GDPR Breakfast Briefing for Business Advisors

Harrison Clark Rickerbys
8 Mar 2018
  1. Welcome
  2. GDPR Breakfast Briefing Thursday 8 March
  3. “the biggest change to data protection law for a generation” Elizabeth Denham, Information Commissioner
  4. Why GDPR now?
  5. Why GDPR? The Data Protection Act (1998) is built on the General Data Protection Directive; GDPR is the General Data Protection Regulation: 1 Regulation, not 28 different variants.
  6. “The introduction of the Data Protection Bill…will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.” Elizabeth Denham, Information Commissioner
  7. Some definitions
     • Personal Data – data that can identify a natural person directly or indirectly
     • Processing – anything you do with data, even looking at it
     • Special Category Data – racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life, sexual orientation
  8. Responsibilities
     • Controller
        o Know the risks to the data subject
        o Manage those risks
        o Demonstrate processing in line with the Regulation
        o Only use processors who demonstrate adherence to the Regulation
     • Processor
        o Implement appropriate technical and organisational measures
        o Not engage another processor without permission
        o Ensure there is a contract in place with the controller
        o Demonstrate compliance with the Regulation
  9. So what can businesses do?
  10. Everything they could before – just in a way that balances the business’ needs with the rights of data subjects.
  11. The Principles
     1. Processed lawfully, fairly and in a transparent manner – the subject must be told; processing must match the description; processing must be for one of the purposes in the Regulation.
     2. Collected for specified, explicit and legitimate purposes – you must define up front what the data will be used for and limit processing to only that necessary to meet that purpose.
     3. Adequate, relevant and limited to what is necessary – data collected should only be that required in relation to the purposes of the processing.
     4. Accurate and where necessary kept up to date – intended to protect the data subject from such things as wrong decisions made about them; it’s also good business practice.
     5. Retained only for as long as necessary – data is kept for no longer than is required to process it for the purpose originally stipulated.
     6. Processed in an appropriate manner to maintain security – this principle links closely with the ISMS covering Confidentiality, Integrity and Availability (CIA).
  12. Individuals’ Rights
     • Right to information
     • Right to access
     • Right to rectification
     • Right to be forgotten
     • Right to restriction of processing
     • Right to notification
     • Right to portability
     • Right to object
     • Right to appropriate decision making
  13. Lawfulness of Processing – processing is lawful only if one of the following applies:
     1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
     2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
     3. processing is necessary for compliance with a legal obligation to which the controller is subject;
     4. processing is necessary in order to protect the vital interests of the data subject or of another person;
     5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
     6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  14. Consent
     • Consent must be unambiguous, clear and affirmative
        o Must be able to demonstrate that consent was given
        o Silence or inactivity does not constitute consent
        o Written consent must be clear, intelligible, easily accessible, else not binding
        o Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it
     • Take appropriate measures to “provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language”
  15. Consent – specific categories of data
     • Special conditions apply for children (under 16, but the UK could lower this to 13) to give consent
        o Appropriate parental / guardian consent
        o Controller has to make reasonable efforts to verify authorisation
     • Explicit consent must be given for processing sensitive personal data
        o Now includes “genetic data” and “biometric data” where processed to uniquely identify a person
  16. Lawfulness of Processing (slide 13 repeated verbatim)
  17. Get Ready for GDPR NOW! 11 weeks, 15 hours, and 15 minutes
  18. https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
  19. GDPR Overview Assessment – Are you GDPR Ready?
     • Key Factors
        1. Data protection policy, responsibility and training
        2. Registration, privacy notices and subject access
        3. Data quality, accuracy and retention
        4. Security
        5. Privacy impact assessments
     • Business areas: Legal & HR; Operations & Finance; Sales & Marketing; IT Systems
  20. Developing a GDPR Strategy – moving towards compliance
     • Assessment
        o Gaps or areas of non-compliance
        o Assess risk and prioritise tasks
     • Agree change programme
     • Build a cross-functional team – risk, compliance, IT, legal, finance, PR
     • DPO – appointment and training
     • Implementation
        o Update privacy notices and terms and conditions
        o Update data processor clauses in contracts extending into 2018
        o New policies and training for carrying out DPIAs, data security, breach handling, personal data handling and new data subject rights
  21. GDPR Compliance Roadmap
     • Know your data assets
     • Map data flows and existing systems and processes that utilise personal data
     • Collect existing policies, notices and vendor agreements
     • Assess likely GDPR impact and identify gaps
     • Conduct risk assessment and prioritise tasks
     • Implementation (update documentation and vendor contracts, training and awareness etc.)
     • Monitor implementation and compliance with regular compliance checks
  22. Carry out a data audit
  23. Know your data
     • Why are you collecting it? Purposes
     • How did you get it?
     • Where do you store it?
     • What do you do with it?
     • Who has access to it?
     • How long do you keep it?
     • Where do you send it?
  24. Documentation and Privacy by Design and Default
     • Ensure and demonstrate compliance
     • Maintain written records of all processing
     • Adopt and implement measures which meet the principles of data protection by design and default
        o Minimising processing
        o Pseudonymisation
        o Enable monitoring by the data subject
     • Data Protection Impact Assessments (DPIAs)
     • Identify, investigate and manage a data breach
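A small worked illustration of two of the measures named on this slide, minimising processing and pseudonymisation, added here as an example; it is not code from the briefing or from Harrison Clark Rickerbys. The purposes, the per-purpose field lists, the `Pseudonymiser` class and the sample CRM record are constructed assumptions for illustration.

```python
"""Pseudonymisation and data minimisation of a CRM record (added example).

Two "privacy by design and default" measures applied to a constructed record:
  - minimisation: keep only the fields the stated purpose needs;
  - pseudonymisation: replace the direct identifier (e-mail) with a keyed HMAC
    pseudonym, holding the key and the re-identification table apart from the
    working data set, in the spirit of GDPR Art. 4(5) ("additional information
    kept separately").
Purposes, field lists and the sample record are assumptions, not from the deck.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Fields each purpose is allowed to retain (assumed purposes and fields).
PURPOSE_FIELDS = {
    "delivery": {"first_name", "last_name", "city", "postcode"},
    "analytics": {"county", "market", "employees"},
}


class Pseudonymiser:
    """Keyed pseudonymisation with a separately held re-identification table."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # In production the key would live in a KMS/HSM, never beside the data.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}  # pseudonym -> identifier, kept separately

    def pseudonym(self, identifier: str) -> str:
        # Normalise so "John.Smith@acme.com" and "john.smith@acme.com " map to
        # the same pseudonym: one person, one token. HMAC (not a bare hash)
        # means nobody without the key can recompute tokens from guessed e-mails.
        norm = identifier.strip().lower().encode("utf-8")
        token = hmac.new(self.key, norm, hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = norm.decode("utf-8")
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the separate table can reverse a pseudonym."""
        return self._lookup.get(token)


def minimise_and_pseudonymise(record: dict, purpose: str, p: Pseudonymiser) -> dict:
    """Return a working copy of `record` fit for `purpose`.

    Every field not needed for the purpose is dropped rather than copied, and
    the direct identifier is replaced by its pseudonym.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    out["subject_id"] = p.pseudonym(record["email"])
    return out


# Constructed sample record (same shape as the CRM example later in the deck).
SAMPLE = {
    "company": "Acme Plc", "first_name": "John", "last_name": "Smith",
    "email": "john.smith@acme.com", "phone": "0101 123 4567",
    "birthday": "29th December", "city": "Reading", "county": "Berkshire",
    "postcode": "RG1 1AB", "market": "Manufacturing", "employees": 250,
}

if __name__ == "__main__":
    p = Pseudonymiser()
    print(minimise_and_pseudonymise(SAMPLE, "analytics", p))
```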
  25. Data Protection Impact Assessment
     • Assesses the risks to the data subject
     • Mandatory
     • Required:
        o When implementing GDPR
        o When implementing changes within your organisation
  26. Questions To ask of your business
  27. Have you registered with the ICO?
     • Tier 1 – Micro: <10 staff / £632,000 turnover = £40
     • Tier 2 – SME: <250 staff / £36 million turnover = £60
     • Tier 3 = £2,900
     • Max penalty for unpaid/incorrect fee = £4,350
  28. Registration Fee Exemptions
     • Staff administration
     • Advertising, marketing and public relations
     • Accounts and records
     • Not-for-profit purposes
     • Personal, family or household affairs
     • Maintaining a public register
     • Judicial functions
     • Processing personal information without an automated system such as a computer
  29. Have you updated your Privacy Policies?
  30. Have the staff been trained in data protection awareness?
  31. Does your business need a DPO?
  32. Data Protection Officer (DPO)
     • Public authorities (not courts)
     • Private companies (controllers and processors) whose core activities require large-scale
        o regular and systematic monitoring of data subjects, or
        o processing of sensitive personal data or data relating to criminal convictions
     • A group may appoint a single DPO
  33. Are you prepared to deal with a data breach?
  34. Breach Notification
     • Controller to notify regulator of breaches
        o without undue delay; and
        o within 72 hours if feasible, unless unlikely to result in risk to rights and freedoms of individuals
     • If 72 hours is not feasible, must provide reasoned justification
     • Controller to notify data subjects without undue delay if likely to result in high risk to rights and freedoms of individuals
     • Processor to notify controller of breaches without undue delay
  35. Fines – The Reality
     • Up to (the higher of) €20m or 4% of global annual turnover for infringement of:
        o Core principles
        o Consent
        o Data subjects’ rights
        o International transfers
        o Non-compliance with certain regulator orders
     • Up to (the higher of) €10m or 2% of global annual turnover for other breaches
     • Not having records in place
     • Failure to notify ICO (local Supervisory Authority)
     • Not doing a DPIA
     • Individuals’ actions
     • Class actions
  36. Fines – The Reality
     • Issuing fines has always been, and will continue to be, a last resort.
     • Last year (2016/2017): 17,300 cases – 16 resulted in fines for the organisations concerned.
     • Maximum powers not yet invoked. “We intend to use those powers proportionately and judiciously” – Denham
     • Suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.
     • Reputational damage.
  37. What value can GDPR add to your business?
  38. What are you going to do next?
  39. General Data Protection Regulation – GDPR: Give Data Proper Respect. Gordon Petrie, Augmentum, 8th March 2018
  40. The beauty of GDPR opinions: if you don’t like those you have heard, there will be another along in a minute.
  41. What has driven GDPR
  42. What is GDPR? Simply, it is about “OUR” personal data.
  43. Where is “OUR” personal data
  44. Data versus Information – The GDPR opportunity. Common CRM data inconsistency, and how GDPR will impact on capturing and holding data into information that has business value. Three CRM records for the same contact, listed field by field (Company Name / First Name / Last Name / Job Title / Phone / Mobile / Email Address / Birthday / City / County / Postcode / Market / Employees / Turnover / Product / Service / Competitor; “–” = empty):
     • Record 1: Acme / John / Smith / – / 0101 123 4567 / – / john.smith@acme.com / – / – / Berkshire / RG1 1AB / – / – / – / – / – / –
     • Record 2: Acme Limited / John / Smith / Maaging Director / – / 07777 123456 / – / – / Reading / – / – / – / – / – / – / – / –
     • Record 3: Acme Plc / John / Smith / Managing Director / 0101 123 4567 / 07777 123456 / john.smith@acme.com / 29th December / Reading / Berkshire / RG1 1AB / Manufacturing / 250 / £15M / Widgets / Maintenance / Widgets Inc
     And don’t forget employee data.
  45. (Chart: two curves plotted against TIME. Competitive Advantage curve, with adoption stages Early Adopters, Early Majority, Late Majority, Laggards; and Change curve, with stages Shock, Denial, Frustration, Depression, Experiment, Decision, Change success. Annotated journey: Awareness of GDPR; Attend public GDPR events; Daunted by the scale of GDPR; Start small with focused workshop or live project; Implement a company-specific programme.)
  46. GDPR – Strategic Change scope
     • Ownership – internal, supply chain, business function
     • Priorities – how does GDPR fit with existing priorities?
     • Communication – who needs to know?
     • Risk – how do you assess it?
     • Time – what is involved?
     • Cost – real and implied
     • Opportunity – there is always one
  47. Do you think that the availability of the right to data portability, access and erasure will increase the profits of your organisation? Overall, data professionals show a high level of uncertainty when asked to assess the benefits of GDPR data rights. It is noteworthy that the in-depth interviews revealed a lack of imagination and preparedness in terms of the more far-reaching impacts of GDPR, especially second-order effects such as the emergence of new data-centric business models and privacy and data protection as a competitive advantage. This suggests that the value of the GDPR rights from consumers’ point of view does not depend on consumers actively using their rights, but that more widespread awareness of the scope of personal data use might make the rights even more valuable in the eyes of consumers. A stronger regulatory framework is likely to mitigate the effect of a localised loss of trust (i.e. a data breach affecting a specific data controller), by reassuring consumers that companies in general are incentivised (through rights that allow user control etc.) to keep data safe, and to react to a loss event by strengthening security. Source: LE survey of data protection professionals (2017)
  48. Typical questions for discussion
     • What consent do I need?
     • Do I need to get opt-in permission for existing customers/prospects?
     • What is legitimate interest?
     • When do I have to be compliant?
     • What data is included?
     • How do I secure data in cloud software?
     • What is the difference between business and personal data?
     • How can I store data?
     • What if I have printed data?
     • Who owns the data?
     • What level of security is needed for data and emails?
     • What are my responsibilities for data shared with my supply chain?
     • What do I need to do if there is other legislation in place regarding retention of data?
     • How can I do telemarketing?
     • What is the impact for payroll and pensions for staff?
     • How do I handle subject access requests and the confirmation of identity?
     • What level of education do I need for the company?
  49. There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
     (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
     (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
     (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
     (d) Vital interests: the processing is necessary to protect someone’s life.
     (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
     (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
     It’s all about Consent!!!! (see: consent-is-not-the-silver-bullet-for-gdpr-compliance)
  50. Summary
     • Most questions are common, as is the confusion around what to do
     • By thinking about how your business uses data it is possible to work out a strategy
     • GDPR is a strategic change, so the right people in the organisation MUST be involved, starting at the top
     • Thinking differently about the regulation makes it easier to decide on a course of action
     • There are opportunities to make GDPR a positive change
     • Decide on the make-up of the project team (internal/external)
     • GET STARTED
  51. WHAT IS THE NEXT ACTION YOU WILL TAKE?
  52. Developing your GDPR Policies and procedures to help drive compliance
  53. Your Privacy Policy – First contact – Collecting Personal Data. Transparency in the who, what, how and why
     • Any communications with a data subject must be concise, transparent, intelligible – plain language.
     • You must be transparent in providing information about yourself and the purposes of your processing.
     • Controller must provide the data subject with information about their rights.
  54. What information do you need to include in your Privacy Policy? You must provide (amongst others), in clear and understandable form:
     • Identity and contact details of controller – who you are
     • Purpose of processing
     • What lawful basis you are relying on to process data
     • Categories of personal data held
     • Who the recipients might be (third parties?)
     • If it is being transferred outside of the EU, and how it is protected
     • How long it will be stored for
     • What rights the data subject has and how to exercise them – and withdraw
     • The right to complain to the regulator
  55. Getting the right Consent
  56. Granular…
     • Who you are
     • Marketing materials
     • Promotions
     • Opt-ins – method (e-mail etc.)
     • Third parties
  57. Stay United – A bit too much?
  58. Creating your Privacy Policy – Mandatory Requirements
     • Providing information to a data subject is a requirement of the GDPR.
     • The easiest way to do so is through a Privacy Policy.
     • Under the GDPR specific information needs to be included in your privacy policy.
  59. What should be in your Privacy Policy? …what type of information are you collecting and why.
  60. You need a “Lawful Basis” for Processing. In order to comply with the GDPR you must have a lawful basis in order to collect and process an individual’s personal data. You need to choose and record the most appropriate lawful basis for your business:
     • Consent – to process data for a specific agreed purpose
     • Contract – processing necessary for a contract you have with a data subject
     • Legitimate Interests
     • Vital Interests (life or death situation)
     • Public Interest
     • Legal obligations
     In practice, other than consent, you are most likely to rely on the performance of a contract or legitimate interests.
  61. 1. CONSENT – Do you need consent?
     • Direct Marketing … CONSENT REQUIRED
        o New services / product information / sales information
        o Newsletters (with adverts)
        o Offers and promotions
        o Services not directly related to those you are already providing
     • Marketing relating to services you are providing
        o Marketing specifically relating to products and services that current customers have bought from you
  62. Give clear details about your marketing activities…
  63. You need to be very clear if you are processing sensitive data
  64. Other lawful grounds – Contract
     • CONTRACTUAL: “processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take pre-contractual steps at the request of the individual.”
     • PRE-CONTRACTUAL: “…pre-contractual steps at the request of the individual”, e.g. processing data to follow up on an estimate / provide a quote
     • Covers any current contracts to supply goods or services, or to fulfil obligations under an employment contract. But the only necessary processing would be that needed to make the contract work: you can’t assume that you can send marketing e-mails because the person signed the contract.
  65. Performance of a Contract: Examples
     • An individual shopping around for car insurance requests a quotation. The insurer needs to process certain data in order to prepare the quotation, such as the make and age of the car.
     • When a data subject makes an online purchase, a controller processes the address of the individual in order to deliver the goods. This is necessary in order to perform the contract.
  66. Telling people you will process their data in the performance of their contract with you…
  67. Relying on Legitimate Interests
     “controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers”
     • So what types of processing could be on the basis of legitimate interest?
     • The most prevalent categories of legitimate interest: (i) fraud detection and money laundering prevention, and (ii) website information and system security – general security / IT security.
     • Use of employment data – necessary for employee operational administration; also e.g. call recording and monitoring for call centre employees’ training and development purposes.
     • B2B – event marketing and planning
     • Others: suppression, updating customer details, product development, website development and personalisation, web analytics, intra-group transfers, or IT security as potential legitimate interests.
  68. Explain how you use data and on what lawful basis you process it…
  69. Make it clear where you are relying on legitimate interest to process their data
  70. Be clear where you share data with Third Party Processors
  71. Data Processing Contracts – your safeguard to protect your customer / employee data
     • Where processing is to be carried out on behalf of a controller, that processing must be governed by a contract.
     • That contract must set out:
        o Subject matter of the data processing
        o Duration of the processing
        o The nature and purpose of the processing
        o Type of personal data
        o Categories of data subjects
        o That the processor will only process on your instructions, and not pass data to a third party without consent
        o That they will take all appropriate technical and organisational measures and keep data secure
        o That they will ensure that you can comply with data subjects’ rights – SARs / erasure
  72. Who processes your data?
     • Any time a service or administrative function is outsourced to a third party, there could be personal data being transferred. This includes outsourcing to:
        o Payroll providers
        o Hosting providers
        o Other third-party service providers
     • Where any such processing is then sub-contracted out to a third party, the same data processing obligations must be passed on to the sub-contractor. If the sub-processor fails to fulfil its obligations, the data controller is liable.
     • N.B. Sharing data requires a processing agreement.
  73. Data transfers outside of the EEA
     • The GDPR imposes restrictions on the transfer of personal data outside the European Union: personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in the GDPR.
     • Generally you need:
        o A GDPR-compliant processing contract in place
        o An adequate level of protection (a third country, one or more specific sectors within a third country, or an international organisation which ensures an adequate level of protection / data protection controls)
  74. Data Retention – How long can you hold client data?
     • Personal data that you process should not be kept for longer than is necessary for that purpose.
     • Unless you obtain consent to retain personal data for a longer period:
        - Marketing activity – immediately
        - Contact data – [x] years
        - Website data – [x] years following the date of last contact or dealing
        - Enquiry data – retained for [x] months following the date of last contact
        - Payment data
        - Employment data
        - Other
     • Question: how long do you need to retain data for? Can you minimise the data you hold?
     • Do you need consent to hold that data for longer than might be deemed “legitimate interest” or in the performance of a contract?
  75. Other requirements - Access requests
  76. Other requirements - Eight rights of data subjects
  77. Other requirements - Information and DPO
  78. Contract Management
     • Review Privacy Policies and Consent (data collection forms). Can you rely on existing consents? Is consent…
        - Easy to understand / unbundled / opt-in / granular / named / easy to withdraw / recorded?
        - Is the data subject well informed about: how you plan to use data / how it will be processed / how long it will be kept for / their Data Subject Rights?
     • Review and update your existing Privacy Policies, Employee Handbook / Managing GDPR Handbook (SARs / Breaches etc.)
     • Review Agreements with Partners
        - Requirement for Data Processing Agreements
        - Have suitable GDPR processing clauses been included (e.g. right to be forgotten)?
        - Risk of non-compliance (up and down the supply chain)
     • Review your own Terms and Conditions – reduce risk (customer relationship) / Insurance?
  79. Panel Question & Answer
  80. Some of your questions
     1. If businesses aren’t sure whether they have GDPR compliant consent for their e-mail mailing lists, how do they go about getting people to re-consent?
     2. There is some confusion around whether business e-mail addresses are personal data. What do the rules say?
     3. There’s quite a bit in the GDPR about retention and data minimisation; can you give some basic guidance on how long businesses can keep customer data for?
     4. Will most businesses need a DPO and who should be nominated?
     5. Given that data breach reporting is mandatory, what constitutes a data breach and do they all really have to be reported?
     6. What is the best way to document procedures for all the different elements that GDPR affects, e.g. is it best to have a GDPR register of some sort or just document each area separately as part of a business area e.g. employment, quality control, transport etc.?
     7. We currently publish our staff directory on our website – we don’t have consent to do this. Under the new GDPR would this be classed as excessive and should the directory be taken down? Or should we be looking at obtaining consent?
     8. I know that GDPR covers data held on systems/emails etc. but what about corresponding paper records please? I can’t find that much definitive advice around this.