Abstract image of a woman sitting on books and studying on a laptop

GDPR, what you need to know and how to prepare for it e book

P
Plr-Printables

The document provides an overview of the General Data Protection Regulation (GDPR), its implications for individuals, businesses, and organizations handling personal data within the EU and beyond. It discusses the responsibilities of data controllers and processors, compliance requirements, penalties for violations, and the rights afforded to individuals under GDPR. Furthermore, it outlines preparation steps for businesses to ensure compliance with the regulation by its implementation date of May 25, 2018.

Business
Related topics:
Data Protection Practices
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
  GDPR, What you need to know - and how to prepare for it.   © 2018.plr-printables.com a SMALL Business Marketing kit site 
2   Contents    What does GDPR stand for? 5  Why GDPR? 5  What is GDPR? 6  Who does GDPR apply to? 7  What is a Data Controller? 8  What is GDPR compliance? 8  What does GDPR mean for you? 9  What does GDPR mean for businesses? 9  What does GDPR mean for consumers? 10  When is a Data Protection Officer required? 11  What are the GDPR fines and penalties? 12  Brexit and GDPR? 13  How to prepare for GDPR? 14  Awareness 16  Information your business holds 17  Communicating privacy information 17  Covering all Individuals’ rights? 18  Dealing with subject access requests 19  Lawful basis for processing personal data 19  Consent 20  Children 21  Data Breaches 21  Data Protection by Design and Impact Assessment 22  Data Protection Officer 23  Cross-border Processing 23  Conclusion 24   
3   Part I: What you need to Know   
4   What does GDPR stand for? General Data Protection Regulation  Why GDPR? The European Commission set out plans for data protection reform in January 2012. Its mission to make Europe 'fit for the digital age'. It took almost four years for agreement to be reached on what was involved and how it would be enforced. The biggest component of the new data protection reforms is the General Data Protection Regulation (GDPR). This European union wide framework applies to organisations in every member-state and will impact not only businesses and individuals across Europe, but globally. Because if a company touches personal data of someone residing within the EU, then GDPR applies. Even if that company is based outside of Europe. In December 2015, when the reforms were agreed, Andrus Ansip, vice-president for the Digital Single Market said "The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information".  
5   What is GDPR? GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify regulations so citizens and businesses in the EU can get maximum benefit from the ‘digital economy’. Many of the laws and obligations surrounding personal data, privacy and consent were outdated. The latest reforms are designed for the internet-connected world we live in today where nearly every aspect of our lives revolves around the collection and analysis of our personal data. Today’s world is one where governments, banks, social media networks, and mobile apps record; what we buy, what we read, where we go, and what we eat, and this ‘data’ and more is willingly pushed into the public domain by almost 3 billion people worldwide ​(Source: ​https://www.internetworldstats.com​)​ and 85.7% of Europeans ​(Source: https://www.internetworldstats.com/stats9.htm#eu​)​ who are connected to the internet. Source: ​https://www.internetworldstats.com Graph ​https://www.internetworldstats.com/images/world2017Q4pie.png  
6   Who does GDPR apply to? GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. Yes, It also ​applies​ to ​organisations outside​ the ​EU ​that ​offer goods​ or ​services​ to individuals in the ​EU. That means almost every major business in the world will need to be GDPR ready on May 25th 2018, when GDPR comes into effect. Article 4 of the General Data Protection Regulation identifies two different types of data-handler that the legislation applies to. Data 'processors' and Data 'controllers'.  
7   What is a Data Controller? A Data Controller is a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data". What is a Data Processor? A Data Processor is a "person, public authority, agency or other body which processes personal data on behalf of the data controller". The UK's Information Commissioner's Office, or ICO, is the authority responsible for; registering data controllers, taking action on data protection issues and handling concerns regarding mishandling of data in the UK, states that "You will have significantly more legal liability if you are responsible for a breach. These obligations for data processors are a new requirement under the GDPR". GDPR makes a data processor responsible for maintaining and processing personal data records, with a much higher level of legal liability in the event of any breaches. Data Controllers will also be made to ensure that all contracts with data processors are also compliant with GDPR. What is GDPR compliance? It is widely accepted and frighteningly commonplace for data breaches to happen. There are many ways our personal data can be made available to people with who have malicious intent and were never supposed to have access to this data. Under GDPR, organisations will have to ensure that personal data is gathered under strict legal conditions and those who collect and manage it will be obliged to protect it or face serious penalties and hefty fines.  
8   What does GDPR mean for you? GDPR expands the current definition of personal data to not only include name, address, and photographs, but also things like an IP address, biometric and genetic data. In fact any piece of data that could, on its own or in combination with other data, be used to uniquely identify an individual. What does GDPR mean for businesses? GDPR is a single set of rules that apply to all companies doing business within EU member states, meaning that the legislation extends outside the borders of Europe itself. Many International organisations based outside of Europe, conducting activities on 'European soil' will still need to comply. The European commission hopes to save €2.3 billion annually across Europe, by making it simpler and cheaper for businesses to operate. They also claim GDPR will encourage innovation by persuading companies to build data protection safeguards like data 'pseudonymization' into in new products and technologies at the initial development stage, by fostering a 'data protection by design' culture.  
9   What does GDPR mean for consumers? In order to ensure EU citizens can take appropriate measures to prevent any leaked personal data being abused, consumers are given the right to know when their data has been hacked, within 72 hours of the organisation first becoming aware of it. Especially when it is likely to result in a risk to the rights and freedoms of individuals or lead to financial loss, loss of confidentiality, discrimination, economic or social disadvantage, or reputational damage. Just to highlight how frequent data leaks occur data privacy website itgovernance.co.uk report 20,836,531 records leaked in March 2018 (https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-march-2018/)​, almost exactly two months, to the day, before GDPR comes into effect. Consumers are also promised more control over how their personal data is processed, with companies and government bodies now being required to explain, in a clear and understandable way, how they intend to use customer information and requiring them to actively opt-in to receive specific emails and texts. Furthermore, consumers should be provided with an easy way of opting out, if they change their minds about their details being on a mailing list. There has been a recent media frenzy surrounding the 'right to be forgotten'. But this is not intended to allow criminals the freedom to go undetected but rather to allow people who no longer want their personal data processed to request it to be deleted.  
