5. GDPR timeline, 2012 to 2018
- 2012: GDPR draft proposed
- May 2016: GDPR entered into force, after four years of lobbying & negotiations
- 25 May 2018: GDPR enforced from this date
Some areas will need further guidance provided by regulators.
(Graphic: the cost of non-compliance weighed against the cost of compliance, and the rights of individuals balanced against the needs of business.)
You are here, between entry into force and enforcement.
You should adopt a risk-based approach.
6. Your timeline
Day 0:
- Map your data
- Find out where you are
- Educate, educate, educate
7. Remember the people!
GDPR is about giving people back control of their personal data. It provides data subjects with eight powerful rights:
- Rectification: correcting any errors relating to your personal data
- Object: to processing (e.g. marketing)
- Erasure: where data is no longer relevant to the purpose, or consent is withdrawn
- Access: to your data processed by the Controller
- Automated decisions: not to be subjected to decisions based purely on automated processing
- Restriction: for a period where data is contested or processing is unlawful
- Informed: of the reasons for processing
- Portability: to transfer data (processed automatically) to another Controller
8. You must be clear about your processing
You must identify your legal basis for processing personal data. The six bases are:
- Consent (must be freely given, specific, informed & unambiguous)
- Contract
- Vital interest
- Legal obligation
- Public interest
- Legitimate interest
9. Design in privacy from the start
Applies to all areas of your business: IT, Marketing, HR, Operations, Sales, Legal, Development, Procurement.
- Map your data: you must know what data you collect & process
- Capture change: when a change is proposed to a process, system, application, project or contract, look at the privacy implications
- Principles
- Records
10. New mandatory measures apply to both controllers & processors
- Data protection by design & default: you will need to demonstrate that appropriate controls & the rights of data subjects are integrated into your organisation’s processes
- Supplier assurance: you will need to demonstrate your suppliers provide sufficient guarantees for processing personal data on your behalf (e.g. evidence of risk assessments & appropriate privacy clauses in your contracts)
- Maintain records of processing: to demonstrate effective policies, processes & guidance supported by associated records (authorisation, logs, audits, etc.)
- Security of processing: a broad topic which includes everything from physical security & staff training to technical controls
- Data protection impact assessment: you will need to understand your privacy risks &, where there is a high risk to the rights & freedoms of data subjects, you need to inform the relevant supervisory authority
11. Tougher rules around breach notification
- Individuals need to be informed without ‘undue delay’ if there is a high risk to their rights & freedoms
- The supervisory authority needs to be informed within 72 hours where there is a risk to the rights & freedoms of the data subject
In any case you must maintain a log.
12. You may need a data protection officer
You may need one if you carry out:
- Large scale processing of special categories of personal data
- Regular or systematic monitoring
or if you are a public body.
13. So… GDPR
Time is running out. The compliance date is less than a year away.
The implications of getting it wrong are significant.
But there is a lot you can be doing now to prepare.
Editor's Notes
Data Protection Impact Assessments must be done when:
- using new technologies;
- the processing is likely to result in a “high risk to the rights & freedoms of individuals”.
You need a way of identifying the processes/applications/systems/projects/contracts that need a DPIA. Privacy Risk Screening (PRS) is designed to reduce the candidates to a manageable number.
Ensure that the PRS and/or DPIA are documented & signed off.
Change across the business must be picked up & the PRS and/or DPIA repeated if necessary.
If the risks identified cannot be mitigated, advice must be sought from the Supervisory Authority before any processing takes place.
If you have a Data Protection Officer, they must be involved!