Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare



NetSquared London - GDPR for charities

These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful.

The presentation was to help charities understand the most pressing implications of GDPR as well from an operational and marketing standpoint.

You can find out more about our organisations here:

NetSquared London - GDPR for charities

  1. 1. Charities and GDPR What you need to do
  2. 2. GDPR - What Will It Mean for Your Charity? November 15, 2017 #Lightful #GDPR
  3. 3. 3 Lightful Haydn Thomas @HMTIV #Lightful #GDPR
  4. 4. Services Lightful is a technology company for social good. We help charities and social enterprises raise more funds, awareness and support using digital and social Platform Labs #Lightful #GDPR
  5. 5. Our experience… #Lightful #GDPR
  6. 6. Tell us about you… #Lightful #GDPR
  7. 7. 7 GDPR – An Overview & What It Means For Charities HAYDN THOMAS & ANDREW CROSS @HMTIV @Crozzmeister #Lightful #GDPR
  8. 8. 8 Data Protection Introduction Data Protection Act (DPA) of 1998 Privacy, Electronic and Communications Regulation (PECR) of 2003 Freedom of Information Act of 2000 E-Privacy Regulation (2018, on course to launch with GDPR) General Data Protection Regulation (GDPR) of 2016 (Compliance – NOW!, Enforced from May 25th 2018 Data Protection Bill (DPB); Implements GDPR with UK Variations. The story so far… Which will become…. #Lightful #GDPR
  9. 9. 9 GDPR – The lowdown What? The General Data Protection Regulation (GDPR) and EU Legislation for Data Protection (DP) When? May 2016 > 25th May 2018 Who? All EU Organisations that process Personal Data or organisations overseas that process data on EU Citizens How? ICO Guidance, Regulatory bodies, Seminars #Lightful #GDPR
  10. 10. 1 0E – Privacy lowdown What? Overhaul of PECR 2003 regarding processing of electronic communications data When? Likely 25th May 2018 Who? As Before (EU States and EU Citizens) How? ICO Guidance on how to handle new e- privacy regulation #Lightful #GDPR
  11. 11. 1 1 VS What Has Changed? #Lightful #GDPR
  12. 12. 1 2 The 6 principles of GDPR Process lawfully, fairly and in a transparent manner. Collect for specified, explicit and legitimate purposes. Only keep what is adequate , relevant and limited to what is necessary. Store accurate information and keep up to date. Retain only for as long as necessary. Process in an appropriate manner to maintain security. And the bonus principal….accountability #Lightful #GDPR
  13. 13. 1 3Consent • Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed • What does this mean? • Usually on point of Data Collection (Web Forms, Paper Forms or Via verbal pathways) that the Data Subject is given a statement that corresponds to what their information is being used for, usually including who will be storing the data (Data Controller); how they can find out more (DP Policy Link); with clear information on how to opt out of certain processing. Affirmative Opt-In boxes: Mail/Tel/Email/SMS Clearly labelled Optional Information (Separate from the main form) Re-Permissioning – Consent needs to be refreshed on a regular basis Consent Centre – My Life Digital (MLD) , Lightful Salesforce Application and Communities/Platform Preference Centre What is consent? What constitutes as “Valid” consent? #Lightful #GDPR
  15. 15. 1 5GDPR - Data Subjects Rights Data Subjects have the following rights: Whilst the GDPR builds on the Data Protection Act which all entities within the UK need to adhere to, the following represent the key changes for organisations. 1. The Right to be informed – How data will be used through a Fair Processing Notice/Policies. 2. The Right to Rectification – To correct personal information If we possess inaccurate/outdated data. 3. The Right to Erasure – To remove yourselves from our databases. 4. The Right to Object/Restrict Data Processing. 5. The Right to Object/Restrict Data Processing for Marketing Purposes. 6. The Right to Data Portability 7. The Right to Refuse Automated Profiling and Decision Making 8. The Right to Access your Information – (Formally Subject Access Request) #Lightful #GDPR
  16. 16. 1 6GDPR - Consequences • Tiers of monetary penalties, above and beyond the maximum £500,000 the ICO can currently dish out, this is circumstantial and depends upon the violation itself and if there has been any previous violation by the Data Controller or Data Processor. TIER 1: Up to 20 million Euros or 4% of Annual global turnover – Whichever is highest. TIER 2: Up to 10 million Euros or 2% of Annual global turnover – Whichever is highest. With both the Tier 1 and 2 fines it is likely there needs to be cases of precedence before there will be some general rules of thumb being dished out by the ICO. OTHER ACTIONS AS BEFORE COULD BE: Enforcement Action Undertakings Advise #Lightful #GDPR
  17. 17. 1 7Subject Access Requests + Data Protection Officer • Subject Access Requests – This is where the Natural Person enacts their right to obtain all the personal data that your organisation holds on them; this request has to be done in writing and with proof of identification, also at present a small fee can be chargeable (£10). This fee disappears under the GDPR; however, for “excessive” cases there is some justification to make a charge. Data Protection Officer– Do I need One? The role of the Data Protection Officer, then comes into play and the assessment around the requirement for needing one also must be evaluated. The GDPR stipulates that one is only required when one of the certain conditions are met: * Exceptions do apply – (Courts acting in their judicial capacity) The organisation in question is a public body* The organisation carries out large scale monitoring of Individuals The organisation carries out large scale processing of special categories of data or processing of any data that relates to criminal convictions or offences #Lightful #GDPR
  18. 18. 1 8What you need to do Be able to report Data Breaches to the ICO within 72 hours Be able to answer a Subject Access Request (SAR) within 30 Calendar Days Have clear lines of accountability and a nominated representative (DPO) Have compliant data processes –Acquisition, use, retention, deletion) Document Data Privacy Impact Assessments (DPIA) Informed Consent documented and “Recent” or reliance on Legitimate Interests clear #Lightful #GDPR
  19. 19. 1 9 HAYDN THOMAS 3 Key Takeaways #Lightful #GDPR @hmtiv
  20. 20. 2 0 #Lightful #GDPR Thank you!
  21. 21. 2 1Appendix - Standard Terminologies I Data Subject/Natural Person – This is the Living Individual that the Personal Data Relates to. Personal Data – This is Data that can be used to personally identify the individual, would include things like Names, Addresses, Phone Number, Email, Facebook Account, Twitter Handle. Sensitive Personal Data – This would include things such as Religion, Ethnicity , Trade Union Membership, Medical records, Sexual Orientation and Criminal convictions. Biometric and Genetic data are now included under sensitive with the GDPR Data Controller – is an entity who (either alone or jointly or in common with other entities) determines the purposes for which and the manner in which any personal data is, or is to be, processed. Data Processor – This would be an entity that processes data on behalf of an organisation. Data Privacy Impact Assessment (DPIA) – These are risk matrices that cover the realms of Data Protection. Subject Access Request (SAR) – These are requests to an organisation asking for all information that they hold on the Data Subject. Data Processing Agreement (DPA) – This is an agreement between the Data Controller, either to a Data Processor or another Data Controller. The former is more common. Non-Disclosure Agreement (NDA) – This is usually to protect Intellectual Property (IP) rights of an organisation and does in some context exist as part of a Data Processing Agreement. This is more commonplace if the individual isn’t processing data on behalf of an organisation, a creative designer for example. #Lightful #GDPR
  22. 22. GDPR with a digital marketing hat
  23. 23. PECR
  24. 24. GDPR 25 May 2018
  25. 25. GDPR 25 May 2018 ePrivacy regulation
  26. 26. GDPR 25 May 2018 ePrivacy regulation
  27. 27. OTT cookie consent messages & OTTs
  28. 28. “It is therefore justified to require that consent of the end- user is obtained before commercial electronic communications for direct marketing purposes are sent to end users in order to effectively protect… the legitimate interest of legal persons.” Recital 33 Consent > legitimate interest?
