What’s happened to GDPR!!! Judith O’Brien EU GDPR Certified Practitioner November, 2018


Page 1: What’s happened to GDPR!!!...A Recap - What is GDPR • The General Data Protection Regulation is the new legal framework in the EU. • The new Regulations came in to force in the

What’s happened to GDPR!!!

Judith O’Brien

EU GDPR Certified Practitioner

November, 2018

Page 2

A Recap - What is GDPR

• The General Data Protection Regulation is the new legal framework in the EU.

• The new Regulations came into force in the UK on 25 May 2018.

• There are similarities with the existing UK Data Protection Act 1998 (DPA), but it also contains new and different requirements.

• It affects any organisation that does business in the EU.

• Having clear laws with safeguards in place is more important than ever given the growing digital economy.

• Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data.

• The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Page 3

GDPR Madness

• The regulation came into effect on 25th May, 2018.

• Madness prevailed in the lead-up to it coming into force.

• Everyone seemed to think it was all about consent, which meant millions of unnecessary and annoying emails!!!

• A mixture of fear, avoidance, doom and gloom ensued.

• Lots of inaccurate and misleading messages.

• Over a third of organisations remained unaware of the new regulation.

• 25th May 2018 was only really the starting point, as highlighted by Elizabeth Denham.

Page 4

Importance of GDPR

• Superseded the Data Protection Directive but still runs alongside other regulations such as the DPA 2018 and PECR.

• Purpose is essentially twofold – to help further stop bad marketing practice and, more importantly, to ensure we are all fulfilling our responsibilities for protecting personal data.

• Cyber Security is a key component that supports GDPR and data protection.

• “Handling personal data correctly can add value to businesses and enhance reputation, as it increases public trust.”

Page 5

Current Status / Update

• ICO resourcing is vastly improved

• Enforcement teams are now in place

• Almost daily updates on breaches and fines under the new regulation

• Significant fines being imposed

• Fines also being imposed for non-payment of the registration fee (up to a maximum of £4,350)

• Not just large organisations affected***

• Cyber crime is the fastest growing area, with states such as North Korea and Russia posing an increased threat

Page 7

GDPR Principles

GDPR implements 6 principles in Article 5.1:

• a) Lawfulness, fairness and transparency – to process data lawfully, fairly and transparently

• b) Purpose limitation – to collect data for specified, explicit and legitimate purposes only

• c) Data minimisation – to ensure data is adequate, relevant and limited to what is necessary

• d) Accuracy – to keep data up to date and accurate

• e) Storage limitation – to store data so it’s easily identified and for no longer than required

• f) Integrity and confidentiality – to protect data from loss, damage, and unauthorised or unlawful processing

The Data Controller still has accountability to demonstrate compliance.

Page 8

GDPR Principles

Consent & Children

• Complex area of GDPR

• Further guidance is expected from the ICO

• Parental consent may be required

• Verification of age may be necessary

• Automated decision making is not permitted for children

• Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.

Page 9

GDPR Principles

Sensitive Personal Data

• Organisations are prohibited from processing sensitive personal data unless specifically exempted.

• Sensitive personal data is defined as:
  - Racial or ethnic origin
  - Political opinion
  - Religious or philosophical beliefs or trade union membership
  - Processing of biometric or genetic data
  - Health data
  - Sexual orientation or sex life

Page 10

What are the key changes?

Personal privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Transparent policies
Transparent and easily accessible policies regarding:
• Notice of data collection
• Notice of processing
• Processing details
• Data retention/deletion

Controls and notifications
• Strict security requirements
• Breach notification obligation
• Appropriate lawful basis for data processing
• Confidentiality
• Recordkeeping – evidence based

IT and training
Need to invest in:
• Privacy resources and employee training
• Data policies
• Data Protection Officer
• Processor/Vendor contracts

Page 11

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

• (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

• (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

• (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

• (d) Vital interests: the processing is necessary to protect someone’s life.

• (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

• (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Page 12

Individual’s Rights

The rights of Data Subjects are:

1. The right to be informed

2. The right of access (SAR – subject access request)

3. The right to rectification

4. The right to erasure (RTBF – right to be forgotten)

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling

Page 13

Controller, Processor & Data Subject

Data Controller – Party responsible for ensuring personal data is processed in accordance with the regulation

Data Processor – Party / Body which processes personal data on behalf of the controller

Data Subjects – Individual that the personal data relates to

Page 14

Becoming Compliant with GDPR

What are the drivers?

Where are we now?

Where do we want to be?

What needs to be done?

How do we get there?

Did we get there?

How do we maintain / keep momentum?

Page 16

Preparing for the GDPR – 12 Steps to Take Now

1. Awareness - You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold - You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communicating privacy information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights - You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Page 17

Preparing for the GDPR – 12 Steps to Take Now

7. Consent - You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

8. Children - You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

9. Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments - You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

11. Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

12. International - If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Page 18

GDPR & MARKETING

The Direct Marketer's Association has provided top 8 tips to help B2B marketers on their journey to compliance:

1. The GDPR applies if an organisation is processing personal data. B2B marketers use personal data and therefore the GDPR will apply to them too.

2. In fact the GDPR definition of personal data is broad and includes cookies and IP addresses.

3. The GDPR does NOT state that organisations need to obtain an opt-in consent for their marketing.

4. The GDPR lays out 6 legal grounds for processing personal data. All are equally valid.

5. B2B marketers will be able to make use of the legitimate interest legal ground for their marketing activity in most instances.

6. Legitimate interest is a subjective legal ground, so an organisation must justify their activity and consider the privacy risks for data subjects.

7. Consent is black and white. It is a yes or a no. However, it is a robust standard which may be hard to achieve. If it is, the ICO have said legitimate interest might be the better choice.

8. GDPR is the overarching framework, but there are specific rules for the marketing sector from PECR, which is being revised and will become the ePrivacy Regulation in the future.

Page 19

GDPR WILL AFFECT YOUR MARKETING

• If your existing customer data was collected in a way that is not GDPR-compliant then you can no longer use it once GDPR takes effect.

• You may need to update your data security and review any cloud-based services you use.

• Your opt-in processes will need to be reviewed / updated.

• Consent to contact customers will need to be explicit.

• It must be as easy to withdraw consent as it is to give it.

• Non-compliance could result in fines and reputational damage.

• Email marketing needs to be compliant.

• Both your Privacy & Cookie policies need to be reviewed / updated.

Page 20

What do you still need to do?

• Register with the ICO, as required.

• Use the 12 steps from the ICO website – included in this slide pack.

• Complete the ICO’s self assessments – create an action plan.

• Data audit is the main activity – what, why, where, when, how.

• Review your policies and processes – specifically around your data protection, IT / phones etc.

• Check your information security – remove any basic weaknesses!!

• If you use CCTV, this is a complex area of data protection.

• Most often, it’s simply a case of refining / improving what you have in place already.

• If you are a sole trader, download the latest information from the ICO website.

Page 21

Business Cyber Facts

• The 2018 Cyber Security Breaches Survey found 19 per cent of charities and 43 per cent of businesses had reported cyber security breaches or attacks in the last 12 months.

• The average financial impact was £3,100 for businesses and £1,030 for charities.

• The number of reported data breaches among charities is reported to have doubled over the last two years, with education & childcare organisations reporting a 142% increase.

• Cisco’s 2017 mid-year report highlighted that Business Email Compromise alone generated 1,500 reports of mandate fraud, and the cost to UK business was £32.2m.

• Most breaches are caused by common vulnerabilities / basic weaknesses – easily addressed.

• Social engineering is an increasingly major threat.

• Cryptojacking is likely to be a major threat over the coming year.

• NCSC stopped approx. 10 attacks on UK businesses per week in their first 2 years. NCSC publish a weekly threat report.

Page 24

Key Resources

The Information Commissioner’s Office (ICO) will enforce the legislation in the UK.

Information Commissioner’s Office (ICO) – www.ico.org.uk

National Cyber Security Centre – www.ncsc.gov.uk

Get Safe Online – www.getsafeonline.org