What is the GDPR?
The General Data Protection Regulation(GDPR) is European Union (EU) legislation that addresses the handling of personal data. It is a regulation by which the European Commission intend to strengthen and unify data protection for all individuals within the EU. GDPR also addresses the export of personal data outside the EU.
Privacy is a fundamental human right recognized in the UN Declaration of Human Rights and in many other international and regional treaties. Privacy underpins human dignity and it has become one of the most important human rights issues of the modern age.
The GDPR primarily aims to give control of personal data back to citizens and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect on 25 May 2018 it will replace the current EU data protection directives
Most businesses already take information security and privacy very seriously and wish to maintain industry best practices to ensure the availability, integrity and confidentiality of personal data while it is in their custody. Being aware of the requirements of the GDPR and considering its relevance to an organisation, as both a data controller and data processor requires a GDPR compliance strategy, which usually involves a cross-functional team and some companies have also appointed a Data Privacy Officer (DPO) to oversee the compliance strategy. For many companies the GDPR requirements are seen as the minimum standard to maintain world class global data privacy controls.
The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
Getting ready for GDPR
Purpose
Control of how personal information is used by organizations, business or the government
Principles
Personal information must be
- Used fairly and lawfully
- Used for limited, specifically stated purpose
- Used in a way that is adequate, relevant and not excessive
- Accurate
- Kept for no longer than absolutely necessary
- Kept safe and secure
- Transfer to other countries or handling of personal information typically sanctioned
Implementation is delivered through Technical and Organizational Measures (TOM’s)
- Engage a team or external provider to:
- Provide initial training to key stakeholders
- Conduct readiness assessment
- Develop recommendations and conduct knowledge transfer
- Appoint a Data Privacy Officer (DPO)
- Nominate functional primes and build project team(s)
- Complete Data Protection Impact Assessments (PIA)
- Execute remediation plans based on findings
- Periodic status meetings for the project team(s) to report back to stakeholders
- Remediation review prior to May 2018
- DPO establishes compliance strategy, standards and policy
- DPO engages with nominated resources to communicate requirements for each department
- Establish records and document processing activities of personal data
- Conduct Privacy Impact Assessment (PIA) for High Risk processing activities
- Review customer contracts
- Update supplier agreements when they act as sub processors
- Develop project plans for the implementation of remediation actions and ongoing project governance
- Establish awareness
- Identify training requirements
- Develop (proactive) customer and internal communications
- Provide an internal knowledge base with GDPR materials (strategy, policy, procedures, contacts)
- Identify applications in use
- Provider of the application
- Brief description of the application
- Responsible contact
- Develop and maintain records
- Name, address and contacts of data processing entities
- Description and purposes of the processing
- Categories of personal data and categories of data subjects
- Categories of recipients and possible cross-border transfers with documentation of appropriate safeguards (e.g. DPA)
- Access rights and authorization concept
- Data retention policy
- Describe Technical and Organizational Measures (TOMs)
- timekeeping
- electronic archiving of receipts
- professional training and education
- visitors (register and management)
- credit assessment and processing
- cloud services
- CRM / ERP system
- e-learning system
- Mobile Device Management (MDM)
- electronic payments
- electronic time recording
- membership administration
- newsletters
- payroll accounting
- personnel data management
- travel expense accounting
- subcontracting
- share button
- telephone database
- appointment management
- training schedule
- vacation planning
- accounting
- video surveillance
- web form, portal and web tracking
- access control system
- birthday list
- marketing campaigns
- account management
- helpdesk
- contract management
- customer service
- vendor management
- invoicing
- recruitment
PIA is a risk assessment for processing of personal data and is mandatory in case there is a high risk to the data subjects rights and/or:
- Where there is systematic and extensive evaluation of personal aspects relating to a person, based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the person.
- For example: financial institutions who conduct automated loan approvals, data analytic providers, online marketing companies, and search engines with target marketing facilities
- Processing on a large scale of sensitive personal data and personal data relating to criminal convictions and offences.
- For example: Healthcare providers, insurance companies.
- Systematic monitoring of a publicly accessible area on a large scale.
- For example: Local authorities with CCTV in public areas, leisure industry operators with CCTV outside nightclubs, bars, restaurants and shopping centres.
For both internal and external processes, commercial products and services, privacy requirements should be factored in during the design:
- Minimisation of personal data
- Transparency
- Privacy Enhancing Technologies (PET)
- Encryption / pseudonomization
- Segregation
- Access controls
- Retention
- Explicit consent
- Right to be forgotten / annonymization
- Other Technical and Organizational Measures (TOMs)
