TL
Uploaded byTim Hyman LLB
2,803 views

The Essential Guide to GDPR

The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to review their data protection practices and ensure they are prepared to comply with GDPR requirements that take effect in May 2018.

Embed presentation

Downloaded 107 times
GDPR The new data protection regulations, the impact on your systems and the solutions that can assist with compliance TheEssentialGuide
Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance. I have therefore put together this guide, The Essential Guide to GDPR and its sister website GDPRwiki.com This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact and particularly those that will need some attention prior to May 29 2018 – deadline for compliance. The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant. Again this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services - as the deadline gets closer I expect more technologies and services to appear and I hope to highlight these in the next edition of this guide. “Having clear laws with safeguards in place is more important than ever giving the growing digital economy” Steve Wood, Deputy Commissioner, ICO This guide focusses on: Brexit Controller or Processor User Rights Privacy by Design Cloud Services Data Protection Officer Consent Impact Assessment
The General Data Protection Regulations are the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly GDPR is designed to better take into account modern technologies, the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance following a widely- held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use. THE 6 GDPR DATA PROTECTION PRINCIPLES: 1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject 2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed 4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay 5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage, using appropriate technical or organisational measures .
There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws there has been significant commentary including a statement from the Information Commissioners Office (ICO) suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies: GDPR Comes Before Brexit The GDPR comes into force 25 May 2018, the earliest Brexit can happen is January 2019 and until then all EU laws apply. Application The GDPR applies to EU citizen’s data regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR for client data where the client is in the EU. Adequate Data Protection For an EU country to trade outside of the EU ‘adequate’ data protection measures must be in place. It is likely that GDPR will be the standard set as ‘adequate’ and the UK would have to introduce an equal replacement if it decided to revert to existing DP regulations. Which would simply be GDPR under a different name. Competing with the EU Data is fast becoming the new oil and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data centric business.
Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and the client they sell to. Much of this data is sensitive either for commercial reasons or because it directly relates to an individual. Various sectors from health to finance to legal all have their own specific governance regulations sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all. There will not be many businesses that do not hold or process personal data but it is important to understand their role and responsibilities as determined by the GDPR. The two significant roles are that of ‘controller’ and ‘processor’. GDPR says… ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; A business will be determined a ‘controller’ for the client, prospect and employee personal data it stores and uses. GDPR says… ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; A cloud service provider or third party data host will in most cases be determined as a ‘processor’. Personal or Sensitive It is import to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations as different levels of protection are required, some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients
Personal Data The definition of personal data has been broadened to include anything that can be directly associated with an individual. GDPR broadly keeps existing definitions but adds digital footprints such as cookies and IP addresses. GDPR says… ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR Sensitive Personal Data The following are the GDPR classifications for sensitive personal data: GDPR says… revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9 (2) is met. These include: 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law 9(2)(e) – Data manifestly made public by the data subject.
In addition to the duty of a firm to protect its information there are a number of enhanced or new data subject rights that they will need to be mindful of as each could demand considerable administration capability particularly if the necessary access and recovery tools are not in place. Data subject access requests (DSARs) will be easier for clients and employees. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are a number of grounds for refusal if the request is manifestly unfounded or excessive. Right to Erasure A new right under GDPR is to have data deleted. There are several reasons this request can be refused such as conflicting regulations and in the public interest but once legitimate reasons for denial are exhausted data must be deleted. Right to Portability Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’. Key Tools Search, Delete, Export Key Solution Providers GDPR Says... The response to a DSAR will include: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject Article 15 of GDPR
Privacy by design is a concept that features consistently throughout the GDPR. In essence. it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes. Security by design and by default The GDPR requires that employers (and other data processors) should be “audit-ready” at all times, meaning that all employer’s systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘privacy by design’ for sensitive data and the onus will be on employers to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this. Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities. Key Design Principles Only necessary data to be processed including:  Amount of data  Extent of processing  Retention period  Access to data Organisational measures There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies. Organisational measures This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities. GDPR Says... Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data- protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. Article 23 of GDPR
Security of Processing GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Key Tools Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control Key Solution Providers GDPR Says... Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. Article 32 of GDPR
GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Cloud Service Provider Checklist □ Technical & Organisational security □ New contract provisions □ Demonstrable GDPR compliance □ Data Processing Records □ Breach Notification □ Delete or return data post contract □ Data Transfer transparency □ Sub-processor permission GDPR Says... Processors Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Under the GDPR, you must appoint a data protection officer (DPO) if you:  are a public authority (except for courts acting in their judicial capacity);  carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or  carry out large scale processing of special categories of data or data relating to criminal convictions and offences. A DPO can be an outsourced role which will pave the way for external agencies to provide this service. DPO Duties The DPO’s minimum tasks  To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.  To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.  To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc). DPO Rights Businesses must ensure that:  The DPO reports to the highest management level of the organisation  The DPO operates independently and is not dismissed or penalised for performing their task.  Adequate resources are provided to enable DPOs to meet their GDPR obligations. Key Solution Providers GDPR Says... 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors. 5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority
The GDPR has references to both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes although in the event of a complaint the required level of consent for sensitive data is expected to be higher. GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:  Ticking a box  Changing technical settings (eg making something public on Facebook)  Signed client enagement letter GDPR is also clear as to what will NOT be acceptable as consent  Silence  pre-ticked boxes  general inactivity Auditable Consent A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given which could impact many marketing systems. Where you already rely on consent that had been previously sought you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR. If you cannot reach this high standard of consent then you must find an alternative legal basis such as or cease or not start the processing in question. GDPR Says... Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Consent Capture This is an emerging area of technology that enables a granular and compliant approach to capturing user consent whilst providing the right processing and privacy notices. In addition, these solutions will ensure that all consent captured is auditable. Key Vendors GDPR Says... Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
A common theme throughout the GDPR is accountability and demonstrating compliance i.e. making it evident to the Data Protection Authority that you are meeting obligations. An important component of accountability and mandatory in certain circumstances is the Impact Assessment. Definition A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins. Scope New to the GDPR all businesses (both controllers and processors) are impacted. Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks. Content An Impact Assessment must contain the following:  a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller  an assessment of the necessity and proportionality of the processing operations in relation to the purposes;  an assessment of the risks to the rights and freedoms of data subjects  the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. GDPR Says... Data protection impact assessment 1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. 2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. 3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.
Dark Data One of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable and therefore not discoverable is also known as ‘dark data’. The most common example found is a PDF file that has not had the content of the document OCR’d leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request. There are a number of software solutions available that will scan your network for ‘dark data’ identify it and convert it to searchable data. Method An Impact Assessment has the following steps:  Review existing or planned data processing activities  Map data flows within the organisation by system and by process  Identify any compliance risks  Determine any mitigation required and develop an action plan  Determine whether their core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale.  If yes to above appoint a DPO. Key Solution Providers
The GDPRREADY Compliance Plan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPRREADY 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance. Step 1 – EDUCATE The EDUCATE phase consists of a combination of interactive workshops and stakeholder interviews, designed to generate a high level of understanding of the impending legislation and any changes to system, policy or process in order to achieve GDPR compliance. GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders GDPR Assessment workshop - A workshop for internal staff responsible for owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers Stakeholder Interviews – one to one discussions with key stakeholders to document departmental processes involving personal data. STEP 2 – DISCOVER The DISCOVER phase uses the Data Protection Impact Assessment (as recommended by the Information Commissioners Office) to discover any risk or exposure the firm may currently have. Impact Assessment – using our GDPRready Data Register and GDPRready Impact assessment templates you will document, data flows, gap analysis, risk assessment and remediation plans. STEP 3 – PLAN GDPR Preparation Plan – document actions needed to prepare for and maintain GDPR compliance. Understand budget required and systems and processes that require modification. STEP 4 – MAINTAIN Prepare for new obligations such as Breach Response and DSAR Processing. Review existing InfoSec policies and procedures to ensure they align with GDPR. EACH PHASE IS SUPLIMENTED BY GDPRREADY TEMPLATED PROCESSES AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW
GDPRREADY COMPLIANCE PLAN – ACTION SUMMARY PHASE 1 – EDUCATE GDPR WORKSHOP IMPACT ASSESSMENT WORKSHOP STAKEHOLDER INTERVIEWS DOC 1 - GUIDE TO GDPR ESSENTIALS DOC 2 - GDPR CHECKLIST PHASE 2 – DISCOVER COMPLETE IMPACT ASSESSMENT DATA MAP COMPLETE IMPACT ASSESSMENT RISK REGISTER PRODUCE IMPACT ASSESSMENT REMEDIATION PLAN DOC 3 - DATA REGISTER DOC 4 - IMPACT ASSESSMENT PHASE 3 – PLAN DOC 5 - GDPR COMPLIANCE PLAN DOC 6 - PRIVACY NOTICE CHECKLIST DOC 7 - USER AWARENESS PROGRAM DOC 8 - CLOUD SERVICE PROVIDER COMPLIANCE CHECKLIST DOC 9 - SUBJECT ACCESS REQUEST PROCEDURE PHASE 4 – MAINTAIN DOC 10 - INFORMATION SECURITY POLICIES DOC 11 - INTERNATIONAL DATA TRANSFER GUIDANCE DOC 12 - CONSENT FORM TEMPLATES DOC 13 - PROCESSING RECORD TEMPLATE DOC 14 - BREACH NOTIFICATION TEMPLATE
SOLUTION PROVIDER GDPR FUNCTION FEATURE DETAIL Data Subject Access Request Data Discovery A comprehensive data discovery and management are essential for GDPR compliance. In order to ensure timely and efficient respond to any Data Subject Access Requests (DSAR), all locations, where personal information is stored, should be easily discovered. contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable. contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation. DocsCorp will be publishing a white paper and hosting a number of GDPR events across Europe. Drop us an email to events@docscorp.com to stay updated and get your free white paper and event invitation. For more information please check the product description below or visit: http://www.docscorp.com/contentcrawler/ Bulk Processing for Document Management contentCrawler is an integrated analysis, processing and reporting framework that intelligently assesses documents in a Document Management System and determines if they require OCR and/or file compression processing. Organisations can bulk process documents in the DMS using either the OCR or Compression modules. Or, they can do both. For example, contentCrawler will convert all image-based documents in the DMS to text-searchable PDFs. The Compression module will then apply compression and down-sampling in order to minimise the file size of the resulting PDF documents. The automated end-to-end process can run 24/7 without any staff intervention, emailing periodic notifications of processing statistics and error
reporting to the IT Administrator. Staff no longer have to worry about OCR or compression as a process or workflow. Key Benefits  Ensure all documents are indexed for searching and are therefore discoverable  Simplify management of image-based documents  Reduce non-compliance risks  Increase efficiency through automation  Leverage existing investment in DMS and search technology  Reduce costs managing OCR and Compression technology Privacy by Design Cyber Security iboss is a cyber security platform that uses cloudtechno logy to extend preventative and predictive multi-layered security to any size or organization, in any place and to any device.The result is a lower risk profile, and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR regulations, and can lower associated fines if data breaches occur. Privacy by Design Data Leakage Protection Iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (WEB, EMAIL, DNS, P2P etc) Privacy by Design Content Management Granular gateway level controls against web access and application usage Right to access Privacy by Design Access Control Document Protection Search iManage Govern Govern critical information at every step of the engagement and beyond iManage Govern lets you manage your engagement files according to each client retention policies, from creation through to disposal all while ensuring your organization meets audit and discovery requirements. Improve governance: by applying retention policies centrally across both electronic and physical client records Integrated document and records management: through seamless operation with iManage Work Boost productivity: and reduce risk by taking records management responsibility off your professionals shoulders Manage information in place: without copying to a separate system
Reduce operating costs: by moving inactive projects to a governed, searchable archive Privacy by Design Secure File Transfer iManage Share A Fast, easy and secure sharing of professional work product Securely exchange work product with your clients, partner firms, and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files. With iManage Share: Share, edit and collaborate on work product from within iManage Work. Share files from your Outlook email: Share files as secure links directly from Outlook. Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo. Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet. Know what is shared and with whom: Monitor who is accessing your files and when. Privacy by Design Right to Access Document Protection Search DSAR response Access Control iManage Work Manage documents, emails and more in a single engagement file Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner. Improve productivity: Suggested email filing keeps you ahead of inbox overload Make better decisions: Document timelines, dashboards and analytics cut through clutter enabling faster, better decisions Find everything: Search across all work product (documents, emails, images) automatically tuned to your work style Be more responsive: Secure mobile access means you can view and edit your work from anywhere
Work smarter: Integrates seamlessly with the applications youre already using to save time Privacy by Design Document Protection Access Control Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control. Several features of Intapp Walls can help address GDPR requirements for “privacy by design,” “privacy by default” and the Accountability principle. Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered in an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches Data Protection Officer Education The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security. The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. They provide
opportunities for peer networking, cross-functional dialogue and a better understanding of common problems and trends including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls. Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference. Intapp Professional Services offers a Risk Consultancy practice that will assess your firm’s approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations Privacy by Design Data Leakage Protection Secure Archive Security Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case. Mimecast solves important archiving challenges by:  Archiving email in the cloud  Responding quickly to litigation requests  Retaining important company files  Archiving Lync IM conversations A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions. Consent Consent Capture Consentric Permissions is a tool for managing citizens’ consent for usage of their data. It is a cloud based product with the citizen at the heart, providing them the capability to grant or deny consent to the usage of their data for specific, clearly defined purposes. Organisations benefit from Permissions through a simple integration with their CRM or other system(s), providing a single source of truth relating to consent. They can configure the data to be used, purpose for, and who will request usage of the citizen’s data at a granular level, enabling citizens to clearly understand what is being asked of them. Where required, organisation users can also access citizens’ records to amend consent on instruction. All changes are subject to a full history log, including detail of how and where consent was obtained. This
provides the citizen transparency and control on how their data is being accessed and used. Privacy by Design Consentric Permissions stores citizens’ data in a secure UK sovereign data centre, with consents to share that data managed by the citizen. Classification of the data is aligned to well-known standard schemas, or, created by new custom schemas, allowing sensitive data to be managed separately and securely by the citizen. Consentric Permissions is a trust platform, giving the citizen transparency, ownership and control of their data, enabling you to build loyal relationships with your customers. This radical approach to storing data transforms your ability to achieve required data protection standards through minimisation of personal and sensitive data being stored in your systems and placing the citizen in control of their data and its usage. By integrating into Consentric Permissions, you benefit from our Privacy by Design features and save costs of implementing in your own systems Privacy by Design Secure Data hosting The complexity and expense of managing underlying infrastructure can be challenging to organisations, as their needs fluctuate. Trustmarques IaaS solutions enables organisations to cost-effectively deploy and run their software, whilst taking full advantage of the benefits cloud computing brings. We design, build, procure and manage IaaS services to help you unlock real business value. By providing specialist technical design, management knowledge and understanding the commercial implications of solution design and change, along with the operational considerations of a Cloud service within a traditional ITIL oriented environment. We provide highly resilient and secure IL2, IL3 and IL4 services for OFFICIAL and OFFICIAL SENSITIVE hosting requirements. These convenient, on-demand and configurable computing resources require minimal management effort. Impact Assessment Compliance Trustmarque provide full lifecycle Impact Assessment consultation. In addition as 27001 experts we can ensure that your GDPR compliance measures alin with your wider InfoSec strategy. Privacy by Design Centralisatio n of sensitive data Enabling new, enhanced user rights is a fundamental part of GDPR compliance. PitchPerfect, with its SharePoint data repository, introduces a single centralised content management system which greatly improves the firms ability to meet these requirements. It provides the tools for end-users to locate and extract the requested data,
while restricting the ability to modify and erase data to the content managers working in the back-end. The common distributed data practice whereby CVs and biographies are in multiple locations including a DMS, Email system and file share make compliance with any of these employee access requests complex, time consuming, costly and potentially impossible With user photos falling into the biometric data category new to the GDPR definition of sensitive personal data, it is compulsory to apply adequate protection. PitchPerfect ensures the right level of user access is applied. Data Protection Officer User Education SkillBuilder eLearning provides new innovative ways to empower employees and end users with accessible tools and technologies; enabling them to stay informed and educated in all things related to legal technology and its constantly changing updates. SkillBuilder eLearning was built on the know-how of an over 12 million-strong backlog of ticket data and over 60,000 knowledge base articles. Our online eLearning tool increases productivity through a multifaceted portal that is branded for the firm. SkillBuilder provides a three-tiered model of service: Self-Service for users, Service Desk support provided by Solution Sender and an LMS. All features include access to our robust library of ever-growing content tailor specifically for Legal. SkillBuilder is a single platform whose affects are felt throughout the organization. Consent Data Transfer Security of Processing Privacy by Design Consent Vuture is a marketing automation platform for professional services that makes it easy to personalise email communications, streamline events and control marketing assets from a single flexible system. Manage consent Vuture provides a quick and easy-to-use solution to manage and automate consent. A seamless CRM integration enables you to manage and timestamp contact opt-ins within your CRM, as well as meet all Data Discovery and Data Access requirements. Unambiguous consent is achieved through a CRM- linked tickbox inserted on your preference forms. Control data transfer Vuture is a private cloud solution – each client has their own instance of the platform hosted at a location of their choice. The platform is built with privacy at its core – data never leaves the chosen location and
rigorous security policies ensure you are always fully compliant with Data Protection standards. Privacy and security sit at the heart of Vuture’s development, and both are assessed, tested and updated on a continuous basis. Privacy by Design Data Leakage Protection “Workshare’s unique data loss prevention technology provides an additional layer of content awareness that includes hidden, sensitive data (metadata). Policies decide what has to be removed for compliance from a document when sent externally via email or via the cloud. This maintains security and compliance mandates to ensure no information is leaked through documents shared outside a company in the form of metadata. Workshare is taking our extensive understanding of metadata, email attachments and secure file sharing to the next level as we develop further to aid companies in the prevention of data loss. Because we have insight into multiple sharing channels and deep understanding of content, including metadata, Workshare can provide companies with visibility via a reporting system. Reports can be oriented around particular senders, receivers, and types of metadata to monitor for leakage or misuse. As the proposition develops, we will encompass words within context in a document or metadata and extend this detection to non-email sharing channels. Once detected, we can educate and empower users to take appropriate corrective action to protect their sensitive content.” We hope you found the first edition of this guide useful. To recommend content or a solution for the second edition or GDPRwiki.com please contact: info@2twenty4consulting.com

