Introduction to GDPR
New data protection laws for 25 May 2018
Europe's data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose.
The solution is the mutually agreed European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of customer
The European Union’s General Data Protection Regulation
1. David Sayce | GDPR Introduction | Twitter: @dsayce #GDPRintro
INDBC breakfast group
David Sayce, Digital Marketing Director, South East London Chamber of Commerce, and Digital Marketing Consultant
Share on social: David Sayce on Twitter @dsayce; SELCC on Twitter @SELondonChamber
The General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data.
• The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
• The GDPR applies to ‘controllers’ and ‘processors’.
• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.
The largest penalty will be your reputation!
Ready for GDPR?
Lots to do, little time left
I am NOT a legal expert
My work across digital marketing includes areas around legal and regulatory issues; these include Data Protection, from the 1995 Data Protection Act to GDPR.
While I have worked with and advised SMEs and FTSE 100 companies, this presentation is for general information rather than specific advice. The GDPR is an evolving document; your needs and requirements may differ.
Views, comments, information and advice are my own and not necessarily those of the South East London Chamber of Commerce.
Full ICO guidance coming soon
• Transparency
• Consent
• and more…
Follow the ICO and keep up to date
What we will (briefly) cover
• What is GDPR
• The principles
• Individuals' rights
• Consent
• Breaches
• Assessment
How old is your oldest data?
The principles: personal data must be
• Processed lawfully, fairly and in a transparent manner in relation to individuals;
• Collected for specified, explicit and legitimate purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Accurate and, where necessary, kept up to date;
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• Processed in a manner that ensures appropriate security of the personal data.
Individuals' Rights
Right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
Right of access
Individuals have the right to access their personal data and supplementary information.
Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
Right to erasure
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances.
Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
Right to object
You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
Rights related to automated decision making including
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Consent
• Should be explicit
• Must retain proof of consent
• Must have a choice in consent (not tied to T&Cs)
Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
…the other five…
• 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
• 6(1)(c) – Processing is necessary for compliance with a legal obligation.
• 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person.
• 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• 6(1)(f) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Privacy Notices
• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• What will be the effect of this on the individuals concerned?
• Is the intended use likely to cause individuals to object or complain?
Privacy Notices
When planning privacy notices, you should be aware that more information may be needed than shown in the example above. Such information depends on what the user reasonably expects to happen to their data, and whether a lack of honesty/fairness might be levelled if pertinent information is not provided (e.g. use of personal data for profiling).
Repermissioning
You don't already have permission??!
Consent to send direct email marketing should have been requested at the point of collection. If you didn’t have the opportunity (the data came from a third party, or the data wasn’t intended to be used for marketing purposes), then consider appraising your data collection methods rather than repermissioning.
Data Breach
• Notify the ICO within 72 hours
• Need for internal processes to report
• Inform individuals of the nature of the breach (if data is sensitive)
• The ICO can issue a stop order
What is a data protection impact assessment?
Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
When do I need to conduct a DPIA?
You must carry out a DPIA when:
• Using new technologies; and
• The processing is likely to result in a high risk to the rights and freedoms of individuals.
What information should the DPIA contain?
• A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
• An assessment of the necessity and proportionality of the processing in relation to the purpose.
• An assessment of the risks to individuals.
• The measures in place to address risk, including security, and to demonstrate that you comply.
• A DPIA can address more than one project.
In summary, a DPIA is:
• A systematic description of the envisaged personal data processing operations and the purposes of the processing, including (where applicable) the legitimate interest pursued by the Data Controller.
• An assessment of the necessity and proportionality of the personal data processing operations in relation to the purposes.
• An assessment of the risks to the rights and freedoms of Data Subjects.
• The organisational and technical measures to secure the personal data and mitigate the absolute risk to an acceptable risk.
Marketing post-GDPR
• Should improve marketing!
• Smaller database of higher value
• Greater trust
• More realistic reporting / metrics
Make sure all GDPR-related work is documented!
Things to do
• Be familiar with GDPR and also PECR laws and regulations: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
• You should document what personal data you hold, where it came from and
who you share it with.
• Identify processes for handling, storing and deleting data
• Check 3rd party suppliers are GDPR compliant
• Document what you are doing
Things to do
• Re-boot your thinking on Data Protection: be transparent and accountable
• View GDPR as ‘by design & by default’, NOT a tick-box exercise
• A ‘DPIA Lite’ is a helicopter view of what you’re doing now that’s compliant with the GDPR: undertake an audit of all personal data processing activities carried out now or planned to be carried out in the future.
• Ensure that you have clear, independently validated policies in place to prove that you meet the new data protection standards
• Check supplier contracts for GDPR compliance
Things to do
• Practise how you will deal with a personal data breach BEFORE it happens
• Be a champion for change; foster a culture of monitoring, reviewing, and assessing data processing procedures
• Be aware of cross-border data transfers!
• Be prepared to keep accurate and systematic records of what changes and training have been carried out at your organisation.
ICO offers support to SMEs
The phone service is aimed at people running small businesses or charities. To access the new service, dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
Callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.
THE EU GENERAL DATA PROTECTION REGULATION (GDPR) IS AN OPPORTUNITY, NOT A THREAT.
David Sayce
Digital Marketing Consultant
SEO - Improve your position on Google
Strategy - Marketing planning & future thinking
Technical Audits - Improve your website
Training - Learn more about digital marketing
www.dsayce.com
hello@dsayce.com
https://uk.linkedin.com/in/dsayce