CPD Hours Level
Conference expert panelInformation 6 UpdateInformation
SRA Competency B


With GDPR now in effect, this conference chaired by Robert Bond (Bristows LLP) examines, with the benefit of six months’ hindsight, what the problems and pitfalls have been and what lessons have been learned.

Conference Agenda

This conference will cover the following:

9.30am - 10.15am: Managing Data Subject Rights and Requests

Chair: Robert Bond, Bristows

This session will cover the provisions of GDPR which relate to data subject rights, comprising SARs and other rights and the implications of not complying with them and includes:

  • Subject access requests
  • Right of erasure
  • Right to data portability
  • Right to prevent automated decision making and profiling
  • Other rights
  • The cost of non-compliance

10.15am - 11.00am: Data Protection Impact Assessments

Keith Markham, Keith Markham Limited

One of the key requirements of the GDPR is the requirement for organisations to carry out data protection impact assessments (DPIAs) in certain circumstances. Under the previous rules there was no such compulsory requirement and therefore many organisations will not have any previous experience of what a DPIA entails. Failing to carry out a DPIA when required to do so could lead to enforcement action.

This session summarises the key provisions relating to DPIAs and will include:

  • What is a DPIA?
  • How is a DPIA different from a Privacy Impact Assessment?
  • When is a DPIA required?
  • What should be reviewed as part of a DPIA?
  • In what circumstances will organisations need to consult with the ICO?

11.15am - 12.00pm: Age Verification for Online Services Offered to Children

Richard Hodgson, Design Chambers

Under the GDPR, online services ‘directly offered’ to children are subject to additional mandatory safeguards. One of these is establishing the age of the purported user.

The practical problem is trying to establish the actual age of the would-be user by methods that are not likely to put off the child or the person with parental responsibility but which will remain an effective, easy to use and cost-effective solution for the online service provider. This session will consider some of the age verification means that have been used and guidance and proposals from regulators including the ICO and the BBFC (the British Board of Film Classification).

This session will cover:

  • The requirements of the GDPR in respect of children, including consent issues
  • At what age can a child give data protection consent in the UK? Is it the same in the rest of the EU/EEA?
  • When might an online service be held to be ‘directly offered’ to children?
  • Can an online operator in practice safely rely on a basis other consent to circumvent age verification problems?
  • An account of some online age-verification methods - their potential benefits and disadvantages
  • A brief account of the BBFC age verification guidance: Suitable for GDPR purposes?
  • Exemptions to the need for age verification
  • If a child can give data protection consent without parental authorisation, might this in practice have any effect on the age requirements for the validity, formation or effect of a contract?

12.00pm - 12.45pm: The ‘Right to be Forgotten’ Under the GDPR

Aidan Eardley, One Brick Court

The use of data protection law to control the dissemination of embarrassing or out-of-date material was a late and controversial development under the Data Protection Directive and the DPA 1998.

How will such attempts fare under the GDPR and the DPA 2018?

This session will cover:

  • The old and new regimes contrasted
  • To what extent are the decisions in Google Spain and NT1/NT2 v Google reliable guides to how things will work in the future?
  • Latest case law and guidance
  • Practical steps for a client who is seeking to have their data erased
  • Practical steps for a client faced with an erasure request

12.45pm - 1.00pm: Questions on Morning Session

2.00pm - 2.50pm: Transferring Personal Data Out of the EU/EEA - Some Forthcoming Problems?

Richard Hodgson, Design Chambers

Generally under the GDPR, any transfer of personal data to a third country (non-EEA) or to an international organisation can only take place if the conditions set out in its Articles 44 to 50 are complied with by the Controller and Processor.

Under the Data Protection Act 1998, much use was made of EC-approved Standard Contractual Terms (formerly Model Terms) to regularise and simplify such transfers. For transfers to the USA, the EU-US Privacy Shield was widely employed. The Shield replaced the discredited Safe Harbor mechanism and its underlying EC Decision which had been declared invalid by the European Court of Justice (CJEU).

This session will cover:

  • The present position of Data Protection Standard Contractual Clauses (SCCs)
  • Some of the perceived weaknesses of SCCs. Might their use for some countries be more problematic than for others?
  • The forthcoming CJEU challenge to SCCs
  • The EU-US Privacy Shield and its current implementation and operation in the USA. Its actual and apparent weaknesses. Might the Shield also be successfully challenged?
  • The UK's GDPR position post-Brexit

2.50pm - 3.40pm: Preparing For and Responding to Data Incidents

Robert Bond, Bristows

This session covers the whole process of the data incident, from identifying the problem issues in advance and designing policies to prevent and manage them through to minimising the fall-out on the reputation front and includes:

  • Recognising internal and external threats
  • Developing proactive threat prevention policies
  • Understanding breach reporting requirements
  • Managing the breach and the reputational issues
  • Implementing an incident response policy

3.55pm - 4.45pm: Post GDPR - Enforcement and Compensation Update

Keith Markham, Keith Markham Limited

Since the 25 May, the ICO can fine organisations up to 20 million euros or 4% of global turnover whichever is the higher. This session will review examples of enforcement action that have taken place since the GDPR came into force, with particular emphasis on data security breaches. Relevant examples of compensation will also be discussed.

This session will include:

  • Summary of enforcement powers
  • Details of recent enforcement examples
  • ICO guidance on reporting and dealing with security breaches
  • Latest position on awards of compensation
  • Practical steps to limit risk

4.45pm - Close: Questions & Answers

Book now

Added to basket

Conference | 06.11.2018

London | 9:30am - 5:15pm

GDPR 6 Months On - 2018 Conference

Continue Shopping
9:30am - 5:15pm
Prices (ex VAT)
Plan Information
Ticket Information
Group bookings
Discounts are available for multiple conference places. Please telephone 0161 793 0984 or information@mblseminars.com for details.
Can’t Make the Date?

Please let us know if you wish to be notified when new dates are added for this programme

Related Events