GDPR
Communications Officer Network Meeting
February 2018

What we'll cover today
1. Introduction to GDPR and the University's response - Felicity Burchett, Council Secretariat
2. Advice for Communications Officers - Max Todd, Council Secretariat
3. Q&A session

Introduction to GDPR
Felicity Burchett
Council Secretariat

Content overview
- What is personal data and why it's important for us
- GDPR - what's changing and what it's all about
- Who this will affect
- How the University is preparing
- What support is available

What is personal data?
Any information that can be used to identify a living person - directly and indirectly or that relates to them.

What does that mean?
- This could be: name, an identification number, or location data, like an IP address.
- It could also include other information that leads to an individual being identified (which could be: physical, genetic or cultural).
- More care needs to be taken with sensitive personal data, e.g. health data, religious beliefs

Why data privacy matters to us
- We care - we are responsible for handling people's most personal information
- This is an opportunity to make privacy central to what we do
- By not handling personal data properly we could put individuals at risk and the University's reputation at stake
- Getting it wrong could result in significant fines
- We need robust systems and processes in place to make sure we use personal information properly and comply

Overview
- What? The General Data Protection Regulation (GDPR) is a European law that will replace the current Data Protection Act. The UK government will still implement the rules after Brexit.
- Why? The aim is to strengthen and unify personal data protection for all individuals living in the European Union.
- Who? The Information Commissioner's Office (ICO) will lead on GDPR in the UK and will hand out penalties for organisations who are in breach of the new law.
- When? It will come into force on 25 May 2018

What's changing?
Many GDPR principles are similar to those in the current Data Protection Act.
There are also new and strengthened requirements for how we protect people's data.
Changes include:
- new rights (e.g. right to be forgotten)
- greater emphasis on transparency and record-keeping
- mandatory data breach reporting
- much larger fines for when organisations get things wrong
We also need to remember the Privacy and Electronic Communications Regulations (PECR) for electronic marketing

What is data privacy all about?
- Being open with people about how we use their information
- Not keeping their information longer than necessary
- Making sure it is accurate
- Making sure that it is safe
- Knowing what information we've got and what we can do with it (e.g. sharing)
- Recognising a breach and knowing what to do

Who does this affect?
All of us - we all have a responsibility to keep people's information safe.
Particularly those involved in:
- Student administration
- HR
- Development and alumni relations activities
- Research involving personal data and/or human participants
- Finance
- IT

How is the University preparing?
- University-wide improvement programme underway
- Core group with representatives from each division and key services
- In addition to University-wide initiatives, improvements are being taken forward locally, for example, system improvements
- Step by step approach
- Currently, working with departmental administrators to create registers of the personal data - depending on your role, you may be asked to take part in creating your department's register

What support will I get?
- Web pages with up-to-date information and FAQs
- Other guidance/tools being developed, e.g. guidance on how to identify breaches and what to do next
- There are "hub contacts" for divisions, departments and sections
- Updates via these contacts and/or the Information Compliance Team between now and May
- Training sessions planned for key data handlers

Communications and GDPR

Communications about the GDPR Project
- Currently being managed by the GDPR Core Group
- Specific tasks at this stage, related to the data register and other compliance activities
- There will be a wider campaign and training further down the line - which will require some communications input
- Speak to your Departmental Administrator before doing any communications at this stage
- We will let you know when there are opportunities to get involved

Managing the impact of GDPR on the communications community
- Divisional Hub Contacts responsible for data within divisions and departments in general working with Departmental Administrators
- Functional leads also working across the University focusing on key professional communities: HR, student data, development etc. Communications is one of these functions
- Consultation through Communications Leads group
- Further guidance and support to follow

Communications Leads Group
- AAD - Dan Selinger
- PAD - Annette Cunningham
- Medical Sciences - Alison Brindle
- MPLS - Kirsty Heber-Smith
- Social Sciences - (Tanya Baldwin)
- Humanities - (Karen Brill)
- ContEd - Gail Anderson
- GLAM - Susannah Wintersgill
- DevOff - Suzy Ingram
- Finance - Laura Cooper
- Estates Services - Sarah Walton
- IT Services - Lisa Mansell
- Personnel Services - Meghan Lawson
- Research Services - Gaelle Jolly

Advice for Comms Officers
Max Todd
Council Secretariat

GDPR and Communications
External communications/marketing
- Student recruitment
- Outreach
- Departmental/Institutional marketing
- Public engagement
- Media Relations
- Alumni Relations
- Fundraising
Internal communications
- Current students
- Staff

