SlideShare a Scribd company logo

Gdpr in a nutshell

Matthew Butler, profile picture
Matthew Butler

The EU's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and affects all entities handling European personal data, with significant penalties for non-compliance. New rights for individuals include the right to access, delete, and restrict their data, alongside strict consent requirements for data collection. While there are challenges and costs associated with GDPR implementation, there are also opportunities for businesses to enhance customer trust and improve data management practices.

Business
Related topics:
Data SecurityEnhancing Customer Experience Information Security
1 of 33
Downloaded 88 times
1
2
Most read
3
Most read
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
GDPR In A Nutshell The biggest change to our data protection laws in 20 years. Are you ready? Deadline: 25th May 2018
“Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.” Elizabeth Denham UK Information Commissioner
Who Does GDPR Apply To? On the 25th of May 2018 the EU’s General Data Protection Legislation (GDPR) will come into effect. It will impact millions of businesses, of every size. GDPR will apply to every entity that holds or uses European personal data both inside and outside of Europe. 3
Myths & Facts Leading To Complacency The truth is GDPR likely applies to you. You should start getting prepared now for May 2018. 48% of UK citizens are planning on using their new GDPR rights. 15% in the first month. Get ready! Businesses haven’t even heard about GDPR yet. ICO will be running an awareness campaign. It applies to businesses of ALL sizes and types. €20m or 4% of turnover, whichever is greater. The UK leaving the EU does not effect GDPR. It’s not only future data, it’s your current data too. €10m or 2% of turnover, whichever is greater. Having good data security is not enough. There isn’t much time left to become compliant. One in Three More Awareness Doesn’t Apply Serious Offenses Brexit Effect Current Data Lesser Offenses Only Security Have Time 4
GDPR And Fear-Mongering It’s true there are real consequences, and heavy penalties, for not complying with GDPR. However the new law is also an extremely positive development, and if anything, long overdue. Organisations should seize this opportunity to transform their company into a customer-centric, data-driven entity with the right internal controls and technology. of companies believe the cost of implementation was fully justified based on the benefits delivered. say the biggest benefit they saw was improved information security. Source: gdprcoalition.ie say the main factor for choosing to adopt and implement was to improve organisational structure. 52% 98% 69% 5
Non-Compliance Fines Up To 4% Of Revenue Class Action Lawsuits Data Encryption Disruption To Business No Case LawBrand Damage Fines Up To €20 million Streamlined Processes SecurityTransparency Better Internal Controls Risk Reduction Data Encryption Updated TechnologyLess long-term cost Efficient Data Management Compliance Opportunities & Consequences The focus is usually on the negatives of non-compliance, but there are a lot of positives businesses should take advantage of. 6
“Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?” Elizabeth Denham UK Information Commissioner 7
PART 1 Your New Rights PART 2 Consent & Privacy PART 3 Personal Data PART 4 Action Plan The Four Key Areas This guide will be covering each, in our quest to transform you into a GDPR Guru! Note: we take no responsibility for the completeness or accuracy of this information. Please do your own research, or seek consultation around your own specific obligations. What new rights do people now have? How to get permission to use people’s data? What is it, and how to manage it? What steps must you take to comply? 8
PART 1 Your New Rights What new rights do individuals now have? Book Demo At VirtualCabinet.com There are a lot of new Rights people will be granted once GDPR comes into effect. A system like Virtual Cabinet can help you stay on top of them all!
Your New Rights: Overview Powerful new super-powers to control your Personal Data Individuals need to be informed when you collect or process their data. Individuals can ask to have all their data deleted from your records. Individuals can object to data being processed in marketing, research etc. Individuals can now ask for access to their data, and why you are processing it. Individuals can ‘block’ any further processing of their data. Safeguards to protect individuals against automated decisions & profiling. Data that is inaccurate or incomplete must be corrected on request. Individuals can obtain and reuse their data on different services if they choose. Right To be Informed Right To Be Forgotten Right To Object Right Of Access Right To Restrict Processing Automation & Profiling Rights Right To Rectification Right To Data Portability Tip: software can help you become GDPR compliant with the least effort. VirtualCabinet.com does a good job of this. Visit their site to book a demo and see if they can help. Part 1: Your New Rights 10
OK, But What Do ‘Rights’ Practically Mean? Skip to Part 2 if you want to avoid specifics. Or keep reading for a meaty breakdown of what each ‘Right’ practically means for you. Right To Be Forgotten You must erase personal data on request, or when you have finished processing it. You Must Erase Data When • When the data is no longer necessary for the original purpose it was collected for. • When an individual withdraws their consent. • When individual objects to processing. • When the data was obtained unlawfully. • When the law requests it. When Can You Refuse To Erase • When it obstructs your freedom of expression. • When the law requests it. • Public interest in the area of public health. • Archiving purposes in the public interest. • Exercise or defense of legal claims. Children’s Personal Data There are increased rights for children to request erasure. Third Party Erasure If data has been disclosed to any third parties, they must be informed about any data’s erasure, unless this involves disproportionate effort. Tip: Use software to automatically file incoming data into a centralised spot. Finding and deleting an individual’s data then becomes much easier. VirtualCabinet.com does this well. Part 1: Your New Rights 11
Individuals need to be informed when you collect or process their data: • In clear, plain, concise language • Free of charge If Collecting The Data Directly: You must inform the individual of: • Your Organisation’s identity. • Your Data Protection Officer’s identity. • The purpose of the data processing. • The legal basis for your data processing. • Details of transfer to any third country. • The retention period, or criteria. • The existence of the individual’s rights. • Their right to withdraw consent at any time. • Their right to complain to a supervisory authority. • Existence of any automated decision making, including profiling. • If provision is part of a statutory or contractual requirement, and consequences of not providing data. If Collecting The Data Indirectly You must inform the individual: • In a reasonable period (within 1 month). • When communicating with the individual. • When disclosing data to another party. And as well as all the information (to the left) you must supply when collecting the data Directly, you must also inform the individual of: • Categories of personal data. • The original source of the data, and if it was publicly accessible. • However, you do not need to explain whether the data provision is part of a statutory or contractual requirement. Right To Be Informed Part 1: Your New Rights 12
Individuals will be able to access: • Confirmation their data is being processed • Access to their personal data • Other supplementary info How Long Do You Have To Comply? One month. Two months if requests are complex or numerous (but you must inform the individual). Can You charge a fee? No. It must be free unless the request is ‘manifestly unfounded or excessive’. What If The Request Is ‘manifestly unfounded or excessive?’ In this case, particularly if the request is repetitive, you can either: • Charge a fee based on administration costs. • Refuse to respond, explaining to why & their right to complain to a supervisory authority. How Should The Information Be Provided? • You must verify the identify of the person making the request using ‘reasonable means’. • If the request is electronic, you should provide the information electronically. • Where possible organisations should provide remote access to a self service system. Requests For Large Amounts Of Personal Information? You may ask the individual to specify the information the request relates to. You can use this as part of your consideration as to whether the request is ‘manifestly unfounded or excessive’. Right Of Access Tip: ensure you each document has an audit trail showing who has accessed it and why. VirtualCabinet.com does this automatically. Part 1: Your New Rights 13
A lot people feel they’ve lost control of their own data. People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.” Elizabeth Denham UK Information Commissioner Part 1: Your New Rights 14
Right To Rectification Right To Data Portability Individuals can have personal data rectified if it is inaccurate or incomplete, without delay. Individuals can obtain & reuse their data for their own purposes across different services. They can use this data to find a better deal, or understand their spending habits. When Can This Be Used? • You must provide the data in a structured, commonly used, machine readable form. • You may need to transmit the data directly to another organisation if the individual requests it, if technically feasible. When Can This Be Used? If accurate or incomplete the data must be rectified, including informing third parties. The Rights Of Others • If the data concerns more than one individual, you must consider the rights of the other individual. Part 1: Your New Rights 15
Right To Restrict Processing Right To Object Individuals can ‘block’ you from processing their data. Individuals can object to the processing of their data. If The Data Is For Direct Marketing If it is, you must stop processing as soon as you receive the objection, and deal with it free of charge. When Can This Be Used? Processing must stop if an individual: • Contests the data’s accuracy. • Objects to processing. • Opposes erasure and requests restriction when processing is unlawful. • Needs the data to establish, exercise or defend a legal claim. Communication You must inform the individual if you unblock their data for processing. If The Data Is For A Legal Task, An Organisations Legitimate Interests, Or Research Work You must comply with a right to object unless: • You can demonstrate compelling legitimate grounds. • Processing is for the establishment, exercise or defense of legal claims. Part 1: Your New Rights 16
Automation And Profiling Rights A safeguard against the risk a damaging decision is taken without human intervention. E.g. an online credit application. When Can This Be Used? Individuals have the right not to be subject to a decision when: • It is based on automated processing. • It produces a legal effect. When Can’t This Be Used? • When entering a contract. • Authorised by law. • With consent. • With a child. • On special categories of data unless you have explicit consent, or it is necessary for public interest. What Do You Need To Do? You need to make sure individuals can: • Obtain human intervention. • Express their point of view. • Obtain an explanation, or challenge it. Profiling & Automation You must ensure safeguards are in place when processing data for profiling purposes: • Fair and transparent. • Meaningful information around logic. • Appropriate statistical procedures. • Minimise errors by employing measures. • Secure personal data & prevent discrimination. Part 1: Your New Rights 17
PART 2 Consent & Privacy How to get permission to use people’s data? 18 Book Demo At VirtualCabinet.com Once you obtain consent to use someone’s data, use a system like Virtual Cabinet ensure you uphold their privacy and protect their Rights.
The 12 Steps To Correct Consent Remember this list whenever you collect data. You should be aiming for a clear, affirmative statement of consent. • When any information is collected. • Positive, Opt-In boxes are accepted. • Consent by ‘non-action’ is prohibited. eg: Auto-Check Boxes, Opt-Out boxes. • Language should be clear, plain & accessible. • Data must be confidentially and securely processed by your data system. • Only authorised individuals should have access to the data consented to. • The purpose of collection must be clear. • State what the data is going to be used for. • Inform who the data will be shared with. • Disclose how long will you keep the data. • All data must have an expiry date. • The expiry date must be appropriate for the collected purpose. • If unsure, it is recommended consent be checked every 2 years. • Data cannot be stored indefinitely. • Personal information can only be collected for specific, explicit and legitimate purposes. • Only collect the minimum data you need. • You must ensure data is accurate and correct • This is to avoid distress or harm to the individual. When & How To Get Consent Data Integrity Be Transparent Data Time Limit Data Minimisation Data Accuracy Part 2: Consent & Privacy 1 4 5 6 2 3 19
12 Steps To Correct Consent Continued... • Individuals must be given a genuine choice. • Service cannot be conditional on consent. • Individuals be able to refuse, or withdraw consent without detriment. • Explain how to withdraw consent. • Withdrawing consent must be as easy as giving consent. • The Right to object to direct marketing must be clear. • Special data categories (race, health, genetic) require explicit consent. • Provide your identity and contact information. • Disclose your Data Protection Officer’s details, if relevant. • Must be able to change inaccurate data. • Must know what date has been collected and how it will be used. • Must be able to transfer the data to another system. • Must be able to withdraw consent. • Individuals under 16 cannot give consent. • The UK May lower its age of consent to 13. • Parental consent is required for anything other than counseling and preventative services. • Prepare a clear record of your consent policy. • Review and check it continuously. • Make sure your existing data has the correct consent. Genuine Choice Allow User Action Identify Yourself Uphold Individual Rights Children Documentation & Process Part 2: Consent & Privacy 7 10 11 12 8 9 20
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.” Elizabeth Denham UK Information Commissioner Part 2: Consent & Privacy 21
Part 2: Consent & Privacy Privacy By Design GDPR wants you to think about privacy and data protection from the beginning, not as a bolted-on after-thought. This is ‘Privacy By Design’: Conduct assessments for personal data that is high risk to individuals. Only collect what is necessary. Only process data for the purpose that it was collected for. Only authorised individuals should be able to access data. Keep checking the confidentiality, availability & resilience of your systems. Note processing, data categories, erasure time & storage locations. Impact Assessment Limit Data Limit Processing Limit Access Keep Reviewing Record Keeping 22
