– WHICH COMES INTO FORCE ON THE 25TH MAY 2018!
Be as transparent as possible. Processing that falls outside people’s reasonable expectations is hard to justify as lawful. The more you do to ensure that people are well informed and given realistic choices, the more credibly you can say that what you do is within their reasonable expectations. Let people know the risks of processing as well as the rewards.
Provide clear explanations. You must specify all intended uses of personal data (including future intended uses). Consider using your data flow map(s) (see point 6 below) to give people clear visual explanations of what you do with their data, and keep those maps up to date.
Use your website, social media, applications and traditional communications channels to keep people informed about the way that you process their data. The same platforms can be used to let people give you feedback and make decisions (e.g. to opt in to, or out of, general or specific data processing initiatives).
Think broadly and creatively in terms of how you can most effectively engage with the people whose data you control and/or process. Think about workshops, seminars, and drop-in sessions, public and online surveys, developing videos and/or animations, and utilising local or national radio and television channels. Remember to always take equalities and diversity into consideration (e.g. is the information accessible in different formats and languages), and to also think about ways of engaging groups and individuals that may be marginalised.
Keep it proportionate. As a general rule, the more sensitive and voluminous the data, and the more novel what you are trying to achieve is, the more you will have to do to inform and engage.
Remember that your duty to keep people informed is an on-going one. Ensure that you keep people informed of all relevant changes that either impact, or have the potential to impact their right to privacy. Don’t just stick a privacy notice up and think the job is done!
Where you rely on consent as your lawful basis, people must be given the opportunity to give you explicit and unambiguous indications of how they wish their data to be handled. Since everybody has a different view of how they would like their confidential and sensitive data handled, you must design your systems, processes and technologies so that each individual’s informed decisions are respected, by default and by design.
Answering the following three basic questions will help you to ensure that the choices you offer are both realistic and compliant:
What choices are aligned with your strategic objectives?
What choices will it be technically possible to securely deliver?
What choices are within the reasonable expectations of your end-users (i.e. what was the feedback from user engagement)?
Recording consent decisions centrally and electronically, in a manner which lets those decisions flow downstream into all relevant systems and processes, is a challenging task (depending on the scale of what you need to achieve and your organisation’s digital maturity), yet a worthwhile one.
Doing this helps you to ensure that access to confidential and sensitive data is restricted on a need-to-know basis, yet readily available, in real time if necessary. Being able to rapidly ascertain who has consented to what makes delivering compliant products and services much easier.
For example, it will make it easier to determine which of your end-users have consented to their data being shared with third parties, or used for commercial and/or research purposes. It will also make it easier to stop processing, and to delete data that you hold solely on the basis of that consent, if end-users later withdraw it. Data that another lawful basis still justifies (for example, what you need to deliver a service they have asked for) is not automatically erased by a marketing opt-out, so the register needs to know which purpose each item of data is held for.
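As an added example (not IG Smart’s code, and not from the original page), here is a small Python consent register that records decisions centrally as an append-only log, lets a downstream data store ask “who has consented to what” by purpose before releasing data, and handles a withdrawal by deleting only the data held solely under the withdrawn purpose. All class and function names, and the sample subjects and profile fields, are hypothetical and constructed for illustration.

```python
"""Toy consent register with a downstream purpose gate (added example).

Points demonstrated:
  * consent is an append-only log; the latest decision per (subject, purpose)
    wins, and the privacy-notice version the person saw is kept as evidence;
  * no record means NO consent (opt-in by default and by design);
  * downstream systems consult the register before using or sharing data;
  * withdrawal deletes data held only for the withdrawn purpose and keeps
    data that another still-consented purpose justifies.
In this toy every purpose is consent-based; a purpose resting on another
lawful basis (e.g. contract) would simply be exempt from the gate.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Purpose(Enum):           # hypothetical purposes
    SERVICE = "service_delivery"
    MARKETING = "marketing"
    SHARING = "third_party_sharing"
    RESEARCH = "research"


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: Purpose
    granted: bool
    notice_version: str        # which privacy notice the person actually saw
    recorded_at: datetime


class ConsentRegister:
    """Central, append-only record of who consented to what."""

    def __init__(self) -> None:
        self._log: list[ConsentRecord] = []

    def record(self, subject_id: str, purpose: Purpose, granted: bool,
               notice_version: str, at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, granted, notice_version,
                            at or datetime.now(timezone.utc))
        self._log.append(rec)  # never overwrite: the history is the audit trail
        return rec

    def withdraw(self, subject_id: str, purpose: Purpose, notice_version: str) -> ConsentRecord:
        return self.record(subject_id, purpose, False, notice_version)

    def current(self, subject_id: str, purpose: Purpose) -> Optional[ConsentRecord]:
        for rec in reversed(self._log):          # latest decision wins
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return rec
        return None

    def has_consent(self, subject_id: str, purpose: Purpose) -> bool:
        rec = self.current(subject_id, purpose)
        return rec is not None and rec.granted   # absent record == no consent

    def history(self, subject_id: str) -> list[ConsentRecord]:
        return [rec for rec in self._log if rec.subject_id == subject_id]


@dataclass
class Profile:
    """A subject's data; each field is tagged with the purposes it is held for."""
    fields: dict[str, tuple[object, frozenset]] = field(default_factory=dict)


class ProfileStore:
    """Downstream system that asks the register before releasing or keeping data."""

    def __init__(self, register: ConsentRegister) -> None:
        self.register = register
        self.profiles: dict[str, Profile] = {}

    def put(self, subject_id: str, name: str, value: object, purposes: set) -> None:
        self.profiles.setdefault(subject_id, Profile()).fields[name] = (value, frozenset(purposes))

    def export_for(self, purpose: Purpose) -> dict:
        """Release only fields collected for `purpose`, only for consenting subjects."""
        out: dict = {}
        for sid, prof in self.profiles.items():
            if not self.register.has_consent(sid, purpose):
                continue
            picked = {n: v for n, (v, ps) in prof.fields.items() if purpose in ps}
            if picked:
                out[sid] = picked
        return out

    def apply_withdrawal(self, subject_id: str, purpose: Purpose, notice_version: str) -> list[str]:
        """Record the withdrawal, then delete fields held *only* for that purpose."""
        self.register.withdraw(subject_id, purpose, notice_version)
        prof = self.profiles.get(subject_id)
        deleted: list[str] = []
        if prof is None:
            return deleted
        for name, (_value, purposes) in list(prof.fields.items()):
            still_justified = {p for p in purposes
                               if p != purpose and self.register.has_consent(subject_id, p)}
            if not still_justified:
                del prof.fields[name]
                deleted.append(name)
        return deleted


def demo() -> tuple:
    """Constructed walk-through: two subjects; one later opts out of marketing."""
    reg, store = ConsentRegister(), None
    store = ProfileStore(reg)
    reg.record("alice", Purpose.SERVICE, True, "notice-v2")
    reg.record("alice", Purpose.MARKETING, True, "notice-v2")
    reg.record("bob", Purpose.SERVICE, True, "notice-v2")  # bob never opted in to marketing
    store.put("alice", "email", "alice@example.com", {Purpose.SERVICE, Purpose.MARKETING})
    store.put("alice", "browsing_history", ["/pricing", "/blog"], {Purpose.MARKETING})
    store.put("bob", "email", "bob@example.com", {Purpose.SERVICE, Purpose.MARKETING})
    before = store.export_for(Purpose.MARKETING)                      # alice only
    deleted = store.apply_withdrawal("alice", Purpose.MARKETING, "notice-v2")
    after = store.export_for(Purpose.MARKETING)                       # nobody
    remaining = sorted(store.profiles["alice"].fields)                # email kept for SERVICE
    return before, deleted, after, remaining


if __name__ == "__main__":
    print(demo())
```

The point of tagging each stored field with its purposes is that a withdrawal becomes a mechanical check rather than a judgement call made system by system: the browsing history that existed only for marketing goes, the e-mail address that service delivery still needs stays, and the register’s history shows which notice version each decision was made against if you are later asked to evidence it.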
GDPR makes it mandatory to appoint a Data Protection Officer (DPO) if you are a public authority, or if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data (or data about criminal convictions). If you fall into one of these categories, and have not already done so, now is the time to appoint and, if necessary, train a DPO.
Even if you do not fall into these categories, there is much work to be done to ensure that your organisation complies with the GDPR when it comes into force. Having a DPO with expert knowledge of data protection law and practice will make the task of compliance much easier.
This does not necessarily mean that you will have to hire a new member of staff. You may have an existing staff member with sufficient expertise and capacity to take on the role, provided their other duties do not conflict with it (a DPO must be able to act independently and report to the highest level of management). It is also permissible to obtain advice and support from independent experts, if desirable or necessary.
A good DPO should be as proactive about designing ways for data to be used in a compliant manner as they are about identifying and mitigating privacy and data protection risks. Look for someone who is as pragmatic about solving problems as they are knowledgeable about privacy and data protection law. DPOs should actively participate in online and offline networks and forums, which helps them to learn lessons from others and build a network of people with whom to share ideas, templates and possibly even costs.
A well designed Information Risk Management Strategy (IRMS) can help your organisation to ensure that all privacy and data protection risks are pro-actively mitigated, and aligned with your overarching corporate risks, and risk appetite.
HIGH-LEVEL IRMS OVERVIEW
Systems, processes and technologies are designed with privacy embedded by default, helping you to ensure that all access to confidential and sensitive data is secure and legitimate.
People and third parties that process personal data on your behalf are appropriately vetted, trained, and bound by contracts which impose standards equal to or greater than the privacy and data protection laws of the countries whose residents’ data you process.
Information Asset Registers are used to ensure that all confidential and sensitive data are appropriately managed, accurate, classified, protectively marked, resilient, secure at rest, up-to-date, accessed on a strict need to know basis, not kept for longer than necessary and confidentially destroyed when no longer required.
Data Flow Maps are used to ensure that all confidential and sensitive data are lawfully disclosed and secure in transit.
Information Risk Registers (IRR) are used to record, measure, mitigate, monitor and report privacy and data protection risks (and breaches, in the unfortunate but increasingly likely event that they happen; the GDPR requires you to document every personal data breach, and to notify the supervisory authority of qualifying breaches within 72 hours of becoming aware of them). In the event of a data breach, an IRR can provide clear evidence that you did all that was reasonably practicable, in the circumstances, to identify and mitigate privacy and data protection risks.
Automated monitoring and routine auditing enable you to identify risks and rapidly respond to threats.
Mapping all of your organisation’s inbound, internal and outbound flows of confidential and sensitive data will help you to ensure that all flows are lawful and secure. It gives you an up-to-date picture of what data goes where, how it gets there, who accesses it, and for what purpose, and lets you identify actual and potential privacy and data protection risks (which should, in turn, be recorded in the IRR). It is important to note that GDPR obliges data controllers to ensure that their data processors, sub-processors, and even sub-sub-processors have GDPR compliant controls in place.
Data Protection & Privacy risks include:
A lack of training, or inadequate training, is unquestionably one of the major root causes of privacy and data protection breaches. Providing those who handle data within your organisation with succinct, engaging and up-to-date training can therefore be one of the most effective and efficient ways of reducing privacy risks. Training should be supported by clear, concise and accessible guidance materials, designed to help those who handle data to understand and confidently discharge their responsibilities.
Try to tailor your training to the things that your organisation does with data, and to the roles and responsibilities of the people who handle data on your behalf. This will help those undergoing training to put things into context, and hopefully engage them in what is sometimes perceived as a dull subject. If your staff are particularly difficult to engage, you may have to throw in videos, games, animations and even finger puppets!
8. ENSURE ALL CONTRACTS ARE GDPR COMPLIANT
Review the contracts in place with any third parties that process confidential and/or sensitive data on your behalf, and check that they contain clauses which impose conditions on the third party (and on any sub-processors and sub-sub-processors) that are equal to, or greater than, those imposed by the GDPR. The GDPR sets out specific terms that a controller–processor contract must contain, so a generic confidentiality clause is not enough. This can be a challenging task, particularly for complex and large organisations, as there are lots of legalities to take into consideration.
9. CHECK PARTNER AND SUPPLIER CREDENTIALS
Do those that process data on your behalf have adequate controls in place to protect privacy? It is one thing to have a robust contract in place; it is another to ensure that contractual obligations are being met. Ensure that those who process data on your behalf follow international best practice. One way to do this is to require them to maintain compliance with standards such as ISO 27001, by routinely requesting evidence of independent certification, and to check that the certificate’s scope actually covers the services and systems that handle your data. However, the more complex the data processing arrangement, or the more sensitive and/or voluminous the data, the more controls may need to be in place and routinely monitored.
DPIAs are now mandatory for all processing that is likely to result in a high risk to individuals’ rights and freedoms, particularly where new technologies are used. DPIAs help you to identify actual and potential privacy and data protection risks, and to measure the impact that they may have. DPIAs should, as a minimum, be used whenever you are doing something that is likely to have a significant impact on privacy. This may, for example, include joint ventures, mergers and acquisitions, takeovers, implementing new technologies, sharing data with partners, and using personal data for previously unspecified purposes. Knowing what risks you face, and the actual or potential impact they may have, is key to knowing how best to mitigate them.
All organisations that process the personal data of individuals in the EU (whether they are your customers or not; for example, you may wittingly or unwittingly collect personal data through your website) will need to comply with the GDPR by the 25th May 2018.
IG Smart is currently deeply embedded within private and public sector organisations, helping them to ensure that they are compliant when GDPR comes into force. We are here to share lessons learned, and to help you implement pragmatic controls to ensure compliance with GDPR.