Presentation to GTMC on GDPR

What is the GDPR? Harmonised Data Protection regulation across the EU ICO has indicated that Brexit will have no impact on adoption (one way or another…) Applies to organisations that hold data on EU citizens and residents Applies to Controllers (say how and why data is processed) and Processors (process data on behalf of controllers) Enhanced obligations over and above DPA, particularly on Processors

What data does GDPR apply to? Personal Data Broader definition of personal data Can include online identifiers (e.g. and IP address) Sensitive Personal Data Generally, sensitive information about an individual Again, broader definition applies (e.g. genetic and biometric data) Special rules for processing children’s data

Principles of the GDPR Similar to DPA. Data shall be… Lawful processing Data collected for a specific, legitimate purpose Adequate, relevant and limited to that purpose Accurate and kept up to date Kept for no longer than needed Kept secure Much enhanced principle of ACCOUNTABILITY

Accountability Critical new principle Organisations must DEMONSTRATE compliance This means… Documenting processing activities Appoint a DPO? Data Protection Impact Assessments DP “by design and by default” Maintain records of processing activities Must actively demonstrate compliance

Basis for Processing Have to demonstrate a legal basis for processing This can include: Consent Legitimate basis for processing (including performance of a contract) Public interest Importantly, consent is not the only acceptable basis for processing

Rights of Individuals Enhanced existing rights: Right to be informed Right of access Right of rectification Right to object Rights regarding automated processing New rights Right to restriction Right to erasure Right to data portability

Consent Important – consent is not the only acceptable legal basis for processing personal data But – consent MUST be sought for processing sensitive personal data Consent requires “clear, affirmative action” (i.e. not a pre-ticked box) It must be freely given, informed, specific, and verifiable. It can be withdrawn at any time

Breach notification & enforcement Breaches generally expected to be report within 72 hours (but also ‘without undue delay’) Extends mandatory breach reporting beyond ISPs and telcos to all controllers/processors Report to data controllers, regulators and – in some cases – affected data subjects FINES – up to €20m or 4% of global turnover for major breaches Up to €10m or 2% of global turnover for minor breaches

What are other companies doing? Mapping stored data for GDPR applicability Reviewing data processing processes and documenting what they have in place Appointing a DPO if not in place Considering record keeping and responses to GDPR requests (particularly erasure, data portability) Projects are very much in progress or planning, not complete

Thank you