GDPR - Sink or Swim
•
0 gefällt mir•178 views
Regina Lally from Databasix presentation from the Nov 2017 Sales & Retention Convention
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie GDPR - Sink or Swim
Ähnlich wie GDPR - Sink or Swim (20)
Mehr von Guy Griffiths
Mehr von Guy Griffiths (10)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
GDPR - Sink or Swim
- 1. GDPR: Sink or Swim 14th November 2017
- 2. Overwhelmed What should I do? Does it apply to me? What does it mean? Where is my data? Arrrggh! GDPR?!?
- 4. General Data Protection Regulation (GDPR) Accountability Transparency Individuals’ Rights
- 5. GDPR Myths I don’t need to do anything until May 2018 We won’t be in the EU soon, it won’t apply Consent is the only way I can process data My database is secure, I’m ready
- 6. GDPR is Coming… New law applies if: • Established in the EU; or • Offer goods and services to EU residents; or • Monitor behaviour of EU residents. Full enforcement: 25th May 2018 • Businesses large and small will need to meet the requirements by 2018. • From May 2018 a breach could cost up to €20 million or 4% of annual turnover.
- 8. People
- 9. Who is responsible for Data Protection within your business? IT HR Marke+ng Legal Board of Directors Staff None of the above
- 10. Data Protection Officer (DPO) Consider where this role sits with organisational structure and governance. All organisations allocate somebody to take responsibility for data protection compliance Senior executive, reporting to board.
- 11. Data Protection Officer (DPO) Assess whether your organisation needs to formally designate the role of DPO. • A public authority (except for courts acting in their judicial capacity) • An organisation that carries out the regular and systematic monitoring of individuals on a large scale; or • An organisation that carries out large scale processing of special categories of data, such as health records, or information about criminal convictions.
- 12. What is the attitude towards data protection in your organisation?
- 13. Data
- 14. Definition of Personal Data • Personal data: is data about a living individual who can be identified either directly from the data or indirectly by reference to other information. • Includes IP Address and Location data ** where dataset is small, a person may be identifiable without their name being recorded **
- 15. Definition of Personal Sensitive Data • Personal Sensitive: Data consisting of racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning an individual’s sex life or sexual orientation
- 16. Data Mapping When you think about your business data: • Do you know what personal data you have? • Do you know where your personal data is? • Do you know how long you can store the data?
- 17. Personal Data Most organisations collect, store, move and access personal data in their daily activities Sales Customer Relationship Management Marketing Recruitment Employees Suppliers Third party Photos CCTV
- 18. Personal data Why are you holding personal data? How are you going to use it? What is your legal basis for processing personal data?
- 19. Legal Basis for Processing Personal Data • Consent • Contract • Vital Interests • Public Task • Comply with legal obligation • Legitimate Interests
- 20. Consent under GDPR Yes I want your newsletter Active (Opt in, not opt-out) Freely given Informed Ability to withdraw at any time Retrospective
- 21. Data Controller & Data Processor Relationship Must maintain register of data processing activities Must report every data breach to the data controller Check for data provenance Data ProcessorData Controller High duty of care Contract to include details and duration of processing Contract to outline expectations - e.g.data breach, audit assistance
- 22. Process
- 23. Subject Access Requests Dear Company A, My name is Kellie Peters. I would like to know what information your company has about me? How would you handle this request?
- 24. Right to Erasure Dear Company A, My name is Kellie Peters. I would like you to delete the information your company holds on me. How would you handle this request?
- 25. Data Breaches Information Commissioner’s Office (ICO) report found that the majority of individuals do not trust organisations with their personal data. Customers, staff & regulators have zero tolerance towards data breaches. Whether a breach was malicious or an accident, as a business you have a responsibility to protect personal data
- 26. Data Breaches What is your current approach to dealing with a data breach? Under GDPR, what timeframe MUST you report a data breach within?
- 27. Data Accuracy Inaccurate data leads to wasted • marketing spend • resources • staff time Potentially up to 12% of revenue according to Experian Fundamental principle of data protection, currently & under GDPR, is to only collect data that is needed and you must maintain its accuracy
- 28. People
- 29. Data Protection by Design • Data Privacy needs to be at the heart of all future projects that involve personal/personal sensitive data. • Organisations need to be able to demonstrate their compliance with GDPR principles, including: • adopting “data protection by design” measures e.g. the use of pseudonymisation techniques; • detailed privacy impact assessment.
- 30. Be Transparent • Tell people who you are, how you’ll use their data and if you intend to share it • Review privacy notices to include: • legal basis for processing the data • how long you’ll hold the data • what to do if they believe there’s a problem with your processing.
- 31. Employee Training All staff involved in processing personal data must have a basic understanding of data protection
- 32. Employee Training Staff with specialist skills such as: Marketing IT & Security Database Management HR May need additional data protection training to cover rules relevant to their role
- 33. Question Data is awesome Business Insight Data is valuable Engaged staff Secure data Confident Next steps to take
- 34. Our Recommendations for Action • Involve people • Set accountability • Map data flows • Determine legal basis • Implement / Update processes • Be transparent • Engage people How are you going to prepare?