10   When is a Data Protection Officer required? An organisation must appoint a Data Protection Officer or DPO, if it is a public authority, or if it carries out large-scale processing of special categories of data, or large scale monitoring of individuals such as behaviour tracking. But all organisations will need to ensure they have the skills and staff necessary to be compliant with GDPR. There's no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner's Office, they should have professional experience and data protection law proportionate to what the organisation carries out.  
11   What are the GDPR fines and penalties? Fines of 10 million euros or up to four percent of the company's annual global turnover could be imposed for failure to comply with GDPR, depend on the severity of the breach. Ignoring subject access requests, unauthorised international transfer of personal data, or failure to put procedures in place that result in the infringements of the rights of data subjects could mean a fine of 20 million euros or four percent of worldwide annual turnover (whichever is greater). And companies could be fined half that for mishandling data in other ways. Which means fines of 10 million euros or two percent of worldwide turnover for, failure to report a data breach, failure to build in privacy by design, or not appointing a data protection officer, if required to.  
12   Brexit and GDPR? Despite the UK being poised to depart from the EU at the end of March 2019, ten months after GDPR becomes law across the EU, it doesn’t mean data subjects in the UK will be treated any differently. The UK government has already said that Brexit won't affect its implementation of GDPR.  
13   How to prepare for GDPR? There's no 'one size fits all' approach to preparing for GDPR. Each business will need to decide what needs to be done in order to comply. This could be the responsibility of an individual in a small business, or a team in a larger company. The ICO says "You are expected to put into place comprehensive but proportionate governance measures," and "Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data.” Read Part II to find out what you can do now.  
14   Part II: GDPR and Your Business - 12 things you can do now!     
15   Awareness Plan how will you communicate with people in your business about GDPR how it affects your  business and them.    You should make sure that decision makers and key people in your                        organisation are aware that the law is changing to the GDPR. They need to                            appreciate the impact this is likely to have and identify areas that could                          cause compliance problems under the GDPR. It would be useful to start by                          looking at your organisation’s risk register, if you have one. Implementing                      the GDPR could have significant resource implications, especially for larger                    and more complex organisations. You may find compliance difficult if you                      leave your preparations until the last minute.     
16   Information your business holds   How will you document what personal data you hold, where it came from, and who you share it  with.  Do you need to do an Information Audit?    The GDPR requires you to maintain records of your processing activities.  It updates rights for a networked world. For example, if you have inaccurate                          personal data and have shared this with another organisation, you will have                        to tell the other organisation about the inaccuracy so it can correct its own                            records. You won’t be able to do this unless you know what personal data                            you hold, where it came from and who you share it with. You should                            document this. Doing this will also help you to comply with the GDPR’s                          accountability principle, which requires organisations to be able to show                    how they comply with the data protection principles, for example by having                        effective policies and procedures in place.  Communicating privacy information you need to review your current privacy notices and plan any changes that you need to make  before May 25​th​ GDPR Implementation Day    When you collect personal data you currently have to give people certain                        information, such as your identity and how you intend to use their                        information. This is usually done through a privacy notice. Under the GDPR                        there are some additional things you will have to tell people. For example,                          you will need to explain your lawful basis for processing the data, your data                            retention periods and that individuals have a right to complain to the ICO if                            they think there is a problem with the way you are handling their data. The                              GDPR requires the Information to be provided in concise, easy to understand                        and clear language. The ICO’s Privacy notices code of practice reflects the                        new requirements of the GDPR.   
17   Covering all Individuals’ rights? You need to check your procedures to ensure they cover all the rights, listed below, that  individuals have, including how you would delete personal data or provide data electronically and  in a commonly used format.  The GDPR provides the following rights for individuals:  1. The right to be informed  2. The right of access  3. The right to rectification  4. The right to erasure  5. The right to restrict processing  6. The right to data portability  7. The right to object  8. Rights in relation to automated decision making and profiling​.    On the whole, the rights individuals will enjoy under the GDPR are the same                            as those under the DPA but with some significant enhancements. If you are                          geared up to give individuals their rights now, then the transition to the                          GDPR should be relatively easy. This is a good time to check your procedures                            and to work out how you would react if someone asks to have their personal                              data deleted, for example. Would your systems help you to locate and delete                          the data? Who will make the decisions about deletion?     The right to data portability is new. You need to create procedures to accommodate this.  The right to data portability only applies:  ∙ ​to personal data an individual has provided to a controller;  ∙ ​where the processing is based on the individual’s consent or for the performance of a contract;  and  ∙ ​when processing is carried out by automated means.      You will need to provide the personal data in a structured commonly used  and machine readable form and provide the information free of charge.   
