After ensuring compliance as a controller and processor of data, Reddico created this presentation for the team - offering further guidance and information on our processes and how we've complied. For accuracy purposes, some information comes directly from the ICO's guidelines.
Introduction to GDPR
GDPR provides a set of guidelines for how companies should handle personal data. It gives strict rules
around the processing of information for all EU residents.
The British Government will be mirroring GDPR with its own set of regulations… when we leave the EU. The
regulations concern all EU residents and also impact non-EU businesses processing EU data.
GDPR replaces the Data Protection Act 1998.
Personal data is: Any information relating to an identified or identifiable natural person (‘data subject’).
• An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference
to an identifier such as name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person.
• This means that email addresses (both business and personal) and IP addresses are now considered
Multiple pieces of data can help create a persona, which can be traced back to one person
What is personal data?
There are six lawful basis under which data can be processed:
1. The data subject has given consent to the processing for one or more specific purposes
2. Processing is necessary for the performance of a contract or in order to take steps at the request of the
3. Processing is necessary for compliance with a legal obligation to which the controller is subject
4. Processing is necessary in order to protect the vital interests of the data subject
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
These lawful basis for data processing aim to prevent passing on of third party information
Lawful basis for processing
• Tick boxes can no longer to pre ticketed as the data subject needs to know that they have knowingly
• Consent needs to be unbundled. Not acceptable to include consent to marketing via phone, post, SMS,
email, etc. in a single statement, each must be a separate opt in
• It is no longer acceptable to state “Your details may be shared with selected third parties”. This needs to
be explicit and details exactly which third parties your details will be shared with
• Consent can not longer be hidden in privacy policies or terms and conditions pages, but must be clear at
each stage where data is collected
• Proof of consent must be retained each time it is collected
New regulations on giving of consent should make people more aware of how their data is used
• GDPR relies on consent of the person whose data is being processed
• Companies can only process data in line with what has been contractually agreed, and based on
• This should see an end (or the beginning of the end…) to unsolicited emails and marketing, selling
of personal data, and grey areas in how personal data is processed
• Companies need to state what data they are collecting, why they are collecting it and who they’re
sharing it with
Personal data needs to be processed – but you now have a lot more rights on why and how
The crux of the matter…
There are huge penalties in place for companies that don’t comply with these regulations:
1) Up to €10 million, or 2% annual global turnover – whichever is higher.
2) Up to €20 million, or 4% annual global turnover – whichever is higher.
However, that doesn’t mean every breach will be costly… as long as situations are handled efficiently
and companies show a committed process to compliance.
You should report any data issues to Luke Kyte or email firstname.lastname@example.org
What if a business doesn’t comply?
There are 8 principles under the GDPR legislation:
1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision making including profiling
These 8 principles apply to all EU members. Non-EU businesses must also comply
Right to be informed
You should be informed of how your data is being used. The key is transparency. By getting
this right you’ll increase trust in your brand – so don’t think of it as a limitation.
• Clear reasons for processing data
• Information must be provided at the time you collect data
• Privacy policies must be provided
• Information must be concise, transparent, and easy to understand
• Companies need to regularly review and update policies
Companies have a legal obligation to tell you what data is collected and how it’s processed
The right of access stipulates that you can ask companies for the data they hold on you at any time.
They have to provide this, and depending on the situation, you can exercise one of the other rights if
• Individuals have the right to access their personal data
• This is commonly referred to as subject access
• Individuals can make a subject access request verbally or in writing
• You have one month to respond to a request
• You cannot charge a fee to deal with a request in most circumstances (unless unreasonable or
Right of access
You can request access for the data held on you at any time
You have a right to ask for incorrect data to be corrected in a timely manner.
• The GDPR includes a right for individuals to have inaccurate personal data rectified, or
completed if it is incomplete
• Businesses have one calendar month to respond to a request
• This right is closely linked to the controller’s obligations under the accuracy principle of the
Right to rectification
If you discover any data to be wrong, you have the right to ask for this to be amended
Under GDPR legislation, you can choose for companies to erase your personal data from their
records. This isn’t absolute in every situation because of potential legal reasons for processing.
• The GDPR introduces a right for individuals to have personal data erased
• The right to erasure is also known as ‘the right to be forgotten’
• You have one month to respond to a request
• The right is not absolute and only applies in certain circumstances
• This right is not the only way in which the GDPR places an obligation on you to consider whether to
delete personal data.
Right to erasure
On your request, any company has to delete data they hold, unless held for a legitimate purpose
The restriction of what data is being processed gives you more power and control over your data,
ensuring it’s only processed in line with your wishes.
• Individuals have the right to request the restriction or suppression of their personal data
• When processing is restricted, you are permitted to store the personal data, but not use it
• You have one calendar month to respond to a request
• This right has close links to the right to rectification and the right to object.
