Please copy and paste this script for your use.
General Data Protection Regulation (GDPR)
Hello, my name is Lee Werrell. I am the owner of Compliance Consultant, the UK’s leading remedial compliance consultancy for financial services.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
1 Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.
2 Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation, or within particular business areas. The GDPR also updates individuals’ rights for a networked world, so you need to know which other organisations you have passed data to, not just what you hold yourself.
Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
3 Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
4 Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The main rights for individuals under the GDPR will be:
• subject access,
• to have inaccuracies corrected,
• to have information erased,
• to prevent direct marketing,
• to prevent automated decision-making and profiling, and
• data portability.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
The right to data portability is new. This is an enhanced form of subject access where you have to provide the data electronically and in a commonly used format. Many organisations will already provide the data in this way, but if you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make any necessary changes.
5 Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales (one month under the GDPR, rather than the 40 days allowed under the DPA) and provide any additional information. The rules for dealing with subject access requests will change under the GDPR. There will be different grounds for refusing to comply with a subject access request: manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and their right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable, so the logistical implications of having to deal with requests more quickly and provide additional information will need thinking through carefully.
6 Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. Many organisations will not have thought about their legal basis for processing personal data.
You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly the same as those in the DPA so it should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this in order to help you comply with the GDPR’s ‘accountability’ requirements.
7 Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR refers to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear, given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent also has to be a positive indication of agreement to personal data being processed: it cannot be inferred from silence, pre-ticked boxes or inactivity.
The GDPR is clear that controllers must be able to demonstrate that consent was given. Note that consent has to be verifiable and that individuals generally have stronger rights where you rely on consent to process their data. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
8 Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation offers online services to children (in the UK this will probably be defined as anyone under 13) and relies on consent to process their personal data, you will need a parent or guardian’s consent in order to process it lawfully.
9 Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board: a breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO within 72 hours of your becoming aware of it, and the individuals themselves must be told where the risk to them is high. Detecting a breach within that window depends on having logging and monitoring in place before it happens.
This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach, so that the decision on whether to notify does not have to be made from scratch under time pressure.
10 Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance produced on Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs), and work out how to implement them in your organisation if necessary. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement.
11 Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities, or organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale. Therefore you should consider now whether you will be required to designate a DPO and, if so, assess whether your current approach to data protection compliance will meet the GDPR’s requirements.
12 International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in a number of Member States. Put simply, the lead authority is determined according to where your organisation has its main establishment, that is, where its main administration is or where decisions about data processing are made.
If you need any assistance in designing, assessing, implementing or delivering your project, please do not hesitate to contact us on or call 0207 097 1434.
Internal Links from video
Policies available at or
Governance Review
Template Compliance Manual
Compliance Healthcheck Video