More Related Content

PDF
GDPR for Dummies
byCaroline Boscher
 
PPTX
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
byOmo Osagiede
 
PPTX
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
byQualsys Ltd
 
PPTX
The Practical Impact of the General Data Protection Regulation
byGhostery, Inc.
 
PDF
GDPR-Overview
byErica Walker
 
PPTX
The Meaning and Impact of the General Data Protection Regulation
byJake DiMare
 
PPTX
EU GDPR - 12 Steps To Compliance
byTom Haynes
 
PPTX
The GDPR for Techies
byLilian Edwards
 
GDPR for Dummies
byCaroline Boscher
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
byOmo Osagiede
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
byQualsys Ltd
 
The Practical Impact of the General Data Protection Regulation
byGhostery, Inc.
 
GDPR-Overview
byErica Walker
 
The Meaning and Impact of the General Data Protection Regulation
byJake DiMare
 
EU GDPR - 12 Steps To Compliance
byTom Haynes
 
The GDPR for Techies
byLilian Edwards
 

What's hot

PPTX
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
PDF
How IBM Supports Clients around GDPR and Cybersecurity Legislation
byIBM Security
 
PDF
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
PDF
EY General Data Protection Regulation: Are you ready?
byVYTIS MALECKAS
 
PPTX
GDPR Presentation slides
byNaomi Holmes
 
PDF
GDPR for dummies
byBenoît De Nayer
 
PPTX
Teradata's approach to addressing GDPR
byPaul O'Carroll
 
PPT
Building a register of data processing
byTim Gough
 
PPTX
Gdpr action plan - ISSA
byUlf Mattsson
 
PPTX
General Data Protection Regulation
byBCC - Solutions for IBM Collaboration Software
 
PDF
GDPR 11/1/2017
byisc2-hellenic
 
PPTX
Quick Introduction to the EU GDPR by Sami Zahran
byDr. Sami Zahran
 
PPTX
Do You Have a Roadmap for EU GDPR Compliance?
byUlf Mattsson
 
PPTX
EU General Data Protection Regulation - Update 2017
byCliff Ashcroft
 
PPTX
GDPR - Fail to Prepare, Prepare to Fail!
byFintan Swanton
 
PPTX
Findability Day 2016 - What is GDPR?
byFindwise
 
PDF
Modelling the General Data Protection Regulation
bySabrina Kirrane
 
PPTX
Preparing for general data protection regulations (gdpr) within the hous...
byStephanie Vasey
 
PPTX
GDPR security services - Areyou ready ?
byFrederick Penaud
 
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
byIBM Security
 
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
EY General Data Protection Regulation: Are you ready?
byVYTIS MALECKAS
 
GDPR Presentation slides
byNaomi Holmes
 
GDPR for dummies
byBenoît De Nayer
 
Teradata's approach to addressing GDPR
byPaul O'Carroll
 
Building a register of data processing
byTim Gough
 
Gdpr action plan - ISSA
byUlf Mattsson
 
General Data Protection Regulation
byBCC - Solutions for IBM Collaboration Software
 
GDPR 11/1/2017
byisc2-hellenic
 
Quick Introduction to the EU GDPR by Sami Zahran
byDr. Sami Zahran
 
Do You Have a Roadmap for EU GDPR Compliance?
byUlf Mattsson
 
EU General Data Protection Regulation - Update 2017
byCliff Ashcroft
 
GDPR - Fail to Prepare, Prepare to Fail!
byFintan Swanton
 
Findability Day 2016 - What is GDPR?
byFindwise
 
Modelling the General Data Protection Regulation
bySabrina Kirrane
 
Preparing for general data protection regulations (gdpr) within the hous...
byStephanie Vasey
 
GDPR security services - Areyou ready ?
byFrederick Penaud
 

Viewers also liked

PDF
The Essential Guide to GDPR
byTim Hyman LLB
 
PDF
delphix-wp-gdpr-for-data-masking
byJes Breslaw
 
PPTX
DevOps vs GDPR: How to Comply and Stay Agile
byBen Saunders
 
PDF
Preparing for EU GDPR
byIT Governance Ltd
 
PDF
GDPR in a nutshell
byInitio
 
PPTX
BASICS FOR ISO 9001 QMS LEAD AUDITOR COURSE
byNithin V. Joseph
 
PDF
Iso 9001 lead auditor course training irca approved
byIntertek Moody
 
PPTX
GDPRR: The Key Changes
byCraig Clark ITIL, CIS LI,EU GDPR P
 
PDF
delphix-ebook-using-data-effectively-compliance-banking-1
byJes Breslaw
 
PDF
Preparing to the GDPR - the next steps
byExove
 
PPTX
Jump start EU Data Privacy Compliance with Data Classification
byWatchful Software
 
PDF
SureSkills GDPR - Discover the Smart Solution
byGoogle
 
PDF
GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul
byIgor
 
PDF
GDPR and technology - details matter
byExove
 
PPTX
GDPR: A Step-By-Step Guide To Compliance
byMarkLogic
 
PDF
Infographic: EU General Data Protection Regulation (GDPR) Cybersecurity Compl...
byCheapSSLsecurity
 
The Essential Guide to GDPR
byTim Hyman LLB
 
delphix-wp-gdpr-for-data-masking
byJes Breslaw
 
DevOps vs GDPR: How to Comply and Stay Agile
byBen Saunders
 
Preparing for EU GDPR
byIT Governance Ltd
 
GDPR in a nutshell
byInitio
 
BASICS FOR ISO 9001 QMS LEAD AUDITOR COURSE
byNithin V. Joseph
 
Iso 9001 lead auditor course training irca approved
byIntertek Moody
 
GDPRR: The Key Changes
byCraig Clark ITIL, CIS LI,EU GDPR P
 
delphix-ebook-using-data-effectively-compliance-banking-1
byJes Breslaw
 
Preparing to the GDPR - the next steps
byExove
 
Jump start EU Data Privacy Compliance with Data Classification
byWatchful Software
 
SureSkills GDPR - Discover the Smart Solution
byGoogle
 
GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul
byIgor
 
GDPR and technology - details matter
byExove
 
GDPR: A Step-By-Step Guide To Compliance
byMarkLogic
 
Infographic: EU General Data Protection Regulation (GDPR) Cybersecurity Compl...
byCheapSSLsecurity
 

Similar to The Essential Guide to GDPR

PDF
GDPR A Practical Guide with Varonis
byAngad Dayal
 
PPTX
Practical Guide to GDPR 2017
byDryden Geary
 
PPTX
Gdpr presentation
bySudarsan Reddy
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PDF
Gdpr presentation
byIain Wicks MCIPR
 