18   Dealing with subject access requests You need to create procedures and plan how you will handle requests to take account of the new  rules.  In essence you need to:  ● Provide this service for free   ● Complete Requests within one month  ● If the requests are excessive or unfounded, you can refuse, but you have to say why.    If your organisation handles a large number of access requests, consider the                        logistical implications of having to deal with requests more quickly. You                      could consider whether it is feasible or desirable to develop systems that                        allow individuals to access their information easily online.  Lawful basis for processing personal data You need to identify the lawful basis for processing data, document it and update your privacy  notice to explain it. ​(to comply with GDPR accountability requirements)    Many organisations will not have thought about their lawful basis for                      processing personal data. Under the current law this does not have many                        practical implications. However, this will be different under the GDPR                    because some individuals’ rights will be modified depending on your lawful                      basis for processing their personal data. The most obvious example is that                        people will have a stronger right to have their data deleted where you use                            consent as your lawful basis for processing.   
19   Consent You need to review how you obtain, record and manage consent and make any changes. Refresh  existing consents now if they don’t meet the GDPR standard.  This means that a positive Opt-in is required and consent needs to be specifically given for each  type of communication. This is probably one area of GDPR that will drive most changes to how  your business operates.    You should read the detailed guidance the ICO has published on consent                        under the GDPR, and use your consent checklist to review your practices.                        Consent must be freely given, specific, informed and unambiguous. There                    must be a positive opt-in – consent cannot be inferred from silence,                        preticked boxes or inactivity. It must also be separate from other terms and                          conditions, and you will need to have simple ways for people to withdraw                          consent. Public Authorities and employers will need to take particular care.                      Consent has to be verifiable and individuals generally have more rights                      where you rely on consent to process their data.   
20   Children Do you offer services or handle data that belongs to children, do you verify individuals’ ages. if so  and any children are under 16 years of age, you need to get parental consent.    For the first time, the GDPR will bring in special protection for children’s                          personal data, particularly in the context of commercial internet services                    such as social networking. If your organisation offers online services                    (‘information society services’) to children and relies on consent to collect                      information about them, then you may need a parent or guardian’s consent                        in order to process their personal data lawfully. The GDPR sets the age when                            a child can give their own consent to this processing at 16 (although this may                              be lowered to a minimum of 13 in the UK). If a child is younger then you will                                    need to get consent from a person holding ‘parental responsibility’.      Data Breaches you need to make sure you have the right procedures in place to detect, report and investigate a  personal data breach.    The GDPR introduces a duty on all organisations to report certain types of                          data breach to the ICO, and in some cases, to individuals. You only have to                              notify the ICO of a breach where it is likely to result in a risk to the rights and                                      freedoms of individuals – if, for example, it could result in discrimination,                        damage to reputation, financial loss, loss of confidentiality or any other                      significant economic or social disadvantage.     
21   Data Protection by Design and Impact Assessment The GDPR makes privacy by design a legal requirement, called ‘data protection by design and by  default’. It also makes ‘Data Protection Impact Assessments’ mandatory in certain circumstances  you need to check if this affects your business.    A DPIA is required in situations where data processing is likely to result in                            high risk to individuals, for example:  ∙ ​where a new technology is being deployed;  ∙ ​where a profiling operation is likely to significantly affect individuals; or  ∙ ​where there is processing on a large scale of the special categories of data.   
22   Data Protection Officer It is recommended to have a Data Protection Officer, but you need to check if you are formally  required to have one.     You should designate someone to take responsibility for data protection                    compliance and assess where this role will sit within your organisation’s                      structure and governance arrangements. You should consider whether you                  are required to formally designate a Data Protection Officer (DPO).   You must designate a DPO if you are:  ∙ ​a public authority (except for courts acting in their judicial capacity);  ∙ ​an organisation that carries out the regular and systematic monitoring of                      individuals on a large scale; or  ∙ ​an organisation that carries out the large scale processing of special                      categories of data, such as health records, or information about criminal                      convictions. The Article 29 Working Party has ​produced guidance for                    organisations on the designation, position and tasks of DPOs.  Cross-border Processing As you operate in several EU member states you need to select a lead data protection supervisory  authority and document it. For the time being this is probably going to be the UK as that is where  the most senior staff are located. The Article 29 Working party has produced ​guidance on  identifying a controller or processor’s lead supervisory authority​.    The lead authority is the supervisory authority in the state where your main                          establishment is. Your main establishment is the location where your central                      administration in the EU is or else the location where decisions about the                          purposes and means of processing are taken and implemented..     
23   Conclusion There is no escaping the fact that wherever physically located ‘all organisations’ dealing with EU citizens (and UK citizens post-Brexit), will need to ensure they've carried out all the necessary impact assessments and are GDPR compliant by the deadline of May 25th 2018. Are you ready?        

More Related Content

PDF
GDPR: the legal aspects. By Matthias of theJurists Europe.
Matthias Dobbelaere-Welvaert
 
PDF
delphix-wp-gdpr-for-data-masking
Jes Breslaw
 
PPTX
Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson
 
PPTX
GDPR Is Coming – Are Emailers Ready?
MediaPost
 
PDF
GDPR - A practical guide
Angad Dayal
 
PPT
GDPR FAQ'S
Morgan McKinley
 
PDF
GDPR A Practical Guide with Varonis
Angad Dayal
 
PPTX
Practical Guide to GDPR 2017
Dryden Geary
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
Matthias Dobbelaere-Welvaert
 
delphix-wp-gdpr-for-data-masking
Jes Breslaw
 
Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson
 
GDPR Is Coming – Are Emailers Ready?
MediaPost
 
GDPR - A practical guide
Angad Dayal
 
GDPR FAQ'S
Morgan McKinley
 
GDPR A Practical Guide with Varonis
Angad Dayal
 
Practical Guide to GDPR 2017
Dryden Geary
 

What's hot (19)

PDF
Privacy Year In Preview
Rockwell Bower, Esq., CIPP(US), CIPM
 
PDF
Marketing data management | The new way to think about your data
Laurence
 
PPTX
Preparing for GDPR: What Every B2B Marketer Must Know
Integrate
 
PDF
Gdpr in a nutshell
Matthew Butler
 
PDF
GDPR: data needs to be in safe hands
legalandgeneral
 
PDF
Cognizant business consulting the impacts of gdpr
audrey miguel
 
PPTX
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
Jessica Pattison
 
PDF
Companies, digital transformation and information privacy: the next steps
The Economist Media Businesses
 
PPTX
NetSquared London - GDPR for charities
Tech Trust
 
PDF
Jowanna Conboye - Stephens Scown
Agile PR
 
PPTX
How to Protect Your Data
Neopost Mailing Solutions, Digital Communications and Shipping Services
 
PDF
INFOMAGAZINE 8 by REAL security
Samo Zavašnik
 
PDF
GDPR- Get the facts and prepare your business
Mark Baker
 
PPTX
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
PPTX
What is GDPR?
Faidepro
 
PDF
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
PDF
EveryCloud_GDPR_Whitepaper_v2
Paul Richards
 
PDF
"If we're leaving the EU, does GDPR even matter?" And other FAQs
Tech Data
 
PDF
Research on Legal Protection of Data Rights of E Commerce Platform Operators
YogeshIJTSRD
 
Privacy Year In Preview
Rockwell Bower, Esq., CIPP(US), CIPM
 
Marketing data management | The new way to think about your data
Laurence
 
Preparing for GDPR: What Every B2B Marketer Must Know
Integrate
 
Gdpr in a nutshell
Matthew Butler
 
GDPR: data needs to be in safe hands
legalandgeneral
 
Cognizant business consulting the impacts of gdpr
audrey miguel
 
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
Jessica Pattison
 
Companies, digital transformation and information privacy: the next steps
The Economist Media Businesses
 
NetSquared London - GDPR for charities
Tech Trust
 
Jowanna Conboye - Stephens Scown
Agile PR
 
How to Protect Your Data
Neopost Mailing Solutions, Digital Communications and Shipping Services
 
INFOMAGAZINE 8 by REAL security
Samo Zavašnik
 
GDPR- Get the facts and prepare your business
Mark Baker
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
What is GDPR?
Faidepro
 
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
EveryCloud_GDPR_Whitepaper_v2
Paul Richards
 
"If we're leaving the EU, does GDPR even matter?" And other FAQs
Tech Data
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
YogeshIJTSRD
 
Ad

Similar to GDPR, what you need to know and how to prepare for it e book (20)

PDF
GDPR - Are you ready?
VILT
 
PDF
The Countdown to the GDPR Regulations
Elliot Reeman
 
PDF
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
PDF
GDPR Whitepaper
Richard Goddard
 
PPTX
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
PDF
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
PDF
GDPR: how IT works
Morris Dorfer
 
PDF
The Essential Guide to GDPR
Tim Hyman LLB
 
PDF
The Essential Guide to GDPR
Tim Hyman LLB
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PPTX
The general data protection act overview
Roy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
PPTX
General data protection regulation
Fahad Ameen
 
PPTX
Everything you need to know about the GDPR
Spoon London
 
PDF
Horner Downey & Co Newsletter- GDPR
Jenny Ferguson
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
PPTX
Data protection
RaviPrashant5
 
PDF
Guide to-the-general-data-protection-regulation
N N
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
PPTX
How to get your business GDPR ready
Premier EPOS
 
