The General Data Protection Regulation (GDPR) is an EU law that strengthens and unifies data protection for individuals within the EU. It has 6 key principles for processing personal data lawfully, including only keeping data for as long as necessary. Under GDPR, personal data is any information relating to an identifiable individual. The regulation affects marketing practices and requires clear consent for data collection and use. Non-compliance can result in fines of up to 20 million euros. Organizations must be able to prove they know where all personal data is located to comply with GDPR.

2. What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a
regulation by which the European Parliament, the Council of the European Union and the
European Commission intend to strengthen and unify data protection for all individuals
within the European Union (EU)
Regulation means LAW!

4. The six principles of GDPR
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security

5. Data protection issues:
- Fairness – can have intrusive effects, and not obviously
transparent
- Lawfulness – consent can be difficult and assessing
legitimate interests can be challenging
- Purpose limitation – how to ensure?
- Data minimisation – how to ensure?
- Accuracy – how to ensure and maintain?
- How to facilitate the exercise of rights by data subjects?
- Managing data security risks – breaches, leakages,
degradation, disposal and transfer

6. What is Personal Data?
‘personal data’ means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person;
Let’s see some examples:

7. What personal data will
be processed
Information about an individual
that is linked or linkable to an
individual
Information identifying personally
owned property, such as vehicle
registration number
Telephone numbers, mobile,
business, personal numbers
Personal characteristics, including
photo (face or distinguishing features),
finger prints, biometric data
(retina scan etc.)
Name such as full name,
maiden name, mothers maiden
name or alias)
Personal identification number,
such as NI number, passport
number, drivers licence, patient
identification number, financial
account or credit number
Address information, such as
street or email address
Date or birth, place of birth, race,
weight, religion, geographical indicators
employment information, medical
information, education information,
financial information

8. Key Changes to working practices:
• There is an increased territorial scope – it applies to all companies that process
personal data of people residing in the union, regardless of the company’s location
• You must give data subjects more information when you are collecting their personal
data
• There are new regulations for gaining consent to collect personal data. Both consent
and explicit consent now require clear affirmative action
• The age barrier for collecting data is rising from 13 to 16
• You must delete data that you are not using for its original purpose
• People can revoke their consent to data processing at any time, and it must be easy
for them to do so. More control must be given to the data subjects
• You have 72 hours to notify data breaches to regulators, unless the breach is unlikely
to result in a risk to data subjects
• There is a single national office for complaints
• Large data controllers must appoint a Data Protection Officer
• If you do not comply with the GDPR, you could face fines of up to €20,000,000
(roughly £18,000,000) or 4% of your total global annual turnover for the preceding
financial year

9. Major changes:
• Consent
• The right to be forgotten
• Data subject access requests
• Processors are now responsible too, not just the controller

10. How GDPR affects your marketing?
• This completely changes the way we think about handling data. Marketers will need to
demonstrate how their organisation meets the lawful conditions. If an organisation
cannot prove how they have obtained consent the likelihood is that they will be fined
• The collection of data needs to be relevant for the purpose. This means if you have run
a campaign or competition you can only use the information for that purpose
• Creating another purpose to use that information will need further consent from the
data subject. This is bad news for marketing as a common practice has been to grow
databases using these methods
• Marketing databases will need to be cleansed and reviewed to ensure your
organisation can identify if consent has been granted lawfully and fairly, whether it is
being used for explicit and legitimate purposes, what data has been collected, and the
accuracy of that information
• Consent must be given, not assumed
• Silent consent, pre-ticked boxes or inactivity should not constitute consent

11. 1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
Data Storage Rules are the 6 principles:

12. Future proofing your business:
1. System: Plan your systems with GDPR and Cyber Security in mind
2. Support: Use trusted partners to keep you infor
3. Govern: Getting a grasp on personal data starts with being able to define what
personal data means and then share this understanding across your organisation
4. Protect: Once the personal data inventory and governance model are established, it’s
time to set up the correct level of protection for the data
5. Audit: The fifth step in your journey to GDPR compliance involves auditing
6. Practitioner: You could employ a GDPR Practitioner to guide you through the process
Remember:
To address GDPR compliance, you can’t rely on common knowledge or perception of
where you think personal data might be. The regulation requires organisations to prove
that they know where personal data is – and where it isn’t.

13. How to gain compliance:
1. Access: The first step toward GDPR compliance is to access all your data sources
2. Identify: Once you’ve got access to all the data sources, the next step is to inspect
them to identify what personal data can be found in each
3. Govern: Getting a grasp on personal data starts with being able to define what
personal data means and then share this understanding across your organisation
4. Protect: Once the personal data inventory and governance model are established, it’s
time to set up the correct level of protection for the data
5. Audit: The fifth step in your journey to GDPR compliance involves auditing
6. Practitioner: You could employ a GDPR Practitioner to guide you through the process
Remember:
To address GDPR compliance, you can’t rely on common knowledge or perception of
where you think personal data might be. The regulation requires organisations to prove
that they know where personal data is – and where it isn’t.

14. Just in case this is not for you… Notorious Breaches

15. Questions?
In the need of GDPR contact:
Ray Snow
GASQ - GDPR Practitioner
T: 01702 480281
E: ray.snow@resinfo-tech.co.uk
W: www.thrive2distintion.co.uk