Reddico GDPR Presentation

  1. GDPR: Reddico’s Data Protection Policies

  4. Introduction to GDPR
  GDPR provides a set of guidelines for how companies should handle personal data. It gives strict rules around the processing of information for all EU residents. The British Government will be mirroring GDPR with its own set of regulations… when we leave the EU. The regulations concern all EU residents and also impact non-EU businesses processing EU data. GDPR replaces the Data Protection Act 1998.
  5. What is personal data?
  Personal data is: any information relating to an identified or identifiable natural person (‘data subject’).
  • An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • This means that email addresses (both business and personal) and IP addresses are now considered personal data.
  Multiple pieces of data can help create a persona, which can be traced back to one person.
  6. Lawful basis for processing
  There are six lawful bases under which data can be processed:
  1. The data subject has given consent to the processing for one or more specific purposes
  2. Processing is necessary for the performance of a contract or in order to take steps at the request of the data subject
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject
  4. Processing is necessary in order to protect the vital interests of the data subject
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
  These lawful bases for data processing aim to prevent the passing on of third-party information.
  7. Consent
  • Tick boxes can no longer be pre-ticked, as the data subject needs to know that they have knowingly opted in
  • Consent needs to be unbundled. It is not acceptable to include consent to marketing via phone, post, SMS, email, etc. in a single statement; each must be a separate opt-in
  • It is no longer acceptable to state “Your details may be shared with selected third parties”. This needs to be explicit and detail exactly which third parties your details will be shared with
  • Consent can no longer be hidden in privacy policies or terms and conditions pages, but must be clear at each stage where data is collected
  • Proof of consent must be retained each time it is collected
  New regulations on the giving of consent should make people more aware of how their data is used.
  8. The crux of the matter…
  • GDPR relies on the consent of the person whose data is being processed
  • Companies can only process data in line with what has been contractually agreed, and based on legitimate interests
  • This should see an end (or the beginning of the end…) to unsolicited emails and marketing, selling of personal data, and grey areas in how personal data is processed
  • Companies need to state what data they are collecting, why they are collecting it and who they’re sharing it with
  Personal data needs to be processed – but you now have a lot more rights on why and how.
  9. What if a business doesn’t comply?
  There are huge penalties in place for companies that don’t comply with these regulations:
  1) Up to €10 million, or 2% annual global turnover – whichever is higher.
  2) Up to €20 million, or 4% annual global turnover – whichever is higher.
  However, that doesn’t mean every breach will be costly… as long as situations are handled efficiently and companies show a committed process to compliance.
  You should report any data issues to Luke Kyte or email
  11. GDPR Principles
  There are 8 principles under the GDPR legislation:
  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision making, including profiling
  These 8 principles apply to all EU members. Non-EU businesses must also comply.
  12. Right to be informed
  You should be informed of how your data is being used. The key is transparency. By getting this right you’ll increase trust in your brand – so don’t think of it as a limitation.
  • Clear reasons for processing data
  • Information must be provided at the time you collect data
  • Privacy policies must be provided
  • Information must be concise, transparent, and easy to understand
  • Companies need to regularly review and update policies
  Companies have a legal obligation to tell you what data is collected and how it’s processed.
  13. Right of access
  The right of access stipulates that you can ask companies for the data they hold on you at any time. They have to provide this, and depending on the situation, you can exercise one of the other rights if you wish.
  • Individuals have the right to access their personal data
  • This is commonly referred to as subject access
  • Individuals can make a subject access request verbally or in writing
  • You have one month to respond to a request
  • You cannot charge a fee to deal with a request in most circumstances (unless unreasonable or excessive)
  You can request access to the data held on you at any time.
  14. Right to rectification
  You have a right to ask for incorrect data to be corrected in a timely manner.
  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete
  • Businesses have one calendar month to respond to a request
  • This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR
  If you discover any data to be wrong, you have the right to ask for this to be amended.
  15. Right to erasure
  Under GDPR legislation, you can choose for companies to erase your personal data from their records. This isn’t absolute in every situation because of potential legal reasons for processing.
  • The GDPR introduces a right for individuals to have personal data erased
  • The right to erasure is also known as ‘the right to be forgotten’
  • You have one month to respond to a request
  • The right is not absolute and only applies in certain circumstances
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data
  On your request, any company has to delete data they hold, unless held for a legitimate purpose.
  16. Right to restrict processing
  The restriction of what data is being processed gives you more power and control over your data, ensuring it’s only processed in line with your wishes.
  • Individuals have the right to request the restriction or suppression of their personal data
  • When processing is restricted, you are permitted to store the personal data, but not use it
  • You have one calendar month to respond to a request
  • This right has close links to the right to rectification and the right to object
  You can pause the processing of personal data for whatever reason.
  17. Right to data portability
  Data portability gives you an opportunity to request data in an easy-to-read format, before transferring it elsewhere – even to rival companies. Businesses have to comply, even if they don’t necessarily want to.
