The document discusses the UK General Data Protection Regulation (GDPR) and highlights key components such as the right to be informed, lawful bases for processing personal data, and the importance of consent. It emphasizes the need for transparency, accountability, and specific protections for children's data in marketing contexts. Additionally, it encourages organizations to adopt data protection practices and provides resources for compliance with GDPR regulations.

1. Let’s talk GDPR:
Fair, transparent,
lawful and
accountable

2. UK Information Commissioner’s Office

3. General Data Protection
Regulation (GDPR)

4. UK Data Protection Bill

5. Fair and transparent

6. !?
Right to be informed
• Your contact details
• The purposes and lawful basis
• Any recipients of the personal data
• Any international transfers
• Retention periods
• The data subject’s rights

7. How you inform
• Concise
• Transparent
• Intelligible
• Easily accessible
• Clear and plain language
• Consider the audience

8. Lawful

9. Lawful basis for processing
Personal data
• Consent
• Contract with the individual
• Comply with a legal obligation
• Protecting vital interests
• Public function in the public
interest
• Exercise of official authority
• Legitimate interests of the data
controller, but not prejudicial to
the person
Special category data
• Explicit consent
• Employment, social security,
social protection law
• Vital interests
• Not for profit religious, political
or trade union bodies
• Put in public domain by the
person
• Legal proceedings/advice
• Substantial public interest
based on law
• Health, medical, social care
• Public health
• Archiving, research, statistical
• Additional conditions likely to
be in the new UK DP Bill

10. !?
Legitimate interests
• Direct marketing is a legitimate
interest
• It must not override the rights and
freedoms of the individual
• A legitimate interest must be within
an individual’s reasonable
expectation
Recital 47, GDPR

11. Consent must be:
• Able to be refused or withdrawn
• Freely given, specific, informed and unambiguous
• A clear, affirmative act
• Intelligible and easily accessible
• Requested in plain language
• Separate from other matters

12. Direct marketing
Section 11(3), Data Protection Act 1998
The communication (by whatever means) of any
particular advertising or marketing material
which is directed to particular individuals.
This includes material promoting the aims of not-
for-profit organisations.

13. { }
Children
“…specific protection should, in
particular, apply to the use of
personal data of children for the
purposes of marketing or
creating personality or user
profiles and the collection of
personal data with regard to
children when using services
offered directly to a child.”
Recital 38, GDPR

14. Privacy & Electronic Communication Regs 2003

15. ePrivacy Regulation

16. Right to object
The data subject shall have
the right to object at any time
to processing… for such
marketing.

17. Accountable

18. The Accountability Principle
The controller
shall be
responsible for,
and be able to
demonstrate
compliance.

19. Data protection by design and default

20. Data
Protection
Impact
Assessments

21. Data processors
Now liable if they do not follow your instructions
• You must only use a processor providing sufficient guarantees
that they can meet GDPR requirements
• Contract must govern data processing in detail
• Controller must provide documented instructions on what to do
with the data
• Contract must specify whether or not a sub-processor can be
engaged
• Processor must assist the controller as required to comply with
GDPR and must allow audits of the processing

22. Learn from the
mistakes of others

23. Charity fundraising practices

24. Flybe Limited
£70,000

25. Honda Motor Europe Ltd
£13,000

26. Support and resources

27. Tools to help you
get ready for the
GDPR

28. Existing ICO
guidance

29. Webinars

30. www.ico.org.uk/enewsletter

31. Working with the third sector
GDPR blogs and
regulatory
cooperation
OSCR/Panel SCVO
GDPR blogs and
conference
TSIs/Reps
Workshops

32. @iconews
Keep in touch
ICO Scotland
45 Melville Street
Edinburgh EH3 7HL
T: 0303 123 1115
E: Scotland@ico.org.uk

33. How would you
like to be treated?

34. Visit the CharityComms website
to view slides from past events,
see what events we have
coming up and to check out
what else we do:
www.charitycomms.org.uk

35. Making sense of
GDPR
Scotland Networking Group
6 February 2018
Edinburgh
#ccscots