
GDPR
Communications Officer Network Meeting
February 2018
What we’ll cover today

1. Introduction to GDPR and the University’s response
   - Felicity Burchett, Council Secretariat

2. Advice for Communications Officers
   - Max Todd, Council Secretariat

3. Q&A session
Introduction to GDPR

Felicity Burchett, Council Secretariat
Content overview

• What is personal data – and why it’s important for us

• GDPR - what’s changing and what it’s all about

• Who this will affect

• How the University is preparing

• What support is available


What is personal data?

Any information that can be used to identify a living person, directly or indirectly, or that relates to them.

What does that mean?

• This could be: a name, an identification number, or location data, like an IP address.

• It could also include other information that leads to an individual being identified (which could be physical, genetic or cultural).

More care needs to be taken with sensitive personal data, e.g. health data, religious beliefs.
Why data privacy matters to us

• We care: we are responsible for handling people’s most personal information

• This is an opportunity to make privacy central to what we do

• By not handling personal data properly we could put individuals at risk and the University’s reputation at stake

• Getting it wrong could result in significant fines

• We need robust systems and processes in place to make sure we use personal information properly and comply
Overview
What?
The General Data Protection Regulation (GDPR) is a European
law that will replace the current Data Protection Act.

The UK government will still implement the rules after Brexit.

Why?
The aim is to strengthen and unify personal data protection for
all individuals living in the European Union.

Who?
The Information Commissioner’s Office (ICO) will lead on GDPR
in the UK and will hand out penalties for organisations who are
in breach of the new law.

When?
It will come into force on 25 May 2018
What’s changing?

Many GDPR principles are similar to those in the current Data Protection Act.

There are also new and strengthened requirements for how we protect people’s data.

Changes include:

• new rights (e.g. ‘right to be forgotten’)
• greater emphasis on transparency and record-keeping
• mandatory data breach reporting
• much larger fines for when organisations get things wrong

We also need to remember the Privacy and Electronic Communications Regulations (PECR) for electronic marketing
What is data privacy all about?

• Being open with people about how we use their information

• Not keeping their information longer than necessary

• Making sure it is accurate

• Making sure that it is safe

• Knowing what information we’ve got and what we can do with it (e.g. sharing)

• Recognising a breach and knowing what to do


Who does this affect?

All of us: we all have a responsibility to keep people’s information safe.

Particularly those involved in:

• Student administration
• HR
• Development and alumni relations activities
• Research involving personal data and/or human participants
• Finance
• IT
How is the University preparing?

• University-wide improvement programme underway

• Core group with representatives from each division and key services

• In addition to University-wide initiatives, improvements are being taken forward locally, for example, system improvements

• Step by step approach

• Currently, working with departmental administrators to create registers of the personal data
  – depending on your role, you may be asked to take part in creating your department’s register
What support will I get?

• Web pages with up-to-date information and FAQs

• Other guidance/tools being developed, e.g. guidance on how to identify breaches and what to do next

• There are “hub contacts” for divisions, departments and sections

• Updates via these contacts and/or the Information Compliance Team between now and May

• Training sessions planned for key data handlers


Communications and GDPR

Communications about the GDPR Project

- Currently being managed by the GDPR Core Group

- Specific tasks at this stage, related to the data register and other compliance activities

- There will be a wider campaign and training further down the line, which will require some communications input

- Speak to your Departmental Administrator before doing any communications at this stage

- We will let you know when there are opportunities to get involved
Managing the impact of GDPR on the communications community

- Divisional Hub Contacts responsible for data within divisions and departments in general, working with Departmental Administrators

- Functional leads also working across the University focusing on key professional communities:
  - HR, student data, development etc.

- Communications is one of these functions

- Consultation through Communications Leads group

- Further guidance and support to follow


Communications Leads Group

AAD - Dan Selinger
PAD - Annette Cunningham
Medical Sciences - Alison Brindle
MPLS - Kirsty Heber-Smith
Social Sciences - (Tanya Baldwin)
Humanities - (Karen Brill)
ContEd - Gail Anderson
GLAM - Susannah Wintersgill
DevOff - Suzy Ingram
Finance - Laura Cooper
Estates Services - Sarah Walton
IT Services - Lisa Mansell
Personnel Services - Meghan Lawson
Advice for Comms Officers

Max Todd, Council Secretariat
GDPR and Communications
External communications/marketing
• Student recruitment
• Outreach
• Departmental/Institutional marketing
• Public engagement
• Media Relations
• Alumni Relations
• Fundraising

Internal communications
• Current students
• Staff
External Communications - Main issues

• Legal basis for processing

• Different rules for marketing by (i) email/text; (ii) phone; (iii) print

• Definition of consent

• Compliance strategy for existing contacts
Legal basis for processing

Must have a lawful basis for processing, i.e. a legitimate reason for using personal data

Two options for external marketing:

• Consent

• Legitimate interests
Consent vs Legitimate interests

• We can rely on legitimate interests for print communications only and for holding the data in the first place

• Consent is necessary for marketing by email or text

• Mixture of legitimate interests and consent for marketing calls
Legitimate interests

• Suitable basis when we use people’s data in ways they would reasonably expect and which have minimal impact on their privacy

• GDPR specifically recognises direct marketing as an example of a legitimate interest

• Required to balance our interests against the rights and interests of the individual
Legitimate Interests Assessment (LIA)

Must carry out a LIA in order to demonstrate compliance (accountability principle). 3-part test:

1. Purpose: What is our legitimate interest?
2. Necessity: Why do we need to process personal data to achieve it?
3. Balancing of interests: Do the individual’s interests override the legitimate interest?

One LIA for key activities within your area


Privacy and Electronic Communications Regulations (PECR) - Scope

• Provides rules for unsolicited direct marketing by electronic means (email, text, phone)

• Unsolicited: not specifically requested

• Direct marketing: targets particular individuals

• Marketing is not limited to commercial marketing (sale of goods and services)

• Covers any advertising and promotional material, including that promoting the aims of not-for-profit organisations, such as HEIs
Rules of PECR - Emails/texts

• Prior consent required for e-mails or texts sent to individuals

• Every email/text must have a valid address to enable the individual to opt out/unsubscribe

• PECR does not apply to business-to-business emails/texts
Rules of PECR - Calls

• No calls to people registered with the Telephone Preference Service (TPS) or those who have otherwise objected

• Can only call a TPS number with specific prior consent

• OK to call non-TPS numbers but DPA/GDPR applies, i.e. the person must be aware we have their number and intend to use it to make marketing calls
Consent under GDPR and PECR

• Specific, informed, freely given (genuine choice)

• Requires positive action, i.e. opt-in

• Failure to opt out is not consent

• Granular: separate consent for distinct activities

• Consent under PECR must be specific to the sender of marketing (college/University/department) and to the method of communication (email/text)
Methods of obtaining consent

• Tick box

• Signing a declaration/form

• Sending an email

• Selecting Yes/No options

• Oral statement

Whichever method is used, GDPR requires us to keep evidence of consent (accountability)
Strategy for existing contacts

1. Do I need consent under PECR? (Am I sending marketing emails?)
   - No: send non-marketing email as usual
   - Yes: go to 2

2. Do I already have valid consent (specific, informed, opt-in)?
   - No: draw up programme to collect valid consent + evidence
   - Yes: go to 3

3. Can I provide evidence of that consent?
   - No: draw up programme to collect valid consent + evidence
   - Yes: send marketing email
Existing contacts – Assess level of risk

• What happens if I can’t get consent by 25 May?

• Depends on level and type of engagement

• Risk will be lower where there is evidence of engagement, particularly by email, e.g. opening emails, responding to emails

• Risk will be higher for those who have engaged in other ways (updating paper contact details, attending events, making donations)

• But the latter group may be amenable to opting in
Existing contacts – Stop bad practice

Identify and eliminate any bad practices NOW

• Sending emails to people who have opted out

• Sending emails with no opt-out

• Buying marketing lists without due diligence, i.e. without checking whether people gave consent to marketing from OU

• Sending emails to those who have opted out to ask whether they would like to opt in
What happens if there is a complaint to the ICO?

• ICO take a risk-based approach to enforcement

• Many worse offenders under PECR

• But even a minor complaint will allow the ICO to examine our policies and procedures

• They will look for evidence that we understand the rules and have plans to achieve compliance

• Don’t panic, but no complacency either


Individual rights

• Right to withdraw consent at any time – implicit under DPA; explicit under GDPR

• Right to ask for erasure of data if consent withdrawn (right to be forgotten)

• Unconditional right to object to processing for direct marketing under DPA/GDPR

• Must comply with objection within one month
Internal communications - 1

Q1. Do we need consent?

A1. No – not marketing (or not the main purpose), so PECR does not usually apply. Can rely on legitimate interests and/or contract as basis for processing. LIA necessary for the former.

Q2. Is an opt-out necessary?

A2. No – PECR does not apply. Minimal impact on privacy.
Internal communications - 2

Q3. What should we do if someone objects?

A3. GDPR grants a right to object to processing based on legitimate interests. The person would need to demonstrate harm rather than mere irritation. Consider on a case-by-case basis. Refer to ICT in difficult cases.

Q4. Do we need consent for use of tracking software?

A4. No, but we need to tell staff and/or students that we use it.
Next steps

- These slides will be shared after today’s event

- Speak to your DA before communicating about the GDPR project

- If you have a query about how GDPR will impact you, speak to your DA in the first instance (University only)

- If you have any further concerns, or very specific communications questions, speak to the relevant member of the Comms Leads group

- We will keep you posted about the project as it develops
Event for PR professionals in Oxford

- Data: The Good, the Bad and the GDPR

- Monday 5 March 2018, Jericho Tavern

- Speakers:
  - Jon Gerlis, Senior Policy Officer, CIPR
  - Diego Bironzo and Nadin Vernon, PRIME Research
  - Piers Schreiber, former VP of Corporate Communications at Jumeirah Group

- Find out more and sign up at www.publicrelationsoxford.co.uk/events
Questions and answers

Dan Selinger, Academic Administration Division
Charlotte Dewhurst, Development Office
Felicity Burchett, Council Secretariat
Max Todd, Council Secretariat
