SlideShare a Scribd company logo

Game changing legislation

IRIS, profile picture
IRIS

This document summarizes a presentation given on GDPR legislation. The key points are: - GDPR introduces significant changes to data protection law, including expanded definitions of personal data, new lawful processing categories, increased fines and penalties, and enhanced data subject rights. - Organizations need to undertake various preparations activities to achieve GDPR compliance, including data discovery, policy reviews, training, and documenting accountability records. - Specific processes like risk assessments, breach notifications, and respecting data subject rights around access, rectification, objection and erasure must be established. Proper documentation will be critical to demonstrate compliance.

Economy & Finance
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
IRIS Customer Conference GDPR – Game Changing Legislation Will Richmond-Coggan, Pitmans Law 27 March 2018
GDPR – Game Changing Legislation We’re lawyers, so we always start with a disclaimer. The guidance that follows is in the nature of general information about the subject matter concerned – it is invariably the case that detailed legal advice requires a lot of fact-sensitive information that we will not have while discussing points today. As such, no reliance should be placed on the guidance given in this talk without first taking such detailed advice. Nevertheless, feel free to ask questions, even those embarrassing ones on behalf of your “friend” who couldn’t make it – it will help us to make sure that the content is as relevant as possible!
General overview – this talk I am going to cover as much of the following as possible! • An introduction to key concepts / main changes • Outlining a roadmap to GDPR readiness • The data subject’s rights
Core Concept – Personal data • Now includes identification numbers, location, online identifiers and factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity. • Still includes information about activities when linked to an identifier • Sensitive data now includes genetic and biometric data • Criminal records now occupy a separate category and are treated distinctly
Core Concept – Lawful processing • Contract – necessary for the formation or performance of a contract between the controller and subject • Obligation – necessary for performance of a legal obligation, or discharge of a statutory function • Vital interests – to protect the vital interests of the data subject or someone else • Legitimate interests – of the data processor and controller, but only where other rights aren’t affected
Lawful processing (cont.) – Consent • Consent must be freely given, specific, informed and unambiguous by “some form of clear affirmative action” • It cannot be signified by inaction, silence or be a pre- condition to other actions • It must be as easy for a subject to withdraw consent as to give it – form and substance • Remember that processing under consent gives the data subject wider rights than other lawfulness gateways
General overview – the legislation Key game-changers brought in by GDPR: • Direct accountability of data processors • Data controller/processor distinction • Limited scope to re-allocate risk contractually • Territorial extent • The “Global” Data Protection Regulation? • Third countries – nomination of a data regulator • And (of course) Brexit!
General overview – the legislation Key game-changers brought in by GDPR: • Breach notification and record keeping • “Accountability principle” – document intensive • Mandatory notification – data regulator • Mandatory notification – data subjects • Consequences are broader • Wider fines – the greater of EUR 10m or 2% of global group turnover for “minor” issues, it’s 4% / EUR 20m for major ones! • ICO audits; data subject compensation; reputation
Get ready with… D… P… R…
Roadmap - Data discovery Headline points: • What is “personal data” • Identification of an individual or information about activities • Where should the data be located… • Think about local drives, servers, cloud services, portable • …where else is it actually… • Think about personal devices, webmail, pen drives, offshore • …and data flows • Internal/external, compliant processing chains, cross-border
Roadmap – Policies for compliance Headline points: • Compliance with standards • e.g. Cyber-Essentials, ISO 27001, BS 10012:2017 • GDPR-specific procedures • Consent management, privacy protection systems, notifications • Policy and process review • System capabilities, gap analysis, develop and implement • Training and awareness at all levels • “Baked in” compliance – privacy by design and by default
Roadmap – Record keeping Headline points: • Accountability principle • Have to be able to “show” as well as “do” • Records are essential • Of data held, decisions taken, policies and procedures • ICO ability to audit • Including onsite inspection and requiring delivery of information • As part of a supply chain • Accountability up and down the chain
Processes – Risk assessment • Identify each of the processes of your business which engage personal data • Do you process as controller or processor – what is the lawfulness gateway? • Is the processing proportionate to the objectives? • What measures of safeguarding are appropriate – anonymisation/pseudonymisation; encryption; permissions; policies
Processes – Breach notification • Now mandatory for breaches: “leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” • Notification must be made within 72 hours of detection • Data subjects must also be notified “without undue delay” where the breach poses a high risk to their rights • Think about the steps that will need to be taken in those 72 hours – processes need to be in place already
The Data Subject’s Journey Inform Access Rectify Restrict Transfer Object Erase
With Pitmans Law you can be assured of the quality of advice and service you demand from a city law firm – but with a distinction. The courage to stand apart, to think and act personably, with an uncompromising focus on achieving outstanding client outcomes. We say what we mean, matching our behaviours to our words. Established for over 150 years, Pitmans Law is headquartered in Reading with offices in London and Southampton. The lower overheads of a regional office ensure we can provide city quality legal advice at a competitive price to deliver exceptional value for our corporate and private clients locally, nationally and internationally. Pitmans provides legal advice to address our clients’ needs across a wide range of industry sectors and specialisms including particularly strong specialist teams in pensions advisory, real estate, dispute resolution as well as corporate and commercial law. Our clients draw confidence from the top tier recognition Pitmans achieves in the industry benchmarking directories, Legal 500 and Chambers UK. Reading, London, Southampton Pitmans Law is the founding UK member firm of the global legal network, Interact Law. Contact us T +44 (0)345 222 9222 E law@pitmans.com

