These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful. The presentation was to help charities understand the most pressing implications of GDPR as well from an operational and marketing standpoint. You can find out more about our organisations here: https://tech-trust.org/ https://www.lightful.com/ https://www.meetup.com/netsquaredlondon/

1. Charities and
GDPR
What you need to do

2. GDPR - What Will It
Mean for Your Charity?
November 15, 2017 #Lightful #GDPR

3. 3
Lightful
Haydn Thomas
@HMTIV
#Lightful #GDPR

4. Services
Lightful is a technology company for social good. We help
charities and social enterprises raise more funds, awareness
and support using digital and social
Platform Labs
#Lightful #GDPR

5. Our experience…
#Lightful #GDPR

6. Tell us about you…
#Lightful #GDPR

7. 7
GDPR – An Overview & What It Means For Charities
HAYDN THOMAS & ANDREW CROSS
@HMTIV @Crozzmeister
#Lightful #GDPR

8. 8
Data Protection Introduction
Data Protection Act (DPA) of 1998
Privacy, Electronic and Communications Regulation (PECR) of 2003
Freedom of Information Act of 2000
E-Privacy Regulation (2018, on course to launch with GDPR)
General Data Protection Regulation (GDPR) of 2016
(Compliance – NOW!, Enforced from May 25th 2018
Data Protection Bill (DPB); Implements GDPR with UK
Variations.
The story so far…
Which will become….
#Lightful #GDPR

9. 9
GDPR – The lowdown
What?
The General Data
Protection Regulation
(GDPR) and
EU Legislation for Data
Protection (DP)
When?
May 2016 >
25th May 2018
Who?
All EU Organisations that
process Personal Data or
organisations overseas that
process data on EU Citizens
How?
ICO Guidance,
Regulatory bodies,
Seminars
#Lightful #GDPR

10. 1
0E – Privacy lowdown
What?
Overhaul of PECR 2003
regarding processing of
electronic communications
data
When?
Likely 25th May
2018
Who?
As Before (EU States and
EU Citizens)
How?
ICO Guidance on how
to handle new e-
privacy regulation
#Lightful #GDPR

11. 1
1
VS
What Has Changed?
#Lightful #GDPR

12. 1
2
The 6 principles of GDPR
Process lawfully, fairly and in a transparent manner.
Collect for specified, explicit and legitimate purposes.
Only keep what is adequate , relevant and limited to what
is necessary.
Store accurate information and keep up to date.
Retain only for as long as necessary.
Process in an appropriate manner to maintain security.
And the bonus principal….accountability
#Lightful #GDPR

13. 1
3Consent
• Any freely given, specific, informed and unambiguous indication of his or her wishes by which
the data subject, either by a statement or by a clear affirmative action, signifies agreement to
personal data relating to them being processed
• What does this mean?
• Usually on point of Data Collection (Web Forms, Paper Forms or Via verbal pathways) that the
Data Subject is given a statement that corresponds to what their information is being used for,
usually including who will be storing the data (Data Controller); how they can find out more
(DP Policy Link); with clear information on how to opt out of certain processing.
Affirmative Opt-In boxes: Mail/Tel/Email/SMS
Clearly labelled Optional Information (Separate from the main form)
Re-Permissioning – Consent needs to be refreshed on a regular basis
Consent Centre – My Life Digital (MLD) , Lightful Salesforce Application and
Communities/Platform Preference Centre
What is consent?
What constitutes as “Valid” consent?
#Lightful #GDPR

14. 1
4
• CONSENT VS LEGITIMATE INTEREST
#Lightful #GDPR

15. 1
5GDPR - Data Subjects Rights
Data Subjects have the following rights:
Whilst the GDPR builds on the Data Protection Act which all entities within the UK need to adhere
to, the following represent the key changes for organisations.
1. The Right to be informed – How data will be used through a Fair Processing
Notice/Policies.
2. The Right to Rectification – To correct personal information If we possess
inaccurate/outdated data.
3. The Right to Erasure – To remove yourselves from our databases.
4. The Right to Object/Restrict Data Processing.
5. The Right to Object/Restrict Data Processing for Marketing Purposes.
6. The Right to Data Portability
7. The Right to Refuse Automated Profiling and Decision Making
8. The Right to Access your Information – (Formally Subject Access Request)
#Lightful #GDPR

