GDPR Initials Made Easy

Gdpr initial

hello and welcome to i fax presentation aim to thing all of you awareness of the new EU general data protection regulation otherwise known as gdpr this is a new regulation that will come into effect on the 25th of may 2018 and will apply it to all firms involved as either controllers or processors of client data it will bring a considerable amount of work to bring you to compliance for this is where I FAC will come in assisting and guiding firms to compliance on time today I shall explain the main aspects of the gdpr you need to be aware of and I will highlight the changes to current UK data protection laws and are going for the effect this will have on firms I will also be discussing the package the IFAC is offering to support firms and the preparations for becoming GDP are compliant first of all then let's have a look at what the GDP are actually is the GDP r is an EU initiative which as i said will automatically become law on the 25th of May 2018 replacing the UK Data Protection Act of 1998 it will unify data protection regulations across au member states and interpretation by individual countries will no longer be allowed essentially the GDP r is a new set of regulations governing firm storage security and use of personal data and it also covers how this data should be protected it's really been brought in to reflect changes in technology and the way in which organizations collect information about people and it provides a more detailed and broader definition of personal data in the modern technological age release for example an online identifier such as an IP address is now classed as personal data the main aim of the gdpr is to promote individuals fight surrounding their personal data and increase firm's level of accountability this is where I FAC will assist firms both in terms of becoming compliant but also having the paper trail in place to prove your compliance it's worth remembering that the UK isn't scheduled to leave the EU until March 2019 this is almost a year after the gdpr comes into effect so you won't be able to rely on folks it for implement for not implementing the gdpr into your business and furthermore there's currently no indication that the UK would look to rewrite the GDP are after its EU exist anyway so the expectation must be that the GDP will be around for the foreseeable future turning now to the main elements of the GDP are the treaty powers articulated in 99 articles contained within 11 chapters of the regulation thankfully not all of these 99 articles will be relevant to every single firm and we'll just be discussing a few of them today the main elements for consideration and the ones most likely to affect you are displayed in the diagram I will talk through each of these in turn highlighting any changes to current UK data protection laws and the changes firms will need implement starting off with accountability and governance this is really an overarching principle of the gdpr and in essence it means that firms must be able to demonstrate that phyllis e of personal data is both an integral and a routine part of their way of working we suggest that firms appoint an individual or a committee to be responsible for taking the firm to compliance this person or persons will ensure this staff has been made aware that there's a record of where the data is modernized and their systems are updated for compliance that an audit file is in place and that data is easily accessible another part of the firm being accountable under 3d PR is being able to evidence that the viscous data breaches has been assessed and that the firm have taken steps to mitigate such risk to reduce the likelihood and depth of harm to individuals turning now to the further six subheadings which are all constituents of a firm's accountability with regards to its GDP our commitments okay so the first subheading is strengthened individuals rights this is really cemented as the foundation of GDP our is one of the reasons the EU wrote the GDP our includes several voice for individuals which our list now firstly the right to be informed secondly the right of access also the right to rectification the right to request of Asia the right to restrict processing the right today support ability the right to object and finally the right not to be subject to automated decision making including profiling okay so that's quite a few rights which for individuals which have been brought out under the GDP are what it means in practice is that it it is a furnace responsibility to ensure that individuals receive clear and concise information in language which is easy to understand it's imperative that clients understand what personal data of theirs is being stored why the firm needs it and what the firm is doing with it it should be abundantly clear the client why they have to share that data of the firm and what the firm's nor fund basis is possessing that that data it's worth just noting for a minute I mentioned the vite request of asia this isn't actually the same as the right automatically sure where there's a legal basis to keep the client's data which is not necessarily based on consent then the firm wouldn't have to fulfill a client's requests to delete their data this will all be documented there as part of the audit process that I'll come on to shortly another important change under the treaty PR and another strengthened individual light is that a firm were no longer has permission to charge a client to access their data so the ten-pound fee which he can currently charge if a client asks to see their data this would be scrapped and you went from the 25th of May you will have to provide the client with their data free of charge and in addition instead of the current 40 days the timeframe for providing a client with a copy of their data will be reduced down to one month okay moving now on to the personal data inventory this is the main aspect of the gdpr and it's the first stage that is responsible within firms will be concerned with it would require firms report and evidence