
Preparing for the General Data Protection Regulation (GDPR)


Be Prepared – NOT Scared!!!! Data Protection rules change May 2018

Main Points:
  • The EU-GDPR (General Data Protection Regulation) is a framework that prescribes guidelines to manage, monitor and protect personally identifiable information for all residents within the EU, regardless of nationality.
  • Adopted by all states within the European Union in April 2016, the EU-GDPR goes live on the 25th May 2018, impacting all companies that hold, process or transfer Personally Identifiable Information. Businesses need to be prepared and have robust procedures in place to ensure compliance.
  • Accurate records are vital to ensure compliance.
  • Aims to give data subjects access to their data and to prevent security breaches.
  • GDPR provides the standards that all organisations will have to adhere to, whether they are based in the EU or outside.
  • Requirement to obtain specific consent to process data in some cases.
  • Overseen by the ICO (Information Commissioner's Office) and will continue after BREXIT.
  • Severe penalties – up to €20M / 4% of global turnover.
  • New roles: Data Protection Officer (not always mandatory), Data Controller & Data Processor.
  • ‘Safe Harbor’ principle no longer valid.
  • Recognised EU-GDPR Practitioner available for help, guidance & support.

Key Numbers:
  • 7 – Key Principles of the GDPR
  • 4% – Potential penalty as a percentage of global turnover
  • 72 hours – Maximum time to report a data breach, IRRESPECTIVE of working hours
  • 99 – Articles, of which approx. 80% are new requirements
 
Typical Questions:
 
1. What Personally Identifiable Information (PII) are you collecting?
{Anything that can be used to identify a person: name, address, email, mobile phone number, etc.}
 
2. What purpose are you using this PII for?
{A precise and defined purpose – NOT ‘in case it may be needed’!!!}
 
3. Have you defined the Data Controller & Data Processor roles?
{Specific responsibilities allocated, including a Data Protection Officer – not always mandatory}
 
4. How is this PII analysed?
{Precise analytical & statistical methods}
 
5. Has the data subject given express permission for you to collect & analyse this information?
{Express permission CLEARLY given, not automatic opt-in/out}
 
6. How do you respond to a Data Subject’s request – access to records; the right to be forgotten?
{Procedure to be followed, records kept}
 
7. Where is the collected data held, stored, and analysed – have you mapped the data flows?
{Flow diagram charting data through the organisation & storage/processing stages}
 
8. Are there any automated decision-making processes?
{Example: access to services/levels of service. Must have ‘human’ intervention process}
 
9. Who has access to this information – as collected, stored, or processed?
 
10. Do you have a Data Security Policy?
{Typical content: Incident Response Policy; levels of access; password renewal/update policy, etc.}
 
11. Do you have a Data Privacy Policy?
{Typical content: Notification to the Data Subject of a high-risk breach, risk of harm, loss, etc.}
 
12. Do you conduct training for all employees regarding Data Privacy & Security?
{Appropriate records – refresher/updates}
 
12 Steps to Compliance – Information Commissioner's Office (ICO)
1. Awareness – decision makers & key personnel
 
2. Information held – carry out an information audit
 
3. Privacy Notices & Policies – review
 
4. Individuals’ rights – check procedures to ensure full compliance with GDPR
 
5. Subject Access Requests – update company procedures
 
6. Basis for processing data – identify the lawful basis on which you process it
 
7. Consent – review how you seek, record and manage consent, UPDATE current consents to ensure compliance
 
8. Children – procedure to verify ages
 
9. Data Breaches – procedures in place to detect, report & investigate
 
10. Data Protection by Design & Data Protection Impact Assessments – follow ICO guidelines
 
11. Data Protection Officers – consider if mandatory, or a recommendation for someone to take responsibility for data protection compliance
 
12. International – e.g. cross-border processing?
Header image sourced from www.ico.org.uk