PART 3 Personal Data What is it, and how to manage it? Book Demo At VirtualCabinet.com Consider managing your Personal Data with software like Virtual Cabinet. It automatically files your data in a central spot so you have better visibility, control and security over it. A big step towards GDPR compliance.
Name Physical Economic Number Physiological Cultural Location Genetic Social Online ID Mental Understand Your Data Special Categories What personal data do you hold? Where did it come from? Who is it shared with? Where do you keep it? Consider an information audit to fully document & appreciate your data. Certain categories of data require particular care: Race, Ethnic Origin, Politics, Religion, Trade Union Membership, Genetics, Biometrics, Health, Sex Life, Sexual Orientation. ACTION ACTION ‘Personal Data’ now includes any information relating to an identified natural person. This could include a broad range of data including: What Is Personal Data? Part 3: Personal Data 23
Personal Data: Principles Sticking to some simple principles will help you master your Personal Data collection, transfer and storage - Process data lawfully, fairly, transparently. - Properly inform individuals if you collect it. - Only store data for as long as necessary. - Ensure you have backups. - Minimize the data you are gathering - Only collect for defined a purpose. - Restrict access to authorised individuals. - Protect against loss and destruction. - Keep all your data up to date. - Audit data for errors continuously. - Remember individuals can request their data anytime, so know where it is located. Stay Ethical Storage Specific Purpose Security Accurate Visibility Part 3: Personal Data 24
Mandatory Data Protection Officer (DPO) It is mandatory to appoint a DPO if you process or store large amounts of personal data. One study predicts up to 28,000 DPO’s will have to be hired by May 2018! Part 3: Personal Data • Must operate independently, not taking instructions from their employer. • Cannot be dismissed for performing their duties. • Must be given sufficient resources. • Must report directly to the highest management level in your company. • Can be an existing employee. Or you can hire externally (including sharing the cost with other companies). • Train employees on GDPR compliance. • Undertake audits, and solve data issues. • Is your point of contact with the GDPR Supervisory Authority bodies. • Maintain all evidence and reporting. • Inform individuals how their data is being used, and how their rights are being upheld. • There are no specific technical qualifications asked for by the legislation. • The DPO must instead have ‘expert knowledge of data protection law and practices’. • Their expertise should be appropriate to your own company’s data processing operations. • The DPO’s information must be publicly shared with all regulatory agencies. Power & Position Responsibilities Qualifications Source: digitalguardian.com 25
Understand Your Data’s Journey From collection to destruction you should understand your Data’s journey Be Mindful Of Your Equipment Transfer Data Correctly Cloud Storage It is your responsibility to ask any online storage providers you use what their end of equipment life policy is. Review Equipment • What equipment is at the end of its life? • Eg. Computer Drives, Phones, Tablets, USD’s and Security Badges. Review Risk • Make sure you have a disposal policy. Data Security • During all stages of data transfer and rest. Safeguards • Encrypt your data, use pseudonymisation. Protection By Design • Should be fundamental to all systems. Impact Assessments • Conduct when a transfer is high risk. Destroy It • Devices must be physically shred to meet EU standards. • Can be shred internally (with equipment), or destruction can be outsourced. Stick To Good Principles • For example, only collect data you need. Data Retention • Maintain data retention schedules. Reporting • Document your process by collecting evidence. Part 3: Personal Data 26
PART 4 Action Plan What steps must you take to comply. Book Demo At VirtualCabinet.com Choose the right software is a great first step towards compliance & easy ongoing GDPR management. Try Virtual Cabinet to see if they can help.
7-Step Checklist To Compliance Part 4: Action Plan Raise Awareness Make sure key decision makers know what is happening with GDPR (share this guide with them!) Staff training: most breaches occur through staff ignorance. Get strong commitment from the board & C Level Officers to build compliance culture. Form A Team Form a cross functional data team including the IT team & business leadership. Appoint a Data Protection Officer (DPO) if needed. Team should be responsible for GDPR. Team should own the documentation process. Team should regularly review policies, processes and technology. Do An Audit Start with an information audit & risk assessment of your data. Audit risk of servers, storage, end- point devices & cloud locations. Ensure you have a legal basis for carrying out data processing. Make sure you have consent for all your Personal Data. Review existing policies. Conduct a data-flow analysis to see how data moves & is stored. STEP 1 STEP 2 STEP 3 28
7-Step Checklist To Compliance Part 4: Action Plan Create A Plan Be proactive, don’t think GDPR won’t affect you – it will. Create a list of recommendations. Prioritise recommendations and assign resources and budget. Put together a roadmap to achieve compliance. Review your plan regularly. Technology Move towards a single platform to organise all of your data. Get a single source of truth to better respond to data access, portability, erasure requests, data breaches, etc. Use technology from best vendor to stay ahead of the technology curve Try VirtualCabinet.com as a good software and systems solution. Communication Put together an incident response process. Ensure you have a strong governance process. Plan how you will handling data requests within 30 days at no cost to individuals. Individuals rights Be aware of the new Rights given to individuals under GDPR, as detailed in Part 1 of this guide. STEP 4 STEP 5 STEP 6 STEP 7 29
“Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.” Elizabeth Denham UK Information Commissioner Part 4: Action Plan 30
Have you reviewed your processes to make sure they are managed securely? Potential penalties? Have you done risk planning? What’s your plan for personal data requests? Is your process documented? Can it be automated? Can it scale? Response timescale? Published data retention policies? When you capture consent for the use of Personal Data, do you explain why you need to have it and how it will be processed? Consent needs to be explicit. Individuals giving consent need to be fully informed. What personal data do you collect? Have you documented why it is captured? Do you obtain consent & explain how it will be processed? Have policies, forms & training been updated with new Personal Data categories? If a sub-contractor processes data on your behalf are their sufficient guarantees (especially expert knowledge, reliability & resources) to meet GDPR requirements? Procurement Source: gdprcoalition.ie Legal Finance IT HRMarketing Which systems hold Personal Data? Could you find all data relating to an individual and delete it? Is it stored securely (office + cloud)? Any potential security breaches? Process for breach notification within 72 hours? Part 4: Action Plan Top Questions To Ask Your Departments 31
Where Do I Start? Book Demo At VirtualCabinet.com The easiest way to become compliant is with the right system. Book in a demo with a leading software provider like Virtual Cabinet to see if they can help you with their Document Management and Online Portal Software. More GDPR Resources Are You Ready Quiz GDPR Resource Centre Or visit VirtualCabinet.com/GDPR/Overview Software Guide

