LawBite is a UK-based online legal platform launched in 2013, headquartered in London. LawBite uses legal technology to streamline legal services for small and medium-sized businesses (SMEs), providing access to legal document templates as well as a network of lawyers based in the UK and internationally.
The GDPR came into force on 25 May 2018. The changes that the GDPR makes to Data Protection legislation are far reaching and the GDPR introduces a number of new legal concepts.
The interactive webinar will provide you with details on the key changes that you need to be aware of under GDPR including:
1. Background to the GDPR
2. Key changes under GDPR
3. GDPR Data Protection Principles
4. Data Processing
5. Obtaining consent
6. Rights of data subjects
7. International data transfers
8. Data breaches
9. Data processors and data protection officers
10. What your organisation should be doing now
The webinar contains a 45 minute presentation with a Q&A at the end.
1. Getting ready for the General Data Protection Regulation (GDPR)
12.00pm start
London, 9th May 2018
www.lawbite.co.uk
2. Fully Regulated Law Firm
Easy, fast access through 24/7 online platform
Great value - 50% or less of the cost of a normal law firm
Expert and experienced solicitors, barristers, mediators and arbitrators
LawBite - Democratising the Law for SMEs
3. How can LawBite help you?
• LawBite specialises in GDPR solutions
• Over 5,000 businesses have approached us for help
• LawBite has an expert team of GDPR lawyers
• We’re working with over 250 GDPR clients at any time
• Businesses are overwhelmed by all the information
• Every business needs to know how GDPR will affect THEM
• We provide FREE assessment tools and practical help (including this webinar!)
• Let us help you understand how GDPR applies to your business
4. Free GDPR Tools and Help
• GDPR webinar slides and Q&A document
• Use our GDPR hotline for any queries! 0845 241 1843
• Or simply enter your GDPR enquiry at: gdpr@lawbite.co.uk
• Our GDPR audit document identifies your EXACT needs
5. GDPR Compliance Products & Services
We’re offering a 10% discount on all our GDPR compliance products and services to webinar participants until 25th May 2018 (call us on 0845 241 1843 and mention this webinar!)
GDPR Documents Package and 30 minutes of legal advice, £345 + VAT (versus £385 + VAT)
Webinar Training tailored to your business 1hr, £265 + VAT (versus £295 + VAT)
GDPR Documents Package & tailored Webinar Training 1hr, £580 + VAT (versus £645 + VAT)
Bespoke GDPR Solution, £POA - 10%: Starts with a free Audit of your needs
Our Bespoke GDPR solution is tailored to your business.
6. GDPR Rescue Package!!
If you have left it to the last minute don’t be alarmed, help is at hand with our GDPR Rescue Package!
Comprehensive GDPR documents package, 30 minute audit consultation and an additional 2 hours of specific GDPR legal advice at £495 + VAT (versus £675 + VAT)
8. Speaker
Alla Fairbrother is a solicitor qualified in England since 2009 with experience advising a wide range of businesses. Alla advises clients on a wide range of commercial legal matters including data protection and GDPR.
Alla Fairbrother, LawBrief
9. Content of GDPR webinar
1. Background to the GDPR
2. Key changes under GDPR
3. GDPR Data Protection Principles
4. Data Processing
5. Obtaining consent
6. Rights of data subjects
7. International data transfers
8. Data breaches
9. Data processors and data protection officers
10. What your organisation should be doing now?
11. Action points
12. How we can help you
11. 1. Background to GDPR
Data Protection Act 1998
• Out of date
• Data used in multiple ways that were not envisaged in the 90s
• Vulnerability in the current legislation
• General public expect to be protected
EU General Data Protection Regulation (GDPR)
• Applies across all EU member states (expanded territorial reach)
• Individual EU country data protection laws disappear
12. 1. Background to GDPR cont.
