With GDPR now in effect and with the benefit of six months’ hindsight, what problems and pitfalls have you experienced, and what lessons have been learned?
Managing Data Subject Rights and Requests
Has your organisation covered the provisions of GDPR relating to data subject rights, including subject access requests (SARs) and the other rights, and the implications of not complying with them? This includes:
- Subject access requests
- Right of erasure
- Right to data portability
- Right to prevent automated decision making and profiling
- Other rights
- The cost of non-compliance
Data Protection Impact Assessments
One of the key requirements of the GDPR is that organisations must carry out data protection impact assessments (DPIAs) in certain circumstances. Under the previous rules there was no such compulsory requirement, so many organisations will have no previous experience of what a DPIA entails. Failing to carry out a DPIA when one is required could lead to enforcement action.
Have you summarised the key provisions relating to DPIAs which include:
- What is a DPIA?
- How is a DPIA different from a Privacy Impact Assessment?
- When is a DPIA required?
- What should be reviewed as part of a DPIA?
- In what circumstances will organisations need to consult with the ICO?
Age Verification for Online Services Offered to Children
Under the GDPR, online services ‘directly offered’ to children are subject to additional mandatory safeguards. One of these is establishing the age of the purported user.
The practical problem is establishing the actual age of the would-be user by methods that are not likely to put off the child or the person with parental responsibility, but which remain an effective, easy-to-use and cost-effective solution for the online service provider. Has your organisation considered the age verification methods that have been used, and the guidance and proposals from regulators including the ICO and the BBFC (the British Board of Film Classification)? Points to cover:
- The requirements of the GDPR in respect of children, including consent issues
- At what age can a child give data protection consent in the UK? Is it the same in the rest of the EU/EEA?
- When might an online service be held to be ‘directly offered’ to children?
- Can an online operator in practice safely rely on a lawful basis other than consent to avoid age verification problems?
- An account of some online age-verification methods – their potential benefits and disadvantages
- A brief account of the BBFC age verification guidance: Suitable for GDPR purposes?
- Exemptions to the need for age verification
- If a child can give data protection consent without parental authorisation, might this in practice affect the age requirements for the validity, formation or effect of a contract?
The ‘Right to be Forgotten’ Under the GDPR
The use of data protection law to control the dissemination of embarrassing or out-of-date material was a late and controversial development under the Data Protection Directive and the DPA 1998.
How will such attempts fare under the GDPR and the DPA 2018?
- The old and new regimes contrasted
- To what extent are the decisions in Google Spain and NT1/NT2 v Google reliable guides to how things will work in the future?
- Latest case law and guidance
- Practical steps for a client who is seeking to have their data erased
- Practical steps for a client faced with an erasure request
Transferring Personal Data Out of the EU/EEA – Some Forthcoming Problems?
Generally under the GDPR, any transfer of personal data to a third country (outside the EEA) or to an international organisation can only take place if the controller and processor comply with the conditions set out in Chapter V (Articles 44 to 50).
Under the Data Protection Act 1998, much use was made of EC-approved Standard Contractual Clauses (SCCs, formerly known as Model Clauses) to regularise and simplify such transfers. For transfers to the USA, the EU-US Privacy Shield was widely employed. The Shield replaced the discredited Safe Harbor mechanism and its underlying EC adequacy decision, which had been declared invalid by the Court of Justice of the European Union (CJEU).
Is your organisation aware of:
- The present position of Data Protection Standard Contractual Clauses (SCCs)
- Some of the perceived weaknesses of SCCs. Might their use for some countries be more problematic than for others?
- The forthcoming CJEU challenge to SCCs
- The EU-US Privacy Shield and its current implementation and operation in the USA. Its actual and apparent weaknesses. Might the Shield also be successfully challenged?
- The UK’s GDPR position post-Brexit
Preparing For and Responding to Data Incidents
Is your business aware of the whole lifecycle of a data incident, from identifying the problem areas in advance and designing policies to prevent and manage incidents, through to minimising the reputational fall-out? This includes:
- Recognising internal and external threats
- Developing proactive threat prevention policies
- Understanding breach reporting requirements
- Managing the breach and the reputational issues
- Implementing an incident response policy
Post GDPR – Enforcement and Compensation Update
Since 25 May 2018, the ICO can fine organisations up to 20 million euros or 4% of annual worldwide turnover, whichever is the higher. This session will review examples of enforcement action that have taken place since the GDPR came into force, with particular emphasis on data security breaches. Relevant examples of compensation awards will also be discussed.
Is your organisation aware of:
- Summary of enforcement powers
- Details of recent enforcement examples
- ICO guidance on reporting and dealing with security breaches
- Latest position on awards of compensation
- Practical steps to limit risk
Still confused by GDPR? Contact our team of accredited HR Consultants today on 01223 855441 for GDPR advice, guidance and implementation.