General Data Protection Regulations: what you really need to know

1 General Data Protection Regulations: what you really need to know
12 October 2017 Stephen Thompson & Fflur Jones

2 A little over 7 months to get ready
GDPR implementation date: 25 May 2018

3 Common myths about GDPR
1. Now the UK is leaving the EU, the GDPR won't apply.
False: the government has confirmed that the GDPR will be unaffected by Brexit.
2. We're a charity, so the GDPR won't apply to us.
False: the GDPR applies to all organisations, whether or not they are registered charities.

4 Common myths about GDPR
3. The GDPR will only apply to data we obtain after May 2018; our current database is unaffected.
False: all data you hold must comply with the GDPR, so most businesses will need to obtain fresh consent from their existing database unless they have another lawful basis for processing.
4. We don't need to worry about the GDPR; our data is outsourced to a cloud service or IT company.
False: holding data with a third party does not exempt your business from the rules.

5 Key purpose of GDPR
The real purpose is to harmonise the rules across the EU member states, and to ensure that individuals understand how their data is being used, have more control over their data, and know how to make a complaint about the use of their data.

6 Current awareness Many organisations don’t really have an understanding of the data they collect, or their duties in relation to protecting that data.

7 What Data does the GDPR apply to?
The GDPR only applies to personal data.
Two categories: "personal data" and "sensitive personal data".
If data is completely anonymised, it falls outside the GDPR. However, beware that complete anonymisation can be difficult to achieve: pseudonymised data (for example, records keyed by a hashed or tokenised identifier that can still be linked back to a person) remains personal data under the GDPR.

8 Dealing with data
Organisations are still entitled to deal with data provided they have a legal basis for doing so, including:
compliance with a legal obligation (including employment obligations)
performance of a contract with the data subject
consent of the data subject
Consent must be "freely given, specific, informed and unambiguous".

9 Legal basis for processing
More than just consent, but you need to think about what your justification for using data is:
Complying with a legal obligation will not give a blanket authorisation to use an individual's data for other purposes.
You will be relying on different grounds to process data depending on your relationship with the individual.

10 Key changes to be aware of
1. Structural/cultural changes
"data protection impact assessments"
records of processing operations
appointment of a data protection officer
consent must be "freely given, specific, informed and unambiguous"

11 Key changes to be aware of
"Freely given, specific, informed and unambiguous consent"
From this common wording (an opt-out, where silence counts as consent):
We will contact you from time to time with marketing information about our services and events. If you do not wish to hear from us, please let us know by ticking this box.
To this (an opt-in, where the individual must take a positive step):
If you are happy for us to contact you from time to time by email with marketing information about our services and events, please tick this box.

12 Key changes to be aware of
2. Additional individual rights
more transparency
a "right to be forgotten"
3. Breaches and penalties
"breach" is more than just loss of data: it also covers unauthorised access to, disclosure, alteration or destruction of personal data
"significant" breaches must be notified to the ICO within 72 hours of becoming aware of them
Two tiers of potential fines:
the higher of €10 million or 2% of your global turnover
the higher of €20 million or 4% of your global turnover

13 Employment issues
Processing employees' data includes CCTV footage, internet records and monitoring email; most of the sensitive personal data you process will be that of your employees.
The majority of Subject Access Requests are made by disgruntled employees.
So: you need to be careful with your contracts, your policies and in practice. The GDPR requires much more detail to be given by employers about their reasons for processing and about employees' rights to object.

14 What should you do to comply?
First 2 months:
conduct an internal audit of your current policies and procedures
consider what data you actually need from individuals and what you need to do with it
educate and train your staff about the GDPR
consider whether you need to appoint a data protection officer

15 What should you do to comply?
Months 3-5:
review the contracts you have in place with third-party suppliers
draft an internal strategy to deal with data
update your privacy policy and terms and conditions
review your contracts of employment and staff handbook
refresh your existing database

16 What should you do to comply?
Months 6-7:
ensure that updated policies and terms are finalised
conduct refresher training for staff
make sure all new employment contracts and consent forms are signed and returned to you, and that staff have read your policies
ensure that your technology strategy is implemented and reviewed

17 Conclusion
The GDPR is coming and will affect all businesses.
The key is to take steps to comply as best you can. Don't panic, but ensure that you and the individuals you deal with understand what data you collect and what you do with it. Educate your staff.

18 Further information www.ico.org.uk
Lots of useful guidance and information on the ICO website; their guidance is being updated all the time.

19 Further information www.waspi.org
Many third-sector organisations are signed up to WASPI, which has a number of useful templates available, particularly for data sharing.

20 Thank you for coming @DarwinGrayLLP Darwin Gray LLP
