GDPR: Are you Ready?
77%
#ReadyForGDPR 2
Feel ready for compliance
Companies aware of GDPR
34%
History of GDPR
Post WWII, concerns about protection of human rights.
1950, EU Convention on Human Rights (ECHR) introduces privacy.
1981, EU Treaty 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data)
– Eight principles for protecting personal data
– Different Member States implemented their own laws to reflect this.
1998, all Member States transpose into law (e.g. UK’s DPA 1998):
– Inconsistent protection of individual rights,
– Uneven organisational playing field.
1998, Human Rights Act (HRA 1998) – Article 8 ‘right to privacy’.
2016, EU GDPR approved, becomes law two years from publication.
90% of the world’s data was created in the past 2 years.
Deadline: May 25th 2018
A few basic definitions
EU Directive is a legal act of the European Union, which requires member states to achieve a
particular result without dictating the means of achieving that result. It can be distinguished from
Regulations which are self-executing and do not require any implementing measures. The Directive
leaves member states with a certain amount of leeway as to the exact rules to be adopted.
Personal data: “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”
Special categories of personal data: specifically include genetic and biometric data when processed to uniquely identify an individual; these used to be known as “sensitive data”.
Processor vs Controller
[Diagram: Data Subject; Data Controller; two Data Processors; two Sub-Processors]
What does GDPR cover?
Personal Rights
• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling.
Boundaries & Scope
• Details the scope of what is covered by GDPR.
• Details the geographical boundaries of GDPR.
Responsibilities
• Outlines the responsibilities of both Controllers & Processors.
What does GDPR mean for your business?
Key areas.
• Responsibility and accountability
• Consent
• Pseudonymization
• Data breaches
• Right to erase – “The right to be forgotten”
• Data portability
• Records of processing activities
Accountability
Article 5: Principles – personal data shall be:
1 Processed lawfully, fairly and in a transparent manner
2 Collected for specified, explicit and legitimate purposes
3 Adequate, relevant and limited to what is necessary
4 Accurate and, where necessary, kept up to date
5 Retained only for as long as necessary
6 Processed in an appropriate manner to maintain security
Consent
• Unbundled: should be separate from other T&Cs, e.g. a purchase can’t be refused if consent isn’t given.
• Active opt-in: pre-ticked boxes are no longer valid.
• Named: 3rd parties listed.
• Freely given: not pressured into it.
• Documented: list of when consent was given.
• Easy to withdraw: as easy to withdraw as it is to give.
Subject Rights
• Right to be forgotten.
• Right to access.
• Right to rectification.
Data breaches
Prepare
• Stop it before it happens
Protect
• Identify personal data
• Encrypt
• Enable only the right people to access
• Patch systems, install AV and anti-malware protection
Detect
• Evaluate existing technologies
• Identify vulnerabilities
• Monitor
• Test
Respond
• Mitigate the impact
• Report it
Data portability
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided...”
– EU GDPR Chapter 3, Article 20 §1.
What if you don’t comply?
• Fines and penalties
  – Four per cent of your global annual turnover or €20m is a large price to pay for direct breaches of the GDPR principles, but even a minor breach is likely to cost you 2% or €10m at the bare minimum.
• Legal action
  – As long as businesses can demonstrate a sound and practicable intent to enforce data security practices, they should not be fearful of new data protection regulations and European Union (EU)/ICO mega fines.
• Keep working towards compliance once the deadline has passed
Checklist.
Preparation check-list
☐ Conduct an audit of what data you hold and where
☐ Privacy information and policies
☐ Processes for data breaches
☐ Review consent process
☐ Data Protection Officer
☐ Employee Data
Brexit
• Life after Brexit – Do we care?
• What is adequacy assessment and does it help?
• Binding contractual agreements
DPB (Data Protection Bill)
• The existing UK data protection laws have become increasingly unwieldy, having been first introduced in 1998 – 10 years before Apple’s first smartphone was released.