PPTX
GDPR training
ASL
 
GDPR - Are you ready?
VILT
 
The Countdown to the GDPR Regulations
Elliot Reeman
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
GDPR Whitepaper
Richard Goddard
 
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
GDPR: how IT works
Morris Dorfer
 
The Essential Guide to GDPR
Tim Hyman LLB
 
The Essential Guide to GDPR
Tim Hyman LLB
 
Introduction to GDPR
Priyab Satoshi
 
The general data protection act overview
Roy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
General data protection regulation
Fahad Ameen
 
Everything you need to know about the GDPR
Spoon London
 
Horner Downey & Co Newsletter- GDPR
Jenny Ferguson
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
Data protection
RaviPrashant5
 
Guide to-the-general-data-protection-regulation
N N
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
How to get your business GDPR ready
Premier EPOS
 
GDPR training
ASL
 
Ad

Recently uploaded (20)

DOCX
Hand book of Entrepreneurship 4 Chapters.docx
DrSubinKMohan
 
PDF
Robin Fischer: A Visionary Leader Making a Difference in Healthcare, One Day ...
The lifescience magaizne
 
PDF
Immigration Law and Communication: Challenges and Solutions {www.kiu.ac.ug)
publication11
 
PPTX
BUSINESS CYCLE_INFLATION AND UNEMPLOYMENT.pptx
TasmiaThalil
 
DOCX
Handbook of entrepreneurship- Chapter 7- Types of business organisations
DrSubinKMohan
 
PPTX
basic introduction to research chapter 1.pptx
sangeethanagaraj8
 
DOCX
Center Enamel Powering Innovation and Resilience in the Italian Chemical Indu...
cecvessels
 
PDF
#1 Safe and Secure Verified Cash App Accounts for Purchase.pdf
Buy Verified Cash App Accounts
 
PDF
Middle East's Most Impactful Business Leaders to Follow in 2025
thearabbusiness
 
PPTX
TRAINNING, DEVELOPMENT AND APPRAISAL.pptx
sy2773667
 
DOCX
80 DE ÔN VÀO 10 NĂM 2023vhkkkjjhhhhjjjj
janggookdal
 
PDF
Stacey L Stevens - Canada's Most Influential Women Lawyers Revolutionizing Th...
insightssuccess2
 
PPTX
Chapter 2 strategic Presentation (6).pptx
5624212u
 
PPTX
IITM - FINAL Option - 01 - 12.08.25.pptx
MukeshAssociates2
 
PPTX
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
PrashantNagi1
 
PDF
Comments on Clouds that Assimilate Parts I&II.pdf
Brij Consulting, LLC
 
PDF
Business Communication for MBA Students.
ssuser024a72
 
PDF
Cross-Cultural Leadership Practices in Education (www.kiu.ac.ug)
publication11
 
PPTX
IMM marketing mix of four ps give fjcb jjb
aruntambralli3813
 
PPTX
IMM.pptx marketing communication givguhfh thfyu
aruntambralli3813
 
Hand book of Entrepreneurship 4 Chapters.docx
DrSubinKMohan
 
Robin Fischer: A Visionary Leader Making a Difference in Healthcare, One Day ...
The lifescience magaizne
 
Immigration Law and Communication: Challenges and Solutions {www.kiu.ac.ug)
publication11
 
BUSINESS CYCLE_INFLATION AND UNEMPLOYMENT.pptx
TasmiaThalil
 
Handbook of entrepreneurship- Chapter 7- Types of business organisations
DrSubinKMohan
 
basic introduction to research chapter 1.pptx
sangeethanagaraj8
 
Center Enamel Powering Innovation and Resilience in the Italian Chemical Indu...
cecvessels
 
#1 Safe and Secure Verified Cash App Accounts for Purchase.pdf
Buy Verified Cash App Accounts
 
Middle East's Most Impactful Business Leaders to Follow in 2025
thearabbusiness
 
TRAINNING, DEVELOPMENT AND APPRAISAL.pptx
sy2773667
 
80 DE ÔN VÀO 10 NĂM 2023vhkkkjjhhhhjjjj
janggookdal
 
Stacey L Stevens - Canada's Most Influential Women Lawyers Revolutionizing Th...
insightssuccess2
 
