Presentation given by Stephen Bailey, NCC Group at the BCS DMSG/ DAMA UK seminar on GDPR on 12/6/17

1. The GDPR timeline
June 2017

2. The areas we will be covering
2
A reminder
What does the timeline look like
Key areas to focus on now
Getting started …

3. What’s it all about?

4. What is personal data?

5. 2012 2013 2014 2015 2016 2017 2018
GDPR draft proposed
2012
GDPR enforced
from 25 May 2018
GDPR entered
into force May
2016
Four years lobbying &
negotiations
Some areas will need further
guidance provided by regulators
£
£
Non-compliance
Compliance
Rights of individualsNeeds of business
You are here
You should adopt a risk-based approach

6. Your timeline Day 0
6
Map your
data
Find out
where you
are
Educate, educate, educate

7. Remember the people!
7
GDPR is about giving people back
control of their personal data
Rectification
Correcting any errors
relating to your
personal data
Object
To processing
(e.g. marketing)
Erasure
Where data is no longer relevant
to purpose or consent is
withdrawn
Access
To your data processed
by the Controller
Automated decisions
Not to be subjected to decisions
based purely on automated
processing
Restriction
For a period where data is
contested or processing is
unlawful
Informed
Of the reasons for
processing
Portability
To transfer data
(processed automatically)
to another Controller
Provides data
subjects with
eight powerful
rights

8. You must be clear about your processing
8
Consent must
be freely given,
specific,
informed &
unambiguous
You must identify your legal basis
for processing personal data
Consent Contract Vital interest
Legal
Obligation
Public Interest Legitimate
interest

9. Design in privacy from the start
9
Applies to all areas of your
business
Map your data
You must you must know what
data you collect & process
Capture change
When a change is proposed to a process,
system, application, project or contract,
look at the privacy implications
IT
Marketing
HR
Operations
Sales
Legal
Development
Principles
Records
Procurement

10. 10
New mandatory measures apply to both controllers & processors
Data protection by
design & default
You will need to
demonstrate that
appropriate controls
& the rights of data
subjects are
integrated into your
organisation’s
processes
Supplier assurance
You will need to demonstrate
your suppliers provide
sufficient guarantees for
processing personal data on
your behalf (e.g. evidence of
risk assessments & appropriate
privacy clauses in your
contracts)
Maintain records of processing
To demonstrate effective policies,
processes, guidance supported by
associated records (authorisation, logs,
audits, etc.)
Security of processing
A broad topic which
includes everything from
physical security, staff
training to technical
controls
Data protection impact assessment
You will need to understand your privacy risks &
where there is a high risk to the rights & freedoms of
data subjects you need to inform the relevant
supervisory authority

11. Tougher rules around breach notification
11
Individuals
Need to be informed
without ‘undue delay’ if
there is high risk to their
rights & freedoms
Supervisory authority
Needs to be informed within
72 hours where there is a
risk to the rights &
freedoms of the data
subject
In any case you must maintain a log

12. You may need a data protection officer
12
Large scale processing of special
categories of personal data
Regular or
systematic
monitoring
Public body

13. So… GDPR
13
Time is running out. The
compliance date is less than a
year away
The implications of getting
it wrong are significant
But there is a lot you can
be doing now to prepare
£