GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors
Welcome
GDPR Breakfast Briefing
Wednesday 7 March
“the biggest change to data protection law for a generation”
Elizabeth Denham, Information Commissioner
Why GDPR now?
The Data Protection Act (1998) is built on the General Data Protection Directive.
GDPR is the General Data Protection Regulation.
1 Regulation, not 28 different variants.
“The introduction of the Data Protection Bill…will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.”
Elizabeth Denham, Information Commissioner
Some definitions
Personal Data: data that can identify a natural person directly or indirectly.
Processing: anything you do with data – even looking at it.
Special Category Data:
• Racial
• Ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade Union membership
• Genetic data
• Biometric data
• Health
• Sex life
• Sexual orientation
Responsibilities
Controller
• Know the risks to the data subject
• Manage those risks
• Demonstrate processing in line with the Regulation
• Only use processors who demonstrate adherence to the Regulation
Processor
• Implement appropriate technical and organisational measures.
• Not engage another processor without permission.
• Ensure there is a contract in place with the controller.
• Demonstrate compliance with the Regulation.
So what can businesses do?
Everything they could before
Just in a way that balances the business’ needs
with the rights of data subjects
The Principles
1. Processed lawfully, fairly and in a transparent manner: the subject must be told; processing must match the description; processing must be for one of the purposes in the regulation.
2. Collected for specified, explicit and legitimate purposes: you must define up front what the data will be used for and limit processing to only that necessary to meet that purpose.
3. Adequate, relevant and limited to what is necessary: data collected should only be that required in relation to the purposes of the processing.
4. Accurate and where necessary kept up to date: this is intended to protect the data subject from such things as wrong decisions made regarding the data subject. And it’s good business practice.
5. Retained only for as long as necessary: data is kept for no longer than is required to process it for the purpose originally stipulated.
6. Processed in an appropriate manner to maintain security: this principle links closely with the ISMS covering Confidentiality, Integrity and Availability (CIA).
Individuals’ Rights
• Right to information
• Right to access
• Right to rectification
• Right to be forgotten
• Right to restriction of processing
• Right to notification
• Right to portability
• Right to object
• Right to appropriate decision making
Lawfulness of Processing
Processing is lawful only if one of the following applies:
1. the data subject has given consent to the processing of his or her personal data for one or more
specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another
person;
5. processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden by the interests or rights and freedoms of
the data subject which require protection of personal data, in particular where the data subject is
a child.
Consent
• Consent must be unambiguous, clear and affirmative
o Must be able to demonstrate that consent was given
o Silence or inactivity does not constitute consent
o Written consent must be clear, intelligible, easily accessible,
else not binding
o Consent can be withdrawn any time, and as easy to withdraw
consent as to give.
• Take appropriate measures to “provide information in a concise,
transparent, intelligible and easily accessible form, using clear and
plain language”
Consent – specific categories of data
• Special conditions apply for children (under 16, but UK could
lower to 13) to give consent
o Appropriate parental / guardian consent
o Controller has to make reasonable efforts to verify
authorisation
• Explicit consent must be given for processing sensitive
personal data
o Now includes “genetic data” and “biometric data” where
processed to uniquely identify a person
Get Ready for GDPR
NOW!
11 weeks, 1 day, 15 hours and 15 minutes
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
GDPR Overview Assessment
• Key Factors
1. Data protection policy, responsibility and training
2. Registration, privacy notices and subject access
3. Data quality, accuracy and retention
4. Security
5. Privacy impact assessments
Business areas to assess: Legal & HR; Operations & Finance; Sales & Marketing; IT Systems.
Are you GDPR Ready?
Developing a GDPR Strategy – moving towards compliance
• Assessment
o Gaps or areas of non-compliance
o Assess risk and prioritise tasks
• Agree change programme
• Build a cross-functional team – risk, compliance, IT, legal, finance, PR
• DPO – appointment and training
• Implementation
o Update privacy notices and terms and conditions
o Update data processor clauses in contracts extending into 2018
o New policies and training for carrying out DPIAs, data security, breach handling, personal data handling and new data subject rights
GDPR Compliance Roadmap
• Know your data assets
• Map data flows and existing systems and processes that utilise personal data
• Collect existing policies, notices and vendor agreements
• Assess likely GDPR impact and identify gaps
• Conduct risk assessment and prioritise tasks
• Implementation (update documentation and vendor contracts, training and awareness etc.)
• Monitor implementation and compliance with regular compliance checks
Carry out a data audit
Know your data
• Why are you collecting it?
• Purposes
• How did you get it?
• Where do you store it?
• What do you do with it?
• Who has access to it?
• How long do you keep it?
• Where do you send it?
Documentation and Privacy by Design and Default
• Ensure and demonstrate compliance
• Maintain written records of all processing
• Adopt and implement measures which meet principles of
data protection by design and default
o Minimising processing
o Pseudonymisation
o Enable monitoring by data subject
• Data Protection Impact Assessments (DPIAs)
• Identify, Investigate and Manage a Data Breach
Data Protection Impact Assessment
• Assesses the risks to the data subject
• Mandatory
• Required:
o When implementing GDPR
o When implementing changes within your organisation
Questions to ask of your business
Have you registered with the ICO?
Tier 1 – Micro: <10 staff / £632,000 = £40
Tier 2 – SME: <250 staff / £36 million = £60
Tier 3 = £2,900
Max penalty for unpaid/incorrect fee = £4,350
Registration Fee Exemptions
• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Not-for-profit purposes
• Personal, family or household affairs
• Maintaining a public register
• Judicial functions
• Processing personal information without an automated system such as a computer
Have you updated your Privacy Policies?
Have the staff been trained in data protection awareness?
Does your business need a DPO?
Data Protection Officer (DPO)
• Public authorities (not courts)
