
GDPR Workshop - WordPress Essex


With the imminent implementation of the General Data Protection Regulation (GDPR) almost every development agency, design studio, freelancer and website owner will be impacted by the changes to the law enforced from 25 May 2018. Presentation given at the WordPress Essex Meetup 19 April 2018

Published in: Law


  1. GDPR Workshop 🤓
  2. I’m no legal expert 🖐
  3. 😲
  4. Myth Busting 🧠
  5. Myth 1 💸 OMGMASSIVEFINES!!!!!
  6. The Myth 🦄
  7. The Reality: “Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense. Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously.” - Elizabeth Denham, Information Commissioner, 9 Aug. 2017
  8. Myth 2 🙏 Consent with everything
  9. The Myth: “You have to have consent to process personal data” - Nearly everyone, all the time. For example… “The Data Protection Bill will require explicit consent to be necessary for processing sensitive personal data.” - An actual DCMS press release (no, really) 🦄
  10. The Reality
      • Consent is one possible basis for processing personal data.
      • There are 5 others: contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
        ◦ NB: additional requirements of an exemption for “special categories of data”
      • Consent is basically only really useful where you can’t rely on any of the others – typically, in relation to direct marketing.
      • Consent is hard to get right, easy to exceed and easy to lose.
      • Basically, consent is rubbish.
  11. Myth 3 💩 Consent is all you need
  12. The Myth: “It’s all ok as long as you have consent” 🦄
  13. The Reality (1): You probably don’t have consent, actually
      • Freely given, specific, informed?
      • Affirmative action?
        ◦ i.e. no “we will assume you consent unless”
      • Not tied to something that consent isn’t necessary for?
        ◦ i.e. no “by using our service you consent to us spamming you up the wazoo forever more”
      • Sufficiently granular?
        ◦ i.e. separate consent for each purpose
      • As easy to withdraw as to give?
  14. The Reality (2): Consent might be a legal basis on which you process, but you still have to do that processing in accordance with GDPR.
      • Fairly, transparently
      • Keep safe and secure
      • Purpose limited, minimised
      • Record keeping
      • Accurate, not retained for longer than necessary
      • Rights exercise
  15. Myth 4 👎 IT will sort it out
  16. The Myth: “Data protection is an IT issue” “Buy this ‘thingy’ and you’ll be compliant” 🦄
  17. The Reality
      • Data protection is a boardroom issue
      • IT is involved, but so are Operations, HR, Sales, Marketing…
      • There is no turnkey solution to GDPR compliance
        ◦ People and Process first!
        ◦ Technology tools can help with particular issues e.g. data discovery, record keeping, data housekeeping, security etc.
  18. Myth 5 😳 Data Protection Officers
  19. The Myth: “All businesses have to appoint a Data Protection Officer.” “All businesses with more than 250 employees have to appoint a Data Protection Officer.” …or some variation on that theme. 🦄
  20. The Reality
      • Most businesses will not be obliged to appoint a DPO
      • You must appoint a DPO only if:
        ◦ You’re a public authority
        ◦ Your core activities require regular and systematic monitoring of data subjects
        ◦ Your core activities consist of large scale processing of special categories of data
      • Otherwise, you don’t have to… but might want to anyway?
  21. Myth 6 🤮 Breach reporting
  22. The Myth: “All data breaches have to be reported within 72 hours” 🦄
  23. The Reality
      • Not a straight myth, but only kinda true
      • Data breaches must be reported to the ICO by the controller UNLESS “unlikely to result in a risk to the rights and freedoms of the natural persons”
        ◦ Encrypted?
        ◦ Retrieved unopened?
        ◦ A bunch of corporate email addresses?
      • Obligation is “without undue delay and, where feasible, no later than 72 hours after having become aware of it”
      • Give (good) reasons if late, phased reporting
  24. A few things that aren’t myths 🤟
      • Still applies, Brexit notwithstanding
      • Extraterritorial effect
      • Primary obligations for data processors
      • Record keeping
      • New subject rights
      • New contractual requirements for processors
      • More prescriptive security requirements
      • Stricter rules on consent
  25. #GDPRubbish 🥊 If watching a bunch of lawyers getting apoplectically angry is your idea of a good time…
  26. #WPEssex 👍 Credit: Dan Hedley, Irwin Mitchell LLP, @DanHedleyIM
  27. #WPEssex 👋 Dan Maby | @DanMaby, Blue 37 | @blue37digital
  28. I’m no legal expert ❤