GDPR
General Data Protection Regulation
www.odicci.com
GDPR Seminar Slides
On 25 May 2018 the GDPR…
• will give more control to the individual
• will create new individual rights and new corporate obligations
• will require businesses to manage, administer and protect
personal data for B2B or B2C marketing
Objectives of GDPR
• Unified legislation
• Clear Consent
• Putting people in control
• Focus on practical compliance
• Stronger enforcement powers
source: The DMA
ASK | RECORD | MANAGE
[CONSENT]
“The more transparent you are,
the more compliant with
the GDPR you are likely to be.”
Email marketing Council – The DMA
Give citizens back the control
of their personal data
Right of access
Right to rectification
Right of deletion
Right to restriction of processing
Right to data portability
Right to object to the processing
Right on automated processing
source: The DMA
DATA Audit
• What data do you hold and why?
• How do you collect the data?
• How and where is the data stored?
• What do you do with the data?
• Who owns and controls the personal data?
• Retention and deletion
• Who is responsible for the data and
processors associated with data?
• Do you have adequate technology / process
to adequately manage data processing?
Trust
Security
Control
The GDPR
TRUST | CONTROL | SECURITY
contact
jprothon@odicci.com
+44 (0)20 7993 8630
Interactive Marketing
ODICCI > Givenchy
offline/online – data capture – CRM integration
The problem
Paper-based data
capture
Offline to
Online
Control and
management
The solution
Unique codes
Microsite
ODICCI
Studio
Customisable data capture
forms
Branded
data capture
Competition
Prize Draw
The result
More engagement
Happy customers
Reporting
See engagement from
each store
Interactions
contact
info@odicci.com
+44 (0)20 7993 8630
Interactive Marketing
How to implement GDPR…
www.dynamicpath.io
A Boiling Frog
Data-Driven
Data-Driven?
Principled not Pedantry
ACCOUNTABILITY
Lawful, Fair
Transparent
Purpose Limitations
Adequacy & Minimisation
Accuracy
Retention Limits
Data Security
Getting Prepared
Forward Position Refine Team
Regulatory Venn Diagram
GDPR EPR
Processing
Personal Data
Electronic
Communications &
Tracking
Everything
Awareness
You should make sure that decision
makers and key people in your
organization are aware that the law is
changing to the GDPR. They need to
appreciate the impact this is likely to
have.
Information You Hold
You should document what personal data
you hold, where it came from and who
you share it with. You may need to
organize an information audit.
Communicating
Privacy
You should review your current privacy
notices and put a plan in place for
making any necessary changes in time for
GDPR implementation.
Legal Basis
You should look at the various types of
data processing you carry out, identify
your legal basis for carrying it out and
document it.
Consent
You should review how you are seeking,
obtaining and recording consent and
whether you need to make changes.
Privacy by Design &
DPIA
You should familiarize yourself now with
the guidance the ICO has produced on
Privacy Impact Assessments and work out
how and when to implement them in
your organization.
Show
Know Data
Processors
Storage
Security
Retention /
Deletion
Source
Type
Processing
Transfer
Hi, I’m a Privacy
Notice!
Intent
Capture
Legal Basis
Privacy
Policy
Subject
Dynamic Path
Dynamic Path
Data Processor Name
We work with companies to help inspire, shape and support the conversions that exist
within every customer journey. From the moment someone lands on their website for
the first time, through to following-up purchases in style and ensuring the journey is
truly cyclical.
We do it by putting the customer at the heart of everything we do.
www.dataprocessor.com/privacypolicy
Tags
Retention
Storage Encryption
Technologies
Transfer
Sharing
+ Add New Tag
Contact
…
Name Darryn Hall
Role Account Director
Email *************@dynamicpath.io
Tel *******1506
Summary
Don’t be the Boiled Frog!
Define your Team, Position & Direction
Stay Agile: Iterate, Communicate, Refine
Document Everything
Adopt a Continuous Improvement Mindset
Thank You
odicci.com/GDPR
interactive survey


