General Data Protection Regulation (GDPR)
What is it and what do I do about it? July 2017
What is GDPR?

THE ORGANISATION
"The principles are similar to those in the DPA, with added detail at certain points and new accountability requirements. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity." – Information Commissioner's Office

THE INDIVIDUAL
"The arrival of GDPR will put the control of personal data back into the hands of the individual, allowing a number of rights including access to their data and the ability to withdraw it. It also means that organisations cannot simply gather data without good reason and must prove that they are doing all they can to protect the data they do hold." – Independent, May 2017
What is GDPR?

Increased fine for non-compliance: 4% of annual turnover or £20million. In addition to this, what is the income risk of non-compliance?

BUT IT IS AN OPPORTUNITY…
Greater data integrity
More engaged contacts, better conversions
Improved processes and a chance to consider 'why?'
What is your legal basis to process?

Consent
"Unambiguous, specific, freely given consent"
"Specific, granular, clear, prominent, opt-in"
"Properly documented"
Retrospective

Performance of a public task
"if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

Legitimate interest
"that the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects"

Read more here
Will this matter post-Brexit?

YES! The Queen said so.
"Companies now have certainty that they will have to comply with tougher rules, and this gives them the incentive, and need, to get their GDPR programme right."
Find out more
Why does it matter to me? GDPR for CRM in HEI

We are data controllers: "Determines the purpose for which and the manner in which any personal data are, or are to be, processed"
We are data processors: "processes the data on behalf of the data controller"

Data storage
Data retention
Consent
Privacy statements

It covers everything we do… …but it is bigger than just us.
What has happened recently? Meetings with DCMS and ICO

Public authority definition for FOI likely to be maintained – HEIs are a public authority
However, universities should be able to rely on the 'hybrid public authority' position
Therefore, there is a split between 'core' and 'non-core' functions to determine a legal basis to process
Read more here
What is core and non-core? … and why does it matter?

CORE: The delivery of education and research
Legal basis to process: Consent; processing data in performance of a public task

NON-CORE: Everything else!
Legal basis to process: Consent; legitimate interest
What has happened recently? UCAS statement

"However, once personal data is transferred to a provider and, for example, used to populate a student record system, that provider becomes the data controller, responsible for making decisions about data protection compliance, such as retention, or deciding the types of communications to send to applicants. Our terms of service place obligations on UCAS and providers to ensure compliance with data protection legislation."

BUT we are responsible for our supply chain. They are our data supplier, and vice versa.

"We may slightly amend this wording as we review the information we provide to applicants about our uses of their data, but it's unlikely to change significantly. In our view, post-GDPR implementation, providers will still be able to use personal data collected by UCAS, where this use is necessary to support the admissions process (such as communicating with applicants to support their application, or sharing it with employees necessarily involved in the admissions process), without seeking additional consent from applicants." (UCAS document; owner: Information Governance Manager, 5 July 2017)

BUT this implies UCAS are not seeking an alternative basis to process other than consent.
What is your organisation's position?

Interpretation
No case law
Deliberately vague definitions
What is your organisation's position?
STEP 1: Getting the team together

Representatives from across the institution – including Legal
Consider the reporting lines – actions vs decision-making
Regular and scheduled meetings right up until May 2018
An area lead on each pathway of the GDPR working group: Enquiry, Applicant, Current student, Alumni
STEP 2: The data audit
Document everything – the data audit is king!

Audit columns: Type; Tool; Usage; Audience; Data obtained; Privacy statement used; Where does it integrate to?; Who can access it?; Risk rating: Likelihood; Risk rating: Impact; Legal basis to process

Example row:
Type: Form
Tool: Gecko
Usage: Student enquiry form
Audience: All prospects (UG/PG/UK/EU/INT)
Data obtained: Full name, , DOB, Mobile number, Proposed year of entry, Level of study of interest, Subject of interest (1+2), Course name (if known), Future marketing
Privacy statement used: Privacy statement 1 (attached)
Where does it integrate to? Hobsons Connect
Who can access it? Aimee Ellis, Nick Jackson, Sarah Dinham, Brett Burnet, Jessica Gibson, Sara Sandford
Risk rating: Likelihood: 5

Produce a data flow map
Get a copy of the contract – to give you focus
Get a copy of all privacy statements
What is personal data? What is sensitive personal data?
STEP 3: Assessing the risk

"You cannot eat a whole elephant, but you can eat it in bits"
Likelihood vs impact
Privacy impact assessment (PIA)
STEP 4: Contact your suppliers

Copies of contracts/agreements/terms of reference
Consider issuing a GDPR questionnaire to those you are currently in contract with
Include a GDPR compliance statement in future contracts and renewals
What are their plans for GDPR?
STEP 5: Know your legal basis to process

Document why you are processing this data:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
STEP 5: Know your legal basis to process

Issues with consent for CRM managers:
Verifiable: can you store your evidence in your CRM?
Specific: have you covered all the ways you may use this data, and can you evidence that consent was given for each specific use?
Easy to withdraw: can you be sure that all details will be removed from all areas of your system, and that of suppliers, should the request be made?
Obtaining re-consent: the resource behind seeking consent every two years and updating records that do not proactively opt in
Purchased/obtained data: the resource behind seeking consent and updating records for this data set in the required timeframes