Your Code of Conduct: Data Protection & Compliance for Charities

Presentation transcript:

Your Code of Conduct: Data Protection & Compliance for Charities
Steve Henderson, Compliance Officer, Communicator

EXPERTS IN PERFORMANCE

INTRODUCTION
Recent data breaches, like TalkTalk and Sony
£130,000 ICO fine for Pharmacy2U in October
Over 4000 breaches in local councils in just 3 years
Every major bank in the UK reporting data breaches
Misuse of data, hitting the charity industry hard
We need organisations to focus on data protection

Etherington Review and PACAC Report
Failure of Trustees to fulfil their responsibilities
“It would be a sad and inexcusable failure of charities to govern their own behaviour, should statutory regulation become necessary.”
“I have made it clear that the sector has one last chance to prove that self regulation can work, but I am willing to step in and impose statutory regulation if necessary.” Rob Wilson, Minister For Civil Society, Jan 2016
The good work done by most within the sector can be undermined very easily.
Good governance in general is about sustainability of reputation in the long term.

Consumers, Organisations, Marketers, Regulators

Consumers: Information; Choice; Control; Compensation
Organisations: Fines and compensation; Enforcement; Data protection by design; Right to be forgotten
Marketers: Smart use of data; Planning; Openness; Copywriting challenges; Scrutiny and influence
Regulators: Greater powers; More resource; Less discretion; More consumer contact

GDPR - Changes for consumers
Information: Clear and transparent information; Organisations’ use of data; Risks, rules, rights and safeguards
Choice: Consent can’t be a condition of a service; Right to be forgotten; Choose not to have data stored or used; Ability to exercise control over their data
Compensation: Understanding their rights; Easy access to compensation; Obtain full compensation from any controller or processor

EXAMPLE: Information to be provided at the point of data collection
Identity of controller: Identity and contact details of the controller or controller's representative, and the contact details of the data protection officer
Purposes: Purposes of the processing and any related legal basis for that processing
Legitimate interests: The legitimate interests pursued by the controller or by a third party
3rd parties: Any intended 3rd party recipients of the data must be named or be in a defined category of 3rd party recipients of the personal data
Overseas transfer: Any intended data transfer to a third country or international organisation, the existence or absence of an adequacy decision, and the appropriate safeguards
Storage duration: The timescales or criteria defining the period for which the data will be stored
Data rights: The existence of the right to request access to, rectification or erasure of the data; to request restriction of processing; and the right to data portability
Consent withdrawal: The right to withdraw any given consent
Complaints procedure: The right to lodge a complaint with the supervisory authority (ICO, in the UK)
Data necessity: The existence of any statutory or contractual necessity for the data
Automated profiling: The existence and significance of any automated profiling or decision-making
“It should be transparent what data is collected and used, for what specific purposes, the existence and consequences of profiling, who is doing this processing, for what time periods and who will receive the data. The individual should be informed about Individuals should be made aware of risks, rules and safeguards.”


GDPR - Changes for organisations
Accountability: Data Protection Officer; Accountability for decision-makers
Fines and compensation: Effective, proportionate and dissuasive; Up to €20 million or 4% of global revenue
Enforcement: Greater supervisory powers; International enforcement cooperation
Data protection by design: Data protection to become part of every set of software, website, data and process requirements
Right to be forgotten: Anonymous purchases; Anonymous analytics; Data deletion


GDPR - Changes for marketers
Smart use of data: Privacy by design; Adequate, relevant and not excessive; Data limited to what is necessary; Deleted after being used for stated purposes
Planning: Information and choice obligations; Data adequacy requirements
Openness: Clear and transparent information; Consent can’t be a condition of a service; Risk of fines if anything is hidden
Copywriting challenges: Clear language requirements; Large amounts of information; Legal language; “creepy” processing
Scrutiny and influence: Fines - Management and director liability; DPO; Risk of Trial by Media



GDPR - Changes for regulators
Greater powers: Investigative; Corrective; Advisory
More resource: Larger teams and more resource; Proactive; Work and progress in 2015 to continue
Less discretion: Regulators held accountable for enforcing GDPR
More consumer contact: Crowdsourced intelligence; More information, advice and publicity around rights and recourse


2016 – The Year of Your Personal Code of Conduct
Decision makers: Be responsible; Be transparent; Be supportive
Marketers: Take ownership; Make intelligent decisions; Be transparent; Set high expectations

THANK YOU. ANY QUESTIONS?
Download our free guides

2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE
CHASE2016 Sponsors