GDPR already in force
• March to April 2016 – approved text is published
• May 2016 – enters into force
• 25 May 2018 – becomes applicable after a 2 year transition period
UK implementation: Data Protection Bill 2018
13. 1. Background to GDPR cont.
GDPR requires businesses to implement data protection:
• “by design” (technical and organisational measures) and
• “by default” (data minimisation).
14. 1. Background to GDPR cont.
Breach of GDPR
- Breach of (mainly) record keeping, contracting and security clauses – maximum fine of up to €10 million or 2% of annual worldwide turnover (whichever is greater)
- Breach of (mainly) basic principles, data subject access requests, transfer to third countries and non-compliance with ICO order – maximum fine of up to €20 million or 4% of annual worldwide turnover (whichever is greater)
15. 2. Key changes under GDPR
What is Personal Data?
According to the Data Protection Act 1998:
Data which relates to a living individual who can be identified…
➢ From that data, or
➢ From that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and
➢ Includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
16. 2. Key changes under GDPR cont.
What is Personal Data?
According to the GDPR:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
A name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
17. 2. Key changes under GDPR cont.
What is Sensitive Personal Data?
Under GDPR, the term used is Special Categories of Personal Data:
• Racial or ethnic origin (e.g. passports and photographs)
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Physical or mental health or condition
• Sexual life or sexual orientation
• Genetic data
• Biometric data (e.g. fingerprints, eye scans)
N.B. – Explicit consent for processing
18. 2. Key changes under GDPR cont.
GDPR Introduces:
1. Enhanced documentation to be kept by data controllers
2. Enhanced Privacy Notices
3. More prescriptive rules on what constitutes consent
4. Mandatory data breach notification requirement
5. Enhanced Data Subject Rights
6. New obligations on Data Processors
7. Expanded territorial scope
8. Appointment of Data Protection Officers
9. Significant increase in size of fines and penalties
19. 3. The Data Protection Principles
• Good News: There are not significant changes to the core principles of Data Protection.
• All the aims and objectives of the Eight Principles of the DPA still apply.
• Only six principles are specifically referenced in Article 5 of GDPR but two more (Data Subject Rights and Data Transfers) are covered in other parts of the Regulation.
20. 3. The Data Protection Principles – DPA 1998
1. Process data fairly and lawfully
2. Only process data for specific and lawful purposes
3. Data processing must be adequate, relevant and not excessive
4. Data processing must be accurate and, where necessary, kept up to date
5. Personal data should be kept no longer than is necessary
6. Act in accordance with the rights of data subjects
7. Take appropriate technical and organisational security measures
8. Data cannot be transferred to a country or territory outside the European Economic Area unless adequate protections are in place
21. 3. The Data Protection Principles - GDPR
1. The Lawfulness and Transparency Principle
2. The Purpose Limitation Principle
3. The Data Minimisation Principle
4. The Accuracy Principle
5. The Storage Limitation Principle
6. The Integrity and Confidentiality Principle
7. [Data Subject Rights]
8. [Data Transfer]
22. 3.1 The Lawfulness, Fairness and Transparency Principle
• Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• The concept of ‘transparency’ is key throughout the GDPR.
• Evident in the provision that a privacy notice must be given to an individual when collecting their data.
23. 3.2 The Purpose Limitation Principle
• Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
• Personal data shall be obtained only for one or more specified and lawful purposes.
• Personal data may not be further processed in any manner incompatible with those purposes.
• The purposes should be specified in privacy notices
24. 3.3 The Data Minimisation Principle
• Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Collecting information which is not needed would be a breach of this principle
• How will your organisation ensure that this principle is complied with?
25. 3.4 The Accuracy Principle
• Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• There are obvious risks to data subjects if inaccurate data are processed. Therefore controllers are responsible for taking all reasonable steps to ensure that personal data are accurate.
The GDPR does not materially change the accuracy principle.
26. 3.5 The Storage Limitation Principle
• Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
How will your organisation monitor how long it is holding data for?
