Slideshow from GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors, on 7th March 2018 at Hilton Puckrup Hall
7. Why GDPR?
Data Protection Act(1998) is built on
the General Data Protection Directive
GDPR is the General Data Protect
Regulation
1 Regulation not 28 different variants
8. “"The introduction of the Data Protection Bill…will put in place one of the final pieces of
much needed data protection reform. Effective, modern data protection laws with robust
safeguards are central to securing the public's trust and confidence in the use of personal
information within the digital economy, the delivery of public services and the fight against
crime."
Elizabeth Denham, Information Commissioner
9. Some definitions
Personal Data ProcessingSpecial Category Data
Data that can identify a natural
person directly or indirectly
Anything you do with data –
even looking at it
• Racial
• Ethnic origin
• Political opinions
• Religious or philosophical
beliefs
• Trade Union membership
• Genetic data
• Biometric data
• Health
• Sex life
• Sexual orientation
10. Responsibilities
Controller
• Know the risks to the data subject
• Manage those risks
• Demonstrate processing inline with
regulation
• Only use processors who demonstrate
adherence the to Regulation
Processor
• Implement appropriate technical and
organisational measures.
• Not engage another processor without
permission.
• Ensure there is a contract in place with
the controller:
• Demonstrate compliance to Regulation.
12. Everything they could before
Just in a way that balances the business’ needs
with the rights of data subjects
13. The Principles
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and where necessary kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
Subject must be told. Processing must match the
description. Processing must be for one of the purposes in
the regulation.
Must define up front what the data will be used for and
limit processing to only that necessary to meet that
purpose.
Data collected should only be that required in relation to
the purposes of the processing.
This is intended to protect the data subject from such
things as wrong decisions made regarding the data subject.
And it’s good business practice.
Data is kept for no longer than is required to process it for
the purpose originally stipulated.
This principle links closely with the ISMS covering
Confidentially Integrity and Availability (CIA)
14. Individuals Rights
• Right to information
• Right to access
• Right to rectification
• Right to be forgotten
• Right to restriction of processing
• Right to notification
• Right to portability
• Right to object
• Right to appropriate decision making
15. Lawfulness of Processing
Processing is lawful only if one of the following applies:
1. the data subject has given consent to the processing of his or her personal data for one or more
specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another
person;
5. processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden by the interests or rights and freedoms of
the data subject which require protection of personal data, in particular where the data subject is
a child.
16. Consent
• Consent must be unambiguous, clear and affirmative
o Must be able to demonstrate that consent was given
o Silence or inactivity does not constitute consent
o Written consent must be clear, intelligible, easily accessible,
else not binding
o Consent can be withdrawn any time, and as easy to withdraw
consent as to give.
• Take appropriate measures to “provide information in a concise,
transparent, intelligible and easily accessible form, using clear and
plain language”
17. Consent – specific categories of data
• Special conditions apply for children (under 16, but UK could
lower to 13) to give consent
o Appropriate parental / guardian consent
o Controller has to make reasonable efforts to verify
authorisation
• Explicit consent must be given for processing sensitive
personal data
o Now includes “genetic data” and “biometric data” where
processed to uniquely identify a person
18. Lawfulness of Processing
Processing is lawful only if one of the following applies:
1. the data subject has given consent to the processing of his or her personal data for one or more
specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another
person;
5. processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden by the interests or rights and freedoms of
the data subject which require protection of personal data, in particular where the data subject is
a child.
19. Get Ready for GDPR
NOW!
11 Weeks, 1 day, 15 hours, and
15 minutes
21. GDPR Overview Assessment
• Key Factors
1. Data protection policy, responsibility
and training
2. Registration, privacy notices and
subject access
3. Data quality, accuracy and retention
4. Security
5. Privacy impact assessments
Legal & HR
Operations &
Finance
Sales &
Marketing
IT Systems
Are you
GDPR
Ready?
22. Developing a GDPR Strategy –
moving towards compliance
• Assessment
o Gaps or areas of non-compliance
o Assess risk and prioritise tasks
• Agree change programme
• Build a cross-functional team – risk, compliance, IT, legal, finance, PR
• DPO – appointment and training
• Implementation
o Update privacy notices and terms and conditions
o Update data processor clauses in contracts extending into 2018
o New policies and training for carrying out DPIAs, data security, breach handling, personal data
handling and new data subject rights
23. GDPR Compliance Roadmap
•Know your data assets
•Map data flows and existing systems and processes that utilise personal data
•Collect existing policies, notices and vendor agreements
•Assess likely GDPR impact and identify gaps
•Conduct risk assessment and prioritise tasks
•Implementation (update documentation and vendor contracts, training and awareness etc.)
