On the 25th May 2018, all businesses across Europe and the UK will face dramatic changes to Data Privacy Laws. With fines of up to 4% of revenue for noncompliance, GDPR has huge potential for disruption if not adhered to.
The GDPRforum was held on 24th November 2017 to gain valuable insight from Data Privacy experts, teach people how to prepare for the new laws, and how to turn a crisis into an opportunity.
GDPR Speakers:
David Lockie – Pragmatic – Founder
Dan Hedley – Irwin Mitchell – Partner
Gilbert Hill – Independent Privacy Technologist
Ben Westwood – eBay – Senior Privacy Manager & Data Protection Officer UK
6. ● General Data Protection Regulation (GDPR)
● Supersedes the UK Data Privacy Act 1998 (DPA)
● Starts 25th May 2018
● Governed by the ICO
@pragmaticweb pragmatic.agency d@pragmatic.agency
7. Who does it apply to?
8. ● Organisations operating within the EU, including the UK, regardless of Brexit
● Organisations outside the EU that offer goods or services to individuals in the EU
● ‘Controllers and Processors’
10. ● Personal data or PII
● Online identifiers such as IP address
● Automated data and manual filing systems
● Pseudonymised data - depending on degree
● Sensitive personal data especially
14. ‘Agencies have a role to play in safeguarding the people who use the services we build. GDPR compliance is a part of that.’
GDPR for business owners and senior executives - https://pragmatic.agency/GDPR
16. Discussion points
● Is the UK going to be able to make its own GDPR law compliant with the EU’s?
● Is this even going to be possible to enforce from a political/financial/realistic point of view?
● How will EU courts enforce against e.g. US companies?
● How will Brexit affect this?
● What’s an effective way of re-permissioning?
● Will this change the dynamic between email and other marketing channels for you?
18. ‘The first principle of data protection is that personal data must be processed fairly and lawfully.’
ICO - https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
21. Records, information, communication
● Document all the things!
● Privacy information notices
● Communicate to everyone in your organisation: provide training
ICO - https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/
25. Short term actions
● Organise training for your team
● Appoint a Data Privacy Officer
● Create a data strategy
● Create an inventory of all the data you hold
● Create privacy information notices for all products and services
● Review your consent processes across all projects
● Review your Subject Access Request process
● Be prepared to meet requests for data rectification and erasure
● Implement any data portability processes
● Review your data breach process
● Review your data security standards
● Implement Privacy by Design (PbD) into your workflows for all future projects
● Review contracts with any third parties with whom you give or receive data
● Review your legal basis for sending or receiving data outside the EU
● Share our guide with your colleagues
● Start re-permissioning
● Give us your consent to add you to our newsletter list (ha ha)
31. • Europe-Wide – Unified
• Big Fines, Bigger Brand Fallout
• Data Breaches – 72hrs to comply
• Data Privacy & DPO’s – An Inside Job
• A Journey with No Destination – Beware FUD-Mongers & ‘Experts’
33. • “Any freely given, specific, informed and unambiguous indication of his/her wishes, by which the data subject, either by statement or clear affirmative action, signifies agreement to personal data related to them being processed”
• “Affirmative Action”
• “Freely Given”
• “Specific & Informed”
Consent is contextual, not absolute
36. • Name & Contact details of Controller
• Purpose of the processing
• Description of categories of data subjects and data
• Recipients to whom data will be disclosed including 3rd parties
• Transfers of personal data to another country
• Time Limits – ‘shelf life’ for retention of data
• Security around how data is held
40. • Train & get staff onboard
• Bake into brand values, educate customers
• Admit vulnerability – we’re human!
• Don’t overlook offline
• The Weakest Link – tough questions for suppliers
• Speak with competitors
46. The Reality
“Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense. Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.”
- Elizabeth Denham, Information Commissioner, 9 August 2017
48. The Myth
“You have to have consent to process personal data.”
- Nearly everyone, all the time
For example…
“The Data Protection Bill will require explicit consent to be necessary for processing sensitive personal data.”
- An actual DCMS press release (no, really)
49. The Reality
• Consent is one possible basis for processing personal data.
• There are 5 others: contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests
– NB additional requirement of an exemption for “special categories of data”
• Consent is basically only really useful where you can’t rely on any of the others – typically, in relation to direct marketing.
• Consent is hard to get right, easy to exceed, and easy to lose.
• Basically, consent is rubbish.
52. The Reality (1)
• You probably don’t have consent, actually
– Freely given, specific, informed?
– Affirmative action? (i.e. no “we will assume you consent unless”)
– Not tied to something that consent isn’t necessary for? (i.e. no “by using our service you consent to us spamming you up the wazoo forever more”)
– Sufficiently granular? (i.e. separate consent for each purpose)
– As easy to withdraw as to give?
53. The Reality (2)
• Consent might be the legal basis on which you process, but you still have to do that processing in accordance with GDPR, i.e.:
– Fairly, transparently
– Purpose limited, minimised
– Accurate, not retained for longer than necessary
– Kept safe and secure
– Record keeping
– Rights exercise
56. The Reality
• Data protection is a boardroom issue
• IT is involved, but so are Operations, HR, Sales, Marketing…
• There is no turnkey technology solution to GDPR compliance
– People and process first!
– Technology tools can help with particular issues e.g. data discovery, record keeping, data housekeeping, security
58. The Myth
“All businesses have to appoint a Data Protection Officer.”
