The General Data Protection Regulation (GDPR) is an EU legal requirement. The UK Data Protection Act (2018) incorporates the GDPR into UK law.
Personal data for individuals shall be processed lawfully, fairly, and in a transparent manner.
People need to be told what personal data is being collected and for what purpose.
Personal data shall be collected for specified, explicit, and legitimate purposes. It shall not be used for any other reasons that conflict with these purposes.
Personal data shall only be kept and processed for as long as it is required for that purpose and for no longer than that.
A Data Protection Officer (DPO) is required if you process large amounts of sensitive personal data or systematically monitor Data Subjects on a large scale.
Personal data must be kept up-to-date and accurate.
People have the right to receive a copy of their data, or can request that their personal data no longer be used. Insome cases, they can have it erased entirely.
Organizations must implement appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure.
In addition, organizations need to ensure all staff members who handle personal data are properly trained in how to secure and protect that data.
Viewing entries in
gdpr & privacy
DPO: A GUIDANCE DOCUMENT
Securestorm's experienced Data Protection Team has released has released an extensively researched guidance document to help understand roles, responsibilities, regulations, and applicability of Data Protection Officers to help clear misconceptions and promote better understanding for organisations that are considering a DPO role within their practice.
Download our guide below or use our reading pane to preview the content:
Reach out to our knowledgeable GDPR Practitioners to address GDPR related questions, for invitation to complimentary GDPR learning sessions or to discuss your personal or organisational requirements. We advice clients across the Public and Private Sectors on all things Data Protection (GDPR/Privacy), Cloud & Cyber Security.
OUR GUIDE TO THE DPO DECISION
a guide to gdpr compliance for your website
It’s only a few months until the General Data Protection Regulation (GDPR) comes into force, with May 2018 almost upon us. The new regulation created by the European Commission aims to standardize data protection procedures. Companies will be required to comply with measures regarding the data they hold and how it’s managed.
Data protection goes beyond being a legal necessity, but is also an important step in creating trust with your stakeholders, customers, clients and associates. It’s a process that requires transparency from your organisation and it's practices. There are several steps you need to take now in order to make sure you’re compliant with the new regulations, and we’ve presented a guide below to make sure you’re following best practices for your company's gateway i.e, Website:
For more guidance materials or tailored advice on GDPR & UKDP from subject matter experts, reach out to Securestorm here. We specialise in a range of Data Protection as a Service offerings including, GDPR Assessments, GDPR Planning & Management, DPO Services, Data Protection Impact Assessments and Privacy Management Services, to name a few.
cost effective gdpr compliance for sme'S
According to the latest survey results, the majority of SME businesses are unsure about meeting the GDPR compliance deadline. Moreover, a large part of the business community is unsure of the overall relevance of GDPR to their core business model and operations as well as the overall cost of compliance and business disruption it may cause.
So what should businesses do?
- Determine the relevance of GDPR to your business and operating model: GDPR is not about data protection, it is about personal data protection. It is important that businesses determine the degree of personal data they use.
Actual personal data usage may be very different from perception. For example – a simple weather updates portal. It does not need any personal customer data however it does store and processe the names, addresses, family details, bank account numbers, passport details, work authorisations, salaries, bonus payments and sick leave details of its 50 geographically spread agents. All of these are personal data and some are sensitive data
- Reorganise asset ownership and limit liabilities: SME owners should take advice on reorganising their business ownership and asset ownership. Numerous businesses start as one man idea and then evolve to become a small team. But, due to digital connect or a people based operating model, they collect significant personal data. Owning sensitive assets with associate compliance and liabilities can best be addressed by forming corporate entities and limiting individual liability.
The corporate entity should be the owner of share capital and owner of assets including data/digital assets – even if the product is an app available online with a relatively small number of users.
- Consolidate data ownership: Personal data is an essential element of business flow. Many SMEs use online software-as-a-service tools to manage their business processes and since one tool may not give them all functionalities, data often resides in multiple sets. It’s therefore critical that businesses build their data asset inventory and document who is owner/active custodian of data sets available.
This is good business practice and will provide GDPR and compliance objectives.
