ITVP (Final) [Part 2] GDPR - All Hands


Patrick Burton

on 4 October 2018


Transcript of ITVP (Final) [Part 2] GDPR - All Hands

Everyone at Warner Bros. has a responsibility to help protect and safeguard data
Example Privacy Notice
Stages of Production
Sharing personal data
WB Production Road
For consent to be valid, it must be:

Freely given



Unambiguous and affirmative
Examples of when we may need to obtain consent:

Processing RPII (e.g. conducting criminal record checks and reviewing medical reports from doctors/psychologists)

Sending marketing communications

The Privacy Protocol is a guide we have developed to help you when handling personal data. It covers:

Journalism exemption

Obtaining consent – when and how



Sharing, security and storage

GDPR basics

Privacy Protocol

Gaps and addressing risks





Don’t share personal data with any third party without considering the following:

Why you are sharing it

Whether you can achieve the same objective without sharing it or by sharing less personal data

Whether we have been transparent about the way we will share it

The potential benefits vs risk to the individuals

Vol XCIII, No. 311
ITVP Casting and Production

We can only keep personal data for as long as necessary for the purposes it was collected

Example retention periods for Production as per the WB Records Retention Schedule:


Unsuccessful applicants - 3 years

Contributors featured in the programme - for as long as the show is being broadcast (this may be a long time)

Historic casting databases


CVs of unsuccessful applicants - 6 months

Employee files - termination of employment + 12 years

Security & Storage
Keep personal data secure:

Check attachments before sending so you are not inadvertently sharing personal data (e.g. sending completed documents)

Consider password protecting documents, especially those containing RPII

Limit access to documents containing personal data to those who require it

Consider pseudonymising (e.g. when sending applicants’ personal data to broadcasters)

Shred any unnecessary paperwork with personal data when no longer needed and in any event, at the end of the production process

Be extra vigilant when travelling; don’t leave documents on tubes, buses or trains

Runners – keep a log of what documents are being transported and where

When on location, back up all media immediately onto an encrypted external hard drive

Security cont.
Be careful when discussing personal data in public – can you be overheard?

If sending a casting call to a large group via email, ensure you ‘BCC’, never ‘CC’

WhatsApp is not WB approved, but if you do use it, do so ONLY for logistics purposes.

Never include any RPII

Screenshot any problematic messages for our records and conduct any further communication over email

Keep contributor contacts separate by adding WB/name of the production at the beginning of their name

At the end of a production:

If there are any relevant business communications, provide the production office with a copy

Delete all correspondence

Delete contributor contacts

Development & Research



Casting - Applications
Filming in Public

When sending materials (e.g. to editors, broadcasters):
Use a WB approved tool


Legal will review the relationship with the broadcaster and amend the broadcaster agreement accordingly.

Please reach out to us if you receive any new agreements from broadcasters.

Provide contributors with notice and obtain consent when collecting RPII in forms, for example:

Personal disclosure form
Psych/Medical assessment forms
Criminal records disclosure form

Updated DP wording in contributor agreement:

Provides notice of how we use contributor’s personal data
New second signature block to obtain consent to process RPII

Crew management
Updated data protection language in crew agreements
Now refers to the new Productions Data Protection Policy (provides notice on how we process a crew member’s personal data)

Filming notices must be displayed
You may collect information available in the public domain (e.g. in newspaper articles, public social media accounts):

Invite them to apply or permanently delete

Working with third party service providers (e.g. consultants, genealogists or archivists):

They must obtain consent from the individual and ensure they comply with all the data protection laws.

We need to do a Privacy Impact Assessment (PIA) whenever there is processing of personal data that could be deemed “high risk”.

A PIA helps to identify and manage privacy risks, and to think about how best to minimise the impact on individuals’ rights.

Examples of when to carry out a PIA:

Filming using drones over private property

Processing DNA (e.g. Long Lost Families)

Using high volumes of minors’/vulnerable people’s personal data (e.g. substance abusers)

If you plan to track people, including crew

Asking people for details of their sexual history/preferences (e.g. First Dates Hotel)

Filming in locations where there is a higher expectation of privacy (e.g. prisons, hospitals, care homes)

Casting - Applications (Without use of a tool)
Only in exceptional circumstances. You will need to ensure:
A Privacy Notice is provided
Consent is tracked (e.g. DP or marketing consents) and recorded in a searchable record

Email casting -
Set up email bounce back message directing applicants to the privacy notice

Flyers -
Similar wording to bounce back message will direct applicants to the privacy notice

Unsolicited messaging -
Only in exceptional circumstances

First do further casting on social media pages and advertise in the relevant places
Keep message brief and to the point to ensure it’s not a marketing communication
Individual must have already ‘liked’ or ‘followed’ the programme page
Send direct messages only from the programme’s official social media accounts, to the individual by private message
If finding contact details online (e.g. soccer club) try to call first to see if they are interested (check TPS).

Casting - Applications (Tool)
- must have a legal basis for the processing

- tell people what we will do with their data

- only use the data for the purposes described in our notice (e.g. not using an applicant's personal data for one programme to cast them for other programmes unless they have agreed to this)

Data minimisation
- only collect what is relevant and necessary

Most personal data will be collected at this stage

Don’t collect more than you need

Be transparent – ensure a privacy notice is provided

WB privacy notice explains:

How we use an applicant’s personal data

The legal basis we rely on

Details of how we store data and for how long

Who we share it with

How an individual can enforce their data rights


Casting Tool - BOTS/ eTribez/ other WB approved tool

Marketing consent guidance note (tracks consent automatically)

Online privacy notice

The ITVP Casting Process was identified as a high risk area for GDPR compliance

No consistent process - different methods of collection in use across the territories

No common tools - both manual and system based
WB wanted a standard approach to be used on all productions to ensure data compliance

Flexible solution to meet the creative needs of the production

Risk based decision tree to determine whether system is required

WB approved platforms: eTribez or Be On The Show (BOTS). Other candidates possible after InfoSec and Contract review

Must follow Legal guidelines for 3rd Party or manual casting processes
Discovery Findings & Solution
Determine whether a tool is required
Casting Solution
3. Casting Solution
If a Manual Casting approach has been approved, data should be handled in line with the casting protocol outlined by Legal.

Particular attention should be given to the following when setting up a manual casting process:

Organised to allow quick and accurate processing of Subject Access Requests (SARs), Deletion of PII data, Restricted processing of RPII

Store RPII in an encrypted drive

Must track candidate consents and which version has been consented to

The Manual Solution
2. Assess Risk
1. New Format
Records Management
Deleting, Recycling or Shredding:
Which of the following is an example of a data breach incident you must report to InfoSec?

A) A lost laptop, USB or other mobile device

B) Any suspicion of a virus or warning on a computer or mobile device

C) Any other suspicious or unusual event involving Warner Bros. data, facilities or systems.

D) All of the above
Which documents should not be deleted immediately?

A) Expired documents

B) Unnecessary works in progress

C) Junk

D) Legal Hold

Which of the following is restricted information?

A) Job Title

B) Marital Status

C) Social Security Number

D) Work Address
What does RRS stand for?

Who do you call to report an incident?

A) Infosec

B) Jimmy

C) Helpdesk