what personal data they approach assing the reason behind this and the lawful basis supporting it i fac have created a dedicated microsite which contains a pre-prepared personal data inventory which you can upload your client data onto and will help you in the record process it's a very easy process to upload the client data there's tick boxes and checklists and it'd be extremely easy for you to check all of your data is GDP our compliance firms must also report where personal data is being stored either on paper or electronically and if any suppliers or third parties oppose us and data in their behalf again I fact are here to help throughout this process firms may also need to organize an information audit and will need to cleanse their existing data this should be done as soon as possible especially if you have a large amount of personal data that you process to ensure that you don't miss the may 2018 deadline of becoming compliant ideally of course you should quit you should finish the personal data inventory stage ablating all your data onto a microsite while in advance of the deadline so the IFAC can then order that inventory and can you can have the paper trail in place in advance of the deadline but I think we'll work with you to find a workable solution where this made some difficulties just something back to the last point on strengthened individuals rights a reliable personal data inventory is crucial because they'll make it much easier for you to understand which of your data requires consent and which has another legal basis for holding it and therefore if an individual requests for their data to be arrays will make it much easier for you to see whether you need to meet that request or whether actually have another lawful basis for holding on to it and therefore you don't need to delete their data if you ask to do so okay so moving now on to consent as I mentioned already an individual's consent isn't always necessary to process their data but in cases where you are relying on consent it essentially this is freely given in a manner which is specific informed and unambiguous it must be on an opt-in rather an opt-out basis and silence in activity or fee text boxes will no longer be regarded as an acceptable form of consent personal data that has been obtained without this new tighter form of consent will either need to be deleted or new consent will need to be sought before the made of mine all of this will be recorded in the personal data inventory inventory which will prove vital in sightings which data requires an individual's consent and which does not again as I mentioned before the personal data inventory is all pre prepared for you on a fax microsites so a seal is a sign up to the package will be ready to go with creating your login for that okay moving now on to suppliers or third-party data processors for a firm to be gdpr compliant it must not only be aware of the personal data it itself is processing but it must also be aware of any third parties who face us soon Regine controllers in respect of its personal data under the tree DPR the firm is still accountable for the actions of third party data processors however the data processor will also now have additional legal obligations this is where firms will need to go through and review existing contracts and ensure that if necessary new contracts are drawn up between the firm and data processor I fight will be providing firms with a checklist for third party agreements and will also be available for individual inquiries where firms are not clear and these will also be audited as part of the compliance process that I fight Bergman's to you ok moving now on to privacy notices anyone who's ever bad or just attempted to read a full-length privacy policy will probably be aware that they are often long and complicated documents that are difficult to fully understand indeed it's been estimated they would take over 200 hours for an average person to read every Lucie policy for every website they visit in the year the GDP articles this impactful approach to privacy policies and whilst fidelity policies may remain much the same users MA initially be made aware of the salient fact in an easy-to-read notice at the point of consent or data collection this simplified privacy notice must be written and clear and plain language be provided free of charge and it should address the following key questions what information is being connected and by whom how is it collected and how will it be used why is it being collected and on what legal basis who will it be shared with and finally what will be the effect of this on the individuals concerned why was this simplified notice should be as concise and as transparent as possible individuals should still be directed to the food service II notice to read if they wish to do so I Fagin will be assisting firms with modified privacy policies we'll be providing you with a template for the C policy and we can also check your own ones over but this will happen once the inventory process you know once you've up is complete so once you've uploaded all of the data onto the personal data inventory on our microsite okay thinking though about data security and breach notification of course in the ideal world of breach won't occur but firms must of course be prepared for the worst case in our room and Italy DPR and must be able to act accordingly the worst did happen this means that firm lost money to pay policies and procedures and place to manage any data breaches in addition all firms whatever their size will have a duty to check investigate and report certain types of data breach to the ICO within 72 hours this also includes when a third party or supplier has breached data protection so that's why it's so important on the personal data inventory to extremely clear about what data you're sharing with whom say one of your third-party data processors did have a breach you would be able to notify the ICO of that within the 72 hour time frame not all data breaches will require reporting though days of my reporting