GDPR what is it? A new data protection framework which puts individuals back in control of their personal data


Page 1: GDPR what is it? - Brooks Macdonald/media/Files/B/Brooks-Macdonald-V4/... · GDPR –what is it? A new data protection ... Information Asset Register “a concise, transparent, intelligible

GDPR – what is it?

A new data protection framework which puts individuals back in control of their personal data

Page 2 – ICO 12 steps to GDPR compliance

1. Awareness
2. Document the personal data you hold
3. Communicating privacy information
4. Individuals' rights
5. Subject access requests
6. Lawful basis for processing personal data
7. Consent
8. Children
9. Data breaches
10. Data protection by design and default
11. Data Protection Officer
12. International

Watch the video here… www.moneyinfo.com/Videos/GDPR12Steps

Page 3 – Step 1: Awareness

Make sure key people in your organisation are aware that the law is changing. Get a team together involving compliance, HR and key decision makers and look at what needs to be done for May 2018.

Page 4 – Step 2: Document the personal data you hold

• What information do you hold?
• What is its purpose?
• Where is it stored?
• Where is it shared?

Page 5 – Information Asset Register

Owner: Who is responsible for this information asset?

Name: A way to identify the information asset.

Description: A description of what the information asset is and what it records. Specifically note if your information asset contains personal or sensitive information.

Format: e.g. SQL database, Excel spreadsheet.

Purpose: Why do you hold this information and what is it used for?

Location: Where is the information stored?

Security: How is the information secured? e.g. password protected, encrypted.

Users: Who has access to this information asset?

Retention period: How long is the data kept for and why?

Risks/Impacts: What would be the impact of losing the information asset? Consider loss of confidentiality (i.e. a data breach), loss of availability and loss of integrity. What would be the cost of replacing the information?

External sharing: Is this information shared externally with any third parties?

Legal basis: What is your basis for processing this information? e.g. consent, legitimate interest.

Page 6 – Step 3: Communicating privacy information

“a concise, transparent, intelligible and easily accessible form, using clear and plain language…”

ARTICLE 12

Page 7 – Step 4: Individuals’ rights

• the right to be informed
• the right of access
• the right to be forgotten
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making, including profiling

Page 8 – Step 5: Subject access requests

“Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

RECITAL 63

Page 9 – Step 6: Lawful basis for processing personal data

• consent
• necessary for the performance of a contract
• compliance with a legal obligation
• to protect the vital interests of a data subject
• for tasks in the public interest
• legitimate interests

DETERMINE WHAT IT IS AND DOCUMENT IT

Page 10 – Step 7: Consent

When capturing consent “…include:

• the name of your organisation;
• the name of any third party controllers who will rely on the consent;
• why you want the data;
• what you will do with it; and
• that individuals can withdraw consent at any time.”

INFORMATION COMMISSIONER’S OFFICE

Page 11 – Step 8: Children

Gain consent from someone with parental responsibility.

Apply consent rules when capturing and recording consent.

Page 12 – Step 9: Data breaches

• lost?
• destroyed?
• corrupted?
• disclosed?

Page 13 – Step 9: Data breaches

RECOGNISE
INVESTIGATE
NOTIFY
MITIGATE

Page 14 – Step 10: Data Protection by Design and Data Protection Impact Assessments

“In order to be able to demonstrate compliance with this regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”

RECITAL 78

Page 15 – Step 10: Data Protection by Design and Data Protection Impact Assessments

“… description of the envisaged processing operations… …assessment of the necessity… … assessment of the risks to the rights and freedoms of subjects… …measures envisaged to address the risks…”

ARTICLE 35

Page 16 – Step 11: Data Protection Officer

You need to appoint someone in your organisation, or an external adviser, who has the knowledge, support and authority to take responsibility for your data protection compliance.

Page 17 – Step 12: International

Determine your lead supervisory authority.

Page 18 – The do’s and don’ts for keeping data safe

Page 19 – How can technology help?

Data Access
Data Quality
Data Privacy by Design
Secure communications
Subject Access Requests
Data Portability

Pages 21 to 28 – How can technology help? (slide images; no text captured)

@moneyinfotech

www.moneyinfo.com