Chapter 2 strategic Presentation (6).pptx
5624212u
 
IITM - FINAL Option - 01 - 12.08.25.pptx
MukeshAssociates2
 
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
PrashantNagi1
 
Comments on Clouds that Assimilate Parts I&II.pdf
Brij Consulting, LLC
 
Business Communication for MBA Students.
ssuser024a72
 
Cross-Cultural Leadership Practices in Education (www.kiu.ac.ug)
publication11
 
IMM marketing mix of four ps give fjcb jjb
aruntambralli3813
 
IMM.pptx marketing communication givguhfh thfyu
aruntambralli3813
 

GDPR, what you need to know and how to prepare for it e book

  • 1.   GDPR, What you need to know - and how to prepare for it.   © 2018.plr-printables.com a SMALL Business Marketing kit site 
  • 2. 2   Contents    What does GDPR stand for? 5  Why GDPR? 5  What is GDPR? 6  Who does GDPR apply to? 7  What is a Data Controller? 8  What is GDPR compliance? 8  What does GDPR mean for you? 9  What does GDPR mean for businesses? 9  What does GDPR mean for consumers? 10  When is a Data Protection Officer required? 11  What are the GDPR fines and penalties? 12  Brexit and GDPR? 13  How to prepare for GDPR? 14  Awareness 16  Information your business holds 17  Communicating privacy information 17  Covering all Individuals’ rights? 18  Dealing with subject access requests 19  Lawful basis for processing personal data 19  Consent 20  Children 21  Data Breaches 21  Data Protection by Design and Impact Assessment 22  Data Protection Officer 23  Cross-border Processing 23  Conclusion 24   
  • 3. 3   Part I: What you need to Know   
  • 4. 4   What does GDPR stand for? General Data Protection Regulation  Why GDPR? The European Commission set out plans for data protection reform in January 2012. Its mission to make Europe 'fit for the digital age'. It took almost four years for agreement to be reached on what was involved and how it would be enforced. The biggest component of the new data protection reforms is the General Data Protection Regulation (GDPR). This European union wide framework applies to organisations in every member-state and will impact not only businesses and individuals across Europe, but globally. Because if a company touches personal data of someone residing within the EU, then GDPR applies. Even if that company is based outside of Europe. In December 2015, when the reforms were agreed, Andrus Ansip, vice-president for the Digital Single Market said "The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information".  
  • 5. 5   What is GDPR? GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify regulations so citizens and businesses in the EU can get maximum benefit from the ‘digital economy’. Many of the laws and obligations surrounding personal data, privacy and consent were outdated. The latest reforms are designed for the internet-connected world we live in today where nearly every aspect of our lives revolves around the collection and analysis of our personal data. Today’s world is one where governments, banks, social media networks, and mobile apps record; what we buy, what we read, where we go, and what we eat, and this ‘data’ and more is willingly pushed into the public domain by almost 3 billion people worldwide ​(Source: ​https://www.internetworldstats.com​)​ and 85.7% of Europeans ​(Source: https://www.internetworldstats.com/stats9.htm#eu​)​ who are connected to the internet. Source: ​https://www.internetworldstats.com Graph ​https://www.internetworldstats.com/images/world2017Q4pie.png  
  • 6. 6   Who does GDPR apply to? GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. Yes, It also ​applies​ to ​organisations outside​ the ​EU ​that ​offer goods​ or ​services​ to individuals in the ​EU. That means almost every major business in the world will need to be GDPR ready on May 25th 2018, when GDPR comes into effect. Article 4 of the General Data Protection Regulation identifies two different types of data-handler that the legislation applies to. Data 'processors' and Data 'controllers'.  
  • 7. 7   What is a Data Controller? A Data Controller is a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data". What is a Data Processor? A Data Processor is a "person, public authority, agency or other body which processes personal data on behalf of the data controller". The UK's Information Commissioner's Office, or ICO, is the authority responsible for; registering data controllers, taking action on data protection issues and handling concerns regarding mishandling of data in the UK, states that "You will have significantly more legal liability if you are responsible for a breach. These obligations for data processors are a new requirement under the GDPR". GDPR makes a data processor responsible for maintaining and processing personal data records, with a much higher level of legal liability in the event of any breaches. Data Controllers will also be made to ensure that all contracts with data processors are also compliant with GDPR. What is GDPR compliance? It is widely accepted and frighteningly commonplace for data breaches to happen. There are many ways our personal data can be made available to people with who have malicious intent and were never supposed to have access to this data. Under GDPR, organisations will have to ensure that personal data is gathered under strict legal conditions and those who collect and manage it will be obliged to protect it or face serious penalties and hefty fines.  
  • 8. 8   What does GDPR mean for you? GDPR expands the current definition of personal data to not only include name, address, and photographs, but also things like an IP address, biometric and genetic data. In fact any piece of data that could, on its own or in combination with other data, be used to uniquely identify an individual. What does GDPR mean for businesses? GDPR is a single set of rules that apply to all companies doing business within EU member states, meaning that the legislation extends outside the borders of Europe itself. Many International organisations based outside of Europe, conducting activities on 'European soil' will still need to comply. The European commission hopes to save €2.3 billion annually across Europe, by making it simpler and cheaper for businesses to operate. They also claim GDPR will encourage innovation by persuading companies to build data protection safeguards like data 'pseudonymization' into in new products and technologies at the initial development stage, by fostering a 'data protection by design' culture.  
  • 9. 9   What does GDPR mean for consumers? In order to ensure EU citizens can take appropriate measures to prevent any leaked personal data being abused, consumers are given the right to know when their data has been hacked, within 72 hours of the organisation first becoming aware of it. Especially when it is likely to result in a risk to the rights and freedoms of individuals or lead to financial loss, loss of confidentiality, discrimination, economic or social disadvantage, or reputational damage. Just to highlight how frequent data leaks occur data privacy website itgovernance.co.uk report 20,836,531 records leaked in March 2018 (https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-march-2018/)​, almost exactly two months, to the day, before GDPR comes into effect. Consumers are also promised more control over how their personal data is processed, with companies and government bodies now being required to explain, in a clear and understandable way, how they intend to use customer information and requiring them to actively opt-in to receive specific emails and texts. Furthermore, consumers should be provided with an easy way of opting out, if they change their minds about their details being on a mailing list. There has been a recent media frenzy surrounding the 'right to be forgotten'. But this is not intended to allow criminals the freedom to go undetected but rather to allow people who no longer want their personal data processed to request it to be deleted.  