More Related Content

PPTX
Analytics in Action - Data Protection
Lee Schlenker
 
PDF
DAMA Ireland - GDPR
DAMA Ireland
 
PPTX
Privacy, Data Security and Anti-Spam Compliance
Dan Michaluk
 
PDF
GDPR what you should know and how to minimize impact on your business
Olivier BARROT
 
PPTX
Privacy 101
Trish McGinity, CCSK
 
PDF
12 02-14 information security managers - unannotated
wdsnead
 
PDF
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
DATUM LLC
 
PPTX
An Introduction to the General Data Protection Regulation (GDPR)
Bright
 
Analytics in Action - Data Protection
Lee Schlenker
 
DAMA Ireland - GDPR
DAMA Ireland
 
Privacy, Data Security and Anti-Spam Compliance
Dan Michaluk
 
GDPR what you should know and how to minimize impact on your business
Olivier BARROT
 
Privacy 101
Trish McGinity, CCSK
 
12 02-14 information security managers - unannotated
wdsnead
 
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
DATUM LLC
 
An Introduction to the General Data Protection Regulation (GDPR)
Bright
 

What's hot (19)

PDF
Csa privacy by design & gdpr austin chambers 11-4-17
Trish McGinity, CCSK
 
PPTX
Embedding GDPR Within Your Information and Library Service
CILIPScotland
 
PDF
20170323 are you ready the new gdpr is here
Richard Hogg,Global GDPR Offerings Evangelist
 
PPTX
BigID GDPR Compliance Automation Webinar Slides
Dimitri Sirota
 
PPTX
GDPR: Your Journey to Compliance
Cobweb
 
PDF
GDPR changes affect direct marketing
Spotler
 
PPTX
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
PPTX
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
Ardoq
 
PPTX
GDPR From the Trenches - Real-world examples of how companies are approaching...
Ardoq
 
PPTX
GDPR – The Practicalities of a New Reality
Susan Moran
 
PDF
Data Privacy & Security
Eryk Budi Pratama
 
PPTX
GDPR Presentation slides
Naomi Holmes
 
PPTX
GDPR practical info session for development
Tomppa Kuusi (formerly Järvinen)
 
PPTX
12 steps to gdpr compliance unleashed
Chris Gilmour
 
PPTX
Payroll Data & GDPR: What you need to know?
BrightPay Payroll and Auto Enrolment Software
 
PPT
S719a
ecommerce
 
PPTX
Human resources: protecting confidentiality
KelbySchwender
 
PPTX
Gdpr compliance. Presentation for Consulegis Lawyers network
Bart Van Den Brande
 
PPTX
GDPR for developers
Bozhidar Bozhanov
 
Csa privacy by design & gdpr austin chambers 11-4-17
Trish McGinity, CCSK
 
Embedding GDPR Within Your Information and Library Service
CILIPScotland
 
20170323 are you ready the new gdpr is here
Richard Hogg,Global GDPR Offerings Evangelist
 
