CBC GDPR – 1 month to go
•Télécharger en tant que PPTX, PDF•
0 j'aime•200 vues
This document discusses the next steps for complying with the General Data Protection Regulation (GDPR). It outlines 6 key principles of data protection under GDPR and recommends completing a data audit and gap analysis to determine what data is collected, how it is stored and accessed, and where compliance gaps exist. Additional next steps include documenting policies around data protection, privacy notices, consent procedures, and data subject rights, as well as establishing agreements for third party data processing and a data breach procedure. Regular review and registration with the Information Commissioner's Office are also advised.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (13)
Similaire à CBC GDPR – 1 month to go
Similaire à CBC GDPR – 1 month to go (20)
Plus de Jason Chapman
Plus de Jason Chapman (20)
Dernier
Dernier (20)
CBC GDPR – 1 month to go
- 1. GDPR – The next steps !
- 2. 6 PRINCIPLES OF DATA PROTECTION 1. Lawfulness, fairness, transparency 2. Purpose Limitation 3. Data Minimisation 4. Accuracy 5. Storage Limitation 6. Integrity and confidentiality
- 3. NEXT STEPS…. DPO or not ? Carry out a Data Audit and Document it (Data Map) • Controller or Processor ? • What do I have ? • How do I get it ? • Where do I store it ? • Locally (digital), Locally (Physical) or Cloud digital • Who has access to it ? • How secure is it ? NOTE: GDPR applies to customers AND suppliers AND Employees Complete a Gap Analysis Spreadsheet • It looks complex and difficult but its not ! • This shows your compliance Gaps • Allows you to determine which ones you address first • Written form of Data Audit covering most Articles of GDPR – including location, Legal Basis etc.
- 4. NEXT STEPS…. Documentation 1. Data Protection Policy Statement 2. Information Security Policy 3. Privacy Notice 4. Consent - Notify existing customers of your GDPR program and ask for positive consent to store and use their data – strictly for the purposes of your business with them AND tell them the rights they have 5. Give your customers an easy to follow form/procedure for Subject Access requests • What data you have • Correcting errors in that data • Deleting that data • Restriction of processing • Data Portability • The right to object • The right to appropriate decision making 6. Third Party Data Processing agreements – signed, legal and binding 7. Data Breach Procedure
- 5. AND FINALLY…. • Register with the ICO and advise clients of this. • Regularly monitor and review policy, procedures and published documentation to ensure they remain effective and relevant
- 6. Thank You !
Notes de l'éditeur
- No DPO but all staff must be aware of their obligations to GDPR and this must be recorded – coulde be on the GAP Analysis – see later Consent Contractual Legal Obligation Vital Interests Public Interest Legitimate Interest
- Documentation Data Protection Policy Statement setting out your approach to GDPR and the security of information in your business. Information Security Policy stating that you will ensure that storage and transmission of data is appropriately secure. While the ICO and larger organisations treat these as 2 separate topics, smaller companies could make “Information Security” a sub section of your Data Protection Policy Statement Privacy Notice for clients who you are, why you’re collecting data (e.g. to fulfil a contractual obligation), to confirm what it’s being used for , what you’ll do with it, the safeguards you have in place and setting out their rights a regards restriction of use etc. Where websites are used for the gathering of information these privacy statements will need to cover the use of cookies etc. Subject access requests Easy to use procedure (and maybe a form) for clients to contact you asking about their rights:- What data you have Correcting that data Deleting that data Restriction of processing Data Portability The right to object to certain types of processing The right to restrict decision making based on automated processing
- Documentation Data Protection Policy Statement setting out your approach to GDPR and the security of information in your business. Information Security Policy stating that you will ensure that storage and transmission of data is appropriately secure. While the ICO and larger organisations treat these as 2 separate topics, smaller companies could make “Information Security” a sub section of your Data Protection Policy Statement Privacy Notice for clients who you are, why you’re collecting data (e.g. to fulfil a contractual obligation), to confirm what it’s being used for , what you’ll do with it, the safeguards you have in place and setting out their rights a regards restriction of use etc. Where websites are used for the gathering of information these privacy statements will need to cover the use of cookies etc. Subject access requests Easy to use procedure (and maybe a form) for clients to contact you asking about their rights:- What data you have Correcting that data Deleting that data Restriction of processing Data Portability The right to object to certain types of processing The right to restrict decision making based on automated processing
- Latest GDPR news 19/06/2017: 23% of small UK firms haven't started preparations for GDPR Nearly a quarter of small UK businesses still haven't started preparing for data protection rules that are less than a year away, according to a survey.