5. GDPR Myths
• I don’t need to do anything until May 2018
• We won’t be in the EU soon, it won’t apply
• Consent is the only way I can process data
• My database is secure, I’m ready
6. GDPR is Coming…
New law applies if:
• Established in the EU; or
• Offer goods and services to EU residents; or
• Monitor behaviour of EU residents.
Full enforcement: 25th May 2018
• Businesses large and small will need to meet the requirements
by 2018.
• From May 2018 a breach could cost up to €20 million or 4% of
annual turnover.
9. Who is responsible for Data Protection within your business?
• IT
• HR
• Marketing
• Legal
• Board of Directors
• Staff
• None of the above
10. Data Protection Officer (DPO)
All organisations allocate somebody to take responsibility for data protection compliance.
Consider where this role sits within organisational structure and governance.
Senior executive, reporting to board.
11. Data Protection Officer (DPO)
Assess whether your organisation needs to formally designate the role of DPO. Formal designation is required for:
• A public authority (except for courts acting in their
judicial capacity)
• An organisation that carries out the regular and
systematic monitoring of individuals on a large scale; or
• An organisation that carries out large scale processing
of special categories of data, such as health records, or
information about criminal convictions.
12. What is the attitude towards data protection in your organisation?
14. Definition of Personal Data
• Personal data is data about a living individual who can be identified either directly from the data or indirectly by reference to other information.
• Includes IP address and location data.
** Where a dataset is small, a person may be identifiable without their name being recorded. **
15. Definition of Personal Sensitive Data
• Personal sensitive data: data consisting of racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning an individual’s sex life or sexual orientation.
17. Personal Data
Most organisations collect, store, move and access personal data in their daily activities:
• Sales
• Customer Relationship Management
• Marketing
• Recruitment
• Employees
• Suppliers
• Third party
• Photos
• CCTV
18. Personal data
Why are you holding personal data?
How are you going to use it?
What is your legal basis for processing personal
data?
19. Legal Basis for Processing Personal Data
• Consent
• Contract
• Vital Interests
• Public Task
• Comply with legal obligation
• Legitimate Interests
20. Consent under GDPR
Yes I want your newsletter
Active (Opt in, not opt-out)
Freely given
Informed
Ability to withdraw at any time
Retrospective
21. Data Controller & Data Processor Relationship
Data Processor:
• Must maintain register of data processing activities
• Must report every data breach to the data controller
• Check for data provenance
Data Controller:
• High duty of care
• Contract to include details and duration of processing
• Contract to outline expectations - e.g. data breach, audit assistance
23. Subject Access Requests
Dear Company A,
My name is Kellie Peters. I would
like to know what information
your company has about me?
How would you handle this request?
24. Right to Erasure
Dear Company A,
My name is Kellie Peters. I would
like you to delete the information
your company holds on me.
How would you handle this request?
25. Data Breaches
An Information Commissioner’s Office (ICO) report found that the majority of individuals do not trust organisations with their personal data.
Customers, staff & regulators have zero tolerance towards data breaches. Whether a breach was malicious or an accident, as a business you have a responsibility to protect personal data.
26. Data Breaches
What is your current approach to
dealing with a data breach?
Under GDPR, what timeframe MUST
you report a data breach within?
27. Data Accuracy
Inaccurate data leads to wasted
• marketing spend
• resources
• staff time
Potentially up to 12% of revenue according to Experian.
A fundamental principle of data protection, currently & under GDPR, is to collect only the data that is needed, and you must maintain its accuracy.
29. Data Protection by Design
• Data Privacy needs to be at the heart of all future
projects that involve personal/personal sensitive
data.
• Organisations need to be able to demonstrate their
compliance with GDPR principles, including:
• adopting “data protection by design” measures
e.g. the use of pseudonymisation techniques;
• detailed privacy impact assessment.
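The slide names pseudonymisation as a "data protection by design" measure without showing what it looks like in practice. The following is an added example, not material from the presentation: it replaces the direct identifiers in a small constructed customer dataset with keyed HMAC-SHA256 tokens, keeps the key and the token-to-original lookup separate from the working data, and includes a check that no original identifier survived. The field names (`email`, `ip`, `plan`, `region`) and the sample records are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset (not real people): direct identifiers sit next to
# the attributes a marketing or analytics team actually needs.
SAMPLE_RECORDS = [
    {"email": "kellie.peters@example.com", "ip": "203.0.113.7", "plan": "pro", "region": "UK"},
    {"email": "sam@example.org", "ip": "198.51.100.42", "plan": "free", "region": "IE"},
    {"email": "kellie.peters@example.com", "ip": "203.0.113.7", "plan": "pro", "region": "UK"},
]

# Fields treated as direct identifiers (hypothetical field names for this example).
DIRECT_IDENTIFIERS = ("email", "ip")


def new_key() -> bytes:
    """Secret pseudonymisation key. Store it separately from the pseudonymised
    dataset (e.g. in a secrets manager) under its own access control."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the value under the key.

    Deterministic, so the same person yields the same token in every record and
    joins/de-duplication still work. Keyed, so that someone holding only the
    dataset cannot recompute tokens for guessed inputs; an unkeyed hash of a
    low-entropy field such as an IPv4 address is trivially recomputable and
    would not be meaningful pseudonymisation."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace each direct identifier with its pseudonym.

    Returns (pseudonymised_records, lookup). `lookup` maps token -> original
    value and is the 'additional information' that must be kept separately
    from the working dataset; without it (and the key) the records no longer
    name anyone."""
    out = []
    lookup = {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if new.get(field) is not None:
                token = pseudonym(str(new[field]), key)
                lookup[token] = new[field]
                new[field] = token
        out.append(new)
    return out, lookup


def reidentify(token: str, lookup):
    """Controlled re-identification, e.g. to answer a subject access or erasure
    request: only whoever holds the separately stored lookup can do this."""
    return lookup.get(token)


def leaks_identifier(records, originals) -> bool:
    """True if any original identifier value still appears in `records`."""
    original_values = {str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(str(r.get(f)) in original_values for r in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = new_key()
    safe, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in safe:
        print(row)
    print("leaks identifier:", leaks_identifier(safe, SAMPLE_RECORDS))
```

The point of the split is organisational as much as technical: the analytics team works from `safe`, while the key and `lookup` live with whoever is accountable for handling access and erasure requests. Because the tokens are deterministic under one key, two records for the same person still line up; rotating to a fresh key produces unrelated tokens, which is what you want when a dataset is handed to a new processor.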
30. Be Transparent
• Tell people who you are, how you’ll use their data
and if you intend to share it
• Review privacy notices to include:
• legal basis for processing the data
• how long you’ll hold the data
• what to do if they believe there’s a problem with
your processing.
31. Employee Training
All staff involved in processing personal data must have a basic understanding of data protection.
32. Employee Training
Staff with specialist skills such as:
• Marketing
• IT & Security
• Database Management
• HR
may need additional data protection training to cover rules relevant to their role.
34. Our Recommendations for Action
• Involve people
• Set accountability
• Map data flows
• Determine legal basis
• Implement / Update processes
• Be transparent
• Engage people
How are you going to prepare?