The slide deck provides an overview of key aspects of the General Data Protection Regulation (GDPR) that businesses need to be aware of and comply with. Some of the main points covered include:
1) GDPR requirements for obtaining and documenting valid consent for processing personal data, providing privacy notices, and respecting individual rights to access, rectify and erase their data.
2) The roles and responsibilities of controllers and processors of personal data and requirements for contracts between them.
3) Lawful bases for processing personal data and additional conditions for processing special categories of sensitive personal data.
4) Requirements for data protection by design and default, conducting data protection impact assessments, and managing data breaches.
25th May 2018 marks the enforcement date of EU’s General Data Protection Regulation. This new regulation strives to increase privacy for individuals and penalize businesses in breach. The complexity organizations face in managing consumer data is driving the growth of privacy tech solutions that decisively address a slew of privacy compliance challenges.
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct..., by Harrison Clark Rickerbys
Slideshow from GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors, on 7th March 2018 at Hilton Puckrup Hall
Full GDPR toolkit: https://quality.eqms.co.uk/gdpr-general-data-protection-regulation-eu-toolkit
This free online training presentation provides you with information about how to comply with the General Data Protection Regulation, managing breaches, engaging employees, key requirements and more.
General Data Protection Regulation (GDPR) - Moving from confusion to readiness, by Omo Osagiede
This GDPR primer highlights key aspects of the new EU regulation regarding the protection of EU citizens' data. It also presents a basic approach and key activities for GDPR preparedness. Useful as a discussion starter with senior management.
With GDPR coming into effect, we can see a lot of changes in the privacy policies of companies doing business online. The presentation is a description of GDPR and its implications in India and worldwide. The main aim of the presentation is to identify the key issues of data privacy and the rights available to the consumer whose data is to be shared.
Explores:
1. Introduction to Privacy Regimes in the United States and Abroad
2. Mobile Applications and Devices
3. Lawful Collection and Use of “Big Data”
4. International Privacy and Cross-Border Data Transfers
5. Data Security Requirements and Data Breach Response
6. IT Outsourcing and the Cloud
7. Recent Developments and Emerging Issues
For more information visit https://www.brightpay.co.uk
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Employers process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How to prepare for GDPR
How we are working to help you
MWLUG - 2017
Tim Clark & Stephanie Heit
Tim & Steph explain the basics of GDPR and give some recommendations about what you can do to be ready.
Data sources are in the final slides.
For more information about how BCC can help you get your Domino data ready for GDPR please contact us here.
http://bcchub.com/bcc-domino-protect/
ABM Display Advertising Success in the World of GDPR [PPT], by Kwanzoo Inc
In this webinar, see the specific impacts of GDPR on B2B companies as they plan, budget, launch and measure success from ABM advertising programs that reach and engage the 500 Million+ citizens of EU countries and the UK. Our panel of experts will cover the IT, Legal, Marketing, Data and Technology Provider side of GDPR compliance. All of these dimensions need to be addressed as you plan for the world of GDPR.
Introduction to EU General Data Protection Regulation: Planning, Implementati..., by Financial Poise
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR is a broad EU regulation that requires businesses to protect the personal data of EU citizens, whether the business itself is in the EU or elsewhere. Since its implementation in 2018, companies that collect data on EU citizens must comply with strict rules for the protection of personal data or face heavy fines for non-compliance. This webinar will provide an overview of GDPR’s applicability and requirements, as well as how your organization may meet those standards.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-eu-general-data-protection-regulation-planning-implementation-and-compliance-2021/
General Data Protection Regulations (GDPR): Do you understand it and are you ..., by Cvent
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
Be careful what you wish for! How the GDPR, even now it has been finalised, may not solve the key problems of the tech community: what is personal data and what is anonymised/pseudonymous.
GDPR Guide: The ICO's 12 Recommended Steps To Take Now, by HackerOne
Recommendations from The United Kingdom's Information Commissioner's Office (ICO) to Prepare for May 2018.
The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.
GDPR is coming for you whether you’re ready or not. Companies must show compliance by May 25, 2018. Take a look at the presentation to learn more about the new law that is going to change the way data is handled across the world. Read about how it affects you and the steps you can take to make sure you’re GDPR ready!
About Extentia Information Technology:
Extentia is a global technology and services firm that helps clients transform and realize their digital strategies. With a focus on enterprise mobility, cloud computing, and user experiences, Extentia strives to accomplish and surpass your business goals. Our team is differentiated by an emphasis on excellent design skills that we bring to every project. Extentia’s work environment and culture inspire team members to be innovative and creative, and to provide clients with an exceptional partnership experience.
www.extentia.com
Preparing for GDPR: What Every B2B Marketer Must Know, by Integrate
Considering the consequences of non-compliance (up to €20M/$24M or 4% worldwide annual revenue), this translates to a major problem for B2B marketers.
How can your team ensure its lead gen processes are GDPR-compliant without undermining demand generation performance?
View this deck to see how Julian Archer (Sr. Research Director, SiriusDecisions) and Scott Vaughan (CMO, Integrate) educate B2B marketers on: developing a comprehensive GDPR compliance strategy, putting your compliance strategy into action, and applying software to support your compliance measures.
To watch the on-demand version of the webinar, click here:
https://www.integrate.com/gdpr-compliance-b2b-marketing-webinar
For more information visit https://www.thesaurus.ie or https://www.brightpay.ie
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Payroll bureaus process large amounts of personal data, not least in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this CPD accredited webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How it will impact payroll bureaus
How to prepare for GDPR
How we are working to help you
For more information visit https://www.brightpay.co.uk
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Employers process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How to prepare for GDPR
How we are working to help you
On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force, replacing all existing data protection regulations.
Payroll bureaus process large amounts of personal data in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
BrightPay hosted a free CPD accredited webinar alongside Bright Contracts where we discussed everything that accountants, bookkeepers and payroll bureaus need to know about GDPR.
For more information visit https://www.brightpay.co.uk
EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.
What does the GDPR mean for charity communicators? | Scotland Networking Grou..., by CharityComms
David Freeland, senior policy officer at the Scottish Information Commissioner’s Office
Visit the CharityComms website to view slides from past events, see what events we have coming up and to check out what else we do: www.charitycomms.org.uk
GDPR: the Steps Event Planners Need to Follow, by etouches
GDPR regulation is taking effect May 25th. While many event planners are nervous about what this means for their events, they don't have to be. This presentation gives an overview of the new regulation and what you need to do to stay compliant.
After ensuring compliance as a controller and processor of data, Reddico created this presentation for the team - offering further guidance and information on our processes and how we've complied. For accuracy purposes, some information comes directly from the ICO's guidelines.
The General Data Protection Regulation (GDPR) tidal wave has hit. Are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance to the regulations.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the SEC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
Data Privacy and Data Protection: Rotary’s Compliance with GDPR, by Rotary International
As stewards of personal data for more than 1.2 million Rotarians and friends of Rotary worldwide, Rotary takes data privacy and protection seriously. To ensure compliance with the European Union's new privacy law, the General Data Protection Regulation (GDPR), we will apply these standards globally. Find out more about these efforts and how they affect data privacy and protection for Rotary.
LawBite is a UK-based online legal platform launched in 2013, headquartered in London. LawBite uses legal technology to streamline legal services for small and medium sized businesses (SMEs), providing access to legal document templates as well as a network of lawyers based in the UK and internationally.
The GDPR came into force on 25 May 2018. The changes that the GDPR makes to Data Protection legislation are far reaching and the GDPR introduces a number of new legal concepts.
The interactive webinar will provide you with details on the key changes that you need to be aware of under GDPR including:
1. Background to the GDPR
2. Key changes under GDPR
3. GDPR Data Protection Principles
4. Data Processing
5. Obtaining consent
6. Rights of data subjects
7. International data transfers
8. Data breaches
9. Data processors and data protection officers
10. What your organisation should be doing now
The webinar contains a 45 minute presentation with a Q&A at the end.
GDPR Breakfast Briefing for Business Advisors
2. This slide deck is copyright of Harrison Clark Rickerbys and is not to be shared without prior permission. The information contained in the slide deck does not constitute legal advice. We would advise that you seek legal advice before making a decision based on the contents of these slides.
8. Why GDPR?
The Data Protection Act (1998) is built on the General Data Protection Directive.
GDPR is the General Data Protection Regulation.
One Regulation, not 28 different variants.
9. “The introduction of the Data Protection Bill…will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.”
Elizabeth Denham, Information Commissioner
10. Some definitions
Personal Data: data that can identify a natural person directly or indirectly.
Processing: anything you do with data – even looking at it.
Special Category Data:
• Racial
• Ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade Union membership
• Genetic data
• Biometric data
• Health
• Sex life
• Sexual orientation
11. Responsibilities
Controller
• Know the risks to the data subject
• Manage those risks
• Demonstrate processing in line with the Regulation
• Only use processors who demonstrate adherence to the Regulation
Processor
• Implement appropriate technical and organisational measures
• Not engage another processor without permission
• Ensure there is a contract in place with the controller
• Demonstrate compliance with the Regulation
13. Everything they could before, just in a way that balances the business’ needs with the rights of data subjects.
14. The Principles
1. Processed lawfully, fairly and in a transparent manner. The subject must be told. Processing must match the description. Processing must be for one of the purposes in the regulation.
2. Collected for specified, explicit and legitimate purposes. Must define up front what the data will be used for and limit processing to only that necessary to meet that purpose.
3. Adequate, relevant and limited to what is necessary. Data collected should only be that required in relation to the purposes of the processing.
4. Accurate and where necessary kept up to date. This is intended to protect the data subject from such things as wrong decisions made regarding the data subject. And it’s good business practice.
5. Retained only for as long as necessary. Data is kept for no longer than is required to process it for the purpose originally stipulated.
6. Processed in an appropriate manner to maintain security. This principle links closely with the ISMS covering Confidentiality, Integrity and Availability (CIA).
15. Individuals’ Rights
• Right to information
• Right to access
• Right to rectification
• Right to be forgotten
• Right to restriction of processing
• Right to notification
• Right to portability
• Right to object
• Right to appropriate decision making
16. Lawfulness of Processing
Processing is lawful only if one of the following applies:
1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
17. Consent
• Consent must be unambiguous, clear and affirmative
o Must be able to demonstrate that consent was given
o Silence or inactivity does not constitute consent
o Written consent must be clear, intelligible and easily accessible, or it is not binding
o Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it
• Take appropriate measures to “provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language”
18. Consent – specific categories of data
• Special conditions apply for children (under 16, but the UK could lower to 13) to give consent
o Appropriate parental / guardian consent
o Controller has to make reasonable efforts to verify authorisation
• Explicit consent must be given for processing sensitive personal data
o Now includes “genetic data” and “biometric data” where processed to uniquely identify a person
20. Get Ready for GDPR NOW!
11 weeks, 15 hours and 15 minutes
22. GDPR Overview Assessment
• Key Factors
1. Data protection policy, responsibility and training
2. Registration, privacy notices and subject access
3. Data quality, accuracy and retention
4. Security
5. Privacy impact assessments
• Business areas assessed: Legal & HR; Operations & Finance; Sales & Marketing; IT Systems
Are you GDPR Ready?
23. Developing a GDPR Strategy –
moving towards compliance
• Assessment
o Gaps or areas of non-compliance
o Assess risk and prioritise tasks
• Agree change programme
• Build a cross-functional team – risk, compliance, IT, legal, finance, PR
• DPO – appointment and training
• Implementation
o Update privacy notices and terms and conditions
o Update data processor clauses in contracts extending into 2018
o New policies and training for carrying out DPIAs, data security, breach handling, personal data
handling and new data subject rights
24. GDPR Compliance Roadmap
• Know your data assets
• Map data flows and existing systems and processes that utilise personal data
• Collect existing policies, notices and vendor agreements
• Assess likely GDPR impact and identify gaps
• Conduct risk assessment and prioritise tasks
• Implementation (update documentation and vendor contracts, training and awareness etc.)
• Monitor implementation and compliance with regular compliance checks
26. Know your data
• Why are you collecting it?
• Purposes
• How did you get it?
• Where do you store it?
• What do you do with it?
• Who has access to it?
• How long do you keep it?
• Where do you send it?
27. Documentation and Privacy by Design and Default
• Ensure and demonstrate compliance
• Maintain written records of all processing
• Adopt and implement measures which meet the principles of data protection by design and default
o Minimising processing
o Pseudonymisation
o Enable monitoring by the data subject
• Data Protection Impact Assessments (DPIAs)
• Identify, investigate and manage a data breach
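As an added illustration of two of the “data protection by design and default” measures listed above, minimising processing and pseudonymisation, the Python below is example code written for this page; it is not material from the slide deck or from Harrison Clark Rickerbys. Each processing purpose declares the only fields it may receive, and a purpose that does not need to know who the person is gets a keyed pseudonym instead of a direct identifier. The purposes, field lists, sample record and key are assumptions made for the example.

```python
"""Added example: data minimisation and keyed pseudonymisation as
'privacy by design and default' measures. The purposes, field lists and the
sample record are constructed for illustration, not taken from the slides."""
import hashlib
import hmac
from typing import Dict, Set

# Each processing purpose declares the only fields it may receive and whether
# it needs the person to be identifiable at all. (Assumed policy for the example.)
PURPOSE_POLICY = {
    "order_fulfilment": {"fields": {"first_name", "last_name", "address", "postcode"},
                         "identifiable": True},
    "web_analytics":    {"fields": {"postcode"},
                         "identifiable": False},
}


def minimise(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Principle 3: keep only the fields the stated purpose needs."""
    allowed: Set[str] = PURPOSE_POLICY[purpose]["fields"]
    return {field: value for field, value in record.items() if field in allowed}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with an HMAC-SHA256 pseudonym.

    The key is the 'additional information' that GDPR requires to be kept
    separately: without it the pseudonym cannot be attributed to a person,
    but the same input always maps to the same pseudonym, so records can
    still be joined or counted. Normalising first stops 'John@X' and
    'john@x ' from becoming two different people.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def prepare_for_purpose(record: Dict[str, str], purpose: str, key: bytes) -> Dict[str, str]:
    """Return the view of a subject record that one purpose is allowed to see."""
    out = minimise(record, purpose)
    if not PURPOSE_POLICY[purpose]["identifiable"]:
        # The purpose does not need to know who the person is: hand it a
        # pseudonym derived from the e-mail address instead of any identifier.
        out["subject_pseudonym"] = pseudonymise(record["email"], key)
    return out


if __name__ == "__main__":
    # Constructed sample record (not real personal data).
    subject = {
        "first_name": "John", "last_name": "Smith",
        "email": "John.Smith@acme.example", "address": "1 High Street",
        "postcode": "RG1 1AB", "birthday": "29th December",
    }
    key = b"example-pseudonymisation-key-stored-separately"
    print(prepare_for_purpose(subject, "order_fulfilment", key))
    print(prepare_for_purpose(subject, "web_analytics", key))
```

The key must live outside the analytics dataset (a secrets store, or with the controller rather than the processor); if it is stored alongside the pseudonyms, the data is effectively still identifiable and the measure adds nothing.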
28. Data Protection Impact Assessment
• Assesses the risks to the data subject
• Mandatory
• Required:
o When implementing GDPR
o When implementing changes within your organisation
30. Have you registered with the ICO?
Tier 1 – Micro: <10 staff / £632,000 turnover = £40
Tier 2 – SME: <250 staff / £36 million turnover = £60
Tier 3 = £2,900
Max penalty for unpaid/incorrect fee = £4,350
31. Registration Fee Exemptions
• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Not-for-profit purposes
• Personal, family or household affairs
• Maintaining a public register
• Judicial functions
• Processing personal information without an automated
system such as a computer
35. Data Protection Officer (DPO)
A DPO must be appointed by:
• Public authorities (not courts)
• Private companies (controllers and processors) whose core activities require large scale
o regular and systematic monitoring of data subjects, or
o processing of sensitive personal data or data relating to criminal convictions
• A group may appoint a single DPO
37. Breach Notification
• Controller to notify regulator of breaches
o without undue delay; and
o within 72 hours if feasible
unless the breach is unlikely to result in risk to the rights and freedoms of individuals
• If 72 hours is not feasible, must provide reasoned justification
• Controller to notify data subjects without undue delay if the breach is likely to result in high risk to the rights and freedoms of individuals
• Processor to notify controller of breaches without undue delay
38. Fines – The Reality
• Up to (the higher of) €20m or 4% of global annual turnover for infringement of:
o Core principles
o Consent
o Data subjects’ rights
o International transfers
o Non-compliance with certain regulator orders
• Up to (the higher of) €10m or 2% of global annual turnover for other breaches, e.g.:
o Not having records in place
o Failure to notify the ICO (local Supervisory Authority)
o Not doing a DPIA
• Individuals’ actions
• Class actions
39. Fines – The Reality
• Issuing fines has always been, and will continue to be, a last resort.
• Last year (2016/2017) 17,300 cases - 16 resulted in fines for the organisations concerned.
• Not yet invoked maximum powers.
“We intend to use those powers proportionately and judiciously” - Denham
• Suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.
• Reputational damage.
47. Data versus Information – The GDPR opportunity
Common CRM data inconsistency: how GDPR will impact on capturing and holding data, turning it into information that has business value
| Company Name | First Name | Last Name | Job Title | Phone | Mobile | Email | Address | Birthday | City | County | Postcode | Market | Employees | Turnover | Product | Service | Competitor |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Acme | John | Smith | | 0101 123 4567 | | john.smith@acme.com | | | | Berkshire | RG1 1AB | | | | | | |
| Acme Limited | John | Smith | Maaging Director | | 07777 123456 | | | | Reading | | | | | | | | |
| Acme Plc | John | Smith | Managing Director | 0101 123 4567 | 07777 123456 | john.smith@acme.com | | 29th December | Reading | Berkshire | RG1 1AB | Manufacturing | 250 | £15M | Widgets | Maintenance | Widgets Inc |
And don’t forget employee data
48. TIME
[Chart: GDPR adoption over time, plotting a “Competitive Advantage curve” (Early Adopters, Early Majority, Late Majority, Laggards) against a “Change curve” (Shock, Denial, Frustration, Depression, Experiment, Decision, Change success). Stages labelled along the curve: Awareness of GDPR; Attend public GDPR events; Daunted by the scale of GDPR; Start small with a focused workshop or live project; Implement a company-specific programme.]
49. GDPR – Strategic Change scope
• Ownership – Internal, supply chain, business function
• Priorities – How does GDPR fit with existing priorities
• Communication – Who needs to know
• Risk – How do you assess it
• Time – What is involved
• Cost – Real and implied
• Opportunity – There is always one
50. Do you think that the availability of the right to data
portability, access and erasure will increase the
profits of your organisation?
Overall, data professionals show a high level of
uncertainty when asked to assess the benefits of
GDPR data rights. It is noteworthy that the in-depth
interviews revealed a lack of imagination and
preparedness in terms of the more far-reaching
impacts of GDPR, especially second-order effects such
as the emergence of new data-centric business
models and privacy and data protection as a
competitive advantage. This suggests that the value of
the GDPR rights from consumers’ point of view does
not depend on consumers actively using their rights,
but that more widespread awareness of the scope of
personal data use might make the rights even more
valuable in the eyes of consumers. A stronger
regulatory framework is likely to mitigate the effect of
a localised loss of trust (i.e. a data breach affecting a
specific data controller), by reassuring consumers that
companies in general are incentivised (through rights
that allow user control etc.) to keep data safe, and to
react to a loss event by strengthening security.
Source: LE survey of data protection professionals (2017)
51. Typical questions for discussion
• What consent do I need?
• Do I need to get opt-in permission for existing
customers/prospects?
• What is legitimate interest?
• When do I have to be compliant?
• What data is included?
• How do I secure data in cloud software?
• What is the difference between business and personal data?
• How can I store data?
• What if I have printed data?
• Who owns the data?
• What level of security is needed for data and emails?
• What are my responsibilities for data shared with my supply chain?
• What do I need to do if there is other legislation in place regarding
retention of data?
• How can I do telemarketing?
• What is the impact for payroll and pensions for staff?
• How do I handle subject access requests and the confirmation of
identity?
• What level of education do I need for the company?
52. There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
The lawful bases for processing are set out in Article 6 of the GDPR. At least
one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their
personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the
individual, or because they have asked you to take specific steps before
entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with
the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in
the public interest or for your official functions, and the task or function has
a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate
interests or the legitimate interests of a third party unless there is a good
reason to protect the individual’s personal data which overrides those
legitimate interests. (This cannot apply if you are a public authority
processing data to perform your official tasks.)
It’s all about Consent!!!!
consent-is-not-the-silver-bullet-for-gdpr-compliance
53. Summary
• Most questions are common as is the confusion around what to do
• By thinking about how your business uses data it is possible to work
out a strategy
• GDPR is a strategic change so the right people in the organisation
MUST be involved starting at the top
• Thinking differently about the regulation makes it easier to decide on a
course of action
• There are opportunities to make GDPR a positive change
• Decide on the make up of the project team (Internal/External)
• GET STARTED
56. Your Privacy Policy – First contact – Collecting Personal Data
Transparency in the who, what, how and why?
• Any communications with a data subject must be concise, transparent, intelligible – plain language.
• You must be transparent in providing information about yourself and the purposes of your processing
• Controller must provide data subject with information about their rights
57. What information do you need to include in your Privacy Policy?
You must provide (amongst others) in your Privacy Policy, in clear and understandable form:
• Identity and contact details of controller – who you are
• Purpose of processing
• What lawful basis you are relying on to process data
• Categories of personal data held
• Who the recipients might be (third parties?)
• If it is being transferred outside of the EU and how it is protected
• How long it will be stored for
• What rights the data subject has and how to exercise them – and withdraw
• The right to complain to the regulator
62. Mandatory Requirements – Creating your Privacy Policy
• Providing information to a data subject is a requirement of the GDPR.
• The easiest way to do so is through a Privacy Policy.
• Under the GDPR specific information needs to be included in your privacy policy.
63. What should be in your Privacy Policy?
…what type of information are you collecting and why.
64. You need a “Lawful Basis” for Processing
In order to comply with the GDPR you must have a lawful basis in order to collect and process an individual’s personal data.
You need to choose and record the most appropriate lawful basis for your business:
• Consent – to process data for a specific agreed purpose
• Contract – processing necessary for a contract you have with a data subject (DS)
• Legitimate Interests
• Vital Interests (life or death situation)
• Public Interest
• Legal obligations
In practice, other than consent, you are most likely to rely on the performance of a contract or legitimate interests.
65. 1. CONSENT
Do you need consent?
Direct Marketing ….CONSENT REQUIRED
• New Services / Product Information / Sales information
• Newsletters (with adverts)
• Offers and Promotions
• Services not directly related to those you are already providing
Marketing relating to services you are providing
• marketing specifically relating to products and services that current
customers have bought from you.
67. You need to be very clear if you are processing
sensitive data
68. Other lawful grounds - Contract
CONTRACTUAL
“processing of Personal Data is necessary for the performance of a contract to which the individual is a party or
for the Controller to take pre-contractual steps at the request of the individual.”
PRE-CONTRACTUAL
“…pre-contractual steps at the request of the individual”
e.g. processing data to follow up on an estimate / provide a quote
Any current contracts to supply goods or services or to fulfil obligations under an employment contract.
But the only necessary processing would be to make that contract work. Can’t assume that we can send
marketing e-mails because the person signed the contract.
69. Performance of a Contract: Examples
An individual shopping around for car insurance requests a quotation. The
insurer needs to process certain data in order to prepare the quotation,
such as the make and age of the car.
When a data subject makes an online purchase, a controller processes the
address of the individual in order to deliver the goods.
This is necessary in order to perform the contract.
70. Telling people you will process their data in the
performance of their contract with you…
71. Relying on Legitimate Interests
“controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers”
• So what types of processing could be on the basis of legitimate interest?
• The most prevalent categories of legitimate interest are i) fraud detection and money laundering prevention and ii) website information and system security – general security / IT security.
• Use of employment data – necessary for employee operational administration. Also e.g. call recording and monitoring for call centre employees’ training and development purposes.
• B2B – event marketing and planning
• Others: suppression, updating customer details, product development, website development and personalisation, web analytics, intra-group transfers, or IT security as potential legitimate interests.
72. Explain how you use data and on what lawful basis
you process it…
73. Make it clear where you are relying on legitimate
interest to process their data
74. Be clear where you share data with Third Party Processors
75. Data Processing Contracts – Your safeguard to protect your customer / employee data
• Where processing is to be carried out on behalf of a controller, that processing must be governed by a contract.
• That contract must set out:
o Subject matter of the data processing
o Duration of the processing
o The nature and purpose of the processing
o Type of personal data
o Categories of data subjects
o Only process on your instructions – not pass data to a third party without consent
o That they will take all appropriate technical and organisational measures
o Keep data secure
o Ensure that you can comply with data subjects’ rights – SARs / erasure
76. Who processes your data?
• Any time a service or administrative function is outsourced to a third party, there could be personal data being transferred. This includes outsourcing to:
o payroll providers
o hosting providers
o other third-party service providers
• Where any such processing is then sub-contracted out to a third party, the same data processing obligations must be passed on to the sub-contractor. If the sub-processor fails to fulfil its obligations, the data controller is liable.
• N.B. Sharing data requires a processing agreement.
77. Data transfers outside of the EEA
• The GDPR imposes restrictions on the transfer of personal data outside the European Union:
• Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in the GDPR.
• Generally:
o A GDPR-compliant processing contract in place
o An adequate level of protection (a third country, one or more specific sectors within a third country, or an international organisation which ensures an adequate level of protection / data protection controls)
79. Data Retention – How long can you hold client data?
How long can you hold their data?
• Personal data that you process should not be kept for longer than is necessary for that purpose.
• Unless you obtain consent to retain personal data for a longer period:
- Marketing Activity - Immediately
- Contact data – [x] years.
- Website data [x] years following the date of last contact or dealing.
- Enquiry data will be retained for [x] months following the date of last contact.
- Payment data
- Employment data
- Other
• Question: How long do you need to retain data for? Can you minimise the data you hold?
• Do you need consent to hold that data for longer than might be deemed “legitimate interest” or in the performance of a
contract?
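The retention schedule above leaves each period as [x]. The Python below is an added example written for this page, not code from the slide deck or from Harrison Clark Rickerbys: it applies a per-category schedule to decide which records are due for erasure, treating explicit consent to longer retention as an extension of the deadline and a legal hold under other legislation (the deck’s own question about conflicting retention law) as a reason to skip the record. The categories, periods and sample records are assumptions; the real periods are for each business to decide.

```python
"""Added example: applying a data-retention schedule. The retention periods,
categories and sample records below are assumptions for illustration; the
slide deck leaves the real periods as [x] for each business to decide."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed retention periods (days after last contact) per data category.
RETENTION_DAYS = {
    "marketing": 0,        # marketing activity data: erase immediately once it ends
    "contact": 3 * 365,
    "website": 2 * 365,
    "enquiry": 6 * 30,
}


@dataclass
class Record:
    subject_id: str
    category: str
    last_contact: date
    consent_until: Optional[date] = None  # subject consented to longer retention
    legal_hold: bool = False              # other legislation requires retention


def retention_deadline(rec: Record) -> date:
    """Date after which the record may no longer be kept for its purpose.

    Explicit consent to retain for longer extends the deadline; it never
    shortens the schedule the purpose itself justifies.
    """
    scheduled = rec.last_contact + timedelta(days=RETENTION_DAYS[rec.category])
    if rec.consent_until is not None and rec.consent_until > scheduled:
        return rec.consent_until
    return scheduled


def due_for_erasure(records: List[Record], today: date) -> List[str]:
    """IDs of records whose retention period has expired and that are not on hold."""
    due = []
    for rec in records:
        if rec.legal_hold:
            # Statutory retention (e.g. accounting rules) overrides the schedule;
            # such records need a separate, documented basis rather than erasure.
            continue
        if retention_deadline(rec) <= today:
            due.append(rec.subject_id)
    return due


if __name__ == "__main__":
    # Constructed sample records; the IDs stand in for real subjects.
    sample = [
        Record("s1", "marketing", date(2018, 5, 1)),
        Record("s2", "enquiry", date(2018, 1, 1)),
        Record("s3", "contact", date(2015, 1, 1)),
        Record("s4", "contact", date(2015, 1, 1), consent_until=date(2019, 1, 1)),
        Record("s5", "website", date(2014, 1, 1), legal_hold=True),
    ]
    print(due_for_erasure(sample, date(2018, 5, 25)))  # ['s1', 's3']
```

Run on a schedule, the output is the erasure (or anonymisation) work list; keeping the schedule in one table also gives you the documented retention periods a privacy notice and the records of processing both need to state.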
84. Contract Management
• Review Privacy Policies and Consent (data collection forms)
Can you rely on existing consents? Is consent…
- Easy to understand / Unbundled / opt-in / Granular / Named / easy to withdraw / Recorded
- Is the data subject well informed about: how you plan to use data / how it will be processed / how long it will be
kept for / their Data Subject Rights
• Review and update your existing Privacy Policies
Employee Handbook / Managing GDPR Handbook (SARs / Breaches etc.)
• Review Agreements with Partners
- Requirement for Data Processing Agreements
- Have suitable GDPR processing clauses been included (e.g. right to be forgotten)
- Risk of non-compliance (up and down the supply chain)
• Review your own Terms and Conditions – reduce risk (customer relationship) / Insurance?
86. Some of your questions
1. If businesses aren’t sure whether they have GDPR compliant consent for their e-mail mailing lists how do they go about
getting people to re-consent?
2. There is some confusion around whether business e-mail addresses are personal data. What do the rules say?
3. There’s quite a bit in the GDPR about retention and data minimisation, can you give some basic guidance on how long
businesses can keep customer data for.
4. Will most businesses need a DPO and who should be nominated?
5. Given that data breach reporting is mandatory, what constitutes a data breach and do they all really have to be reported?
6. What is the best way to document procedures for all the different elements that GDPR affects, e.g. is it best to have a GDPR register of some sort or just document each area separately as part of a business area, e.g. employment, quality control, transport etc.?
7. We currently publish our staff directory on our website – we don’t have consent to do this. Under the new GDPR would
this be classed as excessive and should the directory be taken down? Or should we be looking at obtaining consent?
8. I know that GDPR covers data held on systems/emails etc. but what about corresponding paper records please? I can’t find
that much definitive advice around this.
87. This slide deck is copyright of Harrison Clark Rickerbys and is not to be shared
without prior permission. The information contained in the slide deck does not
constitute legal advice.
We would advise that you seek legal advice, before making a decision based on
the contents of these slides.