This document summarizes a presentation given on GDPR legislation. The key points are: - GDPR introduces significant changes to data protection law, including expanded definitions of personal data, new lawful processing categories, increased fines and penalties, and enhanced data subject rights. - Organizations need to undertake various preparations activities to achieve GDPR compliance, including data discovery, policy reviews, training, and documenting accountability records. - Specific processes like risk assessments, breach notifications, and respecting data subject rights around access, rectification, objection and erasure must be established. Proper documentation will be critical to demonstrate compliance.

1. IRIS Customer Conference
GDPR – Game Changing Legislation
Will Richmond-Coggan, Pitmans Law
27 March 2018

2. GDPR – Game Changing Legislation
We’re lawyers, so we always start with a disclaimer.
The guidance that follows is in the nature of general information about
the subject matter concerned – it is invariably the case that detailed
legal advice requires a lot of fact-sensitive information that we will not
have while discussing points today. As such, no reliance should be
placed on the guidance given in this talk without first taking such
detailed advice.
Nevertheless, feel free to ask questions, even those embarrassing
ones on behalf of your “friend” who couldn’t make it – it will help us to
make sure that the content is as relevant as possible!

3. General overview – this talk
I am going to cover as much of the following as
possible!
• An introduction to key concepts / main changes
• Outlining a roadmap to GDPR readiness
• The data subject’s rights

4. Core Concept – Personal data
• Now includes identification numbers, location, online identifiers
and factors specific to the individual's physical, physiological,
genetic, mental, economic, cultural or social identity.
• Still includes information about activities when linked to an
identifier
• Sensitive data now includes genetic and biometric data
• Criminal records now occupy a separate category and are
treated distinctly

5. Core Concept – Lawful processing
• Contract – necessary for the formation or performance of
a contract between the controller and subject
• Obligation – necessary for performance of a legal
obligation, or discharge of a statutory function
• Vital interests – to protect the vital interests of the data
subject or someone else
• Legitimate interests – of the data processor and
controller, but only where other rights aren’t affected

6. Lawful processing (cont.) – Consent
• Consent must be freely given, specific, informed and
unambiguous by “some form of clear affirmative action”
• It cannot be signified by inaction, silence or be a pre-
condition to other actions
• It must be as easy for a subject to withdraw consent as
to give it – form and substance
• Remember that processing under consent gives the data
subject wider rights than other lawfulness gateways

7. General overview – the legislation
Key game-changers brought in by GDPR:
• Direct accountability of data processors
• Data controller/processor distinction
• Limited scope to re-allocate risk contractually
• Territorial extent
• The “Global” Data Protection Regulation?
• Third countries – nomination of a data regulator
• And (of course) Brexit!

8. General overview – the legislation
Key game-changers brought in by GDPR:
• Breach notification and record keeping
• “Accountability principle” – document intensive
• Mandatory notification – data regulator
• Mandatory notification – data subjects
• Consequences are broader
• Wider fines – the greater of EUR 10m or 2% of global group
turnover for “minor” issues, it’s 4% / EUR 20m for major ones!
• ICO audits; data subject compensation; reputation

9. Get ready with… D… P… R…

10. Roadmap - Data discovery
Headline points:
• What is “personal data”
• Identification of an individual or information about activities
• Where should the data be located…
• Think about local drives, servers, cloud services, portable
• …where else is it actually…
• Think about personal devices, webmail, pen drives, offshore
• …and data flows
• Internal/external, compliant processing chains, cross-border

11. Roadmap – Policies for compliance
Headline points:
• Compliance with standards
• e.g. Cyber-Essentials, ISO 27001, BS 10012:2017
• GDPR-specific procedures
• Consent management, privacy protection systems, notifications
• Policy and process review
• System capabilities, gap analysis, develop and implement
• Training and awareness at all levels
• “Baked in” compliance – privacy by design and by default

12. Roadmap – Record keeping
Headline points:
• Accountability principle
• Have to be able to “show” as well as “do”
• Records are essential
• Of data held, decisions taken, policies and procedures
• ICO ability to audit
• Including onsite inspection and requiring delivery of information
• As part of a supply chain
• Accountability up and down the chain

13. Processes – Risk assessment
• Identify each of the processes of your business which
engage personal data
• Do you process as controller or processor – what is the
lawfulness gateway?
• Is the processing proportionate to the objectives?
• What measures of safeguarding are appropriate –
anonymisation/pseudonymisation; encryption;
permissions; policies

14. Processes – Breach notification
• Now mandatory for breaches: “leading to the destruction,
loss, alteration, unauthorised disclosure of, or access to,
personal data”
• Notification must be made within 72 hours of detection
• Data subjects must also be notified “without undue
delay” where the breach poses a high risk to their rights
• Think about the steps that will need to be taken in those
72 hours – processes need to be in place already

15. The Data Subject’s Journey
Inform
Access Rectify
Restrict Transfer
Object Erase

16. With Pitmans Law you can be assured of the quality of advice and service
you demand from a city law firm – but with a distinction. The courage to stand apart, to
think and act personably, with an uncompromising focus on achieving outstanding client
outcomes. We say what we mean, matching our behaviours to our words.
Established for over 150 years, Pitmans Law is headquartered in Reading with offices in
London and Southampton. The lower overheads of a regional office ensure we can
provide city quality legal advice at a competitive price to deliver exceptional value for our
corporate and private clients locally, nationally and internationally.
Pitmans provides legal advice to address our clients’ needs across a wide range
of industry sectors and specialisms including particularly strong specialist teams in
pensions advisory, real estate, dispute resolution as well as corporate and commercial
law. Our clients draw confidence from the top tier recognition Pitmans achieves in the
industry benchmarking directories, Legal 500 and Chambers UK.
Reading, London, Southampton
Pitmans Law is the founding UK member firm of the global legal network, Interact Law.
Contact us
T +44 (0)345 222 9222
E law@pitmans.com