More Related Content

PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
PDF
GDPR Demystified
SPIN Chennai
 
PDF
Managing Personally Identifiable Information (PII)
KP Naidu
 
PPTX
GDPR
Gopi PD
 
PDF
Data Protection and Privacy
Vertex Holdings
 
PDF
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
PDF
GDPR for Dummies
Caroline Boscher
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
GDPR Demystified
SPIN Chennai
 
Managing Personally Identifiable Information (PII)
KP Naidu
 
GDPR
Gopi PD
 
Data Protection and Privacy
Vertex Holdings
 
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
GDPR for Dummies
Caroline Boscher
 
Introduction to GDPR
Priyab Satoshi
 

What's hot (20)

PPS
Introduction to Data Protection and Information Security
Jisc Scotland
 
PDF
Personal Data Protection in Indonesia
Eryk Budi Pratama
 
PPTX
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
PDF
Urgensi RUU Perlindungan Data Pribadi
Eryk Budi Pratama
 
PPTX
Privacy & Data Protection
sp_krishna
 
PDF
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
GDPR training
ASL
 
PPTX
skillcast-gdpr-training-presentation-q320.pptx
RahulGarg294918
 
PDF
Privacy and Data Security
WilmerHale
 
PPTX
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
PPTX
Gdpr presentation
Sudarsan Reddy
 
PPTX
GDPR Introduction and overview
Jane Lambert
 
PDF
Data Loss Threats and Mitigations
April Mardock CISSP
 
PDF
Overview on data privacy
Amiit Keshav Naik
 
PPTX
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
PPTX
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
CIO Edge
 
PPTX
Privacy in simple
Aurora Computer Studies
 
PPT
Cyber Laws In Pakistan
Taha Mehmood
 
PPT
Maticna plosca miran-alijagic_4ra
AirMiran
 
PPTX
Data protection ppt
grahamwell
 
Introduction to Data Protection and Information Security
Jisc Scotland
 
Personal Data Protection in Indonesia
Eryk Budi Pratama
 
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
Urgensi RUU Perlindungan Data Pribadi
Eryk Budi Pratama
 
Privacy & Data Protection
sp_krishna
 
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR training
ASL
 
skillcast-gdpr-training-presentation-q320.pptx
RahulGarg294918
 
Privacy and Data Security
WilmerHale
 
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
Gdpr presentation
Sudarsan Reddy
 
GDPR Introduction and overview
Jane Lambert
 
Data Loss Threats and Mitigations
April Mardock CISSP
 
Overview on data privacy
Amiit Keshav Naik
 
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
CIO Edge
 
Privacy in simple
Aurora Computer Studies
 
Cyber Laws In Pakistan
Taha Mehmood
 
Maticna plosca miran-alijagic_4ra
AirMiran
 
Data protection ppt
grahamwell
 
Ad

Similar to Gdpr in a nutshell (20)

PPTX
Reddico GDPR Presentation
Luke Kyte
 
PPTX
GDPR Practicalities - The Data Shed
Stewart Norriss
 
PPTX
GDPR – what does it mean for charities and what you need to consider - Iain P...
m-hance
 
PPTX
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
PDF
GDPR webinar for business leaders
Deeson
 
PPTX
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
PDF
GDPR Changing Mindset
NetworkIQ
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
PDF
Are You Prepared for the GDPR?
PrivacyPolicies.com
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
PDF
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
PDF
Public sector breakfast club - October 2017, Exeter
Browne Jacobson LLP
 
PPTX
Associates quick guide to gdpr v 1.0
Aaron Banham
 
PPTX
Things to know about GDPR in 2018
Webkul Software Pvt. Ltd.
 
