02 May

GDPR (General Data Protection Regulation)
By:   Dave Newland

EU General Data Protection Regulation (GDPR) 

“Getting Ready For GDPR”

GDPR is focused on how personal data is managed. It introduces more specific and prescriptive data protection compliance challenges for organisations in all industry sectors. The regulation replaces the Directive 95/46/EC, which was the basis of European data protection law introduced in 1995.

The introduction of new rights for individuals, right to be forgotten and the right to portability, as well as the introduction of mandatory breach notification, will increase the regulatory burden for most organisations.

Businesses are acting now and reviewing their current data protection compliance programmes. Its important they determine next steps and mobilise immediately to make sure they are prepared before 2018 to address the changes coming into force. (The new Regulation officially comes into force on 25th May 2018).

Key changes proposed by the EU GDPR

  • Fines of up to 4% of annual worldwide turnover – Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000
  • Expanded scope – Applies to data controllers and processors established in the EU and organisations that target EU citizens
  • Data Protection Officers (DPOs) – DPOs must be appointed if an organisation conducts large scale systematic monitoring or processes large amounts of sensitive personal data
  • Accountability – Organisations must prove they are accountable by:
    • Establishing a culture of monitoring, reviewing and assessing data processing procedures
    • Minimising data processing and retention of data
    • Building in safeguards to data processing activities
    • Documenting data processing policies, procedures and operations that must be made available to protection supervisory authorities on request
  • Privacy Impact Assessments – Organisations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data

Consent 

  • Consumer consent to process data must be freely given and for specific purposes
  • Customers must be informed of their right to withdraw their consent
  • Consent must be ‘explicit’ in the case of sensitive personal data or transborder data-flow

Mandatory breach notification – 

  • Organisations must notify supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals
  • If there is a high risk to individuals, those individuals must also be informed

New rights – 

  • The right to be forgotten – the right to ask data controllers to erase all personal data without undue delay in certain circumstances
  • The right to data portability – where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible
  • The right to object to profiling – the right not to be subject to a decision based solely on automated processing

Privacy by design – 

  • Organisations should design data protection into the development of business processes and new systems
  • Privacy settings are set at a high level by default

Obligations on processors – New obligations on data processors – processors become an officially regulated entity

 

How APS can help you with GDPR

  • GDPR Assessment – “Discovery Phase” on clients “as is state” and  “desired end state” to meet the specific requirements of GDPR
    • Covering – detailed assessment of data protection (ensuring ability to provide evidence of compliance) maturity, data processing/mapping, compliance requirements, risk assessments, data monitoring (employee/personal data)
    • Recommendations/Strategy/ Data protection framework and roadmap for remediation, timelines, GDPR plan, process-specific risks, data mapping
  • Privacy Impact Assessment
    • Assessment of systems and/or projects identifying key data protection risks. Focused on Mandatory breach notification – (ensuring ability to notify a data protection supervisory authority of a data breach within 72 hours)
  • Data Inventory “Know your personal data”
    • Personal Information flow documentation – (where it is, where is transferred from / to who has access to it). New Rights; Compliance with the new rights; the ‘right to be forgotten’ the ‘right to data portability’ and the ‘right to object profiling
  • Data Protection improvement programme
    • Privacy governance & Organisation Design, implementation, Compliance and Monitoring Solutions, Policy and procedures, training and awareness, Incident management,On-going support, 3rd party management, risk management, procedures and controls, information security controls, corporate compliance, on-going compliance and monitoring
  • Legal Support
    • Liaise with internal/external legal teams to ensure compliance with data protection legislation
    • Advising on compliance programmes and policies, Assessment of any non-compliance and suggestions of remedial action, Drafting for data controller and data processor agreements, Drafting of Binding Corporate Rules.

For further information contact mark.blake@apsolutions.org.uk or dave.newland@apsolutions.org.uk

Share:
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •