SlideShare a Scribd company logo
1 of 13
Download to read offline
A LITTLE BEE BOOK
“How it Works”
GDPR
This book belongs to:
A LITTLE BEE BOOK
“How it Works”
GDPR
Adapted from a variety of sources by Bob Yelland
This booklet is intended to provide friendly and
helpful advice and is not a definitive statement of law
BACK NEXT
4
After four years of debate, the General Data
Protection Regulation (GDPR) was ratified by the
European Union during April 2016 and has now
become law, although member states have a
two‑year period to implement it into national law.
This means that companies will be expected to be
fully compliant from 25 May 2018. The regulation
is intended to establish one single set of data
protection rules across Europe.
Organisations outside the EU are subject to this
regulation when they collect data concerning any
EU citizen.
GDPR is designed to give individuals better control
over their personal data held by organisations, and
may lead many to appoint a Data Protection Officer.
BACK NEXT
6
Personal data is defined as any information relating
to a person who can be identified directly or
indirectly. This includes online identifiers, such as IP
addresses and cookies, if they are capable of being
linked back to the data subject.
Indirect information might include physical,
physiological, genetic, mental, economic, cultural or
social identities that can be linked back to a specific
individual.
There is no distinction between personal data about
an individual in their private, public or work roles –
all are covered by this regulation.
50% of global companies say they will struggle to
meet the rules set out by Europe unless they make
significant changes to how they operate.
BACK NEXT
8
There will be a substantial increase in fines for
organisations that do not comply with this new
regulation.
Penalties can be levied up to the greater of ten
million euros or two per cent of global gross
turnover for violations of record-keeping, security,
breach notification and privacy impact assessment
obligations.
These penalties are doubled to twenty million euros
or four per cent of turnover for violations related to
legal justification for processing, lack of consent,
data subject rights and cross-border data transfers.
BACK NEXT
10
Companies will be required to “implement
appropriate technical and organisational measures”
in relation to the nature, scope, context and
purposes of their handling and processing of
personal data. Data protection safeguards must
be designed into products and services from the
earliest stages of development.
These safeguards must be appropriate to the
degree of risk associated with the data held and
might include:
•	 Pseudonymisation and/or encryption of
personal data
•	 Ensuring the ongoing confidentiality, integrity,
availability and resilience of systems
•	 Restoring the availability of, and access to, data
in a timely manner following a physical or
technical incident
•	 Introducing a process for regularly testing,
assessing and evaluating the effectiveness of
these systems.
BACK NEXT
12
A key part of the regulation requires consent to be
given by the individual whose data is held. Consent
means “any freely given, specific, informed and
unambiguous indication of his or her wishes by which
the data subject, either by statement or by a clear
affirmative action, signifies agreement to personal
data relating to them being processed”.
Organisations will need to be able to show how and
when consent was obtained. This consent does not
need to be explicitly given, it can be implied by the
person’s relationship with the company. However,
the data obtained must be for specific, explicit and
legitimate purposes.
Individuals must be able to withdraw consent at any
time and have a right to be forgotten; if their data is
no longer required for the reasons for which it was
collected, it must be erased.
BACK NEXT
14
When companies obtain data from an individual,
some of the areas that must be made clear are:
•	 The identity and contact details of the organisation
•	 The purpose of acquiring the data and how it will
be used
•	 Whether the data will be transferred internationally
•	 The period for which the data will be stored
•	 The right to access, rectify or erase the data
•	 The right to withdraw consent at any time
•	 The right to lodge a complaint.
BACK NEXT
16
The regulations demand that individuals must
have full access to information on how their data is
processed and this information should be available in
a clear and understandable way.
Individuals can make requests, and these must be
executed “without undue delay and at the latest
within one month of receipt of the request”.
Where requests to access data are manifestly
unfounded or excessive then small and
medium‑sized enterprises will be able to charge a
fee for providing access.
BACK NEXT
18
Companies must report breaches of security
“leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or
otherwise processed”.
In the event of a personal-data breach, companies
must notify the appropriate supervisory authority
“without undue delay and, where feasible, not later
than 72 hours after having become aware of it” if the
breach is likely to “result in a risk for the rights and
freedoms of individuals”.
In March 2016, the UK Information Commissioner’s
Office (ICO) published Preparing for the General
Data Protection Regulation (GDPR) – 12 Steps to
Take Now. Some of these steps for organisations are
summarised next.
BACK NEXT
20
1.	Ensure key departments are aware that the law is
changing, and anticipate the impact of GDPR.
2.	Document what personal data is held, where it
came from and with whom it is shared.
3. Review current privacy notices, and make any
necessary changes.
4. Review procedures to address the new rights that
individuals will have.
5. Plan how to handle requests within the new time
frames, and provide the required information.
6. Identify and document the legal basis for each
type of data processing activity.
7.	Review how consent is sought, obtained
and recorded.
8.	Make sure procedures are in place to detect,
report and investigate data breaches.
9.	Designate a Data Protection Officer to take
responsibility for data protection compliance.
BACK NEXT
22
IBM can help companies prepare for this regulation.
Our products offer data transparency, mask
sensitive data, delete old/obsolete data, identify
sensitive/toxic data and locate the data that
matters, where that data is stored and how it is
being used.
IBM Information Integration  Governance (IIG)
provides agile data integration and governance
to build confidence in data, including exploration
and management of data lineage. IBM Information
Lifecycle Governance (ILG) provides insight
into unstructured data and also the tools and
methodology to syndicate, instrument and enforce
policies. IBM Security provides pervasive and
intelligent internal and external network defences,
incident response and security restrictions.
BACK NEXT
24
© Copyright IBM Corporation 2016. All Rights Reserved.
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
Other product, company or service names may be trademarks or service marks of others.

More Related Content

What's hot

What's hot (20)

GDPR
GDPRGDPR
GDPR
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
Data protection
Data protectionData protection
Data protection
 
Training privacy by design
Training privacy by designTraining privacy by design
Training privacy by design
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data Security
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protection
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
 
What about GDPR?
What about GDPR?What about GDPR?
What about GDPR?
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 
GDPR infographic
GDPR infographicGDPR infographic
GDPR infographic
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
Privacy by Design and by Default + General Data Protection Regulation with Si...
Privacy by Design and by Default + General Data Protection Regulation with Si...Privacy by Design and by Default + General Data Protection Regulation with Si...
Privacy by Design and by Default + General Data Protection Regulation with Si...
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
WB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection BillWB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection Bill
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theft
 

Viewers also liked

The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection Regulation
Ghostery, Inc.
 

Viewers also liked (7)

Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection Regulation
 
Oikeudet omiin sote-tietoihin 2016-12
Oikeudet omiin sote-tietoihin 2016-12Oikeudet omiin sote-tietoihin 2016-12
Oikeudet omiin sote-tietoihin 2016-12
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
GDPR EU:n tietosuoja-asetus
GDPR EU:n tietosuoja-asetusGDPR EU:n tietosuoja-asetus
GDPR EU:n tietosuoja-asetus
 
Newell's Old Boys
Newell's Old BoysNewell's Old Boys
Newell's Old Boys
 
Varautuminen EU-henkilötietosuoja-asetukseen
Varautuminen EU-henkilötietosuoja-asetukseenVarautuminen EU-henkilötietosuoja-asetukseen
Varautuminen EU-henkilötietosuoja-asetukseen
 

Similar to GDPR for Dummies

New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
Data Privacy and consent management .. .
Data Privacy and consent management  ..  .Data Privacy and consent management  ..  .
Data Privacy and consent management .. .
ClinosolIndia
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 

Similar to GDPR for Dummies (20)

GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
Ready for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital EconomyReady for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital Economy
 
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing Mindset
 
Top 10 GDPR Requirements
Top 10 GDPR RequirementsTop 10 GDPR Requirements
Top 10 GDPR Requirements
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
Data Privacy and consent management .. .
Data Privacy and consent management  ..  .Data Privacy and consent management  ..  .
Data Privacy and consent management .. .
 
Data privacy and consent management (K.sailaja).pptx
Data privacy and consent management (K.sailaja).pptxData privacy and consent management (K.sailaja).pptx
Data privacy and consent management (K.sailaja).pptx
 
Associates quick guide to gdpr v 1.0
Associates quick guide to gdpr v 1.0Associates quick guide to gdpr v 1.0
Associates quick guide to gdpr v 1.0
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection Regulation
 
My presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPRMy presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPR
 
GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing   master slides 28 june-finalData protection & security breakfast briefing   master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 

More from Caroline Boscher

More from Caroline Boscher (8)

What is Websphere Commerce Managed Hosted?
What is Websphere Commerce Managed Hosted?What is Websphere Commerce Managed Hosted?
What is Websphere Commerce Managed Hosted?
 
YOU TO THE POWER OF IBM
YOU TO THE POWER OF IBMYOU TO THE POWER OF IBM
YOU TO THE POWER OF IBM
 
The new era of supply chain begins now
The new era of supply chain begins nowThe new era of supply chain begins now
The new era of supply chain begins now
 
The new era of marketing begins now
The new era of marketing begins nowThe new era of marketing begins now
The new era of marketing begins now
 
All you need to know about Data Management
All you need to know about Data ManagementAll you need to know about Data Management
All you need to know about Data Management
 
L'e-Paiment a l'heure de l'expérience client
L'e-Paiment a l'heure de l'expérience clientL'e-Paiment a l'heure de l'expérience client
L'e-Paiment a l'heure de l'expérience client
 
Les push notifications, mode d’emploi 2015
Les push notifications, mode d’emploi 2015Les push notifications, mode d’emploi 2015
Les push notifications, mode d’emploi 2015
 
Les données de vente B2B de Mapa et Spontex transitent dans le cloud avec ...
Les données de vente  B2B de Mapa et Spontex  transitent dans le cloud  avec ...Les données de vente  B2B de Mapa et Spontex  transitent dans le cloud  avec ...
Les données de vente B2B de Mapa et Spontex transitent dans le cloud avec ...
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 