PPTX
GDPR- GENERAL DATA PROTECTION REGULATION
Saurabh Pandey
 
PPTX
GDPR- GENERAL DATA PROTECTION REGULATION
Saurabh Pandey
 
PPTX
GDPR General Awarness for employees and personal data types
AbdullaFatiya3
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
PDF
GDPR - Sink or Swim
Guy Griffiths
 
PPSX
Gdpr demystified - making sense of the regulation
James Mulhern
 
Reddico GDPR Presentation
Luke Kyte
 
GDPR Practicalities - The Data Shed
Stewart Norriss
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
m-hance
 
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
GDPR webinar for business leaders
Deeson
 
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
GDPR Changing Mindset
NetworkIQ
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
Are You Prepared for the GDPR?
PrivacyPolicies.com
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
Public sector breakfast club - October 2017, Exeter
Browne Jacobson LLP
 
Associates quick guide to gdpr v 1.0
Aaron Banham
 
Things to know about GDPR in 2018
Webkul Software Pvt. Ltd.
 
GDPR- GENERAL DATA PROTECTION REGULATION
Saurabh Pandey
 
GDPR- GENERAL DATA PROTECTION REGULATION
Saurabh Pandey
 
GDPR General Awarness for employees and personal data types
AbdullaFatiya3
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
GDPR - Sink or Swim
Guy Griffiths
 
Gdpr demystified - making sense of the regulation
James Mulhern
 
Ad

Recently uploaded (20)

PDF
Chapter 5_Foreign Exchange Market in .pdf
sophatphoniu
 
DOCX
Business Management - unit 1 and 2
anithak410
 
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
thaoonguyenn2311
 
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
PDF
Deliverable file - Regulatory guideline analysis.pdf
Quan Risk
 
PDF
NewBase 12 August 2025 Energy News issue - 1812 by Khaled Al Awadi_compresse...
Khaled Al Awadi
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PDF
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
Globus finanza
 
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PPTX
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
ergvedfvef sdvsfvdvd
 
PDF
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
PPTX
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
PPTX
3. HISTORICAL PERSPECTIVE UNIIT 3^..pptx
ZAMANYousufzai1
 
Chapter 5_Foreign Exchange Market in .pdf
sophatphoniu
 
Business Management - unit 1 and 2
anithak410
 
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
Ôn tập tiếng anh trong kinh doanh nâng cao
thaoonguyenn2311
 
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
Deliverable file - Regulatory guideline analysis.pdf
Quan Risk
 
NewBase 12 August 2025 Energy News issue - 1812 by Khaled Al Awadi_compresse...
Khaled Al Awadi
 
Chapter four Project-Preparation material
argachewbochena1
 
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
Globus finanza
 
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
ergvedfvef sdvsfvdvd
 
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
3. HISTORICAL PERSPECTIVE UNIIT 3^..pptx
ZAMANYousufzai1
 

