Cobb Digital Bitesize workshop - GDPR, are you compliant?
- 1. Preparing for the GDPR How to comply
- 3. UK privacy history What is GDPR? 1995 1998 2009 2012 2018 First EU Data Protection Directive Data Protection Act First public consultation with view to revise European data protection framework First draft of the GDPR GDPR comes into force
- 4. • Trust • Consumer control • Transparency Why is GDPR being enforced?
- 5. GDPR fines & penalties
- 6. Not complying can cost your business up to €20million or 4% of the company’s annual worldwide turnover (whichever is higher). Fines & penalties
- 7. hello Fines & penalties • Sent 3.3 million emails under the title ‘Are your details correct?’ to people who didn’t sign up to marketing material. • Fined £70,000 in March 2017.
- 8. hello Fines & penalties • Sent 289,790 emails clarifying whether customers who hadn’t signed up wanted to receive marketing • Fined £13,000 in March 2017
- 10. Trust in Personal Data: A UK Review
- 11. • 96% of respondents claim to understand the term ‘personal data’ but less than 64% picked the correct definition • 79% of consumers believe the primary use of personal data is for an organisations financial gain • 65% of consumers are unsure if data is being shared without their consent Trust in Personal Data: A UK Review
- 12. Trust in Personal Data: A UK Review
- 13. 6 key updates
- 14. 1. Lawfulness, fairness & transparency 2. Purpose limitation 3. Data minimisation 4. Accuracy 5. Storage limitation 6. Security 6 key updated principles from the Data Protection Act
- 15. Individual’s rights & special categories of data
- 16. The GDPR provides the following rights for individuals: 1. The right to be informed 2. The right of access 3. The right to erasure 4. The right to object 5. Rights in relation to automated decision making and profiling 6. The right to rectification 7. The right to restrict processing 8. The right to data portability
- 17. The right to erasure: case study • hi Mario Costeja González
- 18. Warning: Special categories of data l 1. Racial or ethnic origin 2. Political opinions 3. Religious / philosophical beliefs 4.Trade union membership 5. Genetic data 6. Biometric data 7. Data containing health or sex life 8. Sexual orientation 9. Criminal data
- 19. Consent
- 20. Every submission of personal data must be: • Freely given • Specific • Informed • Unambiguous Consent
- 21. Consent shouldn’t include: • Pre-ticked boxes • Assumptions • Conditional consent Consent
- 22. How do you persuade consumers to share their data? • Offer incentives • Be completely clear on what the consumer will receive • Be completely clear on storage details and who the information will be shared with The consent challenge
- 23. The GDPR defines valid consent as unambiguous, affirmative consent. Consent
- 24. The consent challenge: Incentives
- 25. The consent challenge Come up with an incentive to encourage sign ups to your mailing list
- 26. Can we still use a pre-ticked box as consent? Consent Q&A No, GDPR doesn’t class a pre-ticked box or any form of inactivity as valid consent. The data subject must make an affirmative action for their consent to be valid.
- 27. What is the best way to gain valid consent if purchasing a product or service? Consent Q&A The best way to ensure that you’re fully compliant with the GDPR is to include a separate opt-in option at the point a consumer joins/purchases by encouraging them to sign up to receive updates via email.
- 28. We’ve got historic lists – will they still be valid? Consent Q&A If your current data hasn’t specifically been collected using affirmative consent for all activities, or you don’t have a record of the details required, then you’ll have to gain fresh consent.
- 30. Database requirements Organisations must be able to demonstrate that an individual consented to the processing of their personal data. If consent is given over the phone, you’ll need a recording If you collect consent online, you’ll need to record consent wording, time & source
- 31. True or false
- 32. True or false GDPR will stop dentists ringing patients to remind them about appointments
- 33. True or false All personal data breaches will need to be reported to the ICO.
- 34. Existing data
- 35. Existing data
- 38. Data controller vs data processor
- 39. Are you a data controller or data processor? Data controller - the organisation that collects personal data and decides how it will be used. Data processor - the organisation that processes personal data on behalf of the data controller.
- 40. Data controller obligations • Collects data • Which items of personal data to collect • How the data will be used • Whether to disclose the data, and if so, who to • Arranging access • Storage
- 41. Data processor obligations • To process data fairly and lawfully • Data is kept accurate and up to date • Data is only kept for as long as necessary • Adhere to all agreements in your contract with the data controller
- 42. Data controller or data processor? A local authority uses a cloud provider to store data about its housing stock and residents, rather than holding the data on its own IT system. The cloud provider is also contracted to delete certain data after a particular period and to grant members of the public access to their own records via a secure online portal.
- 43. Data controller or data processor? An online retailer work in co-operation with a third-party payment company to process customers’ transactions.
- 45. The data protection officer (DPO) A data protection officer is responsible for overseeing your data protection strategy and implementation to ensure compliance with GDPR. • Inform • Monitor • Contact
- 46. Who needs a DPO? x • Public authorities • Large scale systematic monitoring of individuals • Large scale processing of special categories
- 47. Any questions? Thank you http://cobb.agency/digital | 01273 208 913
Editor's Notes
- #30: Database requirements – this is one of the areas that will take some time to set up and get ready. You’ll have to make sure that software / database that you use has the capability to record what you need (like sign up wording).