Editor's Notes

  • #4: GDPR will give more control to the individual and compliance certainty to the corporation. GDPR will create new individual rights and new corporate obligations, putting an emphasis on privacy. In effect: 25 May 2018. Businesses will need to manage, administer and protect personal data for B2B or B2C marketing.
  • #7:
    ASK for consent
    • Check that consent is the most appropriate lawful basis for processing
    • Ask for consent prominently & separately from your T&Cs
    • Ask people to opt-in
    • Don’t use pre-ticked boxes or any other type of consent by default
    • Use clear, plain, easy to understand language
    • Tell individuals they can withdraw their consent, without detriment
    • Consent is not a precondition of your service(s)
    • For children, age-verification and parental consent measures are required
    RECORD consent
    • Keep a record of when and how you received consent from an individual
    • Keep a record of exactly what they were told at the time
    MANAGE consent
    • Make it easy to withdraw consent at any time and show how to do so
    • When consent is withdrawn, act as soon as you can
    • Don’t penalise individuals who want to withdraw their consent
  • #8: Privacy notices - communicating to your customers

    Privacy notices are very important under GDPR, as the regulation sets out specific requirements for what you must tell someone when they give their data. It is important to be transparent about what you do with the data and use this to help develop trust with your customers. It is important to show the customer that they have a choice about how you intend to use the data. Customers understand now that data has value, and showing them that you are open about what you do with their data will build trust.

    Privacy information is important in the digital world, where the use of someone’s personal data may not be at first obvious. This is especially important when the use to which the data is put is likely to need consent. The correct information is fundamental to ensuring the consent you gain is valid.

    What do they need to contain?

    The minimum information is as follows:
    • Who you are: Sometimes it is not completely obvious who will be controlling the data, so it needs to be made obvious to your customer who controls their data.
    • What you are going to do with their information: You should describe the processing of the data, so that the customer is made aware of the purpose of the processing and your legal reason for doing so.
    • Who it will be shared with: If you will be sharing the data with others, you need to tell your customer who and why.

    The more information you provide the customer and the more transparent and open you are with them, the more compliant with the GDPR you are likely to be. However, to comply with GDPR your privacy notices should be:
    • Concise, transparent, intelligible and easily accessible
    • Written in clear and plain language, particularly if addressed to a child
    • Free of charge

    So the days of the privacy policy as a wall of words written in legalese are over.

    Where should you deliver the privacy information?
    Many people consider that privacy notices are the standard web pages that all websites have, but in the new world of GDPR, they can be delivered in many different ways. It is important to consider the context of the data collection when choosing which media to use; here are some examples of the different ways of delivering privacy information.

    Privacy information can be delivered in person to person conversations. It would be important to document the process and keep records of the conversations. Electronic means can also be used to communicate privacy information, via web pages, emails, SMS, in-app messaging systems and within apps themselves. The privacy information can be given in writing, via direct mail, forms and agreements or application forms. It can be included in advertisements, vouchers and other promotional material. Sometimes privacy information needs to be displayed on signage, in areas that process and track using personal data, such as those using iBeacons, Bluetooth, Wi-Fi or CCTV.

    Although you can use many types of media, the ICO has advised that you should use the same media that you use to gather the data to also deliver the privacy notice. For example, using a pop-up privacy notice on the same web page that the data is being collected on. The ICO has specifically stated that it would not be acceptable to collect details on a web page and then email the privacy notice to the person.

    When should you communicate the privacy information?

    The choice of when you should deliver the privacy information will be led by the type of processing you are doing and how expected or otherwise it might be by your customer. If you are undertaking processing that your customer is unlikely to expect, based on their likely level of knowledge, then the privacy information needs to be delivered as soon as possible. This is important as this processing is most likely to require consent, which to be valid, must be “informed”.
    If the processing is likely to be more expected by your customer, based on your relationship with them, you are likely to be processing the data under the legal basis of legitimate interest. In this case, the processing is less intrusive, so the information needs to be readily available.

    You need to ask the following questions when deciding how quickly to present the privacy information:
    • Is the use unexpected?
    • Are you collecting sensitive information?
    • Will you be sharing data in an unexpected way?

    If in doubt, undertake a privacy impact assessment.

