Sales Ended

Multiple Dates

Carson McDowell GDPR seminar series - Putting The Pieces Together

Event Information

Share this event

Date and Time



The Factory, The MAC



United Kingdom

View Map

Event description


Carson McDowell has created a series of five GDPR workshops covering a range of areas starting in January 2018. These events, which will take place in the months leading up to the implementation of GDPR, will provide in-depth advice on the specific changes required and help you to create and implement an appropriate action plan.

We aim to give you a flavour of what the GDPR changes, which come into effect on 25th May 2018, will mean for your organisation. Our panel will highlight the risks surrounding personal information and how to mitigate them, as well as the steps needed to comply with the new Regulation.

Workshops Series

18 January - Notification of personal data breaches and fines

From a high level perspective, one of the key differences which is going to be introduced by the GDPR is a legal obligation to report certain types of data breaches to a relevant supervisory authority as well as (in certain circumstances) an obligation to notify individuals affected by the data breach. This is a departure from the current data protection regulations which do not impose a strict legal obligation to report personal data breaches.

With regards to fines, the potential fines which can be levied against an organisation in breach of its obligations under the GDPR are much more significant than under the current data protection regulations, with an infringement being capable of attracting a fine of up to 2% of total global annual turnover or €10m (whichever is the higher).

15 February - High risk processing and Data Protection Impact Assessments

* Please note that registration for this session commences at 9am on account of our Key Note Speaker (Rt. Hon. Lord Justice Stephens)

The GDPR imposes stricter requirements on controllers that engage in so called ‘high risk’ activities. For activities not considered ‘high risk’ controllers must still adopt measures appropriate to the risk level of the activity. But for those activities that are ‘high risk’ an organisation may be required to consult with a data protection authority and conduct a detailed privacy impact assessment before engaging in such an activity. Significantly, if a high risk data breach occurs, an organisation might also be required to notify potentially affected individuals. High risk processing activities are those that rely on new technology and are ‘likely to result in a high risk for the rights and freedoms of individuals’.

We will provide a step by step guide as to what your heightened requirements are for high risk activities and take you through a privacy impact assessment. We will deconstruct ‘risk’ and take you through examples of what a high risk activity is and illustrate how you can employ a risk analysis approach. We will arm you with a tool kit as to what your obligations are and explain when you might have to, ‘consult pre-processing’ or ‘notify - after the event’, the relevant supervisory authority. Finally, we will identify some action that you can take to mitigate high risk activities so that you can reduce the burden of the high risk requirements.

With our colleagues and workshop series we will ensure you are GDPR ready.

21 February - GDPR and employers

With GDPR coming into force on 25 May 2018 we will be looking at the GDPR obligations of organisations from an employment perspective to ensure that employers will be GDPR compliant. All organisations will need to be aware of the increased need to protect personal data as well as the potential fines, negative publicity and legal action that could potentially result following a data breach.

We will provide an overview of the GDPR and the role of the Data Protection Officer. We will also offer practical advice to organisations on their specific GDPR obligations from the recruitment of employees through to the retention of records for leavers.

15 March - Consent

Organisations will be familiar with the requirement under current data protection legislation to obtain an individual’s consent to process their personal data. The General Data Protection Regulation introduces a number of new requirements in relation to consent. In addition to the existing requirement that consent is freely given, specific and informed, consent must now be “unambiguous” and given “by a statement or clear affirmative action.” Consent, as a legal basis for processing, will be harder to obtain as greater specification around what is meant by consent has brought with it more detailed and onerous obligations.

In this workshop we will be taking a closer look at:
(i) The requirements for obtaining consent under the GDPR;
(ii) The rights of individuals to withhold consent; and
(iii) The processes you should consider adopting to ensure you are compliant with the new requirements.

19 April - Profiling and Transparency

The concept of transparency is not new to data protection legislation, as the current law already requires organisations to be open and honest about the ways in which they use information about individuals. However, the GDPR places an increased emphasis on transparency, requiring data controllers to process all data ‘lawfully, fairly and in a transparent manner in relation to the data subject’. As a result of the strengthened transparency requirement, data controllers will be obliged to comply with an expanded list of information to be made available to data subjects, as well as ensuring that such information is provided in clear and plain language, in writing and in easily accessible form. To ensure compliance with transparency obligations in the GDPR, data controllers may need to take steps to tailor their communications with data subjects (and keep these communications up to date) so that data subjects understand not just how a data controller handles information generally but how their personal data is held and processed. Data controllers need to be aware that observing the transparency obligations under the GDPR isn’t a one-off task but rather should form part of an organisation’s ongoing compliance with the new legislation.

We’ll take a closer look at:

  • What information does the GDPR require data controllers to make available to data subjects?

  • Updating privacy policies and statements.

  • How can data controllers integrate transparency compliance into their day-to-day operations?

Since the last significant overhaul of data protection legislation, there has been an abundance of technologies which allow data controllers to gather personal data and analyse it for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions such as target marketing, price differentiation, and so on. Whilst this form of “profiling” or “target marketing” is referred to by current law, it’s not specifically provided for or regulated and the GDPR is the first serious attempt of the legislature to do so. As such the GDPR will give individuals significant rights to avoid profile-based decisions being made about them and will restrict the extent and manner in which we are all subject to profiling, particularly in relation to our on-line activities.

We’ll take a closer look at:

  • The types of activities which will fall within the definition of profiling.

  • The rights of individuals in relation to profiling.

  • The ways in which profilers will be restricted.

  • The requirement for impact assessments for those who use profiling.

If you would like to attend please register for the seminars to confirm your place or email for more information.


The Factory, The MAC



United Kingdom

View Map

Save This Event

Event Saved