eu gdpr - 12 steps to compliance
SECURE CYBER UNLOCK OPPORTUNITY IRMSECURITY.COM
Revised EU General Data Protection Regulation
12 steps to compliance.
Paul Sexby, Head of Strategic Practice
September 2016
IRM
Whilst the GDPR does not come into force until April 2018, it is important that organisations are properly prepared for these changes in the context of operational need and business risk.
In order to address the requirements introduced in the revised regulation, consider these 12 steps for compliance…
1. EDUCATION & AWARENESS
The EU GDPR introduces changes and possible business impacts that all key stakeholders need to be conversant with.
Get properly briefed and armed with the facts to make accurate, informed and timely decisions.
2. ACCOUNTABILITY
Organisations are required to be able to demonstrate how they comply with the Data Protection Principles.
Ensure you are aware of the data you hold so you can provide details of the personal information you store, process and transmit.
3. LEGAL BASIS
Individuals now have stronger rights that your business has to fulfil.
Be prepared to include ‘legal basis’ for processing within Privacy Notices and have a process in place to respond to Subject Access Requests.
4. CONSENT
Data Controllers must be able to demonstrate that ‘consent’ was given. This could have potentially huge implications for some organisations.
Maintain and retain an ‘audit trail’ and ‘history’ for the life of the data you hold to avoid business disruption.
5. PRIVACY-BY-DESIGN
Whilst this has been implicit within the current Data Protection Principles, the GDPR is explicit that this is a legal requirement.
Where high-risk processing takes place a Privacy Impact Assessment (PIA) will be required.
6. INDIVIDUAL’S RIGHTS
Where organisations are likely to struggle is with having information deleted and with facilitating data portability, though these have to be taken in the context of legal obligations and responsibilities to retain information in accordance with other legal and contractual needs.
Have a clearly defined Data Retention Policy and supporting processes to meet the policy.
7. PRIVACY NOTICES
Most organisations will have to revise their Privacy Notices to incorporate the obligations introduced within the GDPR to address elements such as the ‘legal basis’ for processing and defining data retention periods for personal information.
Make your Privacy Notices CLEAR and UNAMBIGUOUS.
8. SUBJECT ACCESS REQUESTS
Internal business processes and procedures for handling SARs will undoubtedly need to be revised.
Most organisations will no longer be able to charge a fee to comply with an SAR, which will have to be processed within a month (rather than the 40 days currently allowed).
9. CHILDREN
The GDPR requires special protection in the form of ‘consent’ to process children’s personal information.
‘Consent’ has to be verifiable, and where children’s data is collected ‘Privacy Notices’ must be written in a manner that children can understand and comprehend.
10. DATA BREACH NOTIFICATION
This notification is to data subjects and not necessarily the ICO/Regulator – unless there is the potential for identity theft or loss of confidentiality to the individual.
Create and exercise your Data Breach plan to reduce the impact and exposure in the event of a breach. Failure to report a breach could result in a fine, in addition to any penalty that might arise from the breach itself.
11. DATA PROTECTION OFFICER
The latest iteration of the GDPR has stepped back from mandating that ALL organisations must have a DPO.
There is a requirement for “someone” to take ownership and responsibility for ensuring there is effective data protection compliance in place. Do not underestimate the time this function will require.
12. INTERNATIONAL OPERATIONS
In its simplest terms, the ‘Lead Authority’ for investigating a complaint is determined according to where your organisation makes key business decisions regarding data processing; in some cases this may be outside the UK.
Be aware of the locations your data is processed and educate your organisation on the rules and regulations to prepare in the event of a breach.
Organisations that wait for the changes to be finalised and implemented into National Law are unlikely to achieve the requirements in the time frames required.
This will potentially hand an advantage to your competitors.
FURTHER INFORMATION
+44 (0)1242 255200
Paul Sexby
Head of Strategic Practice
Prepare for the EU GDPR with IRM’s EU Data Protection Assessment