With a fine of up to 4% of an organisation’s annual turnover on the line, individuals accountable and responsible for data protection are actively seeking clarification and advice regarding the impending changes to the EU General Data Protection Regulation.
The question now: how prepared are you to meet the EU General Data Protection Regulation?
IRM’s resident Data Protection expert, Paul Sexby, addresses the areas that need to be considered in order to prepare for the new requirements.
1. SECURE CYBER UNLOCK OPPORTUNITY IRMSECURITY.COM
Revised EU General Data Protection Regulation: 12 steps to compliance.
Paul Sexby, Head of Strategic Practice, IRM
September 2016
Whilst the GDPR does not come into force until May 2018, it is important that organisations are properly prepared for these changes in the context of operational need and business risk.
In order to address the requirements introduced in the revised regulation, consider these 12 steps for compliance…
1. EDUCATION & AWARENESS
The EU GDPR introduces changes and possible business impacts that all key stakeholders need to be conversant with. Get properly briefed and armed with the facts to make accurate, informed and timely decisions.
2. ACCOUNTABILITY
Organisations are required to be able to demonstrate how they comply with the Data Protection Principles. Ensure you are aware of the data you hold so you can provide details of the personal information you store, process and transmit.
3. LEGAL BASIS
Individuals now have stronger rights that your business has to fulfil. Be prepared to include the ‘legal basis’ for processing within Privacy Notices and have a process in place to respond to Subject Access Requests.
4. CONSENT
Data Controllers must be able to demonstrate that ‘consent’ was given. This could have potentially huge implications for some organisations. Maintain and retain an ‘audit trail’ and ‘history’ for the life of the data you hold to avoid business disruption.
5. PRIVACY-BY-DESIGN
Whilst this has been implicit within the current Data Protection Principles, the GDPR is explicit that this is a legal requirement. Where high-risk processing takes place a Privacy Impact Assessment (PIA) will be required.
6. INDIVIDUAL’S RIGHTS
Where organisations are likely to struggle is with regard to having information deleted and in facilitating data portability; though these have to be taken in context with legal obligations and responsibilities to retain information in accordance with other legal and contractual needs. Have a clearly defined Data Retention Policy and supporting processes to meet the policy.
7. PRIVACY NOTICES
Most organisations will have to revise their Privacy Notices to incorporate the obligations introduced within the GDPR to address elements such as the ‘legal basis’ for processing and defining data retention periods for personal information. Make your Privacy Notices CLEAR and UNAMBIGUOUS.
8. SUBJECT ACCESS REQUESTS
Internal business processes and procedures for handling SARs will undoubtedly need to be revised. Most organisations will no longer be able to charge a fee to comply with an SAR, which will have to be processed within a month (rather than the 40 days currently allowed).
9. CHILDREN
The GDPR requires special protection in the form of ‘consent’ to process children’s personal information. ‘Consent’ has to be verifiable and, where children’s data is collected, ‘Privacy Notices’ must be written in a manner that children can understand and comprehend.
10. DATA BREACH NOTIFICATION
This notification is to data subjects and not necessarily the ICO/Regulator – unless there is the potential for identity theft or loss of confidentiality to the individual. Create and exercise your Data Breach plan to reduce the impact and exposure in the event of a breach. Failure to report a breach could result in a fine, in addition to any penalty that might arise from the breach itself.
11. DATA PROTECTION OFFICER
The latest iteration of the GDPR has stepped back from mandating that ALL organisations must have a DPO. There is a requirement for “someone” to take ownership and responsibility for ensuring there is effective data protection compliance in place. Do not underestimate the time this functionality will require.
12. INTERNATIONAL OPERATIONS
In its simplest terms, the ‘Lead Authority’ for investigating a complaint is determined according to where your organisation makes key business decisions regarding data processing; in some cases this may be outside the UK. Be aware of the locations where your data is processed and educate your organisation on the rules and regulations to prepare in the event of a breach.
Organisations that wait for the changes to be finalised and implemented into National Law are unlikely to achieve the requirements in the time frames required. This will potentially hand an advantage to your competitors.
FURTHER INFORMATION
+44 (0)1242 255200
hello@irmsecurity.com
Paul Sexby, Head of Strategic Practice
Prepare for the EU GDPR with IRM’s EU Data Protection Assessment.