are just those which likely to result in a risk to the rights and freedoms of individuals so example 3 choose which can result in individual discrimination damage to reputation financial loss loss of confidentiality or any other significant economic or social disadvantage where a breach was likely to result in a high risk to the rights and freedoms of individuals you will also have to notify those concerned directly I will be assisting without this though and we'll be there to help you with putting these procedures in place ok so having considered what the gdpr is we will now move on to thinking about how to prepare for it I would just go for a few frequently asked questions and say it first of all what if we haven't done anything yet is it too late ok it's no it's not you do have until the 25th of May of this year so there is still time but as you can probably see by now it is quite a lengthy process so you know it's not worth delaying it is worth starting as soon as you can secondly if you haven't completed by the 25th of May then yes you would be in breach because at the end of the day this is a European law which will be directly applicable to English law so if you haven't completed the GDP arts operations by the 25th of May you know you would be braising in English law however of course any steps that you have taken towards becoming 3dp are compliant would help to mitigate this and if you start now no reason that you should be in breach by the 25th of May there's essentially no shortcuts Bert becoming compliant with IFAC will make the process much more manageable and robust for firms the benefits of audits and forms of being able to show that you've taken the necessary steps towards compliance and having that paper trail and evidence in place if anyone asks what you have done it is worth noting now - that the tension fines for non-compliance with the gdpr are significantly higher than what they were under the Data Protection Act currently into the Data Protection Act the maximum fine you can face is 500,000 pounds for that skyrockets under the GDP are to 20 million euros or 4 percent of global turnover whichever is highest Satan in with such enormous fines in place for we know for breaching GDP are it's really not worth taking the risk ok so I FAC have put together a checklist of the main tasks for firms action before May 2018 we are here to assist you and we do realize that becoming and remaining freely GDP are compliant will take a significant chunk of time there's unfortunately no way of getting away from that but I five can take the stress out of much of it and hopefully provide you with peace of mind okay I am now going to look at the journey to GDP our compliance with IFAC so this is the compliance package that IFAC are offering you first of all today we are on the first stage that's increasing awareness that's making sure that anybody in your firm involves with personal data new handling or processing the personal data is aware of treaty PR and its impact and their responsibilities under GDP are ok if I was really today cetera is just to increase awareness the next step will be to consider whether it's necessary to a point a Data Protection Officer or who the responsible person within your firm is going to be whether that's one person or several people you will just depend on the volume of personal data that you process and the particular circumstances of the firm every firm they will need to delegate at least some form of responsibility in this regard whatever their size the next step will be you using a fax microsite to upload your client data and any other personal data onto the personal data inventory this is an this is an extremely easy process there's two possible ways of doing it you can either put all of your data into an Excel spreadsheet and then bulk upload on to the microsite or you can go on to the microsite and you can upload clients one by one this will also be set up to contain all future data it will involve you putting in basic information about a client to identify them and then answering a few gdpr related questions to ensure that each data piece you're uploading is fully gdpr compliant and if it's not then looking at what necessary action um needs to be taken I fight will of course actually help lyan Vios own or email throughout this process and we can also arrange one-to-one video calls if you need any support at this stage next I'm FAC will provide a checklist of the required steps in assessing on third-party contracts with processors or drone controllers and again you will need to record this as part of the inventory process and at this stage IFAC will complete an audit of the inventory say that you have the paper tray on in place firms will then receive comprehensive online training covering service Lea notices consent forms third-party contracts data breaches and individuals rights following on from this furnace will need to go away and put policies in place for how these will apply within their firm this again will all be checked and signed off by IFAC of course any individual issues that crop up will be dealt with by phone or insight audit visits and by the 25th of May all firms should be fully 3d PR compliant and will have C frame certificates for course completion and at this stage all firms should have a structure in place that they can use for ongoing compliance bespoke ongoing compliance and monitoring to ensure that firms remain gdpr compliant is a key element of effects package and this one involved online compliance audits there will also involve an IFAC online seminar which is a must for all employees of a firm which are involved with data the online seminars will be updated on a regular basis Shaylee say that you can show you where and you will also have the opportunity to set online examples to evidence your knowledge again this will be recorded for audit purposes and it will be repeated at working at intervals ok that is the end of today's presentation thank you for listening the hope that you now feel much more informed about the GDP our