General Data Protection Regulation
May 2017, London
Welcome
Join in today with sli.do
• type sli.do into your browser bar
• enter the conference code #BJ_GDPR17, then ‘join’
• click on the seminar event box
• use the tabs to ask questions or take part in polls.
No download required
Join in with sli.do
Question:
Which statement best describes your organisation’s readiness for GDPR?
• We have not taken any steps
• We have started planning for GDPR
• We have a high level plan in place
• We are proceeding with a highly detailed plan
• We are ready for GDPR
Join in with sli.do
Question:
Who is preparing your organisation for GDPR?
• In-house resource
• Accountancy firm
• Data protection consultant
• Law firm
• Other
Join in with sli.do
Question:
What is the most significant hurdle your organisation faces in preparing for GDPR?
• Lack of awareness/training
• Lack of budget/team
• Organisation/system complexity
• Lack of legal certainty
• Lack of senior management buy-in
• Other
Today
• Understand the obligations
• Set out a roadmap to compliance
• Practical advice and real-life examples
Beware!
GDPR
• Probably the most lobbied piece of EU law ever
• Replaces the Data Protection Directive 1995 (DPD)
• Will be enforced in Member States from 25 May 2018
• EU Member State laws implementing the DPD will no longer apply
• Creates a level-ish playing field across EU
• Will apply post-Brexit
Data governance structure
• Who should be responsible?
– Art. 27
• Do you need a DPO?
– Art. 37 and 38
– Article 29 Working Party guidance on DPOs
Map data and data flows
• Review and record in writing all processing activities
– Art. 30
– Exemption for organisations with fewer than 250 employees (Art. 30(5)), subject to its conditions
• Record international transfers and mechanism
– Art. 45 to 49
Records of Processing
Policies
• Map legal obligations
• Convert obligations into policies and procedures
• Embed into business operations
Data protection policies
• Policy
– Art. 24
– Organisation wide
– Employee
– Customer
• Maintain
Notices
• Data privacy notices
– Art. 12-14
• Provide notices to data subjects
– Art. 13-14 and 21
• Maintain
Securing data and information
• Assess security risk
• Update information security and policy
– Art. 5 and 32
• Maintain security measures
Relationships with third parties
• Assess third party relationships
– Group
– Customers
– Partners
– Processors
– Art. 28, 29 and 32
• Appropriate contracts and controls
• Undertake due diligence and audits
Complying with individuals’ rights
• Complaint management
• Requests for information
– Art. 12
• Withdrawal of consent
– Art. 7
• Subject access
– Art. 15
Complying with individuals’ rights
• Rectification
– Art. 16 and 19
• Erasure (RTBF)
– Art. 17 and 19
• Restriction on processing
– Art. 18 and 19
• Data portability
– Art. 20
Privacy practices
• Privacy by design
– Art. 25
• Data protection impact assessments (DPIAs)
– Art. 35
• Integrate, maintain and conduct
• Consultation with supervisory authorities
– Art. 36
Practical considerations
• Who will carry out the DPIA?
• Who identifies the need for a DPIA?
• What’s the process?
• How is this documented?
• Who signs off the DPIA?
Breach
• Personal data breach – Art. 4(12)
• Other breaches
• Incident plan
• Breach notification
– Controller to individuals – Art. 34
– Controller to supervisory authority – Art. 33(1), without undue delay and where feasible within 72 hours
– Processor to controller – Art. 33(2)
• Document breaches – Art. 33(5)
Maintain accountability
• Continuous assessment
– Art. 25 and 39
• Maintain evidence
– Art. 5 and 24
• Monitor legal developments
Roadmap
How we can help
Thank you
Mark Gleeson – 0207 871 8534
mark.gleeson@brownejacobson.com
Helena Wootton – 0115 976 6108
helena.wootton@brownejacobson.com
All information correct at time of production.
The information and opinions expressed within this
document are no substitute for full legal advice. It is for
guidance only and illustrates the law as at the published
date. If in doubt, please telephone us on 0370 270 6000.
© Browne Jacobson LLP 2017 – The information contained
within this document is and shall remain the property of
Browne Jacobson. This document may not be reproduced
without the prior consent of Browne Jacobson.