
Page 1: Getting ready for GDPR - dpo-summit.com (dpo-summit.com/wp-content/uploads/sites/239/2017/05/Peter-Galdies.…) · Getting ready for GDPR, Peter Galdies, Development Director, DQM GRC

Getting ready for GDPR Peter Galdies, Development Director, DQM GRC

www.dqmgrc.com

Page 2

About DQM GRC

• Formed in 1996 to protect the commercial rights of data providers

• Providing security and data protection solutions and advice for 20 years

• GDPR Radar – our unique assessment process

• Working with large data owners (CRAs, telcos, retail, charities, publishers)

• 25 GDPR assessments in the last year – on-site, interview based.

• Peter: co-founder; 15 years previously in data processing in marketing environments. 36th year in data!

Page 3

The Workshop

• 3 hours…

• Interactive

• I hate presenting – but I do like talking!

• Slides are “text rich” for you to use after

• Ask lots of questions – break in as often as you like.

• Disagree – if I’m wrong then tell me.

• Let's talk about it.

• Breaks

• Basic Self Assessment

• Aim to finish early so we can end with a general Q&A

Page 4

The Agenda

• GDPR Reminder

• DQM GRC Findings

• Fundamentals for any successful programme

• 12 Building Blocks – with 4 breakout sessions

• Q&A

Page 5

GDPR Reminder & Timeline

Principles for processing personal data (Article 5) – personal data shall be:

• processed lawfully, fairly and in a transparent manner

• collected for specified, legitimate and explicit purposes and not processed in a way incompatible with them ("purpose limitation")

• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed ("data minimisation")

• accurate and, where necessary, kept up to date ("accuracy") – take every reasonable step to erase/rectify inaccuracies without delay

• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed ("storage limitation")

• processed in a way which ensures appropriate security of the data ("integrity & confidentiality")

Page 6

GDPR Reminder & Timeline

• Stricter conditions for consent to processing data

• Need to maintain records of processing

• Wider subject access rights

  • Right to restrict processing

  • Right to erasure

• Privacy Impact Assessments

• The controller shall be responsible for and able to demonstrate compliance ("accountability" principle)

Page 7

GDPR Reminder & Timeline

• 4% of Global Turnover for breaches of CONSENT + other basic processing principles

• 2% for breaches of other articles

• Ability to claim damages

• Possibility of “Class Actions”

• Costs of Communication/Notification

Page 8

GDPR Reminder & Timeline

25th May 2018

Page 9

It’s not just GDPR… E-privacy 2

• In proposal – but on an accelerated timescale to “go live” alongside GDPR

• Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, etc

• Stronger and one single set of rules across the EU.

• Communications content and metadata (e.g. time of a call and location)

• Simpler rules on cookies: new rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. No consent is needed for non-privacy-intrusive cookies that improve the internet experience (e.g. to remember shopping cart history).

• Protection against spam: proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent.

• Big impact on digital advertising – i.e. re-targeting/re-marketing

• IDs, digital “fingerprints” and IP addresses may all be regarded as personal information

• More effective enforcement – same punitive regime as GDPR

Page 10

GDPR Key Focus Areas

Key GDPR Focus (columns):
(1) Compliance Documentation & Policies
(2) Data Retention & Disposal
(3) Right to Erasure
(4) Data/Information Security & Access
(5) Data Breach Management & Notification
(6) Collection Notices, Permissions & Privacy Policy
(7) Training & Awareness
(8) Third Parties/Data Sharing (inc contracts)

Client   (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)
1        Yes  No   No   No   No   No   Yes  Yes
2        No   Yes  Yes  No   Yes  Yes  Yes  Yes
3        No   Yes  Yes  Yes  No   Yes  Yes  Yes
4        Yes  Yes  Yes  Yes  Yes  Yes  No   Yes
5        Yes  Yes  Yes  Yes  No   Yes  Yes  Yes
6        Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
7        Yes  Yes  Yes  Yes  Yes  Yes  Yes  No
8        Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
9        Yes  No   Yes  Yes  Yes  Yes  Yes  Yes
10       No   Yes  Yes  Yes  Yes  Yes  Yes  No
11       Yes  Yes  No   Yes  Yes  Yes  Yes  Yes
12       No   Yes  Yes  Yes  Yes  Yes  Yes  No
13       No   Yes  No   Yes  No   Yes  Yes  Yes
14       Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
15       Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
16       No   Yes  Yes  Yes  Yes  Yes  Yes  No
17       Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes

Page 11

GDPR Key Focus Areas cont…

Key GDPR Focus (columns):
(1) Data Audit, Accuracy & Quality Management
(2) PIA & PBD
(3) Records of Processing
(4) Information Risk Register & Assessments
(5) DSARs
(6) Role of the DPO
(7) Data Transfers
(8) International Data Transfers
(9) Data Governance Resource & Board

Client   (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)  (9)
1        No   No   No   No   No   No   No   No   No
2        Yes  Yes  Yes  Yes  Yes  No   No   No   No
3        No   No   No   No   No   No   Yes  No   Yes
4        Yes  No   No   No   No   No   No   No   No
5        No   No   No   No   Yes  No   No   No   No
6        No   Yes  No   No   No   No   No   No   No
7        Yes  Yes  No   No   No   No   No   No   No
8        No   Yes  No   Yes  Yes  No   No   No   No
9        No   Yes  No   No   No   Yes  No   No   No
10       No   Yes  Yes  No   Yes  No   No   No   No
11       No   No   No   No   No   No   No   Yes  No
12       Yes  No   No   No   Yes  No   No   No   Yes
13       No   No   Yes  No   No   No   No   No   Yes
14       Yes  No   No   Yes  Yes  No   Yes  No   No
15       No   Yes  No   No   Yes  No   Yes  No   No
16       Yes  No   No   No   No   No   No   No   Yes
17       No   Yes  Yes  No   Yes  Yes  No   No   Yes

Page 12

Fundamentals - Accountability

Page 13

Fundamentals - Accountability

In GDPR speak

Article 5(2) requires you to demonstrate that you comply with the principles, and states explicitly that this is your responsibility

Page 14

Fundamentals - Accountability

Page 15

Fundamentals – The long game

• Privacy is not a “one time deal”

• Build an infrastructure for success

• Teamwork and responsibility

• Think “business process” not one-time task

• Always consider “what if”

• PDCA (Plan, Do, Check, Act)

Page 16

12 Key Building Blocks

1. Data Protection Officers

2. Building awareness & getting “buy in”

3. Understanding the personal information you hold

4. Managing the legal basis for processing personal data

5. Communicating privacy information

6. Managing & Building Consent

7. Coping with children & special categories

8. Managing subject access requests

9. Fulfilling individuals' rights

10. How to handle a Data Breach

11. Data Protection by Design & Impact Assessments

12. International transfers & other complexities

Page 17

1. Data Protection Officers (A37-39)

• Previously the appointment of a data protection officer (a DPO) was optional in most Member States, but it is now required:

  • (a) where the core activities of the organisation consist of processing operations which require “regular and systematic monitoring” of data subjects on “a large scale”; or

  • (b) where the core activities consist of processing of special categories of data on a “large scale”; or

  • (c) where required under Member State law

• Recent EU DPB Guidance gives clarification

• The DPO should report to the highest management level of the controller or processor (as appropriate) and must be supported in carrying out its functions, including with the necessary resources

• The DPO’s contact details must be notified to the Supervisory Authority so that he/she will be the first official contact point on any issues

Page 18

1. Data Protection Officers – Considerations

• Consider if you have to appoint a DPO and, if not, whether you should

• If multi-site, would a single DPO be easily accessible from each site?

• How to give the various protections that the GDPR provides for and how to impose on the DPO the relevant obligations of secrecy and confidentiality – i.e. Make sure you contract well.

• Ensure that the DPO’s role involves at least:

• Informing the organisation and its employees who are processing personal data of their obligations under the GDPR

• Monitoring compliance with the GDPR

• Providing advice regarding privacy impact assessment

• Cooperating with Supervisory Authorities

• Acting as a point of contact for the Supervisory Authorities

• Involve the DPO in privacy-by-design issues

• The DPO must report to the highest management level and must be involved in a timely manner in all relevant

• If the DPO carries out other tasks and duties, consider how these will be kept from becoming a conflict of interest

• Ensure the DPO has the necessary resources (e.g. staffing resources, board support, budget)

• Publish the DPO’s contact details and notify the relevant Supervisory Authorities of the same

Page 19

DPO – Self Assessment

On a scale of 0 to 5 where 5 is the most positive…

If your organisation requires a DPO does their specification meet all of the GDPR’s requirements?

If perfect then 5

(If you genuinely do not need a DPO then score 5)

Page 20

2. Building awareness & getting “buy in” (Articles 24, 37-39)

• 2 Key Issues

• Getting senior management to buy into their responsibility

• Educating staff as to their responsibilities

• DPOs are under a specific obligation to implement appropriate training.

• Although not an express obligation where DPOs are not required, it is almost impossible for an organisation to demonstrate that it is able to achieve compliance without policies setting out how to comply coupled with evidenced training to bring those policies to life

Page 21

2. Building awareness – Senior Management

• Getting “Buy in” is vital

• If you have no senior sponsor then your programme will fail.

• GDPR will make organisations change. Change requires seniority.

• Identify key senior stakeholders to support the programme – get them participating. Make a DP Board/Group/Steering.

• Your job is educative. Learning often doesn’t happen instantly so don’t give up.

• Fines and penalties may work – but often talking about the positives of customer trust and engagement can help.

• Don’t get lumbered - remember your responsibility. Failure is always an option.

Page 22

2. Building awareness – General Actions

• Design/purchase/develop specific training for GDPR – this may vary from role to role

• Align with your policies

• Integrate with security training?

• Make available on demand

• Include Data Protection and Acceptable Use Policies, Data Breach and Business Continuity Plans, and data handling & collection where required.

• Identify all individuals that require training – frequency/starter and ensure it happens

• Identify those (including the DPO) that may need external input (new rules and regs) and provide

• Keep comprehensive records of attainment.

Page 23

2. Building awareness – Use the tools

• Think like an educator/marketer

• Use all the tools you can

• Formal training (classroom)

• From powerpoint to e-learning modules

• Promote via internal newsletters/media

• Keep awareness up with simple ideas – posters, e-mail reminders etc.

• Build a comms programme

Page 24

Self Assessment Question

On a scale of 0 to 5 where 5 is the most positive…

How aware and engaged is your organisation with regard to GDPR and your internal programme?

If perfect then 5

(If you genuinely do not need a DPO then score 5)

Page 25

3. Understanding the personal information you hold

• A controller must be able to demonstrate compliance with the data protection principles in Article 5

• Under the GDPR, each data controller and, if any, the controller's representative, are required to maintain a record of processing activities under its responsibility.

• Smaller organisations (<250 employees) may be exempt – consider carefully.

• Organisations are complex… “Dark Data” resides everywhere…

Page 26

3. Understanding the personal Information you hold – Data flow & process mapping

• Document all the data flows which contain personal data

• Include data type

• If “special categories”, children’s or other high risk data then highlight

• Identify those responsible

• Remember PDCA

• No right or wrong – do it the way that works for your org.

Page 27

3. Understanding the personal information you hold – Records of processing (Art 30)

“each data controller … are required to maintain a record of processing activities”

• This record shall contain the following information:

• Name and contact details of the controller, DPO etc

• Purposes of the processing, a description of categories of data subjects and of the categories of personal data

• The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries

• Where applicable, transfers of data to a third country ++

• Where possible, time limits for erasure of the different categories of data

• Where possible, a general description of security measures referred to in Article 30(1)

Page 28

3. Understanding the personal information you hold – Records of processing (Art 30)

“also maintain a record of all categories of personal data processing activities carried out”, containing:

• The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's or the processor’s representative, and the data protection officer, if any

• The categories of processing carried out on behalf of each controller

• Where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in Article 44(1), the documentation of appropriate safeguards

• Where possible, a general description of the technical and organisational security measures referred to in Article 30(1)

• “Upon request… ..shall make the record available to the supervisory authority”

Page 29

3. Understanding the personal information you hold – records of processing model

Page 30

Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive…

If requested, how easily could you make the records of processing available?

If perfect then 5

(If you genuinely do not need ROP then score 5)

Page 31

Breakout session 1 (15 mins)

• Working in your groups please explore the last 3 assessment questions together

• Come up with 3 ideas related to any of these areas to share with the workshop

• Nominate a spokesperson to read out your responses

Page 32

4. Managing the legal basis for processing personal data (Art 6)

• GDPR provides several legal bases for processing

• Consent has been specifically provided

• Processing is necessary for contractual or legal obligation

• Processing is necessary to protect the vital interests of the data subject or is in the public interest

• Processing is for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Page 33

4. Managing the legal basis for processing personal data (Art 6) - Considerations

• DPOs must fully understand which legal bases are being utilised

• Documentation must relate legal basis to processing

• Fair processing/collection notices must link to or provide this information

• Changes of basis can be tricky – particularly consent to legitimate interests (more)

• New processing should have the basis for processing formally identified prior to the processing commencing

• Privacy Impact assessments should be considered (risk based approach)

Page 34

4. Managing the legal basis for processing personal data (Art 6) – Legitimate Interests

• Can only be used where the “balance of need” is clearly in the controller's favour.

• Such decisions should be documented

• “Direct Marketing” and intra-company transfer purposes specifically allowed

• Doesn’t override the requirements of e-privacy regulation (see consent later)

• Other situations complex – legal opinion may be required

Page 35

Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive…

How clearly defined & understood are the bases for your personal data processing?

If well understood and documented then 5

Page 36

5. Communicating privacy information

• Privacy Policies

• Fair Processing Notices (or collection notices)

• Agreements with 3rd Parties

Page 37

5. Communicating privacy information - Policies

• A Privacy Policy describes how your organisation collects, stores and uses personal information

• You may need two:

  • Internal – to guide your organisation from within and to state to staff how you will process their data

  • External – to explain clearly to your prospects/customers/supporters/users how your organisation manages their personal information

• Policies are the most important tool in the box.

• Privacy policies and FPNs are related – more on FPNs to come

Page 38

5. Communicating privacy information – Privacy Policies – Fair Processing Notices (Art 13-14)

• The controller shall, at the time when personal data are obtained, provide the data subject with the information necessary to ensure fair and transparent processing…

• Those statements that are shown to data subjects at the point of data collection (where possible)

• Examples include the consent statements you may see when signing up for a service or agreeing to receive marketing

• Work “hand-in-hand” with Privacy Policies to provide the information that GDPR mandates you must provide to data subjects

• ICO / EUDP – Layered Approach may be acceptable. Clarification needed.

Page 39

5. Communicating privacy information – Information to be provided (Art 12-14)

• Your identity and contact details (as the controller).

• Identity and contact details of the data protection officer (where needed)

• Who will use the data (ICO guidance currently proposing specific names…)

• Purpose and legal basis for processing. If legitimate interest is being relied upon, details of that interest

• Details of transfers of personal data outside the EC, details of safeguards and how to get copies of transfer agreements.

• How long the data will be stored for, or how the retention period is calculated.

• A list of the data subject's rights including: the right to object to/opt out of direct marketing, the right to make a subject access request and (a new right) the right to be “forgotten”.

• The right, at any time, to withdraw any consent previously given.

• Whether the data subject has to, by law, provide the information, or provide it as part of the contract with you and the consequences of not providing the information.

• The right to complain to a supervisory authority.

• Details of any automated decision making.

Page 40

5. Communicating privacy information – Considerations & Ideas

• Transparency & clear language vital

• Ensure that privacy notices & policies are prominent and align across all data collection points including for those provided by 3rd parties.

• If not collecting personal information directly from the individual, ensure that access to the information is provided at the first available opportunity

• Consider layering carefully – guidance coming

• Formal version control important - be able to demonstrate wording from any point in time

Page 41

5. Communicating privacy information – Privacy Policies – 3rd Parties

• 3rd parties need to understand how to work within your policy frameworks

• Most data breaches involve 3rd parties – suppliers, partners, research agencies, marketing agencies

• Often not enough focus

• Clear expectations need to be provided

• No common standard (ISO or similar) – yet.

Page 42

Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive…

How centralised, consistent and compliant are your policies and FPNs today?

If completely compliant then 5

Page 43

Breakout session 2 (15 mins)

• Working in your groups please explore the last 3 assessment questions together

• Come up with 3 ideas related to any of these areas to share with the workshop

• Nominate a spokesperson to read out your responses

Page 44

6. Managing & Building Consent (Art 7)

• Use consent where other legal bases do not apply

• Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

• The data subject shall have the right to withdraw his or her consent at any time.

• It shall be as easy to withdraw consent as to give it.

• Must be freely given – “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”

Page 45

6. Managing & Building Consent (Art 7) – E-Privacy Regulation/PECR

• Consent required for digital and telephone communications

• Overrides legitimate interest

• Requires “opt-in” permission (prior consent) for e-mail, online and other electronic communications (including 3rd party or tracking cookies)

• Exceptions for Customers (but not prospects?)

• Exceptions for Marketing for Corporates (but not sole-traders etc)

• Mandates TPS (already the case in the UK)

• Various controls over automated voice calls etc

Page 46

6. Managing & Building Consent (Art 7) - Key issues

• Consent management is often complex in larger organisations

• Many collection points, many consents

• Documentation is key – making a record of consent history may be vital when demonstrating consent

  • Wording

  • Date, time

  • Origin

  • Scope

• Aligning systems – centralise wording, data flows etc. Investment and time

• Customer Preference Centres – allow self management

Page 47

6. Managing & Building Consent (Art 7) - Ideas & Considerations

• Conduct a review of all consent statements currently used to collect customer/prospect consent; update wording and/or mechanisms where necessary in order to comply with the latest guidance

• Ensure relevant current system(s) are able to store the required enhanced customer consent information. Implement a programme of system development where required

• Identify and suppress contact data where it cannot be evidenced that adequate consent has been obtained from the data subject (or that FPNs were not adequate at the time)

• Conduct a ‘marketing consents’ audit on the third-party list sources to ensure prospect data has been collected with the appropriate level of marketing consent

• The DPO to clarify ICO guidelines with regards to the future profiling and analysis of data subjects

• Develop a consent re-engagement strategy to protect customer consent volumes

• Don’t overlook Legitimate Interests for Direct Marketing

• Consider the investment in Permission Management Platform or similar
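One way to keep the consent history the "Key issues" slide asks for (wording, date/time, origin, scope) so that a grant, a withdrawal and the exact wording shown can be evidenced at any point in time, and contacts without evidenced consent suppressed; it also covers the "formal version control" point from the privacy-notice slide. This is an added Python example, not DQM GRC's code; the class and field names, the two wording versions and the sample subjects are constructed for illustration.

```python
"""Consent ledger sketch (constructed example, not DQM GRC code): an
append-only record of consent events plus version-controlled notice wording,
from which consent status, evidence and a suppression list are derived."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class NoticeVersion:
    """One immutable version of a consent statement / FPN wording."""
    version: str
    effective_from: datetime
    wording: str


@dataclass(frozen=True)
class ConsentEvent:
    """A single grant or withdrawal; events are never edited, only appended."""
    subject_id: str
    scope: str            # what the consent covers, e.g. "email-marketing"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # timezone-aware timestamp of the event
    origin: str           # collection point, e.g. "web-signup", "call-centre"
    notice_version: str   # wording version shown when given ("" on withdrawal)


class ConsentLedger:
    def __init__(self) -> None:
        self._notices: dict[str, NoticeVersion] = {}
        self._events: list[ConsentEvent] = []   # append-only history

    def publish_notice(self, notice: NoticeVersion) -> None:
        # Wording versions are immutable: any change in text is a new version.
        if notice.version in self._notices:
            raise ValueError(f"notice version {notice.version!r} already published")
        self._notices[notice.version] = notice

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("event timestamps must be timezone-aware")
        if event.granted:
            notice = self._notices.get(event.notice_version)
            if notice is None:
                raise ValueError("a grant must cite a published wording version")
            if notice.effective_from > event.at:
                raise ValueError("cited wording was not in force when consent was given")
        self._events.append(event)

    def status_at(self, subject_id: str, scope: str, when: datetime) -> Optional[ConsentEvent]:
        """Most recent grant/withdrawal for this subject and scope at or before `when`."""
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.scope == scope and e.at <= when]
        return max(relevant, key=lambda e: e.at, default=None)

    def has_consent(self, subject_id: str, scope: str, when: datetime) -> bool:
        last = self.status_at(subject_id, scope, when)
        return last is not None and last.granted

    def evidence(self, subject_id: str, scope: str, when: datetime) -> Optional[dict]:
        """What you would show a supervisory authority: when, where, exact wording."""
        last = self.status_at(subject_id, scope, when)
        if last is None or not last.granted:
            return None
        return {"at": last.at.isoformat(), "origin": last.origin,
                "notice_version": last.notice_version,
                "wording": self._notices[last.notice_version].wording}

    def suppression_list(self, contacts: list[str], scope: str, when: datetime) -> list[str]:
        """Contacts that must not be contacted because no valid consent can be evidenced."""
        return sorted(c for c in contacts if not self.has_consent(c, scope, when))


def utc(stamp: str) -> datetime:
    """Helper for the constructed sample data below; all timestamps are UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: two wording versions, two subjects, one withdrawal."""
    ledger = ConsentLedger()
    ledger.publish_notice(NoticeVersion("fpn-v1", utc("2017-01-01T00:00"),
                                        "We may email you offers. Tick to agree."))
    ledger.publish_notice(NoticeVersion("fpn-v2", utc("2018-05-25T00:00"),
                                        "Tick to receive offers by email. Withdraw at any "
                                        "time via your preference centre."))
    ledger.record(ConsentEvent("alice", "email-marketing", True,
                               utc("2017-03-02T10:15"), "web-signup", "fpn-v1"))
    ledger.record(ConsentEvent("bob", "email-marketing", True,
                               utc("2018-06-01T09:00"), "web-signup", "fpn-v2"))
    # Withdrawal must be as easy as giving consent: a preference-centre click suffices.
    ledger.record(ConsentEvent("alice", "email-marketing", False,
                               utc("2018-07-04T08:30"), "preference-centre", ""))
    return ledger
```

Call build_sample_ledger() and then evidence("alice", "email-marketing", utc("2018-01-01T00:00")) to see the v1 wording Alice saw, or suppression_list([...], "email-marketing", utc("2018-08-01T00:00")) to see who may no longer be emailed after her withdrawal.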

Page 48

Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive…

How compliant are your current consents and consent management processes with GDPR?

If well understood and documented then 5

Page 49

7. Coping with special categories & children

• Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

• Unless the data subject has given explicit consent, or the processing is necessary for carrying out obligations and exercising specific rights in the field of employment, social security and social protection law

• Plus other specific exclusions unlikely to apply to commercial contexts


7. Coping with special categories & children

• (Consent) in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.

• Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

• Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

• The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.


7. Coping with special categories & children - considerations

• Consider which of your services are “information society” services, i.e. interacted with and enacted in a purely digital way (signing up to a website for access is one…)

• If applicable, ensure you have a process for age verification on your website

• If below 16, build a process for parental verification

• Consider how you might prove/evidence/document this verification if required

• Consider restricting processing on existing data

• Ensure your records of processing encompass this requirement

• Use privacy impact assessments, legal advice and the ICO when considering new processing for special categories where consent cannot be obtained.


Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive… If appropriate how well does your organisation differentiate between special categories, data from children and “normal” personal information? If you are sure that you do not process any special categories or children’s data then 5

8. Managing subject access requests • The Right of Access (Article 15) has been strengthened.

• Requests must be fulfilled within 1 month as opposed to 40 calendar days in the current act.

• Requests are fulfilled free of charge (£10 under current legislation) unless the request is manifestly unfounded or excessive (e.g. repetitive), in which case a reasonable fee may be charged or the request refused

• Extended and extensive list of information to be returned – in addition to a copy of the data itself.

• Where requested by electronic means then, by default, the data must be returned in a commonly used electronic form.


8. Managing subject access requests • The subject must be informed of:

• The purposes, categories and legal basis of the processing

• The recipients or categories of recipients of the personal data (i.e. third parties)

• Whether the data has been sent to a third country or international organisation and the steps taken by the organisation to ensure adequate protection of the data

• The existence of various rights (restriction, erasure, rectification)

• Information as to the source (if not from the data subject)

• The period or criteria for retention

• The right to lodge a complaint


8. Managing subject access requests – Considerations & Ideas

• We believe these will increase dramatically (fuelled by damages)

• Using your data mapping and data register as a basis consider how you would fulfil these on a regular basis

• Engage the whole team and educate why this will be required

• Test the process periodically to ensure it is working

• If you can’t fulfil the request within a month then, within that first month, contact the data subject, explain why you are extending (by up to two further months) and document it – you may have to let the ICO know.

• Ensure that when you send the information it is secure!
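The following is an added example, not code from the slides or from DQM GRC. It shows two mechanical parts of the SAR process described above: computing the one-month (or extended three-month) deadline, and refusing to release a response package that lacks any of the items the previous slide says the subject must be told about. The calendar rule (count from the day of receipt to the same date next month, clamped to month end), the field names and the sample package are assumptions of this example.

```python
"""Added example (not from the slides): Art 12(3) deadline arithmetic for a
subject access request, plus a completeness check of the Art 15 items
before a response is released.

Assumptions of this example: the month runs from the day the request is
received to the corresponding date of the following month, or that month's
last day when there is none (31 Jan -> 28 Feb); a complex request may be
extended by two further months, but the data subject must be told of the
extension, and why, within the first month. Field names and the sample
package are constructed."""

import calendar
import json
from datetime import date

# Items an Art 15 response must carry (labels are ours; the list mirrors the
# slide "the subject must be informed of").
REQUIRED_FIELDS = (
    "purposes",         # purposes and lawful basis of the processing
    "categories",       # categories of personal data concerned
    "recipients",       # recipients or categories of recipients
    "transfers",        # third-country transfers and the safeguards applied
    "rights",           # rectification, erasure, restriction, objection
    "source",           # where the data came from, if not the data subject
    "retention",        # retention period or the criteria used to set it
    "complaint_right",  # right to lodge a complaint with the ICO
    "personal_data",    # the copy of the data itself
)


def add_months(start: date, months: int) -> date:
    """Same calendar day `months` later, clamped to the end of the target month."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def sar_deadline(received_iso: str, extended: bool = False) -> str:
    """ISO date by which the response is due: one month, or three if extended."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if extended else 1).isoformat()


def extension_notice_deadline(received_iso: str) -> str:
    """Last day on which the data subject can still be told about an extension."""
    return add_months(date.fromisoformat(received_iso), 1).isoformat()


def missing_fields(package: dict) -> list:
    """Required items that are absent or empty in a draft response package."""
    return [name for name in REQUIRED_FIELDS if not package.get(name)]


def render_response(package: dict) -> str:
    """Serialise a complete package as JSON (a commonly used electronic form);
    an incomplete package is rejected rather than sent out with gaps."""
    gaps = missing_fields(package)
    if gaps:
        raise ValueError("SAR response incomplete, missing: " + ", ".join(gaps))
    return json.dumps(package, indent=2, sort_keys=True, default=str)


# Constructed sample package for one data subject.
SAMPLE_PACKAGE = {
    "purposes": {"order fulfilment": "contract", "email marketing": "consent"},
    "categories": ["contact details", "order history"],
    "recipients": ["payment processor", "delivery partner"],
    "transfers": "none outside the EEA",
    "rights": ["rectification", "erasure", "restriction", "objection"],
    "source": "the data subject",
    "retention": "6 years after the last order",
    "complaint_right": "you may complain to the ICO at any time",
    "personal_data": {"email": "alice@example.org", "orders": 3},
}

if __name__ == "__main__":
    print("due:", sar_deadline("2018-01-31"))                        # 2018-02-28
    print("if extended:", sar_deadline("2018-01-31", extended=True))  # 2018-04-30
    print(render_response(SAMPLE_PACKAGE))
```

The month-end clamp is the case that catches people out: a request received on 31 January is due on 28 February, not 3 March. The JSON output is only the packaging; whatever channel carries it to the data subject still has to be secure, as the last bullet says.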


Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive… How well could your current SAR process cope with the GDPR requirements and a much larger scale of requests?

9. Fulfilling updated Individuals' rights

• Right to have inaccuracies rectified without undue delay

• NEW Right to erasure of personal data

• NEW Right to restrict processing

• NEW Right to data portability

• Rights to object

Action must be taken by controllers within one month of a request, extendable by two further months (three in total) where requests are complex or numerous; the data subject must be told of any extension, and why, within the first month. Some exemptions from the rights are set out in the GDPR itself; the majority are set only at a high level by the GDPR and left to Member State legislation to detail.


9. Fulfilling updated Individuals' rights The Right to Rectification The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


9. Fulfilling updated Individuals' rights The Right to Rectification - considerations • Not optional – although consider purposes carefully.

• “Downstream” communication to recipients unless impossible or disproportionate – document exceptions carefully

• Consider building a “Customer Portal” where data subjects can correct their own information – ensure that this applies to other systems.

• Build a business process to handle within 30 days

• Document thoroughly


9. Fulfilling updated Individuals' rights The Right to Erasure • “without undue delay” where:

• No longer necessary for the purposes for which they were collected

• Consent has been withdrawn (if consent was the legal basis) & no other legal grounds

• The data subject has objected to direct marketing

• Data collected from a child in relation to information society services

• Where the data has been made public, all reasonable steps to inform other controllers so that it is erased “downstream”


9. Fulfilling updated Individuals' rights The Right to Erasure - considerations • Not optional

• Assess your current data and consider what needs to go (not easy)

• Consider your technical platforms (and third party platforms) and plan for capability

• The “keeping for suppression” question

• Remember that anonymisation is a useful tool

• Build a business process to handle within 30 days

• Remember – employees may present you with this right too

• Document thoroughly
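The “keeping for suppression” question above has a standard technical answer, shown here as an added example (not code from the slides or from DQM GRC): after erasing the contact record, keep only a keyed hash of the normalised e-mail address so that the person is not re-imported from a third-party list or contacted again. A plain SHA-256 of an e-mail address is reversible by trying likely addresses; an HMAC with a key held apart from the list is not, so the list alone identifies nobody. The normalisation rules, the CRM layout and the key handling are assumptions of this example. One caveat a practitioner should keep in mind: while you hold the key this is pseudonymisation, not anonymisation, and the list remains personal data.

```python
"""Added example (not from the slides): an HMAC-based suppression list that
lets an organisation honour an erasure request or a direct-marketing
objection without retaining the e-mail address itself.

Assumed for this example: e-mail addresses are compared case-insensitively
after trimming; the key is generated here for demonstration but in practice
lives in a secrets store separate from the list; the CRM is a plain dict."""

import hashlib
import hmac
import secrets

# Constructed for the example; keep the real key away from the list itself.
SUPPRESSION_KEY = secrets.token_bytes(32)


def normalise_email(address: str) -> str:
    """Canonical form so ' Alice@Example.org' and 'alice@example.org' match."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    return local + "@" + domain


def suppression_token(address: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalised address. Without `key` the token cannot
    be matched against a dictionary of likely addresses, unlike a bare hash."""
    message = normalise_email(address).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class SuppressionList:
    """Append-only set of tokens; nothing stored here says who the people are."""

    def __init__(self, key: bytes = SUPPRESSION_KEY):
        self._key = key
        self._tokens = set()

    def suppress(self, address: str) -> None:
        self._tokens.add(suppression_token(address, self._key))

    def is_suppressed(self, address: str) -> bool:
        return suppression_token(address, self._key) in self._tokens

    def __len__(self) -> int:
        return len(self._tokens)


def erase_contact(crm: dict, address: str, suppression: SuppressionList) -> bool:
    """Honour an erasure request: drop the CRM record, keep only the token.
    Returns True if a record was actually removed."""
    key = normalise_email(address)
    suppression.suppress(key)
    return crm.pop(key, None) is not None


def filter_import(candidates: list, suppression: SuppressionList) -> list:
    """Screen an inbound prospect list (e.g. a purchased list) before loading it."""
    return [c for c in candidates if not suppression.is_suppressed(c)]


if __name__ == "__main__":
    # Constructed CRM contents.
    crm = {"alice@example.org": {"name": "Alice"}, "bob@example.org": {"name": "Bob"}}
    sl = SuppressionList()
    erase_contact(crm, " Alice@Example.org", sl)
    print(crm)                                                          # only Bob remains
    print(filter_import(["ALICE@example.org", "carol@example.org"], sl))  # ['carol@example.org']
```

Rotating the key invalidates every token at once, so plan key management before adopting this; losing the key turns the list into noise, which is exactly why it is useful as an anonymisation step if you ever need one.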


9. Fulfilling updated Individuals' rights The Right to Data Portability • New and “fundamental”

• Think “Super-SAR” but..

• Concerns only the data provided by the Data Subject (including transactions)

• Without hindrance

• Transmitted directly controller-to-controller where technically feasible

• Applies only where the processing is based on consent or a contract and is carried out by automated means

• Structured, commonly used, machine readable format


9. Fulfilling updated Individuals' rights The Right to Data Portability - Considerations

• Examine which data & processes this may stem from

• Look at your SAR process and expand

• Consider how you will handle the “inbound” part of the deal

• Standards will evolve – encouraging them is part of the EDPB (European Data Protection Board) remit

• Consider automated solutions – some web based services already give similar functionality (google download your browsing history)

• Will involve investment… (“necessary resources”)


9. Fulfilling updated Individuals' rights The Rights to Restriction & Objection

Restriction of processing is a right where (any of):

• accuracy is contested by the data subject, for a period enabling verification;

• the processing is unlawful, and the data subject opposes erasure and requests restriction of use instead;

• the controller no longer needs the data, but the data subject requires it for the establishment, exercise or defence of legal claims;

• the data subject has objected (see below), pending verification of whether the controller's legitimate grounds over-ride those of the data subject.

The right to object to processing:

• at any time

• to processing based on legitimate interests or on public interest/official authority

• including profiling based on those provisions

• unless the controller demonstrates compelling legitimate grounds

• for direct marketing purposes – including profiling for direct marketing – immediate cessation, with no exception


9. Fulfilling updated Individuals' rights The Rights to Restriction & Objection Considerations:

• Build business process to evaluate objections and legitimate interests

• Build technical solutions to enable restriction of processing

• Test these processes

• Document thoroughly (both the requests and the processes!)

• Provide easy methods of opting out (e-mail/web/phone) of DM
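As an added example (not code from the slides or from DQM GRC), here is the kind of gate that sections 6 and 9 together imply: a small consent and rights ledger that every marketing or analytics job consults before touching a record. It encodes the rules set out above: consent only counts when the wording version, mechanism, source and timestamp are recorded (section 6), a contact without evidenced consent is suppressed from consent-based purposes, an objection to direct marketing stops it immediately, and a restriction stops everything except storage and legal claims (section 9). The purpose names, which lawful basis each purpose relies on, the record layout and the sample contacts are assumptions of this example.

```python
"""Added example (not from the slides): a consent/rights ledger and a
processing gate for sections 6 (consent) and 9 (objection, restriction).

Assumptions: purposes and their lawful bases are as in PURPOSE_BASIS;
consent is evidenced only when wording version, mechanism and source are
all recorded; Art 18(2) processing under restriction with fresh consent is
obtained outside this gate. Sample contacts are constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

PURPOSE_BASIS = {                      # assumed mapping of purpose -> lawful basis
    "email_marketing": "consent",
    "profiling_for_marketing": "consent",
    "analytics": "legitimate_interests",
}
DIRECT_MARKETING = {"email_marketing", "profiling_for_marketing"}
ALWAYS_ALLOWED = {"storage", "legal_claims"}   # Art 18(2) carve-outs


@dataclass
class ConsentEvent:
    purpose: str
    given: bool            # False records a withdrawal
    at: datetime
    wording: str = ""      # version of the statement the person saw
    mechanism: str = ""    # e.g. "web-form, unticked box"
    source: str = ""       # "first-party" or the list vendor


@dataclass
class Contact:
    email: str
    consents: List[ConsentEvent] = field(default_factory=list)
    objected_to_dm: bool = False   # Art 21(2) objection: absolute
    restricted: bool = False       # Art 18 restriction in force

    def evidenced_consent(self, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for `purpose`, only if given, not withdrawn, and evidenced."""
        events = sorted((e for e in self.consents if e.purpose == purpose), key=lambda e: e.at)
        if not events or not events[-1].given:
            return None                                   # never given, or withdrawn
        latest = events[-1]
        if not (latest.wording and latest.mechanism and latest.source):
            return None                                   # cannot be evidenced: treat as absent
        return latest


def may_process(contact: Contact, purpose: str) -> Tuple[bool, str]:
    """Decide whether `purpose` may run against `contact`, with the reason."""
    if purpose in ALWAYS_ALLOWED:
        return True, "storage / legal claims: permitted even under restriction"
    if contact.objected_to_dm and purpose in DIRECT_MARKETING:
        return False, "objection to direct marketing: cease immediately"
    if contact.restricted:
        return False, "processing restricted"
    basis = PURPOSE_BASIS.get(purpose)
    if basis == "consent":
        consent = contact.evidenced_consent(purpose)
        if consent is None:
            return False, "no evidenced consent: suppress"
        return True, "consent evidenced (%s; %s; %s)" % (consent.mechanism, consent.wording, consent.at.date())
    if basis == "legitimate_interests":
        return True, "legitimate interests (balancing test documented elsewhere)"
    return False, "unknown purpose %r: no lawful basis recorded" % purpose


def suppression_report(contacts: Dict[str, Contact], purpose: str) -> List[str]:
    """E-mails that must be suppressed from `purpose` under the rules above."""
    return [email for email, c in contacts.items() if not may_process(c, purpose)[0]]


def sample_contacts() -> Dict[str, Contact]:
    """Constructed data covering each branch of the gate."""
    t = datetime(2017, 6, 1, tzinfo=timezone.utc)
    ok = ConsentEvent("email_marketing", True, t, "marketing-v3", "web-form, unticked box", "first-party")
    unevidenced = ConsentEvent("email_marketing", True, t, source="ListCo")   # wording/mechanism unknown
    withdrawn = ConsentEvent("email_marketing", False, datetime(2017, 9, 1, tzinfo=timezone.utc))
    return {
        "alice@example.org": Contact("alice@example.org", [ok]),
        "bob@example.org": Contact("bob@example.org", [unevidenced]),
        "carol@example.org": Contact("carol@example.org", [ok], objected_to_dm=True),
        "dave@example.org": Contact("dave@example.org", [ok], restricted=True),
        "erin@example.org": Contact("erin@example.org", [ok, withdrawn]),
    }


if __name__ == "__main__":
    for email, contact in sample_contacts().items():
        print(email, may_process(contact, "email_marketing"))
    print("suppress:", suppression_report(sample_contacts(), "email_marketing"))
```

The reason string is returned on purpose: it is what goes into the record of processing when a decision is challenged, which is the “document thoroughly” point the slides keep making.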


Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive… How prepared is your organisation to meet these new and updated rights by the 25th May 2018?

Breakout session 3 (15 mins)

• Working in your groups please explore the last 3 assessment questions together

• come up with 3 ideas related to any of these areas to share with workshop

• Nominate a spokesperson to read out your responses


10. How to handle a Data Breach

• organisations are required to notify the ICO within 72 hours of becoming aware of a personal data breach

• unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals

• where notification takes longer than 72 hours it must be accompanied by reasons for the delay

• when the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation must also communicate it to the affected data subjects without undue delay

10. How to handle a Data Breach – Considerations and ideas

• Create a specific breach management process and policy including responsibility for:

• Establishing the scale of the breach and the customers who are affected

• Containing the breach

• Breach notification content and method – to the supervisory authority and to customers

• Root cause analysis

• Internal risk reporting and change management

• Document ‘lessons learned’ and incorporate them into training (PDCA!)

• Prepare internal and external response communication plans and share with the business areas

• Define, for all staff, how data breaches are identified and to whom any breach should be communicated

• Conduct “Fire Drills”. Different scenarios but obviously stop short of notification!

• Ensure representatives from across the organisation are included within the Incident Management Team

• Ensure 3rd parties who process PII are included in the response plan

• Consider senior managers training on press response techniques

Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive… How well can your organisation respond to the Supervisory Authority (ICO) within 72 hours if you suffer a data breach?

11. Privacy Impact Assessments & Data Protection by Design

• PIAs (data protection impact assessments, Art 35) are mandatory under GDPR prior to any processing likely to result in a high risk to the rights and freedoms of individuals

• Ensure this process becomes a central part of any project, system change, policy implementation, supplier contract or anything else that could affect personal information privacy

• Alongside the PIA, GDPR introduces Privacy (Data Protection) by Design (Art 25), meaning that an individual’s privacy should be considered at the start of any project and the organisation should seek to reduce the risk of any negative impact on individuals, whether they be customers or staff

• Assessments must be formal and documented, acting as an audit trail and a demonstrable process


11. Privacy Impact Assessments & Data Protection by Design

The Privacy Impact Assessment should include but not be limited to:

• Seeking the advice of the Data Protection Officer

• A description of the envisaged processing operations and the purposes of the processing

• An assessment of the necessity and proportionality of the proposed processing operations in relation to the purposes for which the data was originally collected

• An assessment of the risks to the rights and freedoms of data subjects

• The measures envisaged to address these risks, including safeguards, security measures and mechanisms to ensure the protection of personal data

• Where appropriate, seeking the views of data subjects or their representatives on the intended processing

• Carrying out subsequent reviews to assess whether the processing of personal data is performed in compliance with the privacy impact assessment

• Where the privacy impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it, consulting the ICO prior to the processing

11. Privacy Impact Assessments & Data Protection by Design – PIA Considerations

• Ensure a process is in place for determining whether a PIA is required

• If it is determined that a PIA is required, ensure that there is a clear process for ensuring that PIAs are carried out appropriately across the organisation.

• Involve all relevant departments – use the opportunity to educate them on the consequences of failure and success!

• Develop and use a standardised approach

• Maintain a record of all PIA assessments; store it centrally and securely

• Check periodically whether system changes have occurred

• If using third parties (developers etc.) ensure they are also aware

• Devise a plan for handling rejections and objections

11. Privacy Impact Assessments & Data Protection by Design

Controllers should take steps to show that they have taken data protection compliance into consideration, and have implemented appropriate compliance measures, in relation to their data processing activities. In particular, controllers should adopt internal policies and measures which meet the principles of privacy by design and data protection by default

11. Privacy Impact Assessments & Data Protection by Design – PBD Considerations

• Develop a PIA framework and approval mandate across the business to ensure that the organisation can evidence that privacy impact assessments are being conducted, approved and actioned in line with the agreed framework

• Privacy by Design methodology should also be embedded into all data-centric development, approval and onboarding processes

• Implement a Project Gateway process with clear controls to govern the development of future data-driven applications/systems, incorporating PIA and PBD principles

• Liaise with the Communication Team to assist with skills and awareness of PIA, PBD and formal project controls

• Carry out subsequent reviews to assess whether the processing of personal data is performed in compliance with the documented privacy impact assessment

Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive… How well adopted are PIA and PBD practices in your organisation?

12. International transfers & territoriality

• Processing data outside of the EEA & other approved territories is complex.

• USA Privacy Shield in place but under review

• Other territories require one of:

• Approved contractual clauses (to be defined..)

• Binding Corporate rules (very complex – see your Lawyer)

• Informed prior consent (information on the risks must be provided)

• Necessity for the performance of a contract


12. International transfers & territoriality Considerations and Ideas:

• Perform an assessment of your processing to identify any existing international transfers.

• Question third parties carefully (web hosts, cloud services etc.) as to the location of their servers

• Where no lawful transfer mechanism exists, move the processing where possible

• Build into procurement processes the necessary questions and limitations

• Larger companies might consider Binding Corporate Rules – explore with suitable legal resources


Self Assessment Questions

On a scale of 0 to 5 where 5 is the most positive… How well identified and documented are your international data processes? (Note please consider carefully all processors including cloud based services)

Breakout session 4 (15 mins)

• Working in your groups please explore the last 3 assessment questions together

• come up with 3 ideas related to any of these areas to share with workshop

• Nominate a spokesperson to read out your responses


Final Points

• Lots to do but a year to do it

• Get the organisation on your side

• Build your documentary framework

• Get the resources you need

• Keep educating your teams

• Keep listening to the regulators

Good luck and thank you.

You can contact us for advice and assistance with your GDPR programme at: [email protected] Tel: 01494 442900 www.dqmgrc.com

GDPR Documentation checklist

• Data Protection Policy
• Training Policy
• Fair Processing Procedure
• Subject Access Request procedure
• Subject Access Request Form
• Data retention policy
• Data retention schedule
• Privacy Impact Assessment Procedure
• Breach notification Procedure
• Breach notification form
• Transfer of personal data outside the EEA
• Marketing Consent Procedure
• Removal of Consent Procedure
• Managing of any sub-contract Processes
• Fair Process Notice
• Data Protection Officer job description
• Data Inventory (Information asset register)
• Data Mapping Documentation
• Information Classification policy and procedure
• End User Access Process
• Storage Removal procedure
• 3rd party contracts
• Schedule of authorities and key suppliers
• Information security policy
• Managing security incidents procedure
• Privacy Policy
• Data erasure process
• Data Portability Process

Quick Practical tips and action points

External:

• Identify data capture points (e.g. online forms, registrations, call centres)

• What are people told about how their data will be used? (check policies, statements and notices)

• Are any consents currently obtained?

• Put in place template external notifications for data breaches

• Publish details of the DPO and provide the DPO's details to the DPA

• Identify key processors or customers

Internal:

• Gather information about future business use of data

• Identify all existing processing operations

• Undertake privacy by design and impact assessments as required

• Review existing record keeping arrangements

• Put in place DPO structure and support/resources

• Map international data flows and keep up to date with changing solutions

• Audit suppliers or be prepared to support customer audit

• Update standard form contracts and prepare standard form addenda

Policies and procedures:

• Identify current policies and update where required

• Assess and update guidance for staff and contractors

• Provide training (focus on core groups and then expand)

• Update procurement processes to address detailed contractual requirements