GDPR the really simple guide


This is a really simple guide to implementing the GDPR for small and medium-sized businesses. For more detail, download the eBook "Implementing the GDPR" by Ian Tomlin on iTunes.

Published in: Business

  1. GDPR: A Really Simple Guide. Ian Tomlin. A preface to the eBook, now available on Amazon Kindle (AboveAndBeyond Series Guidebooks).
  2. What is the GDPR? • The General Data Protection Regulation is legislation enacted by the European Union to protect the data privacy rights of individuals in the EU. • Because it is a Regulation, not a Directive, it applies directly in every member state without needing to be transposed into national law. • It has been enforceable since 25 May 2018. • It reaches organizations anywhere in the world that process the personal data of people in the EU, for example because they employ them, sell to them or monitor their behaviour (Article 3).
  3. Where the GDPR came from. EU regulators became concerned about the legal imbalance between individuals wishing to protect their data and corporations handling and processing that data poorly. Revelations such as Edward Snowden's showed how poorly the personally identifiable data of individuals was being protected, and how hard it was for individuals to hold organizations to account. This led the EU to draw up legal countermeasures to ensure that the data privacy rights of its citizens were protected. Since we are all individuals who face the risk of Big Brother taking our privacy rights too lightly, that's a good thing, right?
  4. Why it matters • Get GDPR compliance badly wrong and you could face fines of up to 4% of global annual turnover or €20 million, whichever is higher (Article 83). • There are other undesirable outcomes of non-compliance, such as the impact on brand reputation. • Nearly all organizations will face a significant cost of change: the IT, legal and consultancy spending required to change operating behaviours may turn out to be the bigger story in the long term.
  5. Who should care? • The GDPR applies to the handling and processing of the personal data of any living natural person in the EU, by organizations inside or outside the EU, regardless of where the processing takes place. • For this reason it is set to have an impact on everyone in business, particularly those responsible for the welfare of the people in the organization they serve. • The senior managers of any organization managing or processing personal data, and anyone involved in commercial negotiations and supplier selection decisions, should understand its ramifications.
  6. Highlights. There are 99 articles (and 173 recitals) of legal text to get through if you want to really get intimate with the regulation, so I've summarized some of the key points below.
     • New liability for data processors: processors can no longer avoid regulatory fines for the processing they carry out for data controllers. If you work for a company that processes data on behalf of another business (and is therefore acting as a data processor), a fundamental change the GDPR ushers in is the rebalancing of regulatory liability between the data controller and its processors: processors now carry direct obligations of their own (Article 28) and can be fined and sued in their own right.
     • Data breach reporting: in the event of a personal data breach the controller must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (Article 33). If notification is not made within 72 hours, it must be accompanied by the reasons for the delay. The authority to notify is the one "competent under Article 55", which (looking to Article 56(1)) will most likely be the supervisory authority of the member state where the controller has its main or only establishment. Where the breach is likely to result in a high risk to individuals, the affected data subjects must be told as well (Article 34).
     • Cross-border transfers: organizations need to know where all their data is geographically. Transferring personal data outside the European Economic Area (EEA), for example to outsourcing partners or cloud services hosted outside the EU, is prohibited unless the destination country is covered by an adequacy decision (Article 45), appropriate safeguards such as standard contractual clauses or binding corporate rules are in place (Article 46), or one of the derogations for specific situations applies, such as the explicit consent of the data subject (Article 49).
     • Data mapping: organizations need to know where their data is, both by system and by geography, and what is done with it. Article 30 requires most controllers and processors to keep a written record of their processing activities.
     • Data protection impact assessments: Article 35 makes a DPIA mandatory where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects; Article 35(3) lists the kinds of processing for which one is always required.
     • Privacy by design and by default: privacy must be demonstrably built into the design, not bolted on afterwards. The GDPR installs this important systems engineering concept as a legal obligation (Article 25).