27. 3.5 The Storage Limitation Principle
Don’t keep any data for longer than you need to
• Have a retention policy which identifies how long it is necessary to retain the data given the purposes it was collected for.
• Securely dispose of information when it is no longer needed for those purposes, in line with your retention policy.
• Update, archive or securely dispose of information if it goes out of date.
How will your organisation monitor how long it is holding data for and dispose of unnecessary data?
28. 3.6 The Integrity and Confidentiality Principle
• Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Essentially the same as the original Principle 7
• Controllers and Processors must keep data secure from unauthorised or unlawful processing, accidental loss or destruction, or damage.
What is ‘appropriate’?
• Consider:
➢ the cost of implementing security measures
➢ the nature, scope and context of the information in question
➢ the harm that might result from improper use, or from accidental loss or destruction
29. 4. Data Processing
What is data processing?
Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law.
If the controller does not have a lawful basis for a given data processing activity then that activity is prima facie unlawful.
30. 4. Data Processing cont.
GDPR is underpinned by the concept of Accountability
• The ICO will now have the right to audit organisations; under previous legislation it could not audit organisations but could prosecute.
• Organisations must be able to demonstrate that comprehensive data protection compliance programmes, with policies, procedures and compliance infrastructure, are in place.
• The requirement to have documentary evidence of consent, data processed and the legal basis for processing is significantly enhanced.
31. 4. Data Processing cont.
Having a lawful basis for each processing activity is critical to an organisation’s ability to comply with EU data protection law.
Legal bases available:
1. Consent – Not the only basis available!
2. Necessary for a Contract - To fulfil contract obligations
3. Legal Obligations – Governmental, HMRC, Social Security etc.
4. Vital Interests of that Subject – Risk to health and safety
5. Public Interest – New for Government bodies
6. Legitimate Interests of the business to process – Very useful legal basis
32. 4. Data Processing cont.
Enhanced documentation is required
Ensure that there are clear records of all data processing activities
• Purposes for which data are being processed
• The categories of Data Subjects and Personal Data within your organisation
• Any transfers to non-adequate countries and appropriate safeguards deployed
• A general description of technical and organisational security measures
33. 4. Data Processing cont.
GDPR requires documented data protection impact assessments for high-risk processing activities.
In particular there is:
• Automated processing that has legal or significant effects on the person
• Large scale Sensitive Data processing
• Monitoring of publicly accessible areas on a large scale
• Others to come on recommendation of ICO
34. 5. Obtaining Consent
Lawful, Fair, and Transparent Data Processing
GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.
If you are relying on consent then consent must be:
“freely given, specific, informed and unambiguous”
N.B. Remember consent is not the only way forward
35. 5. Obtaining Consent cont.
• Consent cannot be assumed from silence or inaction
• Consent should be opt-in, not pre-ticked boxes
• Consent should be explicit for processing sensitive personal data
• Separate consents should be obtained for distinct processing activities
• Consent cannot be bundled with other written agreements or declarations
• Name who will be relying on the consent
• Care should be taken with children’s personal data. Parent or guardian must consent on their behalf
• There must be a process for Data Subjects to be able to withdraw consent
• Review consent mechanisms: can businesses rely on old ones?
• Review the procedure for obtaining consent. Is this procedure GDPR compliant?
36. 6. Data Subject Rights
1. Access
2. Rectification
3. Erasure (‘Right to be Forgotten’)
4. Restriction of processing
5. Portability (in a format to enable transfer)
6. Object to processing
7. Automated decision making, including profiling
37. 6. Data Subject Rights cont.
Access
• To allow data subjects to enforce their data protection rights, EU data protection law obliges controllers to provide data subjects with access to their personal data.
• An individual who makes a written request is entitled to be told whether or not any of their personal data is being processed.
• If this is the case then they are entitled to the following information:
➢ A description of the personal data, the purposes for which it is being processed, recipients, retention period and rights of rectification, erasure, restriction and objection
➢ Any existence of automated decision making
➢ Any transfer safeguards that exist
• A data subject has a right to be given a copy of the information comprising the data, and given details of the source of the data.