Gdpr in a nutshell

  • 1. GDPR In A Nutshell The biggest change to our data protection laws in 20 years. Are you ready? Deadline: 25th May 2018
  • 2. “Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.” Elizabeth Denham UK Information Commissioner
  • 3. Who Does GDPR Apply To? On the 25th of May 2018 the EU’s General Data Protection Legislation (GDPR) will come into effect. It will impact millions of businesses, of every size. GDPR will apply to every entity that holds or uses European personal data both inside and outside of Europe. 3
  • 4. Myths & Facts Leading To Complacency The truth is GDPR likely applies to you. You should start getting prepared now for May 2018. 48% of UK citizens are planning on using their new GDPR rights. 15% in the first month. Get ready! Businesses haven’t even heard about GDPR yet. ICO will be running an awareness campaign. It applies to businesses of ALL sizes and types. €20m or 4% of turnover, whichever is greater. The UK leaving the EU does not effect GDPR. It’s not only future data, it’s your current data too. €10m or 2% of turnover, whichever is greater. Having good data security is not enough. There isn’t much time left to become compliant. One in Three More Awareness Doesn’t Apply Serious Offenses Brexit Effect Current Data Lesser Offenses Only Security Have Time 4
  • 5. GDPR And Fear-Mongering It’s true there are real consequences, and heavy penalties, for not complying with GDPR. However the new law is also an extremely positive development, and if anything, long overdue. Organisations should seize this opportunity to transform their company into a customer-centric, data-driven entity with the right internal controls and technology. of companies believe the cost of implementation was fully justified based on the benefits delivered. say the biggest benefit they saw was improved information security. Source: gdprcoalition.ie say the main factor for choosing to adopt and implement was to improve organisational structure. 52% 98% 69% 5
  • 6. Non-Compliance Fines Up To 4% Of Revenue Class Action Lawsuits Data Encryption Disruption To Business No Case LawBrand Damage Fines Up To €20 million Streamlined Processes SecurityTransparency Better Internal Controls Risk Reduction Data Encryption Updated TechnologyLess long-term cost Efficient Data Management Compliance Opportunities & Consequences The focus is usually on the negatives of non-compliance, but there are a lot of positives businesses should take advantage of. 6
  • 7. “Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?” Elizabeth Denham UK Information Commissioner 7
  • 8. PART 1 Your New Rights PART 2 Consent & Privacy PART 3 Personal Data PART 4 Action Plan The Four Key Areas This guide will be covering each, in our quest to transform you into a GDPR Guru! Note: we take no responsibility for the completeness or accuracy of this information. Please do your own research, or seek consultation around your own specific obligations. What new rights do people now have? How to get permission to use people’s data? What is it, and how to manage it? What steps must you take to comply? 8
  • 9. PART 1 Your New Rights What new rights do individuals now have? Book Demo At VirtualCabinet.com There are a lot of new Rights people will be granted once GDPR comes into effect. A system like Virtual Cabinet can help you stay on top of them all!
  • 10. Your New Rights: Overview Powerful new super-powers to control your Personal Data Individuals need to be informed when you collect or process their data. Individuals can ask to have all their data deleted from your records. Individuals can object to data being processed in marketing, research etc. Individuals can now ask for access to their data, and why you are processing it. Individuals can ‘block’ any further processing of their data. Safeguards to protect individuals against automated decisions & profiling. Data that is inaccurate or incomplete must be corrected on request. Individuals can obtain and reuse their data on different services if they choose. Right To be Informed Right To Be Forgotten Right To Object Right Of Access Right To Restrict Processing Automation & Profiling Rights Right To Rectification Right To Data Portability Tip: software can help you become GDPR compliant with the least effort. VirtualCabinet.com does a good job of this. Visit their site to book a demo and see if they can help. Part 1: Your New Rights 10
  • 11. OK, But What Do ‘Rights’ Practically Mean? Skip to Part 2 if you want to avoid specifics. Or keep reading for a meaty breakdown of what each ‘Right’ practically means for you. Right To Be Forgotten You must erase personal data on request, or when you have finished processing it. You Must Erase Data When • When the data is no longer necessary for the original purpose it was collected for. • When an individual withdraws their consent. • When individual objects to processing. • When the data was obtained unlawfully. • When the law requests it. When Can You Refuse To Erase • When it obstructs your freedom of expression. • When the law requests it. • Public interest in the area of public health. • Archiving purposes in the public interest. • Exercise or defense of legal claims. Children’s Personal Data There are increased rights for children to request erasure. Third Party Erasure If data has been disclosed to any third parties, they must be informed about any data’s erasure, unless this involves disproportionate effort. Tip: Use software to automatically file incoming data into a centralised spot. Finding and deleting an individual’s data then becomes much easier. VirtualCabinet.com does this well. Part 1: Your New Rights 11
  • 12. Individuals need to be informed when you collect or process their data: • In clear, plain, concise language • Free of charge If Collecting The Data Directly: You must inform the individual of: • Your Organisation’s identity. • Your Data Protection Officer’s identity. • The purpose of the data processing. • The legal basis for your data processing. • Details of transfer to any third country. • The retention period, or criteria. • The existence of the individual’s rights. • Their right to withdraw consent at any time. • Their right to complain to a supervisory authority. • Existence of any automated decision making, including profiling. • If provision is part of a statutory or contractual requirement, and consequences of not providing data. If Collecting The Data Indirectly You must inform the individual: • In a reasonable period (within 1 month). • When communicating with the individual. • When disclosing data to another party. And as well as all the information (to the left) you must supply when collecting the data Directly, you must also inform the individual of: • Categories of personal data. • The original source of the data, and if it was publicly accessible. • However, you do not need to explain whether the data provision is part of a statutory or contractual requirement. Right To Be Informed Part 1: Your New Rights 12
