Infinitic Consultancy

GDPR Compliance

Impact of the GDPR to Companies: Data Breach Notification

The new EU General Data Protection Regulation (GDPR) makes it mandatory for organisations to notify the EU member state’s Data Protection Supervisory Authority (DPA) and, in some cases, affected data subjects in the event of a personal data breach. This specific GDPR requirement to notify makes it imperative for organisations to make sure they have effective incident reporting and investigation policies and procedures for personal data breaches that are understood and implemented by their staff. The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” However, under the GDPR, notification is not required if a personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. This means the organisation may have an opportunity to review, consider or argue the necessity of notifying a data breach, but all this must be done within the 72-hour deadline.

In order to comply with the data breach notification obligation, organisations that process personal data of EU citizens should ensure that they have appropriate and effective corporate incident management and investigation policies, with clear internal procedures and guidelines on identifying and reporting security breaches and carrying out root cause analyses. Under the GDPR, data controllers must notify the supervisory authority without delay and, where practicable, not later than 72 hours after having become aware of the incident. A personal data breach notification delay of more than 72 hours will have to be well justified. The notification to the DPA should at the minimum contain the following information: If the information above is not available immediately within 72 hours, it may be provided after the data breach notification.
Data processors do not have an obligation to notify data breaches to the DPA but must notify the data controller immediately so that the data controller can take the necessary actions. The GDPR offers guidance on required security standards; data controllers are obliged to ensure that their data processors provide sufficient guarantees of adequate and appropriate security safeguards to protect personal data and the rights of data subjects.

Organisations will need to implement effective policies and procedures to comply with the GDPR data breach obligations. Staff must be made aware of the organisation’s procedures and processes and must be appropriately trained to ensure they are able to identify and report data breaches. DPOs must be able to investigate data breaches and carry out a root cause analysis for each incident to ensure lessons are learned and recurrence of incidents is avoided. For the organisation’s incident management policies and procedures to be effectively implemented, the organisation needs to develop a culture that encourages staff to report incidents. The whole incident management process must be treated as a learning exercise rather than an exercise to apportion blame and liability for internal discipline. The following are the key steps that organisations must take to ensure compliance with the GDPR data breach obligations:


Impact of the GDPR to Companies: The mandatory DP Officer

The GDPR requires organisations to appoint or designate a data protection officer (DPO) with responsibilities to inform and advise the organisation about compliance with GDPR obligations and other data protection laws. The DPO requirement applies to both data controllers and data processors. The DPO will also be responsible for monitoring the organisation’s compliance with the GDPR, managing internal data protection activities and carrying out data protection impact assessments, ensuring that the organisation has access to effective advice on data protection risks and issues. The DPO must be the organisation’s main contact for the supervisory authorities and for individuals whose data is processed, and also has responsibilities for staff data protection training, staff advice and carrying out internal audits. DPOs are expected to have expert knowledge of data protection law and practices, and the level of knowledge should be determined by the type, level and volume of the organisation’s personal data processing and the protection required for the personal data being processed. The GDPR does not specify the qualifications a data protection officer should have; however, it requires that the DPO have professional experience and knowledge of data protection law proportionate to the type of processing the organisation carries out. The GDPR does not put a limit on the size of companies that should appoint DPOs. It states that DPOs must be appointed by all public authorities and by organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or where high-volume processing of special categories of personal data as defined in the GDPR (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.) takes place.

Reporting Arrangements and Seniority of DPOs

The GDPR defines the minimum tasks of the DPO in Article 39.
It states that the DPO must be responsible for reporting to the highest management level of the organisation, which basically means they must be a board-level member of the organisation or equivalent. One of the fundamental aspects of the role of the DPO in the organisation is that they must be allowed to operate independently and cannot be dismissed or penalised for performing their tasks. This removes the element of bias in the DPO’s role as an advisor to the organisation and ensures that they operate without any conflict of interest and are able to challenge decisions that are not compatible with the GDPR and other data protection legislation at a very senior level in the organisation. The GDPR also requires that adequate resources are provided to enable DPOs to meet their GDPR obligations. The DPO role can also be allocated to existing members of staff in an organisation as long as their professional duties are compatible with the duties of the DPO as specified in the GDPR, i.e. the DPO must be allowed to work independently and should not have any conflict of interest. Organisations that do not wish to employ a full-time DPO may contract out the DPO role externally, as long as the governance arrangements make the DPO readily available for advice to staff and senior management. The DPO requirements set out in the GDPR must be fully complied with, and the appointment of the DPO must not be seen as a tick-box exercise or a superficial way of complying with the regulations. Operational effectiveness and understanding of data protection legal requirements are what the organisation should be getting from the DPO. Organisations may also want to consider appointing a DPO with a good understanding of information risk management, which is essential in the ever-changing cyber security environment.
The DPO should be able to identify and anticipate threats to personal data and be able to review and assess the vulnerabilities of the organisation’s systems and other information assets.


