General Data Protection Regulation (GDPR)

Presentation on theme: "General Data Protection Regulation (GDPR)"— Presentation transcript:

1 General Data Protection Regulation (GDPR)

2 GDPR What is it?
GDPR replaces the Data Protection Act 1998, and comes into force on 25th May 2018. Approved by the EU Parliament on 14 April 2016, it will apply here regardless of Brexit and the Great Repeal Bill.
It is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The regulation applies to personal data processed by automated AND non-automated means.
There are two categories of personal data:
• Sensitive (including data about health, beliefs, sex life etc.)
• Ordinary (everything else, with financial data as a special case)

3 GDPR What do organisations holding personal data need to do?
• Carry out a data audit
• Revisit your consents
• Review Fair Processing Notices (FPN) and Privacy Policies
• Set a Data Retention Policy
• Audit contracts
• Train staff
• Write Privacy Impact Assessments
• Set policies and procedures to deal with enhanced rights to individuals

4 GDPR What will happen if personal data is lost?
Notification of breaches will be compulsory. The ICO must be notified of breaches within 72 hours of awareness being gained, and each individual must be notified that there is a high risk to their rights and freedoms.
Reportable data breaches include:
• Wrong letter in a wrong envelope
• Laptop left on a train
• Personal data in a picture
• cc instead of a Bcc

5 Remember: GDPR comes into force on 25th May 2018
What are the consequences for non-compliance?
The cost of a breach could be up to €10m or up to 2% of global turnover, whichever is higher. Talk Talk’s breach cost £400k under the DP Act; it could have been £70M under the GDPR.

