3. UK privacy history
What is GDPR?
• 1995 – First EU Data Protection Directive
• 1998 – Data Protection Act
• 2009 – First public consultation with a view to revising the European data protection framework
• 2012 – First draft of the GDPR
• 2018 – GDPR comes into force
6. Fines & penalties
Not complying can cost your business up to €20 million or 4% of the company’s annual worldwide turnover (whichever is higher).
7. Fines & penalties
• Sent 3.3 million emails under the title ‘Are your details correct?’ to people who didn’t sign up to marketing material.
• Fined £70,000 in March 2017.
8. Fines & penalties
• Sent 289,790 emails clarifying whether customers who hadn’t signed up wanted to receive marketing.
• Fined £13,000 in March 2017.
11. • 96% of respondents claim to understand the term ‘personal data’, but less than 64% picked the correct definition
• 79% of consumers believe the primary use of personal data is for an organisation’s financial gain
• 65% of consumers are unsure if data is being shared without their consent
Trust in Personal Data: A UK Review
16. The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to erasure
4. The right to object
5. Rights in relation to automated decision making and profiling
6. The right to rectification
7. The right to restrict processing
8. The right to data portability
17. The right to erasure: case study
• Mario Costeja González
18. Warning: Special categories of data
1. Racial or ethnic origin
2. Political opinions
3. Religious / philosophical beliefs
4. Trade union membership
5. Genetic data
6. Biometric data
7. Data concerning health or sex life
8. Sexual orientation
9. Criminal data
22. The consent challenge
How do you persuade consumers to share their data?
• Offer incentives
• Be completely clear on what the consumer will receive
• Be completely clear on storage details and who the information will be shared with
23. Consent
The GDPR defines valid consent as unambiguous, affirmative consent.
26. Consent Q&A
Q: Can we still use a pre-ticked box as consent?
A: No, GDPR doesn’t class a pre-ticked box or any form of inactivity as valid consent. The data subject must make an affirmative action for their consent to be valid.
27. Consent Q&A
Q: What is the best way to gain valid consent if purchasing a product or service?
A: The best way to ensure that you’re fully compliant with the GDPR is to include a separate opt-in option at the point a consumer joins/purchases, by encouraging them to sign up to receive updates via email.
28. Consent Q&A
Q: We’ve got historic lists – will they still be valid?
A: If your current data hasn’t specifically been collected using affirmative consent for all activities, or you don’t have a record of the details required, then you’ll have to gain fresh consent.
30. Database requirements
Organisations must be able to demonstrate that an individual consented to the processing of their personal data.
• If consent is given over the phone, you’ll need a recording.
• If you collect consent online, you’ll need to record consent wording, time & source.
39. Are you a data controller or data processor?
Data controller – the organisation that collects personal data and decides how it will be used.
Data processor – the organisation that processes personal data on behalf of the data controller.
40. Data controller obligations
• Collects data
• Which items of personal data to collect
• How the data will be used
• Whether to disclose the data, and if so, who to
• Arranging access
• Storage
41. Data processor obligations
• To process data fairly and lawfully
• Data is kept accurate and up to date
• Data is only kept for as long as necessary
• Adhere to all agreements in your contract with the data controller
42. Data controller or data processor?
A local authority uses a cloud provider to store data about its housing stock and residents, rather than holding the data on its own IT system. The cloud provider is also contracted to delete certain data after a particular period and to grant members of the public access to their own records via a secure online portal.
43. Data controller or data processor?
An online retailer works in co-operation with a third-party payment company to process customers’ transactions.
45. The data protection officer (DPO)
A data protection officer is responsible for overseeing your data protection strategy and implementation to ensure compliance with GDPR.
• Inform
• Monitor
• Contact
46. Who needs a DPO?
• Public authorities
• Large scale systematic monitoring of individuals
• Large scale processing of special categories
Database requirements – this is one of the areas that will take some time to set up and get ready.
You’ll have to make sure that the software / database you use is capable of recording what you need (such as the sign-up wording).
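The database requirements above (consent wording, time and source; a recording for phone consent; no pre-ticked boxes; historic lists re-consented when the record is missing) translate directly into a consent evidence table and a check over it. The following is an added example, not code from the slides; the field names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentRecord:
    """One row of a consent evidence table (constructed schema, not from the slides)."""
    subject_id: str
    wording: str                    # exact opt-in text the individual saw or heard
    timestamp: Optional[datetime]   # when the affirmative action took place (UTC)
    source: str                     # channel: "web_form", "phone", "legacy_import", ...
    affirmative_action: bool        # individual actively ticked / said yes
    pre_ticked: bool                # box was checked by default before they acted
    evidence_ref: Optional[str]     # call-recording id or form-submission id

def consent_problems(rec: ConsentRecord) -> list[str]:
    """Return every reason this record would NOT demonstrate valid consent."""
    problems = []
    if rec.pre_ticked or not rec.affirmative_action:
        problems.append("no affirmative action: pre-ticked box or inactivity")
    if not rec.wording.strip():
        problems.append("consent wording not recorded")
    if rec.timestamp is None or rec.timestamp.tzinfo is None:
        problems.append("timestamp missing or not timezone-aware")
    if not rec.source.strip():
        problems.append("source/channel not recorded")
    if rec.source == "phone" and not rec.evidence_ref:
        problems.append("phone consent needs a call-recording reference")
    return problems

def needs_fresh_consent(records) -> list[str]:
    """Subject ids from a historic list that must be re-consented before use."""
    return [r.subject_id for r in records if consent_problems(r)]

# Constructed sample records: a clean web sign-up, a pre-ticked box, a phone
# consent with no recording, and a legacy import with no details at all.
NOW = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    ConsentRecord("u1", "Yes, email me product updates", NOW, "web_form", True, False, "form-0001"),
    ConsentRecord("u2", "Yes, email me product updates", NOW, "web_form", False, True, "form-0002"),
    ConsentRecord("u3", "Caller agreed to marketing calls", NOW, "phone", True, False, None),
    ConsentRecord("u4", "", None, "legacy_import", False, False, None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.subject_id, consent_problems(r) or "valid")
    print("re-consent:", needs_fresh_consent(SAMPLE))
```

Running it flags u2, u3 and u4 for fresh consent and leaves u1 as demonstrable consent.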