Brighton Chamber bitesize workshop with Cobb Digital - GDPR, are you compliant? Wednesday 25th October 2017.

1. Preparing for the GDPR
How to comply

2. Introduction to GDPR

3. UK privacy history
What is GDPR?
1995
1998
2009
2012
2018
First EU
Data
Protection
Directive
Data
Protection Act
First public consultation
with view to revise
European data
protection framework
First draft of
the GDPR
GDPR
comes into
force

4. • Trust
• Consumer control
• Transparency
Why is GDPR being enforced?

5. GDPR fines & penalties

6. Not complying can cost your business up to
€20million or 4% of the company’s annual
worldwide turnover (whichever is higher).
Fines & penalties

7. hello
Fines & penalties
• Sent 3.3 million emails under the title ‘Are your
details correct?’ to people who didn’t sign up to
marketing material.
• Fined £70,000 in March 2017.

8. hello
Fines & penalties
• Sent 289,790 emails clarifying whether
customers who hadn’t signed up
wanted to receive marketing
• Fined £13,000 in March 2017

9. GDPR consumer statistics

10. Trust in Personal Data: A UK Review

11. • 96% of respondents claim to understand the
term ‘personal data’ but less than 64% picked
the correct definition
• 79% of consumers believe the primary use of
personal data is for an organisations financial
gain
• 65% of consumers are unsure if data is being
shared without their consent
Trust in Personal Data: A UK Review

12. Trust in Personal Data: A UK Review

13. 6 key updates

14. 1. Lawfulness, fairness & transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Security
6 key updated principles from the
Data Protection Act

15. Individual’s rights & special
categories of data

16. The GDPR provides the following
rights for individuals:
1. The right to be informed
2. The right of access
3. The right to erasure
4. The right to object
5. Rights in relation to automated
decision making and profiling
6. The right to rectification
7. The right to restrict
processing
8. The right to data portability

17. The right to erasure: case study
• hi
Mario Costeja
González

18. Warning: Special categories of data
l
1. Racial or ethnic origin
2. Political opinions
3. Religious / philosophical beliefs
4.Trade union membership
5. Genetic data
6. Biometric data
7. Data containing health or sex life
8. Sexual orientation
9. Criminal data

19. Consent

20. Every submission of personal data must be:
• Freely given
• Specific
• Informed
• Unambiguous
Consent

21. Consent shouldn’t include:
• Pre-ticked boxes
• Assumptions
• Conditional consent
Consent

22. How do you persuade consumers to share
their data?
• Offer incentives
• Be completely clear on what
the consumer will receive
• Be completely clear on storage details
and who the information will be shared with
The consent challenge

23. The GDPR defines valid consent as
unambiguous, affirmative consent.
Consent

24. The consent challenge: Incentives

25. The consent challenge
Come up with an incentive to
encourage sign ups to
your mailing list

26. Can we still use a pre-ticked
box as consent?
Consent Q&A
No, GDPR doesn’t class a pre-ticked
box or any form of inactivity as valid
consent. The data subject must make
an affirmative action for
their consent to be valid.

27. What is the best way to gain valid consent
if purchasing a product or service?
Consent Q&A
The best way to ensure that you’re fully
compliant with the GDPR is to include a
separate opt-in option at the point a
consumer joins/purchases by
encouraging them to sign up to
receive updates via email.

28. We’ve got historic lists –
will they still be valid?
Consent Q&A
If your current data hasn’t specifically
been collected using affirmative consent
for all activities, or you don’t have a record
of the details required, then
you’ll have to gain fresh consent.

29. New database requirements

30. Database requirements
Organisations must be able to demonstrate that an
individual consented to the processing of
their personal data.
If consent is given
over the phone, you’ll
need a recording
If you collect consent
online, you’ll need to
record consent wording,
time & source

31. True or false

32. True or false
GDPR will stop dentists ringing patients
to remind them about appointments

33. True or false
All personal data breaches will need to
be reported to the ICO.

34. Existing data

35. Existing data

36. Existing data
Credit: Getty

37. Review your strategy

38. Data controller vs data processor

39. Are you a data controller
or data processor?
Data controller - the organisation that collects
personal data and decides how it will be used.
Data processor - the organisation that processes
personal data on behalf of the data controller.

40. Data controller obligations
• Collects data
• Which items of personal data to collect
• How the data will be used
• Whether to disclose the data, and if so,
who to
• Arranging access
• Storage

41. Data processor obligations
• To process data fairly
and lawfully
• Data is kept accurate
and up to date
• Data is only kept for
as long as necessary
• Adhere to all agreements in your
contract with the data controller

42. Data controller or data processor?
A local authority uses a cloud provider to store
data about its housing stock and residents, rather
than holding the data on its own IT system.
The cloud provider is also contracted to delete
certain data after a particular period and to grant
members of the public access to their own
records via a secure online portal.

43. Data controller or data processor?
An online retailer work in co-operation with a
third-party payment company to process
customers’ transactions.

44. Data protection officer

45. The data protection officer (DPO)
A data protection officer is responsible for
overseeing your data protection strategy and
implementation to ensure compliance
with GDPR.
• Inform
• Monitor
• Contact

46. Who needs a DPO?
x
• Public authorities
• Large scale systematic monitoring of individuals
• Large scale processing of special categories

47. Any questions?
Thank you
http://cobb.agency/digital | 01273 208 913