The document discusses the General Data Protection Regulation (GDPR), which regulates how companies handle the personal data of individuals in the EU. It provides an overview of the GDPR, including the key events leading to its adoption and how it strengthens data protection rights. It highlights some notable differences between the GDPR and the previous UK Data Protection Act. The document also outlines an approach for companies to become GDPR compliant, including conducting a data assessment, updating policies and processes, and appointing a data protection officer if needed. It notes both the penalties for non-compliance and the opportunities that the GDPR presents to organisations.
2. General Data Protection Regulation (GDPR)

WHAT IS GDPR?
• GDPR is the new European Union legal framework regulating how companies and organisations protect the personal data of individuals in the EU.
• As a Regulation it is directly binding in all EU member states; it replaces the Data Protection Directive 95/46/EC, which each member state had to transpose into its own national law.
• The GDPR applies to organisations established in the EU, and to organisations based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, wherever the data is handled, stored or processed.
• The GDPR significantly strengthens the rights of individuals over their personal data.

Timeline of significant UK & EU data protection events
1995: Data Protection Directive (DPD) 95/46/EC created to regulate the processing of personal data of EU citizens.
1998: The United Kingdom Parliament enacts the UK Data Protection Act (DPA) to align British law with the EU DPD.
1998-2000: US Safe Harbour Privacy Principles developed to protect the fundamental rights of Europeans where their data is transferred to organisations in the United States.
2015: European Court of Justice rules that the 'safe harbour' agreement is invalid (a new framework for transatlantic data flows was agreed in 2016).
2015: EU Parliament and Council agree the text of the draft GDPR.
2016: EU Parliament and Council approve and adopt the GDPR.
2018: 25 May 2018: GDPR becomes fully enforceable throughout the European Union.
GDPR: Moving from confusion to readiness
3. Notable links between UK DPA and GDPR

Organisations already compliant with the UK DPA will find that they have a good foundation for adopting the requirements introduced by the GDPR. Some current DPA components that carry additional GDPR requirements are listed here:

1. PERSONAL DATA: The GDPR broadens the DPA's definition of personal data to include online identifiers (e.g., IP addresses, MAC addresses, cookie identifiers).
2. MANUAL FILING SYSTEMS: The GDPR applies BOTH to automated processing of personal data and to manual filing systems in which personal data are accessible according to specific criteria.
3. FINES: The UK Information Commissioner's Office (ICO) can currently issue fines of up to £500K to any UK organisation that "seriously breaches" the DPA. For the most serious infringements, the GDPR raises the maximum fine to €20m or 4% of annual global turnover, whichever is higher.
4. ACCOUNTABILITY: The GDPR introduces an accountability principle: organisations must be able to demonstrate compliance through concrete actions and must maintain clear, easy-to-read documentation that evidences those actions.
5. CONSENT: Consent under the GDPR MUST be unambiguous and given by a clear affirmative action from the user, and the organisation must be able to demonstrate that it was given. Consent already obtained under the DPA does not have to be refreshed, but only if it already meets the GDPR standard; otherwise fresh consent must be sought.
6. INDIVIDUAL RIGHTS: The GDPR strengthens the rights of individuals over their personal data, including the:
• Right to be informed (concise, clear and free of charge);
• Right of access (subject access requests answered faster, within one month, and free of charge in most cases);
• Right to rectification (faster response times; third parties who received the data must be informed);
• Right to erasure (faster response times; third parties who received the data must be informed);
• Right to restrict processing;
• Right to data portability (applies to automated processing only);
• Right to object; and
• Rights in relation to automated decision-making and profiling.
4. Highlights of some GDPR 'Game changers'

While the GDPR strengthens existing data protection law, it also introduces a number of new requirements that will have significant legal, process and technology implications for many organisations. Some of those 'game changers' are described below:

Breach notifications: Whereas the DPA did not require organisations to report data breaches, the GDPR mandates that they "notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it." The clock starts when the organisation becomes aware of the breach, not when the investigation concludes, so incident response processes need to reach a notification decision inside that window (the only exception is a breach unlikely to result in a risk to individuals).

Data processors: The GDPR places legal obligations directly on data processors, including keeping records of the personal data and processing activities they carry out on behalf of controllers. This brings cloud service providers and data brokers into scope for liability in their own right, rather than only through their contract with the controller.

Right to erasure: Data subjects (e.g., employees and customers) can request the deletion or removal of their personal data, including from backups, archived data and third parties (e.g., cloud storage) to which it has been passed. The right is not absolute (data that must be retained to meet a legal obligation, for example, is exempt), but honouring it requires knowing where every copy of the data is held.

Data portability: Under the GDPR, individuals have the right to request their personal data in a structured, commonly used and machine-readable format and to reuse it as they wish. Organisations are obliged to comply where the criteria are met: the processing is carried out by automated means and is based on consent or on a contract.

Children's personal data: The GDPR contains new provisions to protect children's personal data. Privacy notices will need to be written in clear, understandable language, and where online services are offered directly to a child, consent from a parent or guardian is required (the GDPR sets the age threshold at 16; member states may lower it to no less than 13).

Privacy by design: Privacy-by-design means organisations need to build the GDPR requirements into their data collection and processing from the outset (considerations include data minimisation, i.e. collecting only what the purpose needs, and pseudonymisation, i.e. replacing direct identifiers with tokens whose key is held separately) and into new technology, e.g., IoT, digital platforms etc.
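As an added example that is not part of the original deck: the privacy-by-design considerations above (data minimisation, pseudonymisation and the right to erasure) applied in Python to a small constructed set of customer records. The records, the assumed analytics purpose (only order totals per customer are needed), the pseudonymisation key and the choice of HMAC-SHA256 as the pseudonymisation function are all assumptions made for this example, not anything the deck prescribes.

```python
import hashlib
import hmac

# Constructed sample records for the example (fictional people, RFC 5737 addresses).
CUSTOMERS = [
    {"id": "C001", "name": "Ann Example", "email": "ann@example.org",
     "ip": "203.0.113.7", "dob": "1980-04-12", "order_total": 120.50},
    {"id": "C002", "name": "Bo Sample", "email": "bo@example.net",
     "ip": "198.51.100.23", "dob": "1975-09-30", "order_total": 99.00},
    {"id": "C001", "name": "Ann Example", "email": "ann@example.org",
     "ip": "203.0.113.9", "dob": "1980-04-12", "order_total": 40.00},
]

# Data minimisation: the assumed analytics purpose needs only the order value,
# so every other field (name, email, IP, date of birth) is dropped at collection.
ANALYTICS_FIELDS = ("order_total",)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    Same identifier + same key -> same token, so records for one person stay
    linkable for analysis; without the key the token cannot be mapped back.
    Pseudonymised data is still personal data under the GDPR, which is why the
    key must live separately from the dataset (assumed to be the caller's job).
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, key: bytes) -> dict:
    """Keep only the fields the purpose needs and replace the ID with a pseudonym."""
    out = {"subject": pseudonymise(record["id"], key)}
    for field in ANALYTICS_FIELDS:
        out[field] = record[field]
    return out


def build_analytics_dataset(records: list, key: bytes) -> list:
    """Privacy-by-default pipeline: minimise and pseudonymise every record."""
    return [minimise(r, key) for r in records]


def totals_per_subject(dataset: list) -> dict:
    """The analytics the dataset exists for: spend per (pseudonymous) subject."""
    totals: dict = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0.0) + row["order_total"]
    return totals


def erase_subject(dataset: list, identifier: str, key: bytes) -> list:
    """Right to erasure applied to the pseudonymised copy.

    The dataset holds only tokens, so the controller recomputes the token with
    the key to locate the subject's rows. A party holding the dataset without
    the key cannot single the person out this way.
    """
    token = pseudonymise(identifier, key)
    return [row for row in dataset if row["subject"] != token]


if __name__ == "__main__":
    # In practice the key is generated with secrets.token_bytes() and stored
    # apart from the data; it is fixed here so the example is reproducible.
    key = b"example-pseudonymisation-key"
    data = build_analytics_dataset(CUSTOMERS, key)
    print(data)
    print(totals_per_subject(data))
    print(erase_subject(data, "C001", key))
```

The point of the keyed hash rather than a plain SHA-256 is that an unkeyed hash of a small identifier space (customer IDs, e-mail addresses) can be reversed by hashing every candidate; with the key held apart from the data, only the controller can re-identify or erase a specific subject.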
5. GDPR: Benefits, opportunities, penalties and risks

For many organisations and industries, the GDPR is the most disruptive data protection legislation in recent years. However, as with most things, every challenge presents an opportunity. Some of these are outlined below:

Benefits and opportunities
• Organisations will seek to use their GDPR preparedness and early compliance as a competitive advantage / differentiator.
• There is an opportunity to improve your organisation's approach to managing unstructured data.
• Organisations have a chance to better catalogue their business data, improve data governance and streamline business processes.
• Applying privacy-by-design principles will help organisations build more secure software solutions.

Risks and penalties
• Some organisations may be deterred by the GDPR and stop innovating.
• In the event of a data breach, if the organisation is found to be non-compliant with GDPR requirements, the consequences include regulatory fines (up to €20m or 4% of global annual turnover for the most serious infringements), the cost of repairing reputational damage, and the risk of compensation claims and class action / civil lawsuits.
• Although no formal requirement currently exists, companies bidding for EU public sector work may need to prove GDPR compliance in future.
6. Getting ready for GDPR – an approach

There is no 'one-size-fits-all' approach to becoming GDPR ready. However, a risk-based approach is recommended, one which factors in your organisation's business objectives, culture and industry constraints. Below is a basic approach, in four phases leading up to the May 2018 enforcement date, to help begin your organisation's efforts.

PLAN
• Set up your GDPR program team.
• Identify where and how personal data is collected/created, stored, used, transferred and disposed of.

ASSESS
• Conduct a gap assessment against the GDPR principles to identify areas of focus.
• Conduct Data Protection Impact Assessments (see the ICO templates).
• Assess relevant areas of your business for gaps, e.g., technology, vendor management, governance etc.
• Appoint a DPO where needed.

EXECUTE
• Focusing on the areas of highest risk, apply remedial measures to technology, security, business processes and contracts.
• Update data breach incident response and notification processes.
• Review and update privacy policies and notices.

OPERATE (from May 2018)
• Embed privacy-by-design into BAU for new projects.
• Apply a Plan-Do-Check-Act methodology to ensure continuous improvement.
• Keep abreast of updates from regulators.
7. These 8 activities will get you started…

1. Assign program management responsibility for GDPR readiness.
2. Conduct data discovery of personal data across the organisation. Review data collection, data flows, processing and storage.
3. Assess the need for a Data Protection Officer and plan for the role if needed, including reporting lines, independence and resources.
4. Review how your organisation seeks, records and manages consent, and whether changes are required.
5. Update business processes to accommodate the new and enhanced rights of individuals over their personal data (e.g., right to erasure).
6. Review and update breach response processes, including breach notification.
7. Address data privacy requirements in vendor / third-party service provider agreements and contracts.
8. Update privacy notices and other internal and external policies to bring them in line with GDPR requirements.
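Activity 2 (data discovery) as an added Python example, not code from the original deck: a small scanner that inventories where the online identifiers mentioned earlier in the deck (e-mail addresses, IP addresses, MAC addresses) occur across a constructed set of files, producing the raw material for a data map. The file paths and contents are constructed for the example, the pattern set is an assumption, and a real discovery run would also cover databases, file shares and SaaS exports and carry many more identifier types.

```python
import re
from collections import Counter

# Constructed sample "files" for the example (fictional content; documentation-only
# IP ranges). Keys are paths as a file-share crawl would report them.
SAMPLE_FILES = {
    "crm/export.csv": (
        "id,name,email\n"
        "1,Ann Example,ann@example.org\n"
        "2,Bo Sample,bo@example.net\n"
    ),
    "web/access.log": (
        '203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET / HTTP/1.1" 200 2326\n'
        '198.51.100.23 - - [10/Oct/2017:13:55:37 +0000] "GET /a HTTP/1.1" 200 512\n'
    ),
    "it/dhcp-leases.txt": "lease 192.0.2.10 { hardware ethernet 00:1a:2b:3c:4d:5e; }\n",
    "docs/readme.txt": "Build 10.20.300.4 of the service; this file holds no personal data.\n",
}

# Identifier patterns. The IPv4 pattern checks that each octet is 0-255 so that
# version strings such as 10.20.300.4 are not reported as addresses.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b"
    ),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
}


def scan_text(text: str) -> dict:
    """Count each identifier type in one document; empty dict if none is found."""
    counts = Counter()
    for kind, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            counts[kind] = len(found)
    return dict(counts)


def discover(files: dict) -> dict:
    """Map path -> identifier counts, listing only locations that hold personal data."""
    inventory = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            inventory[path] = hits
    return inventory


def summarise(inventory: dict) -> dict:
    """Total occurrences of each identifier type across all discovered locations."""
    totals = Counter()
    for hits in inventory.values():
        totals.update(hits)
    return dict(totals)


if __name__ == "__main__":
    inventory = discover(SAMPLE_FILES)
    for path, hits in inventory.items():
        print(f"{path}: {hits}")
    print("totals:", summarise(inventory))
```

Pattern matching finds direct identifiers, which is enough to locate the systems that need to be in the data map and to prioritise the gap assessment; it does not find personal data held in free text (names in e-mails, notes fields), so the inventory is a starting point for the interviews with data owners rather than a substitute for them.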
8. Useful GDPR resources

1. UK Information Commissioner's Office, Overview of the General Data Protection Regulation (GDPR): https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
2. Hunton & Williams, Privacy and Information Security Law Blog: https://www.huntonprivacyblog.com/?s=GDPR
Image: Livaria Lello, Porto, @dipyourtoesin
9. General Data Protection Regulation (GDPR) - Getting from confusion to readiness
Image: Dubai from the sky by @dipyourtoesin
To discuss any aspects of this presentation, contact: Omo Osagiede