Wired Sussex Breakfast Session presentation by Scott Appleton (Commercial and IP Lawyer at Moore Law).

1. GDPR – Big Bang
or Data Evolution?

3. OVERVIEW
 Moore Law
• What’s the fuss?
• Big Bang Theory?
• Reality = Evolution?
• Accountability
• Compliance / Privacy by Design
• Demonstrating Consent
• ‘Appropriate’ Measures
• Opportunities (& Competitive Edge)
 Contacts

4. What’s the Fuss?
 “GDPR affects anyone holding data on EU citizens.
A survey of 1350 companies around the world by
cybersecurity firm NTT found that a lot of them
have no clue about this yet, even Europeans
seemed unaware. The Brits were the worst. 39% of
UK companies realised that they were subject to
the regulation.” TheRegister.co.uk
 ‘Personal Data' – Employees, clients, users / suppliers
 Presumption of application to businesses
 Enhanced enforcement / fines for data protection
breaches
 Deadline for implementation = 25 May 2018

5. Big Bang Theory?
 1995 EU Data Protection Directive –>DPA 98
 Applies broadly to the collection and processing of data able
to identify living individuals (filing system) = ‘Person Data”
 DPA 98 introduced 6 x Data Principles:
 Lawfulness, fairness and transparency
 Purpose limitation
 Data Minimisation
 Accuracy
 Storage Limitation
 Integrity & Confidentiality
 Definitions: ‘Data Controller’ / ‘Data Processor’ / ‘Sensitive
Personal Data’/ ‘Consent’
 Roles: Data Protection Officer (DPO)

6. Reality = Evolution
 GDPR = accepts the world has moved and extends the existing Principles:
• All EU-based businesses
• Any business targeting EU citizens (USA, Australia, etc)
• All EU citizens
 Regulation vs Directive
• GDPR = Direct Effect
• No domestic Member State law required
• Intended to promote greater harmonisation and consistency across EU in
terms of application and interpretation
 Reverses DPA 98 position
• Register with Information Commissioner’s Office (ICO) –> inference of
application
• DPA 98 -> Data Protection Bill (Post-Brexit)

7. Accountability
 Accountability
• Move away from mere lip service. Businesses have to demonstrate
(ongoing) compliance, often in written form:
• Internal policies and processes that are GDPR-compliant
• Implementation of the policies and processes
• Effective internal compliance measures.
• External controls & contracting (model clauses)
 Demonstrable protections for specific types of data / subjects:
• Sensitive Personal Data (genetic, biometric)
• Children (16+ / 13+)
 Introduces new concepts
• Data Protection Risk Assessment
• Pseudonymisation (vs anonymisation) to better protect data

8. Compliance/
Privacy by Design
 Day-to-day compliance –> Obligation to justify data position to Regulator (ICO)
• What is the purpose the data will be used for
• Retained solely to fulfil the stated purpose
• Where it will be stored (UK / EU / EEA)
• Not keep for longer than necessary (2 years?)
• Uphold data subjects rights (right of access / right to be forgotten / data
portability)
• Data Controllers and Data Processers are treated equally (previous focus on DCs)
• Data Controllers required to perform due diligence on Data Processers (supply chain)
• DPO requirement (or justify why not have one)
 Breaches – Obligation to Report
 Regulator will look at what has happened, why, and whether ‘appropriate’ measures
put in place to safeguard data.
 ICO extended powers £500,000 -> €20,000,000 / 4% Global Turnover (+ PR DAMAGE)

9.  Specific (6) justifications for collecting data: performance of
contract / compliance with legal obligation / vital interests / public
interest / legitimate interests of DC / consent
• Implied consent no longer valid – ICO / pre-checked boxes /
‘continue to use our site accept our Ts&Cs’
 Have to be able to prove actual consent: ‘freely given, specific,
informed & unambiguous’
 Children: must be able to demonstrate steps to show capability
• GDPR @ 16+
• Member State discretion @ 13+ (UK)
 Death of Data
• Reassess sign-up / consent processes -> compliant
• Death of data – can’t rely on past consent for post May 2018
Demonstrating Consent

10.  Must be able to demonstrate ‘appropriate technical and
organisational measures’ for data compliance / protection
• Demonstrate how and why collect personal data
• ‘Consent’ / Privacy Policy / Terms & Conditions / Terms of Use
 Internal processes
• Data risk Impact Assessment / Data Use Policy / Data Retention
Policy / Employment Contracts
 Awareness of GDPR principles - Staff training / DPO (qualified)
 Contractual Relationships - GDPR model clauses incorporated
 Breach Obligations
• Requirement to log breaches
• Report to the Regulator (and potentially data subjects) within 72
hours of a notifiable breach
‘Appropriate’ Measures

11.  GDPR is a reality
 Brexit – GDPR continue to apply if businesses target EU will apply
• -> Data Protection Bill
• -> UK require an ‘equivalent’ regime
 Businesses need to assess own situation / audit
• how & why collect data (consent, etc) / how protect data / enforcement
policies (internal & external) / supplier terms.
 Case Studies
• Clients wanting to get their house in order – Compliance = Biz Dev
• Breach = costly (£££) + PR / Reputational risk
 Bigger businesses doing GDPR due diligence:
• expect their supply chains to have ‘adequate’ measures in place
• want to see policies (privacy / data protection / data retention)
• expect awareness of GDPR implications
• practical importance of new concepts – i.e. pseudonymisation
Opportunities
(& Competitive Edge)

12.  Scott Appleton
 scottappleton@moore-law.co.uk
 T 01237 704789
 M 07557 447054
 @TalkingLawyer