On 25 May 2018 the GDPR…
• will give more control to the individual
• will create new individual rights and new corporate obligations
• will require businesses to manage, administer and protect personal data used for B2B or B2C marketing
Objectives of GDPR
• Unified legislation
• Clear Consent
• Putting people in control
• Focus on practical compliance
• Stronger enforcement powers
Individual rights
Right of access
Right to rectification
Right to erasure (deletion)
Right to restriction of processing
Right to data portability
Right to object to processing
Rights related to automated decision-making and profiling
Data Audit
• What data do you hold and why?
• How do you collect the data?
• How and where is the data stored?
• What do you do with the data?
• Who owns and controls the personal data?
• Retention and deletion
• Who is responsible for the data and the processors associated with it?
• Do you have adequate technology and processes to manage data processing?
www.dynamicpath.io
Awareness
You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information You Hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
Communicating Privacy
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Legal Basis
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make changes.
Privacy by Design & DPIA
You should familiarize yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organization.
Dynamic Path
Example data processor record
Data Processor Name
Description: We work with companies to help inspire, shape and support the conversions that exist within every customer journey. From the moment someone lands on their website for the first time, through to following up purchases in style and ensuring the journey is truly cyclical. We do it by putting the customer at the heart of everything we do.
Privacy policy: www.dataprocessor.com/privacypolicy
Tags: Retention, Storage Encryption, Technologies, Transfer, Sharing (+ Add New Tag)
Contact: Darryn Hall, Account Director, email *************@dynamicpath.io, tel. *******1506
Summary
Don’t be the Boiled Frog!
Define your Team, Position & Direction
Stay Agile: Iterate, Communicate, Refine
Document Everything
Adopt a Continuous Improvement Mindset
GDPR will give more control to the individual and compliance certainty to the corporation
GDPR will create new individual rights and new corporate obligations, putting an emphasis on privacy
In effect: 25 May 2018
Businesses will need to manage, administer and protect personal data for B2B or B2C marketing
ASK for consent
Check that consent is the most appropriate lawful basis for processing
Ask for consent prominently and separately from your T&Cs
Ask people to opt-in
Don’t use pre-ticked boxes or any other type of consent by default
Use clear, plain easy to understand language
Tell individuals they can withdraw their consent, without detriment
Consent is not a precondition of your service(s)
For children, age-verification and parental consent measures are required
RECORD consent
Keep a record of when and how you received consent from an individual
Keep a record of exactly what they were told at the time
MANAGE Consent
Make it easy to withdraw consent at any time and show how to do so
When consent is withdrawn act as soon as you can
Don’t penalise individuals who want to withdraw their consent
Privacy notices - communicating to your customers
Privacy notices are very important under GDPR, as the regulation sets out specific requirements for what you must tell someone when they give their data. It is important to be transparent about what you do with the data and use this to help develop trust with your customers.
It is important to show the customer that they have a choice about how you intend to use the data. Customers now understand that data has value, and showing them that you are open about what you do with their data will build trust.
Privacy information is important in the digital world, where the use of someone’s personal data may not be obvious at first. This is especially important when the use to which the data is put is likely to need consent. The correct information is fundamental to ensuring that the consent you gain is valid.
What do they need to contain? The minimum information is as follows:
Who you are
It is not always obvious who will be controlling the data, so you need to make clear to your customer who controls their data.
What you are going to do with their information
You should describe the processing of the data, so that the customer is made aware of the purpose of the processing and your legal reason for doing so.
Who it will be shared with
If you will be sharing the data with others, you need to tell your customer who and why.
The more information you provide the customer and the more transparent and open you are with them, the more compliant with the GDPR you are likely to be. However, to comply with GDPR your privacy notices should be:
Concise, transparent, intelligible and easily accessible
Written in clear and plain language, particularly if addressed to a child
Free of charge
So the days of the privacy policy as a wall of words written in legalese are over.
Where should you deliver the privacy information?
Many people consider that privacy notices are the standard web pages that all websites have, but in the new world of GDPR, they can be delivered in many different ways.
It is important to consider the context of the data collection when choosing which media to use; here are some examples of the different ways of delivering privacy information.
Privacy information can be delivered in person-to-person conversations, but it is important to document the process and keep records of those conversations.
Electronic means can also be used to communicate privacy information, via web pages, emails, SMS, in app messaging systems and within apps themselves.
The privacy information can be given in writing, via direct mail, forms and agreements or application forms. It can be included in advertisements, vouchers and other promotional material.
Sometimes privacy information needs to be displayed on signage, in areas where people are tracked or processed using personal data, such as those using iBeacons, Bluetooth, Wi-Fi or CCTV.
Although you can use many types of media, the ICO has advised that you should deliver the privacy notice through the same medium you use to gather the data.
For example, use a pop-up privacy notice on the same web page on which the data is being collected.
The ICO has specifically stated that it would not be acceptable to collect details on a web page and then email the privacy notice to the person.
When should you communicate the privacy information?
The choice of when to deliver the privacy information will be led by the type of processing you are doing and how expected, or otherwise, it might be by your customer.
If you are undertaking processing that your customer is unlikely to expect, based on their likely level of knowledge, then the privacy information needs to be delivered as soon as possible.
This is important because such processing is most likely to require consent, which, to be valid, must be “informed”.
If the processing is more likely to be expected by your customer, based on your relationship with them, you are probably processing the data under the legal basis of legitimate interest.
In this case the processing is less intrusive, so the information needs to be readily available. You need to ask the following questions when deciding how quickly to present the privacy information:
Is the use unexpected?
Are you collecting sensitive information?
Will you be sharing data in an unexpected way?
If in doubt, undertake a privacy impact assessment.
Breaking up the privacy information
Sometimes the amount of privacy information you will be providing to your customer will be too much to put on one page or document.
And remember: as it needs to be easily understood, breaking it into bite-size chunks will help make the information digestible for your customer.
Place key information first
Pick your key information first: who you are, a brief description of the processing, and who you will be sharing the data with. Then use this key information to link through to more detail on other pages. It doesn’t need to be on only two pages either.
You could link the second stage to more detail if complex processing is undertaken, or links to other media, such as videos or downloadable documents.
And finally…
Document what you have done. Whatever method you choose, you must keep documented evidence of the information made available to the customer and the process used when they gave consent.
Even when using legitimate interest as the legal basis for processing, you must still be able to show what information was made available at the time the customer gave you their data.
If you are challenged in the future, it will be up to you as the data controller to prove valid consent.
Failing to prove it runs the risk of feeling the ICO’s big stick (or even bigger fines).
A shocking statistic from the last ICO survey: 75% of adults in the UK don’t trust businesses with their personal information.
"The issue of trust keeps resurfacing. The primary objective of the GDPR is to give individuals back control – it will empower individuals to choose how, and whether, businesses use their data. Because fundamentally people buy from people they trust.
In the Citizens Advice report, published in April 2016, they conclude that 'trust is sorely lacking in the online world. Consumers feel out of control of their information and choices. They feel they have an all-or-nothing choice to make when accepting the terms of the relationship.' As a result, Citizens Advice call for a balanced and fair environment, easier ways to make decisions, and to have confidence that companies who overstep the mark will be held to account. To the open-minded organisation the GDPR provides a road map to do just that."
Now is the time to create a truly consumer-centric approach to data governance and strategy, and to secure your customer’s place at the heart of your data-powered future.
Grab it with both hands – GDPR is an opportunity for transformation.
What data do you hold
Is it personal data / sensitive data / children’s data?
For all historic data, you need to be able to prove how you collected it, what permissions you have and what it is being used for
You should only be keeping data if you are using it and have clear consent for that use
You need to put in place a process for removing data that does not meet these criteria
How is the data collected?
You need to document all the methods, both online and offline, by which you collect personal data (this may include website, telephone, in person, mobile apps or third parties)
You need a well-documented record of your opt-in statements and privacy policies
There needs to be a process in place to store historic changes to wording and to track any future changes
How and where is the data stored?
Document where the data is stored
List what applications you use to do this
Document how you process the data (are backups kept offsite or cloud based for example?)
Check that every place data is stored has its own up-to-date data policy, and that all of them are clearly mentioned in your data processing policies
Questions to ask about what you do with your data
How do you process the data?
Where do you send it to?
What are your grounds and justifications for processing the data?
Ask: do you need the data? If you don’t need the data, don’t collect it and store it. If you do need the data, clearly explain to the user why and what you will be using it for.
Who owns and controls the data?
Are you a controller or processor of the data?
Who has access to it? (A question to ask both internally and externally)
Retention and deletion
How long do you keep the data?
What is your justification for the length of time you retain it?
What is the process for deleting data?
Remember: Make sure you have a clear policy on this and a process for implementing it
Who is responsible for the data and processors associated with data?
As well as a named data controller, it is important that within the organisation there is a clear guideline as to who is responsible for the administration and upkeep of any data-related policies. As part of the audit, an ongoing process needs to be identified for historic data as well as newly collected data.
Do you have adequate technology / process to adequately manage data processing?
Once you have identified what historic data you can keep and need to keep, and a strategy for collecting data going forward, you need to ensure your technology is able to do what you need it to do. Key capabilities include being able to locate and remove data, and to store the permission given at the point of collection (including the wording shown as well as the time and date). You should also document your justification for collecting, processing and storing the data and which of the six legal bases you are using to process it. Remember: you could be using different legal bases for different types of data.
The six legal bases for processing data are:
Consent
Legitimate Interest
Contract
Legal obligation
Public interest
Vital interest of data subject
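The consent checklist above (record when and how consent was received and exactly what the person was told; make withdrawal easy and act on it; track historic changes to opt-in wording) and the audit requirement to store the permission given at the point of collection both come down to one data structure: a consent ledger. The following is an added example of such a ledger, not code from the slide deck or from Dynamic Path; the subject ids, purposes, channels, notice wording and timestamps are constructed for illustration. It pins the notice wording by content hash so an edited notice becomes a new version, refuses anything that is not an affirmative opt-in, records withdrawal without erasing the original grant, and can list subjects whose consent has lapsed as candidates for the deletion process.

```python
"""Consent ledger: records when and how consent was obtained, the exact
notice wording shown (pinned by a content hash, so later edits to the
wording become a new version), and any withdrawal, so the controller can
prove valid consent if challenged. Added illustration, not code from the
slide deck or from Dynamic Path; all names, purposes, wording and sample
records below are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # sample timestamp (GDPR in effect)
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)         # constructed "current" time

# Constructed opt-in wording; in practice this is the text actually displayed.
NOTICE_V1 = ("We will email you offers from Dynamic Path. You can unsubscribe "
             "at any time using the link in every email.")


def notice_fingerprint(text: str) -> str:
    """Version id for a notice: whitespace-normalised so reflowing the text
    does not create a new version, but any change to the words does."""
    normalised = " ".join(text.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # e.g. "email_marketing"
    channel: str                      # how it was collected: web_form, telephone, paper
    notice_text: str                  # verbatim wording shown at the point of collection
    given_at: datetime
    opt_in: bool                      # True only for an affirmative action by the person
    withdrawn_at: Optional[datetime] = None
    notice_version: str = field(init=False)

    def __post_init__(self) -> None:
        self.notice_version = notice_fingerprint(self.notice_text)


class ConsentLedger:
    """Append-only: withdrawal is recorded alongside the grant, never erased."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> ConsentRecord:
        # A pre-ticked box, silence or a default is not consent: refuse to store it.
        if not rec.opt_in:
            raise ValueError("consent must be an affirmative opt-in")
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark every live consent for this subject and purpose as withdrawn."""
        count = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was there unwithdrawn consent for this purpose at time `at`?"""
        return any(
            r.subject_id == subject_id and r.purpose == purpose
            and r.given_at <= at and (r.withdrawn_at is None or r.withdrawn_at > at)
            for r in self._records
        )

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """What you would hand over if challenged: when, how, and what was shown."""
        return [
            {"given_at": r.given_at.isoformat(), "channel": r.channel,
             "notice_version": r.notice_version, "notice_text": r.notice_text,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records
            if r.subject_id == subject_id and r.purpose == purpose
        ]

    def review_candidates(self, now: datetime, max_age: timedelta) -> list[str]:
        """Subjects with no live consent younger than the retention limit:
        feed these into the deletion process rather than keeping them by default."""
        live = {r.subject_id for r in self._records
                if r.withdrawn_at is None and now - r.given_at <= max_age}
        return sorted({r.subject_id for r in self._records} - live)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: one web opt-in that stands, one phone opt-in later withdrawn."""
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("subj-001", "email_marketing", "web_form", NOTICE_V1, T0, opt_in=True))
    ledger.record(ConsentRecord("subj-002", "email_marketing", "telephone", NOTICE_V1, T0 + DAY, opt_in=True))
    ledger.withdraw("subj-002", "email_marketing", T0 + 30 * DAY)
    return ledger


if __name__ == "__main__":
    lg = build_sample_ledger()
    print(lg.has_consent("subj-001", "email_marketing", NOW))   # True
    print(lg.has_consent("subj-002", "email_marketing", NOW))   # False: withdrawn
    print(lg.evidence("subj-002", "email_marketing"))
```

The ledger is deliberately append-only: a withdrawal sets `withdrawn_at` on the original record rather than deleting it, because the question a regulator asks is not "is this person opted in today?" but "did you have valid consent at the time you sent that email?", and `has_consent` answers for any point in time. Storing the hash of the notice alongside the verbatim text lets you prove which wording a given person saw even after the notice has been revised several times.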