• Private companies (controllers and processors) whose core
activities require large scale
o regular and systematic monitoring of data subjects or
o processing of sensitive personal data or data relating to
criminal convictions
• Group may appoint single DPO
Are you prepared to deal with
a data breach?
Breach Notification
• Controller to notify regulator of breaches
o without undue delay; and
o within 72 hours if feasible
unless unlikely to result in risk to rights and freedoms of individuals
• If 72 hours not feasible must provide reasoned justification
• Controller to notify data subjects without undue delay if likely to result in high risk to rights and
freedoms of individuals
• Processor to notify controller of breaches without undue delay
Fines – The Reality
• Up to (the higher of) €20m or 4% global annual turnover for infringement of:
o Core principles
o Consent
o Data subjects’ rights
o International transfers
o Non-compliance with certain regulator orders
• Up to (the higher of) €10m or 2% global annual turnover for other breaches
• Not having records in place
• Failure to notify ICO (local Supervisory Authority)
• Not doing a DPIA
• Individuals’ actions
• Class actions
Fines – The Reality
• Issuing fines has always been and will continue to be, a last resort.
• Last year (2016/2017) 17,300 cases - 16 resulted in fines for the organisations concerned.
• Not yet invoked maximum powers.
“We intend to use those powers proportionately and judiciously” - Denham
• Suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.
• Reputational damage.
What value can GDPR add to your business?
What are you going to do next?
Information Governance Services
Data Mapping
Business Intelligence systems to establish long term change
Tony Betts – Thursday 7 March 2018
06.06.2017
Information Governance Support
07.03.2018
What is the key difference between DPA and GDPR?
DPA: compliant until proven not to be.
GDPR: must prove compliance from day 1.
Key Legislative Changes – Managing our Data
Records of Processing Activities [Article 30]
This is the mechanism which requires organisations to evidence compliance with the GDPR.
Records of Processing Activity:
• Information Asset Register
• Data Flow Mapping
• ‘Privacy by Design’ elements
• Categories of Data
• Recipients / Subjects
• Legal Basis / Conditions for processing
What does the GDPR say?
• Recital 82: In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Contents of the record: categories of data; name and contact details; categories of recipient; security measures; purposes of processing; transfers & safeguards; retention.
Data Mapping - a foundational activity
Data mapping underpins: privacy notices, individual rights, data breach, DPIAs, privacy by design, minimisation.
Practical considerations
• When to start?
• When are we finished?
• Who is involved?
• How to maintain records?
• Manual vs automation?
Benefits
• Better data
• Privacy maturity
• Accountability
• Quicker response
• GDPR enablement
Accountability
• The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
Accountability is supported by: appropriate measures, data mapping, DPO, privacy by design, DPIA, codes of conduct.
Where do we start?
Requirement / Activity
• Know what data you use and how you use it: Ensure you have an Information Asset Register & map your data flows fully to create your Records of Processing Activity
• Privacy by Design: Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, outsourcing, risk etc.)
• Roles & Responsibility: Appoint a Data Protection Officer
• Training & Awareness: Arrange training for staff to ensure their understanding of the requirements of the GDPR, an on-going requirement
• Incident Management: Have a robust policy and process to manage security incidents
So what tools are there to use?
Product/Tool – Description
• CyberComply by Vigilant: A very good tool developed in conjunction with industry experts; provides everything required for GDPR and ISO27001 compliance. https://www.vigilantsoftware.co.uk/topic/cyber-comply
• OneTrust – Data Mapping Automation: Another good tool in use in a lot of organisations and fully compliant with GDPR articles. https://onetrust.com/products/data-mapping/
• Spirion: A good tool for data mapping used by over 10,000 organisations. https://www.spirion.com/compliance/gdpr/
• Use your own Data Mapping Methodology: Information gathering and initial consultation, legal requirements, legal assessment and follow up, and mapping
Simplify
We have the knowledge and experience to simplify your challenges
Developing your GDPR Policies and procedures to help drive compliance
Your Privacy Policy – First contact - Collecting Personal Data.
Transparency in the who, what, how and why?
• Any communications with a data subject must be concise, transparent, intelligible – plain language.
• You must be transparent in providing information about yourself and the purposes of your processing
• Controller must provide data subject with information about their rights
What information do you need to include in your Privacy Policy?
You must provide (amongst others) in your Privacy Policy, in clear and understandable form:
• Identity and contact details of controller – who you are
• Purpose of processing
• What lawful basis you are relying on to process data
• Categories of personal data held
• Who the recipients might be (third parties?)
• If it is being transferred outside of the EU and how it is protected
• How long it will be stored for
• What rights the data subject has and how to exercise them – and withdraw
• The right to complain to the regulator
Getting the right Consent
Granular…
• Who you are
• Marketing Materials
• Promotions
• Opt-ins - method (e-mail etc.)
• Third parties
Stay United – A bit too much?
Mandatory Requirements
• Providing information to a data subject is a requirement of the GDPR.
• The easiest way to do so is through a Privacy Policy.
• Under the GDPR specific information needs to be included in your privacy policy.
Creating your Privacy Policy
What should be in your Privacy Policy?
…what type of information are you collecting and why.
You need a “Lawful Basis” for Processing
In order to comply with the GDPR you must have a lawful basis in order to collect and process an individual’s personal data.
You need to choose and record the most appropriate lawful basis for your business:
• Consent - to process data for a specific agreed purpose
• Contract – processing necessary for a contract you have with a DS
• Legitimate Interests
• Vital Interests (Life or Death situation)
• Public Interest
• Legal obligations
In practice, other than consent, you are most likely to rely on the performance of a contract or legitimate interests.
1. CONSENT
Do you need consent?
Direct Marketing ….CONSENT REQUIRED
• New Services / Product Information / Sales information
• Newsletters (with adverts)
• Offers and Promotions
• Services not directly related to those you are already providing
Marketing relating to services you are providing
• marketing specifically relating to products and services that current
