Warwick Conferences, 8 th March 2018 Agency Engagement Committee - - PowerPoint PPT Presentation
Agency Engagement Meeting Warwick Conferences, 8 th March 2018 Agency Engagement Committee Amy Bewley Julie Shorrock (Chair) Prestige Reservations Hotel and Travel Solutions (HTS) Daniel Sweet Graham Upton First Choice Conference &
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
Daniel Sweet First Choice Conference & Events Julie Shorrock (Chair) Hotel and Travel Solutions (HTS) Graham Upton Inspirational Venues Amy Bewley Prestige Reservations
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
Connect to “Warwick Guest” network If the Warwick Guest Wireless web page does not open automatically open your web browser and attempt to access any online content If you do not have an account, click on the link to create one and select “Attending a Conference” Fill in the requested information and your new login details will be sent to your phone.
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
“Survey Agent vs Hotels”
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA
Pre-Show Conference – Millennium Gloucester Hotel, London
clarkewillmott.com
clarkewillmott.com
clarkewillmott.com
clarkewillmott.com
Passed Second Reading 5 March 2018 and is now in Committee Stage “A Bill to make provision for the regulation of the processing of
information relating to individuals; to make provision in connection with the Information Commissioner's functions under certain regulations relating to information; to make provision for a direct marketing code of conduct; and for connected purposes.”
clarkewillmott.com
“Data protection by design” “Data protection by default” Transparency – increased rights of data subjects Right of data portability and right of erasure No differentiation between data controllers based on location
clarkewillmott.com
Penalties up to the higher of 4% global turnover or 20 million euros Non-EEA bodies caught by GDPR in respect of EEA-based activities Enhanced emphasis on demonstrable AND SPECIFIC legal bases for processing and recording them Obligation to notify ICO of data breach in 72 hours, data subject as soon as practicable End to registration of data controllers Increased obligations of data processors and with respect to selection and management of data processors.
clarkewillmott.com
Recording legal basis for processing personal data Subject access request changes:
– No specific form of request required – Thirty day turnaround – No fee for initial request
Increased emphasis on data processor/controller relationships (may cause issues with Cloud-based services)
clarkewillmott.com
Record processing purposes, data sharing and retention periods. May have to make the records available to ICO on request. Controllers and processors both have documentation obligations. More restricted obligations for small and medium-sized enterprises (<250 employees) but still have to record regular data processing. Information audits or data-mapping exercises can be valuable. Records must be kept in writing. Most organisations will benefit from maintaining their records electronically. Records must be kept up to date and reflect your current processing activities.
clarkewillmott.com
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data…being processed” (old definition) “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data…” (new) CONSENT MAY BE WITHDRAWN AT ANY TIME
clarkewillmott.com
“Consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequences.”
Article 29 Working Party Opinion 2/2017 on Data Processing at Work
clarkewillmott.com
Article 6 GDPR sets out six legal bases for processing, at least one of which must apply: 1. Consent to processing for a specific purpose 2. Necessary for the performance of contract with data subject 3. Necessary for compliance with legal obligation of controller 4. Necessary to protect vital interest of data subject
5. Necessary for public interest task or official
6. Necessary for controller’s legitimate interest, subject to data subjects interests, rights and freedoms
clarkewillmott.com
What is a Data Protection Officer and do we need one? What is a data privacy assessment, when should we carry one out and how? How do we manage document retention and purging under the new system?
clarkewillmott.com
Name of asset What does it do Location Owner Volume Personal data Access Shared Format Retention Risks
clarkewillmott.com
clarkewillmott.com
Data mistakes in general stem from overlooking or misreading the human element SO Solutions have to be people-driven not technology driven!
clarkewillmott.com
Type of breach
– “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data. – “Integrity breach” - where there is an unauthorised or accidental alteration of personal data. – “Availability breach” - where there is an accidental or unauthorised loss of access15 to, or destruction of, personal data.
Notify ICO if “risk to rights and freedoms of data subjects” within 72 hours “Tell it all, tell it fast, tell the truth.” ICO will advise on notifying data subjects but if serious risk to their rights and freedoms need to do so without delay.
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052
clarkewillmott.com
Informed engagement Policies, checklists, training and peer review Creation and maintenance of an information asset register Clean up data flows
clarkewillmott.com
Information Asset Register Data Flow Measurement and Recording Records of Processing Data Retention Policies – attached at appropriate place in the system.
clarkewillmott.com
“By design” and “By default” Ownership of data issues Small-scale pilots and soft-launches for new data systems Data protection impact assessment at outset and throughout implementation and post-implementation phases Disaster Planning
clarkewillmott.com
Susan Hall Partner t: 0345 209 1498 07712661939 e: susan.hall@clarkewillmott.com
HBAA Setting the standards for the events and hospitality sector
HBAA @The_HBAA HBAA The_HBAA