70 roundtable ... continued from previous page
“Businesses will have to be very careful about how they do things,” said Hickley, while mentioning that advice could be gained by emailing the ICO.
Although it would not be legally adequate on its own, he advised that businesses should, as a mitigating action, start putting details of their data protection terms and the proposed usage of any data gained at the bottom of all emails sent out.
Social media platforms, and those who access them, would also have to address the GDPR issues, added Brett.
Jerry Wilson
Welcome to the age of re-consent
Hickley detailed the two legal ways of accessing and processing EU data under the GDPR:
• Through legitimate interest
• By gaining consent.
Existing consents, unless GDPR compliant, will not be valid.
‘Legitimate interest’ covers access and processing related to national security or law enforcement, or freedom of information requests, or where a business needs to do so for its own legitimate interests or those of the third party to whom the information is disclosed. The ‘grey area’ is that the legitimate interests of the business or third party must be balanced against any prejudice to the rights and freedoms or legitimate interests of the individual data subject.
Gaining explicit consent from the individual whose data is being processed, perhaps through an opt-in tick-box, was obviously the most secure way to comply with the GDPR. “In the next two years, organisations are going to have to go out and elegantly get re-consent from their data subjects – that’s active consent through explicitly opting in to the use.” Germany already has a double signature system – one signature covering terms and conditions of use, and one signature for the type and scope of use.
Opt-in rates tend to be quite low: only 30-40% of people opt in when asked to decide, Hickley added.
Verbal opt-ins, even on calls advised as recorded for training purposes, could not be relied upon for legal purposes, added Kolah. “The difference between B2C and B2B almost evaporates with this new GDPR regulation.”
Again, the Roundtablers began to discuss the ramifications for targeted direct marketing, cold-calling and new business development operations.
No more cross-selling without consent?
As an insurance broker Wilson had a specific query. “When someone rings for a motor quote, do we now have to get their consent to pass their information on to third parties in order to get them the most suitable quote, or that we might contact them about other insurance lines?”
Under GDPR, Kolah said the person’s data could be lawfully processed for the performance of one such contract (ie the motor insurance) but it could not be used for anything else. “You’ll need to have their consent to send them other information.”
This highlighted the issue of product ‘piggy-backing’ or service cross-selling, prevalent in many business sectors.
From his personal experience Kolah felt banking was ‘up to speed’ with awareness of compliant personal data usage, but the insurance sector was still ‘behind the curve’.
Wilson admitted that before attending the Roundtable, he knew the GDPR was coming along and lost data had to be disclosed, “but this is so much more than I expected, and I have seen nothing in the insurance media talking about GDPR.”
Kolah explained that his company, GO DPO – the strategic partner working with Henley Business School that developed the DPO Programme – was behind the Journal of Data Protection and Privacy, to be published globally by Henry Stewart Publications. In addition, there is a LinkedIn group for the JDPP that is a forum for the latest information, news and comment on GDPR and all other data protection and cyber issues around the world. Early next year, two books on the GDPR and a Data Protection Officer’s Handbook will also hit the bookshelves, published by Kogan Page.
GO DPO was also providing the Henley Business School’s vocational Data Protection Officer Programme (henley.ac.uk/dpo). Kolah added that Henley Business School is the only triple-rated business school in Europe providing such a rigorous programme for the senior managers and practitioners who are the new breed of DPOs under the GDPR; they receive the DPO Certificate of Completion provided that they successfully pass all assessments with a 70% pass mark.
Debbie Evans
Wanted: publicity, education and training
Kolah said the major operational risk of GDPR was not actually the principles within it, but the understanding of those principles by employees using data within businesses.
“The first line of defence in protecting business continuity is awareness, education and training,” he added.
Evans mentioned that the ICO provides a 12-step guide to the GDPR. “It’s a good starter, although there is a lot more detail that needs to be fleshed out. It may help you to start chewing this massive cake.”
There are two residential elements at the start and at the end of the DPO Programme that are uniquely facilitated by a Supreme Court judge from Canada. In the middle are six modules, covering the first 100 days of the DPO, risk management, key principles of the GDPR, a comparison between the GDPR and the previous Data Protection Act 1998, data and security obligations and processing of data and cloud computing.
There was general Roundtable agreement that there needed to be more GDPR awareness generated by the Government and through industry bodies and business communities.
How do we get companies to come aboard?
While Wilson accepted that the insurance sector was often slow to respond, he was equally concerned about his insurance clients, such as individual online retailers and small companies having to tackle GDPR compliance. “They are well below the radar day-to-day, yet will be governed by the same rules and regulations as the multinationals.”
THE BUSINESS MAGAZINE – THAMES VALLEY – JUNE 2016