Right to restrict processing
You can pause the processing of personal data for whatever reason
Data portability gives you an opportunity to request data in an easy-to-read format, before transferring
it elsewhere – even to rival companies. Businesses have to comply, even if they don’t necessarily want
• The right to data portability allows individuals to obtain and reuse their personal data for their own
purposes across different services
• It allows them to move, copy or transfer personal data easily from one IT environment to another in
a safe and secure way, without affecting its usability
• Doing this enables individuals to take advantage of applications and services that can use this data
to find them a better deal or help them understand their spending habits
• The right only applies to information an individual has provided to a controller
Right to data portability
You have the right to access your data in an easy-to-read format, to take elsewhere
You can object to any of your data being processed for a period of time, or even indefinitely. This is
linked to other rights and again, gives you ultimate control.
• The GDPR gives individuals the right to object to the processing of their personal data in certain
• Individuals have an absolute right to stop their data being used for direct marketing
• In other cases where the right to object applies you may be able to continue processing if you can
show that you have a compelling reason for doing so
• You must tell individuals about their right to object
• You have one calendar month to respond to an objection.
Right to data object
You can object to any part of your data being processed by any company
If you apply for a loan of credit card, for example, an automatic decision could be made based on
your credit history and the records a company has on you. This right gives you the chance to ask
for human intervention.
The GDPR has provisions on:
A. automated individual decision-making (making a decision solely by automated means without
any human involvement)
B. profiling (automated processing of personal data to evaluate certain things about an
individual). Profiling can be part of an automated decision-making process.
• The GDPR applies to all automated individual decision-making
• Companies must identify whether any processing falls under this and, if so, make sure
individuals are given information about the processing, with simple ways for them to request
human intervention or challenge a decision
Rights related to automated decision making
Automated decision making helps consumers get quicker answers without human intervention
Although simple, providing this agenda brings everyone onto the same page – with no
For the team...
• Implemented a right of data access
• Sent out privacy notice update to the team
• Sent out employee consent forms
• Reviewed data breach policies and processes
• Amended employee contracts to include GDPR regulations
• Completed GDPR forms for HR and employee data - giving information on what personal data we
collect, who has access to it, and how it's stored / used
• Extra protection: Two-step verification, anti-virus checks, password updates
• Presented GDPR PowerPoint to all employees to ensure they're aware of GDPR, what they
should / shouldn't be doing, and how to react to a breach of date
We’ve asked for your permission to process data in accordance with regulations
We’ve ensured our third party processes comply with regulations and agree to our terms
Website & third parties...
• Data Protection Policy
• Website tick box
• Remove unsuccessful applicant data every 12 months.
• Ensure unsuccessful applicants are reminded that their data will be stored for this period.
• Sent data agreements to existing processors of data
Business data isn’t personal – but names, email addresses, IP addresses etc. are
• Updated new supplier contracts to include GDPR regulations.
• Sent out supplier agreements to ensure third parties are complying with GDPR
• Updated client contracts to include new data protection clause
• Implemented a client data deletion process
• Implemented a right of data access
We’ve taken a lot of steps to ensure not only compliance, but top level data security
• Registered with the ICO as a Data Controller & Processor
• Reviewed outreach systems and processes to ensure compliance
• Installed a cookie information opt in
• Upgrading to a higher security router
• Will be carrying out data audits on an annual basis to ensure processes and terms are
• Taken out cyber security business Insurance
• Appointed a GDPR Officer to be responsible for compliance.
• Created an email address for data requests to be lodged
If you want access to your personal data, or a client requests it from us, or you want to exercise one of
the other principles under GDPR:
• Speak to our Data Protection Officer or email email@example.com
• Complete the online form: https://reddico.co.uk/data-preferences/
You can exercise any of the GDPR principles at any time
Exercising a principle
Personal data breaches can take many forms and include, but are not limited to:
• Access by an unauthorised third party
• Deliberate or accidental action (or inaction) by a controller or processor
• Sending personal data to an incorrect recipient
• Computing devices containing personal data being lost or stolen
• Alteration of personal data without permission
• Loss of availability of personal data.
A data breach is any loss or unauthorised access of personal data. Remain vigilant
What is a data breach?
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the
relevant supervisory authority.
• Reddico must do this within 72 hours of becoming aware of the breach, where feasible
• If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms,
we must also inform those individuals without undue delay
• Reddico must also keep a record of any personal data breaches, regardless of whether we are
required to notify
If someone in the team becomes aware of a personal data breach they MUST report this immediately
to our Data Protection Officer or email firstname.lastname@example.org
A data breach must be reported within 72 hours
Reporting a data breach
• Know GDPR: Be aware of what GDPR is and what constitutes personal data. Ensure strict care when
handling sensitive data
• It’s real: Non-compliance can be very costly – up to €20m!
• GDPR principles: You, or Reddico’s clients, have the right to exercise any of the 8 principles
• Client requests: Direct clients to our DPO, email@example.com or the online form
• Data breaches: Report any data breach immediately to the DPO. Time is of the essence
• Data sensitivity: Don’t pass data to third parties without having contracts in place. Don’t send mass
Reddico is compliant – but everyone needs to respect data processing and its importance
For accuracy purposes, some of the information used in this presentation has been taken from the
International Commissioner’s Office’s (ICO) guidelines on GDPR regulations: https://ico.org.uk/
For expert advice on data protection and how to ensure your business complies with the law changes,
contact the ICO directly.
The ICO will also be able to provide tailored help and advice to your business.
Contact the ICO for help and advice on meeting GDPR regulations for your business