  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
  • Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits
  • The right only applies to information an individual has provided to a controller
  You have the right to access your data in an easy-to-read format, to take elsewhere.
  18. Right to object
  You can object to any of your data being processed for a period of time, or even indefinitely. This is linked to other rights and again, gives you ultimate control.
  • The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances
  • Individuals have an absolute right to stop their data being used for direct marketing
  • In other cases where the right to object applies, you may be able to continue processing if you can show that you have a compelling reason for doing so
  • You must tell individuals about their right to object
  • You have one calendar month to respond to an objection
  You can object to any part of your data being processed by any company.
  19. Rights related to automated decision making
  If you apply for a loan or credit card, for example, an automatic decision could be made based on your credit history and the records a company has on you. This right gives you the chance to ask for human intervention.
  The GDPR has provisions on:
  A. automated individual decision-making (making a decision solely by automated means without any human involvement)
  B. profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
  • The GDPR applies to all automated individual decision-making
  • Companies must identify whether any processing falls under this and, if so, make sure individuals are given information about the processing, with simple ways for them to request human intervention or challenge a decision
  Automated decision making helps consumers get quicker answers without human intervention.
  21. For the team...
  Although simple, providing this agenda brings everyone onto the same page – with no confusion.
  • Implemented a right of data access
  • Sent out privacy notice update to the team
  • Sent out employee consent forms
  • Reviewed data breach policies and processes
  • Amended employee contracts to include GDPR regulations
  • Completed GDPR forms for HR and employee data, giving information on what personal data we collect, who has access to it, and how it's stored / used
  • Extra protection: two-step verification, anti-virus checks, password updates
  • Presented GDPR PowerPoint to all employees to ensure they're aware of GDPR, what they should / shouldn't be doing, and how to react to a breach of data
  We’ve asked for your permission to process data in accordance with regulations.
  22. Website & third parties...
  We’ve ensured our third party processes comply with regulations and agree to our terms.
  • Data Protection Policy
  • Website tick box
  • Remove unsuccessful applicant data every 12 months
  • Ensure unsuccessful applicants are reminded that their data will be stored for this period
  • Sent data agreements to existing processors of data
  23. For clients...
  Business data isn’t personal – but names, email addresses, IP addresses etc. are.
  • Updated new supplier contracts to include GDPR regulations
  • Sent out supplier agreements to ensure third parties are complying with GDPR regulations
  • Updated client contracts to include new data protection clause
  • Implemented a client data deletion process
  • Implemented a right of data access
  24. General compliance...
  We’ve taken a lot of steps to ensure not only compliance, but top level data security.
  • Registered with the ICO as a Data Controller & Processor
  • Reviewed outreach systems and processes to ensure compliance
  • Installed a cookie information opt in
  • Upgrading to a higher security router
  • Will be carrying out data audits on an annual basis to ensure processes and terms are compliant
  • Taken out cyber security business insurance
  • Have a privacy policy and security policy in place for the website
  • Appointed a GDPR Officer to be responsible for compliance
  • Created an email address for data requests to be lodged
  26. Exercising a principle
  If you want access to your personal data, or a client requests it from us, or you want to exercise one of the other principles under GDPR:
  • Speak to our Data Protection Officer or email
  • Complete the online form:
  You can exercise any of the GDPR principles at any time.
  27. What is a data breach?
  A data breach is any loss or unauthorised access of personal data. Personal data breaches can take many forms and include, but are not limited to:
  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data
  Remain vigilant.
  28. Reporting a data breach
  The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority.
  • Reddico must do this within 72 hours of becoming aware of the breach, where feasible
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay
  • Reddico must also keep a record of any personal data breaches, regardless of whether we are required to notify
  If someone in the team becomes aware of a personal data breach they MUST report this immediately to our Data Protection Officer or email
  A data breach must be reported within 72 hours.
  30. Key Takeaways
  • Know GDPR: Be aware of what GDPR is and what constitutes personal data. Ensure strict care when handling sensitive data
  • It’s real: Non-compliance can be very costly – up to €20m!
  • GDPR principles: You, or Reddico’s clients, have the right to exercise any of the 8 principles
  • Client requests: Direct clients to our DPO, or the online form
  • Data breaches: Report any data breach immediately to the DPO. Time is of the essence
  • Data sensitivity: Don’t pass data to third parties without having contracts in place. Don’t send mass emails
  Reddico is compliant – but everyone needs to respect data processing and its importance.
  32. Sources
  For accuracy purposes, some of the information used in this presentation has been taken from the Information Commissioner’s Office’s (ICO) guidelines on GDPR regulations:
  For expert advice on data protection and how to ensure your business complies with the law changes, contact the ICO directly. The ICO will also be able to provide tailored help and advice to your business.
  Contact the ICO for help and advice on meeting GDPR regulations for your business.