Search Mobile-alt Envelope Facebook Linkedin Youtube Bell

GDPR – The Checklist

Search Mobile-alt Envelope Bell

Find out more below

GDPR – The Checklist

Now that the new regulation has come into effect, it is time to double check your organisation’s policies and practices.

Published on 7th June 2018

Although the GDPR deadline has now passed, it’s important for organisations to show that in the event of a regulatory investigation, they have taken reasonable steps to demonstrate they take privacy seriously – and ultimately comply. The good news is that fines for organisations that suffer a breach of personal data won’t be applied if they can prove they’ve taken the correct steps to comply.

The reality is that GDPR will be a continuous journey for organisations involving constantly reviewing data, removing low value data, looking at new data, following procedures, and maintaining trust with customers – by prioritising their privacy. Although many organisations are becoming better prepared for GDPR, here are some key, practical actions that must be taken now.

Double check the GDPR specialist

For those organisations with over 250 employees, a staff member will hopefully have already been made GDPR accountable as the data protection officer. Although they will possess a significant understanding of both the business and complexities of the data regulations – they must also operate independently within the business. Therefore, it’s critical that they don’t have any other responsibilities that may result in a conflict of interest.

Remember that employees count too under GDPR

All staff must receive a ‘Data Privacy Notice’ advising them that their personal data will be processed by the company under ‘legitimate interest’. Explain in simple language which personal data will be processed, the reasons and timeframe for doing so, what rights they have and who they should contact if they have concerns. Also, outline what happens if they leave the organisation and who else this personal data will be shared with.

Gain enterprise-wide GDPR awareness

Everyone within an organisation needs to know what the regulation means for them. This means establishing which areas of the business fall within the scope of GDPR, by identifying, assessing and mitigating privacy risks with data processing activities. For larger organisations, territories and jurisdictions must be looked at too – as well as standards and management systems that may be affected or could positively contribute to GDPR compliance.

Another task is to establish from the IT team if there are any imminent projects that involve personal data – as these will be candidates for privacy by design. This is critical as, privacy by design in a service or product, is taken into account, not only at the point of delivery, but also from a product’s inception.

Identify enterprise-wide data

Organisations hold huge volumes of data in all sorts of weird and wonderful places, so they must ensure that they’ve identified which types are held, where it comes from and the lawful basis for processing it. There are special categories of data that may invite stricter processing rules, such as getting explicit consent. Once all data has been sought out – it must be clearly documented with when, how, and why it was obtained; what is going to be done with it and how long its will be kept.

Audit data flow

Organisations will hopefully now have an understanding of how personal data follows within their business too – as well as where it comes from and where it is sent. This will help highlight risks in data processing activities and where controls are required. From this, it can be established if further effort is required to help identify, assess and mitigate or minimise privacy risks with data processing activities. The three primary conditions for an assessment identified in the GDPR are:

  • Systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
  • Systematic monitoring of a publicly accessible area on a large scale

Create or improve key policies and processes

According to Article 30 of the GDPR, companies will be required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data. Each business will also need a privacy notice, a data protection policy and have to update or review contracts with employees and suppliers – to ensure they are compliant.

These policies should explain what personal data is and why it’s important to keep it secure and protected. Everyone should be clear on what they can and cannot do with that data and must understand the consequences of non-compliance.

The rules around consent are clear: it must be freely given by the individuals; the information must be unambiguous, specific and with no jargon, and consent must be given affirmatively. Transparency is paramount: organisations must be open and honest with the people who provide their data about what is being collected, why it’s wanted, how it will be used and how it will be cared for – and that withdrawal of their consent is possible at any time.

To addresses citizen’s rights, requires more comprehensive outlines on how their data should be handled. Key changes include the ‘right of access’, which have expanded considerably and are required to be free of charge. Additionally, the ‘right to be forgotten’ has also been extended, with individuals now able to be ‘forgotten’ when they no longer want to have a relationship with that brand. This means that organisations should think about what processes are needed to accomplish this.

Check breach response

This response process to a data breach must become flawless. Organisations must therefore conduct practice sessions to ensure that everyone knows what is expected of them – so they’re able to alert the relevant authorities within 72 hours.

Seek additional expertise

If outside help is required, organisations should only consider GDPR partners that have hands-on experience, great relationships with other experts in the field, access to specialist tools – and possesses a strong track record in regulated sectors. Also, a potential partner should already be GDPR compliant themselves.

Also, ensure any partner complies with ISO 27001 to deliver the appropriate technical controls, policies, procedures and promote a culture of awareness of information security. Any potential partner should also follow ITIL best practices and help use it to implement and adapt processes for GDPR compliance.

Source

https://www.itproportal.com/features/gdpr-the-checklist/

Search
Follow us on social media
Facebook Linkedin Youtube
Get the latest updates
Subscribe here
Copyright © EasySAM 2024

The latest updates straight to your inbox

We just need a few details to get you subscribed

More info

Health Checks

SAMplicity 365 Lite

A simple health check of what's being used across your Office 365 estate in this FREE, Microsoft backed and easy to setup review.

SAMplicity MOT

Just like you would with your vehicle each year, get an annual check up of your software asset management programme.

SAMplicity Process

Overwhelmed by the task of documenting the steps for a successful SAM programme? Get the experts in to help!

SAMplicity Tool Check

Concerned your SAM tools aren't covering your whole estate? Or on the look out for an entirely new tool? Get us in to assist.

Inventory & Compliance

SAMplicity Discovery

Not content with covering all things SAM related, we've teamed up with Capital to provide a comprehensive hardware asset management review.

SAMplicity One

A simple, one-time reconciliation of the software you have deployed versus the licence entitlement you own.

SAMplicity Plus

A regularly scheduled analysis of your organisation's estate, specifically adapted to your needs and budget.

Cloud Readiness & Optimisation

SAMplicity 365

A full appraisal of your Microsoft 365 setup and how best to optimise it through automated recommendations.

SAMplicity Cloud

An add-on to our SAMplicity One, MOT and Plus offerings, quickly diagnose your ability to migrate your resources to the cloud.

Agreement & Audit Support

SAMplicity Contract

In collaboration with law firm Addleshaw Goddard, ensure the legality of your SAM programme and get assistance with any contract disputes.

SAMplicity Response

Available as standard with SAMplicity Plus, ensure you're compliant if you're unexpectedly audited by a vendor.

Learning

SAMplicity Academy

We've teamed up with some of the forefront experts in licensing knowledge so you can teach yourself to be an expert too.

SAMplicity Training

Stumped by the continually evolving complexities of SAM? Join us for one of our comprehensive courses, either in-person or online.

View all services

Addleshaw Goddard

Block 64

Capital

Flexera

ITEXACT

Ivanti

License Dashboard

Licensing School

Raynet

Snow Software

TBSC

View all partners

What is SAM?

Services

Partners

Blog

Events

Knowledge Base

News

Contact Us

Login

Mobile-alt Envelope Facebook Linkedin Youtube Bell

Looking for something specific?

Let's see what we can find - just type in what you're after

Wait! Before you go

Have you signed up to our newsletter yet?

It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!

Subscribe here

Cookie Notice

Our website uses cookies to ensure you have the best experience while you're here.

Accept
Reject