Morning Workshops 

Workshop A:  Sharing Personal Data With Confidence

John Fitzsimons -Barrister, Cornerstone Barristers

Public and private sector organisations regularly share personal data with other third party organisations and joint controllers. However, it’s important to remember that a whole host of detailed data protection obligations are engaged when such sharing takes place. This Workshop provides practical guidance for delegates in relation to sharing personal data, and in particular:

• Dispels common misconceptions about data sharing
• Provides guidance on when it is appropriate to share personal data
• Considers how to ensure that personal data are shared lawfully
• Discusses the considerations involved with one-off disclosures
• Analyses the use of data sharing agreements and best practice for drafting and implementing them
• Addresses what security measures should be in place when sharing personal data
• Explains how to ensure individuals can continue to exercise their data subject rights when their personal data have been shared

WORKSHOP B:  Direct Marketing Masterclass

Peter Given - Associate Partner - EY Law

Direct marketing – whether by email, text, phone or post – is an area fraught with danger for organisations. The frequency and extent of regulatory enforcement in this area is a reminder of the risks for the unwary. This Workshop is run as a masterclass for those wishing to understand the data protection legal requirements around direct marketing, and how to avoid falling foul of the law. The session is highly practical and draws on real life examples and case studies to bring the materials to life. Among other things, the Workshop covers:

• What exactly is direct marketing, and what is the legal framework around it?
• What is the difference between a ‘service communication’ and a ‘marketing communication’ and why does it matter?
• What has happened to the EU ePrivacy Regulation and why should we care?
• Where do organisations get it wrong, and how can we avoid making the same mistakes?

WORKSHOP C:  International Transfers Post-Brexit and Post-Schrems – Where We Are Now

James Clark - Senior Associate, DLA Piper

Since the landmark Schrems II judgment in 2020, there has been considerable focus on the increasingly complex area of international data transfers. The requirement to conduct ‘transfer impact assessments’ can be challenging (perhaps even bewildering) to address in practice, especially when simultaneously rolling out new standard contractual clauses. If that wasn’t enough, from a UK perspective organisations have to understand the ICO’s position on these issues, which is subtly different from the EU position, and of course have to get to grips with the new International Data Transfer Agreement (the ICO’s answer to the new EU standard contractual clauses), as well as the ‘UK Addendum’ to the EU clauses. This Workshop analyses all the relevant developments, from Schrems II onwards, explaining how to implement an achievable and proportionate approach to compliance. Issues covered include:
 

• Re-cap of the implications of Schrems II, and why it remains relevant post-Brexit
• Examining and comparing the various options for data transfer agreements - the ICO’s new ‘IDTA’, the EU SCCs and the UK Addendum
• Transfer Impact Assessments – what are they, how do we do them?
• Key takeaways from the ICO and EDPB guidance.
• Setting up an international transfer programme – how do you operationalise compliance in this area.
• The UK regime post-Brexit – how do things compare with the EU today, and how are they set to change further?

Afternoon Workshops

WORKSHOP D:  Cyber Incident Response - Getting it Right When it Goes Wrong

Philip Tansley - Partner, Osborne Clarke

Cyber incidents give rise to a whole host of issues beyond simply containing the incident and making the necessary regulatory notifications. In this Workshop delegates are taken through a case study based on real incidents and consider the legal and regulatory issues which arise and how to manage them. Topics include:

• Setting the scene – understanding what has happened
• Experts – selection and appointment
• Regulators – what, when and who to notify
• Subject notifications – what to tell people (and what not to)
• Cyber insurance – coverage and tips for managing insurer relationships
• Follow on litigation – what to look out for and how to reduce potential loss

WORKSHOP E:  Reasonable and Lawful Monitoring at Work in the 21st Century

Liz Fitzsimons - Partner, Eversheds

The last two years have seen huge changes in remote working and, as a result, related monitoring of workers and of social media. In particular, new technologies are facilitating increased and more intrusive monitoring, from online recordings, through use of camera and video, to logging activity and workflow. As a result, monitoring and surveillance is an area of increasing regulatory concern. For many organisations, finding the right balance between ensuring appropriate work activity and privacy is increasingly complex. This Workshop helps delegates to:

• Consider the data protection legal issues they need to understand and the risks they should be aware of;
• In particular, address the challenges that are presented by home working;
• Understand the key differences between general monitoring of staff and specific purpose monitoring e.g. for investigation;
• Explore GDPR and related privacy requirements relevant to monitoring;
• Address these requirements and issues in a practical way  

WORKSHOP F:   Implementing a Records Management Programme to Support Data Protection Compliance

John Wilson - Records Management Consultant

Good records management underpins the ability of organisations to meet their obligations under data protection legislation. Therefore, organisations need to have a fit-for-purpose records management programme to ensure the effective and compliant management of the personal data that they hold. This Workshop provides delegates with the tools they need to:

• Make the business case for the implementation or improvement of a records management programme, focusing on the links between good records management and data protection compliance
• Gain and maintain management support for the programme
• Embed good records management across the organisation
• Measure benefits and monitoring compliance