•Monitor implementation and compliance with regular compliance checks
25. Know your data
• Why are you collecting it?
• Purposes
• How did you get it?
• Where do you store it?
• What do you do with it?
• Who has access to it?
• How long do you keep it?
• Where do you send it?
26. Documentation and Privacy by Design and Default
• Ensure and demonstrate compliance
• Maintain written records of all processing
• Adopt and implement measures which meet principles of
data protection by design and default
o Minimising processing
o Pseudonimisation
o Enable monitoring by data subject
• Data Protection Impact Assessments (DPIAs)
• Identify, Investigate and Manage a Data Breach
27. Data Protection Impact Assessment
• Assesses the risks to the data subject
• Mandatory
• Required:
• When implementing GDPR
• When implementing changes within
your organisation
29. Have you registered with the ICO?
Tier 1 – Micro <10 Staff/£632,00 = £40
Tier 2 – SME <250 Staff/£36million = £60
Tier 3 = £2,900
Max penalty for unpaid/incorrect fee = £4,350
30. Registration Fee Exemptions
• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Not-for-profit purposes
• Personal, family or household affairs
• Maintaining a public register
• Judicial functions
• Processing personal information without an automated
system such as a computer
34. Data Protection Officer (DPO)
• Public authorities (not courts)
• Private companies (controllers and processors) whose core
activities require large scale
o regular and systematic monitoring of data subjects or
o processing of sensitive personal data or data relating to
criminal convictions
• Group may appoint single DPO
36. Breach Notification
• Controller to notify regulator of breaches
o without undue delay; and
o within 72 hours if feasible
unless unlikely to result in risk to rights and freedoms of individuals
• If 72 hours not feasible must provide reasoned justification
• Controller to notify data subjects without undue delay if likely to result in high risk to rights and
freedoms of individuals
• Processor to notify controller of breaches without undue delay
37. Fines – The Reality
• Up to (the higher of) €20m or 4% global annual turnover for infringement of:
o Core principles
o Consent
o Data subjects’ rights
o International transfers
o Non-compliance with certain regulator orders
• Up to (the higher of) €10m or 2% global annual turnover for other breaches
• Not having records in place
• Failure to notify ICO (local Supervisory Authority)
• Not doing a DPIA
• Individuals’ actions
• Class actions
38. Fines – The Reality
• Issuing fines has always been and will continue to be, a last resort.
• Last year (2016/2017) 17,300 cases - 16 resulted in fines for the organisations concerned.
• Not yet invoked maximum powers.
“We intend to use those powers proportionately and judiciously” - Denham
• Suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.
• Reputational damage.
41. Information Governance Services
Data Mapping
Business Intelligence systems to establish long term change
Tony Betts – Thursday 7 March 2018
06.06.2017
Information Governance Support
07.03.2018
42. What is the key difference between
DPA and GDPR?
DPA
Compliant
until proven
not to be
GDPR must
prove
compliance
from day 1
43. Key Legislative Changes – Managing our Data
Records of Processing Activities [Article 30]
This is the mechanism which requires organisations to evidence compliance
with the GDPR
RECORDS OF PROCESSING ACTIVITY
Information Asset
Register
Data Flow
Mapping
‘Privacy by
Design’ elements
Categories of Data
Recipients/ Subjects
Legal Basis/
Conditions for processing
44. What does the GDPR say?
• Recital 82
• In order to
demonstrate
compliance with this
Regulation, the
controller or
processor should
maintain records of
processing activities
under its
responsibility. Each
controller and
processor should be
obliged to cooperate
with the supervisory
authority and make
those records, on
request, available to
it, so that it might
serve for monitoring
those processing
operations
44
Categories of
data
Name and
contact
details
Categories of
recipient
Security
measures
Purposes of
processing
Transfers &
safeguards
Retention
45. Data Mapping - a foundational activity
45
Data
Mapping
Privacy
notices
Individual
rights
Data breach
DPIAs
Privacy by
design
Minimisation
48. Accountability
• The new
accountability
principle in
Article 5(2)
requires you
to
demonstrate
that you
comply with
the principles
and states
explicitly that
this is your
responsibility.