    Breaking up the privacy information

    Sometimes, the amount of privacy information that you will be providing to your customer will be too much to put on one page or document. And remember: as it needs to be easily understood, breaking it into bite-size chunks will help the information to be digestible to your customer.

    Place key information first

    Pick your key information first: who you are, a brief description of the processing, and who you will be sharing the data with. Then use this key information to link through to more detail on other pages. It doesn’t need to be on only two pages either. You could link the second stage to more detail if complex processing is undertaken, or to other media, such as videos or downloadable documents.

    And finally… Document what you have done.

    Whatever method you choose, you must keep documented evidence of the information available to the customer and the process used when they gave consent. Even when using legitimate interest as the legal basis for processing, keep evidence of the information made available at the time the customer gave you their data. If you are challenged in the future, it will be up to you as the data controller to prove valid consent. Failing to prove it runs the risk of feeling the ICO’s big stick (or even bigger fines).
  • #9: Quite shocking is this stat: the last ICO survey found that 75% of adults in the UK don’t trust businesses with their personal information. "The issue of trust keeps resurfacing. The primary objective of the GDPR is to give individuals back control – it will empower individuals to choose how, and whether, businesses use their data. Because fundamentally people buy from people they trust. In the Citizens Advice report, published in April 2016, they conclude that 'trust is sorely lacking in the online world. Consumers feel out of control of their information and choices. They feel they have an all-or-nothing choice to make when accepting the terms of the relationship' As a result, Citizens Advice call for a balanced and fair environment, easier ways to make decisions, and to have confidence that companies who overstep the mark will be held to account.” To the open-minded organisation the GDPR provides a road map to do just that." Now is the time to create a truly consumer-centric approach to data governance and strategy, and to secure your customer’s place at the heart of your data-powered future. Grab it with both hands – GDPR is an opportunity for transformation.
  • #14:
    What data do you hold?
    • Is it personal data / sensitive data / children’s data?
    • For all historic data, you need to be able to prove how you collected the data, what permissions you have and what it is being used for
    • You should only be keeping data if you are using it and have clear consent for that use
    • You need to put in place a process for removing data which does not fit these criteria
    How is the data collected?
    • You need to document all the methods, both online and offline, in which you collect personal data (this may include website, telephone, in person, mobile apps and third parties)
    • You need to have a well documented process of opt statements and privacy policies
    • There needs to be a process in place to store historic changes to wording and track any future changes
    How and where is the data stored?
    • Document where the data is stored
    • List what applications you use to do this
    • Document how you process the data (are backups kept offsite or cloud based, for example?)
    • Check that all places data is stored have their own up-to-date data policies and that all places you use are clearly mentioned in your data processing policies
    Questions to ask about what you do with your data
    • How do you process the data?
    • Where do you send it to?
    • What are your grounds and justifications for processing the data?
    • Ask: do you need the data? If you don’t need the data, don’t collect it and store it. If you do need the data, clearly explain to the user why and what you will be using it for.
    Who owns and controls the data?
    • Are you a controller or processor of the data?
    • Who has access to it? (A question to ask both internally and externally)
    Retention and deletion
    • How long do you keep the data?
    • What is your justification for the length of time you retain it?
    • What is the process for deleting data?
    • Remember: Make sure you have a clear policy on this and a process for implementing it
    Who is responsible for the data and processors associated with data?
    As well as a named data controller, it is important that within the organisation there is a clear guideline on who is responsible for the admin and upkeep of any data related policies. As part of the audit, an ongoing process needs to be identified for historic data as well as newly-collected data.

    Do you have adequate technology / process to adequately manage data processing?

    Once you have identified what historic data you can keep and need to keep, and a strategy for collecting data moving forward, you need to ensure your technology is able to do what you need it to do. Some key things include being able to deal, remove data, store the permission given at the point of collection (including wording as well as time, date etc.) You should also document your justification for collecting, processing and storing the data and which of the six legal bases you are using to process the data. Remember: you could be using different legal bases for different types of data.

    The six legal bases for processing data are:
    • Consent
    • Legitimate Interest
    • Contract
    • Legal obligation
    • Public interest
    • Vital interest of data subject
  • #47: Questions 