External Communications - Main issues
- Legal basis for processing
- Different rules for marketing by (i) Email/text; (ii) phone; (iii) print
- Definition of Consent
- Compliance strategy for existing contacts

Legal basis for processing
- Must have a lawful basis for processing i.e. a legitimate reason for using personal data
- Two options for external marketing: Consent; Legitimate interests

Consent vs Legitimate interests
- We can rely on legitimate interests for print communications only and for holding the data in the first place
- Consent is necessary for marketing by email or text
- Mixture of legitimate interests and consent for marketing calls

Legitimate interests
- Suitable basis when we use people's data in ways they would reasonably expect and which have minimal impact on their privacy
- GDPR specifically recognises direct marketing as an example of a legitimate interest
- Required to balance our interests against rights and interests of individual

Legitimate Interests Assessment (LIA)
- Must carry out a LIA in order to demonstrate compliance (accountability principle).
- 3-part test
  - Purpose: What is our legitimate interest?
  - Necessity: Why do we need to process personal data to achieve it?
  - Balancing of interests: Do the individual's interests override the legitimate interest?
- One LIA for key activities within your area

Privacy and Electronic Communications Regulations (PECR) - Scope
- Provides rules for unsolicited direct marketing by electronic means (email, text, phone)
- Unsolicited: Not specifically requested
- Direct marketing: Targets particular individuals
- Marketing is not limited to commercial marketing (sale of goods and services)
- Covers any advertising and promotional material, including that promoting aims of not-for-profit organisations, such as HEIs

Rules of PECR - Emails/texts
- Prior consent required for e-mails or texts sent to individuals
- Every email/text must have valid address to enable individual to opt-out/unsubscribe
- PECR does not apply to business to business emails/texts

Rules of PECR - Calls
- No calls to people registered with Telephone Preference Service (TPS) or those who have otherwise objected
- Can only call TPS number with specific prior consent
- OK to call non-TPS numbers but DPA/GDPR applies i.e. person must be aware we have their number and intend to use it to make marketing calls

Consent under GDPR and PECR
- Specific, informed, freely given (genuine choice)
- Requires positive action i.e. opt-in
- Failure to opt-out is not consent
- Granular: separate consent for distinct activities
- Consent under PECR must be specific to sender of marketing (college/University/department) and to method of communication (email/text)

Methods of obtaining consent
- Tick box
- Signing a declaration/form
- Sending an email
- Selecting Yes/No options
- Oral statement
Whichever method is used, GDPR requires us to keep evidence of consent (accountability)

Strategy for existing contacts (flowchart)
- Do I need consent under PECR? (Am I sending marketing emails?) Yes / No
- Do I already have valid consent (specific, informed, opt-in)? Yes / No
- Can I provide evidence of that consent? Yes / No
- Outcomes: Send marketing email; Send non-marketing email as usual; Draw up programme to collect valid consent + evidence

Existing contacts - Assess level of risk
What happens if I can't get consent by 25 May?
- Depends on level and type of engagement
- Risk will be lower where there is evidence of engagement, particularly by email e.g. opening emails, responding to emails
- Risk will be higher for those who have engaged in other ways (updating paper contact details, attending events, making donations)
- But latter group may be amenable to opting-in

Existing contacts - Stop bad practice
Identify and eliminate any bad practices NOW
- Sending emails to people who have opted out
- Sending emails with no opt-out
- Buying marketing lists without due diligence i.e. without checking whether people gave consent to marketing from OU
- Sending emails to those who have opted out to ask whether they would like to opt-in

What happens if there is a complaint to the ICO?
- ICO take a risk based approach to enforcement
- Many worse offenders under PECR
- But even a minor complaint will allow ICO to examine our policies and procedures
- They will look for evidence that we understand the rules and have plans to achieve compliance
- Don't panic, but no complacency either

Individual rights
- Right to withdraw consent at any time
- Implicit under DPA; explicit under GDPR
- Right to ask for erasure of data if consent withdrawn (right to be forgotten)
- Unconditional right to object to processing for direct marketing under DPA/GDPR
- Must comply with objection within one month

Internal communications - 1
Q1. Do we need consent?
A1. No. Not marketing (or not main purpose), so PECR does not usually apply. Can rely on legitimate interests and/or contract as basis for processing. LIA necessary for former.
Q2. Is an opt-out necessary?
A2. No. PECR does not apply. Minimal impact on privacy.

Internal communications - 2
Q3. What should we do if someone objects?
A3. GDPR grants right to object to processing based on legitimate interests. Person would need to demonstrate