• The DPB (Data Protection Bill) is the UK’s answer to the GDPR, evolving the country’s existing data protection laws for the 21st century with the aim of ensuring uninterrupted data flows between the UK and EU after Brexit.
3 Misconceptions of GDPR.
Misconceptions of GDPR: “GDPR only affects those in the EU.”
• European approach
• Privacy and data protection are fundamental human rights
• Not tied to citizenship or nationality
• One overarching law for all member states
Misconceptions of GDPR: “There will be a grace period.”
• There’s also a misconception among businesses that when GDPR is introduced there will be a grace period, but the reality is that organisations need to be preparing now.
• 25 May 2018 is when the General Data Protection Regulation (GDPR) comes into effect; the on-boarding period started two years ago in May 2016, and it has been on the horizon for three years.
• If you read into GDPR, it essentially builds on data privacy and security principles that organisations should already be abiding by – the Data Protection Act has been in force since 1998, after all.
Misconceptions of GDPR: “It will be much harder to communicate with customers and clients.”
• Comply with GDPR to make not only regulators but also customers happy
• Improved understanding of customer data lineage
• Collaboration across stakeholders
• Sharing consent with partners
• Improved customer experience
• GDPR competitive differentiation
Put data protection at the heart of your brand.
This will make your organisation trusted and authentic, inspiring transparent relationships with your customers.
www.engagehub.com

GDPR: Are you Ready?

  • 2. GDPR: Are you ready? 77% #ReadyForGDPR 2 Feel ready for compliance Companies aware of GDPR 34%
  • 3. History of GDPR #ReadyForGDPR 3 Post WWII, concerns about protection of human rights. 1950, EU Convention on Human Rights (ECHR) introduces privacy. 1981, EU Treaty 108 – Eight principles for protecting personal data Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – Different Member States implemented their own laws to reflect this. 1998, all Member States transpose into law (e.g. UK’s DPA1998): – Inconsistent protection of individual rights, – Uneven organisational playing field. 2016, EU GDPR approved, becomes law two years from publication. 1998, Human Rights Act (HRA 1998) – Article 8 ‘right to privacy’. 90% of the worlds data was created in the past 2 years 1950 1981 1998 2016
  • 5. A few basic definitions EU Directive is a legal act of the European Union, which requires member states to achieve a particular result without dictating the means of achieving that result. It can be distinguished from Regulations which are self-executing and do not require any implementing measures. The Directive leaves member states with a certain amount of leeway as to the exact rules to be adopted. Personal data “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier” Special categories of personal data specifically including genetic and biometric data when processed to uniquely identify an individual – used to known as “sensitive data”. #ReadyForGDPR 5
  • 6. Processor vs Controller #ReadyForGDPR 6 Data Subject. Data Processor. Sub-Processor. Sub-Processor. Data Controller. Data Processor.
  • 7. What does GDPR cover? #ReadyForGDPR 7 Personal Rights The right to be informed. The right of access. The right to rectification. The right to erasure. The right to restrict processing. The right to data portability. The right to object. Rights in relation to automated decision making and profiling. Boundaries & Scope Details the scope of what is covered by GDPR. Details the geographical boundaries of GDPR Responsibilities Outlines the responsibilities of both Controllers & Processors.
  • 8. #ReadyForGDPR 8 What does GDPR mean for your business?
  • 9. Key areas. #ReadyForGDPR 9 Responsibility and accountability Consent Pseudonymization Data breaches Right to erase – “The right to be forgotten” Data portability Records of processing activities
  • 10. Accountability #ReadyForGDPR 10 Article 5: Principles – personal data shall be: 1 Processed lawfully, fairly and in a transparent manner 2 Collected for specified, explicit and legitimate purposes 3 Adequate, relevant and limited to what is necessary 4 Accurate and, where necessary, kept up to date 5 Retained only for as long as necessary 6 Processed in an appropriate manner to maintain security Accountability
  • 11. Consent #ReadyForGDPR 11 Unbundled Should be separate from other T&Cs need to include an example e.g. purchase can’t be refused if consent isn’t given. Active opt-in Pre-ticked boxes are no longer valid. Named 3rd Parties listed. Freely given Not pressured into it. Documented List of when consent was given. Easy to withdraw As easy to withdraw as it is to give.
