17th Data Protection Compliance Conference, 11th & 12th October
11th & 12th October 2018
London, UK

17th Annual Data Protection Compliance Conference: Complying with the GDPR

Keynote Speaker: James Dipple-Johnstone, Deputy Commissioner (Ops), ICO

This year’s conference is dedicated to analysing the practical components of the GDPR and the DPA 2018, helping organisations to ensure they are fully compliant.

“An excellent Conference: speakers, programme and organisation.”
Claire Robson, Kent & Medway NHS Trust

“Speakers delivered good insights into various aspects of the GDPR.”
Teresa Gudge, Airbus UK

“Very relevant.”
Nicola Hermansson, Ernst & Young

“Very informative and well executed conference”
Paul Woods, Government Legal Department

First tier Conference sponsors:

www.pdpconferences.com

PRESENTATIONS - Day 1
Thursday 11th October 2018

Chair: Bridget Treacy - Partner, Hunton Andrews Kurth

KEYNOTE: How the ICO will Exercise its New Powers
James Dipple-Johnstone – Deputy Commissioner (Operations), ICO

The New Transparency Obligations
Estelle Dehon – Barrister, Cornerstone Barristers

The UK Data Protection Act 2018 – gloss or substance?
Rosemary Jay – Senior Consultant Attorney, Hunton Andrews Kurth

GDPR Lessons Learned in Government
Robert Clifford – Head of Data Strategy, Home Office

The Long Term Viability of the Privacy Shield and Model Clauses
Eduardo Ustaran – Partner, Hogan Lovells

E-Marketing: Crisis Point or Business as Usual?
Kate Brimsted – Partner, Bryan Cave Leighton Paisner

Outsourcing - Overcoming the GDPR Challenges
Naomi Vann – Managing Legal Counsel, RBS

Consent or Legitimate Interests?
Mark Watts – Partner, Bristows

Details of the content of each Presentation are available online at www.pdpconferences.com

WORKSHOPS - Day 2
Friday 12th October 2018

Morning Workshops (9.30 am - 12.45 pm)

Workshop A: Updated Rights under the GDPR
Leonie Power – Director, Fieldfisher

Complying with the rights of individuals continues to constitute an administrative burden on organisations under the new law. The GDPR tweaks the rules that relate to existing rights to make them more powerful. The dramatically enhanced fining regime now means that organisations have a strong incentive to get things right when it comes to rights. This Workshop discusses the practical effects of the changes to the following rights:
• subject access
• automated decision-taking
• right to object to processing
• right to compensation

Workshop B: Data Protection Impact Assessments – New Requirements and Methodology
Ashley Roughton – Barrister, Venner Shipley

For the first time in European data protection law, impact assessments are now mandatory in many circumstances. This session looks at the practical implications of the new requirements, including:
• understanding when DPIAs must be carried out
• methodology for the effective carrying out of a DPIA
• ways in which a DPIA can add value to your GDPR compliance programme and to the effectiveness or profitability of the organisation
• understanding regulator expectations and recommendations

Workshop C: Compulsory Documentation – What is now Required of Organisations
Jenai Nissim – Legal Director, TLT Solicitors

In contrast to pre-GDPR law, several sets of documents must now be created and be made available in order to demonstrate compliance with the GDPR. This Workshop looks in detail at the requirements of the GDPR in terms of accountability, and provides delegates with the knowledge and tools necessary to achieve compliance in their organisations, including:
• what policies must be drafted, and the necessary content of those policies
• how existing data protection statements and privacy notices need to be altered and extended
• how organisations can raise awareness of data protection in their data protection policies and procedures

Workshop D: Data Protection by Design and by Default – How to Implement an Effective Framework
Bridget Treacy – Partner, Hunton Andrews Kurth

Data protection by design, while not a new concept, is now a requirement under the GDPR. It requires building data protection into the design, operation and management of any project that involves the processing of personal data. Data protection by default refers to the requirement to implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This Workshop provides delegates with practical steps to:
• understand exactly what needs to be changed in the organisation as a result of the design and default requirements
• design an effective framework so that design and default elements are effectively built in
• examine the concept from an organisational, regulatory and technical perspective
• create necessary awareness amongst staff members

