Preparing for the General Data Protection Regulation - inside an organisation

Version: V2.0
Date: 25/05/2017
Jackie Megahey
GfK UK Director, Information Security & Data Protection
GfK Regional Research & Quality Director, UK, Nordics & Baltics
12 Steps to take now

In today's session I will be taking you through the ICO's guidance "Preparing for the General Data Protection Regulation (GDPR)" and the 12 steps to take now. I will also show some examples of how this is being managed / implemented within GfK. All other suggestions / examples welcome!
Step 1. Awareness (ICO)

- Identify decision makers and key people and make sure they are aware of the law change
- They need to appreciate the impact and identify areas that could cause compliance problems
- Start by looking at your organisation's risk register
- Consider any significant resource implications
- Take time to lead in with a clear awareness campaign
- Last minute compliance will be difficult!
Resources / workstreams

Project workstreams:
- Intelligence
- Service
- Audit & Governance
- Application Changes

Complexity and volume:
- >2mio panelists
- 15K staff
- <200K clients/others
- 50K databases
- Unstructured/analog data
- ~200 global BA/EA
- ~800 local apps
- Product impact: >100 products
Awareness at GfK

- Started in the UK in 2016 with Compliance Training and Awareness for all staff
- Tailored training specific to each audience: Researchers; Shared services (HR, IT, Finance, etc.); Point of Sales; Mystery Shopping; Legal; Operational, etc.
- Introduced GDPR into induction training for all new staff
- GfK Group Privacy module soon to be available on our online training platform
- Security training module developed alongside privacy
- Ongoing.
Making the message accessible

[Security awareness video shown at this point in the session]

- Multiple channels to get the message across and raise awareness: intranet, videos, e-news
- Appointment of a GDPR Project Manager
Step 2. Information you hold (ICO)

- Document what personal data you hold, where it came from and who you share it with
- Organise an information audit across the organisation
- Take into account employee, participant, panellist, client and supplier data
- The GDPR updates rights for a networked world: if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation that the data is inaccurate
- What, where, who: document it
- Helps to comply with the accountability principle
- Demonstrates that you have effective policies and procedures in place
Data flow diagrams may help... or be quite scary!!

[Example data flow diagrams shown on these slides]
Information gathering questionnaire

Started assessment of some 700+ applications holding personal data by way of an online questionnaire sent out to application owners / users. Areas covered:
- Location of app
- PII categories / sensitive PII
- Other data leading to identity
- Data subject details
- Ownership, access, transfer
- No. of people in data set
- Storage, back-up, access
- Deletion
- Correction
- Export
- Consent
- Reporting
- Privacy notices
- Privacy by design
- Interaction with other apps
Step 3. Communicating privacy information (ICO)

- Review current privacy notices and put a plan in place to implement changes (if necessary): survey invitations, online privacy notices, T&Cs with your panel, thank you leaflets, information for qualitative groups
- Review what additional information you need to give in these notices. For example, explaining your legal basis for processing the data, your retention periods, and the individual's right to complain to the ICO
- A challenge for telephone surveys!
Use concise, easy to understand and clear language. Always a challenge when collecting information in a very complicated way; some examples follow.
Step 4. Individuals' rights (ICO)

- Check, where necessary, that procedures cover all rights:
  - Subject access
  - To have inaccuracies corrected
  - To have information erased
  - To prevent direct marketing
  - To prevent automated decision-making and profiling
  - Data portability
- Would your systems help you to locate and delete data?
- Who will make the decisions about deletion?
- Data portability: provide the data electronically and in a commonly used format. Can you do this?
Updating policies and publishing them

- Document policies, to meet the requirement of accountability
Step 5. Subject access requests (ICO)

- Do your procedures meet the new timescales for providing information? Respond within 1 month, rather than 40 days
- In most cases there can be no charges
- Manifestly unfounded or excessive requests can be charged for or refused
- If you want to refuse a request, have policies and procedures in place to demonstrate why the request meets these criteria
- Additional information to provide: data retention periods; the right to have inaccurate data corrected
- What are the logistical impacts for your organisation of a large volume of requests?
- Do a cost/benefit analysis of providing online access for individuals to their data
Ways of publishing the data: all sources to be updated

- Published policy statements
- Interactive PDF with links to policy statements
- Direct links to statements on website
Step 6. Legal basis for processing personal data (ICO)

- Look at all types of data processing you carry out, identify the legal basis for doing so and document it
- Not just participant data, but employee, client and supplier personal data
- Have you thought of the practical implications of individuals' stronger rights to have their data deleted, when you use consent as your legal basis for processing?
- Explain your legal basis in privacy notices and subject access requests, alongside information on data retention; confirm that individuals have a right to complain to the ICO
- Information to be provided in concise, easy to understand and clear language
At GfK we are:

