General Data Protection Regulation
SET Overview: What does it mean and what should we do?
Scott Mulholland, 27th March 2017
Content
Introduction
Obligations
Risk and opportunity
Action required
Introduction
EU privacy legislation on data and information relating to identified or identifiable natural persons.
Replaces the Data Protection Act 1998
Effective from 25th May 2018
Brexit won’t help
Extensive new obligations
Enhanced sanctions (up to 4% of worldwide revenue)
Obligations
There are 99 articles with many new or enhanced obligations. These include:
Consent: legitimate use is no longer sufficient
The right to be forgotten, portability and rectification
Data protection by design and by default
Privacy notices for data subjects
Disclosure of breaches; civil and criminal liability
Risk and opportunity
The reputational and financial consequences of a breach are very severe, and we have serious weaknesses to address:
No single view of the data subject
Huge amounts of old data held just in case
Lack of awareness and strategy
Scarcity of expertise and capacity
However, there are significant business benefits to be gained by turning these into strengths.
Action required
A risk-based approach is recommended, beginning with structured data and information:
Information Security and Data Quality Group
GDPR action plan and project
Training and communication
Information asset audit and register
Data lifecycles and privacy impact assessments
Retention schedules (NB: redundant data purge)