  • 12. Subject Rights #ReadyForGDPR 12 Right to be forgotten. Right to access. Right to rectification.
  • 13. Data breaches #ReadyForGDPR 13 Prepare • Stop it before it happens Protect • Identify personal data • Encrypt • Enable only right people to access • Patch systems, install AV and anti-malware protection Detect • Evaluate existing technologies • Identify vulnerabilities • Monitor • Test Respond • Mitigate the impact • Report it
  • 14. Data portability The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided... #ReadyForGDPR 14 – EU GDPR Chapter 3, Article 20 §1.
  • 15. What if you don’t comply? • Fines and penalties • Four per cent of your global annual turnover or €20m is a large price to pay for direct breaches of the GDPR principles, but even a minor breach is likely to cost you 2% or €10m at the bare minimum • Legal action • As long as businesses can demonstrate a sound and practicable intent to enforce data security practices, they should not be fearful of new data protection regulations and European Union (EU)/ICO mega fines • Keep working towards compliance once the deadline has passed #ReadyForGDPR 15
  • 17. Preparation check-list • Conduct an audit of what data you hold and where • Privacy information and policies • Processes for data breaches • Review consent process • Data Protection Officer • Employee Data #ReadyForGDPR 17
  • 18. Brexit • Life after Brexit – Do we care? • What is adequacy assessment and does it help? • Binding contractual agreements #ReadyForGDPR 18
  • 19. DPB (Data Protection Bill) • The existing UK data protection laws have become increasingly unwieldy, having been first introduced in 1998 – 10 years before Apple’s first smartphone was released. • The DPB (Data Protection Bill) is the UK’s answer to the GDPR, evolving the country’s existing data protection laws for the 21st century with the aim of ensuring uninterrupted data flows between the UK and EU after Brexit. #ReadyForGDPR 19
  • 20. 3 Misconceptions of GDPR. #ReadyForGDPR 20
  • 21. Misconceptions of GDPR #ReadyForGDPR 21 GDPR only affects those in the EU. • European approach • Privacy and data protection are fundamental human rights • Not tied to citizenship or nationality • One overarching law for all member states
  • 22. Misconceptions of GDPR • There’s also a misconception among businesses that when GDPR is introduced there will be a grace period, but the reality is that organisations need to be preparing now. • 25 May 2018 is when the General Data Protection Regulation (GDPR) comes into effect; the on-boarding period started two years ago in May 2016, and it has been on the horizon for three years • If you read into GDPR, it essentially builds on data privacy and security principles that organisations should already be abiding by – the Data Protection Act has been in force since 1998, after all #ReadyForGDPR 22 There will be a grace period.
  • 23. Misconceptions of GDPR • Comply with GDPR to make not only regulators but also customers happy • Improved understanding of customer data lineage • Collaboration across stakeholders • Sharing consent with partners • Improved customer experience • GDPR competitive differentiation #ReadyForGDPR 23 It will be much harder to communicate with customers and clients.
