1. Getting Ready For GDPR Simon Marks Director
Marks Investigation Services

2. Introduction
Back to basics
Significant changes
Sanctions, enforcement and recent examples of breaches…..
Disclaimer
No reliance should be placed on the guidance given in this talk without first taking such detailed professional legal advice.
Nevertheless, feel free to ask questions, I will do my best to answer them!

3. Data Protection is not a new concept
Data Protection legislation has been in place for 20 years (DPA 1998) and the key principles of that legislation are still very much in place and will be post-GDPR:
Fairly and lawfully processed.
Processed for limited purposes.
Adequate, relevant and not excessive.
Accurate.
Not kept for longer than is necessary.
Processed in line with subject’s rights.
Secure.

4. Data protection policy, responsibility, training
Has your business established an appropriate data protection policy?
Has it nominated a data protection lead?
Has it provided awareness training to all staff?

5. Registration, privacy notices, subject access
Has your organisation registered with the ICO?- you need to if you retain data on a computer
Have you produced privacy notices that are readily available to individuals?
Does it have a process in place to recognise and respond to Subject Access Requests (SAR)?

6. Subject Access Requests
The Right to Access is a fundamental requirement under GDPR
The Data Subject has the right to obtain confirmation that their data is being processed lawfully and securely, what information is being held and why?
Will you be able to respond to a SAR (at no cost to the subject) at short notice?
Your ability to respond to a SAR will be your acid test as to whether you have a process in place to understand and comply with your obligations under GDPR

7. Data quality, accuracy and retention
Is the personal data your organisation holds of sufficient quality to make decisions about individuals?
Is there a routine disposal of personal data that is no longer needed in line with agreed timescales?

8. Security
Has your business established an information security policy that is supported by appropriate security measures?
Does your business ensure an adequate level of protection for any personal data processed by others on your behalf (or transferred out of the EU)?

9. Privacy Impact Assessments (PIA’s)
Has your business established a process to ensure that new projects or initiatives are privacy proofed at the planning stage?

10. “Data protection by design”
The ICO describes PIA’s as follows:
The purpose of the PIA is to minimise privacy risks while meeting the aims of the project. Organisations can identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice. They can test this analysis by consulting people who will be working on, or affected by, the project….conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising.

11. Data protection by default
Key word: minimisation
GDPR requires the organisation (data controller) to implement appropriate technical and organisational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed.

12. Data Protection Officer or lead
The ICO says:
It is important that someone in your organisation, or an external data protection adviser, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out the role effectively.

13. Increased rights for data subjects
Right of data portability
Right to be forgotten

14. Consent
Consent must be freely given, specific, informed and unambiguous. It must involve clear and affirmative action.
Pre-ticked boxes will not do. Consent cannot be inferred from silence or inactivity
It must be kept separate from other terms and conditions and the individual must be notified of simple ways to withdraw it

15. Security
Information may be stored on servers all over the world. There may be complex chains of contractors and subcontractors. The organisation may not know in which jurisdiction data is held.
Current ICO guidance confirms that organisations must retain control of personal data sent to the Cloud. The Cloud must not expose the organisation to risks that would not have arisen if the data had remained in its possession. It is good practice to encrypt before transfer to the Cloud.
Under the GDPR, data processors such as server providers based in the EU, will have similar legal obligations to data controllers.

16. Data Processors will have similar obligations to Data Controllers
Data Processors will have similar obligations to Data Controllers. They must:
Obtain consent from the Data Controller before they subcontract
Maintain a record of processing activities like the Data Controller must do
Ensure appropriate security measures are in place
Train their staff in data protection compliance
Notify the Data Controller of any breaches
NB GDPR sets out guidance for the required content of data processing agreements

17. Reporting of data protection breaches
TELL IT ALL, TELL IT FAST, TELL THE TRUTH

18. Sanctions and enforcement
Two levels of fines:
Up to 2% of global turnover (or 10 million euro whichever is the greater)
Up to 4% of global turnover (or 20 million euro whichever is higher)

19. Cases
Data breaches by:
Sony (47,000 unique social security numbers stolen)
Zurich (46,000 customers’ data compromised. FSA imposed a fine of £2.2million)
Yahoo (3 billion users)
eBay (145 million users compromised)
Equifax (220,000 customers affected)
RSA Security (40 million records stolen)
Facebook/Cambridge Analytica????

20. GDPR – are you really going to be ready?
Only 6 weeks to go
But don’t panic……..
Any Questions?
Simon Marks