  • 10. 10   When is a Data Protection Officer required? An organisation must appoint a Data Protection Officer or DPO, if it is a public authority, or if it carries out large-scale processing of special categories of data, or large scale monitoring of individuals such as behaviour tracking. But all organisations will need to ensure they have the skills and staff necessary to be compliant with GDPR. There's no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner's Office, they should have professional experience and data protection law proportionate to what the organisation carries out.  
  • 11. 11   What are the GDPR fines and penalties? Fines of 10 million euros or up to four percent of the company's annual global turnover could be imposed for failure to comply with GDPR, depend on the severity of the breach. Ignoring subject access requests, unauthorised international transfer of personal data, or failure to put procedures in place that result in the infringements of the rights of data subjects could mean a fine of 20 million euros or four percent of worldwide annual turnover (whichever is greater). And companies could be fined half that for mishandling data in other ways. Which means fines of 10 million euros or two percent of worldwide turnover for, failure to report a data breach, failure to build in privacy by design, or not appointing a data protection officer, if required to.  
  • 12. 12   Brexit and GDPR? Despite the UK being poised to depart from the EU at the end of March 2019, ten months after GDPR becomes law across the EU, it doesn’t mean data subjects in the UK will be treated any differently. The UK government has already said that Brexit won't affect its implementation of GDPR.  
  • 13. 13   How to prepare for GDPR? There's no 'one size fits all' approach to preparing for GDPR. Each business will need to decide what needs to be done in order to comply. This could be the responsibility of an individual in a small business, or a team in a larger company. The ICO says "You are expected to put into place comprehensive but proportionate governance measures," and "Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data.” Read Part II to find out what you can do now.  
  • 14. 14   Part II: GDPR and Your Business - 12 things you can do now!     
  • 15. 15   Awareness Plan how will you communicate with people in your business about GDPR how it affects your  business and them.    You should make sure that decision makers and key people in your                        organisation are aware that the law is changing to the GDPR. They need to                            appreciate the impact this is likely to have and identify areas that could                          cause compliance problems under the GDPR. It would be useful to start by                          looking at your organisation’s risk register, if you have one. Implementing                      the GDPR could have significant resource implications, especially for larger                    and more complex organisations. You may find compliance difficult if you                      leave your preparations until the last minute.     
  • 16. 16   Information your business holds   How will you document what personal data you hold, where it came from, and who you share it  with.  Do you need to do an Information Audit?    The GDPR requires you to maintain records of your processing activities.  It updates rights for a networked world. For example, if you have inaccurate                          personal data and have shared this with another organisation, you will have                        to tell the other organisation about the inaccuracy so it can correct its own                            records. You won’t be able to do this unless you know what personal data                            you hold, where it came from and who you share it with. You should                            document this. Doing this will also help you to comply with the GDPR’s                          accountability principle, which requires organisations to be able to show                    how they comply with the data protection principles, for example by having                        effective policies and procedures in place.  Communicating privacy information you need to review your current privacy notices and plan any changes that you need to make  before May 25​th​ GDPR Implementation Day    When you collect personal data you currently have to give people certain                        information, such as your identity and how you intend to use their                        information. This is usually done through a privacy notice. Under the GDPR                        there are some additional things you will have to tell people. For example,                          you will need to explain your lawful basis for processing the data, your data                            retention periods and that individuals have a right to complain to the ICO if                            they think there is a problem with the way you are handling their data. The                              GDPR requires the Information to be provided in concise, easy to understand                        and clear language. The ICO’s Privacy notices code of practice reflects the                        new requirements of the GDPR.   
  • 17. 17   Covering all Individuals’ rights? You need to check your procedures to ensure they cover all the rights, listed below, that  individuals have, including how you would delete personal data or provide data electronically and  in a commonly used format.  The GDPR provides the following rights for individuals:  1. The right to be informed  2. The right of access  3. The right to rectification  4. The right to erasure  5. The right to restrict processing  6. The right to data portability  7. The right to object  8. Rights in relation to automated decision making and profiling​.    On the whole, the rights individuals will enjoy under the GDPR are the same                            as those under the DPA but with some significant enhancements. If you are                          geared up to give individuals their rights now, then the transition to the                          GDPR should be relatively easy. This is a good time to check your procedures                            and to work out how you would react if someone asks to have their personal                              data deleted, for example. Would your systems help you to locate and delete                          the data? Who will make the decisions about deletion?     The right to data portability is new. You need to create procedures to accommodate this.  The right to data portability only applies:  ∙ ​to personal data an individual has provided to a controller;  ∙ ​where the processing is based on the individual’s consent or for the performance of a contract;  and  ∙ ​when processing is carried out by automated means.      You will need to provide the personal data in a structured commonly used  and machine readable form and provide the information free of charge.   
