1. General Data Protection Regulations: what you really need to know
12 October 2017
Stephen Thompson & Fflur Jones

2. A little over 7 months to get ready
GDPR
Implementation date:
25 May 2018
A little over 7 months to get ready

3. Common myths about GDPR
1. Now the UK is leaving the EU, the GDPR won’t apply
False: the government has confirmed that the GDPR will be unaffected by Brexit
2. WE’RE A CHARITY SO THE GDPR WON’T APPLY TO US
False: the GDPR applies to all organisations regardless of whether they are registered charities

4. Common myths about GDPR
3. The GDPR will only apply in relation to data we obtain after May Our current database is unaffected False: all data obtained must comply with the GDPR so most businesses will need to obtain fresh consent from their database unless they have another lawful basis for processing 4. We don’t need to worry about GDPR – our data is outsourced to a cloud service or IT company False: just because data is with a third party does not mean your business is exempt from the rules

5. Key purpose of GDPR
The real purpose is to harmonise the rules across the EU member states
To ensure that individuals understand how their data is being used, have more control over their data, and to understand how to make a complaint about the use of their data

6. Current awareness
Many organisations don’t really have an understanding of the data they collect, or their duties in relation to protecting that data.

7. What Data does the GDPR apply to?
The GDPR only applies to personal data
2 categories:
“personal data”
“sensitive personal data”
If data is completely anonymised, it will fall outside of the GDPR. However, beware that complete anonymisation can be difficult to achieve.

8. Dealing with data
Organisations are still entitled to deal with data providing they have a legal basis for doing so
Compliance with a legal obligation (including employment obligations)
Performance of a contract with the data subject
Consent of the data subject
Consent must be:
“freely given, specific, informed
and unambiguous”

9. Legal basis for processing
More than just consent
BUT you need to think about what your justification for using data is:
Complying with a legal obligation will not give a blanket authorisation to use an individual’s data for other purposes
You will be relying on different grounds to process data depending on your relationship with the individual

10. Key changes to be aware of
1. Structural/cultural changes
“data impact assessments”
records of processing operations
appointment of a data protection officer
consent must be “freely given, specific, informed and unambiguous”

11. Key changes to be aware of
“Freely given, specific, informed & unambiguous consent”
From this common wording:
We will contact you from time to time with marketing information about our services and events. If you do not wish to hear from us, please let us know by ticking this box.
To this:
If you are happy for us to contact you from time to time by with marketing information about our services and events, please tick this box.

12. Key changes to be aware of
2. Additional individual rights
more transparency
a “right to be forgotten”
3. Breaches and penalties
“breach” is more than just loss of data
“significant” breaches must be notified to the ICO with 72 hours
Two tiers of potential fines:
the higher of €10million or 2% of your global turnover
The higher of €20million or 4% of your global turnover

13. Employment issues
Processing employees’ data includes CCTV footage, internet records and monitoring s; most of the sensitive personal data you process will be that of your employees
The majority of Subject Access Requests are made by disgruntled employees
So: need to be careful with your contracts, policies and in practice
GDPR requires much more detail to be given by employers about their reasons for processing and employees’ rights to object

14. What should you do to comply?
First 2 months:
conduct an internal audit of your current policies & procedures
consider what data you actually need from individuals and what you need to do with it
educate / train your staff about the GDPR
consider whether you need to appoint a data protection officer

15. What should you do to comply?
Months 3-5
review the contracts you have in place with third party suppliers
draft an internal strategy to deal with data
update your privacy policy and terms and conditions
Review your contracts of employment and staff handbook
refresh your existing database

16. What should you do to comply?
Months 6-7
ensure that updated policies and terms are finalised
conduct refresher training for staff
make sure all new employment contracts/consent forms are signed and returned to you, and staff have read your policies
ensure that your technology strategy is implemented and reviewed

17. Conclusion The GDPR is coming and will affect all businesses
The key is to take steps to comply as best as you can
Don’t panic, but ensure that you and the individuals you deal with understand what data you collect & what you do with it
Educate your staff

18. Further information www.ico.org.uk
Lots of useful guidance and information on the ICO website. Their guidance is being updated all the time

19. Further information www.waspi.org
Many 3rd sector organisations are signed up to WASPI which has a number of useful templates available particularly for data sharing

20. Thank you for coming
@DarwinGrayLLP
Darwin Gray LLP