. Learn the basic principles of data protection
 2. Raise awareness within your organisation
 3. Assess the information you hold
 4. Conduct an audit of processing activities
 5. Review and revamp your privacy notices
  • 43. 6. Provide for users' individual rights
 7. Review your subject access request process
 8. Review your consent and legal bases
 9. Implement PbD and DPbD principles
 10. Prevent data breaches, but prepare for them
  • 44. 11. Decide whether you need a DPO
 12. Review international data transfer structures
 13. Learn the warning signs of GDPRubbish
 14. Keep an eye on legal and political changes
 15. Become your organisation's privacy champion