With just 11 weeks to go until the General Data Protection Regulation (GDPR) comes into force, this article aims to banish the GDPR jargon and give you the basic information you need to ensure you are prepared for the incoming regulations.
GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU); it also governs the export of personal data outside the EU.
The primary objectives of GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international businesses by unifying data protection law across the EU.
1. Raise Awareness – Ensure that all key decision makers and individuals within your organisation are aware that the GDPR law is coming into force. It is essential that they appreciate the impact this is likely to have.
SES recommends a proactive approach to creating awareness of the GDPR regulations within your organisation. This may range from educating the key individuals who handle personal data to training for your entire company.
2. Document the Personal Information You Hold – You should document what personal information your organisation holds, where it comes from and who it is shared with. To do this you may need to organise an information audit.
Creating a customer data flow diagram for your systems will give you a clearer picture of who the data handlers, controllers and processors are, so you can begin to map your processes against them.
It is essential that you:
3. Review and Update Your Privacy Policies and Notices – You should review your current privacy policies and notices and put a plan in place to make any necessary changes in time for the implementation of GDPR.
Make your own privacy notices clear and free from any jargon. They also need to clearly identify the following:
4. Know Individuals' Rights – You should check your procedures to ensure that they cover all of the rights individuals have, including how you would delete personal data or provide it electronically in a commonly used, machine-readable format.
The main rights of individuals include:
5. Prepare for Subject Access Requests – Update your procedures so that you can handle subject access requests within the shorter timescale GDPR imposes (one month, rather than the 40 days permitted under the Data Protection Act 1998). If you deal with a lot of requests, you may want to invest in online self-service access for customers.
It will be useful to look at how your organisation stores personal data and whether the staff responsible can locate and retrieve it easily, then review whether this process can be sped up in a controlled way. Online access by the customer may speed this up, but exposing that data via the internet widens your attack surface, so you would need to reflect the new risk in your risk register.
6. Have a Lawful Basis for Processing Personal Data – Identify and document the lawful basis for collecting and processing each category of personal data. Where you rely on legitimate interests, you must be able to explain and justify that assessment; where you rely on consent, it must be informed and obtained before processing begins.
7. Consent – Consent from an individual to hold their personal data needs to be clear and straightforward to give, and explicit where special category data is involved. Remember that consent can be withdrawn by the individual at any time, and withdrawing it must be as easy as giving it.
Also, assess how you are obtaining consent to hold an individual's data. Consent cannot be implied; it must be freely given, specific, informed and unambiguous.
8. Children – You need to think about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
In the UK, a child under 13 cannot give their own consent to an online service. You must be able to identify these individuals within your data and ensure that specific controls are placed on their records.
Also, if your service targets or engages children, your privacy notice must be written in language a child can understand. Where you rely on consent, you must obtain it from their parents or guardians.
9. Set Procedures for Data Breaches – Currently, not all organisations are required to notify the ICO when a breach occurs.
Under GDPR, all organisations will be required to report a personal data breach that is likely to result in a risk to individuals to the supervisory authority within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay where the risk is high. Ensure that appropriate breach detection, notification policies and procedures are in place and that staff know how to use them.
10. Data Protection by Design and Data Protection Impact Assessments – Certain activities, such as automated decision-making or processing of special category data on a large scale, require a prior Data Protection Impact Assessment (DPIA). In addition, new systems and processes must be designed with privacy in mind from the outset so that the solutions comply with the data protection principles.
11. Appoint a Data Protection Officer – Organisations that carry out regular and systematic monitoring of individuals on a large scale, or process special category data on a large scale, should designate a data protection officer (DPO) to take responsibility for data protection compliance.
12. International Organisations – If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
As part of our full suite of Cyber Security Services, SES can perform a GDPR Impact Assessment to determine how the introduction of GDPR will affect your organisation. To book your GDPR impact assessment or speak to us about any of our Cyber Security or Software Escrow services, please speak to one of our specialists.
© Financechain Limited trading as SES and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content.