2. www.data2action.co.uk
What we will cover
• Introduction to GDPR
• Key terms and roles
• Rights and Principles
• Risks and Liabilities
• Planning for Compliance
5.
• Harmonised privacy law & practices
• Lawful benchmark for Organisations
• Covers all EU residents
• Anyone offering goods / services
• Not ‘B2B’/’B2C’ specific
• Replaces the Data Protection Act
• Focus on improved control and security
• Increased trust & confidence in business
6.
PII - Personally Identifiable Information
Information relating to an identifiable natural person (aka Data Subject):
Name, ID number
Location data, Online ID
Combination of the following factors:
• Physical, Physiological
• Genetic, Mental
• Economic, Cultural
• Social identity of that person
7.
Processing of Information
Obtaining, recording, holding or carrying out any operation on the data, including:
• Manipulation or Adaptation
• Alteration or Modification
• Use
• Transmitting
• Destroying, Blocking or Erasing
Includes any type of ‘customer’ or employee data
9.
Individuals now have 8 Rights
1) To be Informed
2) Access
3) Rectification
4) Erasure
5) Restrict processing
6) Data Portability
7) Object (to processing)
8) Rights in relation to automated decision making (profiling)
10.
Controllers must ensure data is:
• Processed lawfully, fairly & in a transparent way.
• Collected for a specific, explicit & authentic purpose.
• Relevant & limited to what is needed.
• Accompanied by communication of why the data is collected.
• Kept accurate & only retained for as long as necessary.
• Processed appropriately to maintain security.
12.
Consent and the GDPR
“Consent means offering individuals a real choice and control”
Consent must be FREELY GIVEN, CLEAR, UNAMBIGUOUS and POSITIVE!
16.
Brexit
What is the impact of the GDPR and Brexit?
The Information Commissioner's Office (ICO) and the British Government have both said that companies in the UK will need to implement the provisions of the GDPR.
17.
Brexit
EU companies can only do business with other GDPR-compliant businesses! This therefore includes businesses outside of the EU, e.g. America and the UK post-Brexit!
20.
Breach and Incidents
Required to report to the ICO:
• If presents risk to ‘rights and freedoms’ of people
• ASAP / within 72 Hours
If ‘High Risk’ – notify the affected individual(s)
No report needed if the data remains protected
Must have a policy/process/logs
Consequences
Significant brand/reputation damage
People may sue for damages
Fines/scrutiny from the Supervisory Authority
23.
Processes
• Data Audit - map & gap (later)
• Understand your role & who you share data with
• Review/document your legal basis
• Review and update Privacy notices
• Ensure compliance - 8 rights / 7 principles
• Implement Privacy by design / DPIA process
• Conduct risk reviews
• External certification
• Register with ICO
24.
Summary
• All change from 25th May 2018
• New lawful benchmark; all EU residents
• Replaces DPA, unaffected by Brexit
• 4 ‘E’s – Educate, Engage, Encourage, Enforce
• Review People, Process and Technology
• Understand what you have & why you need it
• Must produce & maintain documentation to demonstrate compliance