  • 13. Individuals will be able to access: • Confirmation their data is being processed • Access to their personal data • Other supplementary info How Long Do You Have To Comply? One month. Two months if requests are complex or numerous (but you must inform the individual). Can You charge a fee? No. It must be free unless the request is ‘manifestly unfounded or excessive’. What If The Request Is ‘manifestly unfounded or excessive?’ In this case, particularly if the request is repetitive, you can either: • Charge a fee based on administration costs. • Refuse to respond, explaining to why & their right to complain to a supervisory authority. How Should The Information Be Provided? • You must verify the identify of the person making the request using ‘reasonable means’. • If the request is electronic, you should provide the information electronically. • Where possible organisations should provide remote access to a self service system. Requests For Large Amounts Of Personal Information? You may ask the individual to specify the information the request relates to. You can use this as part of your consideration as to whether the request is ‘manifestly unfounded or excessive’. Right Of Access Tip: ensure you each document has an audit trail showing who has accessed it and why. VirtualCabinet.com does this automatically. Part 1: Your New Rights 13
  • 14. A lot people feel they’ve lost control of their own data. People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.” Elizabeth Denham UK Information Commissioner Part 1: Your New Rights 14
  • 15. Right To Rectification Right To Data Portability Individuals can have personal data rectified if it is inaccurate or incomplete, without delay. Individuals can obtain & reuse their data for their own purposes across different services. They can use this data to find a better deal, or understand their spending habits. When Can This Be Used? • You must provide the data in a structured, commonly used, machine readable form. • You may need to transmit the data directly to another organisation if the individual requests it, if technically feasible. When Can This Be Used? If accurate or incomplete the data must be rectified, including informing third parties. The Rights Of Others • If the data concerns more than one individual, you must consider the rights of the other individual. Part 1: Your New Rights 15
  • 16. Right To Restrict Processing Right To Object Individuals can ‘block’ you from processing their data. Individuals can object to the processing of their data. If The Data Is For Direct Marketing If it is, you must stop processing as soon as you receive the objection, and deal with it free of charge. When Can This Be Used? Processing must stop if an individual: • Contests the data’s accuracy. • Objects to processing. • Opposes erasure and requests restriction when processing is unlawful. • Needs the data to establish, exercise or defend a legal claim. Communication You must inform the individual if you unblock their data for processing. If The Data Is For A Legal Task, An Organisations Legitimate Interests, Or Research Work You must comply with a right to object unless: • You can demonstrate compelling legitimate grounds. • Processing is for the establishment, exercise or defense of legal claims. Part 1: Your New Rights 16
  • 17. Automation And Profiling Rights A safeguard against the risk a damaging decision is taken without human intervention. E.g. an online credit application. When Can This Be Used? Individuals have the right not to be subject to a decision when: • It is based on automated processing. • It produces a legal effect. When Can’t This Be Used? • When entering a contract. • Authorised by law. • With consent. • With a child. • On special categories of data unless you have explicit consent, or it is necessary for public interest. What Do You Need To Do? You need to make sure individuals can: • Obtain human intervention. • Express their point of view. • Obtain an explanation, or challenge it. Profiling & Automation You must ensure safeguards are in place when processing data for profiling purposes: • Fair and transparent. • Meaningful information around logic. • Appropriate statistical procedures. • Minimise errors by employing measures. • Secure personal data & prevent discrimination. Part 1: Your New Rights 17
  • 18. PART 2 Consent & Privacy How to get permission to use people’s data? 18 Book Demo At VirtualCabinet.com Once you obtain consent to use someone’s data, use a system like Virtual Cabinet ensure you uphold their privacy and protect their Rights.
  • 19. The 12 Steps To Correct Consent Remember this list whenever you collect data. You should be aiming for a clear, affirmative statement of consent. • When any information is collected. • Positive, Opt-In boxes are accepted. • Consent by ‘non-action’ is prohibited. eg: Auto-Check Boxes, Opt-Out boxes. • Language should be clear, plain & accessible. • Data must be confidentially and securely processed by your data system. • Only authorised individuals should have access to the data consented to. • The purpose of collection must be clear. • State what the data is going to be used for. • Inform who the data will be shared with. • Disclose how long will you keep the data. • All data must have an expiry date. • The expiry date must be appropriate for the collected purpose. • If unsure, it is recommended consent be checked every 2 years. • Data cannot be stored indefinitely. • Personal information can only be collected for specific, explicit and legitimate purposes. • Only collect the minimum data you need. • You must ensure data is accurate and correct • This is to avoid distress or harm to the individual. When & How To Get Consent Data Integrity Be Transparent Data Time Limit Data Minimisation Data Accuracy Part 2: Consent & Privacy 1 4 5 6 2 3 19
  • 20. 12 Steps To Correct Consent Continued... • Individuals must be given a genuine choice. • Service cannot be conditional on consent. • Individuals be able to refuse, or withdraw consent without detriment. • Explain how to withdraw consent. • Withdrawing consent must be as easy as giving consent. • The Right to object to direct marketing must be clear. • Special data categories (race, health, genetic) require explicit consent. • Provide your identity and contact information. • Disclose your Data Protection Officer’s details, if relevant. • Must be able to change inaccurate data. • Must know what date has been collected and how it will be used. • Must be able to transfer the data to another system. • Must be able to withdraw consent. • Individuals under 16 cannot give consent. • The UK May lower its age of consent to 13. • Parental consent is required for anything other than counseling and preventative services. • Prepare a clear record of your consent policy. • Review and check it continuously. • Make sure your existing data has the correct consent. Genuine Choice Allow User Action Identify Yourself Uphold Individual Rights Children Documentation & Process Part 2: Consent & Privacy 7 10 11 12 8 9 20
  • 21. “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.” Elizabeth Denham UK Information Commissioner Part 2: Consent & Privacy 21
  • 22. Part 2: Consent & Privacy Privacy By Design GDPR wants you to think about privacy and data protection from the beginning, not as a bolted-on after-thought. This is ‘Privacy By Design’: Conduct assessments for personal data that is high risk to individuals. Only collect what is necessary. Only process data for the purpose that it was collected for. Only authorised individuals should be able to access data. Keep checking the confidentiality, availability & resilience of your systems. Note processing, data categories, erasure time & storage locations. Impact Assessment Limit Data Limit Processing Limit Access Keep Reviewing Record Keeping 22
  • 23. PART 3 Personal Data What is it, and how to manage it? Book Demo At VirtualCabinet.com Consider managing your Personal Data with software like Virtual Cabinet. It automatically files your data in a central spot so you have better visibility, control and security over it. A big step towards GDPR compliance.
