EU GDPR Practitioner Training


In-depth Training on EU GDPR

What is the EU GDPR?

The European Union's General Data Protection Regulation (GDPR) came into force on 25 May 2018. Since the UK left the European Union, the version retained in UK law is known as the UK GDPR; it remains closely aligned with the EU GDPR in nearly all areas.

All organisations processing the personal data of individuals in the UK or the EU have to comply with the relevant GDPR; the regulation protects data subjects located in those territories, not only their citizens.

Course Overview

The Certified EU GDPR Foundation and Practitioner Course teaches professionals the detail of the GDPR and how to implement and comply with its provisions. The course covers both the Foundation and Practitioner levels and runs over a 4-day period; instructor-led online and classroom-based options are available.

Note – this course has been updated to cover the UK GDPR variations.

What is the course curriculum?

The course consists of instructor-led tuition, either online or classroom based.

It consists of 24 modules covered over the 4-day training period, with an exam at the end.

£2295.00 + VAT

Fee applies to a single user license. Discounts are available for multiple users.

Module 1: Introduction to the GDPR

GDPR in a Nutshell
Generate Customer Confidence
Focus of GDPR
What is Personal Information?
Who has PII?
Lawful Processing of Personal Data

Module 2: Binding Corporate Rules

Introduction
Scope
UK ICO's View of the Scope
Processing GDPR Definition
Who Processes PII?
What is Special Data?
Legal Framework
Timeline and Derogations
Some Key Areas for Derogation
Data Breaches/Personal Data Breach
Consequences of Failure
Governance Framework

Module 3: GDPR Terminology and Techniques

Key Roles
Data Set
Subject Access Request (SAR)
Data Protection Impact Assessments (DPIA)
What Triggers a Data Protection Impact Assessment?
DPIA is Not Required
Processes to be Considered for a DPIA
Responsibilities
DPIA Decision Path
DPIA Content
How Do I Conduct a DPIA?
Signing Off the DPIA
Mitigating Risks Identified by the DPIA
Privacy by Design and Default
External Transfers
Profiling
Pseudonymisation
Principles, User Rights, and Obligations
One Stop Shop

Module 4: Structure of the Regulation

Parts of the GDPR
Format of the Articles
Articles of the Legislation

Module 5: Principles and Rights

Introduction
Legality Principle
How the Permissions Work Together
Lawfulness of Processing Conditions
Lawfulness for Special Categories of Data
Criminal Offence Data
Consent
Transparency Principle
Fairness Principle
Rights of Data Subjects
Purpose Limitation Principle
Minimisation Principle
Accuracy Principle
Storage Limitation Principle
Integrity and Confidentiality Principle
Accountability Principle

Module 6: Demonstrating Compliance

Demonstrating Compliance with the GDPR
Impact of Compliance Failure
Administrative Fines
What Influences the Size of an Administrative Fine?
Joint Controllers
Processor Liability Under GDPR
Demonstrating Compliance
Protecting PII is Only Half the Job
What must be Recorded?
Additional Ways of Demonstrating Compliance
Demonstrating a Robust Process
PIMS (Personal Information Management System)
Cyber Essentials
ISO 27017 Code of Practice for Information Security Controls for Cloud Services
Risk Management​

Module 7: Incident Response and Data Breaches

What is a Personal Data Breach?
Notification Obligations
What Breaches Do I Need to Notify the Relevant Supervisory Authority About?
What Information Must Be Provided to the SA?
How do I Report a Breach to the SA?
Notifying Data Subjects
What Should I do to Prepare for Breach Reporting?
Updating Policies and Procedures
Breach Reporting and Responses
Ways to Minimise the Breach Impact

Module 8: Understanding the Principal Roles

What does the GDPR Make Businesses Responsible For?
Difference Between a Data Controller and a Data Processor
How the Roles Split
Controllers and Processors
Main Obligations of Data Controllers
Demonstrate Compliance
Joint Controllers and EU Representative
Controller-Processor Contract
Maintain Records and Keeping Records for Small Businesses
Cooperation with Supervisory Authorities
Keeping PII Secure
Data Breach Transparency
Role of the Data Processor
Controller-Processor Contract
Main Obligations of the Processor
Perform Only the Data Processing Defined by the Data Controller
Update the Data Controller
Sub-Processor Appointment
Keep PII Confidential
Maintaining Records
Cooperate with Supervisory Authorities
Security
Appoint a DPO – If Necessary
Transferring Data Outside the EU

Module 9: Role of the DPO

Role of a Data Protection Officer
Involvement of the DPO
Main Responsibilities of the DPO
Working Environment for the DPO
Must We Have A DPO?
Public Body
What does Large Scale mean?
Systematic Monitoring
Who Can Perform the Role of DPO?
Skills Required
Monitoring Compliance
Training and Awareness
Data Protection Impact Assessments (DPIAs)
Risk-Based Approach
Business Support for the DPO
DPO Independence
DPO – Conflict of Interest

Module 10: UK Implementation

Key Differences Between the Data Protection Act and the GDPR
Highlights from the Data Protection Bill
Definition of Controller
Health, Social Work, Education, and Child Abuse
Age of Consent
Exemptions for Freedom of Expression
Research and Statistics
Archiving in the Public Interest

Module 11: Key Features

Specific Permission
Privacy by Design
Data Portability
Right to be Forgotten
Definitive Consent
Information in Clear Readable Language
Limits on the Use of Profiling
Everyone Follows the Same Law
Adopting Techniques

Module 12: Subject Access Requests and How to Deal with Them

Subject Access Requests (SAR)
Dealing with SAR
Recognise the Request
Understand the Time Limitations
Dealing with Fees and Excessive Requests
Identify, Search, and Gather the Requested Data
Learn about What Information to Withhold
Developing and Sending a Response

Module 13: Data Subject Rights
  • Must I Always Obey a Right?
  • Rights and Third Parties
  • Requests Made on Behalf of Other Data Subjects
  • Guidelines for Children’s Maturity
  • Responding to a Rights Request
  • What is a Month?
  • Rights Request Flow Chart
  • Right to be Informed
    • When Should Information Be Provided?
    • Best Practice Guidance
  • Right of Access
  • Right to Rectification
  • Right to Erasure
    • When can I Refuse to Comply with a Request for Erasure?
    • Erasing Children’s Data
  • Right to Restrict Processing
    • When Processing Should be Restricted?
    • Protecting PII
    • Other Issues about Restricting Processing
  • Right to Data Portability
  • Right to Object
    • Complying with the Right to Object
    • Rejecting the Right to Object
    • Processing for Direct Marketing Purposes
    • Processing for Research Purposes
  • Rights Related to Automated Decision Making and Profiling
    • When does the Right not apply?

Module 14: Subject Access Requests

Provenance
Overview: SARs
SAR is an Activity, Not a Title
How can a SAR be Submitted?
What Information Should the Response to a SAR Contain?
Additional Information
Replying to a SAR
Confirming a Data Subject’s Identity
Scope
Electronic Records
Non-Electronic Records
SARs Involving 3rd Party PII
Fees
Refusing a Subject Access Request
Access Requests from Employees
Credit Reference Agencies
Best Practice for SARs

Module 15: Lawful Processing

Lawful Processing: A Reminder
User Rights Change Depending on the Justification
Lawfulness of Processing Conditions
Lawfulness for Special Categories of Data
UK ICO Tool
Consent
Key Points About Consent
Affirmative Action and Explicit Consent
Introduction of Affirmative Action
What is Not Affirmative Action?
Examples of Affirmative Action from the ICO
Introduction of Explicit Consent
Explicit Statement
Obtaining Explicit Consent
ICO's View of a Poor Form of Explicit Consent
Obtaining Consent for Scientific Research Purposes
Getting Consent
What Should Go into the Consent Request?
Consent Granularity
Right to Withdraw Consent
Children
Consent Records
ICO's Examples of Record Keeping
Key Points When Establishing Consent
Legitimate Interests
Getting the Balance Right
Consent or Legitimate Interest?
What Lawful Basis Can be Used for Processing Marketing PII?

Module 16: Third Country Data

Cross Border Transfers
Transfer Mechanisms
Derogations
Adequacy
Adequate Ways to Safeguard Transfers of PII
Consent
One-Off or Infrequent Transfers
Who is Responsible?
Transferring PII Between EEA Members
Adequate Countries Outside of the EEA
Binding Corporate Rules (BCR)
What a BCR Must Cover?
Authorisation for BCRs
EU-US Privacy Shield (note: invalidated by the CJEU in the Schrems II judgment of July 2020; EU-US transfers now rely on the EU-US Data Privacy Framework adopted in July 2023, with a UK Extension for UK transfers)
Privacy Shield Overview
Privacy Shield: Mechanics
Model Clauses (Standard Contractual Clauses, SCCs)
Public Authority Agreements

Module 17: Introduction to Protecting Personal Data

Need to Secure
What is Appropriate?
Protecting PII – 3 Key Areas
Coverage
Defensive Design
Single Point of Failure (SPOF)
Incident Response
Data Breach Reporting Requirements
Incident Response Team

Module 18: Data Protection Impact Assessments (DPIA)

Introduction
What Triggers a Data Protection Impact Assessment?
Cases Where DPIA is Not Required
Benefits of DPIA
Processes to be Considered for a DPIA
Responsibilities
DPIA Decision Path
DPIA Content
How Do I Conduct A DPIA?
Signing Off the DPIA
Mitigating Risks Identified by the DPIA

Module 19: Need Want Drop

Overview
Need-Want-Drop: Concept Diagram
Need-Want-Drop: Categorising Data
Need/Want/Drop Methodology

Module 20: Dealing with Third Parties and Data in the Cloud

What is Cloud Computing?
Myths of Cloud
Cloud Challenges
Controller-Processor Contract
Checklist
Data Controller – Summary

Module 21: Practical Implications: GDPR

Brexit and its Impact on the GDPR
Adequacy
What does this Mean in Practice?
EU and UK Representatives
Exemption Rule
One-Stop Shop

Lawful, Fair, and Transparent Processing
Limitation of Purpose, Data and Storage
Data Subject Rights
Consent
Personal Data Breaches
Privacy by Design
Data Protection Impact Assessment
Data Transfers
Data Protection Officer
Awareness and Training

Module 23: Privacy Principles in GDPR

Lawfulness, Fairness, and Transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality

Module 24: Common Data Security Failures, Consequences, and Lessons to be Learnt
  • Common Data Security Failures
  • Consequences
    • Fines Relating to Data Breaches
    • Litigation from Customers Relating to Data Breaches
    • Directors, Officers, and Professional Advisors
    • Reputational Damage
  • Lessons Learned
    • Knowing When and How to Communicate with Affected Individuals is Not Easy
    • GDPR is Important, as are Other Legal Frameworks
Privacy by Design

What’s included?

Certified EU General Data Protection Regulation (EU GDPR) Foundation and Practitioner Examination

World-Class Training Sessions from Experienced Instructors

Certified EU General Data Protection Regulation (EU GDPR) Foundation and Practitioner Certificates

Digital Delegate Pack

Current Incentives

We are offering discounts of 10% for a second user and 15% for three users or more.

Easy Enrolment

It’s very easy to enrol on one of our online or classroom based training courses.

Simply fill out the contact form and we will be in touch to find out your exact requirements e.g. number of licenses, desired date and preferred location (if classroom based).

Contact Us