  • 18. 18   Dealing with subject access requests You need to create procedures and plan how you will handle requests to take account of the new  rules.  In essence you need to:  ● Provide this service for free   ● Complete Requests within one month  ● If the requests are excessive or unfounded, you can refuse, but you have to say why.    If your organisation handles a large number of access requests, consider the                        logistical implications of having to deal with requests more quickly. You                      could consider whether it is feasible or desirable to develop systems that                        allow individuals to access their information easily online.  Lawful basis for processing personal data You need to identify the lawful basis for processing data, document it and update your privacy  notice to explain it. ​(to comply with GDPR accountability requirements)    Many organisations will not have thought about their lawful basis for                      processing personal data. Under the current law this does not have many                        practical implications. However, this will be different under the GDPR                    because some individuals’ rights will be modified depending on your lawful                      basis for processing their personal data. The most obvious example is that                        people will have a stronger right to have their data deleted where you use                            consent as your lawful basis for processing.   
  • 19. 19   Consent You need to review how you obtain, record and manage consent and make any changes. Refresh  existing consents now if they don’t meet the GDPR standard.  This means that a positive Opt-in is required and consent needs to be specifically given for each  type of communication. This is probably one area of GDPR that will drive most changes to how  your business operates.    You should read the detailed guidance the ICO has published on consent                        under the GDPR, and use your consent checklist to review your practices.                        Consent must be freely given, specific, informed and unambiguous. There                    must be a positive opt-in – consent cannot be inferred from silence,                        preticked boxes or inactivity. It must also be separate from other terms and                          conditions, and you will need to have simple ways for people to withdraw                          consent. Public Authorities and employers will need to take particular care.                      Consent has to be verifiable and individuals generally have more rights                      where you rely on consent to process their data.   
  • 20. 20   Children Do you offer services or handle data that belongs to children, do you verify individuals’ ages. if so  and any children are under 16 years of age, you need to get parental consent.    For the first time, the GDPR will bring in special protection for children’s                          personal data, particularly in the context of commercial internet services                    such as social networking. If your organisation offers online services                    (‘information society services’) to children and relies on consent to collect                      information about them, then you may need a parent or guardian’s consent                        in order to process their personal data lawfully. The GDPR sets the age when                            a child can give their own consent to this processing at 16 (although this may                              be lowered to a minimum of 13 in the UK). If a child is younger then you will                                    need to get consent from a person holding ‘parental responsibility’.      Data Breaches you need to make sure you have the right procedures in place to detect, report and investigate a  personal data breach.    The GDPR introduces a duty on all organisations to report certain types of                          data breach to the ICO, and in some cases, to individuals. You only have to                              notify the ICO of a breach where it is likely to result in a risk to the rights and                                      freedoms of individuals – if, for example, it could result in discrimination,                        damage to reputation, financial loss, loss of confidentiality or any other                      significant economic or social disadvantage.     
  • 21. 21   Data Protection by Design and Impact Assessment The GDPR makes privacy by design a legal requirement, called ‘data protection by design and by  default’. It also makes ‘Data Protection Impact Assessments’ mandatory in certain circumstances  you need to check if this affects your business.    A DPIA is required in situations where data processing is likely to result in                            high risk to individuals, for example:  ∙ ​where a new technology is being deployed;  ∙ ​where a profiling operation is likely to significantly affect individuals; or  ∙ ​where there is processing on a large scale of the special categories of data.   
  • 22. 22   Data Protection Officer It is recommended to have a Data Protection Officer, but you need to check if you are formally  required to have one.     You should designate someone to take responsibility for data protection                    compliance and assess where this role will sit within your organisation’s                      structure and governance arrangements. You should consider whether you                  are required to formally designate a Data Protection Officer (DPO).   You must designate a DPO if you are:  ∙ ​a public authority (except for courts acting in their judicial capacity);  ∙ ​an organisation that carries out the regular and systematic monitoring of                      individuals on a large scale; or  ∙ ​an organisation that carries out the large scale processing of special                      categories of data, such as health records, or information about criminal                      convictions. The Article 29 Working Party has ​produced guidance for                    organisations on the designation, position and tasks of DPOs.  Cross-border Processing As you operate in several EU member states you need to select a lead data protection supervisory  authority and document it. For the time being this is probably going to be the UK as that is where  the most senior staff are located. The Article 29 Working party has produced ​guidance on  identifying a controller or processor’s lead supervisory authority​.    The lead authority is the supervisory authority in the state where your main                          establishment is. Your main establishment is the location where your central                      administration in the EU is or else the location where decisions about the                          purposes and means of processing are taken and implemented..     
  • 23. 23   Conclusion There is no escaping the fact that wherever physically located ‘all organisations’ dealing with EU citizens (and UK citizens post-Brexit), will need to ensure they've carried out all the necessary impact assessments and are GDPR compliant by the deadline of May 25th 2018. Are you ready?