How we’ll prepare for the General Data Protection Regulation (GDPR) An overview for local trustees This presentation is to be delivered by the Chief Officer or Senior Manager to Trustee boards.

What is the GDPR? From 25 May 2018 all UK organisations, including Citizens Advice, will need to comply with a new data protection law, the General Data Protection Regulation (GDPR) The GDPR is an evolution of the Data Protection Act, not a revolution. It’s a good time to review how we look after personal data and make any changes to comply with the GDPR If we don’t comply with the law then we risk reputational damage and increased regulatory action

What are the key changes under the GDPR? We need to demonstrate how we comply with the law and that we have good governance structures We must document the data we hold, where it came from and who we share it with We need to clearly explain to clients how we’ll use their data - for example in our privacy notices We must be able to respond to requests from clients, staff and volunteers to delete, remove or change data we hold

What are the key changes under the GDPR? We have to report serious data breaches to the ICO within 72 hours Our consent to use or share data will need to be more specific and we’ll need to keep a record There are higher fines if the law is breached

How will we be supported? Citizens Advice will be supporting us to become compliant through: Updated tools, policies, templates, guidance and checklists Online webinars Training FAQs Phone and email support from the operations team and Relationship Managers We can also get support from the Information Commissioner's Office as they provide: Detailed guidance on each area of the GDPR An overview of the GDPR changes and legislation Online and telephone advice and support What Citizens Advice will do Provide updated policies, guidance, training and checklists to help you become compliant Hold monthly online surgeries where you can ask questions Continue to provide support through Operations Support and relationship managers ICO have resources and information available on their website Citizens Advice are planning to provide more guidance as GDPR draws nearer, for example: Consent, subject access request

What we’ll do when and how we’ll get support Phase 1 November Phase 2 December - January Phase 3 February - March Phase 4 April - May Identify who in our service looks after our data Make sure we share data we are handling it correctly Identify how we’ll respond to requests to see copies of the data you hold Look at how we get consent Document the data we hold Review whether we send any data outside of the EU Update our privacy notices Make sure we can carry out the GDPR rights of our clients Review whether we need to do a privacy impact assessment Make sure our staff and volunteers know what to do if there’s a data breach Review whether we support anyone under 16 years old Remind all staff and volunteers of best practice and our update policies Support pack Annual conference Join 1 of 3 webinars Support pack Chief Officers Forum Join 1 of 3 webinars Support pack Training Join 1 of 3 webinars Support pack Online drop-in surgery Join 1 of 3 webinars Ask the operations team, our Relationship Manager, or visit our FAQs

What do trustees need to do now? Identify a Trustee to act as an ‘accounting officer’ for information risk and GDPR Discuss GDPR as an agenda item at our board meetings Check that each step of the ‘Helping you get ready for GDPR’ pack is completed Ensure any data protection or privacy risks are included on the local Citizens Advice risk register

Thank you [Insert name of team or presenter] [Insert any contact details you want to share]