BigID GDPR Compliance Automation Webinar Slides
Dimitri Sirota
 
GDPR: Your Journey to Compliance
Cobweb
 
GDPR changes affect direct marketing
Spotler
 
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
Ardoq
 
GDPR From the Trenches - Real-world examples of how companies are approaching...
Ardoq
 
GDPR – The Practicalities of a New Reality
Susan Moran
 
Data Privacy & Security
Eryk Budi Pratama
 
GDPR Presentation slides
Naomi Holmes
 
GDPR practical info session for development
Tomppa Kuusi (formerly Järvinen)
 
12 steps to gdpr compliance unleashed
Chris Gilmour
 
Payroll Data & GDPR: What you need to know?
BrightPay Payroll and Auto Enrolment Software
 
S719a
ecommerce
 
Human resources: protecting confidentiality
KelbySchwender
 
Gdpr compliance. Presentation for Consulegis Lawyers network
Bart Van Den Brande
 
GDPR for developers
Bozhidar Bozhanov
 
Ad

Similar to Game changing legislation (20)

PDF
#HR and #GDPR: Preparing for 2018 Compliance
Dovetail Software
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PPTX
Prepare Your Firm for GDPR
MyComplianceOffice
 
PPTX
ABM Display Advertising Success in the World of GDPR [PPT]
Kwanzoo Inc
 
PPTX
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
PPTX
Vuzion Love Cloud GDPR Event
Vuzion
 
PPTX
GDPR Privacy Introduction
NiclasGranqvist
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PPTX
Getting to grips with General Data Protection Regulation (GDPR)
Zoodikers
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
PPTX
Global Data Privacy Regulation
Jatin Kochhar
 
PPTX
What does GDPR mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
PPTX
GDPR - 5 Months On!
BrightPay Payroll and Auto Enrolment Software
 
PPTX
Why We Require GDPR?
Jatin Kochhar
 
PPT
13687562.ppt
handywicaksono2
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PDF
GDPRforum London
Angry Creative (UK)
 
PDF
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
PPSX
Gdpr demystified - making sense of the regulation
James Mulhern
 
#HR and #GDPR: Preparing for 2018 Compliance
Dovetail Software
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
Prepare Your Firm for GDPR
MyComplianceOffice
 
ABM Display Advertising Success in the World of GDPR [PPT]
Kwanzoo Inc
 
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
Vuzion Love Cloud GDPR Event
Vuzion
 
GDPR Privacy Introduction
NiclasGranqvist
 
Introduction to GDPR
Priyab Satoshi
 
Getting to grips with General Data Protection Regulation (GDPR)
Zoodikers
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
Global Data Privacy Regulation
Jatin Kochhar
 
What does GDPR mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
GDPR - 5 Months On!
BrightPay Payroll and Auto Enrolment Software
 
Why We Require GDPR?
Jatin Kochhar
 
13687562.ppt
handywicaksono2
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
GDPRforum London
Angry Creative (UK)
 
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
Gdpr demystified - making sense of the regulation
James Mulhern
 
Ad

More from IRIS (10)

PPTX
IRIS World 2018 - Keynote 3 - Thrive in the Digital Economy
IRIS
 
PPTX
IRIS World 2018 - Keynote 4 - Thrive in the Digital Economy
IRIS
 
PPTX
IRIS World 2018 - Keynote 2 - Thrive in the Digital Economy
IRIS
 
PPTX
IRIS World 2018 - Keynote - Thrive in the Digital Economy
IRIS
 
PPTX
HMRC
IRIS
 
PDF
Software impact of gdpr
IRIS
 
PDF
Opportunity or burden
IRIS
 
PDF
Don't panic - cyber security for the faint hearted
IRIS
 
PDF
Happy clients happy compliance
IRIS
 
PDF
Whos role is it anyway
IRIS
 
IRIS World 2018 - Keynote 3 - Thrive in the Digital Economy
IRIS
 
IRIS World 2018 - Keynote 4 - Thrive in the Digital Economy
IRIS
 
IRIS World 2018 - Keynote 2 - Thrive in the Digital Economy
IRIS
 
IRIS World 2018 - Keynote - Thrive in the Digital Economy
IRIS
 
HMRC
IRIS
 
Software impact of gdpr
IRIS
 
Opportunity or burden
IRIS
 
Don't panic - cyber security for the faint hearted
IRIS
 
Happy clients happy compliance
IRIS
 
Whos role is it anyway
IRIS
 

Recently uploaded (20)

