With the GDPR and ePrivacy Regulation coming into effect on 25 May 2018, and the NIS Directive having to be implemented into national law by 7 May 2018, there is little time left to develop effective compliance strategies.
With mouth-watering fines for default, this conference, chaired by Robert Bond, will examine the major legal and practical issues and is delivered by a panel of leading experts.
Sarah Mumford | Richard Hodgson, Design Chambers | Robert Bond, Bristows | James Castro-Edwards, Wedlake Bell LLP | Rosemary Smith, Opt4
This Conference will cover the following topics:
9.30am – 10.15am: GDPR Compliance Planning – A Slice at a Time
It's not too late but focussed effort will be required for organisations to achieve compliance by May.
This session will look at some of the key stumbling points that have been found in practice and offer some practical suggestions on a way through:
- Road map – what is essential, what is nice to have
- Permissions and consents, getting it right and evidencing the result
- Retention and destruction, practical issues
- The supplier chain – being procured and doing the procuring
10.15am – 11.00am: Preparing for the impact of the E-Privacy Regulation
Richard Hodgson, Design Chambers
The forthcoming EU ePrivacy Regulation has the potential to affect greatly the business practices of many enterprises that have an on-line or even telephone presence.
This session will outline some of the important areas that should be considered now:
- The extension of certain existing e-Privacy provisions from traditional telecoms providers to anyone providing OTT (‘over the top’) communication services such as Skype and Whatsapp. Are these new provisions likely to ‘guarantee’ the privacy of electronic communications in practice?
- The important changes to ‘cookie’ consent. Will enterprises be able to place and make use of more cookies without consent?
- Commercial use of the content of communications, browsing, shopping habits, location and metadata of online users.
- The new rules attempting to prevent or at least reduce spam. Will they also be applicable to ‘cold calling’ telephone marketing?
- The vexed question of tracking walls
- Enforcement of the Regulation - could fines or worse really be that large?
11.15am – 12.00: Lawful Grounds For Processing
Robert Bond, Bristows
The GDPR and indeed the current law sets out six lawful grounds for processing personal data. So why is everyone focussing on consent as the only solution?
Even the ICO says consent is not the only solution. So how do controllers legitimise their current and future processing activities?
- Consent requires plain language and more express than implied permission
- Consent is not the only lawful ground, so what else works?
- How to legitimately use legitimate interests
12.00 – 12.45pm: Controller v Processors: What Now?
James Castro-Edwards, Wedlake Bell LLP
The GDPR introduces significant changes around data processors and data controllers. The changes will mean that organisations will need to review their arrangements with service providers.
A failure to properly appoint a data processor may be regarded as a breach of the controllers' security obligations. This session looks at the new rules under the GDPR, and how to address the risks.
- The new rules under the GDPR: scope, definitions and obligations.
- Obligations on data controllers: due diligence, processor contracts and transparency and DPIAs
- What happens when it goes wrong: breach reporting
- Practical compliance
12.45 – 1.00pm: Questions on Morning Session
2.00pm – 2.50pm: International Data Transfers
Robert Bond, Bristows
The UK Government recently published its thoughts on international data transfers pre and post Brexit. Current EU law and the GDPR set out a limited number of solutions to international data transfers.
This session will analyse the choices for both controllers and processors.
- GDPR and international data transfer solutions
- The future for Privacy Shield and Model Clauses
- Data transfers post Brexit
2.50pm – 3.40pm: Cyber Security
Richard Hodgson, Design Chambers
This session will outline the major provisions of the NIS Directive and the steps that private and public-sector bodies should be considering now to try and maximise compliance from May 2018.
- The Directive-designated state bodies and the Cyber Assessment Framework The need to keep abreast of and implement warnings issued by CSIRTs - could there be legal implications of not doing this?
- The public and private sectors covered by the NIS Directive
- How might other Operators of Essential Services be identified at the national level?
- Important obligations on an OES including the requirement to show effective plans to ensure resilience at times of power failure or environmental disasters.
- The position of micro and small entities - could they fall under the scope of the Directive?
- Some special provisions for DSPs, including cloud providers and online marketplaces
- Responding to a cyber incident
- The NIS Directive and cross over with the GDPR
- Liability, enforcement and an ability to impose severe penalties and fines - could the UK go beyond the requirements of the Directive?
3.55pm – 4.45pm: Understanding and Responding to Data Subject Rights
Rosemary Smith, Opt4
GDPR introduces new rights for data subjects and enhances some existing rights.
This session will cover:
- What are the rights data subjects will now have?
- Is the right to erasure absolute?
- Will you be affected by data portability?
- How will you deal with expanded rights to object?
- Are we all going to drown in a sea of SARS?
4.45pm – Close: Questions & Answers