48
Accountability
Appropriate
measures
Data
mapping
DPO
Privacy by
design
DPIA
Codes of
conduct
49. Where do we start?
Requirement Activity
Know what data you use and
how you use it
Ensure you have an information Asset Register & Map your
data flows fully to create your Records of Processing Activity
Privacy by Design Review your data and ensure that your privacy notices and
other policies align (e.g. consent, PIA, outsourcing, risk etc.)
Roles & Responsibility Appoint a Data Protection Officer
Training & Awareness Arrange training for staff to ensure their understanding of the
requirements of the GDPR, an on-going requirement
Incident Management Have a robust policy and process to manage security
incidents
50. So what tools to are there to use
Product/Tool Description
CyberComply by Vigilant A very good tool developed in conjunction with industry experts
and provides everything required for GDPR and ISO27001
compliance.
https://www.vigilantsoftware.co.uk/topic/cyber-comply
OneTrust – Data Mapping
Automation
Another good tool in use in a lot of organisations and is fully
compliant with GDPR articles.
https://onetrust.com/products/data-mapping/
Spiron A good tool for data mapping used by over 10,000 organisations
https://www.spirion.com/compliance/gdpr/
Use you own Data Mapping
Methodology
Information gathering and initial consultation, Legal requirements,
Legal Assessment and follow up and Mapping
53. Your Privacy Policy – First contact - Collecting Personal Data.
Transparency in the who,
what, how and why?
• Any communications with a data
subject must be concise,
transparent, intelligible – plain
language.
• You must be transparent in
providing information about yourself
and the purposes of your
processing
• Controller must provide data
subject with information about their
rights
54. What information do you need to include in your Privacy
Policy?
• Identity and contact details of controller – who you are
• Purpose of processing
• What lawful basis you are relying on to process data
• Categories of personal data held
• Who the recipients might be (third parties?)
• If it is being transferred outside of the EU and how it is protected
• How long it will be stored for
• What rights the data subject has and how to exercise them – and withdraw
• The right to complain to the regulator
You must provide (amongst others) in your Privacy Policy, in clear and understandable form:
59. Mandatory Requirements
• Providing information
to a data subject is a
requirement of the
GDPR.
• The easiest way to do
so is through a Privacy
Policy.
• Under the GDPR
specific information
needs to be included in
your privacy policy.
Creating your Privacy Policy
60. What should be in your Privacy Policy?
…what type of information are you collecting and why.
61. You need a “Lawful Basis” for Processing
In order to comply with the GDPR you must have a lawful basis in order to collect and process an individuals personal
data.
You need to chose and record the most appropriate lawful basis for your business
• Consent - to process data for a specific agreed purpose
• Contract – processing necessary for a contract you have with a DS
• Legitimate Interests
• Vital Interests (Life or Death situation)
• Public Interest
• Legal obligations
In practice, other than consent, you are most likely to rely on the performance of a contract or legitimate interests
62. 1. CONSENT
Do you need consent?
Direct Marketing ….CONSENT REQUIRED
• New Services / Product Information / Sales information
• Newsletters (with adverts)
• Offers and Promotions
• Services not directly related to those you are already providing
Marketing relating to services you are providing
• marketing specifically relating to products and services that current
customers have bought from you.
64. You need to be very clear if you are processing
sensitive data
65. Other lawful grounds - Contract
CONTRACTUAL
“processing of Personal Data is necessary for the performance of a contract to which the individual is a party or
for the Controller to take pre-contractual steps at the request of the individual.”
PRE-CONTRACTUAL
“…pre-contractual steps at the request of the individual”
e.g. processing data to follow up on an estimate / provide a quote
Any current contracts to supply goods or services or to fulfil obligations under an employment contract.
But the only necessary processing would be to make that contract work. Can’t assume that we can send
marketing e-mails because the person signed the contract.
66. Performance of a Contract: Examples
An individual shopping around for car insurance requests a quotation. The
insurer needs to process certain data in order to prepare the quotation,
such as the make and age of the car.
When a data subject makes an online purchase, a controller processes the
address of the individual in order to deliver the goods.
This is necessary in order to perform the contract.