PDF
GDPR- Get the facts and prepare your business
byMark Baker
 
PDF
Horner Downey & Co Newsletter- GDPR
byJenny Ferguson
 
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
bydan hyde
 
PDF
GDPR - Are you ready?
byVILT
 
PDF
GDPR, what you need to know and how to prepare for it e book
byPlr-Printables
 
PDF
The Countdown to the GDPR Regulations
byElliot Reeman
 
PDF
Guide to-the-general-data-protection-regulation
byN N
 
PDF
[REPORT PREVIEW] GDPR Beyond May 25, 2018
byAltimeter, a Prophet Company
 
PDF
GDPR and Analytics
bybrunomase
 
PDF
What's Next - General Data Protection Regulation (GDPR) Changes
byOgilvy Consulting
 
PDF
GDPR Whitepaper
byRichard Goddard
 
PPT
GDPR webinar presentation | LawBite
byClive Rich
 
PPTX
Getting to grips with General Data Protection Regulation (GDPR)
byZoodikers
 
PDF
Public sector breakfast club - October 2017, Exeter
byBrowne Jacobson LLP
 
PDF
Engage 2018: GDPR Three Days To Go
bypanagenda
 
GDPR A Practical Guide with Varonis
byAngad Dayal
 
Practical Guide to GDPR 2017
byDryden Geary
 
Gdpr presentation
bySudarsan Reddy
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
Gdpr presentation
byIain Wicks MCIPR
 
GDPR- Get the facts and prepare your business
byMark Baker
 
Horner Downey & Co Newsletter- GDPR
byJenny Ferguson
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
bydan hyde
 
GDPR - Are you ready?
byVILT
 
GDPR, what you need to know and how to prepare for it e book
byPlr-Printables
 
The Countdown to the GDPR Regulations
byElliot Reeman
 
Guide to-the-general-data-protection-regulation
byN N
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
byAltimeter, a Prophet Company
 
GDPR and Analytics
bybrunomase
 
What's Next - General Data Protection Regulation (GDPR) Changes
byOgilvy Consulting
 
GDPR Whitepaper
byRichard Goddard
 
GDPR webinar presentation | LawBite
byClive Rich
 
Getting to grips with General Data Protection Regulation (GDPR)
byZoodikers
 
Public sector breakfast club - October 2017, Exeter
byBrowne Jacobson LLP
 
Engage 2018: GDPR Three Days To Go
bypanagenda
 

Recently uploaded

PDF
_5 Trusted Strategies to Buy Verified Wise Accounts Safely & Legally.pdf
byBuy Verified Wise Accounts
 
PDF
03 Trusted Websites for Buying Verified PayPal Accounts in to USA.pdf
bysyt149817
 
PDF
17 Sites for Buying Verified Wise Accounts in the US .pdf
byPVAisBack Developer Digital Marketing
 
PDF
EQX Annual Toronto Investor Reception.pdf
byEquinox Gold Corp.
 
DOCX
Buy Verified Wise Account_ Top 11 Guide in the USA.docx
bypvaisback is a Digital Accounting
 
PPTX
Keynote: The Modern CMO: Architect of Growth. Guardian of Credibility.
byArmis Inc
 
PDF
Transforming Ideas into Impact – The DIVARUM Success Story.pdf
byinsightssuccess2
 
PDF
Kirill Klip GEM Royalty TNR Gold Lithium Presentation
byKirill Klip
 
PDF
geopolitical-risk-dashboard-december-2025.pdf
byHenry Tapper
 
PDF
WRN_Investor_Presentation_January 2026.pdf
bycmagee4
 
PDF
Instructions Kentucky Taxes
bySmiling Lungs
 
PDF
Sohar International Bank's Digital Transformation Journey
byFrank Schwab
 
PDF
A Comprehensive Guide to Buying a Naver Account
byzonezia548
 
PDF
Designing Business Model for Deep Tech Startups
byJegajith PT
 
DOCX
Best Place to Buy Facebook Account Verified Social Media Accounts.docx
bypvaisback is a Digital Accounting
 
DOCX
Reliable Places to Buying Old Gmail Accounts .docx
byhttps://propvaservice.com/product/buy-old-gmail-accounts/
 
PPTX
Maharashtra Industries Policy 2025: Incentives, Subsidies & Investment Benefits
byFinraja Consultancy
 
PDF
How Much Does a Custom Website Design Cost .pdf
byDesign Studio UI/UX
 
PDF
Chris Elwell Woburn - An Experienced IT Executive
byChris Elwell Woburn
 
PPTX
xxxxccccc fhjfg gf gh fghj fg fg ghf g fg
byprajwaljme23
 
_5 Trusted Strategies to Buy Verified Wise Accounts Safely & Legally.pdf
byBuy Verified Wise Accounts
 
03 Trusted Websites for Buying Verified PayPal Accounts in to USA.pdf
bysyt149817
 
17 Sites for Buying Verified Wise Accounts in the US .pdf
byPVAisBack Developer Digital Marketing
 
EQX Annual Toronto Investor Reception.pdf
byEquinox Gold Corp.
 
Buy Verified Wise Account_ Top 11 Guide in the USA.docx
bypvaisback is a Digital Accounting
 
Keynote: The Modern CMO: Architect of Growth. Guardian of Credibility.
byArmis Inc
 
Transforming Ideas into Impact – The DIVARUM Success Story.pdf
byinsightssuccess2
 
Kirill Klip GEM Royalty TNR Gold Lithium Presentation
byKirill Klip
 
geopolitical-risk-dashboard-december-2025.pdf
byHenry Tapper
 
WRN_Investor_Presentation_January 2026.pdf
bycmagee4
 
Instructions Kentucky Taxes
bySmiling Lungs
 
Sohar International Bank's Digital Transformation Journey
byFrank Schwab
 
A Comprehensive Guide to Buying a Naver Account
byzonezia548
 
Designing Business Model for Deep Tech Startups
byJegajith PT
 
Best Place to Buy Facebook Account Verified Social Media Accounts.docx
bypvaisback is a Digital Accounting
 
Reliable Places to Buying Old Gmail Accounts .docx
byhttps://propvaservice.com/product/buy-old-gmail-accounts/
 
Maharashtra Industries Policy 2025: Incentives, Subsidies & Investment Benefits
byFinraja Consultancy
 
How Much Does a Custom Website Design Cost .pdf
byDesign Studio UI/UX
 
Chris Elwell Woburn - An Experienced IT Executive
byChris Elwell Woburn
 
xxxxccccc fhjfg gf gh fghj fg fg ghf g fg
byprajwaljme23
 

The Essential Guide to GDPR

  • 1.
    GDPR The new dataprotection regulations, the impact on your systems and the solutions that can assist with compliance TheEssentialGuide
  • 2.
    Following recent presentationson the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance. I have therefore put together this guide, The Essential Guide to GDPR and its sister website GDPRwiki.com This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact and particularly those that will need some attention prior to May 29 2018 – deadline for compliance. The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant. Again this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services - as the deadline gets closer I expect more technologies and services to appear and I hope to highlight these in the next edition of this guide. “Having clear laws with safeguards in place is more important than ever giving the growing digital economy” Steve Wood, Deputy Commissioner, ICO This guide focusses on: Brexit Controller or Processor User Rights Privacy by Design Cloud Services Data Protection Officer Consent Impact Assessment
  • 3.
    The General DataProtection Regulations are the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly GDPR is designed to better take into account modern technologies, the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance following a widely- held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use. THE 6 GDPR DATA PROTECTION PRINCIPLES: 1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject 2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed 4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay 5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage, using appropriate technical or organisational measures .
  • 4.
    There was somespeculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws there has been significant commentary including a statement from the Information Commissioners Office (ICO) suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies: GDPR Comes Before Brexit The GDPR comes into force 25 May 2018, the earliest Brexit can happen is January 2019 and until then all EU laws apply. Application The GDPR applies to EU citizen’s data regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR for client data where the client is in the EU. Adequate Data Protection For an EU country to trade outside of the EU ‘adequate’ data protection measures must be in place. It is likely that GDPR will be the standard set as ‘adequate’ and the UK would have to introduce an equal replacement if it decided to revert to existing DP regulations. Which would simply be GDPR under a different name. Competing with the EU Data is fast becoming the new oil and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data centric business.
  • 5.
    Many businesses aresignificant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and the client they sell to. Much of this data is sensitive either for commercial reasons or because it directly relates to an individual. Various sectors from health to finance to legal all have their own specific governance regulations sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all. There will not be many businesses that do not hold or process personal data but it is important to understand their role and responsibilities as determined by the GDPR. The two significant roles are that of ‘controller’ and ‘processor’. GDPR says… ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; A business will be determined a ‘controller’ for the client, prospect and employee personal data it stores and uses. GDPR says… ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; A cloud service provider or third party data host will in most cases be determined as a ‘processor’. Personal or Sensitive It is import to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations as different levels of protection are required, some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients
  • 6.
    Personal Data The definitionof personal data has been broadened to include anything that can be directly associated with an individual. GDPR broadly keeps existing definitions but adds digital footprints such as cookies and IP addresses. GDPR says… ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR Sensitive Personal Data The following are the GDPR classifications for sensitive personal data: GDPR says… revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9 (2) is met. These include: 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law 9(2)(e) – Data manifestly made public by the data subject.
  • 7.
    In addition to theduty of a firm to protect its information there are a number of enhanced or new data subject rights that they will need to be mindful of as each could demand considerable administration capability particularly if the necessary access and recovery tools are not in place. Data subject access requests (DSARs) will be easier for clients and employees. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are a number of grounds for refusal if the request is manifestly unfounded or excessive. Right to Erasure A new right under GDPR is to have data deleted. There are several reasons this request can be refused such as conflicting regulations and in the public interest but once legitimate reasons for denial are exhausted data must be deleted. Right to Portability Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’. Key Tools Search, Delete, Export Key Solution Providers GDPR Says... The response to a DSAR will include: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject Article 15 of GDPR
  • 8.
    Privacy by design isa concept that features consistently throughout the GDPR. In essence. it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes. Security by design and by default The GDPR requires that employers (and other data processors) should be “audit-ready” at all times, meaning that all employer’s systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘privacy by design’ for sensitive data and the onus will be on employers to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this. Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities. Key Design Principles Only necessary data to be processed including:  Amount of data  Extent of processing  Retention period  Access to data Organisational measures There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies. Organisational measures This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities. GDPR Says... Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data- protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. Article 23 of GDPR
  • 9.
    Security of Processing GDPRrequires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Key Tools Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control Key Solution Providers GDPR Says... Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. Article 32 of GDPR
  • 10.
    GDPR requires that the controllershall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Cloud Service Provider Checklist □ Technical & Organisational security □ New contract provisions □ Demonstrable GDPR compliance □ Data Processing Records □ Breach Notification □ Delete or return data post contract □ Data Transfer transparency □ Sub-processor permission GDPR Says... Processors Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  • 11.
    Under the GDPR, you must appointa data protection officer (DPO) if you:  are a public authority (except for courts acting in their judicial capacity);  carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or  carry out large scale processing of special categories of data or data relating to criminal convictions and offences. A DPO can be an outsourced role which will pave the way for external agencies to provide this service. DPO Duties The DPO’s minimum tasks  To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.  To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.  To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc). DPO Rights Businesses must ensure that:  The DPO reports to the highest management level of the organisation  The DPO operates independently and is not dismissed or penalised for performing their task.  Adequate resources are provided to enable DPOs to meet their GDPR obligations. Key Solution Providers GDPR Says... 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors. 5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority
  • 12.
    The GDPR has referencesto both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes although in the event of a complaint the required level of consent for sensitive data is expected to be higher. GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:  Ticking a box  Changing technical settings (eg making something public on Facebook)  Signed client enagement letter GDPR is also clear as to what will NOT be acceptable as consent  Silence  pre-ticked boxes  general inactivity Auditable Consent A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given which could impact many marketing systems. Where you already rely on consent that had been previously sought you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR. If you cannot reach this high standard of consent then you must find an alternative legal basis such as or cease or not start the processing in question. GDPR Says... Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
  • 13.
    Consent Capture This isan emerging area of technology that enables a granular and compliant approach to capturing user consent whilst providing the right processing and privacy notices. In addition, these solutions will ensure that all consent captured is auditable. Key Vendors GDPR Says... Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
  • 14.
    A common theme throughoutthe GDPR is accountability and demonstrating compliance i.e. making it evident to the Data Protection Authority that you are meeting obligations. An important component of accountability and mandatory in certain circumstances is the Impact Assessment. Definition A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins. Scope New to the GDPR all businesses (both controllers and processors) are impacted. Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks. Content An Impact Assessment must contain the following:  a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller  an assessment of the necessity and proportionality of the processing operations in relation to the purposes;  an assessment of the risks to the rights and freedoms of data subjects  the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. GDPR Says... Data protection impact assessment 1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. 2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. 3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.
  • 15.
    Dark Data One ofthe challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable and therefore not discoverable is also known as ‘dark data’. The most common example found is a PDF file that has not had the content of the document OCR’d leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request. There are a number of software solutions available that will scan your network for ‘dark data’ identify it and convert it to searchable data. Method An Impact Assessment has the following steps:  Review existing or planned data processing activities  Map data flows within the organisation by system and by process  Identify any compliance risks  Determine any mitigation required and develop an action plan  Determine whether their core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale.  If yes to above appoint a DPO. Key Solution Providers
  • 16.
    The GDPRREADY CompliancePlan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPRREADY 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance. Step 1 – EDUCATE The EDUCATE phase consists of a combination of interactive workshops and stakeholder interviews, designed to generate a high level of understanding of the impending legislation and any changes to system, policy or process in order to achieve GDPR compliance. GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders GDPR Assessment workshop - A workshop for internal staff responsible for owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers Stakeholder Interviews – one to one discussions with key stakeholders to document departmental processes involving personal data. STEP 2 – DISCOVER The DISCOVER phase uses the Data Protection Impact Assessment (as recommended by the Information Commissioners Office) to discover any risk or exposure the firm may currently have. Impact Assessment – using our GDPRready Data Register and GDPRready Impact assessment templates you will document, data flows, gap analysis, risk assessment and remediation plans. STEP 3 – PLAN GDPR Preparation Plan – document actions needed to prepare for and maintain GDPR compliance. Understand budget required and systems and processes that require modification. STEP 4 – MAINTAIN Prepare for new obligations such as Breach Response and DSAR Processing. Review existing InfoSec policies and procedures to ensure they align with GDPR. EACH PHASE IS SUPLIMENTED BY GDPRREADY TEMPLATED PROCESSES AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW
  • 17.
    GDPRREADY COMPLIANCE PLAN– ACTION SUMMARY PHASE 1 – EDUCATE GDPR WORKSHOP IMPACT ASSESSMENT WORKSHOP STAKEHOLDER INTERVIEWS DOC 1 - GUIDE TO GDPR ESSENTIALS DOC 2 - GDPR CHECKLIST PHASE 2 – DISCOVER COMPLETE IMPACT ASSESSMENT DATA MAP COMPLETE IMPACT ASSESSMENT RISK REGISTER PRODUCE IMPACT ASSESSMENT REMEDIATION PLAN DOC 3 - DATA REGISTER DOC 4 - IMPACT ASSESSMENT PHASE 3 – PLAN DOC 5 - GDPR COMPLIANCE PLAN DOC 6 - PRIVACY NOTICE CHECKLIST DOC 7 - USER AWARENESS PROGRAM DOC 8 - CLOUD SERVICE PROVIDER COMPLIANCE CHECKLIST DOC 9 - SUBJECT ACCESS REQUEST PROCEDURE PHASE 4 – MAINTAIN DOC 10 - INFORMATION SECURITY POLICIES DOC 11 - INTERNATIONAL DATA TRANSFER GUIDANCE DOC 12 - CONSENT FORM TEMPLATES DOC 13 - PROCESSING RECORD TEMPLATE DOC 14 - BREACH NOTIFICATION TEMPLATE
  • 18.
    SOLUTION PROVIDER GDPR FUNCTION FEATURE DETAIL Data Subject Access Request Data Discovery A comprehensivedata discovery and management are essential for GDPR compliance. In order to ensure timely and efficient respond to any Data Subject Access Requests (DSAR), all locations, where personal information is stored, should be easily discovered. contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable. contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation. DocsCorp will be publishing a white paper and hosting a number of GDPR events across Europe. Drop us an email to events@docscorp.com to stay updated and get your free white paper and event invitation. For more information please check the product description below or visit: http://www.docscorp.com/contentcrawler/ Bulk Processing for Document Management contentCrawler is an integrated analysis, processing and reporting framework that intelligently assesses documents in a Document Management System and determines if they require OCR and/or file compression processing. Organisations can bulk process documents in the DMS using either the OCR or Compression modules. Or, they can do both. For example, contentCrawler will convert all image-based documents in the DMS to text-searchable PDFs. The Compression module will then apply compression and down-sampling in order to minimise the file size of the resulting PDF documents. The automated end-to-end process can run 24/7 without any staff intervention, emailing periodic notifications of processing statistics and error
  • 19.
    reporting to theIT Administrator. Staff no longer have to worry about OCR or compression as a process or workflow. Key Benefits  Ensure all documents are indexed for searching and are therefore discoverable  Simplify management of image-based documents  Reduce non-compliance risks  Increase efficiency through automation  Leverage existing investment in DMS and search technology  Reduce costs managing OCR and Compression technology Privacy by Design Cyber Security iboss is a cyber security platform that uses cloudtechno logy to extend preventative and predictive multi-layered security to any size or organization, in any place and to any device.The result is a lower risk profile, and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR regulations, and can lower associated fines if data breaches occur. Privacy by Design Data Leakage Protection Iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (WEB, EMAIL, DNS, P2P etc) Privacy by Design Content Management Granular gateway level controls against web access and application usage Right to access Privacy by Design Access Control Document Protection Search iManage Govern Govern critical information at every step of the engagement and beyond iManage Govern lets you manage your engagement files according to each client retention policies, from creation through to disposal all while ensuring your organization meets audit and discovery requirements. Improve governance: by applying retention policies centrally across both electronic and physical client records Integrated document and records management: through seamless operation with iManage Work Boost productivity: and reduce risk by taking records management responsibility off your professionals shoulders Manage information in place: without copying to a separate system
  • 20.
    Reduce operating costs:by moving inactive projects to a governed, searchable archive Privacy by Design Secure File Transfer iManage Share A Fast, easy and secure sharing of professional work product Securely exchange work product with your clients, partner firms, and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files. With iManage Share: Share, edit and collaborate on work product from within iManage Work. Share files from your Outlook email: Share files as secure links directly from Outlook. Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo. Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet. Know what is shared and with whom: Monitor who is accessing your files and when. Privacy by Design Right to Access Document Protection Search DSAR response Access Control iManage Work Manage documents, emails and more in a single engagement file Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner. Improve productivity: Suggested email filing keeps you ahead of inbox overload Make better decisions: Document timelines, dashboards and analytics cut through clutter enabling faster, better decisions Find everything: Search across all work product (documents, emails, images) automatically tuned to your work style Be more responsive: Secure mobile access means you can view and edit your work from anywhere
