GDPR takes effect on May 25, 2018. The document provides an overview of GDPR including its history, key definitions, what it covers, and what it means for businesses. It discusses areas like consent, data breaches, subject rights, and accountability. A readiness checklist is also included covering things like conducting a data audit and having a data protection officer. Some misconceptions about GDPR are addressed, such as there being a grace period or that it only affects EU organizations.
2. GDPR: Are you ready?
77%
#ReadyForGDPR 2
Feel ready for compliance
Companies aware of GDPR
34%
3. History of GDPR
Post WWII, concerns about the protection of human rights.
1950: EU Convention on Human Rights (ECHR) introduces privacy.
1981: EU Treaty 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data)
– Eight principles for protecting personal data.
– Different Member States implemented their own laws to reflect this.
1998: all Member States transpose into law (e.g. UK’s DPA 1998):
– Inconsistent protection of individual rights,
– Uneven organisational playing field.
1998: Human Rights Act (HRA 1998) – Article 8 ‘right to privacy’.
2016: EU GDPR approved; becomes law two years from publication.
90% of the world’s data was created in the past 2 years.
5. A few basic definitions
EU Directive is a legal act of the European Union, which requires member states to achieve a
particular result without dictating the means of achieving that result. It can be distinguished from
Regulations which are self-executing and do not require any implementing measures. The Directive
leaves member states with a certain amount of leeway as to the exact rules to be adopted.
Personal data
“any information relating to an identifiable person who can be directly or indirectly
identified in particular by reference to an identifier”
Special categories of personal data, specifically including genetic and biometric data when processed to uniquely identify an individual – used to be known as “sensitive data”.
7. What does GDPR cover?
Personal Rights
The right to be informed.
The right of access.
The right to rectification.
The right to erasure.
The right to restrict processing.
The right to data portability.
The right to object.
Rights in relation to automated decision making and profiling.
Boundaries & Scope
Details the scope of what is covered by GDPR.
Details the geographical boundaries of GDPR.
Responsibilities
Outlines the responsibilities of both Controllers & Processors.
9. Key areas.
Responsibility and accountability
Consent
Pseudonymization
Data breaches
Right to erase – “The right to be forgotten”
Data portability
Records of processing activities
10. Accountability
Article 5: Principles – personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
Accountability
11. Consent
Unbundled
Should be separate from other T&Cs (e.g. a purchase can’t be refused if consent isn’t given).
Active opt-in
Pre-ticked boxes are no longer valid.
Named
3rd parties listed.
Freely given
Not pressured into it.
Documented
List of when consent was given.
Easy to withdraw
As easy to withdraw as it is to give.
13. Data breaches
Prepare
• Stop it before it happens
Protect
• Identify personal data
• Encrypt
• Enable only the right people to access
• Patch systems, install AV and anti-malware protection
Detect
• Evaluate existing technologies
• Identify vulnerabilities
• Monitor
• Test
Respond
• Mitigate the impact
• Report it
14. Data portability
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided...”
– EU GDPR Chapter 3, Article 20(1).
15. What if you don’t comply?
• Fines and penalties
• Four per cent of your global annual turnover or €20m is a large price to pay for direct breaches of the GDPR principles, but even a minor breach is likely to cost you 2% or €10m at the bare minimum
• Legal action
• As long as businesses can demonstrate a sound and practicable intent to enforce data security practices, they should not be fearful of new data protection regulations and European Union (EU)/ICO mega fines
• Keep working towards compliance once the deadline has passed
17. Preparation check-list
Conduct an audit of what data you hold and where
Privacy information and policies
Processes for data breaches
Review consent process
Data Protection Officer
Employee Data
18. Brexit
• Life after Brexit – Do we care?
• What is adequacy assessment and does it help?
• Binding contractual agreements
19. DPB (Data Protection Bill)
• The existing UK data protection laws have become increasingly unwieldy, having been first introduced in 1998 – 10 years before Apple’s first smartphone was released.
• The DPB (Data Protection Bill) is the UK’s answer to the GDPR, evolving the country’s existing data protection laws for the 21st century with the aim of ensuring uninterrupted data flows between the UK and EU after Brexit.
21. Misconceptions of GDPR
GDPR only affects those in the EU.
• European approach
• Privacy and data protection are fundamental human rights
• Not tied to citizenship or nationality
• One overarching law for all member states
22. Misconceptions of GDPR
There will be a grace period.
• There’s also a misconception among businesses that when GDPR is introduced there will be a grace period, but the reality is that organisations need to be preparing now.
• 25 May 2018 is when the General Data Protection Regulation (GDPR) comes into effect; the on-boarding period started two years ago in May 2016, and it has been on the horizon for three years.
• If you read into GDPR, it essentially builds on data privacy and security principles that organisations should already be abiding by – the Data Protection Act has been in force since 1998, after all.
23. Misconceptions of GDPR
It will be much harder to communicate with customers and clients.
• Comply with GDPR to make regulators but also customers happy
• Improved understanding of customer data lineage
• Collaboration across stakeholders
• Sharing consent with partners
• Improved customer experience
• GDPR competitive differentiation
24. This will make your organisation trusted and authentic, inspiring transparent relationships with your customers.
Put data protection at the heart of your brand.
http://www.information-age.com/5-eu-companies-ready-gdpr-compliance-alert-logic-123469223/ - varying compliance statistics.
This comes from our own research
Nigel to add Forrester article: Which sectors are most ready – finance being more vigilant
Gen to add notes from Blog
90% of the world’s data was created in the past 2 years: http://www.deleteagency.com/news/the-impact-of-general-data-protection-regulations-gdpr-on-your-customer-marketing
Create timeline reflecting and highlighting the key dates: 1950, 1981, 1998 and 2016
Time line effect design
EU Regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously.
EU Directive is a legal act of the European Union, which requires member states to achieve a particular result without dictating the means of achieving that result. It can be distinguished from regulations which are self-executing and do not require any implementing measures. The Directive leaves member states with a certain amount of leeway as to the exact rules to be adopted
We can produce a diagram which explains this in more detail – processor vs controller : https://lh3.googleusercontent.com/Mg8TMJS7-qXeaMifQcJRN7fVdqnD0-KGsRHJ41Nqt_HW5oiWnhwZi_tMaMyZZyQU4XzJBcqvGduEjbFeHoIU-MntozztlD5p0HTJS00bZLW7-DIJKPGL9VhQ4T32gR-PotITXeLM
Changes to Data controller and Data processor responsibilities
Controller “determines the purposes and means of the processing of personal data”, while a processor is “any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller)”.
One of the major changes is that data processors have specific obligations under the GDPR – if a processor fails to report a data loss to their controller, then the processor can be subject to regulatory action from the commissioner, where that isn’t possible under the current Data Protection Act
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Include icons per point
Can we add icons for your business – engaging icons
----- Meeting Notes (29/01/18 12:35) -----
PECR cross reference covering up to.
Consent cannot be part of the offering.
6 x icons
Example:
If it’s given by ticking a box, it should be possible to un-tick the box.
RECOMMENDED:
Bring your entire database up to GDPR standards, it seems required.
Report must include likely consequences of the breach and the actions taken to mitigate impact on the data subjects
Visually creative with 4 steps: Prepare, Protect, Detect, Respond
Visually represent the importance of this slide – needs to stand out as a warning
Ask questions?
When the UK leaves the EU, it becomes what is known as a “third country”. According to Clause 31(7) of the DPB, this is “a country or territory other than a Member State”. If there is no deal in place, this could have massive repercussions for data sharing, as Clause 71(1) of the DPB states: “A company may not transfer data to a third country.
For the UK to share data with its European partners, an “adequacy assessment” will be needed. This is not as easy as it sounds, as adequacy assessments normally take more than a year. Likewise, an adequacy assessment endorsement cannot be issued to an existing Member State, as being a member precludes the necessity of having an adequacy assessment in the first place.
Should the UK leave the EU without a deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners. Only once an adequacy assessment was in place could this be dispensed with.
The DPB aims to reinforce data protection regulation for new technologies, while allowing people to have more control over their data. This will be no easy task, as – given the definitions used in the DPB – the UK will have more than 60,000,000 data subjects (a person who has data stored about them) and approximately 500,000 data controllers (companies or organisations which store data about data subjects).
The UK Data Protection Bill is due to come into force this year, ahead of the EU General Data Protection Regulation in May 2018
The first draft of the Data Protection Bill (DPB) was released on 13 September 2017, following its second reading in the House of Lords. This bill is designed to bring the UK’s data protection laws in line with the European Union’s (EU) General Data Protection Regulation (GDPR).
Despite the UK government having triggered Article 50 of the Lisbon Treaty, and being in negotiations regarding leaving the EU, the UK will still be classed as a Member State when the GDPR compliance deadline is reached on 25 May 2018.
[may be removed in dry-run]
Graphics to add – quote big and
Have 1 as a big number. And title in big centred
Same as point 1.
Opportunities for your business – interactive diagram (3 x slides)
By placing respect for privacy at the heart of brand proposition.
Transforming the way it projects to customers, making every engagement human-centric.
This will ascribe organisation as trusted and authentic, inspiring transparent relationships with their customers.
Linked to next slide.
Health theme – a ‘core brand value’ similar to our retail whitepaper infographic messaging - some image here would be good to represent this
Have health theme image. Like an ad.