67. Telling people you will process their data in the
performance of their contract with you…
68. Relying on Legitimate Interests
“controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise
their offers and ultimately, offer products and services that better meet the needs and desires of the customers”
• So what types of processing could be on the basis of legitimate interest?
• The most prevalent categories of legitimate interest i) fraud detection, money laundering and prevention and ii) website information
and system security – general security / IT security.
• Use of Employment Data - necessary for employee operational administration. Also e.g. call recording and monitoring for call centre
employees’ training and development purposes.
• B2B – event marketing and planning
• Others… suppression, updating customer details, product development website development and personalisation, web analytics,
intra-group transfers, or IT security as potential legitimate interests.
69. Explain how you use data and on what lawful basis
you process it…
70. Make it clear where you are relying on legitimate
interest to process their data
71. Be clear where you share data with Third Party Processors
72. Data Processing Contracts – Your safeguard to protect
your customer / employee data
• Where processing is to be carried out on behalf of a controller, that processing must be governed by a
contract.
• That contract must set out:
Subject matter of the data processing
Duration of the processing
The nature and purpose of the processing
Type of personal data
Categories of data subjects
Only process on your instructions - Not pass data to third party without consent
That they will take all appropriate technical and organisational measures;
Keep data secure
Ensure that you can comply with data subjects rights – SARs / Erasure
73. Who processes your data?
• Any time a service or administrative function is outsourced to a third-party,
there could be personal data being transferred. This includes outsourcing to:
payroll providers
hosting providers
Other third party service providers
• Where any such processing is then sub-contracted out to a third party, the
same data processing obligations must be passed on to the sub-contractor. If
the sub-processor fails to fulfil its obligations, the data controller is liable.
• N.B. Sharing data requires a processing agreement.
74. Data transfers outside of the EEA
• The GDPR imposes restrictions on the transfer of personal data outside the European
Union:
• Personal data may only be transferred outside of the EU in compliance with the conditions
for transfer set out in the GDPR.
• Generally:
A GDPR compliant processing contract in place
An adequate level of protection
(A country or one or more specific sectors a third country, or international
organisation which ensures an adequate level of protection / data protection controls.)
76. Data Retention – How long can you hold client data?
How long can you hold their data?
• Personal data that you process should not be kept for longer than is necessary for that purpose.
• Unless you obtain consent to retain personal data for a longer period:
- Marketing Activity - Immediately
- Contact data – [x] years.
- Website data [x] years following the date of last contact or dealing.
- Enquiry data will be retained for [x] months following the date of last contact.
- Payment data
- Employment data
- Other
• Question. How long do you need to retain data for? Can you minimize the data you hold?
• Do you need consent to hold that data for longer than might be deemed “legitimate interest” or in the performance of a
contract?
81. Contract Management
• Review Privacy Policies and Consent (data collection forms)
Can you rely on existing consents? Is consent…
- Easy to understand / Unbundled / opt-in / Granular / Named / easy to withdraw / Recorded
- Is the data subject well informed about: how you plan to use data / how it will be processed / how long it will be
kept for / their Data Subject Rights
• Review and update your existing Privacy Policies
Employee Handbook / Managing GDPR Handbook (SARs / Breaches etc.)
• Review Agreements with Partners
- Requirement for Data Processing Agreements
- Have suitable GDPR processing clauses been included (e.g. right to be forgotten)
- Risk of non-compliance (up and down the supply chain)
• Review your own Terms and Conditions – reduce risk (customer relationship) / Insurance?
83. Some of your questions
1. If businesses aren’t sure whether they have GDPR compliant consent for their e-mail mailing lists how do they go about
getting people to re-consent?
2. There is some confusion around whether business e-mail addresses are personal data. What do the rules say?
3. There’s quite a bit in the GDPR about retention and data minimisation, can you give some basic guidance on how long
businesses can keep customer data for.
4. Will most businesses need a DPO and who should be nominated?
5. Given that data breach reporting is mandatory, what constitutes a data breach and do they all really have to be reported?
6. What is the best way to document procedures for all the different elements that GDPR affects eg. is it best to have a GDPR
register of some sort or just document each area separately as part of a business area e.g. employment, quality control,
transport etc?
7. We currently publish our staff directory on our website – we don’t have consent to do this. Under the new GDPR would
this be classed as excessive and should the directory be taken down? Or should we be looking at obtaining consent?
