Practical Tips for General Data Protection Regulations (GDPR)
Darren Wright
Agenda
9:30 Welcome and introductions
10:00 Introduction to data protection principles
10:15 GDPR regulations
10:30 Making a data protection policy
11:00 Break
11:15 Auditing data - what, why and how
11:45 Informed consent - what does it mean and how
12:15 Opportunities of GDPR
12:30 Roundup and conclusion
Data Protection Principles
• Personal data should be processed fairly and lawfully
• Data should be collected for a clear purpose
• Collection should be adequate for that purpose
• Data shouldn’t be kept for too long
• People supplying data should understand their rights
What is sensitive personal data?
• Data that relates to racial or ethnic origin
• Data that relates to religious beliefs
• Data that relates to a physical or mental health condition
• Data that relates to someone’s sexual life
• Data that relates to political views
• New – Biometric and genetic data
Conditions for processing
One of the following must be met:-
• Individual has explicitly consented
• Processing is necessary to enter into a contract
• Processing is required as part of a legal obligation
• Processing is necessary to protect vital interests
GDPR Regulations
• Update of the Data Protection Directive 1995
• Three objectives:-
  • One unified regulation for 27 member states
  • Managing corporate data transfer rules outside the European Union
  • Emphasising individual control over personal identifying data
• Compliance date of 25th May 2018
GDPR - Significant changes
• Removes the distinction between a data controller and data processor
• Pays attention to how data moves across EU boundaries
• Greater fines (20 million euros or 4% of global turnover)
• Much more of a focus on consent and transparency
• Right to be forgotten and data portability
• Right to object to processing and automation
GDPR Resources
• Information Commissioner's Office (https://ico.org.uk)
• Getting ready for GDPR checklist
• GDPR - What’s new?
• GDPR - Definitions
GDPR Key Elements
• Data Protection policy and procedure
• Knowing what data you collect
• Informed consent
Data protection policy
• Who is accountable and how they are accountable
• What do you collect, who can see it and why
• How you manage consent
Accountability
• How is data protection monitored at board level?
• Is your formal mechanism set out in the policy?
• Who is the accountable individual if there is a data breach?
• Do you meet the criteria for a Mandatory Data Protection Officer?
• How is policy communicated to staff (induction/training)?
Data collection
• Is your data schema incorporated into your policy?
• Do you record who has access to data?
• Do you have a process for removing access to data?
• Do you have a process for dealing with subject access requests?
• How and when do you remove data?
Consent
• Is your consent process incorporated into your policy?
• Do you carry out privacy impact assessments for projects? (data protection by design)
• Review dates (for both consent and policy itself)
Data Protection Policy - Other
• Infrastructure – patch policy for IT equipment
• Password policy
• Basic cyber security
• Cyber Security Guidance for Business
• How do you manage a change in IT provider?
Break
Auditing data
All organisations collect four types of data
1. Demographics – Data that identifies individuals (Contact)
2. Activity – What has happened to an individual
3. Outcome – What benefits, or disbenefits, have been received
4. Satisfaction – How happy the individual is
Demographic data
Definition: The identifying factors for individuals
Examples:
• Gender
• Age
• Ethnicity
Strengths:
• Can help to measure how representative of a community a service is
• Can be used as a comparator for outcome data
Weaknesses:
• On its own it is not very useful data
• Ease of collection can result in excess collection
• Data protection issues

Activity data
Definition: A measurement of the inputs provided by a service
Examples:
• Number of people that have used a service
• Number of referrals (in and out)
• Number of sessions carried out
Strengths:
• Easy to measure
• An important element in calculating your costs
Weaknesses:
• More of a measure of how busy a service is rather than how effective
• Not a measure of quality

Outcome data
Definition: A measurement of the change in an individual
Examples:
• Clients that have given up smoking
• Clients that have lost weight
• Clients accessing entitled range of benefits
Strengths:
• Much more focus on the person receiving the service
• A measure of the quality of the service you provide
• Can be used to compare with other services
Weaknesses:
• Can be hard to measure
• Requires measurement at two points

