GDPRforum London

GDPR
pragmatic.agency/GDPR
#GDPRforum
@pragmaticweb @pragmaticagency

GDPRForum
London
www.pragmatic.agency/GDPR
#GDPRforum @pragmaticweb

GDPR: the role of the digital agency
David Lockie // GDPR Forum // November 2017

What is GDPR?
@pragmaticweb pragmatic.agency d@pragmatic.agency

● General Data Protection Regulations
● Supersedes the UK Data Privacy Act 1998 (DPA)
● Starts 25th May 2018
● Governed by the ICO

Who does it apply to?

● Organisations operating within the EU, including the
UK, regardless of Brexit
● Organisations outside the EU that offer goods or
services to individuals in the EU
● ‘Controllers and Processors’

What information does
GDPR apply to?

● Personal data or PII
● Online identifiers such as IP address
● Automated data and manual filing systems
● Pseudonymised data - depending on degree
● Sensitive personal data especially

Tensions
Gen Z (21 or younger)
Group rights
Technology and data
Convenience
Innovation
Freedom
Previous generations
Individual rights
Traditional human institutions
Privacy
Maturity
Freedom

The role of the digital
agency

‘Agencies have a role to play in
safeguarding the people who use the
services we build. GDPR compliance
is a part of that.’
GDPR for business owners and senior executives - https://pragmatic.agency/GDPR

Getting the best
from your agency
Strategy Technical Operational

Discussion points
● Is the UK going to be able to make it’s own GDPR law compliant with the EU’s?
● Is this even going to be possible to enforce from a political/financial/realistic point of view?
● How will EU courts enforce against e.g. US companies?
● How will Brexit affect this?
● What’s an effective way of re-permissioning?
● Will this change the dynamic between email and other marketing channels for you?

Thanks!
@pragmaticweb
pragmatic.agency
d@pragmatic.agency
www.pragmatic.agency/GDPR

‘The first principle of data protection
is that personal data must be
processed fairly and lawfully.’
ICO -
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

Agency
Relationship
Client

Records,
information,
communication
Approach
Consent
Protect
individual
rights
Workflows

Records, information,
communication
● Document all the things!
● Privacy information notices
● Communicate to everyone in your organisation: provide
training
ICO -
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-noticestransparency-and-control/privacy-noticesu
nder-the-eu-general-data-protectionregulation/

Consent
● Active
● Granular
● Unbundled
● Named
● No imbalance in the relationship
● Verifiable and documented

Protect individual rights
● Subject Access Requests
(SAR)
● Rectification and erasure
● Portability
● Profiling, targeting & marketing
● Data breach notifications
● Data security

Incorporation of GDPR
into workflows
GDPR requires privacy by design and
data protection by default.
GDPR for business owners and senior executives - https://pragmatic.agency/GDPR

Short term actions
● Organise training for your team
● Appoint a Data Privacy Officer
● Create a data strategy
● Create an inventory of all the data you hold
● Create privacy information notices for all products and services
● Review your consent processes across all projects
● Review your Subject Access Request process
● Be prepared to meet requests for data rectification and erasure
● Implement any data portability processes
● Review your data breach process
● Review your data security standards
● Implement PbD into your workflows for all future projects
● Review contracts with any third parties with whom you give or receive data
● Review your legal basis for sending or receiving data outside the EU
● Share our guide with your colleagues
● Start re-permissioning
● Give us your consent to add you to our newsletter list (ha ha)

• Europe-Wide – Unified
• Big Fines, Bigger Brand Fallout
• Data Breaches – 72hrs to comply
• Data Privacy & DPO’s – An Inside Job
• A Journey with No Destination – Beware FUD-Mongers & ‘Experts’

• “Any freely given, specific, informed and unambiguous indication of his/her
wishes, by which the data subject, either by statement or clear affirmative
action, signifies agreement to personal data related to them being processed”
• “Affirmative Action”
• “Freely Given”
• “Specific & Informed”
Consent is contextual, not absolute

• Name & Contact details of Controller
• Purpose of the processing
• Description of categories of data subjects and data
• Recipients to whom data will be disclosed including 3rd
parties
• Transfers of personal data to another country
• Time Limits – ‘shelf life’ for retention of data
• Security around how data is held

• Train & get staff onboard
• Bake into brand values, educate customers
• Admit vulnerability – we’re human!
• Don’t overlook offline
• The Weakest Link – tough questions for suppliers
• Speak with competitors

