Understanding GDPR: Key Points and Implications for University Communications Officers

In this February 2018 network meeting, a comprehensive overview of the General Data Protection Regulation (GDPR) was provided, covering important aspects such as personal data, data privacy, GDPR introduction, content overview, and the upcoming changes. The meeting emphasized the significance of handling personal information responsibly to avoid risks and comply with GDPR regulations. It highlighted the impact of GDPR on communication officers at the University and included insights on data protection principles, the role of Information Commissioner's Office (ICO), and the enforcement of GDPR rules.

• GDPR
• Data Protection Regulation
• Personal Data
• University Communications
• Information Security

alivia Follow

Uploaded on Aug 06, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. GDPR Communications Officer Network Meeting February 2018

3. What well cover today 1. Introduction to GDPR and the University s response - Felicity Burchett, Council Secretariat 2. Advice for Communications Officers - Max Todd, Council Secretariat 3. Q&A session

4. Introduction to GDPR Felicity Burchett Council Secretariat

5. Content overview What is personal data and why it s important for us GDPR - what s changing and what it s all about Who this will affect How the University is preparing What support is available

6. What is personal data? Any information that can be used to identify a living person - directly and indirectly or that relates to them. What does that mean? This could be: name, an identification number, or location data, like an IP address. It could also include other information that leads to an individual being identified (which could be: physical, genetic or cultural). More care needs to be taken with sensitive personal data eg. health data, religious beliefs

7. Why data privacy matters to us We care - we are responsible for handling people s most personal information This is an opportunity to make privacy central to what we do By not handling personal data properly we could put individuals at risk and the University s reputation at stake Getting it wrong could result in significant fines We need robust systems and processes in place to make sure we use personal information properly and comply

8. Overview What? The General Data Protection Regulation (GDPR) is a European law that will replace the current Data Protection Act. The UK government will still implement the rules after Brexit. Why? The aim is to strengthen and unify personal data protection for all individuals living in the European Union. Who? The Information Commissioner s Office (ICO) will lead on GDPR in the UK and will hand out penalties for organisations who are in breach of the new law. When? It will come in to force on 25 May 2018

9. Whats changing? Many GDPR principles are similar to those in current the Data Protection Act. There are also new and strengthened requirements for how we protect people s data. Changes include: new rights (e.g. right to be forgotten ) greater emphasis on transparency and record-keeping mandatory data breach reporting much larger fines for when organisations get things wrong We also need to remember the Privacy and Electronic Communications Regulations (PECR) for electronic marketing

10. What is data privacy all about? Being open with people about how we use their information Not keeping their information longer than necessary Making sure it is accurate Making sure that it is safe Knowing what information we ve got and what we can do with it (eg. sharing) Recognising a breach and knowing what to do

11. Who does this affect? All of us - we all have a responsibility to keep people s information safe. Particularly those involved in: Student administration HR Development and alumni relations activities Research involving personal data and/or human participants Finance IT

12. How is the University preparing? University-wide improvement programme underway Core group with representatives from each division and key services In addition to University-wide initiatives, improvements are being taken forward locally, for example, system improvements Step by step approach Currently, working with departmental administrators to create registers of the personal data depending on your role, you may be asked to take part in creating your department s register

13. What support will I get? Web pages with up-to-date information and FAQs Other guidance/tools being developed eg. guidance on how to identify breaches and what to do next There are hub contacts for divisions, departments and sections Updates via these contacts and/or the Information Compliance Team between now and May Training sessions planned for key data handlers

14. Communications and GDPR

15. Communications about the GDPR Project - Currently being managed by the GDPR Core Group - Specific tasks at this stage, related to the data register and other compliance activities - There will be a wider campaign and training further down the line - which will require some communications input - Speak to your Departmental Administrator before doing any communications at this stage - We will let you know when there are opportunities to get involved

16. Managing the impact of GDPR on the communications community - Divisional Hub Contacts responsible for data within divisions and departments in general working with Departmental Administrators - Functional leads also working across the University focusing on key professional communities: - HR, student data, development etc. - Communications is one of these functions - Consultation through Communications Leads group - Further guidance and support to follow

17. Communications Leads Group AAD PAD - - Dan Selinger Annette Cunningham Medical Sciences MPLS Social Sciences Humanities ContEd GLAM - - - - - - Alison Brindle Kirsty Heber-Smith (Tanya Baldwin) (Karen Brill) Gail Anderson Susannah Wintersgill DevOff Finance Estates Services IT Services Personnel Services Research Services - - - - - - Suzy Ingram Laura Cooper Sarah Walton Lisa Mansell Meghan Lawson Gaelle Jolly

18. Advice for Comms Officers Max Todd Council Secretariat

19. GDPR and Communications External communications/marketing Student recruitment Outreach Departmental/Institutional marketing Public engagement Media Relations Alumni Relations Fundraising Internal communications Current students Staff

20. External Communications - Main issues Legal basis for processing Different rules for marketing by (i) Email/text; (ii) phone; (iii) print Definition of Consent Compliance strategy for existing contacts

