General Data Protection Regulations what you really need
General Data Protection Regulations: what you really need to know
12 October 2017
Stephen Thompson & Fflur Jones
Clear Thinking. Smart Results.
GDPR
Implementation date: 25 May 2018
A little over 7 months to get ready
Common myths about GDPR
1. NOW THE UK IS LEAVING THE EU, THE GDPR WON’T APPLY
False: the government has confirmed that the GDPR will be unaffected by Brexit
2. WE’RE A CHARITY SO THE GDPR WON’T APPLY TO US
False: the GDPR applies to all organisations regardless of whether they are registered charities
Common myths about GDPR
3. THE GDPR WILL ONLY APPLY IN RELATION TO DATA WE OBTAIN AFTER MAY 2018. OUR CURRENT DATABASE IS UNAFFECTED
False: all data obtained must comply with the GDPR, so most businesses will need to obtain fresh consent from their database unless they have another lawful basis for processing
4. WE DON’T NEED TO WORRY ABOUT GDPR – OUR DATA IS OUTSOURCED TO A CLOUD SERVICE OR IT COMPANY
False: just because data is with a third party does not mean your business is exempt from the rules
Key purpose of GDPR
• The real purpose is to harmonise the rules across the EU member states
• To ensure that individuals understand how their data is being used, have more control over their data, and understand how to make a complaint about the use of their data
Current awareness
Many organisations don’t really have an understanding of the data they collect, or their duties in relation to protecting that data.
What data does the GDPR apply to?
• The GDPR only applies to personal data
• 2 categories:
– “personal data”
– “sensitive personal data”
• If data is completely anonymised, it will fall outside of the GDPR. However, beware that complete anonymisation can be difficult to achieve.
Dealing with data
Organisations are still entitled to deal with data providing they have a legal basis for doing so:
– Compliance with a legal obligation (including employment obligations)
– Performance of a contract with the data subject
– Consent of the data subject
– Consent must be: “freely given, specific, informed and unambiguous”
Legal basis for processing
• More than just consent
• BUT you need to think about what your justification for using data is:
– Complying with a legal obligation will not give a blanket authorisation to use an individual’s data for other purposes
– You will be relying on different grounds to process data depending on your relationship with the individual
Key changes to be aware of
1. Structural/cultural changes
– “data impact assessments”
– records of processing operations
– appointment of a data protection officer
– consent must be “freely given, specific, informed and unambiguous”
Key changes to be aware of
“Freely given, specific, informed & unambiguous consent”
From this common wording:
We will contact you from time to time with marketing information about our services and events. If you do not wish to hear from us, please let us know by ticking this box.
To this:
If you are happy for us to contact you from time to time by e-mail with marketing information about our services and events, please tick this box.
Key changes to be aware of
2. Additional individual rights
– more transparency
– a “right to be forgotten”
3. Breaches and penalties
– “breach” is more than just loss of data
– “significant” breaches must be notified to the ICO within 72 hours
– Two tiers of potential fines:
• the higher of € 10 million or 2% of your global turnover
• the higher of € 20 million or 4% of your global turnover
Employment issues
- Processing employees’ data includes CCTV footage, internet records and monitoring emails; most of the sensitive personal data you process will be that of your employees
- The majority of Subject Access Requests are made by disgruntled employees
- So: need to be careful with your contracts, policies and in practice
- GDPR requires much more detail to be given by employers about their reasons for processing and employees’ rights to object
What should you do to comply?
• First 2 months:
– conduct an internal audit of your current policies & procedures
– consider what data you actually need from individuals and what you need to do with it
– educate / train your staff about the GDPR
– consider whether you need to appoint a data protection officer
What should you do to comply?
• Months 3-5:
– review the contracts you have in place with third party suppliers
– draft an internal strategy to deal with data
– update your privacy policy and terms and conditions
– review your contracts of employment and staff handbook
– refresh your existing database
What should you do to comply?
• Months 6-7:
– ensure that updated policies and terms are finalised
– conduct refresher training for staff
– make sure all new employment contracts/consent forms are signed and returned to you, and staff have read your policies
– ensure that your technology strategy is implemented and reviewed
Conclusion
• The GDPR is coming and will affect all businesses
• The key is to take steps to comply as best as you can
• Don’t panic, but ensure that you and the individuals you deal with understand what data you collect & what you do with it
• Educate your staff
Further information
Lots of useful guidance and information on the ICO website. Their guidance is being updated all the time: www.ico.org.uk
Further information
Many 3rd sector organisations are signed up to WASPI, which has a number of useful templates available, particularly for data sharing: www.waspi.org
Thank you for coming
@Darwin.Gray.LLP
Darwin Gray LLP