GDPR for Dummies

  • 1. A LITTLE BEE BOOK “How it Works” GDPR
  • 2. This book belongs to: A LITTLE BEE BOOK “How it Works” GDPR Adapted from a variety of sources by Bob Yelland This booklet is intended to provide friendly and helpful advice and is not a definitive statement of law BACK NEXT
  • 3. 4 After four years of debate, the General Data Protection Regulation (GDPR) was ratified by the European Union during April 2016 and has now become law, although member states have a two‑year period to implement it into national law. This means that companies will be expected to be fully compliant from 25 May 2018. The regulation is intended to establish one single set of data protection rules across Europe. Organisations outside the EU are subject to this regulation when they collect data concerning any EU citizen. GDPR is designed to give individuals better control over their personal data held by organisations, and may lead many to appoint a Data Protection Officer. BACK NEXT
  • 4. 6 Personal data is defined as any information relating to a person who can be identified directly or indirectly. This includes online identifiers, such as IP addresses and cookies, if they are capable of being linked back to the data subject. Indirect information might include physical, physiological, genetic, mental, economic, cultural or social identities that can be linked back to a specific individual. There is no distinction between personal data about an individual in their private, public or work roles – all are covered by this regulation. 50% of global companies say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate. BACK NEXT
  • 5. 8 There will be a substantial increase in fines for organisations that do not comply with this new regulation. Penalties can be levied up to the greater of ten million euros or two per cent of global gross turnover for violations of record-keeping, security, breach notification and privacy impact assessment obligations. These penalties are doubled to twenty million euros or four per cent of turnover for violations related to legal justification for processing, lack of consent, data subject rights and cross-border data transfers. BACK NEXT
  • 6. 10 Companies will be required to “implement appropriate technical and organisational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development. These safeguards must be appropriate to the degree of risk associated with the data held and might include: • Pseudonymisation and/or encryption of personal data • Ensuring the ongoing confidentiality, integrity, availability and resilience of systems • Restoring the availability of, and access to, data in a timely manner following a physical or technical incident • Introducing a process for regularly testing, assessing and evaluating the effectiveness of these systems. BACK NEXT
  • 7. 12 A key part of the regulation requires consent to be given by the individual whose data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. Organisations will need to be able to show how and when consent was obtained. This consent does not need to be explicitly given, it can be implied by the person’s relationship with the company. However, the data obtained must be for specific, explicit and legitimate purposes. Individuals must be able to withdraw consent at any time and have a right to be forgotten; if their data is no longer required for the reasons for which it was collected, it must be erased. BACK NEXT
  • 8. 14 When companies obtain data from an individual, some of the areas that must be made clear are: • The identity and contact details of the organisation • The purpose of acquiring the data and how it will be used • Whether the data will be transferred internationally • The period for which the data will be stored • The right to access, rectify or erase the data • The right to withdraw consent at any time • The right to lodge a complaint. BACK NEXT
  • 9. 16 The regulations demand that individuals must have full access to information on how their data is processed and this information should be available in a clear and understandable way. Individuals can make requests, and these must be executed “without undue delay and at the latest within one month of receipt of the request”. Where requests to access data are manifestly unfounded or excessive then small and medium‑sized enterprises will be able to charge a fee for providing access. BACK NEXT
  • 10. 18 Companies must report breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In the event of a personal-data breach, companies must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it” if the breach is likely to “result in a risk for the rights and freedoms of individuals”. In March 2016, the UK Information Commissioner’s Office (ICO) published Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now. Some of these steps for organisations are summarised next. BACK NEXT
  • 11. 20 1. Ensure key departments are aware that the law is changing, and anticipate the impact of GDPR. 2. Document what personal data is held, where it came from and with whom it is shared. 3. Review current privacy notices, and make any necessary changes. 4. Review procedures to address the new rights that individuals will have. 5. Plan how to handle requests within the new time frames, and provide the required information. 6. Identify and document the legal basis for each type of data processing activity. 7. Review how consent is sought, obtained and recorded. 8. Make sure procedures are in place to detect, report and investigate data breaches. 9. Designate a Data Protection Officer to take responsibility for data protection compliance. BACK NEXT
  • 12. 22 IBM can help companies prepare for this regulation. Our products offer data transparency, mask sensitive data, delete old/obsolete data, identify sensitive/toxic data and locate the data that matters, where that data is stored and how it is being used. IBM Information Integration Governance (IIG) provides agile data integration and governance to build confidence in data, including exploration and management of data lineage. IBM Information Lifecycle Governance (ILG) provides insight into unstructured data and also the tools and methodology to syndicate, instrument and enforce policies. IBM Security provides pervasive and intelligent internal and external network defences, incident response and security restrictions. BACK NEXT
  • 13. 24 © Copyright IBM Corporation 2016. All Rights Reserved. IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other product, company or service names may be trademarks or service marks of others.