Newsletter | Volume 1

The How aspect addresses the need to understand how the data was acquired in the first place and the training to detect and report the unusual and the suspicious that will challenge Compliance. It is, therefore, the knowledge from The How investigations; the manner, methodology and the framework that can challenge Compliance while implementing GDPR.

Follow the data
The How aspect of GDPR compliance addresses the need to understand how the data was acquired in the first place, with a valid and documented consent. Are the IT and data processes transparent, explicit and for each of the individual categories, clear? Is there enough focus on personal data of vulnerable persons, such as children’s data, which requires more than just parental/guardian consent. The answers lie in the right response to the following questions;

What are the legal basis of IT and cyber security compliance in the organisation?
How is the personal data is collected and used?
Do we use data exactly for the purpose it was collected
Do we always get consent from the data subjects for the secondary processing
How is the review process for implementing change in processing personal data?
How can we prevent abuse or misuse of personal data
How do we address violations
What are the remedies that we use to correct the faults and errors?
How should regularly reviews of the data and process (regular data flow mapping, audits, risk assessments and reviews) to ensure the legal basis has not changed

The How questions also extend to how you manage the data. Does the data management/privacy strategy, includes cradle-to-grave data management, security, record keeping, retention and deletion.

How will each department respond to access requests, and other rights of data subjects such as the right to be forgotten, portability, restriction on processing?
How will the organisation be able to comply with the disclosures and reporting time frame and is there a plan to automate processes with new tools and annual staff training to ensure compliance?

72 hours breach notification requirement
How to address the multi jurisdictional reach of the GDPR. If data or information is transferred to other parts of the organisation outside the EU or to third-parties. Also, agencies will need to consider how to protect the data in storage and transit between the two points and more focus on compliance if data is transferred onward.

What are the processes and documents needed to be in place before meeting the 72 hours breach notification requirement? Not only the processes but are the processors’ geared for the time frame? Have they been tested to detect violations and what are the tools that are currently used to identify and alert on any suspicious activity?

The above can be covered in one or two sentences; follow the data – map all uses of personal data inside and outside the organisation. Update the framework to meet the GDPR requirements and especially with regards to the rights of the data subjects.

Additional action points

Are all employees trained to detect and report any unusual or suspicious activity
Regular review of the personal data life cycle to understand how you use the data, is it used lawfully and as stated in the privacy notices and the general Terms & Conditions?
Assess risks in data flows both with regards to confidentiality and security of the personal data.
Continue to test the GDPR components of incident detection for handling and responses.

Register at one of our training workshops in Copenhagen or London today:
http://www.copenhagencompliance.com/gdpr/index.html
http://www.copenhagencompliance.com/2017/gdpr-uk/