  • 24. This will make your organisation trusted and authentic, inspiring transparent relationships with your customers. Put data protection at the heart of your brand. #ReadyForGDPR 24

Editor's Notes

  1. http://www.information-age.com/5-eu-companies-ready-gdpr-compliance-alert-logic-123469223/ - varying compliance statistics. This comes from our own research Nigel to add Forrester article: Which sectors are most ready – finance being more vigilant Gen to add notes from Blog
  2. 90% of the world’s data was created in the past 2 years: http://www.deleteagency.com/news/the-impact-of-general-data-protection-regulations-gdpr-on-your-customer-marketing Create timeline reflecting and highlighting the key dates: 1950, 1981, 1998 and 2016 Time line effect design
  3. EU Regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. EU Directive is a legal act of the European Union, which requires member states to achieve a particular result without dictating the means of achieving that result. It can be distinguished from regulations which are self-executing and do not require any implementing measures. The Directive leaves member states with a certain amount of leeway as to the exact rules to be adopted
  4. We can produce a diagram which explains this in more detail – processor vs controller : https://lh3.googleusercontent.com/Mg8TMJS7-qXeaMifQcJRN7fVdqnD0-KGsRHJ41Nqt_HW5oiWnhwZi_tMaMyZZyQU4XzJBcqvGduEjbFeHoIU-MntozztlD5p0HTJS00bZLW7-DIJKPGL9VhQ4T32gR-PotITXeLM Changes to Data controller and Data processor responsibilities Controller “determines the purposes and means of the processing of personal data”, while a processor is “any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller)”. One of the major changes is that data processors have specific obligations under the GDPR – if a processor fails to report a data loss to their controller, then the processor can be subject to regulatory action from the commissioner, where that isn’t possible under the current Data Protection Act
  5. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. Include icons per point
  6. Can we add icons for your business – engaging icons
  7. ----- Meeting Notes (29/01/18 12:35) ----- PECR cross reference covering up to. Consent cannot be part of the offering. 6 x icons Example: It’s given by ticking a box, it should be possible to un-tick the box. RECOMMENDED: Bring your entire database up to GDPR standards, it seems required.
  8. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. Include icons per point
  9. Report must include likely consequences of the breach and the actions taken to mitigate impact on the data subjects Visually creative with 4 steps: Prepare, Protect, Detect, Respond
  10. Visually represent the importance of this slide – needs to stand out as a warning
  11. Ask questions?
  12. When the UK leaves the EU, it becomes what is known as a “third country”. According to Clause 31(7) of the DPB, this is “a country or territory other than a Member State”. If there is no deal in place, this could have massive repercussions for data sharing, as Clause 71(1) of the DPB states: “A company may not transfer data to a third country.” For the UK to share data with its European partners, an “adequacy assessment” will be needed. This is not as easy as it sounds, as adequacy assessments normally take more than a year. Likewise, an adequacy assessment endorsement cannot be issued to an existing Member State, as being a member precludes the necessity of having an adequacy assessment in the first place. Should the UK leave the EU without a deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners. Only once an adequacy assessment was in place could this be dispensed with.
  13. The DPB aims to reinforce data protection regulation for new technologies, while allowing people to have more control over their data. This will be no easy task, as – given the definitions used in the DPB – the UK will have more than 60,000,000 data subjects (a person who has data stored about them) and approximately 500,000 data controllers (companies or organisations which store data about data subjects). The UK Data Protection Bill is due to come into force this year, ahead of the EU General Data Protection Regulation in May 2018. The first draft of the Data Protection Bill (DPB) was released on 13 September 2017, following its second reading in the House of Lords. This bill is designed to bring the UK’s data protection laws in line with the European Union’s (EU) General Data Protection Regulation (GDPR). Despite the UK government having triggered Article 50 of the Lisbon Treaty, and being in negotiations regarding leaving the EU, the UK will still be classed as a Member State when the GDPR compliance deadline is reached on 25 May 2018. [may be removed in dry-run]
  14. Graphics to add – quote big and Have 1 as a big number. And title in big centred
  15. Same as point 1.
  16. Opportunities for your business – interactive diagram (3 x slides) By placing respect for privacy at the heart of brand proposition. Transforming the way it projects to customers, making every engagement human-centric. This will ascribe organisation as trusted and authentic, inspiring transparent relationships with their customers. Linked to next slide.
  17. Health theme – a ‘core brand value’ similar to our retail whitepaper infographic messaging - some image here would be good to represent this Have health theme image. Like an ad.