GDPR: Day 1 and beyond

Presentation slides from an NCVO webinar, presented by Gary Shipsey from Protecture, which took place on 15 March 2018. View the webinar recording: https://youtu.be/WxlyCKwsPzQ

Published in: Government & Nonprofit

  1. GETTING READY FOR GDPR: DAY 1 AND BEYOND – 15 MARCH 2018 – GARY SHIPSEY, MANAGING DIRECTOR, PROTECTURE
  2. (1) WHAT IS THE GDPR? HOW DOES GDPR DIFFER FROM THE CURRENT LAW?
  3. Same:
     • Principles-based law (not rule based)
     • Principles
     • Key definitions
     • Risk
     Greater emphasis:
     • Transparency
     • Accountability
     • Fines
     “… shall be responsible for and be able to demonstrate compliance with the principles”
  4. (2) ACCOUNTABILITY – WHAT DOES THE GDPR REQUIRE?
  5. DPO – required where:
     1. public authority;
     2. core activities = large scale systematic monitoring;
     3. core activities = large scale special categories / criminal convictions and offences.
     Existing employee (if no conflict of interests) or contract out.
     Employer duties:
     • Reports to highest management level
     • Operates independently
     • Adequate resources, so they can meet their obligations
  6. DPO / DP Lead (diagram: the role in relation to IT, Fundraising, HR, Service delivery, Staff, Volunteers, Suppliers and Partners)
     • Document internal analysis and position
     • If choose DPO = same requirements apply
     • “DP Lead” – ensure there is no confusion regarding their title, status, position & tasks
  7. • Strategically accountable – who is responsible at a senior level?
     • Operational owner – who drafts and updates the process / standard?
     • Tactical delivery – which team(s) / role(s) are involved in the delivery of the process / standard?
  8. (3) WHAT IS YOUR RECORD OF PROCESSING ACTIVITY (ROPA) AND WHY IS IT KEY?
  9. Record of Processing Activity: a record of why, and on what basis, your organisation handles personal information to meet its business objectives. The completed ROPA will be used by your organisation to:
     • Assist the delivery of individual rights – e.g. know where to search
     • Meet transparency obligations – e.g. informing people of the lawful basis for processing
  10. • Provide information on the nature, scope, context and purposes of processing personal data, which is required for:
      • risk management with regards to your responsibilities as a Data Controller;
      • Data Protection by Design and by Default;
      • Data Protection Impact Assessments; and
      • risk-based decisions on information security
  11. Purpose drives: lawful basis; transparency; processing activities (how much to collect, who needs to see it, who to share it with, how long to keep it); the extent to which people can use / enforce their rights; informing people / fairness.
      “… specified, explicit and legitimate purposes …”
  12. (4) HOW CAN YOU ACHIEVE TRANSPARENCY? IS IT AS SIMPLE AS UPDATING YOUR PRIVACY POLICY?
  13. “… user-centric rather than legalistic … The practical (information) requirements are outlined in Art. 12 - 14. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information …” – Article 29 Working Party Guidelines on transparency
  14. ‘Privacy notice’ describes all the privacy information you need to make available to people. It must:
      • Be more detailed and specific
      • Make notices understandable and accessible
      • Be audience specific
      • Use house-style language
      “… still discretion for [you] to consider where the information … should be displayed in different layers of a notice.”
  15. Privacy Information Assessments – use to define how privacy information will be provided:
      • Baseline of specific privacy information (per Data Subject Category)
      • Means of providing general privacy information
      • Means of providing privacy information
      Three situations:
      A. Collected directly from an individual – e.g. via a form; verbally; in person.
      B. Come into the organisation from another source – e.g. a referral from another organisation; a public source.
      C. When existing personal data is to be used for a new purpose.
  16. (5) HOW DO YOU PREPARE FOR…
      • MANDATORY BREACH REPORTING
      • DATA PROTECTION BY DESIGN AND BY DEFAULT
      • HIGHER STANDARD CONSENT
  17. Mandatory breach reporting:
      • Training
      • Process
      • Decision making
      Higher standard consent:
      • What have you got now?
      • Re-permission where needed (methods are critical)
      Data Protection by Design and by Default:
      • Touch-points
      • Assessment
  18. (6) WHAT DOES APPROPRIATE SECURITY LOOK LIKE?
  19. Take into account:
      • state of the art + the costs of implementation
      • the nature, scope, context, purposes of processing
      • risk of varying likelihood
      • severity for the rights and freedoms of natural persons
      “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …”
  20. (7) WHAT ARE THE SIX STEPS TO TAKE TODAY?
  21. Objectives:
      • Establish whether you need to appoint a formal DPO
      • Decide and document who will lead on managing data protection risk
      • The resources you are committing
      • Your approach to data protection training and awareness
      Output: a record of who is leading on data protection for your organisation; the resources committed and approach to training and awareness.
  22. Objectives:
      • Establish the extent to which your current procedures, policies and/or guidance deliver the GDPR’s key requirements
      • Make changes and/or create new procedures where required
      Output: a set of policies, procedures and/or guidance that confirm how you will tactically deliver the key requirements of the GDPR.
      Objective: establish how you will monitor and report on compliance for each of the GDPR’s key requirements.
      Output: details of how you monitor and report on the key requirements of the GDPR.
  23. Objective: establish how you will monitor and report on compliance for each of the GDPR’s key requirements.
      Output: details of how you monitor and report on the key requirements of the GDPR.
      Objective: confirm strategic accountability and operational ownership of each key GDPR requirement.
      Output: confirmation of who is strategically accountable for each key GDPR Requirement Framework, and who owns each one at an operational level.
  24. Objective: create and maintain your Record of Processing Activity (ROPA) – the record of why, and on what basis, your organisation handles personal information to meet its business objectives.
      Output: your Record of Processing Activities (ROPA).
  25. Data Protection Policy Framework:
      #1 - Readiness Assessments
      #2 - Management & Delivery Of Key GDPR Requirements
      #3 - Record Of Processing Activity
      #4 - Data Journeys
      #5 - Privacy Information Strategy
      #6 - Relationships
      #7 - Information Security