8. I know that GDPR covers data held on systems/emails etc. but what about corresponding paper records please? I can’t find
that much definitive advice around this.
Notes de l'éditeur
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
The European General Data Protection Directive(GDPD) is now over 20 years old. This Directive is the basis of our current Data Protection Act (DPA) which came into force in 1998. As a Directive, the approach to legislating the GDPD across member states has differed significantly. This has made it increasingly difficult for EU citizens to know how their how their rights are protected across Europe and for organisations to know which laws they need to comply with as they trade across the member states.
The General Data Protection Regulation aims to unify those laws and have a common understanding of how Personally Identifiable Information (PII) should be managed across Europe. The new regulations come in to force on 25 May 2018. All businesses in the UK that handle personal data will be expected to comply with new regulation. The changes will require a large degree of change within many organisations and the Information Commissioner has strongly recommended that business start to prepare now.
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
THIS SLIDE BUILDS on Clicks.
Processed fairly and lawfully – One of the biggest changes and as such we will cover in a section on its own.
The rest of the narrative is covered on the slides – each principle builds on a click
SLIDE BUILDS CLICK TO SHOW THE CHANGES
Right to information – on and access to personal information. The Data Controller must provide a minimum level of information to data subjects to prove their data is fairly collected and processed. This must be made available free of charge.
Right to access – Data subjects have the right to access to: Copy of their personal data, the purposes of processing, categories of the data being processes and the third parties who have access or who have received will receive the data.
Right to rectification - subject has the right to have any errors rectified and the data controller has to ensure this is done not only in the data they have, but any suppliers and recipients
Right to be forgotten – data subjects can request data to be erased without undue delay. The Data Controller has few reasons not to comply and has to satisfy the data subject that data has been removed from all possible locations.
Right to restrict processing – This gives data subjects the right to restrict processing of their data under certain circumstances.
Right to notification – not a right that the data subject will exercise, but a responsibility of the data controller to inform the data subject of their data is changed or the processing of data is change. Also if the Subject invokes one of their rights the data controller has a responsibility to inform recipients of data of what the data subject has requested
Right to Portability – the data controller has to be able provide the data subject or a person of the data subjects choosing data in a commonly used machine readable format
The right to object – the data controller has top provide clear routes for the data subject to raise objections about the processing of personal. Once an objection is received the onus is onus is on the data controller to demonstrate the legitimacy of the processing.
The right to appropriate decision making – Data subjects have the right “not to be subject decisions based solely on automated processing, including profiling, which produces legal affects concerning [them] of similarly significantly affects [them]. So data subjects must be able to trigger human intervention.
All of these right are going to require the review of processes and technology. For example, can you ‘hand on heart’ say your organisation knows all the data it holds, where it all is and who it has been shared with. If I rocked up tomorrow and asked for all of my data could you provide it quickly and cheaply.
SLIDE BUILDS
Consent is only one of the lawful means of processing. There are 5 others. If it is proving had to get consent then either the wrong data is being collected for the wrong purpose or consent is not the appropriate purpose. One of the other purposes should be considered
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; This is likely to be as part of a sale, insurance, mortgage etc.
3. processing is necessary for compliance with a legal obligation to which the controller is subject; Again a mortgage
4. processing is necessary in order to protect the vital interests of the data subject or of another person; Health would be a good example
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; The law
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
CLICK – For the PA Exemption
SLIDE BUILDS
Consent is only one of the lawful means of processing. There are 5 others. If it is proving had to get consent then either the wrong data is being collected for the wrong purpose or consent is not the appropriate purpose. One of the other purposes should be considered
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; This is likely to be as part of a sale, insurance, mortgage etc.
3. processing is necessary for compliance with a legal obligation to which the controller is subject; Again a mortgage
4. processing is necessary in order to protect the vital interests of the data subject or of another person; Health would be a good example
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; The law
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
CLICK – For the PA Exemption
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
This section expands on the DPIA as one of the mandated processes in the GDPR – we need to emphasise in this section that a DPIA should not be conducted in isolation to the organisations other risks. Is should be integral and reference them.
Mention Talk Talk
Ask how many organisations consider the risks to data when they set off on a new project.
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees
Introduction to the Programme.
Feedback on how people interacted when they initially met – leads onto Networking
Half day on personality DISC profiling for the attendees