customers have bought from you.
Give clear details about your marketing activities…
You need to be very clear if you are processing sensitive data
Other lawful grounds - Contract
CONTRACTUAL
“processing of Personal Data is necessary for the performance of a contract to which the individual is a party or
for the Controller to take pre-contractual steps at the request of the individual.”
PRE-CONTRACTUAL
“…pre-contractual steps at the request of the individual”
e.g. processing data to follow up on an estimate / provide a quote
Any current contracts to supply goods or services or to fulfil obligations under an employment contract.
But the only necessary processing would be to make that contract work. Can’t assume that we can send
marketing e-mails because the person signed the contract.
Performance of a Contract: Examples
An individual shopping around for car insurance requests a quotation. The
insurer needs to process certain data in order to prepare the quotation,
such as the make and age of the car.
When a data subject makes an online purchase, a controller processes the
address of the individual in order to deliver the goods.
This is necessary in order to perform the contract.
Telling people you will process their data in the
performance of their contract with you…
Relying on Legitimate Interests
“controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise
their offers and ultimately, offer products and services that better meet the needs and desires of the customers”
• So what types of processing could be on the basis of legitimate interest?
• The most prevalent categories of legitimate interest i) fraud detection, money laundering and prevention and ii) website information
and system security – general security / IT security.
• Use of Employment Data - necessary for employee operational administration. Also e.g. call recording and monitoring for call centre
employees’ training and development purposes.
• B2B – event marketing and planning
• Others… suppression, updating customer details, product development, website development and personalisation, web analytics, intra-group transfers, or IT security as potential legitimate interests.
Explain how you use data and on what lawful basis
you process it…
Make it clear where you are relying on legitimate
interest to process their data
Be clear where you share data with Third Party Processors
Data Processing Contracts – Your safeguard to protect your customer / employee data
• Where processing is to be carried out on behalf of a controller, that processing must be governed by a contract.
• That contract must set out:
o Subject matter of the data processing
o Duration of the processing
o The nature and purpose of the processing
o Type of personal data
o Categories of data subjects
o Only process on your instructions - Not pass data to third party without consent
o That they will take all appropriate technical and organisational measures;
o Keep data secure
o Ensure that you can comply with data subjects’ rights – SARs / Erasure
Who processes your data?
• Any time a service or administrative function is outsourced to a third-party, there could be personal data being transferred. This includes outsourcing to:
o payroll providers
o hosting providers
o other third party service providers
• Where any such processing is then sub-contracted out to a third party, the same data processing obligations must be passed on to the sub-contractor. If the sub-processor fails to fulfil its obligations, the data controller is liable.
• N.B. Sharing data requires a processing agreement.
Data transfers outside of the EEA
• The GDPR imposes restrictions on the transfer of personal data outside the European Union:
• Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in the GDPR.
• Generally:
o A GDPR compliant processing contract in place
o An adequate level of protection (a country, or one or more specific sectors in a third country, or an international organisation which ensures an adequate level of protection / data protection controls.)
Data Retention – How long can you hold client data?
How long can you hold their data?
• Personal data that you process should not be kept for longer than is necessary for that purpose.
• Unless you obtain consent to retain personal data for a longer period:
- Marketing Activity - Immediately
- Contact data – [x] years.
- Website data [x] years following the date of last contact or dealing.
- Enquiry data will be retained for [x] months following the date of last contact.
- Payment data
- Employment data
- Other
• Question. How long do you need to retain data for? Can you minimize the data you hold?
• Do you need consent to hold that data for longer than might be deemed “legitimate interest” or in the performance of a
contract?
Other requirements - Access requests
Other requirements - Eight rights of data subjects
Other requirements - Information and DPO
Contract Management
• Review Privacy Policies and Consent (data collection forms)
Can you rely on existing consents? Is consent…
- Easy to understand / Unbundled / opt-in / Granular / Named / easy to withdraw / Recorded
- Is the data subject well informed about: how you plan to use data / how it will be processed / how long it will be
kept for / their Data Subject Rights
• Review and update your existing Privacy Policies
Employee Handbook / Managing GDPR Handbook (SARs / Breaches etc.)
• Review Agreements with Partners
- Requirement for Data Processing Agreements
- Have suitable GDPR processing clauses been included (e.g. right to be forgotten)
- Risk of non-compliance (up and down the supply chain)
• Review your own Terms and Conditions – reduce risk (customer relationship) / Insurance?
Panel
Question & Answer
Some of your questions
1. If businesses aren’t sure whether they have GDPR compliant consent for their e-mail mailing lists how do they go about
getting people to re-consent?
2. There is some confusion around whether business e-mail addresses are personal data. What do the rules say?
3. There’s quite a bit in the GDPR about retention and data minimisation, can you give some basic guidance on how long
businesses can keep customer data for.
4. Will most businesses need a DPO and who should be nominated?
5. Given that data breach reporting is mandatory, what constitutes a data breach and do they all really have to be reported?
6. What is the best way to document procedures for all the different elements that GDPR affects, e.g. is it best to have a GDPR register of some sort or just document each area separately as part of a business area e.g. employment, quality control, transport etc?
7. We currently publish our staff directory on our website – we don’t have consent to do this. Under the new GDPR would
this be classed as excessive and should the directory be taken down? Or should we be looking at obtaining consent?
8. I know that GDPR covers data held on systems/emails etc. but what about corresponding paper records please? I can’t find
that much definitive advice around this.

