GDPR – How will this affect your organisation?
André Bywater, Partner, Cordery
Insight Technology Conference, Manchester Central, Central Hall, Tuesday 19 September 2017
Introduction – What is GDPR?
- The new EU General Data Protection Regulation, which comes into full applicability in May 2018
What does it mean for businesses?
- A = Aims
- B = Benefits
- C = Consequences
Jargon Buster
What’s what?
- Personal Data = any information relating to an identified or identifiable person
- Data Processing = any operation performed on personal data – it is of very wide scope
Who’s who?
- Data Subject = an individual who is the subject of the personal data
- Data Controller = a person or (legal) entity etc. that determines how and for what purposes personal data is processed
- Data Processor = a person who processes personal data for a data controller (other than the controller’s employee)
New EU Data Protection Rules – Aims
- Regulation, not a Directive (but with carve-outs)
- Data protection by Design/Default
- Data Protection Impact Assessments
- Suppliers outside the EU fall under the new rules
- Toughened (local, not centralised) enforcement bodies – audits & dawn raids
- Distinction between data processor and controller diminishes
- Data Protection Officers – obligatory in some cases
- Transfers to 3rd countries – Binding Corporate Rules
New EU Data Protection Rules – Benefits
- No general registration requirement
- One-Stop-Shop
- Consent requirement strengthened
- Right To Be Forgotten
- Right To Portability
- Right to Object to Profiling
- Enhanced Subject Access Request regime
New EU Data Protection Rules – Consequences
- More to do for data controllers and processors
- Liability & compensation (material or non-material damage)
- Fines of up to 4% of global annual turnover
- Regulators can order processing to cease
- Shared investigations across the EU
- Greater reputational risk
DPIAs – What are they?
What is a Data Protection Impact Assessment?
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data [...].”
Data Security – What is the obligation?
What is the security obligation?
“[...] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”
Data Security – What is the obligation?
These measures may include:
“(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
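Measure (a), pseudonymisation, is the one most often implemented badly: replacing a name or email address with an unkeyed hash does not stop anyone who holds a list of candidate addresses from linking the record back to a person. The Python below is an example added here for illustration; it is not part of the presentation or of Cordery's material, and it works on a constructed order dataset with invented email addresses. It shows keyed pseudonymisation (HMAC-SHA256), where the key and the token-to-identity table are the "additional information" that must be held separately from the dataset, and contrasts it with a plain SHA-256 hash that can be matched by enumeration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; the addresses are invented, not real customers.
ORDERS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 80.00},
    {"email": "alice@example.com", "order_total": 15.25},
]


def new_pseudonymisation_key() -> bytes:
    """Random 256-bit key. This is the 'additional information' that must be stored
    separately from the pseudonymised dataset (for example in a KMS or HSM)."""
    return secrets.token_bytes(32)


def keyed_token(email: str, key: bytes) -> str:
    """Stable per-subject token: HMAC-SHA256 over the normalised identifier."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(email: str) -> str:
    """What NOT to use as a pseudonym: a plain hash anyone can recompute."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token.

    Returns (dataset, identity_table). The dataset keeps analytics possible
    (the same subject always gets the same token); the identity table maps
    token -> identity and must be kept apart from the dataset, with the key.
    """
    dataset, identity_table = [], {}
    for rec in records:
        token = keyed_token(rec["email"], key)
        identity_table[token] = rec["email"]
        dataset.append({"subject_token": token, "order_total": rec["order_total"]})
    return dataset, identity_table


def reidentify(dataset, identity_table):
    """Controlled re-identification, only possible with the separately held table."""
    return [dict(rec, email=identity_table[rec["subject_token"]]) for rec in dataset]


def match_unkeyed_hash(digest_hex, candidates):
    """Demonstrates the weakness: an unkeyed hash is linked back to a person by
    recomputing SHA-256 over a candidate list. Returns the matching address."""
    for email in candidates:
        if hmac.compare_digest(unkeyed_hash(email), digest_hex):
            return email
    return None


def match_keyed_token(token_hex, candidates, key):
    """The same enumeration against a keyed token only succeeds with the right key."""
    for email in candidates:
        if hmac.compare_digest(keyed_token(email, key), token_hex):
            return email
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    dataset, table = pseudonymise(ORDERS, key)
    print("pseudonymised record:", dataset[0])
    print("re-identified record:", reidentify(dataset, table)[0])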
Breaches – What are they?
What is a personal data breach?
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Breaches – Must I report a breach?
Breaches will have to be reported to the relevant data protection regulator, including what action has been taken to mitigate them, without delay and, “where feasible”, not later than 72 hours after a data controller has become aware of the breach. A reasoned justification must be provided where reporting is not made within the 72-hour period.
Breaches – Are there any exceptions?
There is an important caveat to the breach reporting obligation – it will not apply where “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”.
Breaches – Must I do anything else?
Communication of a breach to the data subject must also be carried out, subject to certain conditions and “without undue delay”, but no actual time-limit has been set. Caveats to this obligatory communication also exist, for example where the data affected by the breach has been encrypted.
Case Study: Fine level – TalkTalk & Boomerang
In October 2016 the ICO took action against TalkTalk over a breach of October 2015; TalkTalk was given a record £400,000 fine for security failings that allowed a cyber attacker to access customer data “with ease” – the current maximum fine in the UK is £500,000.
In June 2017 Boomerang Video Ltd failed to take basic steps to stop its website being attacked and was fined £60,000 – the ICO said “Regardless of your size, if you are a business that handles personal data then data protection laws apply to you” – this is a clear warning to SMEs.
Case Study: Wider effects of a breach – Yahoo
After cyberattacks in 2013 and 2014 that compromised the data of some 1.5 billion Yahoo user accounts, Verizon in the US significantly reduced its acquisition price for Yahoo’s core business. Huge sums have also been spent on investigating and remediating the breach, US regulatory and law enforcement bodies have been extensively involved, there are class-actions pending, and the in-house counsel lost his job ...
Case Study – Marketing Emails: Flybe
Flybe is a European regional airline based in Exeter. The airline has a history of data protection issues and in September 2015 its CEO signed an undertaking to the UK data regulator, the Information Commissioner’s Office (ICO), promising that the airline would improve. The most recent case concerns an email campaign that Flybe undertook in August 2016. They sent more than 3.3 million emails entitled “Are your details correct?” to customers asking them to amend any out of date information and update any marketing preferences. This was an incentivised opt-in campaign – Flybe said that if customers updated their preferences they could be entered into a prize draw. One of the recipients complained to the ICO.
Case Study – Marketing Emails: Flybe
An investigation by the ICO found that Flybe used a third party agent to send these emails and had instructed the agent to send emails to customers that it knew had previously opted out of direct marketing from Flybe. Flybe seemingly told the agency to do this because it wanted to clean up its database. In March 2017 the ICO fined Flybe £70,000 under the Privacy and Electronic Communications Regulations (PECR). The requirements in PECR often work in parallel to the requirements under the Data Protection Act 1998 (DPA 1998), but in this case the ICO made it clear that an attempt to improve compliance with the DPA 1998 (and the forthcoming GDPR) cannot excuse a breach of PECR. The proposed EU E-Privacy Regulation will align electronic communications rules with GDPR.
Case Study – Marketing Emails: Honda
There was a separate investigation by the ICO into Honda Motor Europe Limited. They sent 289,790 emails to try, in their belief, to clean up their database to help them comply with data protection law. Honda was unable to produce to the ICO any evidence that customers had given consent to receive this type of email. Honda was fined £13,000 under PECR in March. The ICO decided that Honda’s conduct was negligent rather than deliberate and the fine was less as a result.
Postscript – Brexit & GDPR
- Government statements since autumn have said that GDPR will apply post-Brexit
- In August 2017 the UK announced in a “Statement of Intent” that a new data protection bill will be introduced soon to implement GDPR
What can I do next about GDPR?
- Have an overall compliance plan – take a risk-based approach;
- Put in place a DPIA process;
- Have a proper data breach response plan;
- Invest in proper technologies – a small investment can mitigate the risk of a large fine;
- Review vendor contracts – you will need their help to report security breaches. Check you have the right contract with them;
What can I do next about GDPR?
- Get your documents and records ready to produce in a regulatory audit;
- Adjust generally to the tougher/higher consent standard;
- Make sure things like Subject Access Requests, the Right To Be Forgotten, the Right To Not Be Subject To Profiling etc. are all covered in policies and procedures;
- Brief the Board and look at annual reporting requirements;
- Train staff on all aspects of the law;
- Set up and undertake regular compliance audits/reviews; and,
- Sense check your plans with specialist lawyers.
Resources
- EU Data Protection Regulation – www.bit.ly/gdprfaqs
- GDPR film –
- Right to be Forgotten –
- Privacy Shield – shield-faqs/
- Cordery news –
- Podcasts –
- EU Cyber Security Directive –
- EU proposed E-Privacy Regulation – regulation/
Questions
André Bywater, Cordery – +44 (0)
Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority. SRA number Company number registered in England and Wales. VAT number: Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom