Leading employment lawyer Pam Loch, and digital expert Katie King share their advice on how to get to grips with the topic of the moment - GDPR. They look at who is liable, the impact of Brexit, how it affects marketing and what steps you can take to prepare.

1. General Data Protection Regulation
Pam Loch, Managing Director of Loch Associates Group
Katie King, Managing Director of Zoodikers

2. Introductions: Pam Loch
• Established the Loch Associates Group in 2007, incorporating:
• Loch Employment Law providing expert employment law
• HR Advise Me providing outsourced HR consultancy
• Loch Health - an employee wellness and absence management provider
• Loch Mediation which seeks to fix workplace relationships
• Chambers & Partners ranked as a Leading Individual in
Employment Law
• Prolific speaker at sector conferences, events and seminars
• Regular contributor to publications such as International
Workplace, Personnel Today and Jordans
• Pam provides regular commentary for the BBC, TV and Radio, on
employment law and HR issues
• She is also an accredited Mediator

3. Introductions: Katie King
• Managing Director of Zoodikers
Consulting. MBA
• Director of Transformation – Digital
Leadership Associates
• Co-founder of AIinFM
• TEDx speaker
• Chairperson of PRCA’s South
East/E.Anglia Group
• Regularly called on to commentate on
social media for BBC TV and radio
• Spoken and moderated at high-profile
industry events

4. What is the GDPR?

5. DPA to GDPR…
Why?
• To introduce greater harmonisation of data protection across the EU
• For businesses to bear the responsibility of assessing data risks and
their own processes with data
• “One-stop-shop” and uniform data protection across the EU
Data Protect Act 1998
Currently in force
General Data Protection
Regulation
25th May 2018
Comes into force

6. What does it mean?
Core concepts of the DPA remain unchanged:
GDPR applies to “personal data”
GDPR regulates the “processing” of
personal data, including:
• Information relating to an identifiable
person
• IT, Marketing, Finance etc.
• Also employee, HR and recruitment
information
• “Data Subject” - individuals whom the
data relates to
• Collection
• Storage
• Use
• Alteration
• Disclosure
• Destruction

7. There are six legal bases to process data under the GDPR:
1. Consent – The individual has given you consent to process his/her data for one or more
purposes
2. Contracts with an individual - Need to process personal data for performance of a contract
3. Compliance with a legal obligation – If UK or EU law requires the processing of their personal
data
4. Vital interests – When processing the data protects the subject’s life or someone else’s
5. Public tasks – Processing personal data is needed to fulfil your official function or perform a
task in the public interest
6. Legitimate interests – Where there is a genuine legitimate reason, including commercial
benefit, to process personal data. This is an important basis for the private sector.
Bases for processing data

8. Key aspects of GDPR
• Applies to ALL organisations that store or process EU citizen’s data
• The individual’s rights to their personal data are stronger
• Applies to physical filing systems AND electronic data
• GDPR breaches can incur fines of up €20 million or 4% of annual
global turnover – whichever is higher
• DPA fines were up to £500k by the ICO
• Organisations are held accountable for demonstrating compliance
• This needs to be evidenced
• Consent MUST be unambiguous – verifiable, clear & affirmative

9. Who is liable?
Data Controllers Data Processors
• Organisations that initially collect the
personal data
• Businesses & organisations included
• They dictate why the data is processed
and how it is processed
• Under GDPR, they are liable for the
contracts with Data Processors
• Those who actually process the data
• For example payroll companies and
internet service providers
• GDPR sets out the specific legal
obligations of Data Processors who
have more legal liability than before if
there is a breach

10. The Changes

11. New obligations - Summary
• Consent – clear and affirmative action
with detailed records
• Privacy Notices – more detailed
information about data held
• By Design & Default – data Protection
Impact Assessments (PIAs)
• Data processors – directly liable for some
breaches, heavy fines
• Notification rules – without delay and
within 72 hours
• Data subject rights – to rectification, to be
forgotten, to object to profiling
• Data Portability – right to have a copy of
personal data
• Subject Access Requests – response
within one month (DPA, 40 days)
• Pseudonymisation – data no longer
attributed to a specific individual
• Data Protection Officers – some
organisations need to appoint a DPA
• Binding Corporate Rules (BCRs) –
transferring data outside the EEA
• Increased enforcement powers – audits,
fines, more power

12. Consent
• All organisations must
• Demonstrate the data subject gave consent to
processing
• Keep detailed records as evidence
• Failing to un-tick a pre-ticked box will no longer be
valid consent
• Ticking a blank box is consent
• Consent can be withdrawn at any time
• Consent cannot be conditional
• E.g. as part of a contract or providing a service
• If not necessary to fulfil contract

13. More detailed Privacy Notices
• Businesses will need to provide more
detailed information such as:
• How long data will be stored for
• If data will be transferred to other
countries
• Information on the right to make a data
subject access request
• Information on the right to have personal
data deleted or rectified in certain
situations
• The information must be:
• Concise
• Transparent
• Intelligible
• Easily accessible
• Free of charge
• Written in clear and plain language
A privacy notice is the information that Data Controllers are required to give to
Data subjects/individuals

14. By design and default
Data protection by design
• Data protection risks taken into
account throughout the process
of creating and operating a
policy, process, product or
service
Data protection by default
• Procedures must be in place
within the business to ensure
that only personal data
necessary for each specific
purpose is processed and stored

15. New obligations for data processors…
• The GDPR does not remove the onus on data controllers to ensure
compliance
• It is likely to substantially impact processors in the following ways:
• Data processors will be directly liable for some breaches
Increased compliance
obligations and penalties
• Likely to result in an increase
in the cost of data
processing services
Negotiating data processing
agreements may become more
difficult
Processors may need to review
their existing data processing
agreements
• To ensure that they have
met their own compliance
obligations under the GDPR

16. Data breach notification rules
• All data breaches must be notified to the
data protection authority:
• Without undue delay;
• And where feasible within 72 hours
• Unless the data breach is unlikely to result in a
risk to the individuals
• If not possible it will have to justify the delay
to the data protection authority by way of a
“reasoned justification”
• Individuals must be informed if their rights
and freedoms are at risk from a data breach

17. New Data Subject Rights
• Right to Object to:
• Processing based on legitimate interests or on a public interests bases
• Direct marketing
• Processing for scientific or historical research
• Right to Rectification
• Request for personal data to be rectified if it is inaccurate or incomplete
• “Right to be Forgotten”
• Request a business to delete their personal data in certain circumstances
• E.g. if the data is not being used for the purpose it was originally collected

18. …New Data Subject Rights
• Right to Data Portability
• Right to obtain a copy of their personal data in a commonly used and
machine-readable format
• Data Subject Access Requests
• Similar to DSARs under the DPA
• Must respond within one month (no longer 40 days)
• More information required and no longer a £10 fee
• Organisations must comply with requests (although can object in
some circumstances)
• Requests must be responded to within one month (or two if complex)

19. Pseudonymisation
• New concept of “pseudonymisation”
• Processing of personal data in such a manner
that the personal data can no longer be
attributed to a specific individual, without
additional information
• Pseudonymous data will still be treated as
personal data
• But possibly subject to fewer restrictions on
processing if the risk of harm is low.
• EU wide guidelines are expected to be
produced to harmonise all the different EU
countries approaches

20. Data Protection Officers
• All public authorities and private companies involved in regular monitoring or
large scale processing of sensitive data will need to appoint a Data Protection
Officer
• E.g. organisations that conduct online behaviour tracking or health service providers
• Other organisations may want to appoint a DPO to ensure their compliance – but
this is not a legal requirement
Role of the DPO
• A single DPO can be appointed to act for a group of
companies
• Can be an existing employee – if their role does not
conflict with being a DPO e.g. decides how they
process personal data
• Monitors compliance with the GDPR
• Not personally responsible for non-compliance
• Must keep up to date with data protection rules
and regulations
• The first point of contact with supervisory
authorities and data subjects – contact details must
be available

21. Binding Corporate Rules (BCRs)
• BCRs are not a new concept
• Agreements used to lawfully transfer personal
data out of the European Economic Area (EEA)
• The GDPR formally recognises BCRs and
simplifies the process for gaining approval to
use BCRs from the relevant data protection
authority
• BCRs are available to both controllers and
processors
• Difficult to assess the effect on businesses yet
as the impact of the ECJ’s judgment on standard
contractual clauses and BCRs is still being
considered. Further guidance expected

22. The Impact

23. Impact on marketing
• Recent DMA Survey found that 70%
of marketers were most concerned
about how GDPR would affect
marketing consent.
• More concerning, only 54% of
businesses expect to be compliant by
the deadline.
• Chris Daly, chief executive of the
Chartered Institute of Marketing,
says: "There is a real lack of
awareness about this issue in our
sector - 60% thought it wouldn't
affect their business at all."

