Preparing The Structure and Plan For EU General Data Protection Regulation
Learn how to change the practices within your IT platform and data environment to comply with the GDPR, the EU data privacy regulation.
Even though the GDPR only takes effect on May 25, 2018, it is not too early to carry out a complete review of the personal data you store (both inside and outside Europe) and to start adjusting your current privacy controls, by setting the parameters in your IT systems, data and environments that this regulation requires. At the seminar on 20 April 2017 at The Confederation of Danish Industries we focus on the following GDPR implementation issues:
- How to identify the sensitive personal information that is stored, processed, transferred, and deleted in your data and IT systems
- How to limit the access to personal information and its availability to only when and while it is needed
- How to implement controls that prevent personal information from being downloaded
- What the best practices are for transferring and deleting personal data in your systems, in both production and non-production environments
Prioritise the preparation plans
The urgency comes from the new policies that must be implemented to protect sensitive personal information held about customers, clients and employees in master data, information that is sometimes also transferred to or from service providers.
To achieve this objective, a comprehensive risk analysis of current data collection, transfer, use and disposal against the new GDPR requirements needs to be performed in order to prioritise the preparation plans.
Personal information is any data relating to an individual, including names, email addresses, identification numbers, bank details, medical information, and even a photo or an IP address. The GDPR also extends the definition of personal information to cover biometric and genetic data.
Define In-Scope Data
The second step of the plan is to identify all GDPR issues in your IT and data environments: the clients, master data tables and fields containing personal information about European residents, including customised data stacks, tables and fields. Backups, legacy systems, archives and databases should also be included in the planning process.
The quantity and quality of sensitive personal data to protect differs primarily between industries and legal areas. Certain sectors, such as healthcare, insurance, banking, recruitment and marketing, handle a high volume and wide variety of personal information, and these industries must also comply with stricter industry rules and regulations. Master data tables containing employment, date of birth, citizenship, identification number, tax and credit data should also be brought into scope.
During scope planning, it is important to validate with the business owners why each item of personal information is collected, since this feeds the impact assessment. Confirming the specific and legitimate need for keeping personal information with business experts is highly advisable.
At the seminar, we will make sure that you understand the business need for each type of personal information, to help you define the responsible contact and the data retention requirements. You will get guidance on how information is transferred and interfaced between IT platforms, systems and organisations. Finally, you will learn how to reduce the amount of personal information you hold and how to ease the preparation by mitigating risk in your IT tools and systems so that you comply with the GDPR mandates.