By: Thomas Goddard
Now that the new rules are in play, they will not be going away. You might start off fully compliant, but how do you ensure you stay that way, and stay within the law, as new systems come on board, new protocols for customer contact are put in place, and innovative new communication methods are invented (unforeseen and exciting new types of technology, social and marketing media, for example)?
Approach to GDPR readiness:
- Document data processing activities
- Review/update policies
- Review/update contacts
- Review/update security processes
- Plan education/communication
- Create governance/change management
What can we expect to happen?
- Regulators themselves aren’t sure exactly what enforcement will look like
- Data subjects will likely lead regulators to the problems
- Technology Change
Triggers For Re-Assessing Readiness Status
External:
- Regulatory Body Interpretations
- EU court clarifications of GDPR
- New data privacy regulations in other countries/regions
- Customers’ expectations around data privacy
- Technology Innovations – State of the Art
Internal:
- New Personal Data
- Business changes
- Transferring data to a non-EU country
- Policy Changes
- M&A
- New Vendors/Partners
- New application or processes
New Personal Data
The GDPR definition of personal data is broad: a wide range of identifiers can constitute personal data, reflecting changes in technology and in the way organisations collect information about people.
Such as:
- Name
- Identification Number (NI, Passport, driver’s licence…)
- Location data
- Online identifier
- Online behaviour
- Identifying factors (physical, mental, cultural, political opinions…)
- Genetic and biometric data
- Identifiers provided by digital devices & applications (most of which have not traditionally been treated as PII)
- Dynamic IP addresses
- Browser Cookies
- Device IDs, RFID
Triggers – Policy Changes
- Employee Privacy Notice
- Information Classification Standards and Controls
- Global HR Data Protection Policy
- Employee Rights under EU GDPR
- Responding to Employee & Customer Rights Requests Procedure
- Data Retention Policy and Procedure
- Vendor Management IT Privacy and Security Policy
- DPIA Policy and Procedure
- Information Security Policy
- Privacy and Compliant Policy
- Data Handling and Storage Guidelines
- Incident Response Plan
Triggers – New Applications or Processes
- On-Premises to cloud migration
- New websites
- Upgrade to existing application
- New reporting/analytics
- New marketing or other process
IT and GDPR Compliance
- IT Security
- IT Asset Register and Audit
- Data Remediation / Cleansing
- Employee Training
An organisation needs to ensure personal data security at four levels for GDPR compliance, namely User, Database, Application and Datacentre / Cloud. In support of that it needs to maintain an IT Asset Register and conduct an internal audit at least once a year (preferably every 6 months). Under the GDPR and the Data Protection Act 2018, an organisation must hold only the minimum personal data needed for the purpose, and only for the duration required. This is achieved by periodic data remediation / cleansing. GDPR implementation is unique to each organisation, so GDPR training should be part of Employee Induction, ensuring each new employee is aware of the organisation’s GDPR and Data Protection Act 2018 policies from the start, which helps prevent data breaches at the user level at least.
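The identifier list under “New Personal Data” (dynamic IP addresses, cookies, device IDs, e-mail addresses) and the retention / cleansing point above are easier to act on with code. The following is an added example written for this page; it is not code from the original article or from gdprconsultancy.net. The regex patterns, the per-purpose retention periods, the pseudonymisation key, the record layout and the sample log records are all assumptions constructed for the example. It scans log lines for the identifier types the article names, and then applies a retention rule per processing purpose: records within their retention period are kept, records with no documented purpose are dropped, and expired records have their identifiers irreversibly removed unless a legal hold applies.

```python
"""Discovery and retention-driven cleansing of personal data in logs.

Added illustration, not code from the original page. Patterns, retention
periods, key and sample records are assumptions constructed for this example.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Identifier types the article lists as personal data. The patterns are
# deliberately simple (the IPv4 one will also match version strings such as
# 1.2.3.4); tune them to your own log formats before relying on them.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "device_id": re.compile(r"(?<=device=)[0-9a-fA-F-]{36}"),   # UUID after device=
    "cookie": re.compile(r"(?<=session=)[A-Za-z0-9]{16,}"),     # session cookie value
}

# Retention per documented processing purpose, in days (assumed values).
RETENTION_DAYS = {"security": 90, "analytics": 30}

# Secret for keyed pseudonymisation (assumption; in practice keep it in a
# secrets store, not in source control, and rotate it).
PSEUDONYM_KEY = b"example-key-rotate-me"


def find_identifiers(line):
    """Return {identifier_type: sorted unique matches} for one log line."""
    found = {}
    for kind, pattern in PATTERNS.items():
        hits = sorted(set(pattern.findall(line)))
        if hits:
            found[kind] = hits
    return found


def pseudonymise(line, key=PSEUDONYM_KEY):
    """Replace each identifier with a keyed, truncated HMAC-SHA256 token.

    The output still correlates (same input, same token) so analytics keep
    working, but note it remains personal data under GDPR Recital 26 because
    whoever holds the key can re-link it."""
    def replacer(kind):
        def repl(match):
            digest = hmac.new(key, match.group(0).encode(), hashlib.sha256).hexdigest()
            return f"{kind}:{digest[:12]}"
        return repl
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(replacer(kind), line)
    return line


def redact(line):
    """Irreversibly remove identifiers once their retention period has expired."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(f"[{kind} removed]", line)
    return line


def cleanse(records, now, retention=RETENTION_DAYS):
    """Apply retention rules and return (kept, redacted, dropped).

    Each record is a dict with 'ts' (ISO-8601 with UTC offset), 'purpose',
    'line' and an optional 'legal_hold' flag."""
    kept, redacted, dropped = [], [], []
    for rec in records:
        days = retention.get(rec.get("purpose"))
        if days is None:
            dropped.append(rec)          # no documented purpose: no basis to retain
            continue
        age = now - datetime.fromisoformat(rec["ts"])
        if age <= timedelta(days=days) or rec.get("legal_hold"):
            kept.append(rec)             # within retention, or preserved for a dispute
        else:
            redacted.append({**rec, "line": redact(rec["line"])})
    return kept, redacted, dropped


# Constructed sample records (documentation-range IPs, made-up IDs).
SAMPLE = [
    {"ts": "2018-08-25T10:00:00+00:00", "purpose": "security",
     "line": "login ok user=alice@example.com ip=203.0.113.7 device=123e4567-e89b-12d3-a456-426614174000"},
    {"ts": "2018-05-01T10:00:00+00:00", "purpose": "security",
     "line": "login fail ip=198.51.100.9 session=k3j4h5g6f7d8s9a0q1w2"},
    {"ts": "2018-08-10T10:00:00+00:00", "purpose": "analytics",
     "line": "pageview /pricing ip=192.0.2.44 session=a1b2c3d4e5f6g7h8i9j0"},
    {"ts": "2018-07-01T10:00:00+00:00", "purpose": "analytics", "legal_hold": True,
     "line": "pageview /checkout ip=192.0.2.45 session=z9y8x7w6v5u4t3s2r1q0"},
    {"ts": "2018-08-30T10:00:00+00:00", "purpose": "unknown",
     "line": "debug user=bob@example.org ip=203.0.113.8"},
]
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)


def run_sample():
    """Run the cleansing pass over the constructed records as of NOW."""
    return cleanse(SAMPLE, NOW)


if __name__ == "__main__":
    kept, redacted, dropped = run_sample()
    print(f"kept={len(kept)} redacted={len(redacted)} dropped={len(dropped)}")
    for rec in redacted:
        print("redacted:", rec["line"])
    print("pseudonymised:", pseudonymise(SAMPLE[0]["line"]))
```

The split between pseudonymise and redact is the practical point: pseudonymised records are fine to hand to analytics or a vendor while the data is still within retention, but they do not satisfy a retention limit on their own, because the key makes them re-identifiable. Only the irreversible removal (or deletion of the record) does that, and the legal-hold branch is where a DPIA or a data subject request can legitimately override the schedule.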
Outputs You Should Have
- List of systems showing data flows
- Record of processing activities
- Updated policies, processes, and notices
- Data Protection Impact Assessment (DPIA)
- List of vendors/partners
- Updated contacts
Ongoing Responsibilities under GDPR
- Monitor Compliance
- Ensure new processes and technology compliance
- Employee training
- Privacy by Design
- PID
- ROPA (Record of Processing Activities)
- Breach notification
- Responses to Data subject rights
- And more…
Key Takeaways
Governance is crucial
GDPR does not have to slow your business down, but you do need to address issues up front
- Educate, educate, educate
- Have a data privacy mind-set
- Create an innovation roadmap
To Contact us: www.gdprconsultancy.net