Incentive Marketing Association And the GDPR

Presentation transcript:

Incentive Marketing Association And the GDPR
Brief introduction: CL, how you know JG, and Elevator Pitch.
JPH: a leading employment lawyer re: understanding of and litigation of confidential data.
This is a participative post-lunch session, so please pay attention.
JPH around for questions, and drinks afterwards.

PLEASE PAY ATTENTION – GDPR IS A STONKINGLY IMPORTANT SUBJECT FOR THE IMA
The real problem is the concept of “data” – it is numbers; it is payroll records; it is databases. It is BORING. RIGHT? Wrong! This is the lifeblood of what your businesses do: if you think that data, and the management of data, is boring then you either need to get a new job, or sell your businesses and get a new job.
The GDPR is, in fact, shiny, new and important, and like all shiny, new and important things you need to understand it to get the best out of it.
Key purpose: to increase and protect the rights of EU data subjects by creating clear lines of accountability over data processing.
Key risk: significantly increased exposure to IMA members + more aware and litigious data users/consumers.

Here’s why GDPR matters to IMA members
It’s New: Data Protection Directive > Data Protection Bill (last week) > In force in May 2018.
It’s Brexit Proof: ICO has confirmed this.
The time for preparing is now: Contracts = money
Fines can be huge: £20m (i.e. Euros) or 4% turnover
Prescient timing of this event to coincide precisely with the DP Bill. Well done Jonathan.
A single unifying DP law, across all member states.
Like all other things Brexit, we are going to find that we will go through a helluva palaver, only to get back precisely where we started. For the international sharing of data, this is a blessed relief.
The time to start doing things about this is NOW – the commercial contracts that are affected by GDPR need to be negotiated now, before May 2018.

Some essential concepts (and Audience Participation)
Data Controllers are…
Data Processors are…
Data Subjects are…
Definitions are broad, e.g. “processing”, and can have ET Effect
Data Processors can be fined (big time) for the first time
Underlying principle is CONSENT
Fall-back position is a “legitimate interest.”
PARTICIPATION TIME & PRIZE
Who here thinks they are a Data Controller? A company which controls data relating to Data Subjects (e.g. employers)
Who here thinks they are a Data Processor? The classic service provider (the IMA), acting on instructions of Data Controllers
Who here thinks they are a Data Subject? – The Individual.
Who here thinks they are all 3?
Who here is a business owner?
CONSENT – DPs and DCs are entitled to collect and use data where they demonstrate consent from the data subject.

Contract Negotiation: “Who wears the trousers?”
Data Controllers:
Are demanding indemnities from DPs re: liabilities
Are demanding warranties from DPs that they are GDPR compliant
Asking Data Processors to sign up to “model clauses” for data transfers
It’s all about: “who owns the risk?”
Data Processors:
Demand confirmation of CONSENT from DCs vis a vis workforces.
Some DPs get CONSENT direct from workforces.
A “legitimate interest” can be a 2nd line of defence, absent consent.
Data Subjects can now pursue remedies against DPs and DCs
Legitimate interest can be a viable alternative to consent as a lawful basis for processing data.
Under GDPR, employers will need to provide employees with significantly more information (including how long data is stored for, if it will be transferred to other countries, DSAR requests etc.).

Hacking and Mitigation
Hacking a massive risk
All the more so because ICO can now impose massive fines on DPs
Breaches to be reported to ICO within 72 hours, unless “de minimis”
“Appropriate technical and organisational measures in place to ensure the security of data.”
Reputational damage.
Positive obligation to prove compliance for both DCs and DPs.

Top 5 “take-aways”…
Create your own GDPR Plan: what do you use data for? Who uses it? Where are the risks/holes? Get someone to own the issue
IT Security: Are you fit for purpose? (a) BYO? (b) retention?
Commercial Contracts: (a) with commercial partners – warranties, indemnities etc; (b) with data subjects – consent?
Internal Procedures: For (a) policies/protocols; (b) reporting breaches
Record a “legitimate interest”: another defence to “consent.” E.g. the recent Romanian Case
Under the GDPR, employees will have increased rights to object to certain processing, to have data corrected or to restrict how data is used, and to be forgotten (i.e. to have their personal data deleted).
Under the new “right to be forgotten”, employees will be entitled to require their employer to erase personal data about them in certain circumstances. This may be the case where data is no longer necessary for the purpose for which it was originally collected, or where the employee has withdrawn his/her consent.

My Contact Details
John Hayes, Principal, Constantine Law
07769-137176; john.hayes@constantinelaw.co.uk
Link In with me @JohnHayesCLaw