1. GDPR Overview Gydeline – October 2017
This presentation gives a brief overview of the major points contained in the GDPR, the Gydeline approach and some next steps to think about. It should be noted that the website of the Information Commissioners Office is a great resource and should be considered the primary source for organisations in the UK. Gydeline takes the GDPR regulation and guidance from the ICO and gives output specific to a single organisation.

2. Where are we? Comes into force May 2018
Addresses personal ‘information’ & ‘data’ and how it is used in the 21st century
Gives new rights to data subjects
Applies to both ‘controllers’ and ‘processors’
Applies to organisations based in the EU and those that sell goods and services into the EU or in EU currencies/languages.
Here are some key overview points and context to consider when thinking about GDPR.

3. Personal data Name ID numbers Location data
Online identifiers (IP address/cookies etc)
Physical, genetic, mental, economic, social or cultural identifiers
of a natural person
stored in computer or paper based filing systems
In order to avoid confusion, the GDPR applies to personal data. Personal data is one of the following. Personal data relates to a natural person rather than any organisation. GDPR applies to the data irrespective of whether it is stored on electronic, paper or any other type of filing system. Filing implies that the data is structured and searchable in some way as opposed to random and unsearchable.

4. Special categories of data (sensitive)
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Under 16s
Biometric data for the purpose of uniquely identifying a natural person
Health data or data concerning a natural person's sex life or sexual orientation
Some types of personal data attract special consideration under the GDPR and so are worth noting.

5. Basic GDPR Principles Fair, lawful and transparent processing
Correct, stated purpose
Data minimisation
Accurate and up to date
Kept no longer than necessary
Secure
Accountable
The GDPR enshrines some basic data protection principles. It also requires that organisations are able to demonstrate their compliance with the GDPR – the Gydeline software is one way of demonstrating an organisations compliance position.
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles”

6. How do we do this GDPR thing?
Identify a legal basis:
Consent
Performance of a contract
Necessary for compliance
Protection of vital interests (subject of another person)
Public Interest/Official authority vested in the controller
Legitimate interests
The first step when looking at GDPR should be to understand the legal basis upon which you are processing personal data. Consent is one method which is getting a lot of attention, however contracts will negate the need for consent in many instances as will vital and legitimate interests. By understanding your legal basis, an organisation may free itself from some requirements under the GDPR – or at least understand more clearly the scope which applies to them.

7. If using consent:
Clear, affirmative action (no silence or pre-ticking)
Auditable – record of consent needed
Can be withdrawn
Not a pre-condition of service
Extensive information to be provided
Special categories require additional conditions
Consent can be explicit or implicit (i.e. visiting a Doctor) but must be unambiguous
If consent is used as the basis of processing it must follow the following rules:

8. Rights of the data subject
The right to be informed (Privacy notice)
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
The right not to be subject to automated decision making and profiling
The GDPR gives rights to the data subject. Organisations should be aware of, and have processes, to support all these rights.

9. Implications of GDPR
This slide seeks to give a simple, easy to understand breakdown of the major areas of action organisations need to take. In terms of implementation, if an organisation does everything on this slide they will most likely be 99% compliant with the GDPR.

10. Governance considerations
Processing records
Consent records
Data Protection impact assessments
DPO requirements
Information provision (Privacy notice/policy)
Data policies (retention, destruction, backup etc etc)
Security policies (access, passwords, etc etc)
Regular review of measures/governance
There are many overriding governance considerations within GDPR. These need to be available and documented should the supervisory authority (ICO in the UK) request information.

11. DPO Required if: Qualifications Public Authority
Large scale processing (scope and schedule)
Special categories
More than 250FTE
Qualifications
Audit
IT Security
EU data protection law
Company knowledge
etc
Finding the correct Data Protection Officer, if required, can be challenging as there are few individuals with the requisite IT AND legal skills and experience.

12. Reporting Demonstrating compliance with GDPR
Notify supervisory authority about unmitigated risks
Breach
Contacts (DPO, Processor etc)
Demonstrating accountability
DP Policies
Staff training
Auditing and processing activities
Data minimisation
Pseudonymising
Security features (Identity and Access, Encryption, Classification, Rights, masking etc.)
Data Protection Impact Assessments
Building on the governance considerations there are specific reporting requirements under the GDPR which need to be met.

13. What does Gydeline do?
Checks for compliance against everything mentioned above
Enables proof of accountability
Changes as the regulation changes
Identifies specific actions
Makes GDPR simpler to understand
A basic overview of the Gydeline software. For more information go to or

14. End