This presentation provides a breakdown of the key changes organisations can expect from the GDPR

1. General Data Protection
Regulations: The Key Changes
Craig Clark Information Security & Compliance Manager

2. Topics
• What is the GDPR?
• European Law
• Key Dates for the GDPR
• Key changes from Data Protection Act
- Harmonisation
- Enforcement
- Off Shore Processing
- Governance
- One Stop Shop
- Consent
- Transparency
- Data Portability
- Data Processors
• Next Steps

3. What is the GDPR?
• A complete overhaul of data protection regulation with extensive updates of what can
be considered identifiable information
• Applies across all member states of the European Union
• Applies to all organisations processing the data of EU data subjects –wherever the
organisation is geographically based
• Specific and significant rights for data subjects to seek compensation, rights to erasure
and accurate representation
• Compensation can be sought against organisations and individuals employed by them
• Fines of up €20,000,00 or 4% global annual turnover
• Significant reduction in that amount based on the implementation of technical, or
organisational controls implemented

4. European Law Landscape
EU Legislation can be separated into two main branches:
Directives
• Require individual implementation in each Member State (Each State can
implement rules in their own way)
• Implemented by the creation of national laws approved by the parliaments of
each Member State
• European Directive 95/46/EC is a Directive
• Sets out a goal that a member state must achieve –room for tailoring
• UK Data Protection Act 1998

5. European Law Landscape
EU Legislation can be separated into two main branches:
Regulations:
• Immediately applicable in each Member State in a uniform manner
• Binding legislative Act
• Require no local implementing legislation – no tailoring
• EU GDPR is a Regulation
• Regulations are not negotiable by member states
• Regulations may apply to countries outside the EU if they affect EU subjects
(people who are originally from the EU)

6. Key Dates for GDPR
8 April 2016 the European Council adopted the Regulation.
14 April 2016 the Regulation was adopted by the European
Parliament.
4 May 2016, the official text of the Regulation was published
in the EU Official Journal in all the official languages.
The Regulation entered into force on 24 May 2016, and
applies from 25 May 2018.
This Regulation shall be binding in its entirety and directly
applicable in all Member States.

7. GDPR Structure
European Data Protection Board
Lead Supervising Authority
(Information Commissioners Office)
Data Processor
Data Controller
(Organisation)
Data Subject
(Individuals)
3rd Countries 3rd Party

8. GDPR Structure
• The European Data Protection Board will issue guidance for
controllers and processors
• They will facilitate the use of Data Protection Impact Assessments
• The ICO will oversee both Data Controllers and Data Processors
• Breaches and Notifications will be made to the ICO
• 3rd Countries – countries to which data is transferred
• At the centre of the GDPR is the protection of Personally
Identifiable Information

9. Key Changes Between DPA and GDPR
Harmonisation Across Member States:
• Adoption of a single set of rules on data protection, directly applicable in all
EU Member States: Even if the UK leave the EU the GDPR will apply for all EU
Data Subjects
• Each Member State has previously implemented data protection laws locally
which transpose the EU Data Protection Directive leading to fragmentation
in terms of compliance requirements across Member States.
• The GDPR is intended to adopt a harmonised approach to compliance across
all Member States by implementing legislation that will be directly applicable
in all 28 Member States. There will be no opportunity for local transposition.

10. Key Changes Between DPA and GDPR
Enforcement:
• A revised enforcement regime underpinned by power for supervising
authorities to levy heavy financial sanctions of up to 4% of the annual
worldwide turnover of the organisation or €20 Million, whichever is greater.
• Fines are designed to be effective and dissuasive and ensure that which will
non compliance is considered a significant risk for businesses.
• Supervisory authorities will have the power to impose these sanctions from
where the data subject habitually resides or in the territory that the breach
occurs. These changes will significantly increase the risk associated with
privacy non-compliance.

11. Key Changes Between DPA and GDPR
Off Shore Processing:
• Application of the GDPR to companies established outside the EU, if
they target EU citizens e.g. international students.
• The new rules have a broader territorial scope since they apply to non-
EU established companies targeting the EU market by either offering
their goods or services to EU citizens or by monitoring their behaviour.
• Currently, EU Data Protection legislation only applies to non-EU
established controllers if they make use of equipment on EU territory
for the purposes of processing personal data, and to processing taking
place in the EU.