• Thanks!
• Gilbertmhill@gmail.com
• Twitter: @gilbertHill

The Myth
- The Sun, 28 July 2017

The Reality
“Predictions of massive fines under the GDPR that simply scale up
penalties we’ve issued under the Data Protection Act are nonsense.
Don’t get me wrong, the UK fought for increased powers when the
GDPR was being drawn up. Heavy fines for serious breaches reflect
just how important personal data is in a 21st century world. But we
intend to use those powers proportionately and judiciously.
And while fines may be the sledgehammer in our toolbox, we have
access to lots of other tools that are well-suited to the task at hand and
just as effective.”
- Elizabeth Denham, Information Commissioner, 9 August 2017

The Myth
“You have to have consent to process personal data.”
- Nearly everyone, all the time
For example…
“The Data Protection Bill will require explicit consent to be
necessary for processing sensitive personal data.”
- An actual DCMS press release (no, really)

The Reality
• Consent is one possible basis for processing personal data.
• There are 5 others: contractual necessity, legal obligation, protection
of vital interests, public interest necessity and legitimate interests
– NB additional requirement of an exemption for “special categories of data”
• Consent is basically only really useful where you can’t rely on any of
the others – typically, in relation to direct marketing.
• Consent is hard to get right, easy to exceed, and easy to lose.
• Basically, consent is rubbish.

The Myth
“It’s all ok as long as you have consent.”

The Reality (1)
• You probably don’t have consent, actually
– Freely given, specific, informed?
– Affirmative action? (i.e. no “we will assume you
consent unless”)
– Not tied to something that consent isn’t necessary
for? (i.e. no “by using our service you consent to us
spamming you up the wazoo forever more”)
– Sufficiently granular? (i.e. separate consent for each
purpose)
– As easy to withdraw as to give?

The Reality (2)
• Consent might be legal basis on which you process, but
you still have to do that processing in accordance with
GDPR i..e
Fairly, transparently Kept safe and secure
Purpose limited,
minimised
Record keeping
Accurate, not retained
for longer than
necessary
Rights exercise

The Myth
“Data protection is an IT issue.”
“Buy this ‘thingy’ and you’ll be compliant.”

The Reality
• Data protection is a boardroom issue
• IT is involved, but so are Operations, HR, Sales, Marketing…
• There is no turnkey technology solution to GDPR compliance
– People and process first!
– Technology tools can help with particular issues e.g. data
discovery, record keeping, data housekeeping, security

The Myth
“All businesses have to appoint a Data Protection Officer.”
“All businesses with more than 250 employees have to
appoint a Data Protection Officer.”
…or some variation on that theme.

The Reality
• Most businesses will not be obliged to appoint a DPO
• You must appoint a DPO only if:
– You’re a public authority
– Your core activities require regular and systematic monitoring of
data subjects
– Your core activities consist of large scale processing of special
categories of data
• Otherwise, don’t have to… but might want to anyway?

The Myth
“All data breaches have to be reported within 72 hours.”

The Reality
• Not a straight myth, but only kinda true
• Data breaches much be reported to the ICO by the controller
UNLESS “unlikely to result in a risk to the rights and freedoms of
natural persons”
– Encrypted?
– Retrieved unopened?
– A bunch of corporate email addresses?
• Obligation is “without undue delay and, where feasible, not later than
72 hours after having become aware of it”
• Give (good) reasons if late, phased reporting

A few things that aren’t myths
• Still applies, Brexit notwithstanding
• Extraterritorial effect
• Primary obligations for data processors
• Record keeping
• Transparency
• New subject rights
• New contractual requirements for processors
• More prescriptive security requirements
• Stricter rules on consent

If watching a bunch of lawyers getting
apoplectically angry is your idea of a good
time…
#GDPRubbish

Or, if you’d just like some help …
Dan Hedley
Irwin Mitchell LLP
@DanHedleyIM
daniel.hedley@irwinmitchell.com
01293 742 717

Case Study:
Reviewing Process,
Procedure and
Reporting for GDPR
Ben Westwood:
Senior Privacy Manager &
UK Data Protection Officer
24 November 2017

Agenda:
• eBay Inc. overview
• Global privacy function
• eBay EMEA operations
• Implementation of the GDPR
• Preparation phases
• Three in-progress work streams
• Operations
• Champions
• Request management
• Article 30 records of processing
• Positives of the GDPR
• Questions

eBay Inc. at a Glance
Data as of Q3 2017 3
168M
Global active
buyers
380M
App
downloads
>100
Sites globally
12.6K
Members of staff

eBay Global Privacy Team:
USA & APAC EMEA

5
Overview of eBay EMEA operations

Implementation of the GDPR at eBay – Preparation Phases
Part 1: Preparation
• Raise awareness, start internal
communication
• Inform stakeholders, e.g. Business
Units, Marketing Teams, PR, etc.
• Choose project name
Part 2: Gap Analysis
• Carry out gap analysis per data
controller
• Carry out interviews with Legal
Teams and Business Units
• Draft gap analysis report/use metrics
• Compile list of action items
• Determine work streams
Part 3: Budget/Resource
• According to data controllers
• According to list of action
items
6
January 2016 May 2016 September 2016

Privacy Operations
• Privacy Impact Assessments
o Project lifecycle
o Vendor assessment
• Privacy platforms
• Privacy Hub
• Training and awareness
Privacy Champions
• Global recruitment
• Defined categories
• Incentives
Privacy Request Management
• Consistent
• Timely
• Accurate
7
Implementation of the GDPR at eBay – 3 In-Progress Work Streams

US
8 sec
3 min
13 sec
UK
14 sec
5 sec
2 min
DE AU
22 sec
14 sec
14 sec
50 sec
14 sec
9 sec
Vendor Security / Privacy Impact Assessment Platform
Launched in 2016 in collaboration with Group Information Security
• Tracks assessment of all vendors / suppliers
• Documents all data types being processed
o Categories of personal data
o Categories of data subjects
• Documents all processing purposes
• Documents all processing locations
• Collates all vendor documentation
• Automated tracking and management

Privacy Impact Assessment Platform
Launching in 2017
• Allow business units to manage their risk
• Provides holistic risk view to Privacy Team
• Built upon our documented data lifecycle
• Designed to enable automated assessments

Privacy Champion Program:
Two distinct groups
1. Builders
2. Defenders
Resources & Support
Social collaboration
Career development
Enhanced training
Sense of community
IAPP Membership
Free membership
Discounted certifications
CIPP as the baseline
10
Global Recruitment
Utilising existing networks
Subject matter experts
Business contacts
Privacy advocates

Why promote Privacy Champions?

Why promote Privacy Champions?
Practical advantages
• Builders - Prevention rather than cure
• Defenders - First responders
• Open lines of communication
• GDPR policies, standards and processes
• Raise organisational awareness of privacy
• Develop a culture of privacy compliance
Culture of privacy
“It’s about moving away from seeing the law as a box
ticking exercise, and instead to work on a framework
that can be used to build a culture of privacy that
pervades an entire organisation”
Elizabeth Denham – UK Information Commissioner

13
a) Subject Access Requests
b) Privacy Enquires & Complaints
Phase 1
• Gap analysis review
• Deep dive compliance audits
• On-site interviews
• Electronic surveys
• Documented and reported findings
• Recommendations for improvements
Privacy Request Management:

Privacy Request Management:
Phase 2
1) Procedural documentation (paper shield)
2) Process reengineering
3) People, process and technology
4) Solution building
Measuring success
1) Consistent request handling
2) Timely response management
3) Metrics and reporting
4) Accountability

Records of Data Processing
15
Name and
contact details
of the controller The purposes of
the processing
The categories of
personal data
The categories of
data subjects
Name and contact
details the data
protection officer
Retention
schedules
The mechanism use to
permit data transfer
outside of the EEA
Details of
recipients outside
of the EEA
Description of
the security
measures
The categories of
recipients of the data
Article 30

Positives of the GDPR
• Consumer trust
• An opportunity to get your house in order
• Privacy is in the spotlight – internally and externally
• High fines gain interest from high level managment
• Privacy matters are discussed at C-level
• Increased budget and resources for privacy functions
• DPO position gains more influence
• Opportunities to challenge processes and decisions
• Opportunity to really enhance Privacy within your company

GDPRforum London

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to GDPRforum London

Similar to GDPRforum London (20)

More from Angry Creative (UK)

More from Angry Creative (UK) (15)

Recently uploaded

Recently uploaded (20)

GDPRforum London