38. 6. Data Subject Rights cont.
Under GDPR
• A fee is no longer payable by the data subject for subject access requests
• An elevated risk that individuals will attempt to exercise these rights merely because they can, or as a cheap but effective means of protest against an organisation.
• Information must now be supplied within 1 month, not 40 days
• Data can include opinions, voice recordings and manual records
39. 7. International data transfers
International Data Transfer
Data is considered to be ‘transferred’ across borders when:
- It is physically transferred across borders
- It is accessed across borders (i.e. remote access)
Transfer ‘Rules’
Transfer is not restricted within the 28 EU member states plus 3 EEA countries (Iceland, Norway & Liechtenstein)
(Broadly the same rules as DPA 1998)
40. 7. International data transfers cont.
Self-assessment is no longer available; safeguards are now needed for international data transfer:
1. Adequacy findings
2. Privacy Shield
3. Consent
4. Necessary for performance of a contract
5. Vital interests
6. Contractual safeguards
7. Binding corporate rules
8. Certification and Code of Conduct
41. 7. Expanded Territorial Reach
• If a business operates in more than one member state it will need to decide which EU member state is the lead supervisory authority
• Lead supervisory authority will be the state where the main business establishment/central administration/place where decisions about data processing are made is located
• Only relevant where there are multiple establishments carrying out cross-border data processing activities
42. 8. Data Breach
The GDPR definition of a data breach:
"A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
43. 8. Data Breach
Under GDPR, controllers and processors must implement appropriate technical and organisational measures, taking into account:
• The costs of implementation
• The nature, scope, context, and purposes of the processing
• The risk of varying likelihood and severity for the rights and freedoms of natural persons
44. 8. Data Breach cont.
Currently there is no legal requirement to report a data breach
• Under GDPR when a data breach occurs you must notify the ICO:
➢ Where feasible within 72 hours
➢ Unless breach is unlikely to result in risk to individuals – this is a major change
• There is also a requirement to notify individuals if breach is likely to result in high risk to the individuals affected
45. 9. Data processors, data controllers and data protection officers
GDPR covers “controllers” and “processors”
Data Controllers
• According to the Data Protection Act 1998:
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
• According to GDPR:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
46. 9. Data processors, data controllers and data protection officers, cont.
Data Processors
• According to the Data Protection Act 1998:
Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
• According to GDPR:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processors can now receive fines and penalties
47. 9. Data processors and data protection officers cont.
Data Controller
Responsible for most aspects of compliance even when engaging a Data Processor to process Personal Data on its behalf.
Data Processor
• Act only under the instructions of the Data Controller.
• Keep personal data secure from unauthorised access, loss or destruction.
Data processors must now have a written agreement
48. 9. Data processors and data protection officers cont.
DATA PROCESSING
In relation to the information or data it means:
• Obtaining, recording
• Or holding the information or data, or carrying out any operation or set of operations on the information or data
It includes
• Access, storage, retrieval, disclosure and erasure/destruction
Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR. Processors are required to process personal data in accordance with the controller's instructions.
49. 9. Data Protection Officer (DPO)
• DPO is a senior role
• Responsible for GDPR compliance
• Allocation of responsibility
• No general obligation to appoint a DPO but the following must appoint a DPO:
• Public authorities (with some minor exceptions)
• Any organisation whose core activities require:
➢ “regular and systematic monitoring” of data subjects “on a large scale”; or
➢ “large scale” processing of Sensitive Data or criminal records; and
➢ Those obliged to do so by local law (countries such as Germany are likely to fall into this category).
50. 10. Key Take Outs
• Key decision makers within businesses must be made aware that the law is changing and all staff should be trained
• Businesses should review the impact of GDPR extra-territorial scope on their business.
• International businesses should consider which member state is the main data processing entity
• Businesses should document the personal data which they process as a Data Controller and/or Data Processor
• Businesses need to review and update privacy notices in line with GDPR requirements
• Businesses need to consider and update Data Protection Policies and Procedures in line with GDPR requirements – including staff and third party policies
• Businesses should have a GDPR implementation plan – regular review meetings up to May 2018
• Businesses should ensure that they are able to access personal data easily and have searchable databases
• Businesses should have in place a procedure for dealing with data subject access requests that aligns with GDPR, and make sure that they can respond effectively
51. 11. Key Take Outs
• Businesses should document the legal basis on which they are processing each category of personal data
• Businesses should review and map key international data flows. Consider what data transfer mechanisms the business should have in place, whether these will continue to be appropriate and whether they are GDPR compliant
• Businesses should review all third party supplier and partner contracts and plan to update as necessary
• Businesses should ensure that they have in place appropriate security measures
• Businesses should consider how they will keep information up to date and accurate
• Businesses should consider how they will manage the duration they are holding information for and prepare a data retention policy
• Review process for obtaining consent. Is it GDPR compliant? Are current consents GDPR compliant?
• Consider whether the business needs a DPO
52. 12. How can LawBite help you?
1. GDPR advice
2. GDPR Audits and Privacy Impact Assessments
3. Data Protection Officer support
4. Review/draft data protection policies and privacy statements
5. Review/draft of contracts and terms and conditions
6. Review and update staff policies
7. Draft appropriate consent forms
8. Provide in-house training for Management, Data Protection Officers and staff
9. PIA
10. GDPR Audit
58. How to contact LawBite
You can email us at: gdpr@lawbite.co.uk
Or call the GDPR hotline: 0845 241 1843
You can review our GDPR solutions at: https://www.lawbite.co.uk/gdpr
Ref: GDPR
Editor's notes
Notes
A lot of information but LawBite are here to help
Different ways of using data – electronic records, iCloud providers, more travelling
We've had nearly 2 years to become compliant. Data Protection Bill 2018 – supports GDPR, Law Enforcement Directive, provisions for law enforcement and intelligence services
If there is a new line of business – think about personal data from the "design" stage. B2B business expanding to sell to consumers. Using a new electronic storage provider or an IT provider.
Current principles
New principles. We will cover each in more detail.
Transparency – privacy notices or policies, links on nearly every website. Clearly written and straight forward.
Purpose. If personal data collected for the purpose of complying with "contract" – to process order, send invoice, process payment, then cannot send marketing emails under the same "purpose".
If you don't need DOB, photographs, marital status or any other unnecessary personal data – don't collect/process.
Process for keeping personal data up to date – links in communications and similar.
Data Retention Policy. Set limits and follow them. Not unusual to keep for 6-7 years where there is a risk of litigation or for accounting / tax purposes. 10 years plus for Corporate records. A few weeks to a few months for CCTV recordings. But it depends on the nature of the business.
Security measures – not set in stone under GDPR. Sensitive medical data v B2B customer data. Size and resources of the business.
1 lawful basis for each type of processing. Record in GDPR documents. In more detail later.
Consent – marketing, special categories (photos, medical, biometric data, religious, political, etc.). Contract – confirmation emails, orders, deliveries, invoices and similar. Legitimate interests – need to make sure full analysis is recorded in data protection policy and privacy policy.
Opt-in boxes. Does not always have to be in writing but follow procedures and keep records if obtained in telephone conversations – script for obtaining consent, procedure for records keeping.
Will talk about each of these.
Travelling with laptops, accessing a server from another country (remote access)
Appropriate security measures to prevent loss of personal data
Data controller – in relation to marketing, employees, customers and similar. Data processor – provider of services, such as accountants, IT support, storage of documents. But need to establish whether can make decisions in relation to personal data.
Taking customer details, keeping them on local drives or remote servers, using details for processing orders, delivery, invoicing.