Sarah Backhouse, Product Manager for Jadu Continuum CMS, presented an easy-to-follow guide to GDPR at Jadu Academy in Scotland in November 2017. The guide covers the key areas in which website owners, website managers and digital service managers can manage compliance with GDPR.
2. GDPR imposes new rules on organisations that offer goods and services to people in the EU, or that collect and analyse data connected to EU citizens, no matter where they are located.
25th May 2018
General Data Protection Regulation
✓ Enhanced personal privacy rights
✓ Increased duty for protecting data
✓ Mandatory breach reporting
✓ Significant penalties for non-compliance
3. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Key changes in GDPR
Controls
• Protect personal data using appropriate security practices
• Notify authorities within 72 hours of breaches
• Receive consent before processing personal data
• Keep records detailing data processing
Transparent policies
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT & Training
• Train privacy personnel & employees
• Audit & update data policies
• Employ a Data Protection Officer
• Create & manage processor/vendor contracts
Processor obligations
4. Strategy for getting started
Discover: Identify what personal data you have and where it resides
Manage: Govern how personal data is used and accessed
Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
Report: Keep required documentation, manage data requests and breach notifications
6. What information do you hold?
Any identifying data
Name
Email address
Social media posts
Physical, physiological, or genetic information
Medical information
Location
Bank details
IP address
Cookies
Cultural identity
7. Where does the information reside?
All places that store personal data
Emails
Documents
Databases
Removable media
Metadata
Log files
Backups
8. Discover
Data you collect
User accounts
Online forms
3rd Party integrations
Social media
Analytics
Advertisements
Data you share
Data exports
Back office integrations
Data shared with 3rd parties
This information should be stored for future reference in an inventory of personal data held, and referenced in your privacy policy.
10. How do you manage this information?
Your policies and procedures need to cover:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision making and profiling
11. How would you…?
• Process a request to delete someone’s personal data?
• Provide data where the right to data portability is invoked?
• Manage a correction to data that you hold?
• Allow access to personal data?
• Record consent for data to be processed?
• Verify the age of individuals to account for special protection for children?
12. Consent
• prominent
• not in terms and conditions
• not using pre-ticked boxes
• clear, plain language
• specify why you want the data
• specify what you’re going to do with it
• granular options to consent to independent processing
• named organisations
• tell individuals they can withdraw their consent
• ensure they can refuse consent without detriment
13. Privacy notice
• Contact details of the controller and data protection officer
• Purpose and your lawful basis for processing the data
• Who data is shared with and transfers to other countries
• Data retention times
• Rights of the data subject
• That individuals have the right to complain and withdraw consent
• Consequences of failing to provide the personal data
• Easy to understand, clear language
15. Security of data
• Are you auditing who has access to personal data?
• Are you testing your security regularly?
• Are you prepared for Data Protection Impact Assessments when procuring new technology?
16. Encryption
• Do you know what data you hold in an encrypted form?
• Do you know what encryption algorithm is in use?
• Do you know if there is any data being held that should be encrypted and isn’t?
Continuum:
• form responses: AES algorithm
• user details: Triple DES algorithm
• passwords: BCrypt password hashing function
17. Data breaches
• can you detect a breach?
• can you report a breach? notify DPA and customers
• do you have the procedures in place to investigate a breach?
Consider:
• network security
• storage security
• compute security
• identity management
• access control
• encryption
• risk mitigation
19. Record keeping
You will need to record:
• Register of personal data held and where
• Classification of data
• 3rd parties with access to the data
• Purpose of processing the data
• Security measures you have in place to protect the data
• Data retention times
You may need to make these records available to the supervisory authority
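A worked example, added here and not code from the presentation or from Jadu Continuum, of the register of personal data that slides 8, 16 and 19 call for, with automated checks that answer the slide 16 questions (is anything held that should be encrypted and isn't, which algorithm is in use) and flag entries whose retention period has been exceeded. The entry fields, the sample register contents and the policy rules are assumptions made for this example: AES is accepted for data at rest, Triple DES is flagged for migration because NIST has deprecated it, and BCrypt is accepted only for passwords, since a one-way hash is wrong for data that must remain readable.

```python
"""Register of personal data held, with automated compliance checks.

Added example, not code from the Jadu presentation or Continuum CMS.
Field names, policy rules and sample entries are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Policy assumptions for data at rest (not taken from the presentation):
# AES is acceptable; Triple DES is flagged for migration because NIST has
# deprecated it; bcrypt is a one-way hash, so it is right for passwords only.
STRONG_ENCRYPTION = {"AES"}
LEGACY_ENCRYPTION = {"Triple DES"}
PASSWORD_HASHES = {"BCrypt"}
# Classifications the policy requires to be encrypted wherever they reside.
SENSITIVE_CLASSES = {"medical", "genetic", "bank details"}


@dataclass
class RegisterEntry:
    """One line of the register (slide 19): what, where, why, who, how long."""
    name: str
    classification: str          # e.g. "identifier", "medical", "bank details"
    location: str                # database, log files, backups, ...
    purpose: str                 # purpose of processing; blank means unknown
    third_parties: Tuple[str, ...]
    protection: Optional[str]    # algorithm name, or None if held in clear
    retention_days: int
    oldest_item: date            # date of the oldest item still held


def check_entry(entry: RegisterEntry, today: date) -> List[str]:
    """Return the findings for one entry; an empty list means no issues."""
    findings: List[str] = []
    if not entry.purpose.strip():
        findings.append("no processing purpose recorded")

    if entry.classification == "password":
        # Passwords must use a password hashing function, never reversible
        # encryption (slide 16 lists BCrypt for this).
        if entry.protection not in PASSWORD_HASHES:
            held = entry.protection or "no protection"
            findings.append(f"passwords held with {held}; use a password hash")
    elif entry.protection is None:
        if entry.classification in SENSITIVE_CLASSES:
            findings.append(f"sensitive data held unencrypted in {entry.location}")
    elif entry.protection in LEGACY_ENCRYPTION:
        findings.append(f"{entry.protection} is a legacy algorithm; plan migration")
    elif entry.protection in PASSWORD_HASHES:
        findings.append("one-way hash recorded for data that must stay readable")
    elif entry.protection not in STRONG_ENCRYPTION:
        findings.append(f"unrecognised algorithm '{entry.protection}'; verify it")

    if today - entry.oldest_item > timedelta(days=entry.retention_days):
        findings.append(
            f"oldest item exceeds retention of {entry.retention_days} days; "
            "deletion policy not applied")
    return findings


def audit_register(register: List[RegisterEntry], today: date) -> Dict[str, List[str]]:
    """Run check_entry over the whole register, keyed by entry name."""
    return {entry.name: check_entry(entry, today) for entry in register}


# Constructed sample register for the example; not real Jadu or customer data.
SAMPLE_REGISTER = [
    RegisterEntry("form responses", "identifier", "database", "service requests",
                  ("print supplier",), "AES", 365, date(2018, 1, 10)),
    RegisterEntry("user details", "identifier", "database", "account management",
                  (), "Triple DES", 1095, date(2016, 3, 1)),
    RegisterEntry("user passwords", "password", "database", "authentication",
                  (), "BCrypt", 1095, date(2016, 3, 1)),
    RegisterEntry("payment details", "bank details", "backups", "refunds",
                  ("payment processor",), None, 90, date(2017, 11, 20)),
    RegisterEntry("web server logs", "ip address", "log files", "",
                  (), None, 30, date(2018, 3, 1)),
]

if __name__ == "__main__":
    # Audit as of the GDPR application date given on slide 2.
    for name, findings in audit_register(SAMPLE_REGISTER, date(2018, 5, 25)).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:16s} {status}")
```

Run as a script it prints one line per register entry. In the constructed sample, "form responses" and "user passwords" pass, "user details" is flagged for its Triple DES algorithm, "payment details" is flagged as unencrypted bank details held past their 90-day retention, and "web server logs" has no recorded purpose and has also outlived its retention period. The same register, kept current, is what a supervisory authority would expect to see under slide 19.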
20. Summary
• GDPR is coming May 2018
• GDPR includes increased rights for individuals and increased responsibilities for record keeping
• Review areas of your website where you’re collecting data to ensure compliance, such as your privacy notice and where you ask for consent to process data
• Check that you have security activities in place so that you can demonstrate compliance
• Set up processes to handle new rights