GDPR and paper records: why it's not all cyber and fines
Presenters: Gary Shipsey, Managing Director, Protecture; Ruth Williams, Marketing Director, Restore Scan
Agenda
1. Revolution or Evolution?
2. Transparency and Accountability
3. Significant Actual Resources (SARs)? (the presenters' pun on Subject Access Requests)
4. Forget me (not)?
5. Security
GDPR and paper: Revolution or Evolution?
Revolution or Evolution? What happens the next day...?
Timeline: the GDPR applies from 25 May 2018; the slide walks forward through 26th, 27th and 28th May, June, July, and on through 2018/19/20 as public awareness builds:
"I've heard about this new law..."
"I know my rights..."
"The Daily Mail / The Guardian says..."
"You have now told me I have these rights..."
GDPR and paper: Transparency and Accountability
Transparency and Accountability: open up...
1. Tell them their rights
2. Tell them about your needs
3. Tell anyone about your handling of personal data
Transparency and Accountability: mandatory breach reporting
Notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless it is unlikely to "result in a risk to" people's rights and freedoms.
Notify the affected individuals without undue delay where the breach is likely to "result in a high risk" to their rights and freedoms.
What this needs in practice: staff awareness + internal reporting and incident management procedures + assessment of risk / external reporting + disciplinary process / proof. Note that Article 33(5) requires the controller to document every personal data breach, including those judged not reportable, so a decision not to notify must be evidenced just as carefully as a notification.
Transparency and Accountability: clarity of purpose and lawful basis
For each processing activity, record:
the purposes of the processing
the legal basis for each purpose
the legitimate interest (if you're relying on it)
a record of consent (if you're relying on it)
how much to collect
who needs to see it
who to share it with
how long to keep it
Purpose and lawful basis determine the extent to which people can use / enforce their rights.
Transparency and Accountability: Data Controller and Data Processor contracts
Data Controller, Contract, Data Processor: a written contract between controller and processor is required (Article 28), plus the security duty on both sides in Article 32(1): "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk..."
GDPR and paper: Significant Actual Resources? (SARs)
Significant Actual Resources (SARs): "Right of access by the data subject"
[Chart: ICO stats 2016-17; the figures are not reproduced in this transcript]
Significant Actual Resources (SARs): "Right of access by the data subject"
Disproportionate effort. ICO subject access code of practice, Sept 2017: "The DPA places a high expectation on you to provide information in response to a SAR... you should ensure that your information management systems are well-designed and maintained so that you can efficiently locate and extract information requested by the data subjects..."
Reason for the request: "Whether or not the applicant has a 'collateral purpose' (i.e. other than seeking to check or correct their personal data) for making the SAR is not relevant. However the court does have a wide discretion as to whether or not to order compliance with a SAR..."
Sources: https://www.protecture.org.uk/blog/2017/08/07/changes-to-the-ico-subject-access-code-of-practice/ and http://www.privacy-regulation.eu/en/15.htm
Significant Actual Resources (SARs): "Right of access by the data subject"
GDPR and subject access = very similar to the DPA 1998, but...
Abolition of the £10 administration fee (a fee may only be charged where a request is manifestly unfounded or excessive)
Shortening of the timescale: from 40 days to one month
Failure to uphold the right of subject access falls in the higher tier of penalties (max. 4% of global annual turnover or €20m, c. £17m, whichever is higher)
Potential: people pursue their rights in court
Disruption | costs (resource / litigation) | reputational damage = as significant as (or more than) regulatory penalties?
Sources: https://www.protecture.org.uk/blog/2017/08/07/changes-to-the-ico-subject-access-code-of-practice/ and http://www.privacy-regulation.eu/en/15.htm
GDPR and paper: Forget me (not)?
Forget me (not)? "Right to erasure ('right to be forgotten')"
Erase without undue delay where one of the following grounds applies...
the data are no longer necessary for the purpose(s) for which they were processed
the person withdraws consent (and there is no other legal ground for processing)
the person objects* to the processing (and there are no overriding legitimate grounds)
* The right to object applies where the lawful basis is a task carried out in the public interest or legitimate interests.
Again, what applies comes back to purpose and lawful basis.
GDPR and paper: Security
Security: certainly not all cyber...
[Chart: ICO stats 2016-17; the figures are not reproduced in this transcript]
Provision of document scanning, archiving and destruction services
Restore Document Management: digital transformation, scanning and physical storage of documents through to confidential destruction. Clients include:
74% of FTSE 100 companies
90% of the top 100 UK legal practices
78% of the top 50 UK accountancy companies
73% of UK National Health Service Trusts
54% of local authorities in England, Scotland and Wales
Provision of GDPR and privacy support services
Protecture, Data Protection: newsletters | insights | events | services
Recent topics: Do you agree? Getting consent projects right; Updating consent; Implications of the Flybe and Honda fines; Better the devil you know; Personal data breach reporting and GDPR
Provision of GDPR and privacy support services
Protecture, Data Protection: we are your DPO's expert, for those with responsibility for data protection compliance across their organisation.
Preparing for the GDPR | Audit | Training | Policies | Entry to our seminars | Ad-hoc advice | DP Impact Assessments | IRMS Retention Toolkit
Q&A. Thank you.
Ruth Williams, T: 07879 484 544, Ruth.williams@restore.co.uk, www.restore.co.uk, @RestoreDigital
Gary Shipsey, T: 020 3691 5731, Gary.shipsey@protecture.org.uk, www.protecture.org.uk, @ProtectureDPO