An overview of GDPR and the starting points you need as you prepare for its implementation in May 2018. It covers basic elements such as consent, data breaches, raising awareness, consumer rights, internationalism and communication.
4. Key personnel must be aware! Check: do they know about GDPR?
Ensure they are factoring GDPR into all future plans and identifying areas which may cause compliance issues.
Data controllers should be reviewing their risk management processes.
IT should be considering the range of devices, both in the office and out in the field, and how they are used and maintained.
* Gartner – October 2016
6. If you haven’t already, produce a log of all the data you hold.
Ask and record:
• Why are you holding it?
• How did you obtain it?
• How long will you retain it?
• How secure is it, both in terms of encryption and accessibility?
• Do you ever share it with third parties, and why might you?
7. The GDPR’s accountability principle requires you to document the ways in which you comply with the data protection principles when transacting business. By completing step two, not only are you compliant, but the inventory will also enable you to amend incorrect data or track third-party disclosures in the future.
9. At present, when collecting data you must inform your customers of the following:
• Your company identity.
• Reasons for gathering the data.
• What it will be used for.
• Who it will be disclosed to.
• Whether it is going to be transferred out of the EU.
10. After Friday 28 May 2018, before processing data you will need to:
• State the legal reason for processing data.
• Share data retention periods.
• Give and share complaint procedures.
• Explain if the data will be subjected to automated decision making.
12. So, what about your staff? What should you tell them?
• Explain what gaps existed in your data collection and handling and how you have plugged these.
• Explain the new service agreement that you are asking customers to agree to.
• Ensure they fully understand the additional criteria, including complaints, retention, legal basis and any automated decisions.
14. GDPR’s rights for individuals are mostly the same as under previous data acts. If you already follow the regulations, the transition should be easy. Check your customers have:
• Subject access.
• Right to correct inaccuracies.
• Right to have information erased.
• Right to object to direct marketing.
• Right to restrict processing.
• Right to portability.
15. Now check: do you have procedures for the following, should an individual make a request?
• Detect and delete data from ALL locations it is stored in.
• Move the data to another company.
Things to consider:
• Who makes decisions on deletion?
• Do you know where all the data is stored?
• Can you provide a commonly used electronic format?
• Can you make the processes timely?
17. The rules for access requests are changing under GDPR:
• You are no longer able to charge for a request.
• Processing a request should be completed within 1 month.
• Customers should be provided with the retention agreement.
• They should also be provided with the inaccuracies agreement.
18. Any exceptions to the rules? Yes:
• If a request is deemed to be excessive or manifestly unfounded.
But you must have a clear refusal policy and set procedure in place in order to refuse. Enabling customers to easily access their information online means that you are prepared and can save potentially expensive administration costs.
20. Document the different types of data processing you do. Then identify your legal basis for carrying it out, and document this.
This is essential to identify where consent is the sole legal basis for processing data.
21. If consent is the sole legal basis for processing data, the customer will have a stronger right to have their personal data deleted.
So, what do you do? You need to explain your legal basis for processing data in your privacy notice. Consider how much personal data you collect, and why. Discontinue any that is irrelevant. Keep data in its raw format and apply anonymisation and pseudonymisation.
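The slide names anonymisation and pseudonymisation without showing the difference. The following is an added example, not code from the original slides or from Subsidium: it pseudonymises a small set of constructed customer records with a keyed HMAC (HMAC-SHA256 is an assumed choice; the key and the pseudonym-to-identity lookup are assumed to be stored apart from the working data), produces a separately anonymised view by generalising quasi-identifiers, and shows an erasure request removing the subject from both the working set and the lookup, which is the "delete from ALL locations" check of step 15.

```python
import hashlib
import hmac

# Constructed sample records; no real people.
RAW_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "order_total": 120.50},
    {"email": "bob@example.com", "postcode": "M1 1AE", "age": 41, "order_total": 75.00},
]


def _pseudonym(key: bytes, email: str) -> str:
    """Keyed, deterministic pseudonym: the same email always maps to the same
    id under one key, and nothing can be reversed without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Swap the direct identifier (email) for a pseudonym.

    Returns (working rows, lookup). The lookup (pseudonym -> email) and the
    key are what make re-identification possible, so both are assumed to be
    stored separately from the working rows with tighter access control."""
    lookup = {}
    rows = []
    for r in records:
        pid = _pseudonym(key, r["email"])
        lookup[pid] = r["email"]
        row = {k: v for k, v in r.items() if k != "email"}
        row["subject_id"] = pid
        rows.append(row)
    return rows, lookup


def anonymise(records):
    """Generalise quasi-identifiers so a row no longer singles out a person.
    Unlike pseudonymisation there is no key or lookup: this is one-way."""
    out = []
    for r in records:
        decade = (r["age"] // 10) * 10
        out.append({
            "postcode_area": r["postcode"].split()[0],        # outward code only
            "age_band": f"{decade}-{decade + 9}",
            "spend_band": int(r["order_total"] // 50) * 50,   # 50-unit buckets
        })
    return out


def erase_subject(rows, lookup, email: str, key: bytes):
    """Erasure request: drop the subject's rows AND the lookup entry.
    Removing only one of the two leaves the person re-identifiable."""
    pid = _pseudonym(key, email)
    lookup.pop(pid, None)
    return [r for r in rows if r["subject_id"] != pid]


if __name__ == "__main__":
    key = b"constructed-test-key"  # in practice a generated secret, stored apart from the data
    rows, lookup = pseudonymise(RAW_RECORDS, key)
    print(rows)
    print(anonymise(RAW_RECORDS))
    print(erase_subject(rows, lookup, "alice@example.com", key), lookup)
```

The split between `rows` and `lookup` is the point: a team working on the pseudonymised rows cannot name anyone, yet a legitimate request (correction, erasure, access) can still be routed to the right records through the lookup, and the lookup entry is part of what an erasure has to remove.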
22. If your company uses customer consent, you should review how you obtain and record it. It should be:
• Given freely.
• Specific.
• Unambiguous.
The customer cannot be forced, or unaware that they are giving consent. It must be transparent what the consent is for. You must have a positive indication of agreement: no pre-ticked boxes or ‘opting out’.
23. If consent is the legal basis relied upon to process personal data, it needs to meet the standards set by GDPR. It should be:
• Verifiable – you must be able to demonstrate consent was given.
• Clear – the individual must know they have the right to withdraw consent they have given.
Make sure you have an effective recording trail for consent.
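Slides 22 and 23 together describe what a consent record has to prove: a positive act, a specific purpose, the wording seen, and the ability to withdraw. The following is an added example and not the slides' or Subsidium's code; it is an append-only consent log (names, the constructed subject id and notice version are all assumptions) that refuses to record consent without an affirmative action, stores withdrawal as a new event rather than editing the old one, and answers the point-in-time question "was consent in force when we processed this?".

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent trail."""
    subject_id: str          # pseudonymous customer id (constructed)
    purpose: str             # consent is specific: one purpose per event
    notice_version: str      # the wording the person actually saw
    granted: bool            # True = consent given, False = consent withdrawn
    source: str              # channel the event came from, e.g. "web-form"
    recorded_at: datetime    # timezone-aware timestamp


class ConsentLog:
    """Append-only consent trail. Events are never edited or deleted, so a
    withdrawal is a new event and the original opt-in stays as evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       source: str, at: datetime, affirmative_action: bool) -> ConsentEvent:
        # A pre-ticked box or an untouched default is not consent: only an
        # explicit opt-in act may be recorded as granted.
        if not affirmative_action:
            raise ValueError("consent requires a positive indication of agreement")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        ev = ConsentEvent(subject_id, purpose, notice_version, True, source, at)
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, source: str,
                          at: datetime) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        ev = ConsentEvent(subject_id, purpose, "", False, source, at)
        self._events.append(ev)
        return ev

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Was consent for this purpose in force at time `at`?
        Decided by the latest event for the subject/purpose not after `at`."""
        when = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.recorded_at <= when]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.recorded_at).granted

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Everything needed to demonstrate consent, or its withdrawal."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


# Constructed timeline used by demo(): opt-in, then withdrawal some months later.
T_OPTIN = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
T_BETWEEN = datetime(2018, 6, 1, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2018, 8, 1, 12, 0, tzinfo=timezone.utc)
T_AFTER = datetime(2018, 9, 1, tzinfo=timezone.utc)


def demo() -> ConsentLog:
    """Constructed walkthrough of one subject's consent history."""
    log = ConsentLog()
    log.record_consent("subj-0001", "marketing-email", "privacy-notice-v3",
                       "web-form", T_OPTIN, affirmative_action=True)
    log.record_withdrawal("subj-0001", "marketing-email", "email-link", T_WITHDRAW)
    return log


if __name__ == "__main__":
    log = demo()
    print("in force on 1 June:", log.has_consent("subj-0001", "marketing-email", at=T_BETWEEN))
    print("in force on 1 Sept:", log.has_consent("subj-0001", "marketing-email", at=T_AFTER))
    for ev in log.evidence("subj-0001", "marketing-email"):
        print(ev)
```

Because `has_consent` is answered from the event history rather than a mutable flag, a mailing sent on 1 June can still be justified after the August withdrawal, and the `notice_version` on the opt-in event ties the consent to the exact wording the customer agreed to.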
28. What is a DPIA?
A DPIA is a process of systematically considering the impact that a project may have on the privacy of individuals. It should identify privacy issues and how to mitigate them. A DPIA should include discussions with all relevant parties and stakeholders. It will determine the viability of future projects. The GDPR makes DPIAs mandatory for companies involved in high-risk data processing.
29. If your DPIA shows the risk to personal data cannot be mitigated, you will be required to consult the ICO before engaging in the processing.
If you require a DPIA, consider:
• Who will carry it out?
• Who needs to be involved?
• Will it be local or central?
30. If you are carrying out good practice then you will already be implementing privacy by design in your workflows through the use of a PIA (Privacy Impact Assessment).
GDPR enforces privacy by design and privacy by default by making them a legal requirement.
Services therefore must be privacy friendly, and those being developed should ensure privacy considerations from the outset.
32. GDPR requires some companies to have a DPO (Data Protection Officer). This can be someone in your organisation, or an external DPO who is shared. Ultimately, they will take responsibility for your data protection compliance and must have the knowledge, support and authority to be effective.
33. Companies that will need a DPO include:
• All public authorities and bodies.
• Where core activities (controller or processor) consist of data processing operations which require systematic monitoring of individuals on a large scale.
• Where the core activities consist of special categories of data (i.e. health data) or personal data relating to criminal convictions or
35. The GDPR is the one-stop shop for all organisations operating in the EU member states.
Multinationals will deal with one authority, referred to as the LSA (Lead Supervisory Authority), in the country where they are mainly established. The main establishment of an organisation is determined by where its main administration and decisions about data are made. Map this out to find your LSA.
36. Data security is more important than ever. It needs to be designed and built into your business mobility from the beginning.
At Subsidium, we provide one of the most trusted Mobile Device Management solutions, enabling you to take centralised control of your fleet of devices. You will access the latest remote technology, have rigorous device security, a 24-hour helpdesk and a global tracking facility.
With BYOD, Manage-Your-Own and Fully Managed options, we are here to prepare you for the mobile world.
Contact us and be ready to take control.