  • 21.
    Work smarter: Integratesseamlessly with the applications youre already using to save time Privacy by Design Document Protection Access Control Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control. Several features of Intapp Walls can help address GDPR requirements for “privacy by design,” “privacy by default” and the Accountability principle. Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered in an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches Data Protection Officer Education The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security. The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. They provide
  • 22.
    opportunities for peernetworking, cross-functional dialogue and a better understanding of common problems and trends including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls. Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference. Intapp Professional Services offers a Risk Consultancy practice that will assess your firm’s approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations Privacy by Design Data Leakage Protection Secure Archive Security Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case. Mimecast solves important archiving challenges by:  Archiving email in the cloud  Responding quickly to litigation requests  Retaining important company files  Archiving Lync IM conversations A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions. Consent Consent Capture Consentric Permissions is a tool for managing citizens’ consent for usage of their data. It is a cloud based product with the citizen at the heart, providing them the capability to grant or deny consent to the usage of their data for specific, clearly defined purposes. Organisations benefit from Permissions through a simple integration with their CRM or other system(s), providing a single source of truth relating to consent. They can configure the data to be used, purpose for, and who will request usage of the citizen’s data at a granular level, enabling citizens to clearly understand what is being asked of them. Where required, organisation users can also access citizens’ records to amend consent on instruction. All changes are subject to a full history log, including detail of how and where consent was obtained. This
  • 23.
    provides the citizentransparency and control on how their data is being accessed and used. Privacy by Design Consentric Permissions stores citizens’ data in a secure UK sovereign data centre, with consents to share that data managed by the citizen. Classification of the data is aligned to well-known standard schemas, or, created by new custom schemas, allowing sensitive data to be managed separately and securely by the citizen. Consentric Permissions is a trust platform, giving the citizen transparency, ownership and control of their data, enabling you to build loyal relationships with your customers. This radical approach to storing data transforms your ability to achieve required data protection standards through minimisation of personal and sensitive data being stored in your systems and placing the citizen in control of their data and its usage. By integrating into Consentric Permissions, you benefit from our Privacy by Design features and save costs of implementing in your own systems Privacy by Design Secure Data hosting The complexity and expense of managing underlying infrastructure can be challenging to organisations, as their needs fluctuate. Trustmarques IaaS solutions enables organisations to cost-effectively deploy and run their software, whilst taking full advantage of the benefits cloud computing brings. We design, build, procure and manage IaaS services to help you unlock real business value. By providing specialist technical design, management knowledge and understanding the commercial implications of solution design and change, along with the operational considerations of a Cloud service within a traditional ITIL oriented environment. We provide highly resilient and secure IL2, IL3 and IL4 services for OFFICIAL and OFFICIAL SENSITIVE hosting requirements. These convenient, on-demand and configurable computing resources require minimal management effort. Impact Assessment Compliance Trustmarque provide full lifecycle Impact Assessment consultation. In addition as 27001 experts we can ensure that your GDPR compliance measures alin with your wider InfoSec strategy. Privacy by Design Centralisatio n of sensitive data Enabling new, enhanced user rights is a fundamental part of GDPR compliance. PitchPerfect, with its SharePoint data repository, introduces a single centralised content management system which greatly improves the firms ability to meet these requirements. It provides the tools for end-users to locate and extract the requested data,
  • 24.
    while restricting theability to modify and erase data to the content managers working in the back-end. The common distributed data practice whereby CVs and biographies are in multiple locations including a DMS, Email system and file share make compliance with any of these employee access requests complex, time consuming, costly and potentially impossible With user photos falling into the biometric data category new to the GDPR definition of sensitive personal data, it is compulsory to apply adequate protection. PitchPerfect ensures the right level of user access is applied. Data Protection Officer User Education SkillBuilder eLearning provides new innovative ways to empower employees and end users with accessible tools and technologies; enabling them to stay informed and educated in all things related to legal technology and its constantly changing updates. SkillBuilder eLearning was built on the know-how of an over 12 million-strong backlog of ticket data and over 60,000 knowledge base articles. Our online eLearning tool increases productivity through a multifaceted portal that is branded for the firm. SkillBuilder provides a three-tiered model of service: Self-Service for users, Service Desk support provided by Solution Sender and an LMS. All features include access to our robust library of ever-growing content tailor specifically for Legal. SkillBuilder is a single platform whose affects are felt throughout the organization. Consent Data Transfer Security of Processing Privacy by Design Consent Vuture is a marketing automation platform for professional services that makes it easy to personalise email communications, streamline events and control marketing assets from a single flexible system. Manage consent Vuture provides a quick and easy-to-use solution to manage and automate consent. A seamless CRM integration enables you to manage and timestamp contact opt-ins within your CRM, as well as meet all Data Discovery and Data Access requirements. Unambiguous consent is achieved through a CRM- linked tickbox inserted on your preference forms. Control data transfer Vuture is a private cloud solution – each client has their own instance of the platform hosted at a location of their choice. The platform is built with privacy at its core – data never leaves the chosen location and
  • 25.
    rigorous security policiesensure you are always fully compliant with Data Protection standards. Privacy and security sit at the heart of Vuture’s development, and both are assessed, tested and updated on a continuous basis. Privacy by Design Data Leakage Protection “Workshare’s unique data loss prevention technology provides an additional layer of content awareness that includes hidden, sensitive data (metadata). Policies decide what has to be removed for compliance from a document when sent externally via email or via the cloud. This maintains security and compliance mandates to ensure no information is leaked through documents shared outside a company in the form of metadata. Workshare is taking our extensive understanding of metadata, email attachments and secure file sharing to the next level as we develop further to aid companies in the prevention of data loss. Because we have insight into multiple sharing channels and deep understanding of content, including metadata, Workshare can provide companies with visibility via a reporting system. Reports can be oriented around particular senders, receivers, and types of metadata to monitor for leakage or misuse. As the proposition develops, we will encompass words within context in a document or metadata and extend this detection to non-email sharing channels. Once detected, we can educate and empower users to take appropriate corrective action to protect their sensitive content.” We hope you found the first edition of this guide useful. To recommend content or a solution for the second edition or GDPRwiki.com please contact: info@2twenty4consulting.com