
GDPR Workshop - WordPress Essex


With the imminent implementation of the General Data Protection Regulation (GDPR) almost every development agency, design studio, freelancer and website owner will be impacted by the changes to the law enforced from 25 May 2018. Presentation given at the WordPress Essex Meetup 19 April 2018 https://wpessex.org

Published in: Law

  1. @danmabyblue37.com GDPR Workshop 🤓
  2. I’m no legal expert 🖐
  3. 😲
  4. Myth Busting 🧠
  5. Myth 1 💸 OMG MASSIVE FINES!!!!!
  6. The Myth 🦄
  7. The Reality
     “Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense. Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously.” - Elizabeth Denham, Information Commissioner, 9 Aug. 2017
  8. Myth 2 🙏 Consent with everything
  9. The Myth
     “You have to have consent to process personal data” - Nearly everyone, all the time
     For example… “The Data Protection Bill will require explicit consent to be necessary for processing sensitive personal data.” - An actual DCMS press release (no, really) 🦄
  10. The Reality
     - Consent is one possible basis for processing personal data.
     - There are 5 others: contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
       - NB: additional requirements of an exemption for “special categories of data”
     - Consent is basically only really useful where you can’t rely on any of the others – typically, in relation to direct marketing.
     - Consent is hard to get right, easy to exceed and easy to lose.
     - Basically, consent is rubbish.
  11. Myth 3 💩 Consent is all you need
  12. The Myth
     “It’s all ok as long as you have consent” 🦄
  13. The Reality (1) You probably don’t have consent, actually
     - Freely given, specific, informed?
     - Affirmative action?
       - i.e. no “we will assume you consent unless”
     - Not tied to something that consent isn’t necessary for?
       - i.e. no “by using our service you consent to us spamming you up the wazoo forever more”
     - Sufficiently granular?
       - i.e. separate consent for each purpose
     - As easy to withdraw as to give?
  14. The Reality (2) Consent might be a legal basis on which you process, but you still have to do that processing in accordance with GDPR.
     - Fairly, transparently
     - Keep safe and secure
     - Purpose limited, minimised
     - Record keeping
     - Accurate, not retained for longer than necessary
     - Rights exercise
  15. Myth 4 👎 IT will sort it out
  16. The Myth
     “Data protection is an IT issue”
     “Buy this ‘thingy’ and you’ll be compliant” 🦄
  17. The Reality
     - Data protection is a boardroom issue
     - IT is involved, but so are Operations, HR, Sales, Marketing…
     - There is no turnkey solution to GDPR compliance
       - People and Process first!
       - Technology tools can help with particular issues, e.g. data discovery, record keeping, data housekeeping, security etc.
  18. Myth 5 😳 Data Protection Officers
  19. The Myth
     “All businesses have to appoint a Data Protection Officer.”
     “All businesses with more than 250 employees have to appoint a Data Protection Officer.”
     …or some variation on that theme. 🦄
  20. The Reality
     - Most businesses will not be obliged to appoint a DPO
     - You must appoint a DPO only if:
       - You’re a public authority
       - Your core activities require regular and systematic monitoring of data subjects
       - Your core activities consist of large scale processing of special categories of data
     - Otherwise, you don’t have to… but might want to anyway?
  21. Myth 6 🤮 Breach reporting
  22. The Myth
     “All data breaches have to be reported within 72 hours” 🦄
  23. The Reality
     - Not a straight myth, but only kinda true
     - Data breaches must be reported to the ICO by the controller UNLESS “unlikely to result in a risk to the rights and freedoms of the natural persons”
       - Encrypted?
       - Retrieved unopened?
       - A bunch of corporate email addresses?
     - Obligation is “without undue delay and, where feasible, no later than 72 hours after having become aware of it”
     - Give (good) reasons if late, phased reporting
  24. A few things that aren’t myths
     - Still applies, Brexit notwithstanding
     - Extraterritorial effect
     - Primary obligations for data processors
     - Record keeping
     - New subject rights
     - New contractual requirements for processors
     - More prescriptive security requirements
     - Stricter rules on consent 🤟
  25. #GDPRubbish 🥊 If watching a bunch of lawyers getting apoplectically angry is your idea of a good time…
  26. #WPEssex 👍 Credit: Dan Hedley, Irwin Mitchell LLP, @DanHedleyIM
  27. #WPEssex 👋 Dan Maby | @DanMaby, Blue 37 | @blue37digital
  28. I’m no legal expert ❤
