Understanding GDPR: Key Principles, Compliance Steps, and Benefits for Organizations
Learn about GDPR's impact on data protection, key compliance steps, and benefits for organizations, including increased transparency, trust, and cyber resilience.
EU GDPR summary What is the GDPR
Added on 09/26/2024
Speaker 1: When the GDPR came into effect on the 25th of May 2018, it was the first major update to European data protection law for over 20 years. The regulation gives individuals, known as data subjects, much greater control over how organizations process or control the processing of their personal data. Personal data consists of information such as names, location data, email addresses, health records and photos, to name a few. Essentially, anything that could identify a living person. In the UK, the GDPR is also supplemented by a new Data Protection Act, which fills in sections of the regulation that were left to individual member states to interpret and implement, and which applies the GDPR's provisions to certain areas that are outside the regulation's scope. Failing to comply with the GDPR's requirements will leave organizations open to considerably higher penalties than they faced under the 1998 Data Protection Act, with maximum fines of up to €20 million or 4% of annual global turnover, whichever is greater. But it's not all about increased obligations and penalties. There are great advantages to GDPR compliance too. The new law promotes greater transparency and accountability, and aims to increase public trust by giving individuals more control over their data. By getting data protection right, organizations will enhance their reputation and build better, trusted relationships with existing and potential customers. Moreover, by implementing and maintaining the technical and organizational measures required by the GDPR, organizations will benefit from greater levels of information governance and cyber resilience, which will help them mitigate the daily onslaught of cyber attacks. If your organization still falls short of compliance, it's by no means too late to take steps to ensure your compliance with the law. So, what do you need to do? First, it's important to understand some of the terminology the regulation uses. 
The GDPR defines personal data as any information relating to an identified or identifiable natural person, including names, identification numbers, location data, online identifiers, and one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Processing is any operation or set of operations that's performed on personal data, whether by automated means or not. Data processors are responsible for processing personal data on behalf of data controllers, and data controllers determine the purposes and means of the processing. Data controllers are responsible for and must demonstrate compliance with six data processing principles. Personal data must be processed lawfully, fairly, and in a transparent manner, collected for specified, explicit, and legitimate purposes, adequate, relevant, and limited to what is necessary, accurate, and where necessary, kept up to date, retained only for as long as necessary, and processed in an appropriate manner to maintain security. There are also six lawful bases for processing. Except for special categories of personal data, whose processing is prohibited except under certain circumstances, personal data can only be processed if it's necessary to meet contractual obligations entered into by the data subject, to comply with the data controller's legal obligations, to protect the data subject's vital interests, for tasks in the public interest or exercise of authority vested in the data controller, or for the purposes of legitimate interests pursued by the data controller, or if the data subject gives their explicit consent. Many people focus on consent, but it's arguably the weakest lawful basis for processing because it can be withdrawn at any time. It has to be as easy for individuals to withdraw their consent as it was to give it, and they can withdraw their consent via any medium. 
When consent is withdrawn, your organization will be obliged to erase the individual's data if they request you to, unless you can demonstrate a lawful reason to retain it. It's therefore always worth determining whether another lawful basis for processing can apply. In many cases, organizations will be able to rely on legitimate interests. As the most flexible of the six lawful bases for processing, it could theoretically apply to any type of processing carried out for any reasonable purpose, although the onus will be on you to balance your legitimate interests against the interests, rights and freedoms of the data subjects. Whichever lawful basis for processing you deem appropriate for each processing activity, your organization must keep a record of it. This will also help you when writing privacy notices, which must be provided to data subjects as part of their right to be informed when their personal data is collected, whether it's collected directly or indirectly. As well as the right to be informed, data subjects have a number of other rights which data controllers must be able to facilitate. These are the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. Data security is an important part of GDPR compliance. Among other requirements, your organization must implement appropriate and proportionate technical and organizational measures to protect personal data, as will any third-party organization that processes data on your behalf. And if your organization suffers a data breach, reporting it is now mandatory. Data processors must report all breaches of personal data to the data controllers, and data controllers are required to report breaches to the Information Commissioner's Office within 72 hours of their discovery, if there is a risk to data subjects' rights and freedoms.
Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms. If the data is anonymized or encrypted to the extent that it is no longer possible to identify data subjects, there is no risk. GDPR compliance is not just a matter of ticking a few boxes. Demonstrating compliance with the regulation's data processing principles involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with provisions for transparency, accountability, and individuals' rights, and building a workplace culture of data privacy and security. If you're still at the beginning of your GDPR compliance journey, you can find expert support and resources ranging from accessible implementation guides to expert consultancy at idgovernance.co.uk.