16. 1
6GDPR - Consequences
• Tiers of monetary penalties, above and beyond the maximum £500,000 the ICO can currently dish out, this is
circumstantial and depends upon the violation itself and if there has been any previous violation by the Data Controller
or Data Processor.
TIER 1:
Up to 20 million Euros or 4% of Annual
global turnover – Whichever is highest.
TIER 2:
Up to 10 million Euros or 2% of Annual
global turnover – Whichever is highest.
With both the Tier 1 and 2 fines it is likely there needs to be cases of precedence before there will
be some general rules of thumb being dished out by the ICO.
OTHER ACTIONS AS BEFORE COULD BE:
Enforcement Action
Undertakings
Advise
#Lightful #GDPR

17. 1
7Subject Access Requests + Data Protection Officer
• Subject Access Requests – This is where the Natural Person enacts their right to obtain all the personal
data that your organisation holds on them; this request has to be done in writing and with proof of
identification, also at present a small fee can be chargeable (£10). This fee disappears under the
GDPR; however, for “excessive” cases there is some justification to make a charge.
Data Protection Officer– Do I need One?
The role of the Data Protection Officer, then comes into play and the assessment around the requirement for needing one also must
be evaluated. The GDPR stipulates that one is only required when one of the certain conditions are met:
* Exceptions do apply – (Courts acting in their judicial capacity)
The organisation in question is a public body*
The organisation carries out large scale monitoring of Individuals
The organisation carries out large scale processing of special categories of data
or processing of any data that relates to criminal convictions or offences
#Lightful #GDPR

18. 1
8What you need to do
Be able to report Data Breaches to the ICO within 72 hours
Be able to answer a Subject Access Request (SAR) within 30
Calendar Days
Have clear lines of accountability and a nominated representative
(DPO)
Have compliant data processes –Acquisition, use, retention,
deletion)
Document Data Privacy Impact Assessments
(DPIA)
Informed Consent documented and “Recent” or
reliance on Legitimate Interests clear
#Lightful #GDPR

19. 1
9
HAYDN THOMAS
3 Key
Takeaways
#Lightful #GDPR
@hmtiv

20. 2
0
#Lightful #GDPR
Thank you!

21. 2
1Appendix - Standard Terminologies I
Data Subject/Natural Person – This is the Living Individual that the Personal Data Relates to.
Personal Data – This is Data that can be used to personally identify the individual, would include things like Names, Addresses, Phone
Number, Email, Facebook Account, Twitter Handle.
Sensitive Personal Data – This would include things such as Religion, Ethnicity , Trade Union Membership, Medical records, Sexual
Orientation and Criminal convictions. Biometric and Genetic data are now included under sensitive with the GDPR
Data Controller – is an entity who (either alone or jointly or in common with other entities) determines the purposes for which and the
manner in which any personal data is, or is to be, processed.
Data Processor – This would be an entity that processes data on behalf of an organisation.
Data Privacy Impact Assessment (DPIA) – These are risk matrices that cover the realms of Data Protection.
Subject Access Request (SAR) – These are requests to an organisation asking for all information that they hold on the Data Subject.
Data Processing Agreement (DPA) – This is an agreement between the Data Controller, either to a Data Processor or another Data
Controller. The former is more common.
Non-Disclosure Agreement (NDA) – This is usually to protect Intellectual Property (IP) rights of an organisation and does in some context
exist as part of a Data Processing Agreement. This is more commonplace if the individual isn’t processing data on behalf of an
organisation, a creative designer for example.
#Lightful #GDPR

22. GDPR with a digital marketing hat

23. PECR

24. GDPR
25 May 2018

25. GDPR
25 May 2018
ePrivacy regulation

26. GDPR
25 May 2018
ePrivacy regulation

27. OTT cookie
consent
messages
&
OTTs

29. “It is therefore justified to require that consent of the end-
user is obtained before commercial electronic
communications for direct marketing purposes are sent to
end users in order to effectively protect… the legitimate
interest of legal persons.”
Recital 33
Consent > legitimate interest?

30. “However, it is reasonable to allow the use of e-mail contact
details within the context of an existing customer
relationship for the offering of similar products or services.”
(A bit further in) Recital 33
Actually no, it’s fine

31. “It is necessary to prohibit the masking of the identity and
the use of false identities, false return addresses or numbers
while sending unsolicited commercial communications for
direct marketing purposes.”
Recital 34
Don’t be an idiot

32. “In order to allow easy withdrawal of consent, legal or
natural persons conducting direct marketing
communications by email should present a link, or a valid
electronic mail address, which can be easily used by end-
users to withdraw their consent.”
Recital 35
Let people unsubscribe easily

33. MR. TICKLEX

34. “Data used to trace and identify the source and destination
of a communication, data on the location of the device
generated in the context of providing electronic
communications services, and the date, time, duration and
the type of communication.”
Article 4, 3(c)
Get consent for metadata

35. “ ‘Direct marketing communications’ means any form of advertising,
whether written or oral, sent to one or more identified or identifiable
end-users of electronic communications services, including the use of
automated calling and communication systems with or without
human interaction, electronic mail, SMS, etc.”
Article 4, 3(f)
‘Direct Marketing’ is broad

36. “The definition of and conditions for consent provided for
under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU
shall apply.”
Article 9, 1
‘Consent’ comes from GDPR

37. “The providers of publicly available directories shall obtain
the consent of end-users who are natural persons to include
their personal data in the directory.”
Article 15
Directory providers: source consent

38. “Where a natural or legal person obtains electronic contact details for electronic
mail from its customer, in the context of the sale of a product or a service, in
accordance with Regulation (EU) 2016/679, that natural or legal person may use
these electronic contact details for direct marketing of its own similar products
or services only if customers are clearly and distinctly given the opportunity to
object, free of charge and in an easy manner, to such use.”
Article 16,2
Legitimate interest rules!.. Allow unsubscribes.

40. €10,000,000 or 2% of annual revenue:
Data breachers
Software providers
Directory providers
Unsubscribe ignorers
Article 23,2
Small <sic> fines

41. €20,000,000 or 4% of annual revenue:
“Infringements of the principle of confidentiality of communications,
permitted processing of electronic communications data, time limits
for erasure” or non-compliance with the ICO
Article 23,4
Big fines for wire tappers, networks and idiots

42. Don’t market electronically to
people unless you have consent
or a legitimate reason!

43. Don’t market electronically to
people unless you have consent
or a legitimate reason!
1. Consent (from GDPR)
2. Privacy policies
3. Contracts with processors

44. Consent and GDPR
DP Directive GDPR

45. Consent and GDPR
DP Directive GDPR
“any freely given, specific
and informed indication
of his wishes by which
the data subject signifies
his agreement to
personal data relating to
him being processed”
“any freely given, specific,
informed and unambiguous
indication of the data subject's
wishes by which he or she, by a
statement or by a clear affirmative
action, signifies agreement to the
processing of personal data
relating to him or her”

46. 1. Keeping records
2. Transparency of consent messages
3. Right to withdraw consent
4. Freely-given consent

47. 1. Transparency of consent messages
2. Right to withdraw consent
3. Freely-given consent
4. Keeping records
Be upfront

49. Records
1. Who consented?
2. When they consented
3. What they were told at the
time
4. How they consented
5. Whether they have withdrawn
consent (and if so, when)

50. 1
2
3

51. bit.ly/Net2GDPR
Consent and GDPR
ICO guidance (for consultation)

52. Legitimate interest
“The processing of
personal data for direct
marketing purposes may
be regarded as carried
out for a legitimate
interest.”
Recital 47

54. bit.ly/Net2GDPR2
Legitimate interest and GDPR
DPN guidance (white paper)

55. Controllers, processors & contracts

56. Controllers, processors & contracts
Data controllers
I
Data processors
I
Processors’ processors
Liability for breaches:

58. Controllers, processors & contracts
Processors have more liabilities, but controllers are
responsible – so make sure your contract is solid.

59. Privacy policies

60. 1. Contact details of controller / DPO
2. Purpose(s) of the processing
3. Categories of personal data
4. Types of people with access to personal data
5. Details of international transfers / safeguards
6. Retention period
7. All of the data subject’s rights
8. (The right to withdraw consent)
9. (Legitimate interests)
10. (The existence of automated decision-making)
Articles 13 & 14

63. bit.ly/Net2GDPR3
Privacy policies and GDPR
Econsultancy best/worst practice articles
bit.ly/Net2GDPR4

64. bit.ly/Net2GDPR5
Privacy policies and GDPR
ICO privacy policy checklist:

65. Fin

66. Q&A
Implications

67. THANK YOU
Pub?