General Data Protection Regulations: what you really need to know
12 October 2017
Stephen Thompson & Fflur Jones
GDPR implementation date: 25 May 2018
A little over 7 months to get ready
Common myths about GDPR
1. Now the UK is leaving the EU, the GDPR won't apply
False: the government has confirmed that the GDPR will be unaffected by Brexit
2. We're a charity so the GDPR won't apply to us
False: the GDPR applies to all organisations regardless of whether they are registered charities
Common myths about GDPR
3. The GDPR will only apply in relation to data we obtain after May 2018. Our current database is unaffected
False: all data obtained must comply with the GDPR, so most businesses will need to obtain fresh consent from their database unless they have another lawful basis for processing
4. We don't need to worry about GDPR: our data is outsourced to a cloud service or IT company
False: just because data is with a third party does not mean your business is exempt from the rules
Key purpose of GDPR
The real purpose is to harmonise the rules across the EU member states, and to ensure that individuals understand how their data is being used, have more control over their data, and understand how to make a complaint about the use of their data.
Current awareness
Many organisations don't really have an understanding of the data they collect, or their duties in relation to protecting that data.
What data does the GDPR apply to?
The GDPR only applies to personal data. There are 2 categories: "personal data" and "sensitive personal data".
If data is completely anonymised, it will fall outside of the GDPR. However, beware that complete anonymisation can be difficult to achieve.
Dealing with data
Organisations are still entitled to deal with data providing they have a legal basis for doing so:
- Compliance with a legal obligation (including employment obligations)
- Performance of a contract with the data subject
- Consent of the data subject
Consent must be "freely given, specific, informed and unambiguous".
Legal basis for processing
There is more than just consent, BUT you need to think about what your justification for using data is:
- Complying with a legal obligation will not give a blanket authorisation to use an individual's data for other purposes
- You will be relying on different grounds to process data depending on your relationship with the individual
Key changes to be aware of
1. Structural/cultural changes
- "data impact assessments"
- records of processing operations
- appointment of a data protection officer
- consent must be "freely given, specific, informed and unambiguous"
Key changes to be aware of
"Freely given, specific, informed & unambiguous consent"
From this common wording:
"We will contact you from time to time with marketing information about our services and events. If you do not wish to hear from us, please let us know by ticking this box."
To this:
"If you are happy for us to contact you from time to time by e-mail with marketing information about our services and events, please tick this box."
Key changes to be aware of
2. Additional individual rights
- more transparency
- a "right to be forgotten"
3. Breaches and penalties
- "breach" is more than just loss of data
- "significant" breaches must be notified to the ICO within 72 hours
- Two tiers of potential fines: the higher of €10 million or 2% of your global turnover, or the higher of €20 million or 4% of your global turnover
Employment issues
- Processing employees' data includes CCTV footage, internet records and monitoring emails; most of the sensitive personal data you process will be that of your employees
- The majority of Subject Access Requests are made by disgruntled employees
- So: you need to be careful with your contracts, your policies and in practice
- GDPR requires much more detail to be given by employers about their reasons for processing and employees' rights to object
What should you do to comply?
First 2 months:
- conduct an internal audit of your current policies & procedures
- consider what data you actually need from individuals and what you need to do with it
- educate / train your staff about the GDPR
- consider whether you need to appoint a data protection officer
What should you do to comply?
Months 3-5:
- review the contracts you have in place with third party suppliers
- draft an internal strategy to deal with data
- update your privacy policy and terms and conditions
- review your contracts of employment and staff handbook
- refresh your existing database
What should you do to comply?
Months 6-7:
- ensure that updated policies and terms are finalised
- conduct refresher training for staff
- make sure all new employment contracts/consent forms are signed and returned to you, and that staff have read your policies
- ensure that your technology strategy is implemented and reviewed
Conclusion
- The GDPR is coming and will affect all businesses
- The key is to take steps to comply as best as you can
- Don't panic, but ensure that you and the individuals you deal with understand what data you collect & what you do with it
- Educate your staff
Further information
www.ico.org.uk
Lots of useful guidance and information on the ICO website. Their guidance is being updated all the time.
Further information
www.waspi.org
Many 3rd sector organisations are signed up to WASPI, which has a number of useful templates available, particularly for data sharing.
Thank you for coming
@DarwinGrayLLP
Darwin Gray LLP