 
Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18Jon Rathbone
 
An introduction to data protection - Edinburgh
An introduction to data protection - EdinburghAn introduction to data protection - Edinburgh
An introduction to data protection - EdinburghRachel Aldighieri
 

Similaire à GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors (20)

GDPR: What does it mean for your business?
GDPR: What does it mean for your business?GDPR: What does it mean for your business?
GDPR: What does it mean for your business?
 
GDPR: What does it mean for your business?
GDPR: What does it mean for your business?GDPR: What does it mean for your business?
GDPR: What does it mean for your business?
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, Exeter
 
Media_644046_smxx (1).pptx
Media_644046_smxx (1).pptxMedia_644046_smxx (1).pptx
Media_644046_smxx (1).pptx
 
GDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to Compliance
 
Reddico GDPR Presentation
Reddico GDPR PresentationReddico GDPR Presentation
Reddico GDPR Presentation
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protection
 
3A – DATA PROTECTION: ADVICE
3A – DATA PROTECTION: ADVICE3A – DATA PROTECTION: ADVICE
3A – DATA PROTECTION: ADVICE
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 Introduction to EU General Data Protection Regulation: Planning, Implementat... Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
What does the GDPR mean for charity communicators? | Scotland Networking Grou...
What does the GDPR mean for charity communicators? | Scotland Networking Grou...What does the GDPR mean for charity communicators? | Scotland Networking Grou...
What does the GDPR mean for charity communicators? | Scotland Networking Grou...
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)
 
GDPR: the Steps Event Planners Need to Follow
GDPR: the Steps Event Planners Need to FollowGDPR: the Steps Event Planners Need to Follow
GDPR: the Steps Event Planners Need to Follow
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
GDPR webinar presentation | LawBite
GDPR webinar presentation | LawBiteGDPR webinar presentation | LawBite
GDPR webinar presentation | LawBite
 
Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18
 
An introduction to data protection - Edinburgh
An introduction to data protection - EdinburghAn introduction to data protection - Edinburgh
An introduction to data protection - Edinburgh
 

Dernier

Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsP&CO
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...Brian Solis
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHelene Heckrotte
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxJemalSeid25
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023Steve Rader
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato pptElizangelaSoaresdaCo
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.mcshagufta46
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfHajeJanKamps
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView
 

Dernier (20)

Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizations
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptx
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhang
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato ppt
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
 

GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors

  • 5. “the biggest change to data protection law for a generation” Elizabeth Denham, Information Commissioner
  • 7. Why GDPR? The Data Protection Act (1998) is built on the General Data Protection Directive. GDPR is the General Data Protection Regulation: 1 Regulation, not 28 different variants.
  • 8. “The introduction of the Data Protection Bill…will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.” Elizabeth Denham, Information Commissioner
  • 9. Some definitions
    Personal Data: Data that can identify a natural person directly or indirectly
    Processing: Anything you do with data – even looking at it
    Special Category Data:
      • Racial
      • Ethnic origin
      • Political opinions
      • Religious or philosophical beliefs
      • Trade Union membership
      • Genetic data
      • Biometric data
      • Health
      • Sex life
      • Sexual orientation
  • 10. Responsibilities
    Controller
      • Know the risks to the data subject
      • Manage those risks
      • Demonstrate processing in line with the Regulation
      • Only use processors who demonstrate adherence to the Regulation
    Processor
      • Implement appropriate technical and organisational measures.
      • Not engage another processor without permission.
      • Ensure there is a contract in place with the controller.
      • Demonstrate compliance with the Regulation.
  • 11. So what can businesses do?
  • 12. Everything they could before Just in a way that balances the business’ needs with the rights of data subjects
  • 13. The Principles
    1. Processed lawfully, fairly and in a transparent manner: the subject must be told; processing must match the description; processing must be for one of the purposes in the regulation.
    2. Collected for specified, explicit and legitimate purposes: must define up front what the data will be used for and limit processing to only that necessary to meet that purpose.
    3. Adequate, relevant and limited to what is necessary: data collected should only be that required in relation to the purposes of the processing.
    4. Accurate and where necessary kept up to date: this is intended to protect the data subject from such things as wrong decisions made regarding the data subject. And it’s good business practice.
    5. Retained only for as long as necessary: data is kept for no longer than is required to process it for the purpose originally stipulated.
    6. Processed in an appropriate manner to maintain security: this principle links closely with the ISMS covering Confidentiality, Integrity and Availability (CIA).
  • 14. Individuals’ Rights
    • Right to information
    • Right to access
    • Right to rectification
    • Right to be forgotten
    • Right to restriction of processing
    • Right to notification
    • Right to portability
    • Right to object
    • Right to appropriate decision making
  • 15. Lawfulness of Processing. Processing is lawful only if one of the following applies:
    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject or of another person;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • 16. Consent
    • Consent must be unambiguous, clear and affirmative
      o Must be able to demonstrate that consent was given
      o Silence or inactivity does not constitute consent
      o Written consent must be clear, intelligible, easily accessible, else not binding
      o Consent can be withdrawn any time, and it must be as easy to withdraw consent as to give it.
    • Take appropriate measures to “provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language”
  • 17. Consent – specific categories of data
    • Special conditions apply for children (under 16, but UK could lower to 13) to give consent
      o Appropriate parental / guardian consent
      o Controller has to make reasonable efforts to verify authorisation
    • Explicit consent must be given for processing sensitive personal data
      o Now includes “genetic data” and “biometric data” where processed to uniquely identify a person
  • 18. Lawfulness of Processing. Processing is lawful only if one of the following applies:
    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject or of another person;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • 19. Get Ready for GDPR NOW! 11 Weeks, 1 day, 15 hours, and 15 minutes
  • 21. GDPR Overview Assessment
    • Key Factors
      1. Data protection policy, responsibility and training
      2. Registration, privacy notices and subject access
      3. Data quality, accuracy and retention
      4. Security
      5. Privacy impact assessments
    Business areas: Legal & HR; Operations & Finance; Sales & Marketing; IT Systems
    Are you GDPR Ready?
  • 22. Developing a GDPR Strategy – moving towards compliance
    • Assessment
      o Gaps or areas of non-compliance
      o Assess risk and prioritise tasks
    • Agree change programme
    • Build a cross-functional team – risk, compliance, IT, legal, finance, PR
    • DPO – appointment and training
    • Implementation
      o Update privacy notices and terms and conditions
      o Update data processor clauses in contracts extending into 2018
      o New policies and training for carrying out DPIAs, data security, breach handling, personal data handling and new data subject rights
  • 23. GDPR Compliance Roadmap
    • Know your data assets
    • Map data flows and existing systems and processes that utilise personal data
    • Collect existing policies, notices and vendor agreements
    • Assess likely GDPR impact and identify gaps
    • Conduct risk assessment and prioritise tasks
    • Implementation (update documentation and vendor contracts, training and awareness etc.)
    • Monitor implementation and compliance with regular compliance checks
  • 24. Carry out a data audit
  • 25. Know your data
    • Why are you collecting it? Purposes
    • How did you get it?
    • Where do you store it?
    • What do you do with it?
    • Who has access to it?
    • How long do you keep it?
    • Where do you send it?
  • 26. Documentation and Privacy by Design and Default
    • Ensure and demonstrate compliance
    • Maintain written records of all processing
    • Adopt and implement measures which meet principles of data protection by design and default
      o Minimising processing
      o Pseudonymisation
      o Enable monitoring by data subject
    • Data Protection Impact Assessments (DPIAs)
    • Identify, Investigate and Manage a Data Breach
  • 27. Data Protection Impact Assessment
    • Assesses the risks to the data subject
    • Mandatory
    • Required:
      • When implementing GDPR
      • When implementing changes within your organisation
  • 28. Questions To ask of your business
  • 29. Have you registered with the ICO?
    Tier 1 – Micro: <10 Staff / £632,00 = £40
    Tier 2 – SME: <250 Staff / £36million = £60
    Tier 3 = £2,900
    Max penalty for unpaid/incorrect fee = £4,350
  • 30. Registration Fee Exemptions
    • Staff administration
    • Advertising, marketing and public relations
    • Accounts and records
    • Not-for-profit purposes
    • Personal, family or household affairs
    • Maintaining a public register
    • Judicial functions
    • Processing personal information without an automated system such as a computer
  • 31. Have you updated your Privacy Policies?