Satisfaction data
Definition: Perception of the intervention
Examples:
• Client satisfaction surveys
Strengths:
• Satisfaction is important in assessing if people will return to a service
• Can be used as a basis for adding a personal element to reporting
Weaknesses:
• Inherently subjective
• Not comparable inside an organisation let alone with other organisations
• People liking a service doesn’t mean it is a good service
Audit your data
• List every item of data you collect
• Identify which type of data it is
• List the function of collection
• List who has access to it
• If data has no purpose, stop collecting it
Data Schema
Data Element | Data Description | Where is data stored? | Purpose | Data type | Who has access? | Method of consent? | Review date
Client Name | Name of the client | Client relationship management system | Support contact of client | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Client Address | Client address | Client relationship management system | Support contact of client | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Client Email | Client email address | Client relationship management system | Support contact of client | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Client Phone | Client's phone number | Client relationship management system | Support contact of client | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Client Preferred contact method | The client's preferred method of contact | Client relationship management system | Support contact of client | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Staff Name | Name of the staff member | Staff database | Support contact of staff | Demographic | Admin staff and HR | New starter form | 08/07/2018
Staff Address | Staff address | Staff database | Support contact of staff | Demographic | Admin staff and HR | New starter form | 08/07/2018
Staff Email | Staff email address | Staff database | Support contact of staff | Demographic | Admin staff and HR | New starter form | 08/07/2018
Staff Phone | Staff phone number | Staff database | Support contact of staff | Demographic | Admin staff and HR | New starter form | 08/07/2018
Staff Preferred contact method | The staff preferred method of contact | Staff database | Support contact of staff | Demographic | Admin staff and HR | New starter form | 08/07/2018
Staff date of Birth | The date of birth of staff member | Staff database | Part of employment check | Demographic | Admin staff and HR | New starter form | 09/07/2018
Client session | Date of attendance at session | Client relationship management system | Contract monitoring for funder | Activity | Admin staff and case workers | Session form | 03/03/2018
Client Did Not Attend | Dates that client did not attend session | Client relationship management system | Contract monitoring for funder | Activity | Admin staff and case workers | Session form | 03/03/2018
Client ethnicity | Ethnicity that client self identifies | Client relationship management system | Equal opportunity monitoring | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Client gender | Gender that client self identifies | Client relationship management system | Equal opportunity monitoring | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Client Date of Birth | Client's date of birth | Client relationship management system | Equal opportunity monitoring | Demographic | Admin staff and case workers | Client assessment form | 03/03/2018
Email list name | Contact name from email list | Marketing spreadsheet | To manage email list | Demographic | Marketing officer | Email list signup | 12/10/2018
Email list email address | Contact email address from email list | Marketing spreadsheet | To manage email list | Demographic | Marketing officer | Email list signup | 12/10/2018
Managing Consent
• Be clear on why data is being collected
• What are you going to do with it?
• Consent cannot be hidden in terms and conditions
• Consent cannot be a condition for receiving a service
• Consent cannot be given by opt out (pre-ticked boxes)
Emphasis on the individual
• Must comply with right of access (subject access requests)
• Information must be provided within a month
• Two months if compliance can be shown to be complex
• Cannot charge for access unless request is “manifestly unfounded”
• Right of access requests should be able to be made electronically
Right to erasure
• Right of erasure is not absolute
• Should erase when original purpose is no longer necessary
• When consent is withdrawn
• Information has been unlawfully processed
• To comply with legal obligation
Right to erasure - Exemptions
• Exercising right of freedom of expression
• To comply with legal obligation
• Public health purposes (public interest)
• Archiving purpose (public interest)
• Defence of legal claim
Right to object to processing
There are three rights to object to processing
• Direct marketing (absolute)
• Research processing (relating to personal situation)
• Legitimate/public interest (compelling legitimacy or defence of legal claim)
Consent – Things to remember
• You must inform 3rd parties you have shared data with when erasure takes place
• The heart of consent is transparency of why you collect data and what you do with it
• You must review your consent process to ensure it reflects the things you use data for
• Consent must be in plain language
• Consent must be easily revoked
Next Steps
• Non-compliance will be highlighted by distress and annoyance of data misuse
• The first examples of prosecution will come from issues raised by the public
• Being outside of the EU makes no difference if your data crosses borders
Opportunities
• Transparency builds relationships with customers
• Data has value to you, for business planning, and wider social benefit. Understand that value.
• How you innovate with data will be a point of distinction
• Understanding the data you collect, and why, can reduce the data burden
• Pseudonymisation is encouraged (privacy by design)
