
The European Union’s 
General Data Protection Regulation



Introduction to GDPR
New data protection laws for 25 May 2018

Europe's data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose.

The solution is the mutually agreed European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of customer


1. David Sayce | GDPR Introduction | Twitter: @dsayce #GDPRintro
   The European Union’s General Data Protection Regulation
   INDBC breakfast group
   David Sayce, Digital Marketing Director, South East London Chamber of Commerce & Digital Marketing Consultant
2. Share on Social! David Sayce: Twitter @dsayce. SELCC: Twitter @SELondonChamber
3. General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data.
4. Europe's data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose. The solution is the mutually agreed European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of customer
5. • The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
   • The GDPR applies to ‘controllers’ and ‘processors’.
   • A controller determines the purposes and means of processing personal data.
   • A processor is responsible for processing personal data on behalf of a controller.
6. The largest penalty will be your reputation!
7. Ready for GDPR?
8. Lots to do, little time left
9. I am NOT a legal expert. My work across digital marketing includes areas around legal and regulatory issues; these include Data Protection, from the 1995 Data Protection Act to GDPR. While I have worked with and advised SMEs and FTSE 100 companies, this presentation is for general information rather than specific advice. The GDPR is an evolving document; your needs and requirements may differ. Views, comments, information and advice are my own and not necessarily those of the South East London Chamber of Commerce.
10. Full ICO guidance coming soon
    • Transparency
    • Consent
    • and more…
    Follow the ICO and keep up to date.
11. What we will (briefly) cover
    • What is GDPR
    • The principles
    • Individuals’ rights
    • Consent
    • Breaches
    • Assessment
12. How old is your oldest data?
13. GDPR Principles
14. Personal data shall be:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date;
    • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
    • Processed in a manner that ensures appropriate security of the personal data.
15. Individuals’ Rights
16. Right to be informed: the right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
17. Right of access: individuals have the right to access their personal data and supplementary information.
18. Right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
19. Right to erasure: the right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances.
20. Right to restrict processing: individuals have a right to ‘block’ or suppress processing of personal data.
21. Right to data portability: the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
22. Right to object: you must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
23. Rights related to automated decision making including: the GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
24. Consent
    • Should be explicit
    • Must retain proof of consent
    • Must have a choice in consent (not tied to T&Cs)
    Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
25. …the other five…
    • 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
    • 6(1)(c) – Processing is necessary for compliance with a legal obligation.
    • 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person.
    • 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    • 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
26. Privacy Notices
    • What information is being collected?
    • Who is collecting it?
    • How is it collected?
    • Why is it being collected?
    • How will it be used?
    • Who will it be shared with?
    • What will be the effect of this on the individuals concerned?
    • Is the intended use likely to cause individuals to object or complain?
27. Privacy Notices: when planning privacy notices, you should be aware that more information may be needed than shown in the example above. Such information depends on what the user reasonably expects to happen to their data, and whether a lack of honesty/fairness might be levelled if pertinent information is not provided (e.g. use of personal data for profiling).
28. Repermissioning: you don't already have permission??! Consent to send direct email marketing should have been requested at the point of collection. If you didn’t have the opportunity (the data came from a third party, or the data wasn’t intended to be used for marketing purposes), then consider appraising your data collection methods rather than repermissioning.
29. Data Breach
    • Notify the ICO within 72 hours
    • Need for internal processes to report
    • Inform individuals of the nature of the breach (if data is sensitive)
    • The ICO can issue a stop order
30. What is a data protection impact assessment? Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
31. When do I need to conduct a DPIA? You must carry out a DPIA when:
    • Using new technologies; and
    • The processing is likely to result in a high risk to the rights and freedoms of individuals.
32. What information should the DPIA contain?
    • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
    • An assessment of the necessity and proportionality of the processing in relation to the purpose.
    • An assessment of the risks to individuals.
    • The measures in place to address risk, including security, and to demonstrate that you comply.
    • A DPIA can address more than one project.
33. In summary, a DPIA is:
    • A systematic description of the envisaged personal data processing operations and the purposes of the processing, including (where applicable) the legitimate interest pursued by the Data Controller.
    • An assessment of the necessity and proportionality of the personal data processing operations in relation to the purposes.
    • An assessment of the risks to the rights and freedoms of Data Subjects.
    • The organisational and technical measures to secure the personal data and mitigate the absolute risk to an acceptable risk.
34. (slide contains no text)
35. Marketing Post GDPR
    • Should improve marketing!
    • Smaller database of higher value
    • Greater trust
    • More realistic reporting / metrics
    Make sure all GDPR related work is documented!
36. (slide contains no text)
37. Things to do
    • Be familiar with GDPR and also PECR laws and regulations: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
    • You should document what personal data you hold, where it came from and who you share it with.
    • Identify processes for handling, storing and deleting data.
    • Check 3rd party suppliers are GDPR compliant.
    • Document what you are doing.
38. Things to do
    • Re-boot your thinking on Data Protection: be transparent and accountable.
    • View GDPR as ‘by design & by default’, NOT a tick box exercise.
    • ‘DPIA Lite’ is a helicopter view of what you’re doing now and how it measures up to the GDPR: undertake an audit of all personal data processing activities carried out now or planned to be carried out in the future.
    • Ensure that you have clear, independently validated policies in place to prove that you meet the new data protection standards.
    • Check supplier contracts for GDPR compliance.
39. Things to do
    • Practise how you will deal with a personal data breach BEFORE it happens.
    • Be a champion for change; foster a culture of monitoring, reviewing, and assessing data processing procedures.
    • Be aware of cross border data transfers!
    • Be prepared to keep accurate and systematic records of what changes and training have been carried out at your organisation.
40. ICO offers support to SMEs. The phone service is aimed at people running small businesses or charities. To access the new service, dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. Callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.
41. THE EU GENERAL DATA PROTECTION REGULATION (GDPR) IS AN OPPORTUNITY, NOT A THREAT.
42. David Sayce, Digital Marketing Consultant
    SEO - Improve your position on Google
    Strategy - Marketing planning & future thinking
    Technical Audits - Improve your website
    Training - Learn more about digital marketing
    www.dsayce.com | hello@dsayce.com | https://uk.linkedin.com/in/dsayce
43. Get your copy of the masthead