  • 32. Have the staff been trained in data protection awareness?
  • 33. Does your business need a DPO?
  • 34. Data Protection Officer (DPO)
    • Public authorities (not courts)
    • Private companies (controllers and processors) whose core activities require large scale
      o regular and systematic monitoring of data subjects, or
      o processing of sensitive personal data or data relating to criminal convictions
    • Group may appoint single DPO
  • 35. Are you prepared to deal with a data breach?
  • 36. Breach Notification
    • Controller to notify regulator of breaches
      o without undue delay; and
      o within 72 hours if feasible, unless unlikely to result in risk to rights and freedoms of individuals
    • If 72 hours not feasible, must provide reasoned justification
    • Controller to notify data subjects without undue delay if likely to result in high risk to rights and freedoms of individuals
    • Processor to notify controller of breaches without undue delay
  • 37. Fines – The Reality
    • Up to (the higher of) €20m or 4% global annual turnover for infringement of:
      o Core principles
      o Consent
      o Data subjects’ rights
      o International transfers
      o Non-compliance with certain regulator orders
    • Up to (the higher of) €10m or 2% global annual turnover for other breaches
      • Not having records in place
      • Failure to notify ICO (local Supervisory Authority)
      • Not doing a DPIA
    • Individuals’ actions
    • Class actions
  • 38. Fines – The Reality
    • Issuing fines has always been, and will continue to be, a last resort.
    • Last year (2016/2017) 17,300 cases - 16 resulted in fines for the organisations concerned.
    • Not yet invoked maximum powers. “We intend to use those powers proportionately and judiciously” - Denham
    • Suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.
    • Reputational damage.
  • 39. What value can GDPR add to your business?
  • 40. What are you going to do next?
  • 41. Information Governance Services Data Mapping Business Intelligence systems to establish long term change Tony Betts – Thursday 7 March 2018 06.06.2017 Information Governance Support 07.03.2018
  • 42. What is the key difference between DPA and GDPR? DPA Compliant until proven not to be GDPR must prove compliance from day 1
  • 43. Key Legislative Changes – Managing our Data. Records of Processing Activities [Article 30]: this is the mechanism which requires organisations to evidence compliance with the GDPR.
    RECORDS OF PROCESSING ACTIVITY
      • Information Asset Register
      • Data Flow Mapping
      • ‘Privacy by Design’ elements
      • Categories of Data
      • Recipients / Subjects
      • Legal Basis / Conditions for processing
  • 44. What does the GDPR say?
    • Recital 82
    • In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
    Record contents: Categories of data; Name and contact details; Categories of recipient; Security measures; Purposes of processing; Transfers & safeguards; Retention
  • 45. Data Mapping - a foundational activity. Data Mapping underpins: Privacy notices; Individual rights; Data breach; DPIAs; Privacy by design; Minimisation
  • 46. Practical considerations: When to start? When are we finished? Who is involved? How to maintain records? Manual vs automation?
  • 48. Accountability
    • The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
    Accountability elements: Appropriate measures; Data mapping; DPO; Privacy by design; DPIA; Codes of conduct
  • 49. Where do we start?
    Requirement: Know what data you use and how you use it
      Activity: Ensure you have an Information Asset Register and map your data flows fully to create your Records of Processing Activity
    Requirement: Privacy by Design
      Activity: Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, outsourcing, risk etc.)
    Requirement: Roles & Responsibility
      Activity: Appoint a Data Protection Officer
    Requirement: Training & Awareness
      Activity: Arrange training for staff to ensure their understanding of the requirements of the GDPR, an on-going requirement
    Requirement: Incident Management
      Activity: Have a robust policy and process to manage security incidents
  • 50. So what tools are there to use?
    CyberComply by Vigilant: A very good tool developed in conjunction with industry experts; provides everything required for GDPR and ISO27001 compliance. https://www.vigilantsoftware.co.uk/topic/cyber-comply
    OneTrust – Data Mapping Automation: Another good tool in use in a lot of organisations and fully compliant with GDPR articles. https://onetrust.com/products/data-mapping/
    Spirion: A good tool for data mapping used by over 10,000 organisations. https://www.spirion.com/compliance/gdpr/
    Use your own Data Mapping Methodology: Information gathering and initial consultation, legal requirements, legal assessment and follow up, and mapping
  • 51. Simplify We have the knowledge and experience to simplify your challenges
  • 52. Developing your GDPR Policies and procedures to help drive compliance
  • 53. Your Privacy Policy – First contact - Collecting Personal Data. Transparency in the who, what, how and why?
    • Any communications with a data subject must be concise, transparent, intelligible – plain language.
    • You must be transparent in providing information about yourself and the purposes of your processing
    • Controller must provide data subject with information about their rights
  • 54. What information do you need to include in your Privacy Policy? You must provide (amongst others) in your Privacy Policy, in clear and understandable form:
    • Identity and contact details of controller – who you are
    • Purpose of processing
    • What lawful basis you are relying on to process data
    • Categories of personal data held
    • Who the recipients might be (third parties?)
    • If it is being transferred outside of the EU and how it is protected
    • How long it will be stored for
    • What rights the data subject has and how to exercise them – and withdraw
    • The right to complain to the regulator
  • 56. Granular…
    • Who you are
    • Marketing Materials
    • Promotions
    • Opt-ins - method (e-mail etc.)
    • Third parties
  • 58. Stay United – A bit too much?
  • 59. Creating your Privacy Policy – Mandatory Requirements
    • Providing information to a data subject is a requirement of the GDPR.
    • The easiest way to do so is through a Privacy Policy.
    • Under the GDPR specific information needs to be included in your privacy policy.
  • 60. What should be in your Privacy Policy? …what type of information are you collecting and why.
  • 61. You need a “Lawful Basis” for Processing. In order to comply with the GDPR you must have a lawful basis in order to collect and process an individual’s personal data. You need to choose and record the most appropriate lawful basis for your business:
    • Consent - to process data for a specific agreed purpose
    • Contract – processing necessary for a contract you have with a DS
    • Legitimate Interests
    • Vital Interests (Life or Death situation)
    • Public Interest
    • Legal obligations
    In practice, other than consent, you are most likely to rely on the performance of a contract or legitimate interests.
  • 62. 1. CONSENT. Do you need consent?
    Direct Marketing ….CONSENT REQUIRED
      • New Services / Product Information / Sales information
