EU Data Protection Regulation: Time to get organised in the UK

25/05/2016

Browne Jacobson, London

This conference will give businesses and the public sector in the United Kingdom a clear path for adapting their operations to the heavier legal duties which will be imposed by the European Union Data Protection Regulation. It will give you the information and tools that you need to comply with the law.

The conference will feature speakers from Browne Jacobson, Privacy Laws & Business, and the Information Commissioner’s Office. Public sector organisations and private sector companies will also share with us the ways in which they are preparing for the Regulation. How will your organisation adapt? Each session will be followed by time allocated to discussion.

What are the changes and what do you need to do? The conference will focus on the UK but will provide, as an underlying theme, an insight into the continuing importance of the EU-wide dimension, regardless of whether the UK remains in or leaves the European Union.

By the end of the day, you will have gained practical advice on what to do next.

In particular we will focus on the following:

1. What are individuals’ additional rights? As the purpose of the EU Data Protection Regulation is to provide and protect individuals’ rights, one session will identify their new, stronger rights: some are enhanced versions of current rights, while others are completely new in the UK.

2. How the ICO aims to ensure that the EU DP Regulation is implemented effectively (and why this matters to all of us): A speaker from the Information Commissioner’s Office (ICO) will explain to us the Commissioner’s priorities in helping ensure that public and private sector organisations are complying with the new Regulation, which is directly applicable in UK law. The tools available to the ICO include warning letters, audits, investigations in response to complaints, prosecutions and fines. How should you respond to such regulatory actions?

3. International transfers: Many organisations which focus mainly on the UK need to process personal data in other countries outside the European Economic Area (EEA). This could be because you have clients, employees, self-employed staff or associates or suppliers outside the EEA, or outsource certain functions, or you use cloud services. Which aspects of the law are changing? The EU-US Safe Harbor is no longer valid, and the EU-US Privacy Shield is untested. So how can you stay on the safe side without incurring legal difficulties?

4. Collecting and using personal data: Collecting and using personal data, whether on paper, e-mail, websites or social media, remains a minefield. What is the difference between “unambiguous consent” and “explicit consent”? How clear do you need to be in explaining how you will use your clients’ and prospects’ data? What does a “right to object” mean in practice? How often do you need to review and update your privacy notices?

5. Information security and breach notification requirements: The person responsible for implementing data protection law within your organisation needs to coordinate with the person(s) taking responsibility for data security. While both will be aware of the risk of the loss or theft of personal data, one has to take responsibility to inform the ICO in terms of what and when. In which ways will data processors now have enhanced responsibilities? What is the reporting situation regarding hacking? When is the Computer Misuse Act relevant? When do you need to inform the police?

6. What should I do next? The last session will provide you with the results of small group discussions on how the participants are planning to integrate new legal requirements into their business processes. Action points to be covered by a panel of the speakers include your mandatory record-keeping responsibilities and how you should revise your documentation. To communicate the complexities of the new legal requirements you will need to create training programmes which communicate to relevant staff what they, in particular, need to know. While you revise your Data Protection Act audit methodology, you will, of course, be thinking of how you would cope if the ICO investigation or audit team come to visit you.

The day will round off with insights into how to keep up to date with new developments followed by drinks and canapés.

This event qualifies for 6 CPD hours.

Every Privacy Laws & Business event qualifies for accredited CPD hours for the purposes of the England and Wales Solicitors Regulation Authority’s requirements. Please quote AQJ/PLBU when applying for the points with the SRA.