Impact of the GDPR to Companies: Consent Requirements

Consent was one of the most robustly argued subjects during the drafting of the GDPR and remains a lawful basis for processing, transfer or disclosure of personal data under the GDPR. The GDPR sets a very high standard for consent by clearly defining it as: “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;” The major change under the GDPR is that consent must be unambiguous to be valid, meaning data subjects should clearly express agreement or make a statement that clearly says “yes” to the actual processing of their personal data for a specific purpose. This may be by clicking or ticking a box, actively selecting settings or making a clear declaration. Consent will also be considered valid where a data subject acts in a clear way which expresses or affirms their consent. Even though the GDPR does not require explicit consent for all types of data processing, it makes it clear that “silence, pre-ticked boxes or inactivity should therefore not constitute consent.” The GDPR requires explicit consent only for processing sensitive personal data, but “unambiguous” consent will suffice for non-sensitive data, permitting organisations to use implied consent to some degree if a data subject’s actions are clearly and adequately indicative of their agreement to specific data processing. The fundamental challenge that organisations face with the new GDPR consent requirements is the requirement of organisational accountability and providing proof of consent.
The GDPR requires the data controller to be “able to demonstrate that consent was given by the data subject to the processing of their personal data”, meaning data controllers can no longer rely on implicit or “opt-out” forms of consent in some cases but will need to show that the data subject indicated their agreement by way of a “statement or clear affirmative action”. Organisations face the difficult task of reviewing the way consent is recorded and ensuring that data subjects are adequately informed and agree to the processing of their personal data. It is no longer sufficient to just record that an individual has ticked a box; organisations will need to keep records and audit trails that show that data subjects have been fully informed, by way of notices etc., and have freely agreed to their data being processed for a specific purpose. Failure by a data controller to verify consent records may lead to a breach of the GDPR requirements for legal consent and exposes the organisation to a risk of enforcement for processing personal data without a lawful basis. Any infringements of the basic principles of personal data processing under the GDPR, “including conditions for consent”, can be subject to huge financial penalties for organisations, which may be up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide turnover of the preceding financial year, whichever is higher. This makes documenting consent one of the most important actions organisations must take to comply with the GDPR. Infinitic Compliance Services can help your organisation carry out a risk assessment and ensure you are prepared for the GDPR. Our consultants can help you develop processes and systems that enable your organisation to record proof of consent. Please contact us if you require help with developing effective and GDPR-compliant consent processes.


ICO Publishes Guide For GDPR Compliance

The UK Information Commissioner’s Office (ICO) has published a 12-step guide to help organisations prepare for the EU General Data Protection Regulation (GDPR). The guidance outlines 12 steps that organisations need to follow to ensure their processes, systems and policies comply with the new regulation. The ICO has indicated that it will set out its plans to produce new guidance and other tools to assist organisations in preparing for the GDPR over the next few months. The ICO will also be working closely with trade associations and bodies representing the various sectors to facilitate sector-based implementation of the GDPR. Accountability is a key issue within the GDPR, and organisations that process personal data must ensure that they have documented policies, procedures and processes articulating how they manage and comply with data protection requirements and legislation as an organisation. Data controllers will no longer be required to register their processing activities with the ICO but will face strict requirements to maintain comprehensive records of their processing. Some data controllers and processors will be required to designate a Data Protection Officer (DPO) as part of their accountability programme, particularly where the data controller’s or processor’s core activities consist of processing special categories of personal data on a large scale. The GDPR still places the burden for data protection on data controllers. A lot of the work for organisations that wish to comply with the GDPR will go into reviewing data flows, determining the lawful basis for each data flow and reviewing procedures for individuals’ rights to ensure they cover all the rights individuals have, including the organisation’s procedures for deleting personal data and for ensuring that personal data can be provided electronically in a commonly used format.
Organisations may also need to review arrangements for sharing data with other organisations to ensure contracts are fit for purpose and meet the requirements of the GDPR. The GDPR contains more detailed requirements for the data controller-processor relationship. This means most data controllers will need to review their data processor contracts, as data processors have additional duties under the GDPR and are liable for non-compliance with their contractual obligations or for acting outside the data processing authority granted by a controller. The ICO checklist is a good starting point for working out the areas that your organisation may need to address to comply with the GDPR. The ICO checklist effectively highlights the differences between the current Data Protection Act and the GDPR, making it easier for organisations to identify gaps and areas of risk. A copy of the GDPR guidance is available at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