      • Newsletters (with adverts)
      • Offers and Promotions
      • Services not directly related to those you are already providing
    Marketing relating to services you are providing
      • marketing specifically relating to products and services that current customers have bought from you.
  • 64. You need to be very clear if you are processing sensitive data
  • 65. Other lawful grounds - Contract
    CONTRACTUAL: “processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take pre-contractual steps at the request of the individual.”
    PRE-CONTRACTUAL: “…pre-contractual steps at the request of the individual”, e.g. processing data to follow up on an estimate / provide a quote.
    Any current contracts to supply goods or services or to fulfil obligations under an employment contract. But the only necessary processing would be to make that contract work. Can’t assume that we can send marketing e-mails because the person signed the contract.
  • 66. Performance of a Contract: Examples
    • An individual shopping around for car insurance requests a quotation. The insurer needs to process certain data in order to prepare the quotation, such as the make and age of the car.
    • When a data subject makes an online purchase, a controller processes the address of the individual in order to deliver the goods. This is necessary in order to perform the contract.
  • 67. Telling people you will process their data in the performance of their contract with you…
  • 68. Relying on Legitimate Interests
    “controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers”
    • So what types of processing could be on the basis of legitimate interest?
    • The most prevalent categories of legitimate interest: i) fraud detection and money laundering prevention, and ii) website information and system security – general security / IT security.
    • Use of employment data – necessary for employee operational administration. Also e.g. call recording and monitoring for call centre employees’ training and development purposes.
    • B2B – event marketing and planning
    • Others… suppression, updating customer details, product development, website development and personalisation, web analytics, intra-group transfers, or IT security as potential legitimate interests.
  • 69. Explain how you use data and on what lawful basis you process it…
  • 70. Make it clear where you are relying on legitimate interest to process their data
  • 71. Be clear where you share data with Third Party Processors
  • 72. Data Processing Contracts – Your safeguard to protect your customer / employee data
    • Where processing is to be carried out on behalf of a controller, that processing must be governed by a contract.
    • That contract must set out:
      • Subject matter of the data processing
      • Duration of the processing
      • The nature and purpose of the processing
      • Type of personal data
      • Categories of data subjects
      • Only process on your instructions – not pass data to a third party without consent
      • That they will take all appropriate technical and organisational measures; keep data secure
      • Ensure that you can comply with data subjects’ rights – SARs / Erasure
  • 73. Who processes your data?
    • Any time a service or administrative function is outsourced to a third party, there could be personal data being transferred. This includes outsourcing to:
      • payroll providers
      • hosting providers
      • other third-party service providers
    • Where any such processing is then sub-contracted out to a third party, the same data processing obligations must be passed on to the sub-contractor. If the sub-processor fails to fulfil its obligations, the data controller is liable.
    • N.B. Sharing data requires a processing agreement.
  • 74. Data transfers outside of the EEA
    • The GDPR imposes restrictions on the transfer of personal data outside the European Union:
    • Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in the GDPR.
    • Generally:
      • A GDPR-compliant processing contract in place
      • An adequate level of protection (a third country, one or more specific sectors within a third country, or an international organisation which ensures an adequate level of protection / data protection controls.)
  • 76. Data Retention – How long can you hold client data?
    • Personal data that you process should not be kept for longer than is necessary for that purpose.
    • Unless you obtain consent to retain personal data for a longer period:
      - Marketing activity – immediately
      - Contact data – [x] years
      - Website data – [x] years following the date of last contact or dealing
      - Enquiry data will be retained for [x] months following the date of last contact
      - Payment data
      - Employment data
      - Other
    • Question: How long do you need to retain data for? Can you minimize the data you hold?
    • Do you need consent to hold that data for longer than might be deemed “legitimate interest” or in the performance of a contract?
  • 78. Other requirements - Access requests
  • 79. Other requirements - Eight rights of data subjects
  • 80. Other requirements - Information and DPO
  • 81. Contract Management
    • Review Privacy Policies and Consent (data collection forms)
      - Can you rely on existing consents? Is consent easy to understand / unbundled / opt-in / granular / named / easy to withdraw / recorded?
      - Is the data subject well informed about: how you plan to use data / how it will be processed / how long it will be kept for / their Data Subject Rights?
    • Review and update your existing Privacy Policies, Employee Handbook / Managing GDPR Handbook (SARs / Breaches etc.)
    • Review Agreements with Partners
      - Requirement for Data Processing Agreements
      - Have suitable GDPR processing clauses been included (e.g. right to be forgotten)?
      - Risk of non-compliance (up and down the supply chain)
    • Review your own Terms and Conditions – reduce risk (customer relationship) / Insurance?
  • 83. Some of your questions
    1. If businesses aren’t sure whether they have GDPR compliant consent for their e-mail mailing lists, how do they go about getting people to re-consent?
    2. There is some confusion around whether business e-mail addresses are personal data. What do the rules say?
    3. There’s quite a bit in the GDPR about retention and data minimisation. Can you give some basic guidance on how long businesses can keep customer data for?
    4. Will most businesses need a DPO and who should be nominated?
    5. Given that data breach reporting is mandatory, what constitutes a data breach and do they all really have to be reported?
    6. What is the best way to document procedures for all the different elements that GDPR affects, e.g. is it best to have a GDPR register of some sort or just document each area separately as part of a business area, e.g. employment, quality control, transport etc.?
    7. We currently publish our staff directory on our website – we don’t have consent to do this. Under the new GDPR would this be classed as excessive and should the directory be taken down? Or should we be looking at obtaining consent?
    8. I know that GDPR covers data held on systems/emails etc., but what about corresponding paper records please? I can’t find that much definitive advice around this.