- Reviewing T&Cs and MSAs to ensure the data protection clauses reflect the requirements of the GDPR
- Considering both new T&Cs/MSAs and adding a variation to existing T&Cs/MSAs
- Working with Procurement to implement an additional schedule in Standard Agency Terms to include an Information Security Schedule
Step 7. Consent (ICO)

- Review how you are seeking, obtaining and recording consent
- Prominent, concise, separate from other terms and conditions, and easy to understand
- Confirm the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent
- Keep records to evidence consent: who consented, when, how, and what they were told
- Keep consents under review and refresh them if anything changes
- Build regular consent reviews into your business processes
Examples: what methods can you use to obtain consent? (ICO)

- Signing a consent statement on a paper form
- Ticking an opt-in box on paper or electronically
- Clicking an opt-in button or link online
- Selecting from equally prominent yes/no options
- Choosing technical settings or preference dashboard settings
- Responding to an email requesting consent
- Answering yes to a clear oral consent request
- Volunteering optional information for a specific purpose, e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
Explicit consent (ICO)

- You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions
- All consent must involve a specific, informed and unambiguous indication of the individual's wishes
- The key difference is likely to be that explicit consent must be affirmed in a clear statement (whether oral or written)
Step 8. Children (ICO)

- Put in place systems to verify individuals' ages and gather parental or guardian consent
- Special protection for children's personal data, particularly for commercial internet services such as social networking
- Consent has to be verifiable
- Privacy notice written in a language that children can understand
- Consider connecting to CEOPS (https://ceop.police.uk/safety-centre/); they offer advice in age appropriate language to children on how to stay safe online
Step 9. Data breaches (ICO)

- Have the right procedures in place to detect, report and investigate a personal data breach
- Report to the ICO those breaches where an individual is likely to suffer some form of damage, such as identity theft or a confidentiality breach
- Report to the individual, for instance, if it might lead to financial loss for them
- Failure to report could result in a fine, as well as a fine for the breach itself
Incident Reporting

Types of incident:
- External / internal theft; misappropriation of company property / intellectual property
- Inadvertent, accidental or intended illegal disclosure of information
- Breach of confidentiality

Reporting lines:
- Information Security / Data Protection Director
- Quality Associate Director

Other parties involved as appropriate: IT, Finance, HR, Legal, Police, Client, ICO, Data Subject

Confidential whistleblowing
Step 10. Data protection by design and privacy impact assessments (ICO)

- Familiarise yourself with the guidance from the ICO on Privacy Impact Assessments (PIAs)
- Can link to other organisational processes such as risk management and project management
- Who will do it? Who else needs to be involved? Run centrally or locally?
- Privacy by design and data minimisation: an express legal requirement
- Always consider a PIA for high risk situations, e.g. a new technology/application
Step 11. Data Protection Officers (ICO)

- Designate a data protection officer
- Where does this sit within your organisation's structure and governance?
- Can be an internal or external advisor
- Takes proper responsibility for your organisation's data protection compliance and has the knowledge, support and authority to do so effectively
Legal and compliance team

- Identifying the right person in each country / region to act as the Data Protection Officer
Step 12. International (ICO)

- For international organisations, you should determine which data protection supervisory authority you come under
- Traditional headquarters (branches model): this is easy to determine
- More complex for multi-site companies where decisions about different processing activities are taken in different places
- Helpful to map out where your organisation makes its most significant decisions about data processing
- May help to determine your main establishment and therefore your lead supervisory authority
A final BIG step to take around the GfK World
GDPR time boxing schedule (needs to be validated)

5. Schedule with Milestones: define key milestones and develop the project schedule further from the Project Charter to determine timing, effort and duration required to complete the project.

[Gantt chart shown here, covering calendar weeks 16-52 of 2017 and 1-25 of 2018]

Milestones:
- Risk Mitigation Target Setting delivered (2017)
- Risk Mitigation Plan delivered
- Audit completed
- External Reality Check
- GDPR is Law (2018)

Activities on the chart:
- Project Ramp Up
- Intelligence
- Audit Service
- Legal/Economic Risks
- Master GfK Duties
- Develop standard contracts
- Data Landscape Definition
- Risk Assessment Global Applications
- Organization Roles & Responsibilities
- Master IT Architecture Framework Definition
- Risk Assessment for Regional Application/Data
- Roll out Changes Contracts
- Roll out Changes Organization
- Domain Specific Implementation Streams
- Application Changes Early Starters Definition + Changes in applications
Thank you

Visit the ICO website for further guidance and the 12 steps to take now.