  • 24. Name Physical Economic Number Physiological Cultural Location Genetic Social Online ID Mental Understand Your Data Special Categories What personal data do you hold? Where did it come from? Who is it shared with? Where do you keep it? Consider an information audit to fully document & appreciate your data. Certain categories of data require particular care: Race, Ethnic Origin, Politics, Religion, Trade Union Membership, Genetics, Biometrics, Health, Sex Life, Sexual Orientation. ACTION ACTION ‘Personal Data’ now includes any information relating to an identified natural person. This could include a broad range of data including: What Is Personal Data? Part 3: Personal Data 23
  • 25. Personal Data: Principles Sticking to some simple principles will help you master your Personal Data collection, transfer and storage - Process data lawfully, fairly, transparently. - Properly inform individuals if you collect it. - Only store data for as long as necessary. - Ensure you have backups. - Minimize the data you are gathering - Only collect for defined a purpose. - Restrict access to authorised individuals. - Protect against loss and destruction. - Keep all your data up to date. - Audit data for errors continuously. - Remember individuals can request their data anytime, so know where it is located. Stay Ethical Storage Specific Purpose Security Accurate Visibility Part 3: Personal Data 24
  • 26. Mandatory Data Protection Officer (DPO) It is mandatory to appoint a DPO if you process or store large amounts of personal data. One study predicts up to 28,000 DPO’s will have to be hired by May 2018! Part 3: Personal Data • Must operate independently, not taking instructions from their employer. • Cannot be dismissed for performing their duties. • Must be given sufficient resources. • Must report directly to the highest management level in your company. • Can be an existing employee. Or you can hire externally (including sharing the cost with other companies). • Train employees on GDPR compliance. • Undertake audits, and solve data issues. • Is your point of contact with the GDPR Supervisory Authority bodies. • Maintain all evidence and reporting. • Inform individuals how their data is being used, and how their rights are being upheld. • There are no specific technical qualifications asked for by the legislation. • The DPO must instead have ‘expert knowledge of data protection law and practices’. • Their expertise should be appropriate to your own company’s data processing operations. • The DPO’s information must be publicly shared with all regulatory agencies. Power & Position Responsibilities Qualifications Source: digitalguardian.com 25
  • 27. Understand Your Data’s Journey From collection to destruction you should understand your Data’s journey Be Mindful Of Your Equipment Transfer Data Correctly Cloud Storage It is your responsibility to ask any online storage providers you use what their end of equipment life policy is. Review Equipment • What equipment is at the end of its life? • Eg. Computer Drives, Phones, Tablets, USD’s and Security Badges. Review Risk • Make sure you have a disposal policy. Data Security • During all stages of data transfer and rest. Safeguards • Encrypt your data, use pseudonymisation. Protection By Design • Should be fundamental to all systems. Impact Assessments • Conduct when a transfer is high risk. Destroy It • Devices must be physically shred to meet EU standards. • Can be shred internally (with equipment), or destruction can be outsourced. Stick To Good Principles • For example, only collect data you need. Data Retention • Maintain data retention schedules. Reporting • Document your process by collecting evidence. Part 3: Personal Data 26
  • 28. PART 4 Action Plan What steps must you take to comply. Book Demo At VirtualCabinet.com Choose the right software is a great first step towards compliance & easy ongoing GDPR management. Try Virtual Cabinet to see if they can help.
  • 29. 7-Step Checklist To Compliance Part 4: Action Plan Raise Awareness Make sure key decision makers know what is happening with GDPR (share this guide with them!) Staff training: most breaches occur through staff ignorance. Get strong commitment from the board & C Level Officers to build compliance culture. Form A Team Form a cross functional data team including the IT team & business leadership. Appoint a Data Protection Officer (DPO) if needed. Team should be responsible for GDPR. Team should own the documentation process. Team should regularly review policies, processes and technology. Do An Audit Start with an information audit & risk assessment of your data. Audit risk of servers, storage, end- point devices & cloud locations. Ensure you have a legal basis for carrying out data processing. Make sure you have consent for all your Personal Data. Review existing policies. Conduct a data-flow analysis to see how data moves & is stored. STEP 1 STEP 2 STEP 3 28
  • 30. 7-Step Checklist To Compliance Part 4: Action Plan Create A Plan Be proactive, don’t think GDPR won’t affect you – it will. Create a list of recommendations. Prioritise recommendations and assign resources and budget. Put together a roadmap to achieve compliance. Review your plan regularly. Technology Move towards a single platform to organise all of your data. Get a single source of truth to better respond to data access, portability, erasure requests, data breaches, etc. Use technology from best vendor to stay ahead of the technology curve Try VirtualCabinet.com as a good software and systems solution. Communication Put together an incident response process. Ensure you have a strong governance process. Plan how you will handling data requests within 30 days at no cost to individuals. Individuals rights Be aware of the new Rights given to individuals under GDPR, as detailed in Part 1 of this guide. STEP 4 STEP 5 STEP 6 STEP 7 29
  • 31. “Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.” Elizabeth Denham UK Information Commissioner Part 4: Action Plan 30
  • 32. Have you reviewed your processes to make sure they are managed securely? Potential penalties? Have you done risk planning? What’s your plan for personal data requests? Is your process documented? Can it be automated? Can it scale? Response timescale? Published data retention policies? When you capture consent for the use of Personal Data, do you explain why you need to have it and how it will be processed? Consent needs to be explicit. Individuals giving consent need to be fully informed. What personal data do you collect? Have you documented why it is captured? Do you obtain consent & explain how it will be processed? Have policies, forms & training been updated with new Personal Data categories? If a sub-contractor processes data on your behalf are their sufficient guarantees (especially expert knowledge, reliability & resources) to meet GDPR requirements? Procurement Source: gdprcoalition.ie Legal Finance IT HRMarketing Which systems hold Personal Data? Could you find all data relating to an individual and delete it? Is it stored securely (office + cloud)? Any potential security breaches? Process for breach notification within 72 hours? Part 4: Action Plan Top Questions To Ask Your Departments 31
  • 33. Where Do I Start? Book Demo At VirtualCabinet.com The easiest way to become compliant is with the right system. Book in a demo with a leading software provider like Virtual Cabinet to see if they can help you with their Document Management and Online Portal Software. More GDPR Resources Are You Ready Quiz GDPR Resource Centre Or visit VirtualCabinet.com/GDPR/Overview Software Guide