
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


5 Last Minute Steps to GDPR Readiness

Posted: 21 March 2018


With fewer than 100 days to go until the GDPR (General Data Protection Regulation) becomes enforceable, and this post's shelf life correspondingly short, a certain level of panic may be setting in for those who have only just started to take the subject seriously.

Although research shows time and time again that the vast majority of organisations are in the same state of unpreparedness, that does not reduce the level of risk after 25th May 2018. With so many articles to comply with, and the overall journey requiring significant change in some cases, now may be the time to forget achieving 100% compliance in the two months that remain and instead focus on the quick wins that are likely to have the greatest impact and reduce the most risk.

1. Document your processing activities

Article 30 of the GDPR requires that both data controllers and data processors maintain a record of their processing activities. In other words, document every case of processing: what personal data is processed, why and how it is processed, the lawful basis relied upon, how long it is retained, and whether it is shared with third parties or transferred outside the EU. Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and does not involve special categories of data, so in practice few organisations that process customer or employee data will qualify.

Considering the clarity this activity brings to business practice alone, I recommend that processing records are created and maintained regardless of whether the exemption applies.

2. Assess the lawfulness of processing

Under Article 6 of the GDPR, processing personal data is only lawful if at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request before entering into one.
  • Processing is necessary for compliance with a legal obligation to which the data controller is subject.
  • Processing is necessary to protect the vital interests of the data subject or another person.
  • Processing is necessary to carry out a task in the public interest or in the exercise of official authority.
  • Processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject.

You should assess which of these bases each of your current processing activities relies on, record that basis against the activity in your Article 30 record, and of course make changes where an activity has no defensible basis.


3. Review your Privacy Policy

Privacy policies are documented statements of how your company or organisation complies with data protection regulation generally. They set out the common processing activities you engage in, why you engage in them and on what lawful basis, with whom you share personal data or processing responsibilities, how long you retain it, the rights data subjects have, and who is responsible for data protection in your organisation as a point of contact. Articles 13 and 14 of the GDPR list the information that must be provided to data subjects, so check your policy against them.

If you do not currently have one, then of course you should. If you do, review the privacy policy to ensure it is up to date, relevant, written in plain language and placed on your website in a highly accessible location. Examples of good privacy policies, should you require a template, can be found via a Google search.


4. Create a Breach and Incident Register

If you have been told that all breaches must be reported to the supervisory authority, or even to the data subjects themselves, you have been incorrectly informed. Under Article 33, a breach must be notified to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to the rights and freedoms of data subjects, and under Article 34 data subjects need only be informed where that risk is high. However, Article 33(5) still requires you to document every breach internally, including its facts, effects and the remedial action taken, and I would argue this is a useful exercise to highlight areas of risk and improvement even without the GDPR.

Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data is considered a personal data breach and should be recorded in your breach and incident register. Since even the most minor of accidental incidents (an email sent to the wrong recipient, a lost unencrypted laptop) qualifies, it would be wise to educate your users on how to recognise breaches and how to report them for addition to the register, and to rehearse the 72-hour assessment so that the notification decision is not made under pressure for the first time.

5. Have processes for Subject Access Requests and Other Rights

The GDPR creates a number of rights for data subjects, as well as maintaining those established under the original Data Protection Directive of 1995. In particular, you would do well to prepare for three as a priority:

  • The right to access (subject access request)
  • The right to restrict processing
  • The right to object

Subject access requests allow data subjects to request confirmation of whether you process personal data relating to them, a copy of that data, and information about how you process it. Article 12 imposes a response deadline of one month from receipt, extendable by two further months for complex or numerous requests provided you inform the data subject within the first month, and the information must generally be provided free of charge. That deadline creates a sense of urgency and encourages a robust, practised workflow for locating the data and handling such requests.

The rights to restrict processing and to object to processing come into play when a data subject questions the lawfulness or necessity of processing. If the processing is based on consent, the data subject has the right to withdraw that consent at any time, and withdrawal must be as easy as giving it. Much like subject access requests, a robust and well-rehearsed workflow will turn shrugs into success.


All hope is not lost

With precious little time left, all is not lost. A focus on the changes and developments which have the greatest impact and reduce the most risk will set you apart from your peers. Whilst fellow GDPR project leads will be trying to comply with nearly 100 pages of regulation in the time that remains (roughly a page per day, including weekends, at the time of writing), it is worth remembering that it is the tortoise which wins the race.


Posted by: Chris Payne
Senior Technical Consultant, Infinigate UK

 
