What you need to do to prepare for GDPR, and the actions to take now to be compliant by May 2018.
John Godwin, Director of Compliance and IA at UKCloud and Keith Dewar, Group Marketing & Product Director at MyLife Digital presented on:
- The impact of GDPR:
- Why data protection is essential for information security
- The key requirements for GDPR and what this means for you
- The cost of getting GDPR wrong
- The 5W framework
- How to use the 5W framework to assess your processes
- What organisations need to record
- The opportunities that GDPR presents to engage with your supporters
- How to audit your data
- How consent can grow your organisation through trust
- How to know the current state of your data and consents
- Know the impact of GDPR on your organisation before May 2018
Download the slides from the webinar here.
Plain text is below:
Getting Ready for GDPR
General Data Protection Regulation
or, in other words
Getting Data Protection Right!
- The UK has decided to leave the EU; this will take up to 2 years.
- EU-GDPR will be introduced in May 2018.
- Matt Hancock MP … GDPR is a “decent piece of legislation”.
- Identified need to maintain trading and business relationships, and data flows, with the remainder of the European Union
- People tend to react only to security issues that affect them.
- Regulators react to security issues they become aware of.
- A compromise or breach = weak information security controls.
- Awareness commonly comes via news channels, press or social media.
- Or maybe something not right with an online bank account.
- Or their social media accounts such as Facebook or Twitter?
- Thankfully, not an issue for the majority of users, the majority of the time.
Privacy is Different
- Affects everybody, regardless of their age, status, wealth or location.
- Hard to avoid, difficult to ignore:
  - The annoying pop-up you see in your web browser
  - The junk post and email you receive
  - Supermarkets targeting their marketing and offers
  - Controlling visibility of personal data on social media
- Privacy doesn’t need a breach to be important
- Data privacy affects every individual person – simply because they are alive.
- Three things we can be certain of. Death. Taxes. The processing of our personal data.
- Trust cannot be purchased. It needs to be earned.
- GDPR protects the rights of data subjects: it will impact everyone and every entity, including:
  - Government departments
  - Large corporations
  - Charities, clubs and societies.
Privacy by Design, PIA
- Ensuring that data privacy is integrated into activities, processes and systems.
- Data Protection Impact Assessments:
  - To demonstrate compliance to GDPR
  - To reduce the risk of breaches, penalties
  - To highlight activities requiring remediation
  - To provide visibility to citizens and customers
  - To keep your house in good order
Data Subject Consent
A data subject’s consent for the processing of their personal data must be:
- able to be revoked
- recorded, securely stored
- … and retrospective
Citizen Right to be Forgotten
- Citizens' right to request removal of their personal data without delay.
- Withdrawal of processing consent if there is no other legal need for retaining it.
- Google vs. Spain: removal of irrelevant or historic data from search engine results.
- Organisations need to develop procedures, delivered by competent resources, to ensure compliance.
- GDPR applies to all 28 countries of the EU.
- GDPR will apply to non-EU organisations who:
  - Provide goods or services to EU citizens, or
  - Monitor EU citizens or their behaviour
- To be compliant, they will need an accountable EU representative.
- How will the larger, non-EU (and cloud) providers evolve to meet this requirement?
- What does this mean for cloud service providers and users of their services?
- Ongoing challenges to the Safe Harbor replacement “Privacy Shield”
Data Controller & Processor
- Data controllers are responsible under UK law for the security of personal data.
- Data processors then undertake the lawful instructions of the data controller.
- Liabilities are managed by the contract between the controller and processor.
- GDPR introduces joint and several liability.
- Data subjects won’t differentiate between the roles … so may pursue both?
- This introduces contractual uncertainty. How to address this?
- Look for contractual clarity from suppliers as a key element of due diligence.
Data Protection Officers
- Under certain circumstances, a designated DPO will be needed:
  - Large-scale processing of personal data, or
  - Regular, large-scale monitoring of data subjects, or
  - Processing by a public authority
- DPOs need to have appropriate knowledge/experience.
- Is this a function required by your organisation?
Mandatory Breach Notifications
- Compulsory disclosure of ALL data breaches – even if only suspected
- Tight windows for disclosure require prompt attention – 72 hours
- Expect open publication of breaches and penalties
- Nature of follow-up by UK Regulator – to be advised
- Also … substantial penalties for even failing to report
- Associated negative impact for organisations and brands
- Damage to customer confidence, reduction in revenue
Cost of Getting it Wrong
- Current maximum penalty under UK Data Protection Act available to the Information Commissioner … £500,000
- Up to 4% of annual, worldwide turnover or €20 million (2% or €10m for less serious breaches)
- Increasing mistrust by citizens – how and where is their personal data being processed?
- High profile cases include Snowden vs. NSA, Schrems and Safe Harbor (crowd-funded!)
- Privacy activists already taking action against Privacy Shield.
- To the average citizen, will GDPR be the next “PPI” style money generating opportunity?
- More rights to complain, probably at no cost.
- Emergence of class actions?
- Citizen groups and trade union actions?
Citizen Data Functions
- How will the consent of citizens be obtained and maintained? Retention and data minimisation?
- Processes for subject access requests and permanent data deletion (incl. cloud environments)
- Internal process controls and training so all employees understand the impact of breaches
Personnel / HR Management
- Obtaining and secure storage of data needed for personnel management purposes
- Consider implications of outsourced or cloud-based payroll, benefits, training providers
- Access to employee data should be minimised to maximise security
- Proactive requests to your suppliers to understand their compliance position on GDPR
- Contractual clauses committing them to meet their GDPR responsibilities
- How will data security breaches in the supply chain be promptly identified and fully notified?
Far reaching across all departments/functions … the above is just a sample. Start planning!
Use Available Guidance
- Many law firms have already published helpful guidance on GDPR.
- Whilst this may change as a result of Brexit, the principles are sound and likely to remain.
- Search online for available resources, and assess your organisation’s readiness.
- One example – Bird & Bird (www.twobirds.com)
Seek Specialist Help
- A number of specialised providers are helping to reduce the burden of meeting elements of the GDPR framework. UKCloud partner MyLife Digital has developed a “Consent-as-a-Service” offering to help record and track citizen consent when they use various on-line applications and services.
- By placing citizens at the heart of deciding where their personal data is visible, shared and used, this addresses the GDPR requirement for Consent Management and assists with Right to be Forgotten.
Ask this Question
If GDPR were to come into force tomorrow, with your current consents, what would happen to your income?
- Income risk across segments, products, channels
- Scenario planning on incremental attainment of correct consent vs. income
- Impact of consent on attrition rates across supporter/customer types
- Cost per supporter/customer acquisition pre-GDPR vs post-GDPR
How to Audit your Data
- GDPR applies to data from which a living EU citizen could be identified
- Understand what personal data you hold across organisational systems
- Scan it against the 5W framework to understand its consent status
- Create a live consent management framework going forward
The 5W Framework
- What data has been collected?
- Why was the data collected (purpose)?
- Who is using the data?
- When was the permission granted (timestamp)?
- Where was the permission granted (source or channel)?
- Kantara Initiative: de facto standard for consent receipts
- Ability to view my consent history increases my trust
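The 5W fields above, together with the earlier requirements that consent be recorded, securely stored, revocable and retrospective, map naturally onto an append-only consent ledger. The following Python is an added example, not code from the webinar, the slides or MyLife Digital's Consent-as-a-Service: each receipt records what/why/who/when/where plus whether consent was granted or withdrawn, the ledger answers "is this processing consented now, or was it at time T?", exposes a per-subject consent history, and audits a data inventory for items that lack valid consent. All identifiers, timestamps, channel names and inventory entries are constructed for illustration.

```python
# Added example: an append-only consent ledger built on the 5W fields.
# Not from the webinar or from MyLife Digital; all names, identifiers,
# timestamps and inventory entries below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ConsentReceipt:
    """One consent event, answering the five W questions."""
    subject: str        # data subject identifier (pseudonymous)
    what: str           # What data was collected? e.g. "email"
    why: str            # Why was it collected (purpose)? e.g. "newsletter"
    who: str            # Who is using the data? (controller or processor)
    when: datetime      # When was permission granted or withdrawn? (UTC)
    where: str          # Where was it granted? (source or channel)
    granted: bool       # True = consent given, False = consent withdrawn


Key = Tuple[str, str, str, str]  # (subject, what, why, who)


class ConsentLedger:
    """Append-only: a withdrawal is a new receipt, never an edit or deletion,
    so the ledger can answer retrospective questions and show a full history."""

    def __init__(self) -> None:
        self._receipts: List[ConsentReceipt] = []

    def _add(self, key: Key, where: str, when: datetime, granted: bool) -> ConsentReceipt:
        if when.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        subject, what, why, who = key
        receipt = ConsentReceipt(subject, what, why, who, when, where, granted)
        self._receipts.append(receipt)
        return receipt

    def grant(self, key: Key, where: str, when: datetime) -> ConsentReceipt:
        return self._add(key, where, when, True)

    def withdraw(self, key: Key, where: str, when: datetime) -> ConsentReceipt:
        return self._add(key, where, when, False)

    def status(self, key: Key, at: Optional[datetime] = None) -> bool:
        """Consent state for `key` at time `at` (default: consider all receipts).
        The latest receipt on or before `at` decides; no receipt means no consent."""
        latest: Optional[ConsentReceipt] = None
        for r in self._receipts:
            if (r.subject, r.what, r.why, r.who) != key:
                continue
            if at is not None and r.when > at:
                continue
            if latest is None or r.when >= latest.when:
                latest = r
        return latest is not None and latest.granted

    def history(self, subject: str) -> List[ConsentReceipt]:
        """All receipts for one subject, oldest first (a 'view my consent history' feed)."""
        return sorted((r for r in self._receipts if r.subject == subject),
                      key=lambda r: r.when)

    def audit(self, inventory: Sequence[Key]) -> List[Key]:
        """Scan held data (one key per item actually processed) against the ledger
        and return the items that have no valid consent today."""
        return [item for item in inventory if not self.status(item)]


# Constructed sample timestamps (UTC).
T_GRANT = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
T_MID = datetime(2017, 7, 15, 12, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2017, 9, 1, 9, 0, tzinfo=timezone.utc)

# Constructed keys: (subject, what, why, who).
NEWSLETTER_001: Key = ("subj-001", "email", "newsletter", "example-charity")
EVENTS_002: Key = ("subj-002", "postcode", "event-invites", "example-charity")
NEWSLETTER_003: Key = ("subj-003", "email", "newsletter", "example-charity")

# Constructed inventory: data the organisation actually holds and uses.
SAMPLE_INVENTORY: List[Key] = [NEWSLETTER_001, EVENTS_002, NEWSLETTER_003]


def build_sample_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.grant(NEWSLETTER_001, "web-signup", T_GRANT)
    ledger.withdraw(NEWSLETTER_001, "preference-centre", T_WITHDRAW)
    ledger.grant(EVENTS_002, "paper-form", T_GRANT)
    # subj-003 appears in the inventory but has no consent receipt at all.
    return ledger


def audit_sample() -> List[Key]:
    """Items in the constructed inventory lacking valid consent today."""
    return build_sample_ledger().audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for item in audit_sample():
        print("no valid consent:", item)
```

Two design points matter for the GDPR requirements. Withdrawal is a new receipt rather than a change to the original record, so the history shows that consent once existed and when it ended, which is what a "retrospective" ledger and a consent-history view both need. And `status` defaults to "no consent" whenever no receipt exists, so data that predates the ledger surfaces in the audit instead of being silently treated as consented.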
The positive side of compliance
- Away from legislative changes, there are well-documented citizen trends:
  - Declining trust in organisations, especially online
  - Increased privacy concerns
  - Lack of transparency
- Much research points to correlations between consent, trust & engagement
  - E.g. Boston Consulting Group:
    - If properly consented, individuals will share five times more data
    - An erasure button doubles the level of trust in an organisation