The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to focus on compliance given the enhanced penalties and wider scope of GDPR.
The Essential Guide to GDPR
The new data protection regulations, the impact on your systems and the solutions that can assist with compliance
Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance.
I have therefore put together this guide, The Essential Guide to GDPR, and its sister website GDPRwiki.com.
This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact, and particularly those that will need some attention prior to 25 May 2018, the deadline for compliance.
The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant. Again, this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services. As the deadline gets closer I expect more technologies and services to appear, and I hope to highlight these in the next edition of this guide.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy”
Steve Wood, Deputy Commissioner, ICO
This guide focusses on:
Brexit
Controller or Processor
User Rights
Privacy by Design
Cloud Services
Data Protection Officer
Consent
Impact Assessment
The General Data Protection Regulation is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly, GDPR is designed to better take into account modern technologies, the way we work with them today and the way we are likely to work in the future.
In addition, there is a much greater emphasis on compliance, following a widely held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use.
THE 6 GDPR DATA PROTECTION PRINCIPLES (Article 5):
Personal data shall be:
1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject;
2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Brexit
There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws, there has been significant commentary, including a statement from the Information Commissioner’s Office (ICO), suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies:
GDPR comes before Brexit
The GDPR comes into force on 25 May 2018; the earliest Brexit can happen is January 2019, and until then all EU laws apply.
Application
The GDPR applies to the personal data of individuals in the EU regardless of where the controlling or processing of that data takes place (Article 3). This means that organisations in countries outside of the EU (including the US and an independent UK) would have to apply GDPR to client data where the client is in the EU.
Adequate data protection
For personal data to flow from the EU to a country outside it, that country must offer ‘adequate’ data protection. It is likely that GDPR will be the standard against which adequacy is judged, so the UK would have to introduce an equivalent replacement if it decided to revert to its existing data protection regime, which would simply be GDPR under a different name.
Competing with the EU
Data is fast becoming the new oil and, in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data-centric business.
Controller or Processor
Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and the client they sell to. Much of this data is sensitive, either for commercial reasons or because it directly relates to an individual.
Various sectors from health to finance to legal all have their own specific governance regulations, sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all.
There will not be many businesses that do not hold or process personal data, but it is important for each to understand its role and responsibilities as determined by the GDPR. The two significant roles are those of ‘controller’ and ‘processor’.
GDPR says…
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; - Article 4(7) of GDPR
A business will be determined a ‘controller’ for the client, prospect and employee personal data it stores and uses.
GDPR says…
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; - Article 4(8) of GDPR
A cloud service provider or third-party data host will in most cases be determined a ‘processor’.
Personal or Sensitive
It is important to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulation, as different levels of protection are required; for sensitive data some of these are mandatory and the controller must be able to account for them. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients.
Personal Data
The definition of personal data has been broadened to include anything that can be directly or indirectly associated with an individual. GDPR broadly keeps the existing definitions but adds digital footprints such as cookies and IP addresses (‘online identifiers’).
GDPR says…
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4(1) of GDPR
Sensitive Personal Data
The following are the GDPR classifications for sensitive personal data (the ‘special categories of personal data’):
GDPR says…
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9(1) of GDPR
The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9(2) is met. These include:
9(2)(a) – explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law;
9(2)(e) – data manifestly made public by the data subject.
User Rights
In addition to the duty of a firm to protect its information, there are a number of enhanced or new data subject rights that it will need to be mindful of, as each could demand considerable administration capability, particularly if the necessary access and recovery tools are not in place.
Data subject access requests (DSARs) will be easier for clients and employees to make. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, a request may be refused on a number of grounds if it is manifestly unfounded or excessive.
Right to Erasure
A new right under GDPR is to have data deleted. There are several grounds on which such a request can be refused, such as a conflicting legal obligation or the public interest, but once the legitimate reasons for denial are exhausted the data must be deleted.
Right to Portability
Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’.
Key Tools
Search, Delete, Export
Key Solution Providers
GDPR Says...
The response to a DSAR will include:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Article 15 of GDPR
Privacy by Design
Privacy by design is a concept that features consistently throughout the GDPR. In essence, it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes.
Security by design and by default
The GDPR requires that controllers (and the processors acting for them) should be “audit-ready” at all times, meaning that their systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘data protection by design and by default’ that applies to all personal data, not only sensitive data, and the onus will be on the controller to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this.
Firms must implement technical and organisational measures to show that they have considered and integrated data protection measures into their processing activities.
Key Design Principles
Only the data necessary for each specific purpose is to be processed, which applies to:
Amount of data
Extent of processing
Retention period
Access to data
Technical measures
There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies.
Organisational measures
This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities.
GDPR Says...
Data protection by design and by default
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 25 of GDPR
Security of Processing
GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation (Article 24). The legislation goes on to describe the security required for processing data:
pseudonymisation and encryption
confidentiality, integrity, availability and resilience of processing systems and services
the ability to restore availability of and access to data after an incident
regular testing, assessing and evaluating of the effectiveness of technical and organisational measures
It is an obligation to ensure that a controller only engages third-party data processors or cloud service providers if they also comply with the above.
Key Tools
Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control
Key Solution Providers
GDPR Says...
Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Article 32 of GDPR
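As an added example (not code from the guide or from any of the solution providers it lists), the following Python script shows the Article 32(1)(a) measure of pseudonymisation done in a way that stands up to the Article 32(2) risk assessment: direct identifiers are replaced with an HMAC under a key the controller keeps apart from the dataset, and the same script shows why an unkeyed hash of an email address is not pseudonymisation, because a small candidate list reverses it. The customer records and candidate list are constructed for the demonstration; storage of the key in a KMS or HSM is described in comments only.

```python
"""Pseudonymisation with a separately held key, contrasted with an unkeyed hash.

Added example, not code from the guide or any vendor. The sample records and
the candidate list are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed customer table held by the controller (not real data).
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 3},
    {"email": "bob@example.org", "postcode": "M1 1AE", "orders": 1},
    {"email": "Alice@Example.com ", "postcode": "SW1A 1AA", "orders": 2},
]

# A short list of identifiers an attacker might guess (or scrape) and hash.
CANDIDATE_EMAILS = ["carol@example.net", "alice@example.com", "bob@example.org"]


def normalise(identifier: str) -> str:
    """Canonicalise the identifier so one person always maps to one pseudonym."""
    return identifier.strip().lower()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier.

    Deterministic, but anyone can recompute it from a guessed email address,
    so it does not meet the Article 4(5) requirement that attribution to a
    person needs 'additional information' that is kept separately.
    """
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    The key is the 'additional information': it stays with the controller
    (in practice in a KMS or HSM), never alongside the pseudonymised dataset.
    """
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records: list, key: bytes) -> list:
    """Replace the direct identifier with a pseudonym and drop attributes the
    downstream purpose (order analytics) does not need (Article 25(2))."""
    return [{"subject_id": pseudonymise(r["email"], key), "orders": r["orders"]}
            for r in records]


def reidentify(pseudonym: str, candidates: list, key: bytes = None):
    """Try to map a pseudonym back to an identifier by testing candidates.

    With key=None this is the attacker's dictionary attack on unkeyed_hash();
    with the controller's key it is the legitimate lookup path.
    """
    for cand in candidates:
        token = unkeyed_hash(cand) if key is None else pseudonymise(cand, key)
        if hmac.compare_digest(token, pseudonym):
            return normalise(cand)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, stored separately
    print(pseudonymise_dataset(CUSTOMERS, key))
    # Unkeyed hash: reversed with a small candidate list.
    print(reidentify(unkeyed_hash("alice@example.com"), CANDIDATE_EMAILS))
    # Keyed pseudonym: the same attack fails without the key...
    print(reidentify(pseudonymise("alice@example.com", key), CANDIDATE_EMAILS))
    # ...and succeeds only for the key holder.
    print(reidentify(pseudonymise("alice@example.com", key), CANDIDATE_EMAILS, key))
```

The key is the ‘additional information’ of Article 4(5): lose control of it and the dataset is personal data again, so it belongs under the same inventory and access-control regime as the encryption keys. A DSAR or erasure request against the pseudonymised dataset is served by computing the subject’s pseudonym with the key, not by storing a reverse lookup table next to the data.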
Cloud Services
The Article 32 obligations above fall on the controller and the processor alike. A controller may therefore only engage a third-party data processor or cloud service provider that can demonstrate it meets the same technical and organisational requirements, and the engagement must be backed by a contract that covers the points set out in Article 28.
Cloud Service Provider Checklist
□ Technical & Organisational security
□ New contract provisions
□ Demonstrable GDPR compliance
□ Data Processing Records
□ Breach Notification
□ Delete or return data post contract
□ Data Transfer transparency
□ Sub-processor permission
GDPR Says...
Processors
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Articles 28 and 30(2) of GDPR
Data Protection Officer
Under the GDPR, you must appoint a data protection officer (DPO) if you:
are a public authority (except for courts acting in their judicial capacity);
carry out large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
A DPO can be an outsourced role, which will pave the way for external agencies to provide this service.
DPO Duties
The DPO’s minimum tasks:
To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
DPO Rights
Businesses must ensure that:
The DPO reports to the highest management level of the organisation.
The DPO operates independently and is not dismissed or penalised for performing their tasks.
Adequate resources are provided to enable DPOs to meet their GDPR obligations.
Key Solution Providers
GDPR Says...
Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Article 37 of GDPR
Consent
The GDPR has references to both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear, given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes, although in the event of a complaint the required level of consent for sensitive data is expected to be higher.
GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:
Ticking a box
Changing technical settings (eg making something public on Facebook)
A signed client engagement letter
GDPR is also clear as to what will NOT be acceptable as consent:
Silence
Pre-ticked boxes
General inactivity
Auditable Consent
A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given, which could impact many marketing systems.
Where you already rely on consent that was previously sought, you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.
If you cannot reach this high standard of consent then you must find an alternative legal basis from those listed in Article 6 below, or cease or not start the processing in question.
GDPR Says...
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Article 6 of GDPR
Consent Capture
This is an emerging area of technology that enables a granular and compliant approach to capturing user consent whilst presenting the right processing and privacy notices. In addition, these solutions will ensure that all consent captured is auditable.
Key Vendors
GDPR Says...
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Article 7 of GDPR
Impact Assessment
A common theme throughout the GDPR is accountability and demonstrating compliance, i.e. making it evident to the supervisory authority (in the UK, the ICO) that you are meeting your obligations. An important component of accountability, and mandatory in certain circumstances, is the Data Protection Impact Assessment.
Definition
A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins.
Scope
New to the GDPR, the obligation to assess falls on the controller, with processors required to assist. Where a new processing activity is proposed (especially where new technologies will be used) that is likely to result in a high risk to data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks.
Content
An Impact Assessment must contain the following:
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects;
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
GDPR Says...
Data protection impact assessment
1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
Article 35 of GDPR
Dark Data
One of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable, and therefore not discoverable, is also known as ‘dark data’. The most common example found is a PDF file whose content has not been OCR’d, leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request.
There are a number of software solutions available that will scan your network for ‘dark data’, identify it and convert it to searchable data.
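As an added example (not the guide’s or any vendor’s product), the following Python script shows the discovery step in miniature: given the text an indexer or OCR pass managed to extract from each file, it records the online identifiers found (email addresses and validated IPv4 addresses, both personal data under Article 4) and flags large files that yielded almost no text as ‘dark data’ candidates that need OCR before they can be searched for a DSAR. The file inventory, extracted text and size thresholds are constructed assumptions for the demonstration; names and other identifiers without a fixed format would need dictionary or entity-recognition methods the script does not attempt.

```python
"""Personal-data discovery over extracted file text, flagging 'dark' files.

Added example, not the guide's or any vendor's tool. It assumes a text
extraction step (PDF text layer, OCR) has already run; CORPUS is what that
step returned for a constructed set of files. The 'dark' thresholds are
assumptions chosen for the demonstration.
"""
import ipaddress
import re

# Constructed inventory: path -> (text the extractor returned, file size in bytes).
CORPUS = {
    "hr/starters-2017.txt": (
        "New starter: Alice Smith alice.smith@example.com, laptop 10.20.30.41", 120),
    # Scanned, un-OCR'd PDF: 850 kB on disk but only the title came back.
    "legal/engagement-letter.pdf": ("Engagement Letter", 850_000),
    "it/runbook.md": (
        "Restart the cache on 192.168.5.10 after the 2am job (build 300.1.2.3)", 4_000),
    # Tiny empty file: nothing to find, and too small to be a hidden scan.
    "marketing/blank.pdf": ("", 2_000),
}

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed thresholds: a file this large that yields this little text is
# probably image-only and needs OCR before it can answer a DSAR.
DARK_MIN_SIZE = 50_000
DARK_MAX_TEXT = 64


def find_identifiers(text: str) -> dict:
    """Return online identifiers found in text, grouped by type."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)      # rejects e.g. '300.1.2.3'
        except ValueError:
            continue
        ips.add(cand)
    return {"email": emails, "ipv4": sorted(ips)}


def is_dark(text: str, size: int) -> bool:
    """Heuristic: large file, almost no extractable text."""
    return size >= DARK_MIN_SIZE and len(text.strip()) <= DARK_MAX_TEXT


def scan(corpus: dict) -> dict:
    """Build one data-map entry per file for the impact assessment."""
    report = {}
    for path, (text, size) in corpus.items():
        found = find_identifiers(text)
        report[path] = {
            "identifiers": found,
            "needs_review": any(found.values()),   # identifiers present
            "dark": is_dark(text, size),            # needs OCR before search/DSAR
        }
    return report


if __name__ == "__main__":
    for path, entry in scan(CORPUS).items():
        print(path, entry)
```

The dark-data flag is the part that matters for a DSAR: a file the index cannot see is a file the firm cannot search, delete or export, so anything flagged goes to OCR and back through the scanner before the data map is signed off.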
Method
An Impact Assessment has the following steps:
Review existing or planned data processing activities
Map data flows within the organisation by system and by process
Identify any compliance risks
Determine any mitigation required and develop an action plan
Determine whether the core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale
If yes to the above, appoint a DPO
Key Solution Providers
16. The GDPRREADY Compliance Plan is designed
to assist Data Protection Officers in preparing
for GDPR and maintaining compliance once the
legislation is activated. The GDPRREADY 4
stage process enables the DPO to raise
awareness, discover current risks, deliver a
mitigation plan and design processes for
maintaining compliance.
Step 1 – EDUCATE
The EDUCATE phase consists of a combination of interactive workshops and
stakeholder interviews, designed to generate a high level of understanding of the
impending legislation and any changes to system, policy or process in order to
achieve GDPR compliance.
GDPR Overview Workshop - an onsite workshop to build GDPR awareness and
secure buy-in with your key internal stakeholders, custom-tailored to the needs of
your firm.
Suitable for: Senior Management, Directors, Key Stakeholders
GDPR Assessment workshop - A workshop for internal staff responsible for
owning the assessment process.
Suitable for: Compliance Team, IT Team, Project Managers
Stakeholder Interviews – one to one discussions with key stakeholders to
document departmental processes involving personal data.
STEP 2 – DISCOVER
The DISCOVER phase uses the Data Protection Impact Assessment (as
recommended by the Information Commissioner's Office, the ICO) to discover any risk or
exposure the firm may currently have.
Impact Assessment – using the GDPRready Data Register and GDPRready
Impact Assessment templates you document data flows, gap analysis, risk
assessment and remediation plans.
STEP 3 – PLAN
GDPR Preparation Plan – document actions needed to prepare for and maintain
GDPR compliance. Understand budget required and systems and processes that
require modification.
STEP 4 – MAINTAIN
Prepare for new obligations such as Breach Response and DSAR Processing.
Review existing InfoSec policies and procedures to ensure they align with GDPR.
EACH PHASE IS SUPPLEMENTED BY GDPRREADY TEMPLATED PROCESSES
AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW
GDPRREADY COMPLIANCE PLAN – ACTION SUMMARY
PHASE 1 – EDUCATE
GDPR WORKSHOP
IMPACT ASSESSMENT WORKSHOP
STAKEHOLDER INTERVIEWS
DOC 1 - GUIDE TO GDPR ESSENTIALS
DOC 2 - GDPR CHECKLIST
PHASE 2 – DISCOVER
COMPLETE IMPACT ASSESSMENT DATA MAP
COMPLETE IMPACT ASSESSMENT RISK REGISTER
PRODUCE IMPACT ASSESSMENT REMEDIATION PLAN
DOC 3 - DATA REGISTER
DOC 4 - IMPACT ASSESSMENT
PHASE 3 – PLAN
DOC 5 - GDPR COMPLIANCE PLAN
DOC 6 - PRIVACY NOTICE CHECKLIST
DOC 7 - USER AWARENESS PROGRAM
DOC 8 - CLOUD SERVICE PROVIDER COMPLIANCE CHECKLIST
DOC 9 - SUBJECT ACCESS REQUEST PROCEDURE
PHASE 4 – MAINTAIN
DOC 10 - INFORMATION SECURITY POLICIES
DOC 11 - INTERNATIONAL DATA TRANSFER GUIDANCE
DOC 12 - CONSENT FORM TEMPLATES
DOC 13 - PROCESSING RECORD TEMPLATE
DOC 14 - BREACH NOTIFICATION TEMPLATE
SOLUTION PROVIDERS BY GDPR FUNCTION
Each entry below lists the solution provider, the GDPR function(s) the
solution addresses and the feature detail.
Solution provider: DocsCorp (contentCrawler)
GDPR function: Data Subject Access Request; Data Discovery
Comprehensive data discovery and management are
essential for GDPR compliance. To respond to a Data
Subject Access Request (DSAR) on time and in full, every
location where personal information is stored must be
easily discoverable.
contentCrawler ensures comprehensive data
discoverability and works to uncover documents that
otherwise would not be found because they are not
indexed for searching. It is a key tool in making sure
that all words in every document (even image
documents) are fully text searchable. contentCrawler
is an essential component for all firms to ensure they
comply with the new GDPR legislation.
DocsCorp will be publishing a white paper and
hosting a number of GDPR events across Europe.
Drop us an email to events@docscorp.com to stay
updated and get your free white paper and event
invitation.
For more information please check the product
description below or visit:
http://www.docscorp.com/contentcrawler/
Bulk Processing for Document Management
contentCrawler is an integrated analysis, processing
and reporting framework that intelligently assesses
documents in a Document Management System and
determines if they require OCR and/or file
compression processing.
Organisations can bulk process documents in the
DMS using either the OCR or Compression modules.
Or, they can do both. For example, contentCrawler
will convert all image-based documents in the DMS to
text-searchable PDFs. The Compression module will
then apply compression and down-sampling in order
to minimise the file size of the resulting PDF
documents.
The automated end-to-end process can run 24/7
without any staff intervention, emailing periodic
notifications of processing statistics and error
reporting to the IT Administrator. Staff no longer have
to worry about OCR or compression as a process or
workflow.
Key Benefits
Ensure all documents are indexed for
searching and are therefore discoverable
Simplify management of image-based
documents
Reduce non-compliance risks
Increase efficiency through automation
Leverage existing investment in DMS and
search technology
Reduce costs managing OCR and
Compression technology
Solution provider: iboss
GDPR function: Privacy by Design; Cyber Security
iboss is a cyber security platform that uses cloud
technology to extend preventative and predictive
multi-layered security to an organisation of any size, in
any place and on any device. The result is a lower risk
profile and enhanced due diligence (EDD) for the
organisation, which helps meet GDPR obligations; the
technical and organisational measures in place are a
factor regulators weigh when setting fines after a data
breach.
Solution provider: iboss
GDPR function: Privacy by Design; Data Leakage Protection
iboss includes behavioural data exfiltration sensors to
detect data loss and exfiltration across any
communication medium (web, email, DNS, P2P etc.).
Solution provider: iboss
GDPR function: Privacy by Design; Content Management
Granular gateway-level controls over web access and
application usage.
Solution provider: iManage (iManage Govern)
GDPR function: Right to Access; Privacy by Design; Access Control; Document Protection; Search
iManage Govern: govern critical information at every
step of the engagement and beyond.
iManage Govern lets you manage your engagement
files according to each client's retention policies, from
creation through to disposal, all while ensuring your
organisation meets audit and discovery requirements.
Improve governance: by applying retention policies
centrally across both electronic and physical client
records
Integrated document and records management:
through seamless operation with iManage Work
Boost productivity: and reduce risk by taking
records management responsibility off your
professionals' shoulders
Manage information in place: without copying to a
separate system
Reduce operating costs: by moving inactive
projects to a governed, searchable archive
Solution provider: iManage (iManage Share)
GDPR function: Privacy by Design; Secure File Transfer
iManage Share: fast, easy and secure sharing of
professional work product.
Securely exchange work product with your clients,
partner firms, and outside consultants within tools
that you are familiar with. iManage Share offers
industry-leading security with seamless integration
with iManage Work and Microsoft Outlook, so that
secure file sharing is easy and convenient without
sacrificing security and governance of your client
files.
With iManage Share:
Share, edit and collaborate on work product from
within iManage Work.
Share files from your Outlook email: Share files as
secure links directly from Outlook.
Secure, firm-branded web portal in a snap: Give
your client access to their documents from a single
responsive interface on phone, tablet or desktop,
branded with your firm logo.
Collaborate on the go: Share and securely
collaborate with customers from your smartphone or
tablet.
Know what is shared and with whom: Monitor who
is accessing your files and when.
Solution provider: iManage (iManage Work)
GDPR function: Privacy by Design; Right to Access; Document Protection; Search; DSAR Response; Access Control
iManage Work: manage documents, emails and more
in a single engagement file.
Access your work product from anywhere on any
device in a single user experience. Designed by
professionals for professionals, iManage Work makes
it easy to collaborate with your team and
stakeholders in a secure and governed manner.
Improve productivity: Suggested email filing keeps
you ahead of inbox overload
Make better decisions: Document timelines,
dashboards and analytics cut through clutter enabling
faster, better decisions
Find everything: Search across all work product
(documents, emails, images) automatically tuned to
your work style
Be more responsive: Secure mobile access means
you can view and edit your work from anywhere
Work smarter: Integrates seamlessly with the
applications you're already using to save time
Solution provider: Intapp (Intapp Walls)
GDPR function: Privacy by Design; Document Protection; Access Control
Intapp Walls replaces distributed, ad hoc approaches
to confidentiality management with a centralised
solution that provides law firms with unparalleled
capability and control.
Several features of Intapp Walls can help address
GDPR requirements for “privacy by design,” “privacy
by default” and the Accountability principle.
Intuitive interface for access management –
Define policies using an easy-to-use wizard to
configure and control walls and user account
management, so that IT, conflicts team members and
lawyers have appropriate levels of visibility and
control
Real-time enforcement and maintenance – Intapp
Walls delivers real-time enforcement, automating
notifications to individuals subject to specific policies,
tracking acknowledgments for compliance, and
alerting firm management about suspicious activity
related to sensitive information
Protection beyond document management
libraries – Lock down all key repositories where
sensitive information is stored, including records
management, accounting, CRM, search, portals and
other applications, in addition to document
management libraries
Automated compliance logging – Demonstrate
compliance if required to do so by clients or by
government agencies by presenting a documented
audit trail via Intapp Walls
Broad visibility across the organisation – Gain
visibility into the volume and types of policies in effect
across the firm; configurable reports can be delivered
in an event-driven, scheduled or on-demand basis to
provide management with real-time visibility into
policies, classification and history, as well as affected
parties and prevented breaches
Solution provider: Intapp
GDPR function: Data Protection Officer; Education
The Law Firm Risk Blog (www.lawfirmrisk.com),
sponsored by Intapp, covers a wide range of risk
management topics relevant to GDPR, including
information governance, conflicts management and
information security.
The Risk Roundtable Initiative (riskroundtable.com),
also sponsored by Intapp, hosts in-person events and
webinars bringing together a mix of law firm risk
management and related professionals, including
general counsel, loss prevention partners, risk
management partners, senior conflicts/records
managers and IT leadership. They provide
opportunities for peer networking, cross-functional
dialogue and a better understanding of common
problems and trends including the evolving regulatory
landscape affecting confidentiality, information
barriers and ethical walls.
Intapp customers have access to user group
meetings, newsletters, webinars and Inception 2017,
Intapp’s global user conference.
Intapp Professional Services offers a Risk
Consultancy practice that will assess your firm’s
approach to confidentiality management and suggest
processes, procedures and technologies to satisfy
specific compliance obligations related to the EU
GDPR, the HIPAA Privacy Rule in the US, and other
regulations
Solution provider: Mimecast
GDPR function: Privacy by Design; Data Leakage Protection; Secure Archive; Security
Mimecast Enterprise Information Archiving provides the
secure, perpetual storage and policy management
necessary, with the predictable costs and scalability of
a true cloud architecture. With an industry-leading 7 second
search SLA, archived information is instantly
accessible, making it easy for employees or
administrators to find a single email or to support a
larger e-discovery case.
Mimecast solves important archiving challenges by:
Archiving email in the cloud
Responding quickly to litigation requests
Retaining important company files
Archiving Lync IM conversations
A single, unified archive in the Mimecast cloud
delivers scalability, rapid information access and data
assurance — without the spiraling expense of
hardware and software typical of legacy on-premises
solutions.
Solution provider: Consentric (Consentric Permissions)
GDPR function: Consent; Consent Capture
Consentric Permissions is a tool for managing
citizens’ consent for usage of their data. It is a cloud
based product with the citizen at the heart, providing
them the capability to grant or deny consent to the
usage of their data for specific, clearly defined
purposes.
Organisations benefit from Permissions through a
simple integration with their CRM or other system(s),
providing a single source of truth relating to consent.
They can configure the data to be used, purpose for,
and who will request usage of the citizen’s data at a
granular level, enabling citizens to clearly understand
what is being asked of them. Where required,
organisation users can also access citizens’ records
to amend consent on instruction.
All changes are subject to a full history log, including
detail of how and where consent was obtained. This
gives the citizen transparency and control over how
their data is being accessed and used.
Solution provider: Consentric (Consentric Permissions)
GDPR function: Privacy by Design
Consentric Permissions stores citizens’ data in a
secure UK sovereign data centre, with consents to
share that data managed by the citizen.
Classification of the data is aligned to well-known
standard schemas, or, created by new custom
schemas, allowing sensitive data to be managed
separately and securely by the citizen.
Consentric Permissions is a trust platform, giving the
citizen transparency, ownership and control of their
data, enabling you to build loyal relationships with
your customers.
This approach to storing data transforms your
ability to achieve the required data protection standards
by minimising the personal and sensitive data held
in your own systems and placing the citizen
in control of their data and its usage. By integrating
with Consentric Permissions, you benefit from its
Privacy by Design features and save the cost of
implementing them in your own systems.
Solution provider: Trustmarque
GDPR function: Privacy by Design; Secure Data Hosting
The complexity and expense of managing underlying
infrastructure can be challenging for organisations as
their needs fluctuate. Trustmarque's IaaS solutions
enable organisations to cost-effectively deploy and
run their software while taking full advantage of the
benefits cloud computing brings. We design, build,
procure and manage IaaS services to help you
unlock real business value, providing specialist
technical design and management knowledge together
with an understanding of the commercial implications
of solution design and change and of the operational
considerations of a cloud service within a traditional
ITIL-oriented environment.
We provide highly resilient and secure IL2, IL3 and
IL4 services for OFFICIAL and OFFICIAL-SENSITIVE
hosting requirements. These convenient, on-demand
and configurable computing resources require
minimal management effort.
Solution provider: Trustmarque
GDPR function: Impact Assessment; Compliance
Trustmarque provides full lifecycle Impact Assessment
consultation. In addition, as ISO 27001 experts, Trustmarque can
ensure that your GDPR compliance measures align
with your wider InfoSec strategy.
Solution provider: PitchPerfect
GDPR function: Privacy by Design; Centralisation of Sensitive Data
Enabling the new, enhanced data subject rights is a fundamental
part of GDPR compliance.
PitchPerfect, with its SharePoint data repository,
introduces a single centralised content management
system which greatly improves the firm's ability to
meet these requirements. It provides the tools for
end-users to locate and extract the requested data,
while restricting the ability to modify and erase data to
the content managers working in the back-end.
The common distributed data practice, whereby CVs
and biographies sit in multiple locations including a
DMS, email system and file share, makes compliance
with any of these employee access requests
complex, time consuming, costly and potentially
impossible.
Where user photos are processed as biometric data, which
GDPR adds to the special categories of personal data, adequate
protection is compulsory, and PitchPerfect ensures the right
level of user access is applied. Note that under Recital 51 a
photograph counts as biometric data only when it is processed
by specific technical means that allow unique identification of
a person, so an ordinary profile photo is personal data but is
not automatically sensitive personal data.
Solution provider: SkillBuilder eLearning
GDPR function: Data Protection Officer; User Education
SkillBuilder eLearning provides new innovative ways
to empower employees and end users with
accessible tools and technologies; enabling them to
stay informed and educated in all things related to
legal technology and its constantly changing updates.
SkillBuilder eLearning was built on the know-how of
an over 12 million-strong backlog of ticket data and
over 60,000 knowledge base articles. Our online
eLearning tool increases productivity through a
multifaceted portal that is branded for the firm.
SkillBuilder provides a three-tiered model of service:
Self-Service for users, Service Desk support provided
by Solution Sender and an LMS. All features include
access to our robust library of ever-growing content
tailored specifically for Legal. SkillBuilder is a single
platform whose effects are felt throughout the
organisation.
Solution provider: Vuture
GDPR function: Consent; Data Transfer; Security of Processing; Privacy by Design
Vuture is a marketing automation platform for
professional services that makes it easy to
personalise email communications, streamline events
and control marketing assets from a single flexible
system.
Manage consent
Vuture provides a quick and easy-to-use solution to
manage and automate consent. A seamless CRM
integration enables you to manage and timestamp
contact opt-ins within your CRM, as well as meet all
Data Discovery and Data Access requirements.
Unambiguous consent is achieved through a CRM-
linked tickbox inserted on your preference forms.
Control data transfer
Vuture is a private cloud solution – each client has
their own instance of the platform hosted at a location
of their choice. The platform is built with privacy at its
core – data never leaves the chosen location and
rigorous security policies support compliance with
data protection standards.
Privacy and security sit at the heart of Vuture’s
development, and both are assessed, tested and
updated on a continuous basis.
Solution provider: Workshare
GDPR function: Privacy by Design; Data Leakage Protection
“Workshare’s unique data loss prevention technology
provides an additional layer of content awareness
that includes hidden, sensitive data (metadata).
Policies decide what has to be removed for
compliance from a document when sent externally via
email or via the cloud. This maintains security and
compliance mandates to ensure no information is
leaked through documents shared outside a company
in the form of metadata.
Workshare is taking our extensive understanding of
metadata, email attachments and secure file sharing
to the next level as we develop further to aid
companies in the prevention of data loss. Because
we have insight into multiple sharing channels and
deep understanding of content, including metadata,
Workshare can provide companies with visibility via a
reporting system. Reports can be oriented around
particular senders, receivers, and types of metadata
to monitor for leakage or misuse. As the proposition
develops, we will encompass words within context in
a document or metadata and extend this detection to
non-email sharing channels. Once detected, we can
educate and empower users to take appropriate
corrective action to protect their sensitive content.”
We hope you found the first edition of this guide useful.
To recommend content or a solution for the second edition or GDPRwiki.com please
contact:
info@2twenty4consulting.com