PPTX
social-studies-subject-for-high-school-globalization.pptx
villanuevajoealfred
 
PPTX
Introduction to Customs (June 2025) v1.pptx
josepheric420
 
PPTX
Unilever_Financial_Analysis_Presentation.pptx
HarisKaimKhani
 
PDF
Corporate Finance Fundamentals - Course Presentation.pdf
christygathoni
 
PDF
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
PDF
ADVANCE TAX Reduction using traditional insurance
KumarKk13
 
PPTX
Understanding-Economic-Growth in macro..
marriumkhan920
 
PPTX
Introduction to Managemeng Chapter 1..pptx
BettyMonizB
 
PDF
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
PPT
E commerce busin and some important issues
AssadLeo1
 
PDF
final_dropping_the_baton_-_how_america_is_failing_to_use_russia_sanctions_and...
AnastosiyaGurin1
 
PPTX
Introduction to Essence of Indian traditional knowledge.pptx
souravpoddarhith
 
PDF
Topic Globalisation and Lifelines of National Economy.pdf
ridamten1423
 
PPTX
Session 3. Time Value of Money.pptx_finance
2023mb21003
 
PPTX
Basic Concepts of Economics.pvhjkl;vbjkl;ptx
rboivakhriya
 
PDF
financing insitute rbi nabard adb imf world bank insurance and credit gurantee
robertclive1690
 
PDF
Is Retirement Income a Three Dimensional (3-D) problem_ What is the differenc...
Better Financial Education
 
PDF
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Henry Tapper
 
PDF
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Enterprise world
 
PDF
way to join Real illuminati agent 0782561496,0756664682
Real illuminati agent from Uganda Kampala call 0782561496/0756664682
 
social-studies-subject-for-high-school-globalization.pptx
villanuevajoealfred
 
Introduction to Customs (June 2025) v1.pptx
josepheric420
 
Unilever_Financial_Analysis_Presentation.pptx
HarisKaimKhani
 
Corporate Finance Fundamentals - Course Presentation.pdf
christygathoni
 
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
ADVANCE TAX Reduction using traditional insurance
KumarKk13
 
Understanding-Economic-Growth in macro..
marriumkhan920
 
Introduction to Managemeng Chapter 1..pptx
BettyMonizB
 
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
E commerce busin and some important issues
AssadLeo1
 
final_dropping_the_baton_-_how_america_is_failing_to_use_russia_sanctions_and...
AnastosiyaGurin1
 
Introduction to Essence of Indian traditional knowledge.pptx
souravpoddarhith
 
Topic Globalisation and Lifelines of National Economy.pdf
ridamten1423
 
Session 3. Time Value of Money.pptx_finance
2023mb21003
 
Basic Concepts of Economics.pvhjkl;vbjkl;ptx
rboivakhriya
 
financing insitute rbi nabard adb imf world bank insurance and credit gurantee
robertclive1690
 
Is Retirement Income a Three Dimensional (3-D) problem_ What is the differenc...
Better Financial Education
 
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Henry Tapper
 
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Enterprise world
 
way to join Real illuminati agent 0782561496,0756664682
Real illuminati agent from Uganda Kampala call 0782561496/0756664682
 

