A Quick Look - Preparing for GDPR.
1. GENERAL DATA PROTECTION REGULATION
HAVE YOU CONSIDERED...?
AWARENESS | INFORMATION YOU HOLD
COMMUNICATING PRIVACY INFORMATION
INDIVIDUALS' RIGHTS | SUBJECT ACCESS REQUESTS
LEGAL BASIS FOR PROCESSING PERSONAL DATA
CHILDREN | DATA BREACHES
DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
DATA PROTECTION OFFICERS | INTERNATIONAL
GDPR CONSIDERATIONS
KPRUK CONSULTING
QUICK REFERENCE
Email: rumseyp63@hotmail.com
2. Overview
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by the EU intended to strengthen and unify data protection for individuals within the European Union.
Scope:
The regulation applies if the data controller or processor (organisation) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive), the Regulation also applies to organisations based outside the European Union if they process personal data of EU residents.
Brexit:
The EU GDPR still applies to UK companies dealing with the EU.
When: The clock is ticking; it comes into force on 27th May 2018.
When GDPR comes into effect, a single complaint may result in an audit and a fine for improperly handling personal data. This fine could be up to 4% of a company's annual revenue.
3. Preparing for GDPR
Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Children
You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation's structure and governance arrangements.
International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Gartner predicts that, "By the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance". This exposes a company to a potential fine of up to 4% of annual revenue.