24. Impact on marketing
• Silence, opt-outs or inactivity
can’t be relied up on
• Active processes such as box-
ticking will have to be put in
place.
• You must be able to demonstrate
that consent has actually been
given.
• Ensure you put these processes in
place that meet these
requirements

25. The move to social…
• We’ve seen the recent
unprecedented announcement
that Wetherspoons was deleting
its marketing database of 700,000
customers rather than trying to
clean it!
• Rather than newsletters, the
company will now use its website
and social media accounts on
Twitter and Facebook to promote
deals and other relevant
information.

26. Impact on HR
• A fifth (21 per cent) of people plan to
use their rights under GDPR to ask
their employer or ex-employers to
delete their information, research has
revealed.
• The poll of 2,000 consumers by data
analytics company SAS also found
that a similar proportion of people
(22 per cent) intend to use the new
laws to access the data their
employer holds on them, and 21 per
cent would seek out human
intervention in favour of automated
process for performance reviews.

27. Data Breaches

28. Case study: local authority
• The UK data protection regulator, the
Information Commissioner’s Office
(ICO), fined a local authority £100,000
for failing to have security measures in
place to guard against the accidental
loss or destruction of data.
• Documents containing personal data of
around 100 people were found by the
purchaser of a disused building
previously used by the council.
This occurred when the local authority
moved out, leaving behind various
documents.

29. Increased enforcement powers
• Under the DPA, the maximum fine for non compliance in the UK is £500,000
• Significant increase in the maximum fines for data controllers and data processors
on a two-tier basis:
• Investigative powers extended to include a power to carry out audits, require
information to be provided, and obtain access to premises
Up to 2% of annual worldwide turnover of the
preceding financial year or €10 million
(whichever is the greater) for violations relating
to:
• internal record keeping
• data processor contracts
• data security and breach notification
• data protection officers
• data protection by design and default
Up to 4% of annual worldwide turnover of the
preceding financial year or €20 million
(whichever is the greater) for violations relating
to:
• breaches of the data protection principles
• conditions for consent
• data subjects rights
• international data transfers

30. What if a business fails to comply?
Negative impact on customer confidence and reputation
Increased penalties and enforcement powers under the GDPR
If a business breaches its obligations it may be subject to a fine of up to €20 million
or 4% of the undertaking’s worldwide annual turnover, whichever is the higher
The ICO will have the power to impose further sanctions including specific
compliance orders and a ban on processing personal data
Risk of a claim for compensation by individuals or bodies acting on their behalf

31. What next?

32. What are the next steps?
1. Understand the GDPR
2. Ensure key people know about the GDPR and the extent of the penalties
3. Audit your current data processes*
4. Identify high risk areas
5. Assess your legal grounds for processing data
6. Formulate a plan & timeline for compliance
*Loch Associates Group can conduct a GDPR audit of your HR, Marketing
and IT processes

33. Consider your data
• Make sure you realise the extent of ALL the data you process and keep
• For example, if you are a facilities management company of a shopping
centre you are likely to have personal information about:
• The employees of each shop
• Your employees
• Your suppliers – such as cleaning product companies & contacts
• Your clients (i.e. management of the shopping centre, and other if there are more)
• Any prospects (e.g. for marketing purposes you may have data on all the shopping
centres in Kent)
• The majority of the above is third party data – you will still be liable for a
breach of this information, should your processes be at fault

34. What about Brexit?
• Although GDPR applies to data processing
carried out by organisations operating
within the EU, it also applies to
organisations outside the EU offering
goods or services to EU citizens.
• The GDPR will replace the UK's Data
Protection Act 1998 from 25 May 2018
and the government has confirmed that
the UK's decision to leave the EU will not
change this.
• So Brexit is not a "get out of jail free" card

35. We’re here to help you
People are our business
Our HR Consultants
combine HR expertise
with a solutions
focussed, commercial
approach to provide cost
effective HR support
Our specialist
employment lawyers can
advise on all aspects of
Employment Law.
Our team of highly
qualified medical
professionals deliver
employee wellness
checks and bespoke First
Aid training
Our mediation service is
designed to assist in
resolving conflicts and
disputes quickly to limit
the damage and avoid
costly litigation

36. Thanks for your time
Please don’t hesitate to contact us
Pam Loch
pam.loch@lochassociates.group
Loch Associates Group
Katie King
katie@zoodikers.com
Zoodikers