A quick guide to GDPR
for Associates
A quick guide to GDPR
Like everybody else, over the last few months we have been trying to
read, understand, digest and interpret the new GDPR regulations.
This is our take on it, and we hope it will be a helpful guide.
NB - we strongly advise taking legal advice if you are unsure of how
these regulations affect you directly.
Remember these regulations will take time to settle, and test cases are
likely in the coming months.
This guide is intended to provide guidance to associates on GDPR.
It is not a comprehensive solution or legal advice. Each associate
should undertake their own steps to ensure compliance.
Areas in need of focus
1. The Headlines
2. ICO expectations
3. The 6 principles and Accountability
4. Data controllers vs. Data processors - which one
are you?
5. Enhanced Data subjects’ rights
6. Dealing with Subject Access Requests (SARs)
7. Privacy statements
8. Keeping data safe
9. In the event of a breach
The headlines
GDPR goes live on the 25th May 2018
• GDPR is a new Europe-wide law that applies to every business in the UK
and EEA - big or small, sole trader or large corporate - that collects personal
data, even if you only undertake a few cases a year.
• The previous legislation was the Data Protection Act 1998. Twenty years
on, the world is a very different place due to the explosion of technology and
social media. This regulation reflects the changes now needed to keep
data safe.
• The key focus is giving data subjects back their/our privacy and reflecting
the way they/we live our lives now.
• There are enhanced rights for data subjects.
The headlines
• Despite Brexit, and even though Article 50 has been
triggered, it will take two years for our exit from the EU to
be agreed; the UK Government have therefore made it
clear that GDPR will become fully enforceable on 25th May
2018.
• The fines for breaches and non-compliance are bigger - up to
4% of global turnover or up to £20 Million - never mind
the reputational damage!
TIP - Make sure you have registered with the ICO - see the link below for details on how to register and the costs:
https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf
TIP - Think about it as a cultural shift, not just a tick-box exercise.
ICO expectations
• That every business, big or small, is taking it seriously – compliance
is mandatory.
• That you are en route to GDPR compliance and can evidence what
you are doing. You are not expected to have everything in place by
the 25th May 2018.
• That there is evidence of what you have done and intend to do, and
that your journey to GDPR compliance has begun.
The 3 big issues that the ICO is likely to zoom in on are:
1. Handling a SAR
2. Managing and communicating a data breach
3. A cyber attack
The 6 Principles
1. Lawfulness, fairness and transparency - Personal data shall be processed lawfully, fairly
and in a transparent manner in relation to the data subject.
2. Purpose limitation - Personal data shall be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those purposes.
3. Data minimisation - Personal data shall be adequate, relevant and limited to what is
necessary in relation to the purposes for which it is processed.
4. Accuracy - personal data shall be accurate and, where necessary, kept up to date.
5. Storage limitation - Personal data shall be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data
are processed.
6. Integrity and confidentiality - Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures.
And accountability
• The accountability principle in Article 5
(2) means that controllers are responsible for
and should be able to demonstrate their
compliance with the GDPR data processing
principles listed in Article 5 (1).
Controller or processor?
• “data controller” means a person who (either alone or jointly or in common with other
persons) determines the purposes for which and the manner in which any personal data are
to be processed.
• “data processor”, in relation to personal data, means any person (other than an employee of
the data controller) who processes the data on behalf of the data controller.
• “processing”, in relation to information or data means obtaining, recording or holding the
information or data or carrying out any operation or set of operations on the information or
data, including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making
available, or
d) alignment, combination, blocking, erasure or destruction of the information or data
• TIP – Familiarise yourself with the following ICO guidance:
https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf
Page 9, points 25-27, is particularly important.
Enhanced Data subjects’ rights
Data subjects have enhanced rights compared to the Data Protection Act 1998:
1. Right to be informed - can ask what information you are holding on them
2. Right to access - allows them to see what information you have on them
3. Right to rectification - allows them to have incorrect information corrected
4. Right to erasure/right to be forgotten (new**) - as it says, to have their
information removed completely
5. Right to restriction - as it says, data subjects can request restrictions around
what you share
6. Right to data portability (new**) - can request their information be transferred
to another place/company
7. Right to object - to direct marketing, scientific research etc.
TIP - Make sure you know what the new rights are so that you can respond quickly and effectively
to any requests that come through.
TIP - Ensure you know the 6 principles and, in particular, the responsibilities within
‘accountability’.
Dealing with a Subject Access Request (SAR)
Requests can now be made by phone as well as by email or post, but you should take
reasonable steps to verify the identity of the person making the request first.
1. You must respond to their request should they wish their information to be
removed, rectified or deleted – it is their right!
2. You must provide the information within 30 days of the request.
3. You cannot apply any charge to the request – for information see the link below regarding
medical records.
TIP - Write yourself a simple process for how you would deal with this;
documenting it is important.
TIP - Remember it is their right; don’t make it difficult for them to get hold of their
information.
http://www.firstpracticemanagement.co.uk/blog/posts/charging-for-information-requests-to-end-under-gdpr/
Privacy policy
A privacy policy is a statement or a legal document that discloses some or all of the ways a party
gathers, uses, discloses, and manages a customer or client's data. It fulfils a legal requirement to protect
a customer or client's privacy.
Being transparent and providing accessible information to individuals about how you will use their
personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data
Protection Regulation (GDPR). The most common way to provide this information is in a privacy policy.
The document must state clearly:
1. Who you are
2. What you are going to do with their information
3. Who it will be shared with
4. Whether you share information with third parties
5. How they contact you if they have concerns
TIP - Write a simple, plain English document that says what information you receive, what you do with it
and how they can contact you if they need to.
Keeping data safe
It’s your responsibility to take all reasonable
steps to ensure any personal data you have
access to is safe and secure - that applies to
physical documents as well as electronic.
Keeping data safe
Physical
• Wherever you work in your home/office it
should be lockable and so should any cupboards
housing any physical personal data.
• Be careful if you carry paper documents around
with you, in your car or on the train - are they
safe?
• Have a good filing system in place so you can
find documents quickly.
• Do you destroy paper documents securely?
• TIP - Think about conducting a mini risk
assessment and documenting things to show
what you have been thinking about and are
planning to do.
Below is an interesting article on LinkedIn about a
small business and its approach:
GDPR - a small business case study (mine)
https://www.linkedin.com/pulse/gdpr-small-business-case-study-mine-janine-coombes
Online
• Don’t keep sensitive data/photos on
your mobile. Transfer them to your
PC asap.
• Have you got sufficient anti-virus software and
firewalls in place? Free versions are
sometimes deemed unsafe.
• Are you password protecting
documents when you transfer?
In the event of a breach
It is your responsibility to inform the ICO of a breach as quickly as possible.
1. Call the ICO within 72 hours and advise them of what has occurred.
2. Be prepared with as much detail as possible, i.e. what happened and how did the breach
occur?
3. Explain what measures you have taken to address the issue - be open and honest -
the ICO do not take kindly to those who try to hide things or are obstructive.
4. Be prepared to inform the data subject(s) who have been affected and provide
them with the same information as you provide to the ICO - remember their enhanced
rights.
TIP - Write an easy guide on how you will deal with a breach should one occur, and include the contact
telephone number/email for the ICO so you have it easily to hand.
TIP - Be honest and transparent with the ICO; they don’t take kindly to obstruction.
TIP - Don’t panic!
Still got questions?
• Check the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
• https://www.youtube.com/watch?v=tTeTm7hHC0U
• Free webinars are available through
http://www.virtual-administration.com/gdpr-webinar/webinar-dates/
Associates quick guide to gdpr v 1.0