240 likes | 251 Views
Get a clear understanding of the General Data Protection Regulation (GDPR) and how it affects your business. Prepare for GDPR with a 12-step guide and avoid potential fines.
E N D
Presented by Trevor Butler Representation Media & Choose Leads | trevor@representationmedia.co.uk
ABOUT ME AND MY EXPERIENCE. • Start off producing high volumes of direct mail (almost 25 years ago) • Set up my first marketing agency ‘Epsilon Media’ specialising in online brand and audience building using methods such as SEO & PPC • Created a price comparison web site holidayholiday.co.uk • Head up a travel technology company Vertical Systems • Built a bespoke marketing platform for high end luxury hotels grossing over 25 Million in year one. • Joint the board of a large travel company as the ‘Group Director of Online’. • Now – Rebuilding a new marketing agency and partner in a large data/lead generation company (Representation Media/Choose Leads)
Before we start …. Lets make one thing very clear!!! GDPR EXPERTS DO NOT EXIST! ALWAYS REFER TO THE ICO IF YOU ARE IN DOUBT – THE RISKS ARE TO HIGH
WHAT IS GDPR? The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). Also be aware of PECR … The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
WHAT IS GDPR? IN A NUTSHELL … The current Directive (Data Protection Act, 1998) is largely out-dated. It was incorporated when Google was in it's infancy, social media was unheard of and data had to be sent by tape or printed and posted. In a nutshell, GDPR brings data privacy into the 21st Century and gives more power to the individual with regards to the use of their data.
WHAT IS THE PURPOSE OF GDPR? The purpose of the GDPR is to provide a set of standardised data protection laws across all the member countries. This should make it easier for EU citizens to understand how their data is being used, and also raise any complaints, even if they are not in the country where its located.
BUT WHAT DOES GDPR REALLY MEAN TO ME? • Access to purchase data will become very difficult. • Data will become more expensive but more responsive. • Data collection points will need to be checked for GDPR compliance. • Opt-in will need to be clean and concise to the client. • ‘Third Party’ use will not be compliant. • GDPR is retrospective! • Current databases will need proof of compliant opt-in. • You may need to ‘re opt-in’ current databases or stop marketing to them? • You may need to appoint a Data Protection Officer? • Profiling and use of child data will not be allowed under GDPR. • Potentially HUGE fines if you don’t comply!
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 1. Awareness You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 2. Information you hold You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. The GDPR requires you to maintain records of your processing activities. It updates rights for a networked world.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 3. Communicating privacy information You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 4. Individuals’ rights You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals: * the right to be informed; * the right of access; * the right to rectification; * the right to erasure; * the right to restrict processing; * the right to data portability; * the right to object; and * the right not to be subject to automated decision-making including profiling.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 5. Subject access requests You should update your procedures and plan how you will handle requests to take account of the new rules: * In most cases you will not be able to charge for complying with a request. * You will have a month to comply, rather than the current 40 days. * You can refuse or charge for requests that are manifestly unfounded or excessive. * If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 6. Lawful basis for processing personal data You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. Many organisations will not have thought about their lawful basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your lawful basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 7. Consent You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Detailed: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 8. Children You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 9. Data breaches You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 10.Data Protection by Design and Data Protection Impact Assessments It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 11. Data Protection Officers You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
HOW DO I PREPARE FOR GDPR? 12 STEP GUIDE YOU SHOULD BE THINKING ABOUT … 12. International If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or else the location where decisions about the purposes and means of processing are taken and implemented.
Did I mention? GDPR officially comes into effect on 25th May 2018 DON’T MAKE THE MISTAKE AND WAIT UNTIL THIS DATE.
WHAT SHOULD I DO TODAY TO PREPARE? • Check your data collection points and make sure you have a GDPR compliant opt-in? • Look at your existing marketing databases? Do they fall inline with GDPR compliance? If no, what are you going to do about it? • Start talking to the marketing teams/sales teams. • Start to review processes around data breaches, data processing, data buying etc. • Start thinking about changes to privacy policies and how you communicate the changes. • Educate senior management/directors about GDPR and the risks!
FINALLY … GDPR IS ABOUT ACCOUNTABILITY & RESPONSIBILITY! It will be about you proving you are correct and not the consumer proving you was wrong! We will shortly be launching a new online product to help organisations prove GDPR historical and future compliance which we expect & hope will dramatically reduce the number of successful data prosecutions under the new GDPR rules potentially saving thousands of pounds/euros in unnecessary court/legal costs. Feel free to email me for more info : trevor@representationmedia.co.uk
I NEARLY FORGOT … UNDER GDPR, THE ABUSE OF DATA, PRIVACY & RULES WILL POTENTIALLY RESULT IN HUGE FINES OF UPTO £20,000,000 (MILLIONS) OR 4% OF WORLDWIDE TURNOVER (NOT PROFIT)
THANK YOU … If you have any question or require help around GDPR Or if you would like to become a beta tester for our new GDPR software please feel free to email me trevor@representationmedia.co.uk