Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Website Managers
•
0 j'aime•1,974 vues
Sarah Backhouse, Product Manager for Jadu Continuum CMS presented an easy to follow guide on GDPR at Jadu Academy in Scotland in November 2017. The guide helps you understand the key areas Website Owners and managers and Digital Service Managers can manage compliance with GDPR.
Contenu connexe
Tendances
Tendances (20)
Similaire à Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Website Managers
Similaire à Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Website Managers (20)
Dernier
Dernier (20)
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Website Managers
- 1. Preparing for GDPR Sarah Backhouse Product Manager — Jadu Continuum CMS
- 2. GDPR imposes new rules on organisations that offer goods and services to people in the EU, or that collect and analyse data connected to EU citizens, no matter where they are located. 25th May 2018 General Data Protection Regulation ✓ Enhanced personal privacy rights ✓ Increased duty for protecting data ✓ Mandatory breach reporting ✓ Significant penalties for non-compliance
- 3. Individuals have the right to: • Access their personal data • Correct errors in their personal data • Erase their personal data • Object to processing of their personal data • Export personal data Key changes in GDPR Controls • Protect personal data using appropriate security practices • Notify authorities with 72 hours of breaches • Receive consent before processing personal data • Keep records detailing data processing Transparent policies • Provide clear notice of data collection • Outline processing purposes and use cases • Define data retention and deletion policies IT & Training • Train privacy personnel & employees • Audit & update data policies • Employ a Data Protection Officer • Create & manage processor/vendor contracts Processor obligations
- 4. Strategy for getting started Discover Identify what personal data you have and where it resides Manage Govern how personal data is used and accessed Protect Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches Report Keep required documentation, manage data requests and breach notifications
- 5. Discover
- 6. What information do you hold? Any identifying data Name Email address Social media posts Physical, physiological, or genetic information Medical information Location Bank details IP address Cookies Cultural identity
- 7. Where does the information reside? All places that store personal data Emails Documents Databases Removable media Metadata Log files Backups
- 8. Discover Data you collect User accounts Online forms 3rd Party integrations Social media Analytics Advertisements Data you share Data exports Back office integrations Data shared with 3rd parties This information should be stored for future reference in an inventory of personal data held, and referenced in your privacy policy.
- 9. Manage
- 10. How do you manage this information? Your policies and procedures need to cover: • The right to be informed • The right of access • The right to rectification • The right to erasure • The right to restrict processing • The right to data portability • The right to object • The right not to be subject to automated decision making and profiling
- 11. How would you…? • Process a request to delete someone’s personal data? • Provide data where the right to data portability is invoked? • Manage a correction to data that you hold? • Allow access to personal data? • Record consent for data to be processed? • Verify the age of individuals to account for special protection for children?
- 12. Consent • prominent • not in terms and conditions • not using pre-ticked boxes • clear, plain language • specify why you want the data • specify what you’re going to do with it • granular options to consent to independent processing • named organisations • tell individuals they can withdraw their consent • ensure they can refuse consent without detriment
- 13. Privacy notice • Contact details of the controller and data protection officer • Purpose and your lawful basis for processing the data • Who data is shared with and transfers to other countries • Data retention times • Rights of the data subject • That individuals have the right to complain and withdraw consent • Consequences of failing to provide the personal data • Easy to understand, clear language
- 14. Protect
- 15. Security of data • Are you auditing who has access to personal data? • Are you testing your security regularly? • Are you prepared for Data Protection Impact Assessments when procuring new technology?
- 16. Encryption • Do you know what data you hold in an encrypted form? • Do you know what encryption algorithm is in use? • Do you know if there is any data being held that should be encrypted and isn’t? Continuum: • form responses: AES algorithm • user details: Triple DES algorithm • passwords: BCrypt password hashing function
- 17. Data breaches • can you detect a breach? • can you report a breach? notify DPA and customers • do you have the procedures in place to investigate a breach? Consider: • network security • storage security • compute security • identity management • access control • encryption • risk mitigation
- 18. Report
- 19. Record keeping You will need to record: • Register of personal data held and where • Classification of data • 3rd parties with access to the data • Purpose of processing the data • Security measures you have in place to protect the data • Data retention times You may need to make these records available to the supervisory authority
- 20. Summary • GDPR is coming May 2018 • GDPR includes increased rights for individuals and increase responsibilities for record keeping • Review areas of your website where you’re collecting data to ensure compliance, such as your privacy notice and where you ask for consent to process data • Check that you have security activities in place so that you can demonstrate compliance • Set up processes to handle new rights
- 21. jadu.net/gdpr