Preparing for the General Data Protection Regulation - inside an organisation


Preparing for the General Data Protection Regulation - inside an organisation
Version: V2.0, Date: 25/05/2017
Jackie Megahey, GfK UK Director, Information Security & Data Protection; GfK Regional Research & Quality Director, UK, Nordics & Baltics

12 Steps to take now
In today's session I will be taking you through the ICO's guidance, Preparing for the General Data Protection Regulation (GDPR) and the 12 steps to take now. I will also show some examples of how this is being managed / implemented within GfK. All other suggestions / examples welcome!

Step 1. Awareness (ICO)
- Identify decision makers and key people and make sure they are aware of the law change. They need to appreciate the impact and identify areas that could cause compliance problems.
- Start by looking at your organisation's risk register.
- Consider any significant resource implications.
- Take time to lead in with a clear awareness campaign. Last-minute compliance will be difficult!

Resources / workstreams
Project workstreams: Intelligence; Service; Audit & Governance; Application Changes.
Complexity and volume:
- >2 million panelists
- 15K staff
- <200K clients/others
- 50K databases, plus unstructured/analog data
- ~200 global BA/EA
- ~800 local apps
- Product impact: >100 products

Awareness at GfK
- Started in the UK in 2016 with Compliance Training and Awareness for all staff.
- Tailored training specific to each audience: Researchers; Shared services (HR, IT, Finance, etc.); Point of Sales; Mystery Shopping; Legal; Operational, etc.
- Introduced GDPR into induction training for all new staff.
- GfK Group Privacy module soon to be available on our online training platform.
- Security training module developed alongside privacy.
- Ongoing.

Making the message accessible (security video shown at this point)

Making the message accessible
- Multiple channels to get the message across and raise awareness: intranet, videos, e-news.
- Appointment of a GDPR Project Manager.

Step 2. Information you hold (ICO)
- Document what personal data you hold, where it came from and who you share it with.
- Organise an information audit across the organisation. Take into account employee, participant, panellist, client and supplier data.
- The GDPR updates rights for a networked world: if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation that the data is inaccurate.
- What, where, who: document it. This helps you comply with the accountability principle and demonstrates that you have effective policies and procedures in place.

Data flow diagrams may help... or be quite scary!! (two diagram slides; the diagrams themselves are not reproduced here)

Information gathering questionnaire
Started assessment of some 700+ applications holding personal data by way of an online questionnaire sent out to application owners / users, covering:
- Location of app
- PII categories / sensitive PII
- Other data leading to identity
- Data subject details
- Ownership, access, transfer
- Number of people in data set
- Storage, back-up, access
- Deletion, correction, export
- Consent
- Reporting
- Privacy notices
- Privacy by design
- Interaction with other apps

Step 3. Communicating privacy information (ICO)
- Review current privacy notices and put a plan in place to implement changes (if necessary): survey invitations, online privacy notices, T&Cs with your panel, thank-you leaflets, information for qualitative groups.
- Review what additional information you need to give in these notices, for example explaining your legal basis for processing the data, your retention periods, and the individual's right to complain to the ICO.
- A challenge for telephone surveys!

Use concise, easy to understand and clear language. Always a challenge when collecting information in a very complicated way; some examples follow.

Step 4. Individuals' rights (ICO)
Check, where necessary, that procedures cover all rights:
- Subject access
- To have inaccuracies corrected
- To have information erased
- To prevent direct marketing
- To prevent automated decision-making and profiling
- Data portability
Would your systems help you to locate and delete data? Who will make the decisions about deletion? Data portability means providing the data electronically and in a commonly used format; can you do this?

Updating policies and publishing them: document policies to meet the requirement of accountability.

Step 5. Subject access requests (ICO)
- Do your procedures meet the new timescales for providing information? Respond within one month, rather than 40 days.
- In most cases there can be no charge. Manifestly unfounded or excessive requests can be charged for or refused; if you want to refuse a request, have policies and procedures in place to demonstrate why the request meets these criteria.
- Additional information to provide: data retention periods; the right to have inaccurate data corrected.
- What are the logistical impacts for your organisation of a large volume of requests? Do a cost/benefit analysis of providing online access for individuals to their data.

Ways of publishing the data (all sources to be updated):
- Published policy statements
- Interactive PDF with links to policy statements
- Direct links to statements on the website

Step 6. Legal basis for processing personal data (ICO)
- Look at all types of data processing you carry out, identify the legal basis for doing so and document it. Not just participant data, but employee, client and supplier personal data.
- Have you thought of the practical implications of the stronger rights of individuals to have their data deleted when you use consent as your legal basis for processing?
- Explain your legal basis in privacy notices and subject access requests, alongside information on data retention; confirm that individuals have a right to complain to the ICO.
- Information to be provided in concise, easy to understand and clear language.

At GfK we are:
- Reviewing T&Cs and MSAs to ensure the data protection clauses reflect the requirements of the GDPR. Consider both new T&Cs/MSAs and adding a variation to existing T&Cs/MSAs.
- Working with Procurement to implement an additional schedule in Standard Agency Terms to include an Information Security Schedule.

Step 7. Consent (ICO)
- Review how you are seeking, obtaining and recording consent.
- Prominent, concise, separate from other terms and conditions, and easy to understand.
- Confirm the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent.
- Keep records to evidence consent: who consented, when, how, and what they were told.
- Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.

EXAMPLES. What methods can you use to obtain consent? (ICO)
- signing a consent statement on a paper form
- ticking an opt-in box on paper or electronically
- clicking an opt-in button or link online
- selecting from equally prominent yes/no options
- choosing technical settings or preference dashboard settings
- responding to an email requesting consent
- answering yes to a clear oral consent request
- volunteering optional information for a specific purpose, e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Explicit consent (ICO)
- You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.
- All consent must involve a specific, informed and unambiguous indication of the individual's wishes. The key difference is likely to be that explicit consent must be affirmed in a clear statement (whether oral or written).
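The record-keeping demanded in Step 7 (who consented, when, how, and what they were told) and the explicit-consent rule above translate directly into a data model. The following is an added example and not GfK's system nor code from the ICO: a small append-only consent ledger in Python. It accepts only a listed affirmative action as evidence (a pre-ticked box cannot even be written to it), stores a SHA-256 fingerprint of the exact notice wording shown, records a withdrawal as its own event rather than editing history, and answers two questions a panel or survey system has to answer: did valid consent for this purpose exist at this moment, and which subjects consented under a notice that has since changed and so need their consent refreshed. The method codes, the purpose name "survey_invites", the panelist identifiers, the organisation name and the notice wording are all constructed for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Affirmative actions the ICO lists as acceptable; the short codes are assumed for this example.
AFFIRMATIVE_METHODS = frozenset({
    "paper_signature", "optin_tick", "optin_click", "yes_no_choice",
    "preference_setting", "email_reply", "oral_yes", "optional_field",
})

# Constructed notice wording for the walk-through (not a real notice).
NOTICE_V1 = "Example Panel Ltd uses your answers for market research only. You may withdraw at any time."
NOTICE_V2 = NOTICE_V1 + " From June 2018 we also share aggregated results with clients."

def notice_fingerprint(notice_text: str) -> str:
    """SHA-256 of the exact wording shown, so 'what they were told' can be proved later."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str                  # who
    purpose: str                     # consent is per purpose, never blanket
    given: bool                      # True = consent given, False = withdrawn
    at: datetime                     # when (UTC)
    method: str                      # how: an AFFIRMATIVE_METHODS code, or "withdrawal"
    notice_sha256: str               # what they were told
    controller: str                  # organisation named on the notice
    third_parties: tuple[str, ...] = ()

class ConsentLedger:
    """Append-only evidence store: a withdrawal is a new event, never an edit."""

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, method: str, notice_text: str, controller: str,
                       third_parties: tuple[str, ...] = (), at: datetime | None = None) -> ConsentEvent:
        # Silence, pre-ticked boxes, opt-out boxes and defaults are not affirmative actions,
        # so they can never be written into the ledger as consent.
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        ev = ConsentEvent(subject_id, purpose, True, at or datetime.now(timezone.utc), method,
                          notice_fingerprint(notice_text), controller, tuple(third_parties))
        self.events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, at: datetime | None = None) -> ConsentEvent:
        """Withdrawal is appended as its own event; the earlier consent evidence stays as history."""
        ev = ConsentEvent(subject_id, purpose, False, at or datetime.now(timezone.utc), "withdrawal", "", "")
        self.events.append(ev)
        return ev

    def _latest(self, subject_id: str, purpose: str, at: datetime) -> ConsentEvent | None:
        # Most recent event on or before `at`; ties are broken by append order.
        hits = [(e.at, i, e) for i, e in enumerate(self.events)
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return max(hits)[2] if hits else None

    def has_valid_consent(self, subject_id: str, purpose: str, at: datetime,
                          current_notice_text: str | None = None) -> bool:
        """Standing grant at `at`, and (if the current notice is given) that exact wording was shown."""
        last = self._latest(subject_id, purpose, at)
        if last is None or not last.given:
            return False
        return current_notice_text is None or last.notice_sha256 == notice_fingerprint(current_notice_text)

    def subjects_needing_refresh(self, purpose: str, current_notice_text: str, at: datetime) -> list[str]:
        """Subjects whose standing consent was given under a notice that has since changed."""
        current = notice_fingerprint(current_notice_text)
        subjects = sorted({e.subject_id for e in self.events if e.purpose == purpose})
        return [s for s in subjects
                if (last := self._latest(s, purpose, at)) is not None
                and last.given and last.notice_sha256 != current]

def demo() -> dict:
    """Constructed walk-through with three panelists; returns the checks as a dict."""
    t_consent = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent("P-0001", "survey_invites", "optin_tick", NOTICE_V1, "Example Panel Ltd", at=t_consent)
    ledger.record_consent("P-0002", "survey_invites", "email_reply", NOTICE_V1, "Example Panel Ltd", at=t_consent)
    ledger.withdraw("P-0002", "survey_invites", at=t_withdraw)
    try:  # a pre-ticked box is not consent: it must be rejected, not stored
        ledger.record_consent("P-0003", "survey_invites", "preticked", NOTICE_V1, "Example Panel Ltd", at=t_consent)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    return {
        "p1_valid": ledger.has_valid_consent("P-0001", "survey_invites", t_withdraw, NOTICE_V1),
        "p2_before_withdrawal": ledger.has_valid_consent("P-0002", "survey_invites", t_consent + timedelta(days=1), NOTICE_V1),
        "p2_after_withdrawal": ledger.has_valid_consent("P-0002", "survey_invites", t_withdraw, NOTICE_V1),
        "p1_under_new_notice": ledger.has_valid_consent("P-0001", "survey_invites", t_withdraw, NOTICE_V2),
        "preticked_rejected": preticked_rejected,
        "needs_refresh": ledger.subjects_needing_refresh("survey_invites", NOTICE_V2, t_withdraw),
    }
```

Calling demo() runs the walk-through: P-0001 holds valid consent under the first notice but not under the changed one, P-0002's consent is valid the day after it was given and invalid once the withdrawal is on the ledger, the pre-ticked box is refused, and the refresh review lists P-0001 alone. Hashing the notice text rather than storing a version label is the deliberate choice: a label can be reused after the wording changes, a fingerprint cannot.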

Step 8. Children (ICO)
- Put in place systems to verify individuals' ages and gather parental or guardian consent.
- Special protection for children's personal data, particularly for commercial internet services such as social networking.
- Consent has to be verifiable.
- Privacy notice written in a language that children can understand.
- Consider connecting to CEOP, https://ceop.police.uk/safety-centre/ ; they offer advice in age-appropriate language to children on how to stay safe online.

Step 9. Data breaches (ICO)
- Have the right procedures in place to detect, report and investigate a personal data breach.
- Report to the ICO those breaches where an individual is likely to suffer some form of damage, such as identity theft or a confidentiality breach. Under the GDPR this notification is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so the detection and escalation procedure has to be fast enough to meet that clock.
- Report to the individual, for instance, if it might lead to financial loss for them.
- Failure to report could result in a fine, as well as a fine for the breach itself.

Incident reporting
- Incident types: external / internal theft; misappropriation of company property / intellectual property; inadvertent, accidental or intended illegal disclosure of information; breach of confidentiality.
- Reported to: Information Security / Data Protection Director; Quality Associate Director.
- Onward parties as required: IT, Finance, HR, Legal, Police, Client, ICO, Data Subject.
- Confidential whistleblowing.

Step 10. Data protection by design and privacy impact assessments (ICO)
- Familiarise yourself with the guidance from the ICO on Privacy Impact Assessments (PIAs; the GDPR's own term is Data Protection Impact Assessment, DPIA).
- Can link to other organisational processes such as risk management and project management. Who will do it? Who else needs to be involved? Run centrally or locally?
- Privacy by design and data minimisation become an express legal requirement.
- Always consider a PIA for high-risk situations, e.g. a new technology/application.

Step 11. Data Protection Officers (ICO)
- Designate a data protection officer. Where does this sit within your organisation's structure and governance? Can be an internal or external advisor.
- Takes proper responsibility for your organisation's data protection compliance and has the knowledge, support and authority to do so effectively.

Legal and compliance team: identifying the right person in each country / region to act as the Data Protection Officer.

Step 12. International (ICO)
- For international organisations, you should determine which data protection supervisory authority you come under.
- With a traditional headquarters (branches) model this is easy to determine; it is more complex for multi-site companies where decisions about different processing activities are taken in different places.
- It is helpful to map out where your organisation makes its most significant decisions about data processing. This may help to determine your main establishment and therefore your lead supervisory authority.

A final BIG step to take around the GfK world

GDPR time-boxing schedule (needs to be validated)
5. Schedule with milestones: define key milestones and develop the project schedule further from the Project Charter to determine the timing, effort and duration required to complete the project.
[Gantt chart spanning calendar weeks 16 to 52 and then weeks 1 to 25 of 2018; only the labels are recoverable here.]
Milestones: Risk Mitigation Target Setting delivered (2017); Risk Mitigation Plan delivered; Audit completed; External Reality Check; GDPR is Law.
Schedule bars: Project Ramp Up; Intelligence Audit; Service; Legal/Economic Risks; Master GfK Duties; Develop standard contracts; Data Landscape Definition; Risk Assessment Global Applications; Organization Roles & Responsibilities; Master IT Architecture Framework Definition; Risk Assessment for Regional Application/Data; Roll out Changes Contracts; Roll out Changes Organization; Domain Specific Implementation Streams; Application Changes; Early Starters Definition + Changes in applications.

Thank you. Visit the ICO website for further guidance and the 12 steps to take now.