GDPR: Data Breaches

Hopefully, you’re reading this before you’ve begun processing data and you’re not here because you’ve just accidentally posted a hundred people’s personal data on Twitter.

Data breach jokes aside, if your organisation has experienced one, this blog cannot help you. Seek legal advice as soon as possible and make sure you report the breach to the ICO within 72 hours.

Now the disclaimers are out of the way…

From a rogue Morrisons employee releasing the details of 100,000 members of staff (including their bank details) to Yahoo’s 2013 breach, which leaked details of 3 billion accounts, data breaches have never been welcome in the news.

What is a breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Personal data breaches must be reported within 72 hours of becoming aware of the breach.

You must inform individuals of the data breach if it is likely to result in a high risk to their rights and freedoms.

You should have in place robust breach detection, investigation and internal reporting procedures.

Keep a record of any personal data breaches, regardless of whether you are required to notify.

What to tell the ICO

A description of the nature of the personal data breach including:

  • the categories and approximate number of individuals whose data was lost in the breach
  • the categories and approximate number of personal data records in the breach
  • the name and contact details of the data protection officer or other contact point
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the breach

What to tell affected individuals

You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer or other contact
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the breach

More detailed advice for GDPR can be found in the ICO’s GDPR Guide.

This is the final chapter in Part One of our GDPR series.

You can see all of the other blogs here or check back soon for event-industry specific advice, including how GDPR could affect your use of Helm Tickets.

POPULAR POSTS

Offline Event Marketing Ideas

For many businesses and events, digital marketing is key. Online ads and social media marketing have become incredibly accurate, and act as a measurable tool for reaching the target audience of your event.

GET WEEKLY EMAIL UPDATES

CONNECT WITH US

GDPR: Documenting your Processes

When adhering to GDPR, organisations need to accurately document their processes when dealing with personal data, including how you share data, how you store it and your process for destroying it.

The following documents are necessary, and it’s advisable to speak to your entire workforce to find out how they each individually use data:

  • Up to date Privacy Policies and Terms & Conditions.
  • Data Processing Form: A record of all data stored, including why and where.
  • Data Protection Impact Assessment: A series of questions about data protection you must ask before undertaking any new project.
  • Subject access record
  • Data Breach Record
  • Data Protection policies
  • Data Audits
  • Internal HR Audits

Data protection impact assessments

Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

You must carry out an assessment when:

  • using new technologies
  • the processing is likely to result in a high risk to the rights and freedoms of individuals.

Data protection officers

The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) if they are:

  • carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking)
  • carrying out large scale processing of special categories of data or data relating to criminal convictions and offences.

More detailed advice for GDPR can be found in the ICO’s GDPR Guide.

This is part of our ongoing series on GDPR. Find out more here and look out for our next blog on data breaches.

GDPR: Individual Rights

The new GDPR regulations are designed to give power back to the individual with regard to their personal data. With that in mind, here’s a brief rundown of the rights of individuals when it comes to their information.

  • The right to be informed: your obligation to provide ‘fair processing information’, typically through a privacy notice, with transparency over how you use personal data.
  • The right of access: individuals have the right to access their personal data and supplementary information; this allows individuals to be aware of and verify the lawfulness of the processing.
  • The right to rectification: individuals have the right to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure: also known as ‘the right to be forgotten’. An individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • The right to restrict processing: individuals have a right to ‘block’ the processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
  • The right to data portability: this allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • The right to object: individuals have the right to object to processing based on legitimate interests, direct marketing, and processing for purposes of scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling: individuals have the right not to have their data processed solely by automated means without any human involvement, including profiling (automated processing of personal data to evaluate certain things about an individual).

More detailed descriptions of these rights can be found in the ICO’s GDPR Guide.

GDPR: Marketing Your Events

So, you know what GDPR is but how does it affect event organisers?

As we explained in the Lawful use of Data blog, you have to have a legal basis for processing personal data. In event management, some of the 6 bases are more likely – consent (they opted in), contract (as part of you providing the service sold with their ticket) and legitimate interests (they have attended before or might genuinely be interested in attending in the future).

Promoting the Event

If you’re marketing your event and have found contact details for potential attendees in the public domain (e.g. their website), you can contact them. The information is freely available and you’re sure they have a legitimate interest in what you’re organising.

You can also contact individuals if they’ve attended a similar event before and gave consent for you to use their data in this way – they have a legitimate interest and you’ve got consent!

Contacting Previous Guests

If you have the details of guests who have previously attended an event you organise, you may be able to contact them about the same or a similar upcoming event.

However, now you have their details you can’t send them details about every facet of your business – if someone attended a networking event for the construction industry, it’s unlikely they’d have a legitimate interest in attending your dog grooming course.

As part of the new regulations, it’s important to track all of your processes and data – so make sure you have a record of where and when contacts on your mailing list opted in.

Hopefully, here we’ve given some useful contextual examples for how GDPR could affect your event management. Next up in the series, we’ll go into more detail about how GDPR impacts your use of Helm Tickets.

Remember, our blog isn’t all-encompassing advice, so you may want to consult your legal advisors. More information about the regulations can be found in the ICO’s Guide.

GDPR: Lawful use of Data

What is legal?

You must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. Which basis is most appropriate to use will depend on your purpose and relationship with the individual.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of the following must apply whenever you process personal data:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. Legitimate interests can be the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

More detailed descriptions of each lawful basis can be found in the ICO’s GDPR Guide.

Essentially, any data processing you perform must be necessary. If you can achieve the same outcome without the data, you won’t have a lawful basis.

If you do have a lawful basis, make sure you document this before undertaking the processing. You should have your lawful basis detailed in your privacy notice.

Next up in our GDPR series, we’ll look at individuals’ rights. Once we’ve gone over the basics we’ll move into Part 2 of the series. This will include how GDPR applies to those in event management and organisers using Helm Tickets.

GDPR: Who, what, where?

What is GDPR?

General Data Protection Regulation (GDPR) is a way of bringing data protection legislation into line with new, previously unforeseen ways that data is now used online. Currently, the UK relies on the Data Protection Act 1998. The introduction of GDPR will see tougher fines for non-compliance and breaches, and gives individuals more say over what companies can do with their data. GDPR comes into force on the 25th May 2018.

GDPR applies to personal data relating to a living individual. This includes any information relating to a person who can be directly or indirectly identified by reference to an ‘identifier’, e.g. a name, identification numbers, location data or even online identifiers. GDPR also applies to sensitive personal data, including any genetic or biometric data processed to identify an individual, and to data relating to criminal convictions and offences.

Who & Where?

GDPR applies to any business processing personal data belonging to EU residents. This includes businesses within and outside of the EU that offer goods/services to people within the EU.

How to Operate

You will need to determine who is the ‘controller’ and ‘processor’ for all data held within your business.

  • A controller is a person who (either alone or jointly with other persons) determines the purposes and manner in which any personal data is processed.
  • A processor is a person who processes the data on behalf of the data controller. Both have legal liability if there is a data breach within the company.

“Processing” means obtaining, recording or holding information or data and carrying out any operation or set of operations on the information or data. This includes:

  • any organisation, adaptation or alteration
  • retrieval, consultation or use
  • disclosure or distribution
  • arrangement, grouping, blocking, erasure or destruction

What can I do with data?

You must have a valid lawful basis in order to process personal data; this will be covered in our next blog.
