Cobb Digital Bitesize workshop - GDPR, are you compliant?

Preparing for the GDPR: How to comply

Upload: lauren-isaacs

Post on 22-Jan-2018

Category: Marketing

TRANSCRIPT

Page 1: Cobb Digital Bitesize workshop - GDPR, are you compliant?

Preparing for the GDPR

How to comply

Page 2

Introduction to GDPR

Page 3

What is GDPR?

UK privacy history

1995 - First EU Data Protection Directive

1998 - Data Protection Act

2009 - First public consultation with a view to revising the European data protection framework

2012 - First draft of the GDPR

2018 - GDPR comes into force

Page 4

Why is GDPR being enforced?

• Trust

• Consumer control

• Transparency

Page 5

GDPR fines & penalties

Page 6

Fines & penalties

Not complying can cost your business up to €20 million or 4% of the company’s annual worldwide turnover (whichever is higher).

Page 7

Fines & penalties

• Sent 3.3 million emails under the title ‘Are your details correct?’ to people who didn’t sign up to marketing material.

• Fined £70,000 in March 2017.

Page 8

Fines & penalties

• Sent 289,790 emails clarifying whether customers who hadn’t signed up wanted to receive marketing.

• Fined £13,000 in March 2017.

Page 9

GDPR consumer statistics

Page 10

Trust in Personal Data: A UK Review

Page 11

Trust in Personal Data: A UK Review

• 96% of respondents claim to understand the term ‘personal data’, but less than 64% picked the correct definition

• 79% of consumers believe the primary use of personal data is for an organisation’s financial gain

• 65% of consumers are unsure if data is being shared without their consent

Page 12

Trust in Personal Data: A UK Review

Page 13

6 key updates

Page 14

6 key updated principles from the Data Protection Act

1. Lawfulness, fairness & transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Security

Page 15

Individual’s rights & special categories of data

Page 16

The GDPR provides the following rights for individuals:

1. The right to be informed

2. The right of access

3. The right to erasure

4. The right to object

5. Rights in relation to automated decision making and profiling

6. The right to rectification

7. The right to restrict processing

8. The right to data portability

Page 17

The right to erasure: case study

• Mario Costeja González

Page 18

Warning: Special categories of data

1. Racial or ethnic origin

2. Political opinions

3. Religious / philosophical beliefs

4. Trade union membership

5. Genetic data

6. Biometric data

7. Data concerning health or sex life

8. Sexual orientation

9. Criminal data

Page 19

Consent

Page 20

Consent

Every submission of personal data must be:

• Freely given

• Specific

• Informed

• Unambiguous

Page 21

Consent

Consent shouldn’t include:

• Pre-ticked boxes

• Assumptions

• Conditional consent

Page 22

The consent challenge

How do you persuade consumers to share their data?

• Offer incentives

• Be completely clear on what the consumer will receive

• Be completely clear on storage details and who the information will be shared with

Page 23

Consent

The GDPR defines valid consent as unambiguous, affirmative consent.

Page 24

The consent challenge: Incentives

Page 25

The consent challenge

Come up with an incentive to encourage sign ups to your mailing list.

Page 26

Consent Q&A

Can we still use a pre-ticked box as consent?

No, GDPR doesn’t class a pre-ticked box or any form of inactivity as valid consent. The data subject must make an affirmative action for their consent to be valid.

Page 27

Consent Q&A

What is the best way to gain valid consent if purchasing a product or service?

The best way to ensure that you’re fully compliant with the GDPR is to include a separate opt-in option at the point a consumer joins/purchases, encouraging them to sign up to receive updates via email.

Page 28

Consent Q&A

We’ve got historic lists – will they still be valid?

If your current data hasn’t specifically been collected using affirmative consent for all activities, or you don’t have a record of the details required, then you’ll have to gain fresh consent.

Page 29

New database requirements

Page 30

Database requirements

Organisations must be able to demonstrate that an individual consented to the processing of their personal data.

If consent is given over the phone, you’ll need a recording.

If you collect consent online, you’ll need to record consent wording, time & source.
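As an added illustration (not part of the workshop material), the consent-record shape the "Database requirements" slide asks for, with a check that applies the earlier Q&A rules (no pre-ticked boxes or inactivity; consent is per activity; records missing wording, time or source need fresh consent) to a historic list. The dataclass fields, the sample ids, wording and source names are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Details the slide says an online consent record must keep:
# the consent wording, the time it was given and its source.
REQUIRED_FIELDS = ("subject_id", "purpose", "wording", "timestamp", "source")


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str              # consent is specific to one activity, e.g. "email_marketing"
    wording: str              # the exact text the person agreed to
    timestamp: datetime       # when the affirmative action happened (UTC)
    source: str               # where it was collected, e.g. a named form
    affirmative: bool         # True only for an explicit action by the person
    pre_ticked: bool = False  # a default-on box is not valid consent


def is_valid_consent(rec: ConsentRecord, purpose: str) -> bool:
    """True if this record can demonstrate valid consent for `purpose`."""
    if rec.purpose != purpose:
        return False      # consent for one activity does not cover another
    if rec.pre_ticked or not rec.affirmative:
        return False      # pre-ticked boxes and inactivity never count
    # every required detail must actually be on record
    return all(getattr(rec, f) not in ("", None) for f in REQUIRED_FIELDS)


def needs_fresh_consent(records, purpose: str) -> list:
    """Subjects on a historic list who must be asked again for `purpose`."""
    valid = {r.subject_id for r in records if is_valid_consent(r, purpose)}
    return sorted({r.subject_id for r in records} - valid)


# Constructed sample records (hypothetical ids, wording and sources).
WHEN = datetime(2018, 1, 22, 10, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ConsentRecord("c-001", "email_marketing", "Yes, email me offers", WHEN,
                  "checkout_optin", affirmative=True),
    ConsentRecord("c-002", "email_marketing", "Yes, email me offers", WHEN,
                  "checkout_optin", affirmative=True, pre_ticked=True),
    ConsentRecord("c-003", "email_marketing", "", WHEN, "legacy_import",
                  affirmative=False),   # imported list, no wording recorded
    ConsentRecord("c-004", "sms_marketing", "Text me offers", WHEN,
                  "app_signup", affirmative=True),  # different purpose
]

if __name__ == "__main__":
    print(needs_fresh_consent(SAMPLE_RECORDS, "email_marketing"))
```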

Page 31

True or false

Page 32

True or false

GDPR will stop dentists ringing patients to remind them about appointments

Page 33

True or false

All personal data breaches will need to be reported to the ICO.

Page 34

Existing data

Page 35

Existing data

Page 36

Existing data

Page 37

Review your strategy

Page 38

Data controller vs data processor

Page 39

Are you a data controller or data processor?

Data controller - the organisation that collects personal data and decides how it will be used.

Data processor - the organisation that processes personal data on behalf of the data controller.

Page 40

Data controller obligations

• Collects data

• Which items of personal data to collect

• How the data will be used

• Whether to disclose the data, and if so, who to

• Arranging access

• Storage

Page 41

Data processor obligations

• To process data fairly and lawfully

• Data is kept accurate and up to date

• Data is only kept for as long as necessary

• Adhere to all agreements in your contract with the data controller

Page 42

Data controller or data processor?

A local authority uses a cloud provider to store data about its housing stock and residents, rather than holding the data on its own IT system. The cloud provider is also contracted to delete certain data after a particular period and to grant members of the public access to their own records via a secure online portal.

Page 43

Data controller or data processor?

An online retailer works in co-operation with a third-party payment company to process customers’ transactions.

Page 44

Data protection officer

Page 45

The data protection officer (DPO)

A data protection officer is responsible for overseeing your data protection strategy and implementation to ensure compliance with GDPR.

• Inform

• Monitor

• Contact

Page 46

Who needs a DPO?

• Public authorities

• Large scale systematic monitoring of individuals

• Large scale processing of special categories

Page 47

Any questions?

Thank you

http://cobb.agency/digital | 01273 208 913