The document summarizes key aspects of preparing for the General Data Protection Regulation (GDPR) that goes into effect in May 2018. It outlines requirements such as designating a data protection officer, mapping data flows, developing policies and notices, securing data, managing third party relationships, addressing individual rights to data access and correction, conducting privacy impact assessments, handling breaches, and maintaining accountability. The presentation provides an overview of the GDPR obligations and offers advice on developing a roadmap for compliance.
2. Welcome
Join in today with sli.do
• type sli.do into your browser bar
• enter the conference code # and BJ_GDPR17, then ‘join’
• click on the seminar event box
• use the tabs to ask questions or take part in polls.
No download required
3. Join in with sli.do
Question:
Which statement best describes your organisation’s readiness for GDPR?
• We have not taken any steps
• We have started planning for GDPR
• We have a high level plan in place
• We are proceeding with a highly detailed plan
• We are ready for GDPR
4. Join in with sli.do
Question:
Who is preparing your organisation for GDPR?
• In-house resource
• Accountancy firm
• Data protection consultant
• Law firm
• Other
5. Join in with sli.do
Question:
What is the most significant hurdle your organisation faces in preparing for GDPR?
• Lack of awareness/training
• Lack of budget/team
• Organisation/system complexity
• Lack of legal certainty
• Lack of senior management buy-in
• Other
6. Today
• Understand the obligations
• Set out a roadmap to compliance
• Practical advice and real-life examples
8. GDPR
• Probably the most lobbied piece of EU law ever
• Replaces the Data Protection Directive 1995 (DPD)
• Will be enforced in Member States from 25 May 2018
• EU Member State laws implementing the DPD will no longer apply
• Creates a level-ish playing field across EU
• Will apply post-Brexit
9. Data governance structure
• Who should be responsible?
– Art. 27
• Do you need a DPO?
– Art. 37 and 38
– Working party guidance
11. Map data and data flows
• Review and record in writing all processing activities
– Art. 30
– 250 employee exemption
• Record international transfers and mechanism
– Art. 45 to 49
16. Notices
• Data privacy notices
– Art. 12-14
• Provide notices to data subjects
– Art. 13-14 and 21
• Maintain
17. Securing data and information
• Assess security risk
• Update information security and policy
– Art. 5 and 32
• Maintain security measures
18. Relationships with third parties
• Assess third party relationships
– Group
– Customers
– Partners
– Processors
– Art. 28, 29 and 32
• Appropriate contracts and controls
• Undertake due diligence and audits
19. Complying with individuals’ rights
• Complaint management
• Requests for information
– Art. 12
• Withdrawal of consent
– Art. 7
• Subject access
– Art. 15
20. Complying with individuals’ rights
• Rectification
– Art. 16 and 19
• Erasure (RTBF, the right to be forgotten)
– Art. 17 and 19
• Restriction on processing
– Art. 18 and 19
• Data portability
– Art. 20
21. Privacy practices
• Privacy by design
– Art. 25
• Privacy impact assessments
– Art. 35
• Integrate, maintain and conduct
• Consultation with supervisory authorities
– Art. 36
22. Practical considerations
• Who will carry out the DPIA?
• Who identifies the need for a DPIA?
• What’s the process?
• How is this documented?
• Who signs off the DPIA?
24. Breach
• Personal data breach – Art. 4(12)
• Other breaches
• Incident plan
• Breach notification
– Controller to individuals – Art. 34
– Controller to supervisory authority – Art. 33
– Processor to controller – Art. 33
• Document breaches – Art. 33