“All businesses with more than 250 employees have to appoint a Data Protection Officer.”
…or some variation on that theme.
59. The Reality
• Most businesses will not be obliged to appoint a DPO
• You must appoint a DPO only if:
– You’re a public authority
– Your core activities require regular and systematic monitoring of data subjects
– Your core activities consist of large scale processing of special categories of data
• Otherwise, don’t have to… but might want to anyway?
62. The Reality
• Not a straight myth, but only kinda true
• Data breaches must be reported to the ICO by the controller UNLESS “unlikely to result in a risk to the rights and freedoms of natural persons”
– Encrypted?
– Retrieved unopened?
– A bunch of corporate email addresses?
• Obligation is “without undue delay and, where feasible, not later than 72 hours after having become aware of it”
• Give (good) reasons if late, phased reporting
63. A few things that aren’t myths
• Still applies, Brexit notwithstanding
• Extraterritorial effect
• Primary obligations for data processors
• Record keeping
• Transparency
• New subject rights
• New contractual requirements for processors
• More prescriptive security requirements
• Stricter rules on consent
64. If watching a bunch of lawyers getting apoplectically angry is your idea of a good time…
#GDPRubbish
65. Or, if you’d just like some help …
Dan Hedley
Irwin Mitchell LLP
@DanHedleyIM
daniel.hedley@irwinmitchell.com
01293 742 717
68. Agenda:
• eBay Inc. overview
• Global privacy function
• eBay EMEA operations
• Implementation of the GDPR
• Preparation phases
• Three in-progress work streams
• Operations
• Champions
• Request management
• Article 30 records of processing
• Positives of the GDPR
• Questions
69. eBay Inc. at a Glance (data as of Q3 2017)
• 168M global active buyers
• 380M app downloads
• >100 sites globally
• 12.6K members of staff
72. Implementation of the GDPR at eBay – Preparation Phases
Part 1: Preparation
• Raise awareness, start internal communication
• Inform stakeholders, e.g. Business Units, Marketing Teams, PR, etc.
• Choose project name
Part 2: Gap Analysis
• Carry out gap analysis per data controller
• Carry out interviews with Legal Teams and Business Units
• Draft gap analysis report/use metrics
• Compile list of action items
• Determine work streams
Part 3: Budget/Resource
• According to data controllers
• According to list of action items
Timeline: January 2016, May 2016, September 2016
73. Implementation of the GDPR at eBay – 3 In-Progress Work Streams
Privacy Operations
• Privacy Impact Assessments
o Project lifecycle
o Vendor assessment
• Privacy platforms
• Privacy Hub
• Training and awareness
Privacy Champions
• Global recruitment
• Defined categories
• Incentives
Privacy Request Management
• Consistent
• Timely
• Accurate
74. [Chart: per-region timing figures for US, UK, DE and AU]
Vendor Security / Privacy Impact Assessment Platform
Launched in 2016 in collaboration with Group Information Security
• Tracks assessment of all vendors / suppliers
• Documents all data types being processed
o Categories of personal data
o Categories of data subjects
• Documents all processing purposes
• Documents all processing locations
• Collates all vendor documentation
• Automated tracking and management
75. Privacy Impact Assessment Platform
Launching in 2017
• Allows business units to manage their risk
• Provides holistic risk view to Privacy Team
• Built upon our documented data lifecycle
• Designed to enable automated assessments
76. Privacy Champion Program:
Two distinct groups
1. Builders
2. Defenders
Resources & Support
• Social collaboration
• Career development
• Enhanced training
• Sense of community
IAPP Membership
• Free membership
• Discounted certifications
• CIPP as the baseline
Global Recruitment
• Utilising existing networks
• Subject matter experts
• Business contacts
• Privacy advocates
78. Why promote Privacy Champions?
Practical advantages
• Builders - Prevention rather than cure
• Defenders - First responders
• Open lines of communication
• GDPR policies, standards and processes
• Raise organisational awareness of privacy
• Develop a culture of privacy compliance
Culture of privacy
“It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation”
Elizabeth Denham – UK Information Commissioner
79. Privacy Request Management:
a) Subject Access Requests
b) Privacy Enquiries & Complaints
Phase 1
• Gap analysis review
• Deep dive compliance audits
• On-site interviews
• Electronic surveys
• Documented and reported findings
• Recommendations for improvements
80. Privacy Request Management:
Phase 2
1) Procedural documentation (paper shield)
2) Process reengineering
3) People, process and technology
4) Solution building
Measuring success
1) Consistent request handling
2) Timely response management
3) Metrics and reporting
4) Accountability
81. Records of Data Processing (Article 30)
• Name and contact details of the controller
• Name and contact details of the data protection officer
• The purposes of the processing
• The categories of personal data
• The categories of data subjects
• The categories of recipients of the data
• Details of recipients outside of the EEA
• The mechanism used to permit data transfer outside of the EEA
• Retention schedules
• Description of the security measures
82. Positives of the GDPR
• Consumer trust
• An opportunity to get your house in order
• Privacy is in the spotlight – internally and externally
• High fines gain interest from high level management
• Privacy matters are discussed at C-level
• Increased budget and resources for privacy functions
• DPO position gains more influence
• Opportunities to challenge processes and decisions
• Opportunity to really enhance Privacy within your company