The content in this presentation largely derives from work carried - - PowerPoint PPT Presentation



SLIDE 1

The content in this presentation largely derives from work carried out by the UK’s Information Commissioner’s Office

SLIDE 2

THE BIGGEST THREAT TO ORGANISATIONS FROM THE GDPR IS MASSIVE FINES.

  • THE LAW IS NOT ABOUT FINES. IT’S ABOUT PUTTING THE CONSUMER AND CITIZEN FIRST. WE CAN’T LOSE SIGHT OF THAT.
  • FOCUSING ON BIG FINES MAKES FOR GREAT HEADLINES, BUT THINKING THAT GDPR IS ABOUT CRIPPLING FINANCIAL PUNISHMENT MISSES THE POINT.

SLIDE 3

YOU MUST HAVE CONSENT IF YOU WANT TO PROCESS PERSONAL DATA (1).

  • THE GDPR IS RAISING THE BAR TO A HIGHER STANDARD FOR CONSENT.
  • CONSENT IS ONE WAY TO COMPLY WITH THE GDPR, BUT IT’S NOT THE ONLY WAY.
  • FOR PROCESSING TO BE LAWFUL UNDER THE GDPR, YOU NEED TO IDENTIFY A LAWFUL BASIS BEFORE YOU START.

SLIDE 4

YOU MUST HAVE CONSENT IF YOU WANT TO PROCESS PERSONAL DATA (2).

  • ASSESS WHETHER YOU NEED IT.
  • IF YOU THINK SO, THINK AGAIN.
  • IF YOU STILL THINK SO, CHECK HOW YOU GOT IT.
  • IF IT DIDN'T MEET GDPR STANDARDS, IT NEEDS TO BE RENEWED.

SLIDE 5

GDPR IS AN UNNECESSARY BURDEN ON ORGANISATIONS.

  • THE NEW REGIME IS AN EVOLUTION IN DATA PROTECTION, NOT A REVOLUTION.
  • IF YOU ARE ALREADY COMPLYING WITH THE TERMS OF THE DATA PROTECTION ACT, AND HAVE AN EFFECTIVE DATA GOVERNANCE PROGRAMME IN PLACE, THEN YOU ARE ALREADY WELL ON THE WAY TO BEING READY FOR GDPR.

SLIDE 6

ALL PERSONAL DATA BREACHES WILL NEED TO BE REPORTED.

  • IT WILL BE MANDATORY TO REPORT A PERSONAL DATA BREACH UNDER THE GDPR IF IT’S LIKELY TO RESULT IN A RISK TO PEOPLE’S RIGHTS AND FREEDOMS.
  • THE THRESHOLD TO DETERMINE WHETHER AN INCIDENT NEEDS TO BE REPORTED TO THE DP COMMISSIONER DEPENDS ON THE RISK IT POSES TO PEOPLE INVOLVED.

SLIDE 7

IF YOU DON’T REPORT IN TIME A FINE WILL ALWAYS BE ISSUED AND THE FINES WILL BE HUGE.

  • FINES UNDER THE GDPR WILL BE PROPORTIONATE AND NOT ISSUED IN THE CASE OF EVERY INFRINGEMENT.

  • TELL IT ALL, TELL IT FAST, TELL THE TRUTH.