     • Accountability: everything must be documented; permissive, undocumented compliance is no longer enough. The GDPR introduces an explicit accountability principle (Article 5(2)) that requires data controllers to implement appropriate technical and organizational measures and to be able to demonstrate their compliance with the Regulation.
     ...and this isn't even the full list!
  7. The illustration on this slide shows what is involved in transitioning an organization's business-as-usual to embrace the GDPR. Plans will vary according to the specific circumstances of the organization making the change.
  8. A top-line implementation plan
     DISCOVERY PHASE: qualify the current situation and capture the insights needed to frame prioritization and the project design process.
     DESIGN PHASE: prioritize go-forward actions into an actionable implementation plan, giving feedback to stakeholders; then change the way the organization governs data and behaves in accordance with the GDPR, installing new mechanisms and approaches.
     OPERATIONAL PHASE (implement for): manage the data protection activities day-to-day in line with the GDPR.
     REVIEW PHASE: review and report on progress, adapt plans and re-balance perceptions of risk.
  9. How you can move forward…
     1. Find out what the plan is for your GDPR programme and who is leading it. If nobody is, share some content with senior executives. It's important: nobody wants a fine of 4% of global turnover!
     2. Discover what EU personal data you are holding by conducting a review of data and processes. Consider interviewing department heads. Most of all, prioritize your activities towards the most probable and impactful areas of risk.
     3. Read more about the subject. Why not take a moment to read my AboveAndBeyond guide, which offers an implementation plan and useful tools to help you plan out your change project ;-) Also check out the UK Information Commissioner's Office website; it's packed with more advice.
  10. The Big Disclaimer. It's legal stuff: the GDPR is a law and it REALLY PAYS to get legal advice on this topic. Explore more sources: don't use this guide as your only source of insight, as the impact of the GDPR varies according to the type of enterprise you are and how much personal data of people in the EU you hold. Further reading: in addition to this article, I've written a complete guide to the GDPR and how to implement the changes to business-as-usual needed to live "data privacy by design".
  11. About the Author. Background: Ian Tomlin has been a senior strategist and management consultant in the tech industry since 1990, experiencing first-hand the impact of information security and the GDPR. In 2015 he joined the award-winning Canon Europe security team and in 2016 went on to perform a leading role in the GDPR commercial solutions team, inheriting responsibility for innovating GDPR technology-led solutions for Canon's European customer community. At the time of writing, Canon is listed by GlobalTrak as the fourth most trusted brand in the world. In print: his first book, "CEO's Guide to Business Agility" (2004), describes the move from legacy to modern agile organizational design. In 2006 he wrote his second book, "Cloud Coffee House", on business social marketing and its move into the cloud, then a new concept of computing on the horizon. It was followed by his third book, "Social Operating Systems" (2009), predicting the evolution of what have now become comprehensive online platforms like Office 365 and Google G Suite. In 2014 he turned his attention to personal development and brand management, publishing two guides, one advising newcomers entering the business world on how to achieve more from their careers. This led to the creation of the AboveAndBeyond range of guidebooks for executives. He writes novels under the pseudonym Christian J. Browning. Career: starting his working life as a professional shoemaker, he joined the tech industry in 1990 after a period in local government and has spent most of his career at the leading edge of B2B marketing innovation. He created the management consulting business NDMC Ltd in 2001. In 2002 he worked with a small team to create ENCANVAS, a code-less application design and deployment platform that gives non-technical people the ability to create enterprise-scalable business applications.
     In 2006 he created a technology similar to WhatsApp called SQUORK, and in 2009 a container cloud computing platform that simplified the deployment of cloud applications. He continues to sit on the board of several hi-tech start-ups. Today he advises business leaders on how to grow their business, manage risk, tell their story and establish conversational marketing strategies. Ian Tomlin is a storyteller and technology evangelist with a passion for helping businesses make conversation profitably…
  12. Out now! Read the eBook "AboveAndBeyond the GDPR" by Ian Tomlin • Get the really simple guide to the GDPR • Learn more about the Regulation • Written by practitioners with hands-on experience of implementations • Packed with hints, tips and lessons learned on how to implement a GDPR change programme within your organization • Source the tools and process models you need to make the GDPR business-as-usual • Available on Amazon Kindle now