Afternoon Workshops (2.00 pm - 5.15 pm)

Workshop E: New Rights and Their Implications for Organisations
Alison Deighton – Partner, TLT Solicitors

The GDPR introduces several new rights for individuals. This Workshop examines these new rights in detail and provides practical advice for organisations on how to handle them. The rights that are considered in this session include:
• right to erasure
• right to restrict personal data processing
• right to data portability
• rights relating to profiling

Workshop F: Outsourcing and Data Processing Arrangements under the GDPR
Peter Given – Legal Director, Womble Bond Dickinson

The GDPR brings important changes to the relationship between controllers and processors, and some data protection obligations now apply directly to processors. Controllers and processors must have in place contractual provisions to ensure legal compliance and appropriate risk allocation under the GDPR. This Workshop analyses the practical implications of the GDPR for outsourcing, including:
• clarification of the distinction between controllers and processors, and their revised relationship under the GDPR
• new responsibilities of processors and the implications for controllers
• the role of sub-processors and how they should be engaged
• the new mandatory contractual provisions and their practical effect
• dealing with data protection liability in contracts

Workshop G: Compulsory Breach Notifications – How To Prepare
Liz Fitzsimons – Partner, Eversheds Sutherland

There is now an obligation to inform supervisory authorities of data breaches in many circumstances. There is an additional, and different, requirement to inform all individuals potentially affected by a breach. The session examines these requirements, including:
• the types of incidents that will trigger mandatory notification to supervisory authorities
• the higher level of seriousness of incidents that will require notification to individuals
• practical advice on how to prepare for possible breach notifications (including incident response plans and opportunities to mitigate risk)
• notifying regulators: what the Information Commissioner’s Office expects of organisations
• how to maintain the compulsory internal breach register
• consequences of failing to notify

Workshop H: Cybersecurity and the GDPR
Manish Soni – Senior Counsel, Macfarlanes

The role of a data protection professional increasingly requires not only being an expert in the law but also being able to readily apply this knowledge in various complex organisational contexts. This Workshop gives data protection professionals the background they need to confidently talk about, and handle, cybersecurity matters, including:
• what exactly is “cybersecurity” and what is the security triad?
• security “incidents” vs. “personal data breaches”
• introduction to cryptography: encryption, at rest and in transit; hashing and salting
• introduction to the ontology of malware and typical cyberattacks: botnets, viruses, worms, ransomware, Denial of Service (and DDoS) and Advanced Persistent Threats (APTs)

BIOGRAPHIES

Kate Brimsted is a Partner at Bryan Cave Leighton Paisner and heads BCLP’s UK Data Privacy and Cyber Security practice. She has 20 years experience in commercial and contentious data privacy and advises clients on the GDPR and cyber security. Kate is familiar with advising on large, complex and multi-jurisdictional IT implementation projects where personal data is central.

Robert Clifford is Head of Data in the Home Office, part of the department’s Digital, Data and Technology command. He has 14 years experience in the fields of information rights and data protection policy advising on sensitive and high profile public policy and privacy matters. Robert is currently dividing his time between leading work to drive digital transformation in government’s approach to data sharing, whilst working with legislative teams on the law enforcement data directive and implementation of the General Data Protection Regulation.

Jenai Nissim is Legal Director at TLT Solicitors. She has extensive experience advising UK and US businesses on European privacy requirements, negotiating multi-national data transfer agreements, handling breach notifications and investigations and undertaking data protection audits. Jenai holds the Practitioner Certificate in Data Protection and recently wrote the ‘Accountability’ chapter of Data Protection - A Practical Guide to UK and EU Law (5th Edition).

Leonie Power is a Solicitor and Director in Fieldfisher’s Privacy, Security & Information Law Group. She provides strategic and practical advice on a full range of data protection issues affecting business operations. She has particular experience advising on privacy issues affecting new technologies and big data.

Ashley Roughton is a barrister of 25 years call, specialising in privacy, cyber