12. Key Changes Between DPA and GDPR
Governance:
Area of major change
• Increased responsibility and accountability on organisations to manage how they
control and process personal data.
• Controllers must ensure all personal data is processed in compliance with the
Regulation and be able to demonstrate compliance to a supervisory authority if
requested.
• There is now a requirement to keep extensive and detailed records of processing
operations.
• Organisations must perform Data Privacy Assessments for all high risk activities.
• A Data Protection Officer must be formally appointed and recognised with a
number of stipulations added for ensuring impartiality.

13. Key Changes Between DPA and GDPR
Governance Continued:
• When notifying the regulator of data breaches, Controllers will be required to notify
the Information Commissioners Office, and in some cases the data subjects
involved of significant data breaches within 72 Hours.
• Privacy by design - taking privacy risk into account throughout the process of
designing a new product or service, rather than treating it as an afterthought. Now
required to assess and implement appropriate technical and organisational
measures and procedures from the outset to ensure that processing complies with
the Regulation and protects the rights of the data subjects.
• Privacy by default - ensuring mechanisms are applied retrospectively to ensure
that, by default, only as much personal data is collected, used and retained for each
processing task, both in terms of the amount of data collated and time for which it
is kept.

14. Key Changes Between DPA and GDPR
One Stop Shop:
• Ability to nominate a single national data protection authority as the
lead regulator for all compliance issues in the EU, where the
organisation has multiple points of presence across the EU

15. Key Changes Between DPA and GDPR
Consent:
Area of major change
• The DPA allows a controller to lawfully process data with the "consent"
of the data subject. Consent can be either express or implied consent -
or where the processing is necessary for the "legitimate interests" of
the controller in circumstances that do not cause undue prejudice to
the individual.
• GDPR redefines consent. Now, consent must be freely given, specific,
informed and unambiguous. Implied consent, (e.g., by just staying on a
website or not responding to a request) will not be sufficient.

16. Key Changes Between DPA and GDPR
Consent Continued:
• Requiring consent from an end user in order to give that person access to a service,
where these personal data are not necessary to perform the contract, will no longer
be allowed.
• Controllers will be expected to provide much more consideration in their working
practices as to what the data subject would like and expect their data to be used
for.
• Consent can be withdrawn any time, and as easy to withdraw consent as give it
• Data subject must give consent for specific purposes - blanket consent no longer
allowed –This has significant implications in information sharing, processing and
retention
• One month to respond to subject access and no charges can be applied
• Must be able to supply evidence that consent for each specific purpose was given

17. Key Changes Between DPA and GDPR
Transparency:
• Any communications with a data subject must be concise, transparent,
intelligible
• Controller must be transparent in providing information about itself and the
purposes of the processing
• Controller must provide data subject with information about their rights.
• Policies must explain to data subjects both how their personal data will be
processed and what their individual rights are and how they may be
exercised.
• This must be provided in an intelligible form, using clear and plain language
that will be understood by the target audience.

18. Key Changes Between DPA and GDPR
Data Portability:
• The Regulation introduces a new right to data portability, which grants
data subjects the right to receive personal data concerning him or her,
which he or she has provided to a controller, in a structured and
commonly used and machine-readable format.
• The data subject is also entitled to have the data transmitted directly
from one controller to another, where this is technically feasible.
• A statutory "right to be forgotten" has been included which will allow
individuals the right to require a controller to delete data files relating
to them if there are no legitimate grounds for retaining it – including
when a subject has withdrawn consent.

19. Key Changes Between DPA and GDPR
Data Processors:
• The GDPR directly regulates Data Processors
• Processors will be required to comply with a number of specific obligations,
including to maintain adequate documentation, implement appropriate
security standards, carry out routine data protection impact assessments,
appoint a data protection officer, comply with rules on international data
transfers and cooperate with national supervisory authorities.
• Processors will be liable to sanctions at the same level as controllers if they
fail to meet these criteria.
• Information Sharing Agreements will help ensure that Controllers give clear
instructions to processors on how they expect and require their data to be
handled.

20. Next Steps
• Meet with top management and form a Working Group to ensure that
compliance with GDPR before it is enforced.
• Follow the ICO’s ‘12 Point Plan’ for actions to take prior to introduction.
• Obtain specialist knowledge in the implementation of changes required
and ongoing compliance with GDPR.
• ITIBGQ offer Foundation and Practitioner certification in EU GDPR – in
my view these certifications are essential for Information Security
managers so that they can provide the skills and advice required to
ensure compliance.