Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on 25 May 2018. Delegates heard from a variety of GDPR expert speakers from legal, marketing, IT and data protection perspectives.
This presentation explains what GDPR is and the impact it will have on companies that process the data of EU citizens.
This guide explains the principles of GDPR, consent and user rights, and also explains how to implement GDPR in your organisation.
Originally appeared at
http://backlinkme.net/definitive-guide-for-general-data-protection-regulation-gdpr-compliance/
Full GDPR toolkit: https://quality.eqms.co.uk/gdpr-general-data-protection-regulation-eu-toolkit
This free online training presentation provides information about how to comply with the General Data Protection Regulation, managing breaches, engaging employees, key requirements and more.
MWLUG - 2017
Tim Clark & Stephanie Heit
Tim & Steph explain the basics of GDPR and give some recommendations about what you can do to be ready.
Data sources are in the final slides.
For more information about how BCC can help you get your Domino data ready for GDPR please contact us here.
http://bcchub.com/bcc-domino-protect/
How GDPR works: companies will be expected to be fully compliant from 25 May 2018. The regulation is intended to establish one single set of data protection rules across Europe.
This webinar covers:
- An overview of the regulatory landscape and territorial scope
- Principles of the EU GDPR
- Breach notification rules
- Data subject rights
- Changes to consent
- Processor liabilities
- Role of the Data Protection Officer
A recording of this webinar is available here: https://www.youtube.com/watch?v=bEvXj2nhPd0
Understanding the EU's new General Data Protection Regulation (GDPR) (Acquia)
In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require member states to implement national legislation; it becomes directly applicable law on 25 May 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organizations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of annual global turnover, whichever is higher. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.
Join us for discussion about GDPR to learn more about:
The principles that organizations that use personal data need to adhere to
The consequences organizations can face if they do not adhere to this new regulation
How your organization can prepare for the future
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta... (Qualsys Ltd)
Preparing for the new General Data Protection Regulation? Here is a presentation to help you to engage your employees with their new information security requirements. In this ppt presentation, you will find out: why GDPR, steps to manage compliance, important information security facts and some of the key articles.
General Data Protection Regulations (GDPR): Do you understand it and are you ... (Cvent)
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
A DPIA (Data Protection Impact Assessment) is a well-ordered list of data processing methods and purposes.
A DPIA is also a proactive measure to safeguard and protect data using certified security mechanisms.
A DPIA will help organisations to identify and fix problems at an early stage, reducing the related costs and the damage to reputation.
GDPR: the Steps Event Planners Need to Follow (etouches)
The GDPR regulation takes effect on May 25th. While many event planners are nervous about what this means for their events, they don't have to be. This presentation gives an overview of the new regulation and what you need to do to stay compliant.
GDPR + Sales & Marketing: A practical guide by Dan Smith, Doogheno (Daniel Smith)
This is a practical guide for UK B2B sales and marketing professionals in relation to GDPR. This guide covers prospecting for new business including cold calling and cold email.
EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.
From 25 May 2018 all (Magento web shops) in Europe must comply with the new General Data Protection Regulation (Algemene Verordening Gegevensbescherming, AVG, or GDPR). What does this mean for Magento web shops? An analysis by Reach Digital.
Dutch article at https://reachdigital.nl/blog/checklist-algemene-verordering-gegevensbescherming-AVG-GDPR-Magento-webshops
This presentation covers what you as a business owner need to do in order to be ready and compliant for GDPR. It shows you all of the different lawful bases that you can use for processing personal data, so that you do not have to rely on consent.
GDPR Guide: The ICO's 12 Recommended Steps To Take Now (HackerOne)
Recommendations from The United Kingdom's Information Commissioner's Office (ICO) to Prepare for May 2018.
The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual global turnover, whichever is higher.
This may feel like a long way off but the obligations on businesses are onerous and the time to prepare is now. The hefty fines that GDPR promises will apply from day one, so businesses are being given plenty of warning to put procedures in place to ensure they are compliant with the regulation. Read this essential guide to getting GDPR ready.
This webinar from Deeson with digital law specialist Heather Burns offers actionable guidance for business leaders to kick-start the GDPR compliance process.
2. Welcome to this Digital Compliance Hub training module. Available as part of your Hub subscription.
We’re going to be covering data protection basics and what you need to consider when working in your organisation.
3. You’ve probably heard of the General Data Protection Regulation or GDPR – it was a new EU data protection regulation which became law in the UK on 25th May 2018.
6. So why this training?
1. As we mentioned, the law has recently changed
2. Your organisation needs to be compliant
3. It’s important that everyone in your organisation understands what it means to them
4. Everyone has a role to play in data protection compliance
5. There are penalties if we get it wrong
11. What will we be covering?
Introduction to data protection
What compliance means, day to day
What if we get it wrong?
Next steps for you
13. Data protection law has lots of definitions but we’re just going to cover the essentials: Personal Data, Processing, Data Subject, Data Controller and Data Processor.
15. Personal Data
Personal data is any data that can be used to identify an individual either directly or indirectly.
“Directly” means that it is data that is obviously personal, so it may contain a name, an email address, postal address, etc.
“Indirectly” means that on its own the data doesn’t look personal, but when used with other information an individual can be identified from it, e.g. location data on its own may not identify an individual but when you couple it with a customer database containing a postal address, both sets of data become personal.
NOTE: there are “special categories” of data too. This data is things like medical information, trade union membership, biometric data used for ID, etc. The rules for processing this data are even stricter than for “normal” personal data.
18. Processing
Processing of personal data is everything you do with that data. It has a wide definition and includes more than why you collected the data in the first place. It includes:
• Processing the data for the purpose for which you collected it in the first place
• Storing data (including in the cloud)
• Editing or manipulating the data
• Sharing the data
• Deleting the data
NOTE: This also means that “processing” includes adding, storing and using the data in online software systems such as CRMs, cloud storage, MailChimp, Google Drive, Dropbox, etc.
21. Data Subjects, Controllers & Processors
The Data Subject is the individual whose personal data is being processed.
The Data Controller is the organisation who collects the personal data from the Data Subject and determines how it’s going to be processed.
A Data Processor is an organisation who processes the data on behalf of the Data Controller. Remember, that wider definition of processing will mean that you may be using Data Processors in all different ways across your organisation.
25. Processing example: email marketing
A subscriber gives you their email address because they want to receive your email newsletter. The subscriber is the Data Subject, the email address is Personal Data, and you are the Data Controller.
You store their email address in email marketing software, MailChimp… Storing it is Processing, and MailChimp is a Data Processor acting on your behalf.
…but ask a digital marketing company to actually send your email newsletter to your subscribers. The agency is a second Data Processor, and sending the newsletter is also Processing.
31. Data Protection Principles
There are a number of “rules”, called Principles, which set out what you can and can’t do with personal data.
All processing must be:
Lawful – This means that if there is a law or regulation that prevents you from processing the data in the way you want to, then you can’t process it. Plus there must be a lawful basis for processing (which we’ll come onto in a bit).
Fair – This means that a Data Subject shouldn’t be surprised to find out you have their data, or how you are processing it.
Transparent – You have to be open and clear about how you’re processing someone’s data.
Specific Purpose – This means that you can only process the data for the original purpose for which you collected it. If you want to do something else with the data then you will need to make sure it is lawful for you to do so and another lawful basis for processing exists.
Relevant – This means you must only collect and process the personal data that is relevant for the purposes for which you want to process it. So, if you don’t need to collect a postal address or date of birth, then you should not ask for that personal data.
Accurate – You have a duty to make sure you update your records if a Data Subject tells you their data has changed, and when it is appropriate for you to do so, you should check that the data you hold is still accurate and up to date.
Not forever – You must not keep data forever. If you no longer need it and there is no lawful basis for you to continue to process it then you must delete it.
Secure – All processing (remembering the wide definition of processing) must be done securely, so security of the data and how you process it is very important (more on that in a bit).
Accountable – This means that it’s not good enough that you ARE compliant – you have to be able to prove it! Accountability crops up throughout the GDPR, from recording your processing activities to proving you have sought consent (when you need it).
PLUS:
Subject’s Rights – There are a number of individuals’ rights that apply to Data Subjects (e.g. subject access right, right to be informed, etc.). You must make sure that you have processes in place to honour those rights.
International – And finally… there are strict rules about processing personal data outside the EU. You may only do so if there are adequate data protection controls in place. Adequacy means:
• The country has equivalent laws and is approved by the EU
• There is an EU agreement in place (e.g. the US Privacy Shield, which the Court of Justice of the EU invalidated in July 2020, so it can no longer be relied on), or
• There is a contract (“standard contractual clauses”, also known as “model clauses”) in place (provided by the EU)
43. Lawful Basis for Processing
For processing to be lawful there are a number of
44. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
45. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
46. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
47. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
• The law has specific requirements about what consent looks like
48. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
• The law has specific requirements about what consent looks like
• It is often thought that you need consent for all processing – this is NOT true
49. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
• The law has specific requirements about what consent looks like
• It is often thought that you need consent for all processing – this is NOT true
• Think of consent as a binary option; a YES or a NO
50. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
• The law has specific requirements about what consent looks like
• It is often thought that you need consent for all processing – this is NOT true
• Think of consent as a binary option; a YES or a NO
• If you need to process the data even when the answer is NO, then consent is not
going to be the right lawful basis for processing.
51. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
• The law has specific requirements about what consent looks like
• It is often thought that you need consent for all processing – this is NOT true
• Think of consent as a binary option; a YES or a NO
• If you need to process the data even when the answer is NO, then consent is not
going to be the right lawful basis for processing.
• There is also a problem with consent: it can’t be withdrawn, at anytime, by the Data
Subject and you cannot do anything about it
52. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
2. CONTRACT
53. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
2. CONTRACT
• If you are processing data as part of performing a contract or as agreed with a
customer/user, then this is the most applicable lawful basis for processing
54. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
2. CONTRACT
• If you are processing data as part of performing a contract or as agreed with a
customer/user, then this is the most applicable lawful basis for processing
• You don’t need to ask for consent to process as well
55. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
3. LEGAL OBLIGATION
56. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
3. LEGAL OBLIGATION
• If a law or regulation requires you to process data in a particular way then this is your
lawful basis for processing
57. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
3. LEGAL OBLIGATION
• If a law or regulation requires you to process data in a particular way then this is your
lawful basis for processing
• Examples include tax law, care law for those operating in the care sector, disclosing
data to law enforcement or government agents, etc.
61. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
4. DATA SUBJECT’S INTEREST
• This applies in a life or death situation
• It is lawful for you to process personal data if it is in the vital interests of the
Data Subject
• An example would be if a colleague collapsed: it would be lawful to disclose
information that might help the paramedics care for your colleague, and you wouldn’t
need to think about data protection, consent, etc.
63. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
5. PUBLIC INTEREST
• Public bodies (e.g. government, councils, schools, universities, etc.) may rely on this
for carrying out certain public interest tasks
66. Lawful Basis for Processing
For processing to be lawful there are a number of
LAWFUL BASIS FOR PROCESSING
6. LEGITIMATE INTEREST
• Often thought of as the default lawful basis (if not relying on consent) because it
sounds as though you just need to be able to show it’s in your interest to process the
data
• But this is not the case. Legitimate interest can be tricky because you have to
demonstrate all three of:
1. The purpose of the processing: why you are doing it, and that the purpose is lawful
2. That the processing is necessary for that purpose (you could not reasonably achieve it
in a less intrusive way)
3. That your interest is not overridden by the rights and interests of the Data Subjects
(the balancing test)
68. Not everything discussed in this next section will
necessarily apply to you and your role.
But it’s important (a) that you know when it does and (b)
that you know what else your colleagues, or perhaps the
Data Protection Officer or lead within your business, need
to know about when you do process personal data
Compliance in Practice
72. When we collect data, we will:
Only collect the data we actually need and not collect
or ask for anything extra “just in case”
Make sure it is clear to the individual why we
need this data, and if it’s not…
Make sure we have a suitable Privacy Notice or
similar statement that explains everything
Compliance in Practice:
Collecting Data
78. Once we’ve collected the data, we will:
Only use it for the purpose for which we originally collected it
Only keep it for as long as we need it or for as long as it is lawful for us to do
so (as per the lawful basis for processing), delete it if we no longer need it
and not keep it “just in case”
Be mindful, if we keep copies for local processing, to delete them once
we’re finished (so we don’t leave copies of data lying around on our
computers or servers)
Compliance in Practice:
Using & Storing Data
84. When we process data, we will:
Do so securely
Make sure we protect the data from
unauthorised access or viewing
Only share data or take it out of the office in a
way that protects it and is secure
Avoid copying the data to our own personal
devices or online services
Tell the data protection lead if we see something
that might be a breach
Compliance in Practice:
Security
87. Data subjects have a number of rights which they can
exercise at any time, relating to the way we process their
data.
We’re not going to go through all of them, but will cover
the important ones
Compliance in Practice:
Individuals’ Rights
90. Compliance in Practice:
Individuals’ Rights
Subject Access
An individual has the right to ask:
• What data is being processed, why & for how long
• Who has access to the data
• For a copy of the data and other information
We have to:
• Verify their identity
• Deal with the request within 1 month
• Provide it for FREE
93. Compliance in Practice:
Individuals’ Rights
Right to Erasure (or Right to be Forgotten)
An individual has the right to request that their data is deleted,
but only if we don’t need it (it’s not an absolute right!)
We have to:
• Verify their identity
• Deal with the request within 1 month
• Delete for FREE
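The retention rule above (“delete it if we no longer need it and don’t keep it ‘just in case’”) and the erasure rule (“only if we don’t need it”) both come down to the same check: for each record, what is the purpose, what is the lawful basis, and has the retention period for that purpose run out? The following added example, which is not from the original deck, shows both a scheduled retention sweep and an erasure-request handler over a small in-memory record store. The retention periods, the purpose names and the sample records are all constructed for illustration; a real organisation would take the periods from its own retention schedule.

```python
"""Retention sweep and erasure-request handling for purpose-bound personal data.

Added example; the purposes, retention periods and sample records below are
hypothetical and are not taken from the GDPR training deck.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per purpose, in days (assumed policy values, not legal advice).
RETENTION_DAYS = {
    "order_fulfilment": 365,    # contract: keep for a year after the order
    "tax_records": 6 * 365,     # legal obligation: statutory retention (assumed 6 years)
    "marketing": 730,           # consent: assumed policy value
}

# Records held under these lawful bases cannot be erased on request while
# their retention period is still running (the right to erasure is not absolute).
ERASURE_BLOCKING_BASES = {"legal_obligation"}


@dataclass
class Record:
    subject_id: str
    purpose: str
    lawful_basis: str
    collected_on: date
    data: dict = field(default_factory=dict)

    def __post_init__(self):
        # Data minimisation: refuse to store anything without a defined purpose
        # and retention period, rather than keeping it "just in case".
        if self.purpose not in RETENTION_DAYS:
            raise ValueError(f"no retention period defined for purpose {self.purpose!r}")

    def expires_on(self) -> date:
        return self.collected_on + timedelta(days=RETENTION_DAYS[self.purpose])


def expired_records(records, today):
    """Records whose retention period has run out; these must be deleted."""
    return [r for r in records if r.expires_on() <= today]


def retention_sweep(records, today):
    """Scheduled job: return (kept, deleted) after purging expired records."""
    deleted = expired_records(records, today)
    kept = [r for r in records if r not in deleted]
    return kept, deleted


def handle_erasure_request(records, subject_id, today):
    """Erase the subject's records, except those we are still legally obliged to keep.

    Returns (remaining, deleted, refused); refused maps each retained purpose to the
    reason, which is what the subject must be told within the one-month deadline.
    Identity verification is assumed to have happened before this is called.
    """
    remaining, deleted, refused = [], [], {}
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)
        elif r.lawful_basis in ERASURE_BLOCKING_BASES and r.expires_on() > today:
            remaining.append(r)
            refused[r.purpose] = (
                f"retained under {r.lawful_basis} until {r.expires_on().isoformat()}"
            )
        else:
            deleted.append(r)
    return remaining, deleted, refused


# Constructed sample data for a demonstration run.
SAMPLE_RECORDS = [
    Record("u1", "order_fulfilment", "contract", date(2017, 1, 10), {"address": "1 High St"}),
    Record("u1", "tax_records", "legal_obligation", date(2017, 1, 10), {"invoice": "INV-1"}),
    Record("u1", "marketing", "consent", date(2018, 3, 1), {"email": "u1@example.com"}),
    Record("u2", "order_fulfilment", "contract", date(2018, 4, 2), {"address": "2 Low Rd"}),
]
TODAY = date(2018, 5, 25)


if __name__ == "__main__":
    kept, purged = retention_sweep(SAMPLE_RECORDS, TODAY)
    print(f"retention sweep: kept {len(kept)}, deleted {len(purged)}")
    remaining, erased, refused = handle_erasure_request(SAMPLE_RECORDS, "u1", TODAY)
    print(f"erasure request for u1: deleted {len(erased)}, refused {refused}")
```

The sweep and the erasure handler share one source of truth, the retention table keyed by purpose, so a record that is past its retention period is deleted whether or not anyone asks, and a record the organisation is legally obliged to keep is refused with a dated reason rather than silently ignored.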
96. Compliance in Practice:
Individuals’ Rights
Right to Portability
An individual can request a machine-readable export of the data they provided
We have to:
• Verify their identity
• Deal with the request within 1 month
• Provide it for FREE
99. Compliance in Practice:
Individuals’ Rights
Withdraw Consent
An individual has an absolute right to:
• Change their mind about consent
• Ask us to stop processing
We have to:
• Verify their identity
• STOP! Stop the processing that relied on their consent
107. Compliance in Practice:
Accountability
Data Controllers (us) & Data Processors (organisations who process our data)
When we use third-parties to process our data we must:
• Only use processors who are compliant
• Carry out due diligence on all third-party processors
• Put in place legal contracts with our third-parties
So be mindful that a processor could be a cloud service or software, as well as a company or individual
Make sure your Data Protection Lead knows about any third-parties you are using
112. Compliance in Practice:
Accountability
Data Protection Impact
Assessments (DPIA)
mean we have to
Consider data protection in everything we do
Carry out a DPIA every time we plan on doing something different with our
data
It’s essentially a risk assessment: what is the risk to individuals from the processing?
114. Compliance in Practice:
Accountability
Data Breaches
A personal data breach means a breach of security which leads to
the “accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data”.
115. Compliance in Practice:
Accountability
Data Breaches
This means that a data breach is more than your typical cyber-
security hacking incident. It can also include someone looking at
your data “over your shoulder”, accidentally deleting someone’s
data, loss of a device containing personal data, sending the wrong
person someone else’s data, etc.
117. Compliance in Practice:
Accountability
Data Breaches
The law says that if there is a risk to the Data Subjects we have to
tell the Information Commissioner (ICO), and if there is HIGH risk to
the Data Subjects we have to tell the Data Subjects too (so they
can protect themselves, e.g. from ID fraud).
We have 72 hours from becoming aware of the breach to report it to the ICO!!!
122. Compliance in Practice:
Accountability
Data Breaches
So what does this mean in practice?
Make sure you know how to identify a breach
Make sure you know what to do if a breach
occurs
Make sure you tell whoever is responsible for
data protection within your organisation
DON’T ignore anything you suspect is a breach
134. There are plenty of
examples of action
taken…
• Uber for failure to secure data (£385,000 fine)
• Heathrow Airport for loss of a USB stick (£120,000 fine)
• A GP surgery secretary for unlawful (unnecessary) access
• Bayswater Medical Centre for leaving medical records in an
empty building (£35,000 fine)
• Gain Credit LLC for failure to deal with a subject access
request (enforcement notice – criminal penalty if ignored)
136. …but there’s one
case that stands out
& highlights wider
concerns
Morrisons Supermarket
138. Morrisons Supermarket
• An employee stole payroll data and leaked it online – he is now serving a prison
sentence
• Morrisons were cleared of any wrongdoing – it was the employee’s fault that
there was a breach, nothing to do with Morrisons’ compliance
• But the affected employees have been able to demonstrate that they suffered harm and
are suing Morrisons for damages
• It has been through various court proceedings and the courts have so far
concluded that Morrisons have “vicarious liability”, meaning that whilst it wasn’t
their fault they have a duty of care to their employees who have suffered thanks
to the breach! (The UK Supreme Court later overturned this in April 2020 and held
that Morrisons were not vicariously liable for the employee’s leak.)
144. • Familiarise yourself with company data protection
policies ✓
• Know what to do if someone asks for their data or
wishes to complain about how their data is being
used ✓
• Make sure you ask your data protection lead if you
are unsure about a data protection issue or
whether it’s lawful to use data ✓
• Make sure you pay attention to any internal
communications updating you on developments or
changes ✓
If in doubt: ask the person
responsible for data protection