1. General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams

2. Hillyer McKeown LLP Commercial Law Firm
Chester, North Wales, Wirral, Liverpool
Over 100 staff
Diverse UK-wide client base
Legal 500
The team have been praised for the “first-class clarity and quality” of their advice.

3. What are the GDPR?
Replace current EU legislation on the processing and handling of data (including the Data Protection Act 1998)
Effective from 25th May 2018
Aim to harmonise and strengthen the data rights of EU citizens
Will apply to all EU member states, including the U.K.
The changes introduced substantially increase the responsibility of the data controllers and processors regarding the handling of individuals’ personal data.

4. What is data? Personal Data Sensitive Personal Data Data Subject
Data which relates to a living individual who can be identified from that data
Sensitive Personal Data
Data relating to a living individual’s racial / ethnic origin; religious beliefs; criminal offences; physical / mental health.
Data Subject
An individual who is the subject of personal data
Data Controller
A person who determines how personal data is to be processed
Data Processor
Any person who processes the data on behalf of the Data Controller

5. Why are the GDPR important? Five key changes:
Stricter rules on consent
Enhanced rights for data subjects
Accountability measures increased
Data breach notifications
Fines

6. Case Examples
GDPR is high profile following a number of recent data breaches:-
NHS
Equifax

7. Legitimate grounds for processing
Contractual necessity
Legitimate interests
Compliance with a legal obligation
Protection of vital interests
Public Interest / Official Authority
Consent

8. How do you ensure compliance?
Raise awareness of GDPR
Discuss the potential impact of GDPR at board level and throughout the business.
Roles and responsibilities
Find out who is accountable for the day to day control of collecting, storing and processing any personal data.
Appoint a data protection officer (DPO) and supporting team
Appoint a DPO and representatives from responsible departments to coordinate the organisational changes needed to comply with the new law.

9. How do you ensure compliance?
Data Protection Impact Assessment (DPIA) for personal data
Perform a risk assessment for each department, including the lawful basis for handling someone’s data.
Review consent
Define how you seek, record and manage consent for collecting, storing and processing types of personal data.
Audit trail
Review the processes and mechanisms in place to ensure security, accountability and transparency.

10. How do you ensure compliance?
Review legal documentation
Update individuals’ rights and privacy information such as privacy notices to make compliant with the new law.
Subject access requests
Define how your business plans to handle quests from people to access their data according to the new GDPR.
Update policies and procedures with third parties
Is the data you hold shared outside your organisation? If so, who? How? Where?

11. How do you ensure compliance?
Testing and review ready for 25th May 2018
Complete final staff training on updates to new policies, processes and procedures for aspect of personal data management.
Review and test personal data handling across the business, within departments and for key individuals who have responsibility for data.
Plan for ongoing GDPR compliance via comprehensive auditing and reporting. Ensure accurate, compliant and transparent data management.

12. Don’t panic! 5 steps to ensure compliance
Start the discussion and gather information
Decide who will be responsible (consider DPOs)
Training and Policies
Evidence and Accountability
Preparing for potential breaches

13. Five key questions businesses should be asking themselves now
Where do we currently store personal data, and is it secure?
Who has control of personal data at present?
What authority do we have to use and process personal data?
What are the current IT systems and processes relating to the data we hold? Is there a process of erasure?
Is the data we hold shared with any external contacts or third parties, and it is shared anywhere outside the European Economic Area (EEA)?

14. Contact Details David Jones Tel: (0151) 666 0747 Email:
Angharad Williams
Tel:
(01244)

15. Thank you, do you have any questions?