Cobb Digital Bitesize Workshop - GDPR, are you compliant?
TRANSCRIPT
Preparing for the GDPR
How to comply
Introduction to GDPR
UK privacy history
What is GDPR?
1995 - First EU Data Protection Directive
1998 - Data Protection Act
2009 - First public consultation with view to revise European data protection framework
2012 - First draft of the GDPR
2018 - GDPR comes into force
Why is GDPR being enforced?
• Trust
• Consumer control
• Transparency
GDPR fines & penalties
Not complying can cost your business up to
€20million or 4% of the company’s annual
worldwide turnover (whichever is higher).
Fines & penalties
Fines & penalties
• Sent 3.3 million emails under the title ‘Are your
details correct?’ to people who didn’t sign up to
marketing material.
• Fined £70,000 in March 2017.
Fines & penalties
• Sent 289,790 emails clarifying whether
customers who hadn’t signed up
wanted to receive marketing
• Fined £13,000 in March 2017
GDPR consumer statistics
Trust in Personal Data: A UK Review
• 96% of respondents claim to understand the term ‘personal data’ but less than 64% picked the correct definition
• 79% of consumers believe the primary use of personal data is for an organisation's financial gain
• 65% of consumers are unsure if data is being shared without their consent
6 key updates
1. Lawfulness, fairness & transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Security
6 key updated principles from the
Data Protection Act
Individual’s rights & special
categories of data
The GDPR provides the following
rights for individuals:
1. The right to be informed
2. The right of access
3. The right to erasure
4. The right to object
5. Rights in relation to automated
decision making and profiling
6. The right to rectification
7. The right to restrict
processing
8. The right to data portability
The right to erasure: case study
• Mario Costeja González
Warning: Special categories of data
1. Racial or ethnic origin
2. Political opinions
3. Religious / philosophical beliefs
4. Trade union membership
5. Genetic data
6. Biometric data
7. Data containing health or sex life
8. Sexual orientation
9. Criminal data
Consent
Every submission of personal data must be:
• Freely given
• Specific
• Informed
• Unambiguous
Consent
Consent shouldn’t include:
• Pre-ticked boxes
• Assumptions
• Conditional consent
Consent
How do you persuade consumers to share
their data?
• Offer incentives
• Be completely clear on what
the consumer will receive
• Be completely clear on storage details
and who the information will be shared with
The consent challenge
The GDPR defines valid consent as
unambiguous, affirmative consent.
Consent
The consent challenge: Incentives
The consent challenge
Come up with an incentive to
encourage sign ups to
your mailing list
Can we still use a pre-ticked
box as consent?
Consent Q&A
No, GDPR doesn’t class a pre-ticked
box or any form of inactivity as valid
consent. The data subject must make
an affirmative action for
their consent to be valid.
What is the best way to gain valid consent
if purchasing a product or service?
Consent Q&A
The best way to ensure that you’re fully
compliant with the GDPR is to include a
separate opt-in option at the point a
consumer joins/purchases by
encouraging them to sign up to receive updates via email.
We’ve got historic lists –
will they still be valid?
Consent Q&A
If your current data hasn’t specifically
been collected using affirmative consent
for all activities, or you don’t have a record
of the details required, then
you’ll have to gain fresh consent.
New database requirements
Database requirements
Organisations must be able to demonstrate that an individual consented to the processing of their personal data.
If consent is given
over the phone, you’ll
need a recording
If you collect consent
online, you’ll need to
record consent wording,
time & source
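As an added illustration (not code from the workshop or from Cobb Digital) of what a consent record that can "demonstrate" consent looks like, the store below refuses inactivity or pre-ticked defaults, requires a call-recording reference for phone consent, and flags historic list entries that lack wording, time or source so fresh consent can be sought. Field names and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example; field names are assumptions, not a prescribed GDPR schema.
@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                    # e.g. "email marketing"
    wording: str                    # exact consent text shown to the subject
    timestamp: str                  # ISO 8601, UTC
    source: str                     # e.g. "web checkout opt-in", "phone"
    evidence: Optional[str] = None  # e.g. call-recording reference for phone consent


class ConsentStore:
    def __init__(self):
        self._records = []

    def record(self, subject_id, purpose, wording, source, affirmative_action, evidence=None):
        # GDPR does not accept pre-ticked boxes or inactivity: the subject must act.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        # Consent given over the phone needs a recording to demonstrate it later.
        if source == "phone" and not evidence:
            raise ValueError("phone consent must reference a call recording")
        rec = ConsentRecord(subject_id, purpose, wording,
                            datetime.now(timezone.utc).isoformat(), source, evidence)
        self._records.append(rec)
        return rec

    def can_demonstrate(self, subject_id, purpose):
        """True only if a record with wording, time and source exists for this purpose."""
        for r in self._records:
            if (r.subject_id == subject_id and r.purpose == purpose
                    and r.wording and r.timestamp and r.source):
                return True
        return False


def needs_fresh_consent(legacy_row):
    """Historic-list check: any missing wording/timestamp/source means re-consent."""
    return not all(legacy_row.get(k) for k in ("wording", "timestamp", "source"))
```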
True or false
GDPR will stop dentists ringing patients to remind them about appointments
True or false
All personal data breaches will need to be reported to the ICO.
Existing data
Review your strategy
Data controller vs data processor
Are you a data controller or data processor?
Data controller - the organisation that collects personal data and decides how it will be used.
Data processor - the organisation that processes personal data on behalf of the data controller.
Data controller obligations
• Collects data
• Which items of personal data to collect
• How the data will be used
• Whether to disclose the data, and if so,
who to
• Arranging access
• Storage
Data processor obligations
• To process data fairly
and lawfully
• Data is kept accurate
and up to date
• Data is only kept for
as long as necessary
• Adhere to all agreements in your
contract with the data controller
Data controller or data processor?
A local authority uses a cloud provider to store
data about its housing stock and residents, rather
than holding the data on its own IT system.
The cloud provider is also contracted to delete
certain data after a particular period and to grant
members of the public access to their own
records via a secure online portal.
Data controller or data processor?
An online retailer works in co-operation with a
third-party payment company to process
customers' transactions.
Data protection officer
The data protection officer (DPO)
A data protection officer is responsible for overseeing your data protection strategy and implementation to ensure compliance with GDPR.
• Inform
• Monitor
• Contact
Who needs a DPO?
• Public authorities
• Large scale systematic monitoring of individuals
• Large scale processing of special categories
Any questions?
Thank you
http://cobb.agency/digital | 01273 208 913