Incentive Marketing Association And the GDPR

Incentive Marketing Association And the GDPR. PLEASE PAY ATTENTION – GDPR IS A STONKINGLY IMPORTANT SUBJECT FOR THE IMA. Here’s why GDPR matters to IMA members. It’s New: Data Protection Directive > Data Protection Bill (last week) > In force in May 2018.

carolync

Presentation Transcript


  1. Incentive Marketing Association And the GDPR

  2. PLEASE PAY ATTENTION – GDPR IS A STONKINGLY IMPORTANT SUBJECT FOR THE IMA

  3. Here’s why GDPR matters to IMA members
     • It’s New: Data Protection Directive > Data Protection Bill (last week) > In force in May 2018.
     • It’s Brexit Proof: ICO has confirmed this.
     • The time for preparing is now: Contracts = money
     • Fines can be huge: £20m (i.e. Euros) or 4% turnover

  4. Some essential concepts (and Audience Participation)
     • Data Controllers are…
     • Data Processors are…
     • Data Subjects are…
     • Definitions are broad e.g. “processing” and can have ET Effect
     • Data Processors can be fined (big time) for the first time
     • Underlying principle is CONSENT
     • Fall-back position is a “legitimate interest.”

  5. Contract Negotiation: “Who wears the trousers?”
     • Data Controllers
       • Are demanding indemnities from DPs re: liabilities
       • Are demanding warranties from DPs that they are GDPR compliant
       • Asking Data Processors to sign up to “model clauses” for data transfers
     • It’s all about: “who owns the risk?”
     • Data Processors
       • Demand confirmation of CONSENT from DCs vis a vis workforces.
       • Some DPs get CONSENT direct from workforces.
       • A “legitimate interest” can be a 2nd line of defence, absent consent.
     • Data Subjects can now pursue remedies against DPs and DCs

  6. Hacking and Mitigation
     • Hacking a massive risk
     • All the more so because ICO can now impose massive fines on DPs
     • Breaches to be reported to ICO within 72 hours, unless “de minimis”
     • “Appropriate technical and organisational measure in place to ensure the security of data.”
     • Reputational damage.

  7. Top 5 “take-aways”…
     • Create your own GDPR Plan: what do you use data for? Who uses it? Where are the risks/holes? Get someone to own the issue
     • IT Security: Are you fit for purpose? (a) BYO? (b) retention?
     • Commercial Contracts (a) with commercial partners – warranties, indemnities etc; (b) with data subjects – consent?
     • Internal Procedures: For (a) policies/protocols; (b) reporting breaches
     • Record a “legitimate interest:” another defence to “consent.”

  8. My Contact Details
     • John Hayes, Principal, Constantine Law
     • 07769-137176; john.hayes@constantinelaw.co.uk
     • Link In with me
     • @JohnHayesCLaw
