From DPA to GDPR: the key elements April 2018
This presentation is intended to help you understand aspects of the Data Protection Act 1998, the General Data Protection Regulation and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
What Data Protection is about: 1
Protecting data, and protecting people:
- Clients
- Service users
- Beneficiaries
- Employees
- Volunteers
- Trustees
- Donors
- Members
- Customers
- Supporters
- Professional contacts
Keeping information in the right hands (and knowing what the ‘right hands’ are)
Holding good quality data
What Data Protection is about: 2
“Give us more money!” “Support our campaign!” “But of course we shared your data”
Privacy, transparency & choice
What Data Protection is about: 3
Recognise individual rights, such as:
- Right of Subject Access
- Right to opt out of direct marketing
- Right to compensation for harm
The legislation
- Data Protection Act 1998, replaced on 25th May 2018 by the General Data Protection Regulation (EU) 2016/679, supported by the Data Protection [Act] 2018
- Meanwhile the Privacy & Electronic Communications Regulations are under review and will (eventually) become the new ePrivacy Regulation
Elements of GDPR Compliance
- Legal basis
- Principles
- Data Controller
- Processing
- Personal data
Breach notification
- Must notify serious breaches to the ICO within 72 hours
- Must inform affected people if there might be serious consequences for them
While anyone can make a mistake, failing to report a breach (or potential breach, or near miss) immediately is the worst thing you can do. Otherwise your organisation may not find out about a breach quickly enough to meet the 72-hour deadline.
Data Subject rights
- Direct Marketing refusal
- Subject Access (no fee & one month limit)
- Rectification (correction and completion)
- Erasure (“right to be forgotten”) in some situations
- Restriction of processing in some situations
- Portability
- Objection to profiling & automated decision-making
- Complaints and compensation
Keeping records
Must be able to demonstrate how you are complying. Basic information you must hold:
- The purposes of your processing
- The types of Data Subject and Personal Data you use
- Recipients you will disclose the data to
- Any overseas transfers
- Retention periods, where possible
- A general description of your security measures, where possible
Data Protection by design & by default
Everyone responsible for starting projects or setting up systems must be aware of the need to incorporate Data Protection as a matter of course. Make Data Protection a standard check point before any project or system is signed off.
Thank you
Any questions: paul@paulticher.com