The General Data Protection Regulation (GDPR) comes into effect in May 2018 and will apply to all organizations that process personal data. It requires organizations to be accountable, transparent, and protect individuals' rights regarding their personal data. Organizations must have a lawful basis for processing personal data, obtain consent for marketing communications, and provide privacy notices describing how data will be handled. The GDPR also imposes requirements for security policies, data protection officers, impact assessments, and penalties for non-compliance.
2. ARE YOU READY FOR GENERAL DATA PROTECTION REGULATIONS (GDPR)?
3. GENERAL DATA PROTECTION REGULATIONS (GDPR)
GDPR comes into effect May 2018
Initially EU ‘driven’ – set to become a worldwide standard – builds upon existing data protection rules
Information Commissioner’s Office (ICO) is the relevant U.K. ‘body’
4.
Prompted by the growth in data processing
Evolution rather than revolution of the rules
Not a new Millennium Bug
Aim to achieve privacy by design and default
5.
Requires personal data (PD) to be respected
- Accountability
- Transparency
- Individuals’ rights
An obligation on all businesses/organisations
Severe penalties for non-compliance
6.
Important in terms of client reassurance
An opportunity to focus on client care
Positive use of GDPR
7.
Organisations are required to have a legal basis to process:
1. Contract
2. Consent
3. Vital Interest
4. Public Task
5. Comply with legal obligations
6. Legitimate Interests
8.
Segmentation appropriate, i.e.
- Contract basis for preparing wills/LPAs etc.
- Consent basis for marketing communication
A ‘granular’ approach required
- Consent cannot be ‘bundled’
Consent must be ‘active’
9.
Privacy statements to include:
- Legal basis for processing data
- What is to happen to the data
- What a client does if there’s a problem
On website and in terms of trading
10.
Imposes a general obligation to implement technical and organisational measures to show that consideration has been given to data protection when processing.
11.
ICO checklist:
Privacy Impact Assessment (PIA)
Audit and log what PD is held and how it flows
Document who PD comes from - what you do with it - with whom you share it
12.
Identify and document lawful basis for processing PD
Review and record how consent is obtained and recorded
Establish means to record/manage ongoing consent
13.
Maintain registration with ICO
Ensure privacy notices readily available
Concise - easy to understand - identifies you – confirms how PD is to be handled - with whom shared – how long to be retained
14.
Establish right for individuals to access PD
Establish process to keep PD accurate and up to date (relevant for wills/LPAs?)
Provide for effective destruction of PD no longer required.
15.
Establish procedure to respond to clients’ requests to restrict processing
Allow individuals to copy/move their PD
Reference to automated decision making (NA)
16.
Ensure data protection policy in place and review compliance periodically
Provide data protection training for all staff
Written contract with appropriately vetted ‘data processors’
17.
Clear security policies and procedures – regularly reviewed
Ensure data protection is integrated into all activities
Understand when and how Data Protection Impact Assessments (DPIAs) should be used.
18.
Nominate Data Protection Officer (DPO)
Promote positive culture of data protection
Develop and maintain an information security policy
19.
Special rules for any information transferred beyond the EEA
Establish procedure to deal with identifying, reporting, managing and resolving PD breaches