Presentation slides from an NCVO webinar, presented by Gary Shipsey from Protecture, which took place on 15 March 2018. View the webinar recording: https://youtu.be/WxlyCKwsPzQ
1. GETTING READY FOR GDPR:
DAY 1 AND BEYOND
15 MARCH 2018
GARY SHIPSEY
MANAGING DIRECTOR,
PROTECTURE
2. (1) WHAT IS THE GDPR? HOW DOES GDPR DIFFER FROM THE CURRENT LAW?
3. Same
• Principles-based law (not rule based)
• Principles
• Key definitions
• Risk
Greater emphasis
• Transparency
• Accountability
• Fines
4. “…shall be responsible for and be able to demonstrate compliance with the principles…”
5. DPO
Core activities = large scale:
1 systematic monitoring
2 public authority
3 special categories / criminal convictions and offences.
Existing employee (if no conflict of interests) or contract out.
Employer duties:
• Reports > to highest management level.
• Operates > independently
• Adequate resources > so can meet their obligations.
6. DPO / DP Lead
• Document internal analysis and position
• If choose DPO = same requirements apply
• “DP Lead” – ensure there is no confusion regarding their title, status, position & tasks
[Diagram: DPO / DP Lead at the centre, connected to IT, Fundraising, HR, Service delivery, Staff, Volunteers, Suppliers, Partners]
7. Strategically accountable
• Who is responsible at a senior level?
Operational owner
• Who drafts and updates the process / standard?
Tactical delivery
• Which team(s) / role(s) are involved in the delivery of the process / standard?
8. (3) WHAT IS YOUR RECORD OF PROCESSING ACTIVITY (ROPA) AND WHY IS IT KEY?
9. Record of Processing Activity:
A record of why, and on what basis, your organisation handles personal information to meet its business objectives.
The completed ROPA will be used by your organisation to:
• Assist the delivery of individual rights – e.g. know where to search
• Meet transparency obligations – e.g. informing them of lawful basis for processing
10.
• Provide information on the nature, scope, context and purposes of processing personal data, which is required for:
• risk management with regards to your responsibilities as a Data Controller;
• Data Protection by Design and by Default;
• Data Protection Impact Assessments, and
• risk-based decisions on information security
11. Purpose
“… specified, explicit and legitimate purposes …”
[Diagram: purpose linked to lawful basis; transparency; how much to collect; who needs to see it; who to share it with; how long to keep it; processing activities; extent to which people can use / enforce their rights; inform people / fairness]
12. (4) HOW CAN YOU ACHIEVE TRANSPARENCY? IS IT AS SIMPLE AS UPDATING YOUR PRIVACY POLICY?
13. “…user-centric rather than legalistic … The practical (information) requirements are outlined in Art. 12 - 14. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information…”
Article 29 Working Party Guidelines on transparency
14. ‘Privacy notice’ to describe all the privacy information you need to make available to people. It must:
• Be more detailed and specific
• Make notices understandable and accessible
• Be audience specific
• Use house-style language
“…still discretion for [you] to consider where the information… should be displayed in different layers of a notice.”
15. 15
Means of
providing
general privacy
information
Means of
providing
privacy
information
Baseline of specific
privacy information
(per Data Subject Category)
Privacy Information
AssessmentsUse to define how privacy
information will be provide
Three situations:
A. Collected directly from an
individual - e.g. via a form;
verbally; in person.
B. Come into the organisation from
another source - e.g. a referral
from another organisation; a
public source.
C. When existing personal data is to
be used for a new purpose
16. (5) HOW DO YOU PREPARE FOR…
• MANDATORY BREACH REPORTING
• DATA PROTECTION BY DESIGN AND BY DEFAULT
• HIGHER STANDARD CONSENT
17. Mandatory breach reporting
• Training
• Process
• Decision making
Higher standard consent
• What have you got now?
• Re-permission where needed (methods are critical)
Data Protection by Design and by Default
• Touch-points
• Assessment
19. Take into account:
• state of the art + the costs of implementation
• the nature, scope, context, purposes of processing
• risk of varying likelihood and severity for the rights and freedoms of natural persons
“…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
21. Objectives
• Establish whether you need to appoint a formal DPO
• Decide and document who will lead on managing data protection risk
• The resources you are committing
• Your approach to data protection training and awareness
Output
A record of who is leading on data protection for your organisation; the resources committed and approach to training and awareness.
22. Objectives
Establish the extent to which your current procedures, policies and/or guidance deliver the GDPR’s key requirements.
Make changes and/or create new procedures where required.
Output
A set of policies, procedures and/or guidance that confirm how you will tactically deliver the key requirements of the GDPR.
Objective
Establish how you will monitor and report on compliance for each of the GDPR’s key requirements.
Output
Details of how you monitor and report on the key requirements of the GDPR.
23. Objective
Confirm strategic accountability and operational ownership of each key GDPR requirement.
Output
Confirmation of who is strategically accountable for each key GDPR requirement, and who owns each one at an operational level.
24. Objective
Create and maintain your Record of Processing Activity (ROPA) – the record of why, and on what basis, your organisation handles personal information to meet its business objectives.
Output
Your Record of Processing Activities (ROPA).
25. Data Protection Policy Framework
#1 - Readiness Assessments
#2 - Management & Delivery Of Key GDPR Requirements
#3 - Record Of Processing Activity
#4 - Data Journeys
#5 - Privacy Information Strategy
#6 - Relationships
#7 - Information Security
Editor's Notes
(1) what are the GDPR principles – what is changing, and what is staying the same?
(2) what does accountability look like under GDPR?
(3) what is your Record of Processing Activity (ROPA) – and why is it key
(4) how can you achieve transparency – is it as simple as updating your privacy policy?
(5) how do you prepare for mandatory breach reporting; Data Protection by Design and by Default and DPO role and the higher standard of consent?
(6) what does appropriate security look like?
(7) what are the five key steps to take today?