Associate feature: Keeping compliant with GDPR

Where are we with the EU GDPR (General Data Protection Regulation)?

It’s almost six months since the biggest shake-up in data protection in 20 years came into effect. It has forced European organisations (and many others globally) to implement plans to ensure they’re taking data protection seriously and so they can respond to data breaches.

Polls are demonstrating that although organisations are getting up to speed with what they’re supposed to do to become GDPR compliant, many are still struggling or are only starting to work on their GDPR compliance project.

2018 has seen major organisations such as British Airways, Dixons Carphone, Adidas, Butlin’s and Reddit suffer data breaches, bringing the issue of data protection into the zeitgeist. These cases follow the much publicised WannaCry incident of 2017 when more than 300,000 NHS computers were infected and lead to damages costing in the region of a billion pounds.

Holyrood’s Future of Data Protection Conference, taking place this October, intends to discover more solutions to Scotland’s GDPR compliance challenges. It’s a vital opportunity for the Scottish public sector to continue to build a clear strategic understanding of its data protection responsibilities, and discover how to integrate data protection into the business to remain compliant and how it can benefit from the effective use and sharing of public data.

Stuart Skelly, a vastly experienced GDPR consultant who will be speaking at the event, has discussed how organisations holding vast amounts of personal data can become secure.

He said: “Organisations must implement a practical, feasible document management policy (including data retention and disposal policy). Public-sector organisations hold so much personal data, in so many locations and for so many different reasons, that this can be very difficult to create and to manage/monitor adherence. But it is one of the absolute foundations of a successful GDPR/Data Protection Act 2018 compliance strategy.”

Where do I start with a GDPR compliance strategy?

Conducting a DPIA (data protection impact assessment) is the starting point for embedding data protection by default and by design. DPIAs help organisations identify, assess and mitigate or minimise privacy risks with data processing activities.

Critically, it enables organisations to identify security vulnerabilities in advance of building software which means that issues are resolved early in the process, and better, more cost-effectively secure systems are built.

DPIAs also support the GDPR’s accountability principle, helping organisations prove that they have taken appropriate measures as required by the Regulation.

Failing to adequately conduct a DPIA where mandated constitutes a breach under the GDPR, and could lead to fines of up to 2% of the organisation’s annual global turnover or €10 million – whichever is greater.

So how do I get my DPIA started and what will it involve?

The first thing to do is to identify, within an organisation, whether the inherent risks of the processing operation require a DPIA. Article 35(1) of the GDPR states that you must undertake a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.

Once it has been determined that an organisation requires a DPIA it must be able to describe the information flow. This involves describing how the information within the processing operation is collected, stored, used and deleted. It is then the organisation’s responsibility to catalogue the range of threats, and their vulnerabilities, to the rights and freedoms of individuals whose data they collect and/or process.

by Jenni Davidson

Event report: Brexit or not, we will still have the GDPR

The next steps involve identifying privacy solutions by making a ‘risk decision’. This includes whether to accept or reject the risk, whether to transfer it or take steps to reduce impact or likelihood of the threat successfully exploiting the vulnerability.

Once this step is complete an organisation will sign off and record the DPIA outcomes in a report which must be signed by those responsible. Where a high risk has been identified, the organisation must submit the DPIA to the regulatory authority for consultation. Now the outcomes of their DPIA have been disclosed it becomes possible to integrate them into a project plan.

What sort of projects require a DPIA?

Examples of projects that will require a DPIA include implementing a new CRM system, finance system or simply anytime a company will be processing data in a way which may pose a risk to the rights and freedoms of data subjects.  It also applies to any current processes involving personal data an organisation has in place. 

What will be the long term benefits of a DPIA?

As mentioned, avoiding the financial sanctions associated with GDPR is one of the major benefits of beginning a DPIA.

Consistent use of DPIAs increases the awareness of privacy and data protection issues within your organisation. It will also ensure that all relevant staff involved in planning projects consider privacy at the early stages and adopt a ‘data protection by design’ approach.

A DPIA also brings broader compliance benefits, as it can be an effective way to assess and demonstrate your compliance with all data protection principles and obligations.

What do I do next?

A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.

GDPR expert IT Governance provide a number of DPIA solutions that can help you fill the gaps in your GDPR compliance. 

As a leading provider of GDPR expertise and solutions, IT Governance supports organisations of all sizes in initiating and maintaining their compliance projects through training courses, books, documentation toolkits, staff awareness, compliance tools and consultancy.

Visit IT Governance’s GDPR and cyber security experts at Holyrood’s Future of Data Protection conference to find out more or contact us now to arrange a meeting.

This article is in association with IT Governance