- Establish and evaluate scope of compliance: Consult your legal advisor to determine your scope of compliance. SMEs often operate as virtual organizations with staff working in different geographies and governed under different cyber security and data protection laws. Similarly, digital product consumption is global. It is therefore critical that SMEs draw a clear scope of compliance.
The scope of compliance needs to be evaluated to identify possible risk avoidance strategies, for example switching to a same country cloud service provider. Why climb the hill when you can go around it?
- Determine optimum compliance budget: Businesses need to establish an optimum compliance budget. It is important that management considers overall scale, sensitivity and competition parameters on personal data use. If a business uses significant personal data then GDPR compliance is a necessity. If however, GDPR compliance is also expected to offer competitive advantage then it’s important to have marketing team on-board and share some costs. Organisations can subscribe to numerous GDPR compliance services rather than making capital investments.
- Evaluate “DPO as a service”: GDPR requires an organisation to appoint a person in the position of Data Protection Officer - DPO. But, it gives flexibility to have the DPO position as a full time, part-time, shared or a contract resource. In order to reduce cost whilst maintaining compliance, SMEs must explore the option of appointing a shared DPO.
The DPO credential requirements are quite unique and “DPO as a service” provides SMEs the most efficient and practical support on compliance. The business should evaluate the DPO’s personal competence, intellectual property and support team available to address the variety of challenges that GDPR compliance is expected to present.
- Move to a managed service model with suppliers and insist on their GDPR readiness: Outsourcing or specialised sourcing is a great way of implementing efficiency and business compliance. Due to shared cost overheads, the impact of particular compliance drops significantly. In line with this strategy, organisations should move to a managed service model for the parts of their business operations which fit their outsourcing strategy. During the implementation of a managed service strategy as a business or efficiency initiative, specialised focus should be given on compliance. This should reflect in the contractual terms that are entered as well as the governance framework for performance management.
The Data controller will continue to remain accountable, sourcing a specialised and compliant data processor may just relieve management of large recurring compliance investments.
- Market your GDPR compliance as a competitive strength: SMEs need to market the GDPR compliance of their product and business to derive competitive leverage. Large businesses have much higher at stake in terms of penalties and brand loss but they also have compliance budgets and programs for internal systems and processes. These compliance programs include ensuring current and prospective suppliers are GDPR compliant.
Being ahead in the race for compliance and marketing it as a strength would avoid elimination on compliance grounds and lend a power advantage during techno-commercial negotiations.
- Implement cyber security hygiene practices: The key concern of regulatory (ICO) wrath will originate from two sources - A serious complaint from a data subject on systemic non-compliance or security incidents of personal data leakage impacting individual privacy. It’s therefore important to note that more than 70% of security incidents result from weak implementation of security basics, e.g. “admin-admin” username-password combinations, out dated unpatched systems, common password sharing, firewall any-any configurations, more than need/role based access, insider collusion, etc.
Implementation of good security basics (refer to Cyber Essentials ©) which includes managerial and technical controls gives moderately strong data protection assurance to business management and will shield against higher penalties.
- Take insurance cover: If the business is focussed on personal data, it is critically important that the organisation has cyber insurance cover.
This cost will provide the necessary oxygen in case of multiple controls failure. With a constant rise in cyber incidents and a higher participation of insider agents (employees, ex-employees, suppliers staff), data leakages by error can lead to fines, loss of goodwill, disruption of operations and significant erosion of customer confidence and revenue. There could be additional liabilities emerging from suits that may be filed by customers, investors or partners.
- Embrace privacy be design: SMEs need to make a fundamental shift on data governance. Their products, processes and customer interactions need to respect personal data from collection to disposal. They need to evaluate concepts of data minimization, data segregation, data retention, identity management, disclosures, consent and lawful/agreed processing norms. The concepts of the data lean organisation needs to be implemented.
This is a cultural change which DPOs are expected to drive as they operationalise their roles for GDPR compliance.
Check out our content & resources:
A Driving Force of 'DATA LEAN' Organisations
GDPR presents a unique opportunity for organisations to benefit from becoming “Data Lean”. This is a complete reversal of the current business mind-set where organisations collect maximum data about their current and potential customers because they believe it helps them to understand their needs better. The days of unauthorised data mining for upselling / cross selling certainly are numbered.
GDPR compliance necessitates organisations to change their business practices and data management systems. For example:
- Data Minimisation: The concept of data minimisation requires that only necessary data is collected as relevant to the business objective of the activity. Today organisations manually and automatically collect unnecessary data from customers so they have the option to mine it for future business purposes. Under GDPR, Data Controllers would be prohibited in collecting unjustified large data sets.
- Rights of Data Subject & Responsibilities of Organizations: GDPR grants individuals the right to enquire and seek all their personal details with the organisation to be provided within 30 days. Similarly, individual’s right to be forgotten implies an individual may demand deletion of all his/her personal data in all systems with the organisation. In order to comply, organisations will require all of their databases that contain personal data to be integrated or centrally managed across modern and legacy systems. Hence the limited the number of databases that store personal data the simpler the life for data controllers and processors.
- Data Processing, Sharing & Consent: GDPR requires organisations to seek individual consent for the purpose(s) that their personal data shall be used. It also requires explicit consent on sharing of data with 3rd parties and associates. Specific and Explicit consent provisions tie the hands of the organisations to “creative analytics” of personal data. It also limits organisation freedom to data partnerships for cross sales. Stretching the use of data to gain marketing leverage would certainly encourage individuals to use their right to object and/or withdraw consent.
- Data Relevance and Deletion: GDPR requires organisations to inform individuals how long their personal data shall be retained at the time of collection. To comply - organisations will need to envisage the time utility of data before the data collection activity and delete data after it has completed the committed time-frame. Alternatively, individuals are empowered to demand deletion at any time. This balance of rights would ensure that organisations only keep relevant data with themselves and adopt an effective data deletion policy.
GDPR compliance will drive organizations to maintain only necessary personal data which they need for agreed business purposes. While the cost of storing data is declining the cost of managing and safeguarding isn’t.
The advantages of becoming “Data Lean” include limited exposure to data loss issues, customer liabilities, regulatory wrath and goodwill damages as well as reduced cyber insurance premiums for compliant organisations.
VISIT OUR CONTENT:
GDPR: Force for 'Good' or an 'Evil' Necessity
by Alex Pavlovic - GDPR 'Strategist'
For those of you who were involved in the much maligned and, at the time, over-hyped Y2K or the ‘Millennium Bug’ you could be excused for thinking that with the General Data Protection Regulation (GDPR) there is a sense of déjà vu.
The “It’ll never happen” versus the “sky is falling on our heads” camps seem to be resurfacing.
It’s been 20ish years since the Y2K project work started. I worked in a trading floor environment at the time and there was a huge, aka expensive, project to identify systems and processes impacted by the date change; the risks of doing nothing far outweighed the investment. Quite a few instances were discovered and we did identify issues with hardware and software.
Was it the end of the world like some predicted: No.
Would it have impacted operations on January 2nd until they were fixed: Yes.
Would we have been able to trade: hmm, tricky - quite a few database and spreadsheet issues were identified. But was it a timely overhaul of outdated systems and processes: Yes.
What the lead up to Y2K did do was focus staff, and most importantly, the executive’s & senior management’s attention to the risks and impact of not doing anything - sound similar to some current conversations ?
The risks of doing nothing far outweighed the investment; at the time there were early and late remediation adopters.
Did that result in getting systems, infrastructure and controls updated (things which IT had been crying out for): Yes.
GDPR has rightly been identified and embraced by organisations (it could be said, long overdue) and plans are finally being developed to rectify the omissions in technical and organisational controls/measures. High profile projects once again have the Executives’ attention and support, albeit grudgingly in some cases. Commitment for resource and budgets are once again being given and remediation work has commenced.
If the controls aren’t implemented will it be the end of the world: No, though it could knock a hole in a company's finances.
Will it impact operations: it could do if a regulator orders a company to halt processing.
Will it be a timely overhaul of outdated systems and processes: I certainly hope so !
Leave your comments down below...
GDPR 'Strategist' &
Alex is a Lead Consultant with 25 years of IT, Audit, Information Security and Risk Management experience. He is a specialist in the GDPR and is an advisor and implementation manager for multiple clients across a wide range of industries. If you are interested to run or participate in GDPR sessions, contact: firstname.lastname@example.org
Visit our content: