GDPR updates the existing data protection rules to cover social, automated and manual data, adapting them to the current technological environment. The spirit of the data privacy regulations remains practically unchanged. However, the pace of change in data privacy will be rapid, and the significant additions include:
- Clear rules and definitions for GDPR terms such as “Processing” and “Consent” that fit the size of the organisation;
- The role, requirement and responsibilities of the Data Protection Officer;
- The introduction of vastly increased penalties, with a likelihood of sanctions enforcement.
SARs (Subject Access Requests) are expected to be widely invoked. Therefore organisations must know what personal data they store and where it resides, and must be able to provide it when requested.
Further decisions on removing or masking the data, depending on the nature of the Data Subject’s request, are addressed in our seminars.
Data portability is the ability for Data Subjects to reuse their data across interoperable applications. Data Portability requires that the data returned in response to an SAR is presented in a comprehensive, machine-readable format, so that the Data Subject can take ownership of the data and transfer it to another Data Controller.
In our seminars, we address the Data portability issues concerning identifying, contextualising and promoting data portability efforts when implementing GDPR.
- Start with a top-down view of your risks and get a GDPR project program up and running. Go through the attached presentation step by step;
- Demonstrate that a reasonable approach is taken to addressing GDPR compliance;
- We recommend not attempting to close every issue or every gap in your compliance efforts, but making sure that the security and data protection standards operate efficiently;
- Follow a standard such as ISO 27001/2 or similar to support GDPR compliance;
- Understand the new (to you) and/or highlighted GDPR requirements;
- Ensure that a working compliance program is established, including:
  - Start with a top-down risk assessment, followed by detailed data privacy assessments of your systems, processes and data.
  - Review your current approach to archiving and deletion of data, and document retention in all areas where data is stored or processed, and identify the gaps.
  - Identify and appoint responsible “data champions”, and appoint a Data Protection Officer if suitable.
  - Develop a corporate culture of privacy by design and by default when processing data.
  - Introduce change management and appropriate awareness and training programs.
  - Develop processes for dealing with SARs and Data Portability requirements.
  - Ensure that a Breach Notification Process is in place and monitor its efficiency.
  - Identify any third-party contractors and sub-contractors who act as Data Processors.
  - Ensure that processing standards are adequate.
  - Appropriate GDPR clauses must exist in all vendor contracts.
  - Conduct a bottom-up risk assessment, followed by a detailed Data Privacy Impact Analysis to assess systems, processes and data for GDPR compliance.
Category A: penalties are capped at the greater of €10 million or 2% of your worldwide annual turnover. This category addresses preparedness and administrative or regulatory failures rather than actual breaches.
Category B: fines can be up to the greater of €20 million or 4% of global annual turnover. Category B addresses significant failures in monitoring compliance.
The greater figure will apply in both categories.
If the company can document that a reasonable compliance effort is enforced and that a well-functioning GDPR program is monitored, leniency in fines may be granted in the event of a violation.
Please note that not all punishments are financial. The local supervisory authority could enforce the immediate cessation of data processing. For some organisations, this could be more damaging than monetary penalties.
Our suggestion is that an organisation of a reasonable size selects a DPO, considering the increasing emphasis on the importance of data privacy in the business environment. If the large-scale processing of personal data is part of your core business, then appoint a DPO. Even if your organisation is exempt from the DPO requirement, you are still obliged to comply with all other aspects of the GDPR.
Appointing the CIO or an existing HR Manager as DPO may not be the best solution. Due to the nature and scale of the DPO’s responsibilities, it would be preferable for your DPO not to have other roles within the organisation.
In larger, more structured entities, the role could sit within the Legal and/or HR departments. GDPR is ultimately about Information Security and Compliance, as GDPR applies to personal data; individuals working in security, audit and internal controls are likely to have the framework and mindset inherently suited to this responsibility.
Ultimately, compliance requires a high degree of collaboration. Therefore the recommendation is to identify “data champions” from different functions of the organisation and appoint them as equal partners in the compliance efforts.
GDPR is multi-jurisdictional, and therefore one of the key components of GDPR is to ensure that an organisation's international partners or third parties are also compliant with GDPR. Even if the company does not operate outside of the UK, compliance with data protection regulations is mandatory.
The Privacy Shield is an arrangement (agreement) to safeguard transatlantic exchanges of data between the US and EU. The first annual review of the EU-U.S. Privacy Shield is scheduled for September 2017.
A. Have in place appropriate technical (“Privacy Enhancing Technology”) and organisational protective measures (“OPMs”) against unauthorised or unlawful processing, and against the accidental loss, destruction, alteration, disclosure, access, or unapproved use, sharing or breach of any Personal/Sensitive Data acquired or aggregated by it pursuant to this Agreement;
B. Take reasonable steps to ensure the reliability of the Supplier Personnel who have access to the Personal/Sensitive Data, and that the organisation has an effective training and ongoing assurance programme;
C. Provide the Controller with such information, assistance and co-operation as is needed to supply detailed transactional logs regarding PII/Sensitive Data, attacks against websites or social media sites, abuses of identity or privileges, validation of PII Data destruction, and transfers of Data Controller. These events and the subsequent actions shall be maintained at evidential quality in accordance with applicable standards, and the chain of custody shall be maintained in support of eDiscovery. These logs and event actions are required to establish the Supplier’s and the Supplier’s subcontractors' compliance with the obligations relating to data protection and Information Governance contained in the applicable data protection legislation;
D. Inform the relevant members of the Controller or the appropriate Country Authority, as soon as reasonably practicable, of any breach of security, or any particular risk to the security of any of the Personal/Sensitive Data being processed, of which it becomes aware; and
E. Inform the individuals affected by said breach, in accordance with the applicable Laws regarding the reporting of events related to compromises of PII Data.
1. First, you need to identify and categorise where the gaps are: do they concern policy, process, security, data management, understanding or compliance issues?
Therefore, the remedies could include policy specification, the establishment of a framework, the provision of procedural guidance, data discovery, data quality improvement, an awareness campaign, a staff training program, internal control enhancements and more, all depending on the significance of the gap and where the root cause of the problem lies.
2. After identification and categorisation, the next phase is to diagnose the gaps against the GDPR risks.
A robust risk management framework is a must.
If the company's data protection strategy is risk-based, then risk acceptance is a reliable option, with remediation involving a number of compensating controls.
Depending on the gravity of the known risks, the gaps can either be addressed right away or grouped with similar findings from each category to avoid a series of minor system changes. If a major risk or system exposure is identified, it is wise to address it immediately, given its complexity, and to get guidance from other stakeholders on its solution.