Game changing legislation

  • 1. IRIS Customer Conference GDPR – Game Changing Legislation Will Richmond-Coggan, Pitmans Law 27 March 2018
  • 2. GDPR – Game Changing Legislation We’re lawyers, so we always start with a disclaimer. The guidance that follows is in the nature of general information about the subject matter concerned – it is invariably the case that detailed legal advice requires a lot of fact-sensitive information that we will not have while discussing points today. As such, no reliance should be placed on the guidance given in this talk without first taking such detailed advice. Nevertheless, feel free to ask questions, even those embarrassing ones on behalf of your “friend” who couldn’t make it – it will help us to make sure that the content is as relevant as possible!
  • 3. General overview – this talk I am going to cover as much of the following as possible! • An introduction to key concepts / main changes • Outlining a roadmap to GDPR readiness • The data subject’s rights
  • 4. Core Concept – Personal data • Now includes identification numbers, location, online identifiers and factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity. • Still includes information about activities when linked to an identifier • Sensitive data now includes genetic and biometric data • Criminal records now occupy a separate category and are treated distinctly
  • 5. Core Concept – Lawful processing • Contract – necessary for the formation or performance of a contract between the controller and subject • Obligation – necessary for performance of a legal obligation, or discharge of a statutory function • Vital interests – to protect the vital interests of the data subject or someone else • Legitimate interests – of the data processor and controller, but only where other rights aren’t affected
  • 6. Lawful processing (cont.) – Consent • Consent must be freely given, specific, informed and unambiguous by “some form of clear affirmative action” • It cannot be signified by inaction, silence or be a pre- condition to other actions • It must be as easy for a subject to withdraw consent as to give it – form and substance • Remember that processing under consent gives the data subject wider rights than other lawfulness gateways
  • 7. General overview – the legislation Key game-changers brought in by GDPR: • Direct accountability of data processors • Data controller/processor distinction • Limited scope to re-allocate risk contractually • Territorial extent • The “Global” Data Protection Regulation? • Third countries – nomination of a data regulator • And (of course) Brexit!
  • 8. General overview – the legislation Key game-changers brought in by GDPR: • Breach notification and record keeping • “Accountability principle” – document intensive • Mandatory notification – data regulator • Mandatory notification – data subjects • Consequences are broader • Wider fines – the greater of EUR 10m or 2% of global group turnover for “minor” issues, it’s 4% / EUR 20m for major ones! • ICO audits; data subject compensation; reputation
  • 9. Get ready with… D… P… R…
  • 10. Roadmap - Data discovery Headline points: • What is “personal data” • Identification of an individual or information about activities • Where should the data be located… • Think about local drives, servers, cloud services, portable • …where else is it actually… • Think about personal devices, webmail, pen drives, offshore • …and data flows • Internal/external, compliant processing chains, cross-border
  • 11. Roadmap – Policies for compliance Headline points: • Compliance with standards • e.g. Cyber-Essentials, ISO 27001, BS 10012:2017 • GDPR-specific procedures • Consent management, privacy protection systems, notifications • Policy and process review • System capabilities, gap analysis, develop and implement • Training and awareness at all levels • “Baked in” compliance – privacy by design and by default
  • 12. Roadmap – Record keeping Headline points: • Accountability principle • Have to be able to “show” as well as “do” • Records are essential • Of data held, decisions taken, policies and procedures • ICO ability to audit • Including onsite inspection and requiring delivery of information • As part of a supply chain • Accountability up and down the chain
  • 13. Processes – Risk assessment • Identify each of the processes of your business which engage personal data • Do you process as controller or processor – what is the lawfulness gateway? • Is the processing proportionate to the objectives? • What measures of safeguarding are appropriate – anonymisation/pseudonymisation; encryption; permissions; policies
  • 14. Processes – Breach notification • Now mandatory for breaches: “leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” • Notification must be made within 72 hours of detection • Data subjects must also be notified “without undue delay” where the breach poses a high risk to their rights • Think about the steps that will need to be taken in those 72 hours – processes need to be in place already
  • 15. The Data Subject’s Journey Inform Access Rectify Restrict Transfer Object Erase
  • 16. With Pitmans Law you can be assured of the quality of advice and service you demand from a city law firm – but with a distinction. The courage to stand apart, to think and act personably, with an uncompromising focus on achieving outstanding client outcomes. We say what we mean, matching our behaviours to our words. Established for over 150 years, Pitmans Law is headquartered in Reading with offices in London and Southampton. The lower overheads of a regional office ensure we can provide city quality legal advice at a competitive price to deliver exceptional value for our corporate and private clients locally, nationally and internationally. Pitmans provides legal advice to address our clients’ needs across a wide range of industry sectors and specialisms including particularly strong specialist teams in pensions advisory, real estate, dispute resolution as well as corporate and commercial law. Our clients draw confidence from the top tier recognition Pitmans achieves in the industry benchmarking directories, Legal 500 and Chambers UK. Reading, London, Southampton Pitmans Law is the founding UK member firm of the global legal network, Interact Law. Contact us T +44 (0)345 222 9222 E law@pitmans.com