  29. 29. “However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services.” (A bit further in) Recital 33 Actually no, it’s fine
  30. 30. “It is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited commercial communications for direct marketing purposes.” Recital 34 Don’t be an idiot
  31. 31. “In order to allow easy withdrawal of consent, legal or natural persons conducting direct marketing communications by email should present a link, or a valid electronic mail address, which can be easily used by end- users to withdraw their consent.” Recital 35 Let people unsubscribe easily
  32. 32. MR. TICKLEX
  33. 33. “Data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.” Article 4, 3(c) Get consent for metadata
  34. 34. “ ‘Direct marketing communications’ means any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.” Article 4, 3(f) ‘Direct Marketing’ is broad
  35. 35. “The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.” Article 9, 1 ‘Consent’ comes from GDPR
  36. 36. “The providers of publicly available directories shall obtain the consent of end-users who are natural persons to include their personal data in the directory.” Article 15 Directory providers: source consent
  37. 37. “Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use.” Article 16,2 Legitimate interest rules!.. Allow unsubscribes.
  38. 38. €10,000,000 or 2% of annual revenue: Data breachers Software providers Directory providers Unsubscribe ignorers Article 23,2 Small <sic> fines
  39. 39. €20,000,000 or 4% of annual revenue: “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure” or non-compliance with the ICO Article 23,4 Big fines for wire tappers, networks and idiots
  40. 40. Don’t market electronically to people unless you have consent or a legitimate reason!
  41. 41. Don’t market electronically to people unless you have consent or a legitimate reason! 1. Consent (from GDPR) 2. Privacy policies 3. Contracts with processors
  42. 42. Consent and GDPR DP Directive GDPR
  43. 43. Consent and GDPR DP Directive GDPR “any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
  44. 44. 1. Keeping records 2. Transparency of consent messages 3. Right to withdraw consent 4. Freely-given consent
  45. 45. 1. Transparency of consent messages 2. Right to withdraw consent 3. Freely-given consent 4. Keeping records Be upfront
  46. 46. Records 1. Who consented? 2. When they consented 3. What they were told at the time 4. How they consented 5. Whether they have withdrawn consent (and if so, when)
  47. 47. 1 2 3
  48. 48. Consent and GDPR ICO guidance (for consultation)
  49. 49. Legitimate interest “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Recital 47
  50. 50. Legitimate interest and GDPR DPN guidance (white paper)
  51. 51. Controllers, processors & contracts
  52. 52. Controllers, processors & contracts Data controllers I Data processors I Processors’ processors Liability for breaches:
  53. 53. Controllers, processors & contracts Processors have more liabilities, but controllers are responsible – so make sure your contract is solid.
  54. 54. Privacy policies
  55. 55. 1. Contact details of controller / DPO 2. Purpose(s) of the processing 3. Categories of personal data 4. Types of people with access to personal data 5. Details of international transfers / safeguards 6. Retention period 7. All of the data subject’s rights 8. (The right to withdraw consent) 9. (Legitimate interests) 10. (The existence of automated decision-making) Articles 13 & 14
  56. 56. Privacy policies and GDPR Econsultancy best/worst practice articles
  57. 57. Privacy policies and GDPR ICO privacy policy checklist:
  58. 58. Fin
  59. 59. Q&A Implications
  60. 60. THANK YOU Pub?
  • Pascal-KOTTE

    Dec. 10, 2017
  • elijahv

    Nov. 28, 2017
  • EmmaWakeling1

    Nov. 20, 2017

These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful. The presentation was to help charities understand the most pressing implications of GDPR as well from an operational and marketing standpoint. You can find out more about our organisations here:


Total views


On Slideshare


From embeds


Number of embeds