The General Data Protection Regulation (GDPR) is an EU legal requirement. The UK Data Protection Act (2018) incorporates the GDPR into UK law.
Personal data for individuals shall be processed lawfully, fairly, and in a transparent manner.
People need to be told what personal data is being collected and for what purpose.
Personal data shall be collected for specified, explicit, and legitimate purposes. It shall not be used for any other reasons that conflict with these purposes.
Personal data shall only be kept and processed for as long as it is required for that purpose and for no longer than that.
A Data Protection Officer (DPO) is required if you process large amounts of sensitive personal data or systematically monitor Data Subjects on a large scale.
Personal data must be kept up-to-date and accurate.
People have the right to receive a copy of their data, or can request that their personal data no longer be used. In some cases, they can have it erased entirely.
Organizations must implement appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure.
In addition, organizations need to ensure all staff members who handle personal data are properly trained in how to secure and protect that data.
DPO: A GUIDANCE DOCUMENT
Securestorm's experienced Data Protection Team has released an extensively researched guidance document on the roles, responsibilities, regulations, and applicability of Data Protection Officers. It aims to clear up misconceptions and promote better understanding for organisations that are considering a DPO role within their practice.
Reach out to our knowledgeable GDPR Practitioners to address GDPR-related questions, for an invitation to complimentary GDPR learning sessions, or to discuss your personal or organisational requirements. We advise clients across the Public and Private Sectors on all things Data Protection (GDPR/Privacy), Cloud & Cyber Security.
OUR GUIDE TO THE DPO DECISION
A GUIDE TO GDPR COMPLIANCE FOR YOUR WEBSITE
It’s only a few months until the General Data Protection Regulation (GDPR) comes into force, with May 2018 almost upon us. The new regulation created by the European Commission aims to standardise data protection procedures. Companies will be required to comply with measures regarding the data they hold and how it’s managed.
Data protection is not only a legal necessity; it is also an important step in building trust with your stakeholders, customers, clients and associates. It’s a process that requires transparency from your organisation and its practices. There are several steps you need to take now to make sure you’re compliant with the new regulations, and we’ve presented a guide below to make sure you’re following best practices for your company's gateway, i.e. your website:
For more guidance materials or tailored advice on GDPR & UKDP from subject matter experts, reach out to Securestorm here. We specialise in a range of Data Protection as a Service offerings including GDPR Assessments, GDPR Planning & Management, DPO Services, Data Protection Impact Assessments and Privacy Management Services, to name a few.
COST-EFFECTIVE GDPR COMPLIANCE FOR SMEs
According to the latest survey results, the majority of SME businesses are unsure about meeting the GDPR compliance deadline. Moreover, a large part of the business community is unsure of the overall relevance of GDPR to their core business model and operations as well as the overall cost of compliance and business disruption it may cause.
So what should businesses do?
- Determine the relevance of GDPR to your business and operating model: GDPR is not about data protection in general, it is about personal data protection. It is important that businesses determine the degree to which they use personal data.
Actual personal data usage may be very different from perception. Take, for example, a simple weather updates portal. It does not need any personal customer data; however, it does store and process the names, addresses, family details, bank account numbers, passport details, work authorisations, salaries, bonus payments and sick leave details of its 50 geographically spread agents. All of these are personal data and some are sensitive data.
- Reorganise asset ownership and limit liabilities: SME owners should take advice on reorganising their business ownership and asset ownership. Numerous businesses start as a one-person idea and then evolve to become a small team. But, due to their digital connectivity or a people-based operating model, they collect significant personal data. Owning sensitive assets, with the associated compliance obligations and liabilities, can best be addressed by forming corporate entities and limiting individual liability.
The corporate entity should be the owner of the share capital and the owner of the assets, including data and digital assets, even if the product is an app available online with a relatively small number of users.
- Consolidate data ownership: Personal data is an essential element of business flow. Many SMEs use online software-as-a-service tools to manage their business processes, and since one tool may not provide all the functionality they need, data often resides in multiple data sets. It’s therefore critical that businesses build their data asset inventory and document who is the owner or active custodian of each data set.
This is good business practice and will support GDPR and other compliance objectives.
- Establish and evaluate scope of compliance: Consult your legal advisor to determine your scope of compliance. SMEs often operate as virtual organizations with staff working in different geographies and governed under different cyber security and data protection laws. Similarly, digital product consumption is global. It is therefore critical that SMEs draw a clear scope of compliance.
The scope of compliance needs to be evaluated to identify possible risk avoidance strategies, for example switching to a same-country cloud service provider. Why climb the hill when you can go around it?
- Determine an optimum compliance budget: Businesses need to establish an optimum compliance budget. It is important that management considers the overall scale, sensitivity and competitive parameters of its personal data use. If a business uses significant personal data then GDPR compliance is a necessity. If, however, GDPR compliance is also expected to offer competitive advantage, then it’s important to have the marketing team on board and share some of the costs. Organisations can subscribe to numerous GDPR compliance services rather than making capital investments.
- Evaluate “DPO as a service”: GDPR requires an organisation to appoint a person to the position of Data Protection Officer (DPO). But it gives flexibility to fill the DPO position with a full-time, part-time, shared or contract resource. In order to reduce cost whilst maintaining compliance, SMEs must explore the option of appointing a shared DPO.
The DPO credential requirements are quite unique and “DPO as a service” provides SMEs the most efficient and practical support on compliance. The business should evaluate the DPO’s personal competence, intellectual property and support team available to address the variety of challenges that GDPR compliance is expected to present.
- Move to a managed service model with suppliers and insist on their GDPR readiness: Outsourcing or specialised sourcing is a great way of achieving efficiency and business compliance. Because the overheads are shared, the cost impact of any particular compliance requirement drops significantly. In line with this strategy, organisations should move to a managed service model for the parts of their business operations which fit their outsourcing strategy. When implementing a managed service strategy as a business or efficiency initiative, specialised focus should be given to compliance. This should be reflected in the contractual terms that are entered into as well as in the governance framework for performance management.
The data controller remains accountable, but sourcing a specialised and compliant data processor may relieve management of large recurring compliance investments.
- Market your GDPR compliance as a competitive strength: SMEs need to market the GDPR compliance of their product and business to derive competitive leverage. Large businesses have much more at stake in terms of penalties and brand loss, but they also have compliance budgets and programmes for internal systems and processes. These compliance programmes include ensuring that current and prospective suppliers are GDPR compliant.
Being ahead in the race for compliance, and marketing it as a strength, would avoid elimination on compliance grounds and lend a strong advantage during techno-commercial negotiations.
- Implement cyber security hygiene practices: Regulatory (ICO) enforcement will typically originate from two sources: a serious complaint from a data subject about systemic non-compliance, or a security incident involving leakage of personal data that impacts individual privacy. It’s therefore important to note that more than 70% of security incidents result from weak implementation of security basics, e.g. “admin-admin” username-password combinations, outdated unpatched systems, shared passwords, firewall any-any configurations, access beyond what the need or role requires, insider collusion, etc.
Implementation of good security basics (refer to Cyber Essentials ©), which include managerial and technical controls, gives moderately strong data protection assurance to business management and will shield against higher penalties.
- Take insurance cover: If the business is focussed on personal data, it is critically important that the organisation has cyber insurance cover.
This cost will provide the necessary oxygen in case of multiple control failures. With a constant rise in cyber incidents and higher participation of insider agents (employees, ex-employees, suppliers' staff), data leakages caused by error can lead to fines, loss of goodwill, disruption of operations and significant erosion of customer confidence and revenue. There could be additional liabilities arising from suits that may be filed by customers, investors or partners.
- Embrace privacy by design: SMEs need to make a fundamental shift in data governance. Their products, processes and customer interactions need to respect personal data from collection to disposal. They need to evaluate the concepts of data minimisation, data segregation, data retention, identity management, disclosures, consent and lawful/agreed processing norms. The concept of the data-lean organisation needs to be implemented.
This is a cultural change which DPOs are expected to drive as they operationalise their roles for GDPR compliance.