21. Legal basis for processing Must have a lawful basis for processing i.e. a legitimate reason for using personal data Two options for external marketing: Consent Legitimate interests

22. Consent vs Legitimate interests We can rely on legitimate interests for print communications only and for holding the data in the first place Consent is necessary for marketing by email or text Mixture of legitimate interests and consent for marketing calls

23. Legitimate interests Suitable basis when we use people s data in ways they would reasonably expect and which have minimal impact on their privacy GDPR specifically recognises direct marketing as an example of a legitimate interest Required to balance our interests against rights and interests of individual

24. Legitimate Interests Assessment (LIA) Must carry out a LIA in order to demonstrate compliance (accountability principle). 3-part test 1. Purpose: What is our legitimate interest? 2. Necessity: Why do we need to process personal data to achieve it? 3. Balancing of interests: Do the individual s interests override the legitimate interest? One LIA for key activities within your area

25. Privacy and Electronic Communications Regulations (PECR) - Scope Provides rules for unsolicited direct marketing by electronic means (email, text, phone) Unsolicited: Not specifically requested Direct marketing: Targets particular individuals Marketing is not limited to commercial marketing (sale of goods and services) Covers any advertising and promotional material, including that promoting aims of not-for-profit organisations, such as HEIs

26. Rules of PECR - Emails/texts Prior consent required for e-mails or texts sent to individuals Every email/text must have valid address to enable individual to opt-out/unsubscribe PECR does not apply to business to business emails/texts

27. Rules of PECR - Calls No calls to people registered with Telephone Preference Service (TPS) or those who have otherwise objected Can only call TPS number with specific prior consent OK to call non-TPS numbers but DPA/GDPR applies i.e. person must be aware we have their number and intend to use it to make marketing calls

28. Consent under GDPR and PECR Specific, informed, freely given (genuine choice) Requires positive action i.e. opt-in Failure to opt-out is not consent Granular: separate consent for distinct activities Consent under PECR must be specific to sender of marketing (college/University/department) and to method of communication (email/text)

29. Methods of obtaining consent Tick box Signing a declaration/form Sending an email Selecting Yes/No options Oral statement Whichever method is used, GDPR requires us to keep evidence of consent (accountability)

30. Strategy for existing contacts Do I need consent under PECR? (Am I sending marketing emails?) Send non-marketing email as usual No Yes Do I already have valid consent (specific, informed, opt-in)? No Draw up programme to collect valid consent + evidence Yes Can I provide evidence of that consent? No Yes Send marketing email

31. Existing contacts Assess level of risk What happens if I can t get consent by 25 May? Depends on level and type of engagement Risk will be lower where there is evidence of engagement, particularly by email e.g. opening emails, responding to emails Risk will be higher for those who have engaged in other ways (updating paper contact details, attending events, making donations) But latter group may be amenable to opting-in

32. Existing contacts Stop bad practice Identify and eliminate any bad practices NOW Sending emails to people who have opted out Sending emails with no opt-out Buying marketing lists without due diligence i.e. without checking whether people gave consent to marketing from OU Sending emails to those who have opted out to ask whether they would like to opt-in

33. What happens if there is a complaint to the ICO? ICO take a risk based approach to enforcement Many worse offenders under PECR But even a minor complaint will allow ICO to examine our policies and procedures They will look for evidence that we understand the rules and have plans to achieve compliance Don t panic, but no complacency either

34. Individual rights Right to withdraw consent at any time Implicit under DPA; explicit under GDPR Right to ask for erasure of data if consent withdrawn (right to be forgotten) Unconditional right to object to processing for direct marketing under DPA/GDPR Must comply with objection within one month

35. Internal communications - 1 Q1. Do we need consent? A1. No Not marketing (or nor main purpose), so PECR does not usually apply. Can rely on legitimate interests and/or contract as basis for processing. LIA necessary for former Q2. Is an opt-out necessary? A2. No PECR does not apply. Minimal impact on privacy

36. Internal communications - 2 Q3. What should we do if someone objects? A3. GDPR grants right to object to processing based on legitimate interests. Person would need to demonstrate harm rather than mere irritation. Consider on a case by case basis. Refer to ICT in difficult cases Q4. Do we need consent for use of tracking software? A4. No, but need to tell staff and/or students that we use it.

37. Next steps

38. Next steps - These slides will be shared after today s event - Speak to your DA before communicating about the GDPR project - If you have a query about how GDPR will impact you, speak to your DA in the first instance (University only) - If you have any further concerns or very specific communications questions , speak to the relevant member of the Comms Leads group - We will keep you posted about the project as it develops

39. Event for PR professionals in Oxford - Data: The Good, the Bad and the GDPR - Monday 5 March 2018, Jericho Tavern - Speakers: - - - Jon Gerlis, Senior Policy Officer, CIPR, Diego Bironzo and Nadin Vernon, PRIME Research Piers Schreiber, former VP of Corporate Communications at Jumeirah Group - Find out more and sign up at www.publicrelationsoxford.co.uk/events

40. Questions and answers Dan Selinger, Academic Administration Division Charlotte Dewhurst, Development Office Felicity Burchett, Council Secretariat Max Todd, Council Secretariat