GDPR – what is it?
A new data protection framework which puts individuals back in control of their personal data.
ICO 12 steps to GDPR compliance
1. Awareness
2. Document the personal data you hold
3. Communicating privacy information
4. Individuals' rights
5. Subject access requests
6. Lawful basis for processing personal data
7. Consent
8. Children
9. Data breaches
10. Data protection by design and default
11. Data Protection Officer
12. International
Watch the video here… www.moneyinfo.com/Videos/GDPR12Steps
Step 1: Awareness
Make sure key people in your organisation are aware that the law is changing. Get a team together involving compliance, HR and key decision makers and look at what needs to be done before 25 May 2018, when the GDPR applies.
Step 2: Document the personal data you hold
• What information do you hold?
• What is its purpose?
• Where is it stored?
• Where is it shared?
Information Asset Register

Owner             Who is responsible for this information asset?
Name              A way to identify the information asset.
Description       What the information asset is and what it records. Specifically note if it contains
                  personal or sensitive (special category) information.
Format            e.g. SQL database, Excel spreadsheet
Purpose           Why you hold this information and what it is used for.
Location          Where is the information stored?
Security          How is the information secured? e.g. access controls, encryption at rest and in transit,
                  backups
Users             Who has access to this information asset?
Retention period  How long is the data kept for, and why?
Risks/Impacts     What would be the impact of losing the information asset? Consider loss of
                  confidentiality (i.e. a data breach), loss of availability and loss of integrity.
                  What would be the cost of replacing the information?
External sharing  Is this information shared externally with any third parties?
Lawful basis      What is your basis for processing this information? e.g. consent, legitimate interests
Step 3: Communicating privacy information
“a concise, transparent, intelligible and easily accessible form, using clear and plain language…”
ARTICLE 12
Step 4: Individuals’ rights
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure (the “right to be forgotten”)
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making, including profiling
Step 5: Subject access requests
“Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
RECITAL 63
Step 6: Lawful basis for processing personal data
• consent
• necessary for the performance of a contract
• compliance with a legal obligation
• to protect the vital interests of a data subject
• performance of a task carried out in the public interest
• legitimate interests
DETERMINE WHAT IT IS AND DOCUMENT IT
Decide on the basis before the processing starts, record it in your information asset register and state it in your privacy information.
Step 7: Consent
When capturing consent “…include:
• the name of your organisation;
• the name of any third party controllers who will rely on the consent;
• why you want the data;
• what you will do with it; and
• that individuals can withdraw consent at any time.”
INFORMATION COMMISSIONER’S OFFICE
Step 8: Children
Where you offer online services directly to a child below the age threshold (16 under Article 8 of the GDPR, which member states may lower to no less than 13), gain consent from someone with parental responsibility.
Apply the consent rules when capturing and recording that consent.
Step 9: Data breaches
Has personal data been:
• lost?
• destroyed?
• corrupted?
• disclosed?
RECOGNISE → INVESTIGATE → NOTIFY → MITIGATE
Where a breach is likely to result in a risk to individuals’ rights and freedoms, notify the ICO without undue delay and within 72 hours of becoming aware of it; where the risk is high, also tell the affected individuals without undue delay. Keep a record of every breach, including those you decide not to report.
Step 10: Data Protection by Design and Data Protection Impact Assessments
“In order to be able to demonstrate compliance with this regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”
RECITAL 78
A Data Protection Impact Assessment is required where processing is likely to result in a high risk to individuals, and must contain at least a:
“… description of the envisaged processing operations… …assessment of the necessity… … assessment of the risks to the rights and freedoms of subjects… …measures envisaged to address the risks…”
ARTICLE 35
Step 11: Data Protection Officer
You need to appoint someone in your organisation, or an external adviser, who has the knowledge, support and authority to take responsibility for your data protection compliance.
Appointing a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data; a DPO appointed voluntarily is held to the same requirements.
Step 12: International
If you operate in more than one EU member state, determine your lead supervisory authority: the authority for the member state in which your main establishment makes the decisions about the processing.
The do’s and don’ts for keeping data safe
• Data Access
• Data Quality
• Data Privacy by Design
• Secure communications
• Subject Access Requests
• Data Portability
How can technology help?
@moneyinfotech
www.moneyinfo.com