GDPR Handbook

This document is a collection of articles by experts in data protection and GDPR compliance. It contains articles on key topics related to the GDPR including: the basic principles of GDPR, legal basis for data processing, consent and when to obtain it, rights of individuals, data processing, data breaches, direct marketing, data protection officers, data protection impact assessments, international data transfers, and data protection by design. Each article is written by a different expert in their field.


ENSURE YOUR BUSINESS IS GDPR COMPLIANT

GDPR
HANDBOOK
A COLLECTION OF ARTICLES
BY EXPERTS IN DATA PROTECTION AND COMPLIANCE
CONTENTS

PAGE  TITLE

01  The Basic Principles of GDPR
    Steve Talbot, Managing Director, IT Efficient

07  Legal Basis for Data Processing
    Rebecca Turner, Head of Compliance and Privacy, Trainline

11  Consent and When to Obtain it
    Richard Riley, Commercial Lawyer, Slater Heelis LLP

15  Rights of the Individuals Under GDPR
    Robin Caller, CEO, LolaGrove

19  Data Processing
    Tim Hall, Chief Technology Officer, Blue Logic Computers

23  How to Report Data Breaches
    Penny Heyes, Co-Founder, and Carol Tullo, Associate Consultant at The Trust Bridge

27  The Regulated Use of Personal Data in Direct Marketing
    Ruaraidh Thomas and Virginia Chinda-Coutts, DST Systems

31  Data Protection Officers
    Jonathan Compton, Partner, DMH Stallard

35  Data Privacy Impact Assessments
    David Clarke, Co-Founder of The TrustBridge

41  The Transfer of Data
    David Fowler, Head of Digital Compliance, Act-On Software

45  Data Protection by Design
    Mark Burnett, Certified GDPR Data Protection Officer and Head of Privacy, ClearComm
AUTHORS

Richard Riley, Associate Solicitor, Slater Heelis

Richard Riley is an Associate Solicitor in the corporate team at Manchester
law firm Slater Heelis. He is experienced in commercial matters including
drafting and reviewing standard terms and conditions, legal issues relating
to online businesses, infringement and protection of intellectual property
rights, software development agreements, and franchise agreements, and
has experience of dealing with the Information Commissioner’s Office in
respect of Data Protection Act and Freedom of Information Act issues.

Richard advises on corporate matters including business sales and
purchases, mergers and acquisitions, disposals, management buyouts and
group reorganisations. He also advises clients on corporate governance
matters, including drafting and advising on Articles of Association and
Shareholders’ Agreements.

David Fowler, Head of Digital Compliance, Act-On Software

As the head of privacy and digital compliance at Act-On, David is
responsible for email deliverability, privacy compliance, and industry
stewardship in regards to Act-On’s customers and Act-On’s corporate
objectives. David has over 20 years of experience providing senior
leadership in the marketing industry.

Robin Caller, Founder and CEO, Overmore and LolaGrove

Robin Caller is the founder and CEO of Overmore, and is the creative
driving force behind LolaGrove. Robin cut his teeth in the digital industry
selling domain names in 95, before heading up pan-European sales at
first-wave social network FortuneCity.com. Founding Goallover (now
Leadscale) in 2001, he built a display advertising business before a business
challenge posed by one of his clients Monster Inc. turned his focus to the
creation of software, and the delivery of solutions in the field of internet
leads. The solution he created is called LolaGrove.

Tim Hall, Chief Technology Officer, Blue Logic

Tim Hall is Chief Technology Officer at Blue Logic. He heads up Blue
Logic’s technical development of new and existing products and services,
working with vendors and partners to ensure Blue Logic are delivering
the best and latest solutions to customers. Tim has extensive experience
gained from over 10 years in the industry.

Mark Burnett, Head of Privacy Data Protection, ClearComm

Mark Burnett is a fully qualified GDPR Data Practitioner. He is an
experienced marketer and can offer a unique insight into how the GDPR
will impact on both the for-profit and third sectors. He is Head of Privacy
and Data Protection services at ClearComm, which is a Kingston Smith
group company. He is also an Associate Consultant for the National
Council for Voluntary Organisations as well as a Committee member,
treasurer and recognised Trainer for the Institute of Fundraising South
East and London regions.

Jonathan Compton, Partner, DMH Stallard

Jonathan Compton is a dispute resolution and litigation Partner at
DMH Stallard. He is qualified both as a barrister and a solicitor, with
his experience as an advocate strongly underpinning his commercial
litigation work and employment practice. His practice is both domestic
and international and involves advising both private individuals and
commercial organisations of all sizes. Jonathan works across areas
including commercial dispute resolution (including banking and finance),
employment and Queen’s Bench commercial practice. He is accredited as
an Arbitrator by the Chartered Institute of Arbitrators and holds a master’s
degree in European and Public International Law.

David Clarke, Co-Founder, The TrustBridge

David Clarke is co-founder of the TrustBridge and a leading authority
on security issues with experience across Finance, Telecoms and the
Public Sector. A Fellow of the British Computer Society, the most senior
professional grade, David had a distinguished career at British Telecom
(BT) prior to joining forces with mesospheric to head up the security
practice.

At BT, David held a suite of senior security posts including Global Head
of Security Product Enablement, Global Head of Security Service Delivery
and Head of Global Security Infrastructure. His work included building
secure operations capabilities, often from scratch, and developing a full
cyber incident response. Other projects included the development
of a CERT on a financial intranet which handled 3.5 trillion dollars of
trading per day, and the rollout of managed security services with a 400 million
dollar global install base, for which David headed up the architecture and
oversaw implementation. A recognised thought leader in the InfoSec
industry, David has over 28,000 Twitter followers and is the author of
a forthcoming book on cyber.

Penny Heyes, Co-Founder, The Trust Bridge

Penny Heyes is the co-founder of The Trust Bridge, leading a team of
highly qualified experts who guide organisations through the processes
they need to ensure that they handle personal data rights and consent in
compliance with the General Data Protection Regulation, which comes
into force in May 2018. The Trust Bridge came together to offer businesses
a unique combination of expertise designed to ensure that they deliver
trusted, compliant services to their customers, in light of the new GDPR
regulations coming into force in May 2018.

Steve Talbot, Managing Director, IT Efficient

Steve is a data security expert with more than 20 years’ experience in the
industry. In the late 90s he served as MD of Capital Security Shredding
before setting up his own company, Lime, in 2002. Specialising in secure
disposal services, Lime served a variety of finance and media organisations
in the London area and under Steve’s guidance soon became the leading
service provider in the sector.

Steve was approached by support services conglomerate Restore Group
PLC to develop their business offering in the Records Management,
Scanning and Relocation sectors. In the few years since joining Restore,
Steve has overseen the acquisition of two IT Lifecycle companies, IT
Efficient and ITAD Works, thus enabling Restore to provide their clients
with a broad range of secure IT services. Restore’s customer base covers
a broad range of sectors including government, public sector, retail,
banking, utilities and manufacturing.

Steve additionally lends his expertise to various trade associations, namely
the Asset Disposition Industry Alliance (ADISA) and the National
Association for Information Destruction (NAID), which he founded.

Carol Tullo, Associate Consultant, The Trust Bridge

Carol Tullo is an Associate Consultant with The Trust Bridge. Until July
2017, Carol was Director of Information Policy and Services, Controller
and Queen’s Printer at The National Archives, where she was responsible for
providing leadership in information management and policy across
government and the wider public sector to improve the way information is
managed and exploited to deliver real benefit for those that use and access
this valuable resource. As Controller of Her Majesty’s Stationery Office,
Queen’s Printer of Acts of Parliament, Queen’s Printer for Scotland, and
Government Printer for Northern Ireland, she delivered a range of UK-wide
official documents.

Ruaraidh Thomas, Managing Director, Applied Analytics at DST

With over 20 years’ experience in the data analytics and direct marketing
industries, Ruaraidh was a founding director of Lateral Group, which
has subsequently helped underpin the development of DST Applied
Analytics.

He has specific expertise in how data and analytics can be used to drive
insight and intelligence for the financial services, retail, telecommunications
and government sectors. He is passionate about bringing data to life and
understanding how it can be used to its full potential for the benefit
of business and consumers alike. Ruaraidh features in the 2015, ’16 and ’17
Data IQ Big Data 100, is a Fellow of the Institute of Direct Marketing and
sits on the DMA Data Council. He judges various industry awards and
supports a number of Data Industry Association initiatives. Specialist areas:
big data, data security, digital and direct marketing, customer engagement.

Rebecca Turner, Head of Compliance and Privacy, Trainline

Rebecca has been working within the information rights field for 8 years,
helping companies within media, healthcare and e-commerce meet a
range of different privacy compliance requirements. In the past three
years, she has been primarily focused on GDPR preparedness and has
been leading change and awareness programmes in this space.

Rebecca joined Trainline in May 2017, and is currently responsible for
leading the GDPR programme of work and compliance with privacy
matters.

Laura Edwards, Editor of GDPR.Report

Laura Edwards is the editor of GDPR.Report. She has established it as one of
the leading online data protection and cyber security publications since
its launch in early 2017. GDPR.Report publishes expert advice, news and
opinion on everything concerning GDPR.
INTRODUCTION
Published by GDPR.Report, this book has been written by a range of General Data Protection
Regulation (GDPR) experts to help businesses of all sizes understand the regulation and take the
necessary steps to compliance before the regulation comes into force on 25 May 2018.

GDPR.Report is an online publication that provides organisations with the latest news, information,
and advice on data protection and cyber security from thought leaders and sector experts.

GDPR is a new regulation that the European Parliament, the European Council, and the European
Commission have created to strengthen and unify data protection for individuals within the
European Union (EU).

The regulation follows a Europe-wide review of data protection law following significant changes in
technology over the past 20 years when the existing rules were conceived.

Part of its purpose is to remove inconsistencies in the way EU member states have approached the
implementation of the existing Data Protection Directive.

Why is it important?

The GDPR will affect every organisation in the world that processes personal information of EU
citizens. Regardless of whether an organisation is based in the EU, it will have to comply with
the regulation. This is particularly important for British businesses. Brexit has no bearing on the
requirement for organisations based in the UK to comply with the regulation.

This book brings together some of Europe’s leading GDPR figures to analyse and advise on the ins
and outs of the regulation. It covers basic principles, the eight individual rights, the processing of
data, data breach reporting and accountability.
Key terms and principles

Before we get into the detail, here is a quick overview of some of the core elements of data protection
and GDPR.

Data subject

A data subject is an individual whose personal data is stored by an organisation. A data subject is
someone who can be identified by the data stored, i.e. the data includes their name, date of birth,
postal address or email address. A user ID number can also be classified as personal data, as the number can
be linked to a specific person. Under the new law, there are several additions including IP addresses
and location data.

Someone who cannot be identified by the data stored, or someone who has died, is not a data subject.

Data processor

A data processor is a legal individual, public authority, agency, or body which processes personal
data on behalf of the controller.

Data controller

A data controller is the legal individual, public authority, agency or other body which, alone or
jointly with others, determines the purposes of processing personal data.

Under the Data Protection Act (1998), only the data controller is liable for data protection. However,
under GDPR, both processors and controllers will be held responsible. Processors will face more
legal obligations, and therefore be at risk of fines for non-compliance.

The Data Protection Act

The Data Protection Act (DPA) was implemented by the UK government in 1998 to control how
personal information is used by organisations and give legal rights to individuals.

The DPA includes strict ‘data protection principles’, stating that data must be:

• used fairly and lawfully
• used for limited, specifically stated, purposes
• used in a way that is adequate, relevant and not excessive
• accurate
• kept for no longer than is absolutely necessary
• handled according to people’s data protection rights
• kept safe and secure
• not transferred outside the European Economic Area without adequate protection

There is stronger legal protection for more sensitive information, such as:

• ethnic background
• political opinions
• religious beliefs
• health
• sexual health
• criminal records
You can find more information on the Data Protection Act by heading to:

www.gov.uk/data-protection/the-data-protection-act/

The explosion of data creation and usage in recent years has prompted the European Union to
overhaul data protection laws. The new regulation aims to better protect individuals’ data and give
them more control over how much of their data is stored and how it is used.

Such is the global nature of business in the modern age that these data protection laws must transcend
national borders, protecting the rights of all EU citizens. GDPR’s foundations are very similar to those of the
UK’s Data Protection Act. However, it uses those foundations to build a far stronger regulation.

Some of the changes include:

Greater fines

Under the Data Protection Act (1998), the UK’s Information Commissioner’s Office (ICO) can issue
fines of up to £500,000 to any UK organisation that “seriously breaches” the Act.

GDPR will give regulators far greater power and authority to punish non-compliant organisations
with hefty fines. Those found to be guilty of breaching the regulation will face fines of up to €20
million or 4% of global turnover, whichever is greater, in the most serious cases. Even minor
violations could result in fines of €10 million or 2% of global turnover.

Accountability

Accountability will become much more of a focal point of data protection under GDPR. The
accountability principle states that organisations must ‘demonstrate their compliance through
a number of actions’. Organisations must be able to provide evidence that they have taken the
necessary steps to protect their customers’ data. Documentation demonstrating the steps taken to
achieve compliance must be produced and properly maintained.

Breach notifications

With cyber attacks on the rise globally, there is now a far greater threat to personal data than when
the Data Protection Act was introduced in 1998. Under GDPR, UK organisations will be required to
report breaches to the ICO at the earliest possible time, and in any case within 72 hours of becoming
aware of the breach. In serious cases, where customer data is at serious risk, the individuals concerned
must also be notified.

Right to erasure

This principle is commonly known as the ‘right to be forgotten’. GDPR enhances this concept to
give individuals more power to request the removal or deletion of their personal data. Depending
on the circumstances, organisations will also have to remove backups and archived data, as well as
information shared with third parties.

Right to portability

Data portability is a new principle for data subjects. It allows individuals to obtain their personal data
and reuse it elsewhere if they wish to. Organisations are obliged to comply with requests providing
the information in question meets a specific set of criteria and must be provided in a commonly used
and readable format.
Who is affected?

GDPR will affect any business or organisation that comes into contact with EU citizens’ data.

Businesses large and small will have to comply with the new regulations regarding the secure
collection, storage and usage of personal information. All organisations are legally obliged to comply
with the whole regulation, however, there are certain elements that don’t apply to organisations that
have fewer than 250 employees.

The following chapters provide greater depth and detail into the various elements of GDPR.
The Basic Principles of GDPR
Steve Talbot, Managing Director, IT Efficient

“Infringement can bring fines of up to 4% of annual global revenue or up to €20 million and can be imposed for both breaches and administrative errors.”



It’s undeniable that GDPR is a paradigm shift; its impact will oblige everyone to reassess their data
management and handling practices. And with good reason. The information age that we now live
in has given rise to an attitude of complacency.

This ‘liberal’ attitude has naturally crept into data storage and exchange practices within the business
realm, giving rise to an unprecedented risk of serious breach. This is brought into greater focus when
you consider that most organisations tend to keep far more historical information on-file than is
necessary and will often not have any procedure in place to manage this build up.

Worse still, the rapid advance of technology since the millennium has only exacerbated the risks
facing us all. Malicious software in varying degrees of sophistication continues to find its way past
protected networks, gaining access to highly confidential and business critical information. And the
issue of ‘real world’ threats remains ever present – it’s not uncommon to hear of criminals utilising
information that was considered innocuous when being disposed of or left in low security storage.
Technology has given us transformative powers like never before, but the threats arising from these
advances have followed closely behind. The need to get data handling and storage in check is now
more critical than ever.

The following chapter will explore the basic tenets of GDPR, the overarching principles of the
standard, and a definition of both ‘personal’ and ‘sensitive’ data under the new legislation.

The purpose of GDPR, what’s at stake, and who is liable?

In order to comprehensively cover the details of the new regulation, it’s important to understand it
in general terms. Broadly speaking the purpose of GDPR is to specify how consumer data should be
used and protected. It applies to anyone involved with the processing of data about individuals in the
context of a transaction of goods and services within the EU, irrespective of whether the organisation
in question is located within the EU. In other words, any organisation that handles confidential
personal information and operates within the EU is obliged to comply with the new standard –
GDPR is an all-encompassing regulation with far reaching implications and consequences. In
fact, failure to meet GDPR’s explicit requirements will result in heavy penalties and disruption to
operations as inspectors investigate an organisation’s data handling practices. Infringement can
bring fines of up to 4% of annual global revenue or up to €20million and can be imposed for both
breaches and administrative errors.

Importantly, GDPR, like previous data protection regulation, distinguishes between ‘controllers’ and
‘processors’. A controller ultimately dictates how and why personal data is processed, whereas the
processor acts on the controller’s behalf. That said, GDPR now places specific legal obligations on
processors, which stands as a significant departure from previous regulatory standards. A processor
will, for example, be required to maintain records of all personal data and the corresponding
processing activities related to this information. The legal liabilities for this role are clear, and
processors will carry the majority of ensuing litigation in the event of a breach. That said, controllers
are not entirely relieved of their obligations and remain liable wherever a processor is involved. In
essence, a controller’s primary task is to ensure that the contracts they have with processors, whether
internal or external, are compliant.

The fundamental principles of GDPR

GDPR is dictated by seven fundamental principles that are ultimately in place to drive full
compliance. These ideas are not new, having been outlined in previous regulatory standards, namely
the Data Protection Directive, but GDPR now provides a more detailed definition of these ‘pillars’
and what actions they entail. They are as follows:

Accountability

Perhaps the most important principle of all, accountability means the data controller(s) can
demonstrate that an organisation’s data processing remains compliant with GDPR at all times. In effect,
this means the controller(s) can clearly indicate how handling and storage processes meet the
requirements of the six other GDPR principles. This is undeniably the most significant departure
from other regulatory measures. Whereas before it was acceptable to simply comply, under GDPR
compliance must now be demonstrable. If required, the controller(s) has to offer visible evidence that satisfactory
measures are being taken to achieve full compliance. Accountability is a simply defined yet hugely
powerful principle that asks different things of different organisations. Depending on operational
complexity, an organisation may need to put one or more of the following into action. This list is not
exhaustive, but offers an indication of what may need to be done to ensure an organisation remains
on the right side of the law. An organisation may need to:

• Appoint a Data Protection Officer or additional controllers/processors
• Create company literature to inform staff of regulatory policy and its requirements
• Create a personal data inventory
• Create a breach reporting mechanism
• Implement privacy notices
• Obtain all appropriate consents
• Install technology to protect data

Accuracy

This principle demands that personal data held on file is completely accurate, and where necessary,
kept fully up to date. Inaccurate or old data should be deleted or amended in a timely fashion.
Controllers are asked to take “every reasonable step” to comply with the data accuracy principle.
Indeed, one of the main reasons GDPR is pushing for greater data accuracy is down to the fact
many industries, from financial services to advertising, use software that relies on precise
information. While this principle places considerable emphasis on digital stores of data, businesses
and organisations should pay close attention to their physical historical data, especially in instances
where hard copies are needed on file as a matter of statutory compliance. It’s not uncommon for
even the most diligent business to have forgotten, but potentially confidential, files in ‘deep’ storage.

Data minimisation

Minimisation, which links closely to the principles of accuracy and purpose limitation, asks that any information
requested is adequate for the processing task at hand. Any additional and unnecessary information
should be destroyed in an appropriate manner. GDPR specifies that data must be “adequate, relevant
and limited to what is necessary in relation to the purpose for which they are processed”. In other
words, controllers must ensure that the data they collect is ‘fit for purpose’; superfluous information
should be disposed of securely. For many, the act of minimisation will present some difficulties,
especially those with large archives of historical data. Organisations should seek data destruction
specialists to ensure residual metadata and physical liabilities are disposed of properly. Doing so will
ensure that the transition to full compliance remains above board from beginning to end.

Integrity and confidentiality

Integrity and confidentiality can be seen as the ‘individual’ principle; it asks that personal data shall
be processed in a way that assures the security of the data subject. This naturally extends to protection
against unauthorised and unlawful processing, accidental loss, destruction, or damage through the
use of relevant technology and preventative measures. Both controllers and processors need to
deliberate on potential risk, install appropriate security measures to prevent breaches, and ensure
that these measures are reviewed and updated regularly. As mentioned, the fines for failing to meet GDPR guidelines
are severe. In 2017 alone, there have been a number of high-profile data protection breaches at
well-known household brands; the punishments for these failures will pale in comparison to the
potential fines that organisations could incur upon the arrival of GDPR. For an international brand,
the sanctions could potentially run into the tens of millions, or more. Ultimately, the severity of
these fines is testament to how seriously regulatory bodies now regard the protection of personal
information.

Lawfulness, fairness and transparency

This principle firstly ensures that all personal information related to the data subject is processed
in accordance with the law. Secondly, it ensures the data subject’s information is handled fairly and
transparently. In effect, the data controller must provide the data subject with information relating
to their data processing in a succinct and clearly intelligible manner. Transparency is achieved by
informing the data subject about practices before and after collection, and whenever alterations are
made. The controller must additionally specify when there is a possibility of indirect data collection
from algorithms and other technology. GDPR clearly cites a mandatory list of information that must
be given to individuals about direct and indirect collection of personal data; how organisations
choose to notify individuals about these practices depends on chosen methods of communication
and audience. It’s highly likely that ‘small print’ will fail to meet the demands of GDPR, while the
practice of ‘opt-out’ consent will almost certainly not survive, so organisations need to ensure all
company literature presents its privacy policies in an easily accessible and legible manner, both
physically and online.

Purpose limitation

Purpose limitation decrees that all personal information accrued by an organisation is used for
clear and legitimate purposes. The same data shall not be processed for any additional purposes
other than ones explicitly outlined when collecting the information in the first instance. Processing
personal data for an additional purpose will require express legal consent from the data subject, with
the only exception being when the additional purpose directly relates to the original data process.
Data controllers need to ensure they fully understand the limitations of this exception. Drafting
clearly intelligible reasoning for this extra processing act will ensure the organisation doesn’t
fail GDPR guidelines, in terms of both demonstrable compliance and communication with data
subjects. Moreover, documents such as these will be used as supporting evidence for auditors in the

Storage limitation

This is perhaps the most straightforward concept. Storage limitation essentially asks organisations
not to hold personal information for longer than is absolutely necessary, or outside the purposes
for which it was initially collected. This principle points towards the need for a methodical cleansing
of databases and historical archives, again restating the need for professional consultation if an
organisation has failed to put these measures in place.

Distinctions between personal and sensitive data

• Personal data - GDPR has made the definition of personal data very simple: any information
relating to an identified or identifiable natural person. While this appears to be open to
misinterpretation, it’s effectively doing the opposite. GDPR’s definition of personal data now
makes it more detailed by referencing a number of different identifiers including name, online
IDs (such as handles or IP addresses) and geographical information.

• Sensitive data – Under GDPR this is any data that details the data subject’s racial or ethnic
origin, union memberships, political/religious/philosophical beliefs, genetic and biometric
data, medical and health data, and anything that concerns a natural person’s sex life or sexual
orientation. The only significant change from current regulation is the inclusion of genetic and
biometric information. Criminal convictions are now treated separately and are subject to even
stricter regulation and controls.

The grounds for processing both personal and sensitive data largely replicate the current regulatory
standards of the Data Protection Act of 1998. While, in some ways, GDPR has broadened the
understanding of personal and sensitive data, it has also firmly codified the actions around data
handling of this type – making it all but impossible to misinterpret the rules or definitions outlined
in regulatory standards.

Final thoughts

GDPR has essentially made it very difficult to bend the rules in favour of poor practice. As such, here
are the probable actions that organisations will need to review to achieve full compliance:

• Identify whether or not the organisation’s conditions for data handling and processing have an
effect on individuals’ rights. As part of this action, organisations need to ensure that processes
do not violate any of the principles outlined previously.

• Review existing data and decide whether the organisation needs to expand practices to
accommodate GDPR standards. As part of this, data processors, and more importantly
controllers, need to be completely aware of what constitutes an ‘identifiable natural person’.

• Review the organisational processes which constitute express legal consent around use of both
personal and sensitive data. If an organisation relies heavily on consent then the processes that
are used to obtain this must be checked against the higher standard outlined under GDPR.

Legal Basis for Data Processing
Rebecca Turner, Head of Compliance and Privacy, Trainline

“The data subject has given consent to the processing of his or her personal data for one or more specific purposes”

In this chapter, we will explain the data processing conditions contained in the GDPR, what they
mean in practice and the key changes from the existing Directive.

The GDPR requires that an organisation which processes personal data must have a lawful basis to
do so. This obligation is unchanged from the existing Directive, with a few important clarifications
to the processing conditions themselves and the types of bodies that can rely on them.

The first of these processing conditions pertains to consent.

Consent

The first processing condition provides that:

“the data subject has given consent to the processing of his or her personal data for one or more
specific purposes”

Consent remains a lawful basis for processing personal data and is discussed further in the next
chapter. In terms of the key changes from the Directive; it should be noted that the GDPR sets a
higher standard for consent.

Consent under the GDPR means offering people genuine choice and control over how their personal
information is used. Consent must now involve a clear affirmative action and the GDPR specifically
bans pre-ticked opt-in boxes. The Information Commissioner’s Office (ICO) has explained that the
changes reflect a more dynamic idea of consent: consent as an organic, ongoing and actively managed
choice, and not simply a one-off compliance box to tick and file away.

Performance of a contract

The second of the processing conditions legitimises use of personal data where it is necessary for
the performance of a contract with a data subject (or to take steps at the request of a data subject).
This may include:

• processing details to deliver goods that a data subject has ordered; and
• processing bank and salary details to pay employees.

It is also important to note that this processing condition also covers situations that take place prior
to a data subject entering into a contract. This could include a request by the data subject to view a
company brochure to see what products they have available for purchase. The key thing to note here,
is that the activity must be initiated by the data subject. This processing condition has not changed
in terms of the wording from the current Directive.

Compliance with a legal obligation

The third processing condition applies where it is necessary to process personal data for compliance
with a legal obligation to which the controller is subject.

“Compliance with a legal obligation” remains a lawful basis for processing personal data, as it was
under the Directive. However, under the GDPR the obligation must be laid down by EU or Member State
law to which the controller is subject. Because this basis is explicitly limited to obligations arising
under EU or Member State law, organisations that are subject to non-EU court orders may find
themselves in a difficult position.

Necessity for vital interests

This condition provides a basis in law where it is necessary to process personal data to protect the
vital interests of the data subject or of another natural person.

Vital interests have previously been viewed very restrictively under the EU Directive and should
only be relied on, in effect, in matters of life or death. It is not anticipated that this view will
become less restrictive under the GDPR. The key change from the Directive is that this condition
can also extend to other individuals (e.g., children of the data subject). This extension is seen as a
helpful clarification in this space.

Necessity in the public interest

This condition provides a basis for processing personal data where it is “necessary for the performance
of a task carried out in the public interest or in the exercise of official authority vested in the
controller”.

“Public interest” remains a lawful basis for processing personal data. It is also important to note that,
like legitimate interests, processing carried out on this basis may be subject to objections from data
subjects. Public authorities relying on this condition must ensure that they document the reasons
for this processing.

Legitimate interests

This condition makes it clear that processing may be permitted where it is necessary for purposes
of the legitimate interests pursued by the controller or by a third party. However, it may not apply
where such interests are overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, (in particular where the data subject is a child).

The recitals in the GDPR provide examples of processing that could be necessary for the legitimate
interest of a data controller. These include:

Recital 47: processing for direct marketing purposes or preventing fraud;

Recital 49: processing for the purposes of ensuring network and information security, including
preventing unauthorised access to electronic communications networks and stopping damage to
computer and electronic communication systems.

The GDPR makes it clear that legitimate interests shall not apply to public authorities in the exercise
or discharge of their functions. Other than in the case of public authorities, “legitimate interests”, as
a basis for lawful processing, is not substantially changed by the GDPR.

When considering reliance on legitimate interests, the following should be considered:

• It will be necessary to demonstrate that you have balanced your interests with the interests and
rights of the individuals affected.
• Any assessment should be documented.
• Individuals must be informed that their personal data is being processed under this condition,
for example through fair processing information.
• Individuals have the right to object to such processing.

Other GDPR changes

The GDPR also allows Member States to maintain or introduce more specific provisions, including
additional lawful bases for processing, for limited purposes. This was designed to preserve certain
national lawful bases that currently exist. As this is a new power, the extent to which Member States
will use it is not yet clear, but it may result in a degree of variation across the EU.

Organisations who are used to relying on processing conditions under the Directive will recognise
most of the wording which has remained intact in the GDPR. It is one of the few areas of the GDPR
which has not resulted in major changes. Whilst most of the processing conditions remain broadly
the same, there are a few important clarifications. Some of these, such as the extension of the vital
interests condition, will undoubtedly be helpful. Others are new and only time will tell how they
are used in practice.

Consent and When to Obtain it
Richard Riley, Commercial Lawyer, Slater Heelis LLP


“Consent cannot, therefore, be inferred from silence, pre-ticked boxes or inactivity”

The use of consent as a legal basis for processing personal data is not new and is already set out
in the DPA. When it comes into force, the GDPR will raise the standard of consent, with a view to
data controllers engaging more in the process of obtaining consent and to data subjects better
understanding what they are (or are not) consenting to and how they can withdraw their consent.

When is it necessary to obtain consent?

In order to process personal data, organisations must (amongst other things) identify a lawful
basis for doing so.

Consent of the data subject is only one of the grounds for lawfully processing personal data under
the current data protection regime but people are often unaware that others exist, and can be relied
on where consent might be impractical to obtain. This will continue to be the case under the GDPR.

The other lawful bases for processing personal data under the GDPR (and the current regime is
broadly similar) are that the processing is necessary:

• in respect of a contract (or prospective contract) with the data subject
• for compliance with a legal obligation (other than a contract as above)
• in order to protect the vital interests of the data subject or another natural person
• for the purposes of the legitimate interests of the data controller or a third party
• in respect of certain tasks in the public interest or the exercise of official authority

If none of the above legal bases can be used in respect of the processing that an organisation
undertakes then consent will invariably need to be obtained and relied upon.

Is consent the best legal basis?

An understandable assumption that people make when they are looking at processing personal data
is that consent is the best and appropriate legal basis for processing, but there are two common
examples where this is not necessarily the case.

Employer/employee relationship

Employers will hold lots of personal data regarding their employees, including bank account details,
National Insurance details, and contact details. Most employers will include short consents to store
and process this data in their employment contracts.

However, given the imbalance of power between employer and employee, and the fact that an
employee could not realistically withhold consent, this means that consent obtained in this way is
unlikely to meet the GDPR standard as it is arguably not “freely” given. Alternative (and better) legal
bases for most types of processing in this type of relationship would be:

• it is necessary for the performance of the employment contract
• it is required by law (for example, processing sickness absence data to pay statutory sick pay)
• it is in the employer’s (and the employee’s) legitimate interests

It should, however, be noted that the above bases may not apply to all processing that an employer
wants to do. For example, if an employer wanted to pass its employees’ contact details to a third
party for marketing purposes, then the first two bullet points above would definitely not be
satisfied, and the third is also unlikely to be satisfied (the employer’s legitimate interest in
disclosing these details is likely to be outweighed by the employees’ rights). The employer would
therefore need to obtain consent specifically for this type of data processing.

Online businesses that sell goods to customers

A business selling goods online to customers will have to obtain a lot of personal data from each
customer, including their name, address, contact details and payment details. It will need to use
the payment details to take payment for the goods and the other details for delivery. Again, it
would have a legal basis for doing this because the processing is necessary for the performance of
the contract, and arguably because it is in the legitimate interests of both the business and the
customer.

However, processing the data provided for marketing purposes starts to enter into a grey area. Whilst
it may be possible for a business to argue this being in both the customers’ and its own legitimate
interests, it would be better to rely on consent for this type of processing.

The key point here is that, given the high threshold for consent and the fact that consent - and
therefore the legal basis for processing - can be withdrawn at any time by the data subject, it is better,
where possible, to look for alternative bases for processing personal data and to rely on consent only
if none of the others can be satisfied.

Currently, many organisations seek to use the consent basis when they could legitimately, and more
appropriately, use another lawful basis for processing personal data. Practically, this does not seem
to cause too many problems but the ICO does advise that organisations should rely on the most
relevant basis. This is likely to become more pertinent under the GDPR as it requires businesses to
do more to identify the basis that they are using and document it together with the reasons why they
think it applies.

How the standard for consent is changing under GDPR

The GDPR makes significant changes to the regime under the UK’s Data Protection Act, including major
alterations to the process of gaining consent from individuals to process their personal data.

The GDPR sets a very high standard for consent, which will need to be:

• given by a clear affirmative action
• freely given
• specific
• informed
• an unambiguous indication of the individual’s agreement to their personal data being processed

Consent cannot, therefore, be inferred from silence, pre-ticked boxes or inactivity. It will usually
need to be supported by some form of written statement or positive action.

Clauses where a data subject confirms consent should not be hidden away amongst lengthy terms
and conditions or privacy policies. And organisations will need to provide equally clear and simple
ways for people to withdraw consent, if they desire.

Businesses that rely on consent as a legal basis for processing personal data will need to review their
procedures in detail to ensure that they can demonstrate that any consent obtained includes an
affirmative agreement from the data subject, rather than a failure to object. For most businesses, this
may also require the creation of new internal policies setting out how the business intends to comply
with the new regulations.

In order for consent to be informed and specific, businesses will need to give much more detail
around how they will process personal data, what they will do with it and/or who they will disclose
it to.

They will also need to ensure that consent is not a pre-requisite of the goods or service they provide
- if it is, then any consent given will not be “true” consent as it will not have been freely given. If
business leaders think they are at the stage where consent becomes a pre-requisite for any reason, it
is a good indication that they should instead be relying on one of the other legal bases.

It must be as easy to withdraw consent as it is to give it. Again, businesses should consider their
processes for doing this; update them if necessary and set them out clearly to data subjects. They
should also ensure that they have technological processes and systems in place that would actually
prevent further processing once consent is withdrawn - it is all well and good superficially saying
that data subjects are able to withdraw consent, but a business must be able to practically follow
through with it.

How to obtain consent

If an organisation decides that consent is required, the following is a guide to the key considerations
to ensure a consent mechanism meets the new requirements.

• Consent requires a positive opt-in action. A pre-ticked box will not be allowed. Instead,
unticked opt-in boxes, or an equivalent method which requires some positive action, must
be used.
• Consent must not be a precondition of signing up to receive goods or a service.
• The consent obtained must specifically relate to what the data is being used for. This means
that consent must be sought for each type of processing that is undertaken, and what the
processing will involve must be clearly and specifically set out.
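One way to make the checklist above enforceable rather than merely documented, as an added example that is not part of the original chapter or of any product it mentions: the Python sketch below keeps a register of purposes with their documented lawful basis, records consent only when it was a specific, affirmative act (a pre-ticked or default-on control is refused, and so is consent for a purpose that already rests on the contract), makes withdrawal a single call, and gates every processing job on the current state. Purpose names, subject ids and evidence strings are illustrative assumptions.

```python
"""Consent ledger with a per-purpose processing gate (illustrative, not the
handbook's own code). Purposes, subject ids and evidence text are made up."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Basis(Enum):
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    LEGITIMATE_INTERESTS = "legitimate_interests"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    given: bool            # True = consent given, False = consent withdrawn
    at: datetime
    evidence: str          # where and how the choice was captured (audit trail)


class ConsentError(ValueError):
    """Raised when a consent capture would not meet the GDPR standard."""


class ConsentLedger:
    def __init__(self) -> None:
        # Documented lawful basis per purpose; nothing is processed for an
        # unregistered purpose, whatever the consent state.
        self.basis_register: dict[str, tuple[Basis, str]] = {}
        self.events: list[ConsentEvent] = []   # append-only audit log

    def register_purpose(self, purpose: str, basis: Basis, reason: str) -> None:
        self.basis_register[purpose] = (basis, reason)

    def record_consent(self, subject_id: str, purpose: str, evidence: str,
                       affirmative: bool, pre_ticked: bool = False) -> ConsentEvent:
        """Append a consent event, refusing captures that fail the GDPR test."""
        if purpose not in self.basis_register:
            raise ConsentError(f"no documented lawful basis for purpose {purpose!r}")
        if self.basis_register[purpose][0] is not Basis.CONSENT:
            # Asking for consent where the contract (or another basis) already
            # applies invites a 'consent' that is not freely given.
            raise ConsentError(f"{purpose!r} does not rely on consent; do not ask for it")
        if not affirmative or pre_ticked:
            raise ConsentError("consent must be a clear affirmative action, not a default or silence")
        if not evidence.strip():
            raise ConsentError("record how and where the consent was obtained")
        event = ConsentEvent(subject_id, purpose, True, datetime.now(timezone.utc), evidence)
        self.events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, evidence: str = "account settings") -> None:
        """Withdrawal is one call and needs no justification: as easy as giving it."""
        self.events.append(ConsentEvent(subject_id, purpose, False, datetime.now(timezone.utc), evidence))

    def current_consent(self, subject_id: str, purpose: str) -> bool:
        """The latest event for (subject, purpose) wins; no event means no consent."""
        for event in reversed(self.events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event.given
        return False

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """The gate every processing job calls before touching a record."""
        if purpose not in self.basis_register:
            return False
        basis, _reason = self.basis_register[purpose]
        if basis is Basis.CONSENT:
            return self.current_consent(subject_id, purpose)
        return True   # another documented basis applies; no consent record needed


def demo() -> dict[str, bool]:
    """Constructed walk-through: a shop with one contract purpose and one consent purpose."""
    ledger = ConsentLedger()
    ledger.register_purpose("order_fulfilment", Basis.CONTRACT,
                            "necessary to deliver the goods the customer ordered")
    ledger.register_purpose("marketing_email", Basis.CONSENT,
                            "optional newsletter, not needed for the contract")
    ledger.record_consent("u1", "marketing_email",
                          "checkout form, unticked newsletter box", affirmative=True)
    result = {
        "fulfil_before": ledger.may_process("u1", "order_fulfilment"),
        "market_before": ledger.may_process("u1", "marketing_email"),
    }
    ledger.withdraw("u1", "marketing_email")          # one click in account settings
    result["market_after"] = ledger.may_process("u1", "marketing_email")
    result["fulfil_after"] = ledger.may_process("u1", "order_fulfilment")  # unaffected
    return result
```

The append-only event log is deliberate: it is the evidence that consent was obtained (and later withdrawn) that a regulator or a subject access request will ask for, and the gate reads the latest event rather than a mutable flag so that withdrawal cannot be lost by a later bulk update.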

In conclusion

While a key concept of the General Data Protection Regulation, obtaining consent is not necessarily
the best legal basis for processing personal data.

However, organisations that do rely on individuals’ consent must make sure that they review
processes and procedures in order to comply with the higher standard of GDPR. So be specific, be
clear, use opt-ins, and make sure consent can be easily withdrawn.

GDPR compliance is likely to require organisation-wide changes for many organisations. Businesses
should understand that these changes may require a significant amount of time to implement and
should be planned ahead in order to ensure compliance when the regulation is enforced.

It should also be noted that whether or not an organisation is relying on consent, data subjects have
other rights in respect of processing their personal data. These are dealt with in later sections.

Rights of the Individuals Under GDPR
Robin Caller, CEO, LolaGrove

“The good news is that there are ways an organisation can protect itself against unnecessary disruption”

As well as reinforcing individuals’ rights under the current Data Protection Act, the GDPR introduces
a range of additional rules that offer greater protection and bring UK and European legislation up
to date.

Rather than seeing it as just another hoop to jump through, organisations should view GDPR as a
very good reason to clean up databases, review what data is collected and why, how it is stored and
who it is shared with.

Compliance with GDPR does not simply mean operating within the law; it is also an opportunity
to improve the performance of sales and marketing teams. It will result in a higher quality, more
engaged database, while open and transparent data policies will earn greater trust and loyalty
among customers.

Businesses using personal data properly, with the right permissions and consents in place, can build
trust. By putting individuals in control of their own data, they are more likely to view an organisation
in a much more favourable light. Under GDPR, there are a number of rights the individuals hold
over how and why their data is stored and used.

So, what rights does the GDPR bring into force and how do organisations need to respond?

The right to be informed

Under GDPR, every consumer has the right to know if, when and how an organisation is using their
personal information.

So, whether a business is collecting the data itself or via a third party, it must provide the identity
and contact details of the data controller and of the data protection officer (where one has been
appointed), the purpose and legal basis for using the personal information, how long the data will be
retained for and who it will be sent to.

Individuals must also be told whether providing their personal data is a statutory or contractual
requirement and what the consequences of not providing it are. Any automated decision making used,
such as profiling, will need to be clearly explained to data subjects, including the logic involved
and the likely consequences for them.

An organisation using data not collected directly from the subject must tell the subject where the
data came from and be able to provide evidence that the supplier had consent to share the data.

The rights of any data subject should be clearly set out, including their right to withdraw consent and
the right to complain to a supervisory authority, giving necessary details.

When collecting the data directly from a subject, any necessary information should be clear, present
and available to the subject at the time of collection. When the subject requests information, their
enquiry should be responded to in full within a month.

The right of access

Under the new legislation, any data subject has the right to access their information free of charge.
Under the existing Data Protection Act, organisations may charge a fee of up to £10 for a subject
access request. Organisations must provide the data without undue delay, and in any event within
one month of receiving the request.

The good news is that there are ways an organisation can protect itself against unnecessary
disruption. Where a large amount of data is stored on individuals, GDPR allows the data controller
to ask the subject to specify which information is required, avoiding the need for unnecessary work.

Organisations may also charge a reasonable fee for, or refuse to act on, requests that are manifestly
unfounded or excessive (for example, repetitive requests). Any fee must be based on the administrative
cost of dealing with the request, and it is for the organisation to show that a request is manifestly
unfounded or excessive. The reasons for any refusal must be explained clearly to the individual,
without delay and at the latest within one month, together with their right to lodge a complaint
with the supervisory authority and to seek a judicial remedy.

The right to rectification

Anyone whose personal data is stored by an organisation also has the right to make alterations to
the data if they discover that the information is incorrect or incomplete. While giving individuals
greater control over their data, it also provides organisations with more accurate, and therefore
better quality, data. However, business leaders will need to consider how they enable individuals
to update and correct their data, and how they are verified and processed efficiently. Again, any
requests to amend personal data must be addressed and completed within one month.

Where a request is particularly complex, or an organisation has received a number of requests from
the same individual, the one-month period may be extended by up to two further months. As with the
right of access, any refusal, or any extension of the timeframe, must be explained clearly to the
individual within one month of the request, together with information on their right to lodge a
complaint with the relevant authority.

The right to erasure

It gets a little more complex should someone want their personal information deleted. Under GDPR,
individuals have the right to ask how and why a company uses their information, to gain access to
their data, receive copies of the data, and also to have it deleted.

This right to erasure is no longer limited to data processing that causes damage or distress to the
individual, as it is under the Data Protection Act. Subject to the exceptions below, it now extends to
any data a company might hold on an individual, however it is being used.

The main exceptions to the right to erasure are where the organisation has an overriding legal basis
for keeping the data: for example, where the data is needed to exercise the right of freedom of
expression and information, to comply with a legal obligation or perform a task in the public interest,
or to establish, exercise or defend legal claims.

If an organisation has shared the data with other parties, it must inform all recipients of the request
to delete the information. If the data has been made public online, any business processing that data
must also be informed and must delete any links to, or copies of, it. This can be a particular challenge
when dealing with data on social media, forums and websites, but businesses must be able to demonstrate
that they have made every reasonable effort to honour the request.

The right to restrict processing

Just as data subjects can ask for their data to be deleted, they can also ask for their information to no
longer be processed. This right to ‘block’ or ‘suppress’ data processing is nothing new as it features
in the Data Protection Act, so any organisation compliant with current regulations should be fine.

It is important to note that a request to restrict the processing of an individual’s data does not
mean the information must be deleted. It can be stored, but must not otherwise be processed.

There are specific circumstances in which processing of particular personal data should be suspended.
These include where an individual has objected to the processing, or asked for it to stop, and the
organisation is still deciding whether it has overriding grounds to continue, and where an individual
has contested the accuracy of their data and the organisation is checking it. As with erasure, any third
party with whom the information has been shared must be told that they may no longer process it.
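The restriction and erasure mechanics described in this section and the previous one (data that is stored but not processed, erasure that must also reach every recipient) can be modelled in code. The following Python sketch is an added example, not part of the original chapter: it keeps a per-subject state, refuses restricted or erased records to any processing call while still allowing storage access, clears the personal fields on erasure but keeps a marker so the person is not silently re-imported from a backup or partner feed, and logs a notification for each recipient the data was shared with. Recipient names and field names are constructed for the example.

```python
"""Subject-rights state for stored personal data: restriction, erasure and
downstream notification (illustrative, not the handbook's own code).
Subject ids, field names and recipient names are made up."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    RESTRICTED = "restricted"   # stored, but refused to every processing job
    ERASED = "erased"           # personal fields removed; a tombstone remains


class ProcessingBlocked(PermissionError):
    """Raised when code tries to process a restricted or erased record."""


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict[str, str]
    state: State = State.ACTIVE
    reason: str = ""
    shared_with: set[str] = field(default_factory=set)   # recipients we passed the data to


class RightsEnforcer:
    def __init__(self) -> None:
        self.records: dict[str, SubjectRecord] = {}
        # (recipient, subject_id, action): what each recipient was told, so it can be chased
        self.notifications: list[tuple[str, str, str]] = []

    def add(self, subject_id: str, data: dict[str, str]) -> SubjectRecord:
        existing = self.records.get(subject_id)
        if existing is not None and existing.state is State.ERASED:
            # The tombstone stops a later import (e.g. from a backup or partner feed)
            # from quietly undoing an erasure request.
            raise ProcessingBlocked(f"{subject_id} was erased: {existing.reason}")
        record = SubjectRecord(subject_id, dict(data))
        self.records[subject_id] = record
        return record

    def get(self, subject_id: str, for_processing: bool) -> SubjectRecord:
        """Storage access is always allowed; processing access needs an ACTIVE record."""
        record = self.records[subject_id]
        if for_processing and record.state is not State.ACTIVE:
            raise ProcessingBlocked(f"{subject_id} is {record.state.value}: {record.reason}")
        return record

    def share(self, subject_id: str, recipient: str) -> None:
        """Sharing is processing, and every recipient is remembered for later requests."""
        self.get(subject_id, for_processing=True).shared_with.add(recipient)

    def _notify(self, record: SubjectRecord, action: str) -> None:
        for recipient in sorted(record.shared_with):
            self.notifications.append((recipient, record.subject_id, action))

    def restrict(self, subject_id: str, reason: str) -> None:
        record = self.records[subject_id]
        record.state, record.reason = State.RESTRICTED, reason
        self._notify(record, "restrict")

    def lift_restriction(self, subject_id: str) -> None:
        record = self.records[subject_id]
        if record.state is State.RESTRICTED:
            record.state, record.reason = State.ACTIVE, ""
            self._notify(record, "restriction lifted")

    def erase(self, subject_id: str, reason: str = "erasure request") -> None:
        record = self.records[subject_id]
        self._notify(record, "erase")   # recipients must delete their copies too
        record.data.clear()             # the personal fields go; the id and state stay
        record.state, record.reason = State.ERASED, reason


def demo() -> dict:
    """Constructed walk-through with one subject whose data went to two recipients."""
    rights = RightsEnforcer()
    rights.add("s42", {"name": "A. Example", "email": "a@example.invalid"})
    rights.share("s42", "mailing-house")
    rights.share("s42", "analytics-vendor")
    out: dict = {}
    rights.restrict("s42", "accuracy of email address contested")
    try:
        rights.get("s42", for_processing=True)
        out["processed_while_restricted"] = True
    except ProcessingBlocked:
        out["processed_while_restricted"] = False
    out["still_stored"] = rights.get("s42", for_processing=False).data["name"]
    rights.erase("s42")
    out["data_after_erase"] = dict(rights.get("s42", for_processing=False).data)
    try:
        rights.add("s42", {"name": "A. Example"})
        out["reimported"] = True
    except ProcessingBlocked:
        out["reimported"] = False
    out["notifications"] = list(rights.notifications)
    return out
```

The notification list is the artefact that lets an organisation show it made every effort to reach recipients: each entry is a recipient that still has to confirm deletion or restriction, and nothing is removed from it until that confirmation is recorded.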

The right to data portability

Under GDPR organisations must, on request, provide individuals with their personal data in a
structured, commonly used and machine-readable format, free of charge. At the time of publication it
is not yet clear whether guidance will point to CSV, XML, JSON or other file types; proprietary document
formats such as Word are unlikely to count as machine-readable in the intended sense.

The data should be structured in such a way that specific elements can be extracted and given to
other organisations to process. If requested, businesses should also send any relevant data directly
to other parties, if possible.

The standard GDPR response time of one month applies from when an individual first requests their
personal data. As with other requests, the period can be extended by up to two further months where a
request is complex, provided the individual is told of the extension, and the reasons for it, within
one month of the request, together with details of how to make a complaint.

The right to object

Individuals have the right to object to the processing of their personal data for direct marketing,
for scientific or historical research and statistics, and where the processing relies on the public
interest or legitimate interests conditions.

For processing based on public interest or legitimate interests, and for research, the objection must
relate to the individual’s particular situation, and the organisation may continue only if it can
demonstrate compelling legitimate grounds that override the individual’s interests. This does not
apply to direct marketing: once an objection has been registered, processing for direct marketing must
stop immediately and without exception. In all situations, individuals should be informed of their
right to object at the first point of contact and in a privacy notice, and where the processing is
carried out online they must be able to object online. Research carried out for a task in the public
interest is exempt from the right to object.

Rights in relation to automated decision making and profiling

While using automated decision making processes or customer profiling to analyse customer data,
organisations must protect individuals from any adverse effects that could arise.

According to the regulation, this involves providing clear information about the automated processes
involved, along with the significance of any possible consequences. Appropriate profiling techniques
should be applied and monitored to maximise accuracy and minimise risk, while keeping people’s
personal data secure.

Ultimately, people have the right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning them or similarly significantly affects
them, and they have the right to obtain human intervention and to challenge any such decision.

Data Processing
Tim Hall, Chief Technology Officer, Blue Logic Computers

“Infringement can bring fines of up to 4% of annual global turnover or up to €20 million, whichever is higher, and can be imposed for both breaches and administrative errors”

One of the most important changes brought in by the GDPR is that, for the first time at EU-wide level,
it places direct obligations on data processors. With these obligations comes the possibility of data
subjects enforcing their rights directly against data processors, which leaves a non-compliant processor
open to sanctions, including potentially hefty fines.

While organisations have a variety of business processes, from on-premise processors to cloud
service providers, the measures which will apply to them in respect of the processing of client
personal data are the same.

A ‘data processor’ is defined as a natural or legal person, public authority, agency or other body
which processes personal data on behalf of the controller. The ‘data controller’ is the natural or legal
person, public authority, agency or other body which, alone or jointly with others, determines the
purposes and means of processing of personal data.

There are several key compliance points data processors will need to meet within the scope of GDPR.

Am I a data processor or data controller?

The defining aspect is control rather than possession of personal data. The data controller is the
person (or business) who determines how and why personal data is processed. The data processor is
anyone who processes personal data on behalf of the data controller (excluding the data controller’s
own employees). Typical examples are a hosting provider storing the data on its servers, an email
delivery service sending messages on the controller’s behalf, or an appointed data analytics provider.

Data controllers may only appoint data processors which provide sufficient guarantees to implement
appropriate technical and organisational measures to ensure processing meets the requirements
of the GDPR. Data processors are then required to process personal data in accordance with the
controller’s instructions.

These significant requirements support all actions that need to be taken to comply with the GDPR.
All organisations should encourage the consideration of all these principles within any activities that
use personal data and develop a business culture that complies with the new guidelines.

Data processing

Under the GDPR, data controllers may only work with data processors that ‘‘provide sufficient
guarantees to implement appropriate technical and organisational measures in such a manner that
processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the
data subjects.”

The GDPR endorses the general prohibition of processing of sensitive personal data previously
introduced by the Data Protection Directive. Thus, data controllers are not allowed to process
sensitive personal data, unless one of the justifications enumerated in the GDPR is applicable.

Since the approach to the processing of sensitive personal data remains largely unchanged, the entry
into force of the GDPR will not substantially affect existing practice. However, it is a good moment
to review existing practices to ensure that no sensitive personal data is processed unless explicit
consent has been obtained or one of the other exceptions applies.

According to the ICO, for any data processing to be lawful under the GDPR, a lawful basis must be
identified before data can be processed. It is important that the lawful basis is not only identified,
but documented.

This becomes more of an issue under the GDPR because the lawful basis for processing influences
individuals’ rights. For example, relying on someone’s consent to process their data, will generally
result in them having stronger rights.

Processing sensitive data

The current Data Protection Act controls how information is used. Under the new GDPR regulations,
businesses will need to ensure all processing of data is correct and lawful.

According to the UK government website all organisations, including government, currently have to
abide by the rules and ensure the information collected is:

• used fairly and lawfully
• used for limited, specifically stated purposes
• used in a way that is adequate, relevant and not excessive
• accurate
• kept for no longer than is necessary
• handled according to people’s data protection rights
• kept safe and secure
• not transferred outside the European Economic Area without adequate protection

Processing employee data

The new regulations will have a large impact on HR. HR departments will need to ensure the correct
processes are in place to protect their employees’ rights. Article 88 of the GDPR allows Member States
to lay down more specific rules for the processing of employees’ personal data in the employment
context, in particular for the purposes of:

• recruitment
• performance of the contract of employment, including discharge of obligations laid down by law or
by collective agreements
• management, planning and organisation of work
• equality and diversity in the workplace
• health and safety at work
• protection of the employer’s or customer’s property
• the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to
employment
• termination of the employment relationship

Processing children’s data

The GDPR contains new provisions intended to increase the protection of children’s personal data.

Privacy notices

If a service is offered directly to a child, then an organisation must ensure that a privacy notice is
written plainly and clearly in a way that a child will understand.

Online services offered to children

If an organisation offers an ‘information society service’ (an online service) directly to a child,
consent to process the child’s data must be obtained from the holder of parental responsibility where
the child is under 16. Member States may set a lower age in their national law, but it cannot be
below 13.

Preventive or counselling services offered directly to a child are exempt from the requirement for
parental consent.

More than IT

As GDPR covers data privacy, many business leaders consider it to only be an IT issue. Although
IT is certainly critical in achieving compliance, the GDPR goes way beyond the IT department. IT
will be central to shaping the processes and engineering of systems to create and implement record-
keeping duties. But the hiring of a data protection officer (DPO) will be crucial.

Businesses will need highly qualified people, trained to know exactly which requirements to meet
and what processes to put in place to achieve compliance. Still, there will be many other people
whose jobs involve working with data, who tend to be more aware of the opportunities than of the
risks this presents.

The following is a list of questions and processes for businesses to follow. Key questions which will
need answering include:

• Where is the data stored?
• What rights do individuals have?
• Could the organisation deal with a data breach?
• What measures are in place to prevent and respond to a data breach?
• Are all staff given data protection training?

Compliance is a company-wide effort

Marketing, HR, directors and sales all handle large amounts of personal data across numerous
processes. It is crucial that everyone who stores or handles data is up to speed on whichever pieces
of legislation are relevant to them, especially given how tempting that data is to use and experiment
with for their own purposes.

How to Report Data Breaches
Penny Heyes, Co-Founder, and
Carol Tullo, Associate Consultant of The Trust Bridge

“It is important to have robust breach detection, investigation and internal reporting procedures in place”

The access, storage and tracking of personal data has changed our worlds. Protecting personal
information is what data protection is all about.

Research reports issued by the government in 2016 showed that more than 60% of companies
registered in the UK suffered a cyber attack of some sort in the previous 12 months, most of them
caused by viruses or some form of malware or spyware. This comes as little surprise and has been
highlighted by many high-profile cases in recent months. Data breaches can of course also be caused
by simple human error or a gap in information systems, policies or processes. The governance of key
information assets belongs on every organisation’s risk register. In our experience, when something
goes wrong it focuses senior minds on the importance of their information assets. There is now a
clear window to escalate good practice and get that house in order.

One area that should be upper most in the mind of all senior managers is that of data breaches.
Given the frequency of data breaches reported around the world in recent years, organisations can
no longer bury their heads in the sand and hope for the best. And even if a data breach does occur,
leaders cannot hope to sweep it under the rug to save the PR backlash.

In September 2017, Equifax, the global information solutions company, eventually reported a major
data breach affecting 143 million consumers in the US. The breach, discovered on 29 July, is thought
to have revealed the names, Social Security numbers, birth dates and addresses of almost half the US
population. UK and Canadian customers were also affected. Yet the breach was only made public some
six weeks after discovery, and two senior staff members were replaced as a result. As the breach
affected UK citizens, and therefore EU citizens, under the GDPR Equifax would have been required to
notify the supervisory authority within 72 hours of becoming aware of the breach and, given the high
risk to those affected, to inform the individuals themselves without undue delay.

Under the GDPR, all organisations will be obliged to report personal data breaches to the relevant
supervisory authority, and in some cases to the individuals affected. As recent high-profile cases like
Equifax show, this has not always happened in a timely fashion. Failure to take appropriate security
measures to minimise the risk of a breach, or failure to notify a breach as required, can attract
significant fines: up to €10 million or up to 2% of the previous year’s total worldwide annual turnover
of the organisation, whichever is higher (Article 83(4)).

What constitutes a data breach?

According to the ICO, a personal data breach means a breach of security leading to the destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is
more than just losing personal data. A breach also refers to inappropriate access of data in the event
that proper controls are not in place.

When should a data breach be reported?

A personal data breach must be reported to the supervisory authority unless it is unlikely to result
in a risk to the “rights and freedoms of individuals”. A risk of this kind includes, for example,
financial loss, damage to reputation, discrimination, identity theft or fraud, or loss of confidentiality
of data protected by professional secrecy (Recital 85). Where the breach is likely to result in a high
risk to individuals, the data subjects themselves must also be informed.

Personal data breaches must be reported to the supervisory authority “without undue delay and,
where feasible, not later than 72 hours after becoming aware of it”. The only exception to the duty
to notify is where the breach is “unlikely to result in a risk to the rights and freedoms of natural
persons”; even then, the controller must document the breach and its reasoning internally (Article 33(5)).

The breach notification must detail the following information:

• a description of the nature of the breach, including, where possible, the categories and
approximate number of data subjects and personal data records concerned;
• the name and contact details of the relevant Data Protection Officer (if the organisation has
appointed one) or another contact person
• the likely consequences of the data breach; and
• any measures that have been taken or are proposed by the controller to address the breach or
mitigate the effects of that breach

If a notification is made after the 72-hour period has expired, the data controller must give the
reasons for the delay. Where not all the information is available at the time, it may be provided in
phases without undue further delay. The supervisory authority may also require the organisation to
inform the affected individuals if it considers the breach serious enough (Article 34(4)).

Potentially more complex is the requirement to notify the data subjects. Again, GDPR states that
any communication with the individual must explain “in clear and plain language, the nature of the
breach”. The notification must include contact details of the organisation involved with the name
of the Data Protection Officer if there is one. It must explain the extent and the likely outcome and
consequences of the data breach and measures taken or proposed by the controller to address the
breach and/or mitigate its effects.

In some situations, organisations are not required to inform data subjects individually. The most
common example is where the data was protected by measures such as encryption that render it
unintelligible to anyone not authorised to access it. The same applies where the controller has since
taken measures that make the high risk unlikely to materialise. Where informing each individual
would involve disproportionate effort, a public communication or similar measure that informs them
equally effectively may be accepted by the supervisory authority, depending on the circumstances
and the nature of the exposure (Article 34(3)).
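To make the procedure concrete, here is an added example (not code from the handbook or from The Trust Bridge) that records a breach and checks it against the rules above: the 72-hour deadline counted from awareness, the Article 33(3) content list, the need for a reason when notifying late, and the Article 34 exemptions for informing data subjects. The record fields, the three-level risk scale and all helper names are assumptions made for illustration.

```python
"""Breach notification record for the GDPR Article 33/34 procedure.

Added example: not code from the handbook or from The Trust Bridge. The
record fields, the three-level risk scale and the helper names are
assumptions chosen for illustration; the rules encoded are the Article 33
72-hour deadline, the Article 33(3) content list and the Article 34(3)
exemptions described in the chapter.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOTIFY_WINDOW = timedelta(hours=72)      # Article 33(1): "not later than 72 hours"
RISK_LEVELS = ("none", "risk", "high")   # assumed scale for the risk assessment


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2018-05-25T09:00' as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


@dataclass
class BreachRecord:
    aware_at: datetime                 # when the controller became aware of the breach
    nature: str                        # description of the nature of the breach
    categories: List[str]              # categories of data subjects / records concerned
    approx_subjects: Optional[int]     # approximate numbers, "where possible"
    approx_records: Optional[int]
    risk: str                          # "none", "risk" or "high" (assumed scale)
    consequences: str                  # likely consequences of the breach
    measures: str                      # measures taken or proposed
    contact: str                       # DPO or other contact point
    data_unintelligible: bool = False  # Art 34(3)(a): e.g. strong encryption
    subsequent_measures: bool = False  # Art 34(3)(b): high risk no longer likely
    notified_at: Optional[datetime] = None  # when the authority was notified
    delay_reason: Optional[str] = None      # required if notified after the deadline
    subjects_informed: bool = False

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"risk must be one of {RISK_LEVELS}")


def deadline(b: BreachRecord) -> datetime:
    """The clock starts when the controller becomes aware, not when the incident happened."""
    return b.aware_at + NOTIFY_WINDOW


def must_notify_authority(b: BreachRecord) -> bool:
    # Notify unless the breach is unlikely to result in a risk (Art 33(1)).
    return b.risk != "none"


def must_inform_subjects(b: BreachRecord) -> bool:
    # High risk triggers Art 34(1), unless an Art 34(3) exemption applies.
    return b.risk == "high" and not (b.data_unintelligible or b.subsequent_measures)


def missing_content(b: BreachRecord) -> List[str]:
    """Article 33(3) items the notification cannot yet describe.
    Counts are 'where possible', so None is allowed but is still reported."""
    required = {"nature": b.nature, "categories": b.categories,
                "consequences": b.consequences, "measures": b.measures,
                "contact": b.contact}
    gaps = [name for name, value in required.items() if not value]
    if b.approx_subjects is None or b.approx_records is None:
        gaps.append("approximate numbers (supply in phases if unknown)")
    return gaps


def check_notification(b: BreachRecord, now: datetime) -> List[str]:
    """Open problems with the record at time `now`; an empty list means on track."""
    problems: List[str] = []
    if not must_notify_authority(b):
        return problems  # still document the decision internally (Art 33(5))
    problems += [f"missing content: {g}" for g in missing_content(b)]
    if b.notified_at is None:
        if now > deadline(b):
            problems.append("overdue: 72-hour window has passed")
    elif b.notified_at > deadline(b) and not b.delay_reason:
        problems.append("late: reasons for the delay must accompany the notification")
    if must_inform_subjects(b) and not b.subjects_informed:
        problems.append("data subjects must be informed without undue delay (Art 34)")
    return problems


if __name__ == "__main__":
    # Constructed scenario: an unencrypted laptop holding customer records is stolen.
    b = BreachRecord(parse_utc("2018-05-25T09:00"), "stolen unencrypted laptop",
                     ["customers"], 1200, 1200, "high", "identity fraud",
                     "remote wipe issued; police informed", "dpo@example.test")
    print("notify authority by", deadline(b).isoformat())
    print(check_notification(b, parse_utc("2018-05-28T17:00")))
```

The two design points worth copying are that the deadline is computed from aware_at rather than from the incident itself, and that a "none" risk assessment still produces a record: Article 33(5) requires the controller to document every breach and its reasoning, even when no notification is sent.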

Of course, organisations will hope that a breach never occurs and should take all necessary steps to
minimise the risk of one happening. However, they should also implement a clear and well-defined
reporting procedure. A clear and well-thought-out plan will not only minimise potential fines from
supervisory authorities, it will also help to limit the PR backlash that may follow a poorly handled
breach.

The ICO recommends that “in light of the tight timescales for reporting a breach - it is important to
have robust breach detection, investigation and internal reporting procedures in place”.

All organisations should have policies in place to assess risk and to be able to demonstrate compliance
as a minimum.

The Regulated Use of Personal
Data in Direct Marketing
Ruaraidh Thomas and Virginia Chinda-Coutts, DST Systems

“Measuring the accuracy with which customers are contacted in terms of content, channel and timing, will help to drive a better understanding of the most positive types of contact for both the consumer and the brand”

While marketers increasingly use the vast amount of customer data available to them to create a
competitive advantage, they could find that the consumer consent in place today will not be sufficient
in the post-GDPR world. Marketers should also review their partners and suppliers, ensuring they
understand their responsibilities as data processors. They need to check that their vendors are
complying with GDPR, that they are financially robust and that they will stand up to scrutiny from
regulators if there is ever a breach.

But GDPR is just one notable regulation marketers must comply with. They also need to fulfil the
obligations set out by the e-Privacy Directive of 2002, which was instigated by the European Union
to implement regulation around several aspects of data handling including confidentiality, treatment
of traffic data, spam and cookies. The obligations of this directive are simple: to provide security to
the subscribers of organisations that store their data, ensure subscribers are updated as and when
there is a particular risk to their data, and to maintain the confidentiality of information unless
consent is given otherwise.

Another important piece of legislation is the UK Privacy and Electronic Communications Regulations
(PECR), which restrict unsolicited marketing by phone, fax, email, text or other electronic mail. The
rules are clear: direct marketers must obtain a person’s consent before sending them a marketing
message, through some form of positive action (ticking a box, sending an email, clicking an icon and
so on). A record of these consents must be stored so that organisations can act on a request to
withdraw consent.

Understanding the data

At the heart of preparing for GDPR is the process of understanding exactly what personal data a firm
holds, and ensuring that how it is collected and recorded is transparent. Before organisations get to
this stage, however, public authorities and any organisation whose core activities involve large-scale,
regular and systematic monitoring of data subjects (or large-scale processing of special category
data) will need a DPO in place to monitor compliance, as mentioned in previous chapters. The DPO
is an independent role, with responsibilities that include monitoring compliance with GDPR,
providing advice and guidance on data protection impact assessments, staff training and the
appropriate handling of personal data across the organisation.

Hosting personal data

Helpfully, the ICO has created a 12-step guide for organisations to follow to prepare for GDPR, four
steps of which are particularly pertinent to the marketing sector. The way in which personal data is
hosted and how it is looked after is an important aspect for marketers to note. It is clear that firms
need to get all their ducks in a row if they are to ensure they have the correct procedures and systems
in place to host and look after their customers’ data.

Under GDPR, businesses are required to maintain records of their processing activities (Article 30),
and individuals gain a right to data portability (Article 20): to receive the data they provided in a
structured, commonly used, machine-readable format should they want to use it elsewhere. History
has shown that customers can respond well to this. In 2013 certain banks started to make it easier to
transfer current accounts; those that did found customers more likely to move, as they suddenly felt
less constrained and more willing to try something new. The potential for marketers to acquire new
customers by implementing procedures to comply with GDPR could therefore be considerable.

Handling data subject access requests

An important update to procedures and plans following the implementation of GDPR will be how
firms handle data subject access requests (DSARs): requests made by or on behalf of an individual
for the personal data held about them, a right that existed under the Data Protection Act 1998 and
continues under Article 15 of the GDPR. To ensure smooth operation, it is important to think about
how these requests will be managed and how the process will work in practice. Likewise, measuring
the accuracy with which customers are contacted in terms of content, channel and timing will help
to drive a better understanding of the most positive types of contact for both the consumer and the
brand. This in turn has the potential to help manage the volume of DSARs, on the premise that if
consumers feel they are being contacted responsibly with relevant material, they may be less likely
to make one.

Recording consent

Lastly, the way in which organisations seek, record and manage consent, must be reviewed before
GDPR comes into effect. Consent will be subject to certain conditions under the regulation. The
consent request should be easily visible and provided separately from the other terms and conditions
wherever possible. Individuals should be provided with the correct information for them to be able
to actively opt-in. This will include the name of the firm, any third parties, why the data is required
and what the firm is planning on doing with the data. Crucially, it must be easy for individuals to
withdraw consent at any time that they choose.

Summary

The traditional way in which data controllers or data processors manage personal data is quickly
coming to an end. Many companies seem to be in project mode, making sure they get over the line
the best way they can by May 2018. However, this approach does not necessarily help brands plan
for the opportunities post-GDPR to improve and evolve, rather than just considering the costs of
compliance and risk.

Marketers who begin to take GDPR seriously will ultimately have access to the best quality of
information and opportunities to mine their data, ensuring that their customers receive far more
effective and valuable communication. Ideally GDPR should not be seen as an obstacle to overcome,
it is an empowerment tool, allowing organisations to be smarter with personal data whilst protecting
their customers.

Data Protection Officers
Jonathan Compton, Partner, DMH Stallard

“Some of the key themes of the GDPR are transparency, governance and accountability”

Just as we were all settling into the smooth running of the Data Protection Act, someone thought it
would be fun to blow it up and start again.

Some of the key themes of the GDPR are transparency, governance and accountability. Someone, in
short, must ‘carry the can’. The old DPA was not as explicit as the GDPR in terms of accountability
and transparency. The GDPR is much more explicit in terms of these principles.

Businesses that fall within the provisions of the GDPR must have governance measures which are:
• Comprehensive
• Proportionate

So, if we look at the ICO, its best-practice recommendations such as PIAs (privacy impact
assessments) and privacy by design have now, under the GDPR, been upgraded to legal requirements:
data protection impact assessments (Article 35) and data protection by design and by default
(Article 25).

In the ICO’s guidance, we can see the summary of the aim of the new measures.

“Ultimately, these measures should minimise the risk of breaches and uphold the protection of
personal data. Practically, this is likely to mean more policies and procedures for organisations,
although many organisations will already have good governance measures in place.”

In summary; more red tape, greater burden on business and more chance for error and consequent
litigation - we just have to (try to) make sense of the material and advise our clients the best we can.
With that in mind, let us look at the role of the Data Protection Officer.

Mandatory appointment of a Data Protection Officer?

• Public authorities and bodies must appoint a DPO (except courts acting in their judicial capacity); or
• Any organisation whose core activities consist of regular and systematic monitoring of individuals
on a large scale must appoint one (the ICO gives the example of online behaviour tracking); or
• Any organisation whose core activities consist of large-scale processing of special categories of
data, or of data relating to criminal convictions and offences, must appoint one.

Optional appointment of a Data Protection Officer?

Not all organisations face a legal requirement to appoint a DPO. There are some questions that
business leaders can ask themselves when deciding whether to appoint one. How big is the
organisation? Larger organisations, or groups of businesses, that do not fall into one of the mandatory
categories are advised, but not legally required, to appoint a DPO. What may surprise some is the
freedom to appoint a single DPO to cover an entire group of undertakings, provided the DPO is easily
accessible from each establishment (Article 37(2)).

Be warned

It is vital to note that while certain organisations do not have a legal obligation to appoint a Data
Protection Officer, the organisation must still abide by GDPR and its rules, meaning policies and
procedures need to be in place to ensure all staff understand their responsibilities.

When a breach occurs, the ICO will first ask for the DPO’s name. If a business does not have a
DPO, it will then ask who is in charge of data handling, and request a copy of training records,
qualifications and any courses attended.

What are the duties of DPO?

The duties of a Data Protection Officer are set out in Article 39 of the GDPR.

A data protection officer must, at least:

• inform and advise the organisation’s directors and employees of their obligations under the GDPR
and other data protection law
• monitor the organisation and its employees for compliance with the GDPR and other data
protection law
• provide advice on data protection impact assessments (DPIAs) and monitor their performance
• monitor how internal data protection activities are managed
• provide or arrange training for employees, workers and contractors working on relevant
activities within the organisation
• be the first point of contact for the ICO and any other supervisory authority
• conduct internal audits

The EU, in its wisdom, has allowed a ‘get out’ clause in Article 37(6). The Working Party on DPOs
provides the following guidance:

“According to Article 37(6), the DPO may be a staff member of the controller or the processor
(internal DPO) or ‘fulfil the tasks on the basis of a service contract’. This means that the DPO
can be external, and in this case, his/her function can be exercised based on a service contract
concluded with an individual or an organisation”.

For the sake of legal clarity and good organisation, the Guidelines recommend to have, in the
service contract, a clear allocation of tasks within the external DPO team and to assign a single
individual as a lead contact and person ‘in charge’ of the client. WP 243 (annex)

Be warned. If an organisation provides DPO services on a commercial basis to other organisations,
a nominated team leader must be in place. Likewise, there must be a nominated lead contact if an
organisation outsources its DPO function under Article 37(6).

Does a data protection officer need qualifications?

The good news is that data protection officers do not need formal qualifications. However, Article
37(5) requires that they be designated on the basis of their professional qualities and expert
knowledge of data protection law, and ICO guidance states that they must have:

“professional experience and knowledge of data protection law. This should be proportionate to the
type of processing your organisation carries out, taking into consideration the level of protection the
personal data requires.”

Employing the work-experience student will not go down well. I would recommend that the appointee
in a larger organisation has at least 5 to 10 years of management experience and has attended a
two-day course from a recognised provider; some data protection background will also be expected.
For smaller companies, 1 to 5 years’ experience with a recognised course will likely suffice.

What does the board need to do?

In terms of the data protection officer’s role, as a minimum, the organisation must ensure that:

• The DPO reports to the board of directors or trustees or, if other, then the highest management
level of the organisation.
• The DPO operates independently. The DPO must not be dismissed for carrying out their
responsibilities correctly, even if it is at a detriment to the business. The ICO will investigate
the dismissal and failure to provide justifiable reasons could result in punishment.
• Adequate resources are made available to allow and permit the DPO to discharge their duties
under the GDPR and other applicable data protection legislation.

Are DPOs personally liable for breaches?

Data protection compliance is the job of the controller or the processor: Article 24(1) makes the
controller responsible for implementing appropriate measures and for being able to demonstrate
compliance. The DPO monitors and advises on compliance (Article 39), but it is the data controller
that carries the burden of responsibility should a breach occur; the DPO is not personally liable.

Data Protection Impact Assessments (DPIAs)

Those of you who have managed to read this article to this point will have noticed my reference
above to a DPIA. Most of the duties of a DPO are straight forward and common sense in the sense
that those duties can be readily understood, even if their discharge is painstaking and precise.

The technical requirements of the DPIA require a breakdown, which will be explored in further
detail in the next chapter.

Data Privacy Impact Assessments
David Clarke, Co-Founder of The TrustBridge

“A DPIA is required if high-risk processing is present”

Companies that process and store personal information about consumers must protect it. The Data
Protection Impact Assessment (DPIA, often still called a privacy impact assessment) is the GDPR’s
tool for managing risks to the rights and freedoms of data subjects. A DPIA is conducted from the
data subjects’ point of view, since it concerns the risks to the individuals whose personal information
is processed.

When is DPIA required?

A DPIA is required where processing is likely to result in a high risk to individuals (Article 35(1)).
As a guide, if one of the following is present, a DPIA is likely to be required:

• evaluation, scoring, profiling or predicting aspects of the data subject
• systematic monitoring of a publicly accessible area
• large-scale processing of personal data
• datasets that are matched or combined

Who is responsible for carrying out DPIA?

The data controller is responsible for carrying out the DPIA. Where there are joint controllers, their
respective responsibilities must be defined between them (Article 26). The controller should draw on
professionals, external expertise and, where one is designated, the advice of the Data Protection
Officer. Data processors involved must assist the controller. Although the work of a DPIA can be
outsourced, the responsibility remains with the controller.

Organisations do not need to publish DPIAs. A DPIA is compulsory for new high-risk processing that
begins after May 2018, but it would be wise to revisit existing high-risk processing as well.

Purpose of DPIA

A DPIA has several purposes. Firstly, it serves as a statutory report and record, so it should be
reviewed regularly (for example every three years, and whenever the risk presented by the processing
changes) to see if any of its components need updating. High-risk processing has to be documented.

Secondly, it identifies whether the residual risk has been mitigated. Where a high residual risk cannot
be resolved, the controller must consult the supervisory authority before processing (Article 36), and
should seek the views of data subjects or their representatives where appropriate (Article 35(9)). The
advice of the DPO has to be obtained where one is designated.

Consequence of failure to do DPIA

Failure to comply can occur in three ways: not carrying out a DPIA when one is required; carrying it
out incorrectly; and failing to consult the supervisory authority when that is required.

As a result, a company could have to pay a fine of up to €10 million or, if a case is made, it could
result in up to 2% of the total worldwide annual turnover of the preceding financial year; whichever
is higher.

How to conduct DPIA?

Organisations simply have to carry out six steps which identify if a DPIA is needed; describe the
information flows, identify privacy and related risks, come up with privacy solutions, sign off and
record the PIA outcomes and lastly integrate PIA in projects.

Step 1: Is DPIA needed?

We covered this under ‘When is a DPIA required?’. In addition, organisations have to:

a) describe the function, outcome and benefits of the data processing
b) explain the link to other relevant documents and diagrams related to the project
c) state the legitimate interest or other legal basis
d) provide details of the risks to data subjects, and
e) list the purposes of the processing

Step 2: Describing the flow of information

The second step needs to explain clearly what the flow of information is. The chapter illustrates this
with a data flow diagram of the collection and use of data from web chat (Web Data Collection)
through to CRM processing. The security domains are shown on the left; personal data and storage
are in green, and data processing in purple. It shows clearly who the parties involved are. As
mentioned before, if there is a need to consult a DPO or experts, the data controller is required to
do so.

[Figure: data flow diagram. Security domains: 3rd Party, External, IT Develop., Analysis, Legal
Control, 3rd Party External Access, 3rd Party Tools. Systems: Web Data Collection, 3rd Party
Portal, Laptop, MySQL Database, MS CRM, Data Warehouse, 3rd Party Inbox, Office 365, Web
Analytics (data collected anonymised).]
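The diagram is easier to reason about once it is written down as data. The following is an added example (not code from the handbook or from The TrustBridge) that models the flow map as systems and flows, then answers the questions a DPIA asks of it: which systems personal data reaches from the point of collection, which third parties end up holding it, and which flows cross a security domain and therefore need a processor contract, transfer safeguard or access control review. The system names come from the chapter’s diagram; the domain assigned to each system, the flow list and the ‘holds personal data’ flags are assumptions made for illustration.

```python
"""Data-flow map for DPIA Step 2 (describing the information flows).

Added example: not code from the handbook or from The TrustBridge. The system
names come from the chapter's web-chat to CRM diagram; the security domain
assigned to each system, the flow list and the 'holds personal data' flags are
assumptions made for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class System:
    name: str
    domain: str            # e.g. "internal", "3rd party", "external"
    personal_data: bool    # stores or processes identifiable personal data


@dataclass
class DataFlowMap:
    systems: Dict[str, System] = field(default_factory=dict)
    flows: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, dst, what)

    def add_system(self, name: str, domain: str, personal_data: bool) -> None:
        self.systems[name] = System(name, domain, personal_data)

    def add_flow(self, src: str, dst: str, what: str) -> None:
        for n in (src, dst):
            if n not in self.systems:
                raise KeyError(f"unknown system in flow: {n}")
        self.flows.append((src, dst, what))

    def reachable_from(self, start: str) -> Set[str]:
        """All systems data can reach from `start` (breadth-first over flows)."""
        seen: Set[str] = set()
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for src, dst, _ in self.flows:
                if src == cur and dst not in seen and dst != start:
                    seen.add(dst)
                    queue.append(dst)
        return seen

    def third_party_recipients(self, start: str) -> Set[str]:
        """Non-internal systems that receive identifiable personal data
        originating at `start`; anonymised sinks are excluded."""
        return {n for n in self.reachable_from(start)
                if self.systems[n].domain != "internal" and self.systems[n].personal_data}

    def domain_crossings(self) -> List[Tuple[str, str, str]]:
        """Flows of personal data between different security domains; each one
        needs a processor contract, transfer safeguard or access control review."""
        return [(s, d, w) for s, d, w in self.flows
                if self.systems[s].domain != self.systems[d].domain
                and self.systems[s].personal_data and self.systems[d].personal_data]


def build_example_map() -> DataFlowMap:
    """Constructed map modelled on the chapter's diagram (domains are assumed)."""
    m = DataFlowMap()
    for name, domain, holds_pd in [
        ("Web Data Collection", "external", True),
        ("MySQL Database", "internal", True),
        ("MS CRM", "internal", True),
        ("Data Warehouse", "internal", True),
        ("Analysis", "internal", True),
        ("IT Develop. Laptop", "internal", True),
        ("Office 365", "3rd party", True),
        ("3rd Party Inbox", "3rd party", True),
        ("3rd Party External Access", "3rd party", True),
        ("Web Analytics", "3rd party", False),   # anonymised before it leaves
    ]:
        m.add_system(name, domain, holds_pd)
    m.add_flow("Web Data Collection", "MySQL Database", "web chat transcripts")
    m.add_flow("Web Data Collection", "Web Analytics", "anonymised page statistics")
    m.add_flow("IT Develop. Laptop", "MySQL Database", "schema changes")
    m.add_flow("MySQL Database", "MS CRM", "contact records")
    m.add_flow("MS CRM", "Data Warehouse", "contact records")
    m.add_flow("Data Warehouse", "Analysis", "aggregated reports")
    m.add_flow("MS CRM", "Office 365", "customer e-mail")
    m.add_flow("Office 365", "3rd Party Inbox", "customer e-mail")
    m.add_flow("MS CRM", "3rd Party External Access", "legal review access")
    return m


if __name__ == "__main__":
    fm = build_example_map()
    print("third parties holding personal data:", sorted(fm.third_party_recipients("Web Data Collection")))
    for src, dst, what in fm.domain_crossings():
        print(f"review needed: {src} -> {dst} ({what})")
```

Running it shows that the transcripts collected on the web reach three third-party systems, and that three flows cross a domain boundary; those three flows are the ones for which the DPIA must record the processor contract or safeguard in place.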

Step 3: Identify privacy and related risks

Now it is time to pinpoint the risks in relation to privacy issues as well as other matters. The seven
principles of the GDPR (Article 5) and the breach definitions are the rules that help identify whether
there is a risk.

The seven principles of the GDPR

Lawfulness, fairness and transparency
Principle: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to
the data subject.
Check: Is there a documented process that shows how the data subject’s rights are fulfilled and the
legal basis for collection of the data?

Purpose limitation
Principle: Personal data shall be collected for specified, explicit and legitimate purposes.
Check: Is there a documented process, approved as lawful, that reduces and mitigates risk?

Data minimisation
Principle: Personal data shall be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed.
Check: Is there a documented process, technology and design governance that can reduce and
mitigate risk?

Accuracy
Principle: Personal data shall be accurate and, where necessary, kept up to date.
Check: Is there a timetabled review process for the data, along with a retention schedule, to ensure
on a regular basis that data is accurate?

Storage limitation
Principle: Personal data shall be kept in a form which permits identification of data subjects for no
longer than is necessary.
Check: Is data classified, marked and aligned with the retention policy and schedule?

Integrity and confidentiality
Principle: Personal data shall be processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisational measures.
Check: Is the data classified, marked and privilege-managed, aligned with the retention process,
subject access requests (SARs), information rights, breach mitigation and proper management that
can reduce and mitigate risk?

Accountability
Principle: The controller shall be responsible for, and be able to demonstrate compliance with, the
GDPR.
Check: Is there an evidenced governance capability with documented actions, audit, training and
decision making aligned to the risk management of personal data?

Breach definition according to GDPR

The definition covers five types of breach, each with a typical control:

Breach: Unauthorised disclosure
Solution: Privilege management and DLP (data leakage prevention)

Breach: Loss of data
Solution: Encryption (so that lost media cannot be read) and routine backup

Breach: Destruction of data
Solution: Backup of the data

Breach: Alteration of data
Solution: Proper audit trail, digital approval process and file integrity monitoring

Breach: Unauthorised access
Solution: Strong authentication, multi-factor authentication and strong passwords
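As an added example (not code from the handbook or from The TrustBridge) of the control listed against alteration of data, the following builds a SHA-256 baseline of every file under a directory and compares it with a later scan to report files that were added, removed or modified. The directory contents in demo() are constructed for illustration; a production tool would store the baseline somewhere the monitored system cannot write to and run the comparison on a schedule.

```python
"""File-integrity baseline and comparison, the 'alteration of data' control.

Added example: not code from the handbook or from The TrustBridge. The
directory layout in demo() is constructed for illustration; the technique is
a SHA-256 baseline of every file under a root, compared later to find files
that were added, removed or modified.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map of path (relative to root, '/' separated) -> SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two baselines; every list is sorted."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a records directory, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "records"))
        files = {
            "records/customers.csv": b"id,name\n1,A. Person\n",
            "records/retention.txt": b"customers.csv: 24 months\n",
            "README": b"personal data store\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = build_baseline(root)
        # Simulate an unauthorised alteration, a deletion and an unexpected new file.
        with open(os.path.join(root, "records/customers.csv"), "ab") as f:
            f.write(b"2,B. Person\n")
        os.remove(os.path.join(root, "README"))
        with open(os.path.join(root, "records/export.csv"), "wb") as f:
            f.write(b"1,A. Person\n")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

An unexpected "added" file is as interesting as a "modified" one for a personal data store: an export nobody authorised is how data leaves. Hashes are compared rather than timestamps because modification times are trivial to reset.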

Step 4: Privacy solutions

The table below shows actions which can mitigate the risks, the result for each risk (eliminated,
reduced or accepted) and an evaluation of whether the solution is compliant, proportionate and
appropriate.

Risk: Disclosure risk
Solution: Privilege management
Result: Risk is reduced so that only the right people have access to the data
Evaluation: Yes; it is industry best practice

Risk: Storage limitation
Solution: Automated retention schedule alerting
Result: Risk is managed and reduced
Evaluation: Yes; it uses industry best practice
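The ‘automated retention schedule alerting’ solution above is straightforward to implement once every record carries a classification. The following is an added example (not code from the handbook or from The TrustBridge): it applies an assumed retention schedule to a set of constructed records and flags those whose retention has expired, those expiring within a warning window and, the case that most often goes wrong in practice, those that were never classified and so cannot be scheduled at all. The classification names, retention periods and records are assumptions.

```python
"""Automated retention-schedule alerting for the storage limitation principle.

Added example: not code from the handbook or from The TrustBridge. The
classification names, the retention periods and the records reviewed are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed retention schedule: classification -> days retained after the trigger date.
SCHEDULE: Dict[str, int] = {
    "web-chat-transcript": 90,
    "customer-account": 365 * 6,
    "marketing-consent": 365 * 2,
}


def parse_date(text: str) -> date:
    """Parse an ISO date such as '2018-04-15'."""
    return date.fromisoformat(text)


@dataclass
class Record:
    record_id: str
    classification: Optional[str]   # None means the record was never classified
    trigger: date                   # collection date, or end of the relationship


@dataclass
class Alert:
    record_id: str
    status: str          # "expired", "expiring", "unclassified" or "unknown-class"
    due: Optional[date]


def retention_deadline(rec: Record, schedule: Dict[str, int] = SCHEDULE) -> Optional[date]:
    """Date by which the record must be deleted or anonymised; None if unschedulable."""
    if rec.classification not in schedule:
        return None
    return rec.trigger + timedelta(days=schedule[rec.classification])


def review(records: List[Record], today: date, warn_days: int = 30,
           schedule: Dict[str, int] = SCHEDULE) -> List[Alert]:
    """Flag records due for deletion or review; records still in period are silent."""
    alerts: List[Alert] = []
    for rec in records:
        if rec.classification is None:
            alerts.append(Alert(rec.record_id, "unclassified", None))
            continue
        due = retention_deadline(rec, schedule)
        if due is None:
            # Classified, but with a label the schedule does not know about.
            alerts.append(Alert(rec.record_id, "unknown-class", None))
        elif due <= today:
            alerts.append(Alert(rec.record_id, "expired", due))
        elif due - today <= timedelta(days=warn_days):
            alerts.append(Alert(rec.record_id, "expiring", due))
    return alerts


def summarise(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alert record ids by status, with every status present."""
    out: Dict[str, List[str]] = {"expired": [], "expiring": [], "unclassified": [], "unknown-class": []}
    for a in alerts:
        out[a.status].append(a.record_id)
    return out


if __name__ == "__main__":
    # Constructed records for illustration.
    sample = [
        Record("c1", "web-chat-transcript", parse_date("2018-01-01")),
        Record("a1", "customer-account", parse_date("2018-01-01")),
        Record("m1", "marketing-consent", parse_date("2016-05-01")),
        Record("u1", None, parse_date("2017-01-01")),
    ]
    print(summarise(review(sample, parse_date("2018-04-15"))))
```

Unclassified and unknown-class records are reported separately from expired ones because the remedy differs: the former need a classification decision from the data owner, not a deletion.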

Step 5: Sign off and record PIA outcomes

Risk: Disclosure risk
Approved solution: Privilege management
Approved by: Board-level officer

Risk: Storage limitation
Approved solution: Automated retention schedule alerting
Approved by: Board-level officer

Step 6: Integrate PIA in projects

Action to be taken: Privilege management
Date for completion of action: 24/5/2018
Responsibility for action: Privacy project officer

Action to be taken: Automated retention schedule alerting
Date for completion of action: 24/5/2018
Responsibility for action: Privacy project officer

The Privacy project officer is the contact for all privacy concerns.

The Transfer of Data
David Fowler, Head of Digital Compliance, Act-On Software

“Despite the overall ‘hype’ around securing data, other sections of the regulation concern the consumer a lot more, such as ‘the right to be forgotten’, where consumers can require the erasure of any personal data businesses may hold”

This chapter will cover ‘the transfer of data’ under the GDPR, with a particular focus on transfers of
personal data to countries outside the European Economic Area (‘third countries’) and to international
organisations.

What does the ‘transfer of data’ and the ‘adequate level of protection’ mean?

The transfer of data simply refers to the transfer of individuals’ personal data. The GDPR restricts
transfers of this data to third countries and international organisations in order to safeguard it.

A transfer can take place if the European Commission has decided that the third country or
international organisation ensures an ‘adequate level’ of protection of individuals’ data (an adequacy
decision, Article 45). So far, the Commission has recognised the following third countries as offering
this level of protection: Andorra, Argentina, Canada (commercial organisations only), the Faroe
Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

A further adequacy decision covers the US Privacy Shield certification programme, under which
transfers from the EU to certified US organisations were deemed adequate. This affects businesses
based in the US, or groups with a US-based company, wanting to transfer individuals’ personal data
from the EU. US organisations must comply with the Privacy Shield principles, which include giving
individuals key information about their data and the option to opt out when data is to be disclosed to
a third party. (Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy
decision in July 2020 in the Schrems II case, so it can no longer be relied on for transfers.)

To ensure that countries and organisations are compliant, they will undergo periodic reviews every
four years. The label of ‘adequacy’ can then be revoked or suspended by the Commission if necessary.

What other options are there to transfer personal data without an adequacy decision?

If a third country or international organisation is not deemed to ensure an ‘adequate level’ of
protection for individuals, personal data may still be transferred if the organisation receiving the
personal data has provided ‘appropriate safeguards’.

1) Data subject’s consent

If personal data is to be transferred to a third country or international organisation that has not
received an adequacy decision, the company can rely on the data subject’s consent to allow the
transfer. This consent must be freely given, clear and explicit, which can be difficult for companies
to assess.

2) Model Contract Clauses

Model Contract Clauses, commonly referred to as standard contractual clauses, play a similar role
to Binding Corporate Rules and act as another appropriate safeguard to protect individuals’ rights
over their personal data. These contracts follow four sets of model clauses that have been approved
by the Commission, laying out the relationship between the data controller (the entity that
determines the purposes, conditions and means of the processing of personal data, e.g. the company)
and the data processor (the entity that processes data on behalf of the data controller, e.g. an
internal IT service) to ensure adequate safeguards for the rights and freedoms of individuals.

3) Binding Corporate Rules

Binding Corporate Rules are internal, legal regulations, adopted by multinational companies, which
define obligations for the protection of individuals’ data and are shared across the company. This
will streamline multinational companies’ processes, as they will not have to sign clauses for all data
transfers. However, these can be very expensive and take a long time to implement.

The transfer of data will affect all businesses within the EU, as well as global companies. Companies
that aren’t located within the EU but trade or have branches within the EU will still be affected, and
will have to comply with these new regulations that are coming into place. Those that do not comply,
global companies especially, face high penalties.

Overall

This section of the GDPR applies much more to businesses than it does to the everyday consumer.
Despite the overall ‘hype’ around securing data, other sections of the regulation concern the
consumer far more directly, such as ‘the right to be forgotten’, under which consumers can require
the erasure of any personal data businesses may hold. However, individuals’ data will be far more
secure and consumers will have more control over their data, while the burden of proof for consumer
consent shifts from people to organisations.

Data Protection by Design
Mark Burnett, Certified GDPR Data Protection Officer, and
Head of Privacy, ClearComm




Article 5 of the GDPR, “Principles relating to processing of personal data”, specifically discusses
security, appropriate measures, robust procedures to prevent loss and damage, and restricted access
to data and the equipment used to process it. However, there are many other sections that emphasise
the need for a thorough and granular review of security.

The dictionary definition of protection is: “A legal or other formal measure intended to preserve civil
liberties and rights.”

An organisation’s security policies should include the means to prevent attempted cyber-attacks,
but, just as importantly, how data is accessed by staff and shared with processors must also be reviewed.
Human error accounts for most breaches of data security. For example, more than 50% of all
instances published by the ICO are ‘Disclosure Errors’, or sharing data with an unauthorised third
party. On top of this, we humans do like to break the rules; ignoring procedures and finding ways
around corporate guidelines are so common they can become indistinguishable from the actual
rules themselves and part of the office culture.

This isn’t the staff’s fault. This is a management issue and, most likely, the tip of the iceberg. Regular
minor data breaches are often an indication of a far greater underlying issue. It is essential to make
sure the GDPR compliance policies enable full operational functionality, are best practice and
essentially preventative, not remedial.

The GDPR recommends pseudonymisation, alongside encryption, as a way of enhancing security. This
is a process that ensures personal data can no longer be attributed to a specific data subject without
additional information; it replaces subject identifiers with artificial ones and reduces the risk that
sharing the data amounts to a breach. Only the data controller holds the necessary ‘key’ to re-identify
people, and that key must be kept separately from the pseudonymised data and protected.
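As an added illustration of the pseudonymisation process described above (example code, not from the handbook or any organisation it names), the following Python replaces direct identifiers with tokens derived from a key held only by the controller, and keeps the re-identification table as a separate object that is never shipped with the data set. The field names, sample records and example.com addresses are constructed for the example; the choice of HMAC over a bare hash is the author of this example's, not the handbook's.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the handbook)."""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (constructed for the example); other
# fields are left in clear so the processor can still analyse them.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic pseudonym for one identifier value under the controller's key.

    HMAC-SHA256 rather than a bare hash: an unkeyed hash of an e-mail address can
    be matched against a list of candidate addresses, a keyed one cannot without
    the key. Prefixing the field name keeps name and e-mail tokens distinct even
    when two values happen to coincide.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return (pseudonymised records, re-identification table).

    The table maps each token back to the original value. It is the 'additional
    information' the controller must keep separately from the shared data set and
    is never handed to the processor.
    """
    out, table = [], {}
    for rec in records:
        new = dict(rec)
        for field in fields:
            if field in new and new[field] is not None:
                token = pseudonym(key, field, str(new[field]))
                table[token] = new[field]
                new[field] = token
        out.append(new)
    return out, table


def reidentify(record, table, fields=DIRECT_IDENTIFIERS):
    """Controller-side reversal using the separately held table."""
    rec = dict(record)
    for field in fields:
        if field in rec and rec[field] in table:
            rec[field] = table[rec[field]]
    return rec


def leaks_identifier(shared, originals, fields=DIRECT_IDENTIFIERS) -> bool:
    """True if any original identifier value survives in the shared data set."""
    clear = {str(r[f]) for r in originals for f in fields if f in r}
    return any(str(r.get(f)) in clear for r in shared for f in fields)


# Constructed sample data: fictitious names and example.com addresses.
SAMPLE = [
    {"name": "Ada Example", "email": "ada@example.com", "plan": "basic", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.com", "plan": "pro", "spend": 480},
    {"name": "Ada Example", "email": "ada@example.com", "plan": "basic", "spend": 75},
]

if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)   # generated and stored by the controller only
    shared, table = pseudonymise(SAMPLE, controller_key)
    for row in shared:
        print(row)                              # tokens only; the two Ada rows still link
    print(reidentify(shared[0], table))         # controller recovers the original
```

Because the tokens are deterministic under the key, the processor can still group the two rows belonging to the same subject, which is usually the point of sharing pseudonymised rather than anonymised data. Rotating the key produces an unrelated set of tokens, so a data set shared under an old key cannot be linked to one shared under a new key.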

When sharing data with a processor or third party, the GDPR recommends clear processes,
contractual agreements and a well-thought-out procedure. Remember, you need to make sure that
processors have a data protection policy equivalent in scale to yours. This will include data processor
agreements which explain the mutual understanding of the security measures required, and the
responsibilities and liabilities if things go wrong. Importantly, this also includes who might have
access to the data, the way it will be transferred and how it will be deleted once the task is complete.
The recommendation is to audit every data processor regularly to ensure compliance. It isn’t only the
loss of data that might constitute a breach, it could be the accidental alteration or destruction too.
Therefore, your processors will play a vital role in the down-stream data processing journey.

Staff will also need to be regularly reminded why data security is so important to the organisation
and to the data that is held. GDPR awareness training is vital to ensure policies, procedures and
guidelines are fully understood. There is no point in having a well-thought-out policy framework
if the staff do not know what it means and how to apply it; without training the organisation is
probably already in breach of data protection and the GDPR.

Another key issue is remote, out-of-office working arrangements and the use of personal devices. The
risk of data being shared inappropriately or lost in these circumstances is clearly heightened.
Rock-solid procedures should be in place and written into user agreements or contracts
of employment, particularly when employees are not issued with corporate equipment, including
phones and laptops. Encryption of these devices will be paramount. A password policy is necessary
to ensure staff aren’t, for example, reusing the same login as their Facebook account; an organisation’s
vulnerability to a data breach is greatest at the weakest link.

There is always risk when storing and processing data, but especially so when a new project is
undertaken. This could be the implementation of a new CRM system, the launch of a new product or
service that involves the collection of data, or the processing of data for a new purpose. In all of these
examples, a Privacy Impact Assessment (PIA) should be conducted. As explained earlier, this will
effectively be an interrogation of current processes, the procedures used, how people access the data,
the impact on potential data subjects and the likelihood of failure. This really is an essential exercise
that will reveal potential threats and the vulnerability of an organisation and the risks it may face.
Importantly, it isn’t just about data protection. This assessment should also seek to measure risk to
privacy in general - this is about common sense. As well as upholding the rules, we need to carefully
consider the privacy of data subjects and how our project impacts on their lives.

In 2014, the Samaritans launched an app called Samaritans Radar. It was a project to help identify
individuals who might be vulnerable or potentially suicidal by allowing other people to register them
without their knowledge. The system allowed the third party to monitor tweets that might indicate a
heightened level of depression or desperation. The app was taken down after just one week because
many people had complained. The intrusion and breach of privacy, with the benefit of hindsight,
was so very clear. If a thorough PIA had been completed, if the project had been considered from all
points of view and common sense had been applied, the app would never have seen the light of day.
This is a good example of where a risk assessment is of enormous value.

The GDPR would also like organisations to identify particular individuals to ensure security is
upheld. A Senior Information Rights Owner (SIRO) will assume responsibility for security at the
highest level. This person is usually a member of the Senior Management Team or a Trustee of the
charity. Having a focal point for risk will help to develop a culture of protecting data, ensuring it’s
always on the agenda and guaranteeing that incidents are properly investigated to improve security
in the future. The SIRO will have full knowledge and oversight of the Information Asset Register,
which is a comprehensive inventory of all data assets processed by the organisation. The SIRO will
have appointed one or more Information Access Owners (IAO) to assist them in protecting each
asset. The IAO is the champion for that particular asset, keeping it up-to-date and sharing it with
care. This hierarchy helps to ensure that data protection has a foothold in every department and
throughout the fabric of the organisation.

To conclude

These appointments and the development of proper processes will help organisations to fully
implement data protection by design. To achieve this, organisations need to unravel every process
involving data and install appropriate technical and organisational processes. Aside from secure
handling, processing and transfer of data, this will also include making sure the processing is always
fair and transparent, limited to what is necessary, accurate and appropriate. Ensuring data protection
is by design and default ultimately means the organisation will uphold the rights and freedoms of
every data subject.

SUMMARY
The aim of the GDPR is to make data protection fit for purpose in the digital era, as well as creating
consistency across EU member states.

More power will be given to individuals to control their personal data, meaning that organisations
will find it much harder to bend the rules in favour of poor practice.

GDPR will apply to every organisation in the world that processes the personal information of EU
residents, and complying will no doubt be a mammoth task for organisations. Understanding the
importance of GDPR and what it entails is the first step on the way to GDPR compliance.
If organisations implement GDPR correctly, it will increase customer trust in them
and potentially create a competitive advantage.

To achieve GDPR compliance, organisations must review all their current processes and work
through each one to find out what changes should be made.

This book has been designed by GDPR.Report to provide readers with a comprehensive
understanding of the upcoming General Data Protection Regulation. It was written by some of the
leading figures in data protection and GDPR to help organisations on their roadmap to GDPR compliance.

To stay up-to-date with the latest news and comment on GDPR, visit GDPR.Report:

https://gdpr.report/

To attend one of our leading GDPR events, visit GDPR Summit London:

http://www.gdprsummit.london/

Follow the GDPR Summit Series YouTube channel to hear from more GDPR experts:

https://www.youtube.com/channel/UCwlTq3gRfiKtSsK787gMtMQ


TO FIND OUT MORE, PLEASE SCAN THE QR CODE:

WWW.GDPRCONFERENCE.EU

DESIGN BY AMPLIFIED BUSINESS CONTENT
