GDPR Workshop
Download as PPTX, PDF1 like149 views
The document discusses the General Data Protection Regulation (GDPR) and provides information to help organizations comply. It lists types of personal data covered by GDPR and outlines typical questions organizations may have. It also discusses developing an incident response plan for data breaches and following a process to understand how personal data flows within an organization. The final section presents options for managing a GDPR compliance project either internally or with external support.
GDPR Workshop
- 1. General Data Protection Regulation - GDPR
- 2. GDPR – Strategic Change ▶ Ownership ▶ Priorities ▶ Communication ▶ Risk ▶ Time ▶ Cost ▶ Opportunity
- 3. Biometric Data Vehicle Regn IP Address Passport Number NI Number Email Address Full Name First Name Last Name Login Details (username) Postcode Genetic Info Birthplace Date of Birth Digital Identity Credit Card No Telephone No Workplace Drivers Licence No Cookies Criminal Record Salary Gender Age It’s all of the above
- 4. TIME Awareness of GDPR Attend Public GDPR events Daunted by the scale of GDPR Start small with focused workshop or live project Implement a company specific programme Competitive Advantage curve Early Adopters Early Majority Late Majority Laggards Shock Denial Frustration Depression Experiment Decision Change success Change curve
- 6. Typical questions for discussion • What consent do I need? • Do I need to get opt-in permission for existing customers/prospects? • What is legitimate interest? • When do I have to be compliant? • What data is included? • How do I secure data in cloud software? • What is the difference between business and personal data? • How can I store data? • What if I have printed data? • Who owns the data? • What level of security is needed for data and emails? • What are my responsibilities for data shared with my supply chain? • How can I do telemarketing? • What is the impact for payroll and pensions for staff? • What are the likely fines? • How do I handle subject access requests and the confirmation of identity? • What level of education do I need for the company?
- 7. Breach Management ▶ Produce an incident management plan ▶ Communicate the plan to all staff ▶ Inform the team who to contact if they have concerns ▶ Ensure that all your suppliers / data processors have an equivalent plan (and that their teams know about it) ▶ As controller you must ensure processors report any breach without delay ▶ Damage limitation on your brand / reputation ▶ Real life risks – malicious intent, human error, ambulance chasing,…
- 8. If you take one action away today we would recommend starting with the simple process outlined here to follow data into your company to see: • What personal data is taken? • Who touches it? • What gets done with it? • Where is it stored?
- 9. One off meeting 1/2 days per week 3/4 days per week Augmentum managed √ Company managed √ Augmentum managed √ Company managed √ Augmentum managed √ Company managed √ Project Governance √ √ √ Project strategy initiation to include data mapping requirements, process review, project communication, budget planning, resource skill and availability √ √ √ Project initiation and audit pilot /project to complete data/process mapping. Process assessment and adjustment √ √√? √ Data policy drafting and sign off. Staff communication, training. Consent wording for all data capture methods √ √√? √ Engaging/managing external experts for legal, IT, etc √ √√? √ Supply chain requirements and contract implementation √ √√? √ Project testing and review √ √√? √ Ongoing review and audit √ √ √ GDPR services The complex nature of GDPR projects requires the right initiation which will then advise on the budget and resources required to work towards compliance. The matrix has been designed to give an oversight of the elements and a recognition that there will be a mix of internal and external resources required.