Breakout B - bvrla.co.uk

Upload: hakhanh

Post on 13-May-2018


Breakout B

GDPR: how it affects our industry

Chairman: Jay Parmar, Director of Policy & Membership

Speakers: David Farnell, Partner at Shoosmiths LLP

Inderpal Lall, Head of Corporate Legal & Compliance Services International at Avis Budget Group

Breakout Session Sponsored by

GDPR is the most significant change to data protection legislation since 1998.

Our expert panellists will discuss how the changes will affect our businesses with specific reference to vehicle rental and leasing operations.

GDPR: Main Changes to UK Data Law & Implications for Members

David Farnell

Partner at Shoosmiths LLP

GDPR: Main Changes to UK Data Law & Implications for Members

A presentation to the BVRLA Outlook Conference

By David Farnell

Thursday 30 November 2017

www.shoosmiths.co.uk

Introduction: Why?

• Global transfers of personal data and ECJ ruling in Maximillian Schell

• Concept of European “Safe Zone”

• GDPR will apply to all organisations in the EEA and others on the “White List”, e.g. Guernsey, Isle of Man, Jersey

What changes will GDPR bring?

• “Personal Data” and “Sensitive Personal Data” are more widely defined

• Data processing must be fair and lawful, but also transparent

• Organisations may only collect and use data that is necessary and protect a data subject’s privacy by default

• New rights for data subjects – to data access, to object to kinds of processing, to “port”, to be forgotten and to know when their personal data is compromised

• Processors have obligations as well as controllers

What if there is a data breach?

• ICO may impose more severe punishments than the current £500,000 maximum fine

• Controllers up to €20m or 4% of global group turnover

• Processors up to €10m or 2% of global group turnover

• Threat of data subjects claiming compensation (class actions)

• Uber

Contact Details

David Farnell

Partner – Finance Disputes

UK Direct Dial 03700 86 7336

Mobile +44 (0) 7736 502 986

Email [email protected]

The national UK law firm

• 186 partners and 726 legal advisers

• Turnover of £116.7m to end April 2017

• The UK’s leading legal adviser by deal volume in 2016 (and 5th in Europe) – Experian MarketIQ’s M&A Review

• Rated a ‘Best Employer’ for 13th consecutive year in 2017 - Legal Week

• ‘Real Estate Legal team of the Year’ finalist - Estates Gazette Awards 2016

• Recognised twice in the latest FT Most Innovative Law Firms report (and for the eighth consecutive year)

• Gold Standard status - Investors in People

• ‘Best Talent Initiative Finalist’ - Business Leadership Summit & Awards 2016

• Authorised by the Financial Conduct Authority (FCA)

Getting GDPR Ready

Inderpal Lall

Head of Corporate Legal & Compliance Services International at Avis Budget Group

Getting GDPR Ready

Inderpal S Lall

Thursday 30th November 2017

Know Your Personal Data - Audit

• Business Process Analysis

Where is personal data gathered?

Where and how is personal data stored?

Where and how is personal data transmitted... outwith of the EEA?

To which third parties is personal data given?

• Technical Analysis

Technical testing of IT systems to locate instances of personal data.

Do not forget paper records!

Third Parties and Personal Data

• Must have a written contract with suitable provisions.

• Assess security measures taken by the third party to safeguard personal data.

• Only provide the personal data needed for the job... duty to minimise.

• Must all be done before the personal data is handed over.

• Records.

Legal Basis For Processing Personal Data

• Use-cases for personal data must fall into one of:

Performance of Contract;

Legitimate Interest;

Consent;

Legal Requirement.

Export of personal data outwith of EEA must be lawful.

Privacy Policy and Consents

• Update Privacy Policy.

• Data Processing Notices.

• Consent:

Fully informed, freely given and capable of withdrawal;

No pre-ticked boxes!!;

Records.

Must reflect use-cases and handling of personal data.

Data Subject Rights

• Must know where your personal data is.

• Prudent to have a web-page/portal for requests.

• Establish robust processes to respond in time.

• Record keeping.

Connected Cars – data generated by internet-enabled cars.

Don’t forget about personal data stored on cars.

“Culture of Compliance”

• Data Protection Audit – you know where your personal data is and what you do with it.

• Privacy Policy and Notices – accurate, up to date and maintained.

• Data Subject Rights – robust and demonstrable processes in place.

• Privacy by Design – be able to demonstrate this, embed in project processes, supplier evaluation, privacy impact assessments.

• Accountability Framework – Data Protection Officer, sound record keeping, ongoing commitment to compliance.

Questions & Answers

Your chance to pose your questions to our speakers

Thank you.

Back to the Atrium for a coffee break.
