GDPR What It Means For Your Business

A Zymplify Guide

Michael GreenHead of Finance/Data Protection Officer

Certified GDPR Practitioner Chartered Accountant

michaelg@Zymplify.com

Contents

ZYMPLIFY 2017

• Introduction to Zymplify

• What is GDPR

• How does GDPR differ from the Data Protection Act

• Accountability & Governance Concepts

• Consent

• Privacy Notices

• Cookies

• Breach reporting and sanctions

• Summary

• How can Zymplify help?

• Q&A

Zymplify is Marketing as a Service

Reach More. Engage More. Sell More

Zymplify is a Marketing as a Service company.

We transform the way marketing and sales work by integrating them seamlessly with your business

Our All-In-One Solution gives businesses the ability to create, publish, track and analyse all your marketing campaigns and activities from one integrated dashboard.

What is GDPR?

• Places significant additional responsibilities on data controllers and processors

• It’s about personal data – it does not cover “business data” (e.g. accounts)

• Protection of personal data is a fundamental right, enshrined at EU Charter level

• It is about putting control back in the hands of the individual – forcing businesses to put data protection ‘front and center’

• Brexit proof – UK Government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR

• Applies to processing carried out by organisations operating within the EU and organisations outside the EU that offer goods or services to individuals in the EU

ZYMPLIFY 2017

GDPR is the General Data Protection Regulation which will apply in the UK from 25th May 2018

GDPR – what’s new?

• Accountability and Data Governance

• Definition of personal data and sensitive personal data

• Data portability

• Rights to erasure

• Consent

• Transparency

• Profiling

• Punitive administrative fines

• Breach notification

• Data transfers

ZYMPLIFY 2017

Accountability Concept

• Article 5: Principles relating to processing of personal data:

• “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). “

1•Processed lawfully, fairly and in a transparent manner

2•Collected for specified, explicit and legitimate purposes

3•Adequate, relevant and limited to what is necessary

4•Accurate and, where necessary, kept up to date

5•Retained only for as long as necessary

6•Processed in an appropriate manner to maintain security

This statement raises the bar across the board and process will be key to demonstrating accountability.

The bottom line is businesses need to shift focus to a proactive approach to data protection

ZYMPLIFY 2017

Data Governance

• Data Protection Officers must be appointed by:

• Public bodies

• Organisations whose core activities consist of processing that requires regular systematic monitoring of data subjects on a large scale

• Organisations that process large quantities of special category data

• Organisations should create a culture of Data protection by design and default – “bake it in” to their business (DPDD)

• Data protection impact assessments (DPIA’s) – risk mitigation assessments which may be carried out “where there is a high risk to data subjects

• Develop processes to ensure that records records are processed and maintained accurately

ZYMPLIFY 2017

Article 4 : Consent

• ‘must be freely given, specific, informed and unambiguous’

• ‘Consent is presumed not to be freely given if it does not allow

separate consent to be given to different personal data processing

operations.’

• ‘The controller must be able to demonstrate that the data subject has consented to processing’

• ‘Data subjects have the right to withdraw consent at any time’

• It’s important to note that pre-ticked boxes on forms does not constitute consent – the data subject must manually click the button for consent to be valid

• Documentation of consent is crucial!

ZYMPLIFY 2017

Privacy Notices

ZYMPLIFY 2017

You should have a clear privacy notice and make people aware of it.

It should tell people:

What information is being collected?

Who is collecting it?

How is it collected?

Why is it being collected?

How will it be used?

Who will it be shared with?

ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

Cookies

ZYMPLIFY 2017

• Sites will need an always-available opt-out: Even after getting valid consent,

there must be a route for people to change their mind.

• Soft opt-in is likely the best consent model: Website owners should give

visitors an opportunity to act before cookies are set on a first visit to a site.

• Consent will need to be specific to different cookie purposes: Sites that use

different types of cookies with different processing purposes will need valid

consent mechanisms for each purpose.

• If accepting cookies is as easy as clicking a link on a landing page then

withdrawal of consent must be just as simple.

Cookies

ZYMPLIFY 2017

Many businesses are now updating their cookie policies and acceptance processes

to ensure they are fully compliant with the legislation.

For example Easyjet will now not allow a new visitor onto their site without first

accepting their cookie policy – other companies have similar notices which require

a positive affirmation to proceed.

Breach reporting & sanctions

Data Breaches:

• Data breaches must be reported to the ICO within 72 hours

• Measures being taken to remedy should be outlined

• If rights or freedoms of individuals are at risk they must be informed without undue delay

Sanctions for failure to comply:

• Fines of up to €20mil or 4% of global annual turnover (whichever is greater)

• Individuals have the right to compensation

ZYMPLIFY 2017

Summary

• The clock is ticking – less than a year until this regulation comes into force

• Data protection by Design is key

• Accountability

• Review the use of consent

• Update privacy notices & cookie policies

• Opportunity or threat

• Protect your business

ZYMPLIFY 2017

Don’t wait until it’s too late – ACT NOW!

Companies need to act now to ensure that they are prepared for this new regulation –

you should be taking steps to identify what data you currently hold, whether you have a

lawful basis for processing this data and whether your systems are adequate for

ensuring that data is maintained in a compliant manner.

How can Zymplify help?

ZYMPLIFY 2017

• Bring all your marketing & sales activities into one centralised dashboard

How can Zymplify help?

ZYMPLIFY 2017

Manage Templates - By having a set of standard templates you can be sure that all of your marketing campaigns have transparent notices in place and when data subjects interact with your marketing campaigns you can tie this all back to the policy that was in place at the time ensuring you have a full audit trail on consent etc.

How can Zymplify help?

ZYMPLIFY 2017

Manage Consent - With a single customer view you can track every interaction with a data subject across all campaigns and channels.

You can also monitor the consent status of each individual covering SMS consent, Email Consent, Mail Consent, Telephone Consent, Consent to receive cookies, and consent in respect of profiling

How can Zymplify help?

ZYMPLIFY 2017

• 5 hours per month dedicated campaign management and compliance support

How can Zymplify help?

ZYMPLIFY 2017

• £299 per month gets you all this:

To book a free demo of the Zymplify platform please go to:

www.Zymplify.com

sales@Zymplify.com

ZYMPLIFY 2017