Editor's notes

  1. Introduction to the Programme. Feedback on how people interacted when they initially met – leads onto Networking Half day on personality DISC profiling for the attendees
  2. The European General Data Protection Directive (GDPD) is now over 20 years old. This Directive is the basis of our current Data Protection Act (DPA), which came into force in 1998. As a Directive, the approach to legislating the GDPD across member states has differed significantly. This has made it increasingly difficult for EU citizens to know how their rights are protected across Europe, and for organisations to know which laws they need to comply with as they trade across the member states. The General Data Protection Regulation aims to unify those laws and have a common understanding of how Personally Identifiable Information (PII) should be managed across Europe. The new regulations come into force on 25 May 2018. All businesses in the UK that handle personal data will be expected to comply with the new regulation. The changes will require a large degree of change within many organisations, and the Information Commissioner has strongly recommended that businesses start to prepare now.
  5. THIS SLIDE BUILDS on Clicks. Processed fairly and lawfully – One of the biggest changes and as such we will cover in a section on its own. The rest of the narrative is covered on the slides – each principle builds on a click
  6. SLIDE BUILDS – CLICK TO SHOW THE CHANGES.
     Right to information – on and access to personal information. The Data Controller must provide a minimum level of information to data subjects to prove their data is fairly collected and processed. This must be made available free of charge.
     Right to access – data subjects have the right to access: a copy of their personal data, the purposes of processing, the categories of the data being processed, and the third parties who have access to, or who have received or will receive, the data.
     Right to rectification – the subject has the right to have any errors rectified, and the data controller has to ensure this is done not only in the data they have, but at any suppliers and recipients.
     Right to be forgotten – data subjects can request data to be erased without undue delay. The Data Controller has few reasons not to comply and has to satisfy the data subject that data has been removed from all possible locations.
     Right to restrict processing – this gives data subjects the right to restrict processing of their data under certain circumstances.
     Right to notification – not a right that the data subject will exercise, but a responsibility of the data controller to inform the data subject if their data is changed or the processing of data is changed. Also, if the subject invokes one of their rights, the data controller has a responsibility to inform recipients of the data of what the data subject has requested.
     Right to portability – the data controller has to be able to provide the data subject, or a person of the data subject's choosing, with the data in a commonly used machine-readable format.
     The right to object – the data controller has to provide clear routes for the data subject to raise objections about the processing of personal data. Once an objection is received, the onus is on the data controller to demonstrate the legitimacy of the processing.
     The right to appropriate decision making – data subjects have the right “not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning [them] or similarly significantly affects [them]”. So data subjects must be able to trigger human intervention.
     All of these rights are going to require the review of processes and technology. For example, can you ‘hand on heart’ say your organisation knows all the data it holds, where it all is and who it has been shared with? If I rocked up tomorrow and asked for all of my data, could you provide it quickly and cheaply?
  7. SLIDE BUILDS. Consent is only one of the lawful means of processing. There are 5 others. If it is proving hard to get consent, then either the wrong data is being collected for the wrong purpose or consent is not the appropriate basis. One of the other bases should be considered:
     2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; this is likely to be as part of a sale, insurance, mortgage etc.
     3. processing is necessary for compliance with a legal obligation to which the controller is subject; again, a mortgage.
     4. processing is necessary in order to protect the vital interests of the data subject or of another person; health would be a good example.
     5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; the law.
     6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
     CLICK – For the PA Exemption
  12. This section expands on the DPIA as one of the mandated processes in the GDPR. We need to emphasise in this section that a DPIA should not be conducted in isolation from the organisation's other risks; it should be integral to them and reference them. Mention TalkTalk. Ask how many organisations consider the risks to data when they set off on a new project.