Post on 16-Apr-2017
GDPR
The new data protection regulations, the impact on your systems and the solutions that can assist with compliance
The Essential Guide
Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance.
I have therefore put together this guide, The Essential Guide to GDPR, and its sister website GDPRwiki.com.
This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact, particularly those that will need some attention prior to May 29 2018, the deadline for compliance. The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to become GDPR compliant. Again, this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services; as the deadline gets closer I expect more technologies and services to appear and I hope to highlight these in the next edition of this guide.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy”
Steve Wood, Deputy Commissioner, ICO
This guide focusses on:
Brexit
Controller or Processor
User Rights
Privacy by Design
Cloud Services
Data Protection Officer
Consent
Impact Assessment
The General Data Protection Regulations are the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly GDPR is designed to better take into account modern technologies, the way we work with them today and the way we are likely to work in the future.
In addition, there is a much greater emphasis on compliance following a widely-held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use.
THE 6 GDPR DATA PROTECTION PRINCIPLES:
1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject
2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws, there has been significant commentary, including a statement from the Information Commissioner's Office (ICO), suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies:
GDPR Comes Before Brexit
The GDPR comes into force on 25 May 2018; the earliest Brexit can happen is January 2019 and until then all EU laws apply.
Application
The GDPR applies to EU citizens’ data regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR to client data where the client is in the EU.
Adequate Data Protection
For an EU country to trade outside of the EU, ‘adequate’ data protection measures must be in place. It is likely that GDPR will be the standard set as ‘adequate’, and the UK would have to introduce an equal replacement if it decided to revert to existing DP regulations, which would simply be GDPR under a different name.
Competing with the EU
Data is fast becoming the new oil, and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data-centric business.
Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and of the client they sell to. Much of this data is sensitive, either for commercial reasons or because it directly relates to an individual.
Various sectors from health to finance to legal all have their own specific governance regulations, sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all.
There will not be many businesses that do not hold or process personal data, but it is important for them to understand their role and responsibilities as determined by the GDPR. The two significant roles are those of ‘controller’ and ‘processor’.
GDPR says…
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
A business will be deemed a ‘controller’ for the client, prospect and employee personal data it stores and uses.
GDPR says…
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
A cloud service provider or third-party data host will in most cases be deemed a ‘processor’.
Personal or Sensitive
It is important to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations, as different levels of protection are required, some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients.
Personal Data
The definition of personal data has been broadened to include anything that can be directly associated with an individual. GDPR broadly keeps existing definitions but adds digital footprints such as cookies and IP addresses.
GDPR says…
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR
Sensitive Personal Data
The following are the GDPR classifications for sensitive personal data:
GDPR says…
revealing racial or ethnic origin,
political opinions,
religious or philosophical beliefs,
or trade union membership,
and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person,
data concerning health or
data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR
The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9(2) is met. These include:
9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
9(2)(e) – Data manifestly made public by the data subject.
In addition to the duty of a firm to protect its information, there are a number of enhanced or new data subject rights that firms will need to be mindful of, as each could demand considerable administration capability, particularly if the necessary access and recovery tools are not in place.
Data subject access requests (DSARs) will be easier for clients and employees. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are a number of grounds for refusal if the request is manifestly unfounded or excessive.
Right to Erasure
A new right under GDPR is to have data deleted.
There are several reasons this request can be
refused such as conflicting regulations and in the
public interest but once legitimate reasons for
denial are exhausted data must be deleted.
Right to Portability
Not too dissimilar to the right to port a mobile
phone number from one supplier to another,
GDPR entitles a user to have their data exported
and transferred in a ‘machine readable format’.
Key Tools: Search, Delete, Export
Key Solution Providers
GDPR Says...
The response to a DSAR will include:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. - Article 15 of GDPR
Privacy by design is a concept that features consistently throughout the GDPR. In essence, it is the principle of considering and building in appropriate data protections during the design phase of all new projects and of changes to systems and processes.
Security by design and by default
The GDPR requires that employers (and other data processors) should be “audit-ready” at all times, meaning that all employer’s systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘privacy by design’ for sensitive data and the onus will be on employers to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this.
Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities.
Key Design Principles
Only necessary data to be processed, including:
Amount of data
Extent of processing
Retention period
Access to data
Technical measures
There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies.
Organisational measures
This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities.
GDPR Says...
Data protection by design and by default
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 23 of GDPR
Security of Processing
GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
The legislation goes on to describe the security required for processing data:
pseudonymisation and encryption
confidentiality, integrity, availability and resilience of processing systems and services
the ability to restore availability and access to personal data in a timely manner after a physical or technical incident
testing, assessing and evaluating the effectiveness of technical and organisational measures
It is an obligation to ensure that a controller only engages third-party data processors or cloud service providers if they also comply with the above.
Key Tools: Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control
Key Solution Providers
GDPR Says...
Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Article 32 of GDPR
Cloud Service Provider Checklist
□ Technical & Organisational security
□ New contract provisions
□ Demonstrable GDPR compliance
□ Data Processing Records
□ Breach Notification
□ Delete or return data post contract
□ Data Transfer transparency
□ Sub-processor permission
GDPR Says...
Processors
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Under the GDPR, you must appoint a data protection officer (DPO) if you:
are a public authority (except for courts acting in their judicial capacity);
carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
A DPO can be an outsourced role, which will pave the way for external agencies to provide this service.
DPO Duties
The DPO’s minimum tasks
To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
DPO Rights
Businesses must ensure that:
The DPO reports to the highest management level of the organisation
The DPO operates independently and is not dismissed or penalised for performing their task.
Adequate resources are provided to enable DPOs to meet their GDPR obligations.
Key Solution Providers
GDPR Says...
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
The GDPR has references to both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear, given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes, although in the event of a complaint the required level of consent for sensitive data is expected to be higher.
GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:
Ticking a box
Changing technical settings (eg making something public on Facebook)
Signed client engagement letter
GDPR is also clear as to what will NOT be acceptable as consent:
Silence
Pre-ticked boxes
General inactivity
Auditable Consent
A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given which could impact many marketing systems.
Where you already rely on consent that had been previously sought you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.
If you cannot reach this high standard of consent then you must find an alternative legal basis, or cease or not start the processing in question.
GDPR Says...
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Consent Capture
This is an emerging area of technology that enables a granular and compliant approach to capturing user consent whilst providing the right processing and privacy notices. In addition, these solutions will ensure that all consent captured is auditable.
Key Vendors
GDPR Says...
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
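One way to keep the verifiable consent record that the Auditable Consent section and Article 7 above call for, as an added example that is not code from this guide or from any vendor it names: an append-only ledger that records how and when consent was given or withdrawn per purpose, refuses the forms the guide says are not consent, answers the point-in-time question "was consent in force when we processed?" so that withdrawal does not retroactively taint earlier processing, and hash-chains its entries so edits or deletions are detectable. The method names, subject identifiers, evidence references and the hash chaining are my own assumptions.

```python
"""Append-only consent ledger (added illustration; not from the guide or any vendor)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Union

# Forms of clear affirmative action the guide lists as acceptable consent (assumed names).
ACCEPTABLE_METHODS = {"ticked_box", "changed_setting", "signed_engagement_letter"}
# Behaviours the guide says are NOT consent; recording them as consent is refused.
REJECTED_METHODS = {"silence", "pre_ticked_box", "inactivity"}
GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # pseudonymous reference to the data subject (assumed scheme)
    purpose: str      # the specific purpose consented to (Article 6(1)(a))
    action: str       # "given" or "withdrawn"
    at: datetime      # when it happened, timezone-aware UTC
    method: str       # how it was expressed, e.g. "ticked_box"
    evidence: str     # reference to the notice/form version shown (constructed value)
    prev_hash: str    # digest of the preceding entry, so edits and deletions show up
    digest: str       # SHA-256 over this entry's fields plus prev_hash


def _as_utc(at: Union[None, str, datetime]) -> datetime:
    """Accept None (now), an ISO-8601 string, or a datetime; return aware UTC."""
    if at is None:
        return datetime.now(timezone.utc)
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    if at.tzinfo is None:
        at = at.replace(tzinfo=timezone.utc)
    return at.astimezone(timezone.utc)


def _fields(subject_id, purpose, action, at, method, evidence) -> dict:
    return {"subject_id": subject_id, "purpose": purpose, "action": action,
            "at": at.isoformat(), "method": method, "evidence": evidence}


def _digest(fields: dict, prev_hash: str) -> str:
    payload = json.dumps(fields, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Records how and when consent was given or withdrawn, per subject and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []  # append-only; nothing removes entries

    def _append(self, subject_id, purpose, action, method, evidence, at) -> ConsentEvent:
        at = _as_utc(at)
        prev = self._events[-1].digest if self._events else GENESIS
        fields = _fields(subject_id, purpose, action, at, method, evidence)
        event = ConsentEvent(subject_id, purpose, action, at, method, evidence,
                             prev, _digest(fields, prev))
        self._events.append(event)
        return event

    def record_consent(self, subject_id, purpose, method, evidence, at=None) -> ConsentEvent:
        """Only a clear affirmative action counts; silence or a pre-ticked box is refused."""
        if method in REJECTED_METHODS or method not in ACCEPTABLE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        return self._append(subject_id, purpose, "given", method, evidence, at)

    def record_withdrawal(self, subject_id, purpose, method, at=None) -> ConsentEvent:
        """Withdrawal must be as easy as giving consent, so any channel is accepted."""
        return self._append(subject_id, purpose, "withdrawn", method, "withdrawal", at)

    def may_process(self, subject_id, purpose, at=None) -> bool:
        """Was consent for this exact purpose in force at time `at`?
        Point-in-time, so processing done before a withdrawal stays lawful (Article 7(3))."""
        at = _as_utc(at)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        # Stable sort: on identical timestamps the later-recorded entry wins.
        return sorted(relevant, key=lambda e: e.at)[-1].action == "given"

    def evidence_for(self, subject_id, purpose) -> List[ConsentEvent]:
        """The audit trail used to demonstrate consent to a supervisory authority (Article 7(1))."""
        return [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]

    def verify_chain(self) -> bool:
        """Recompute every digest; any altered or removed entry breaks the chain."""
        prev = GENESIS
        for e in self._events:
            fields = _fields(e.subject_id, e.purpose, e.action, e.at, e.method, e.evidence)
            if e.prev_hash != prev or e.digest != _digest(fields, prev):
                return False
            prev = e.digest
        return True
```

Consent is keyed by purpose, so consent captured for one purpose never silently covers another, which is the granularity the Consent Capture section describes.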
A common theme throughout the GDPR is accountability and demonstrating compliance, i.e. making it evident to the Data Protection Authority that you are meeting obligations. An important component of accountability, and mandatory in certain circumstances, is the Impact Assessment.
Definition
A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins.
Scope
New to the GDPR, all businesses (both controllers and processors) are impacted.
Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks.
Content
An Impact Assessment must contain the following:
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects;
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
GDPR Says...
Data protection impact assessment
1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
Dark Data
One of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable, and therefore not discoverable, is also known as ‘dark data’. The most common example found is a PDF file whose content has not been OCR’d, leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request.
There are a number of software solutions available that will scan your network for ‘dark data’, identify it and convert it to searchable data.
Method
An Impact Assessment has the following steps:
Review existing or planned data processing activities
Map data flows within the organisation by system and by process
Identify any compliance risks
Determine any mitigation required and develop an action plan
Determine whether your core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale.
If yes to the above, appoint a DPO.
Key Solution Providers
The GDPRREADY Compliance Plan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPRREADY 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance.
Step 1 – EDUCATE
The EDUCATE phase consists of a combination of interactive workshops and
stakeholder interviews, designed to generate a high level of understanding of the
impending legislation and any changes to system, policy or process in order to
achieve GDPR compliance.
GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders
GDPR Assessment workshop - A workshop for internal staff responsible for
owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers Stakeholder Interviews – one to one discussions with key stakeholders to
document departmental processes involving personal data. STEP 2 – DISCOVER
The DISCOVER phase uses the Data Protection Impact Assessment (as
recommended by the Information Commissioners Office) to discover any risk or
exposure the firm may currently have.
Impact Assessment – using our GDPRready Data Register and GDPRready Impact assessment templates you will document, data flows, gap analysis, risk assessment and remediation plans.
STEP 3 – PLAN
GDPR Preparation Plan – document the actions needed to prepare for and maintain GDPR compliance. Understand the budget required and the systems and processes that require modification.
STEP 4 – MAINTAIN
Prepare for new obligations such as Breach Response and DSAR Processing.
Review existing InfoSec policies and procedures to ensure they align with GDPR.
EACH PHASE IS SUPPLEMENTED BY GDPRREADY TEMPLATED PROCESSES AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW
GDPRREADY COMPLIANCE PLAN – ACTION SUMMARY
PHASE 1 – EDUCATE
Actions: GDPR Workshop; Impact Assessment Workshop; Stakeholder Interviews
Documents: DOC 1 - Guide to GDPR Essentials; DOC 2 - GDPR Checklist
PHASE 2 – DISCOVER
Actions: Complete Impact Assessment Data Map; Complete Impact Assessment Risk Register; Produce Impact Assessment Remediation Plan
Documents: DOC 3 - Data Register; DOC 4 - Impact Assessment
PHASE 3 – PLAN
Documents: DOC 5 - GDPR Compliance Plan; DOC 6 - Privacy Notice Checklist; DOC 7 - User Awareness Program; DOC 8 - Cloud Service Provider Compliance Checklist; DOC 9 - Subject Access Request Procedure
PHASE 4 – MAINTAIN
Documents: DOC 10 - Information Security Policies; DOC 11 - International Data Transfer Guidance; DOC 12 - Consent Form Templates; DOC 13 - Processing Record Template; DOC 14 - Breach Notification Template
SOLUTION PROVIDER | GDPR FUNCTION | FEATURE DETAIL
Data Subject Access Request
Data Discovery
Comprehensive data discovery and management are essential for GDPR compliance. To ensure a timely and efficient response to any Data Subject Access Request (DSAR), every location where personal information is stored should be easily discoverable.
contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable. contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation.
DocsCorp will be publishing a white paper and hosting a number of GDPR events across Europe. Drop us an email to events@docscorp.com to stay updated and get your free white paper and event invitation.
For more information please check the product description below or visit:
http://www.docscorp.com/contentcrawler/
Bulk Processing for Document Management
contentCrawler is an integrated analysis, processing and reporting framework that intelligently assesses documents in a Document Management System and determines if they require OCR and/or file compression processing.
Organisations can bulk process documents in the DMS using either the OCR or Compression modules. Or, they can do both. For example, contentCrawler will convert all image-based documents in the DMS to text-searchable PDFs. The Compression module will then apply compression and down-sampling in order to minimise the file size of the resulting PDF documents.
The automated end-to-end process can run 24/7 without any staff intervention, emailing periodic notifications of processing statistics and error reporting to the IT Administrator. Staff no longer have to worry about OCR or compression as a process or workflow.
Key Benefits
Ensure all documents are indexed for searching and are therefore discoverable
Simplify management of image-based documents
Reduce non-compliance risks
Increase efficiency through automation
Leverage existing investment in DMS and search technology
Reduce costs of managing OCR and Compression technology
Privacy by Design
Cyber Security
iboss is a cyber security platform that uses cloud technology to extend preventative and predictive multi-layered security to any size of organisation, in any place and to any device. The result is a lower risk profile and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR regulations and can lower associated fines if data breaches occur.
Privacy by Design
Data Leakage Protection
iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (web, email, DNS, P2P etc.).
Privacy by Design
Content Management
Granular gateway level controls against web access and application usage
Right to access
Privacy by Design
Access Control
Document Protection
Search
iManage Govern – Govern critical information at every step of the engagement and beyond
iManage Govern lets you manage your engagement files according to each client's retention policies, from creation through to disposal, all while ensuring your organisation meets audit and discovery requirements.
Improve governance: by applying retention policies centrally across both electronic and physical client records
Integrated document and records management: through seamless operation with iManage Work
Boost productivity: and reduce risk by taking records management responsibility off your professionals' shoulders
Manage information in place: without copying to a separate system
Reduce operating costs: by moving inactive projects to a governed, searchable archive
Privacy by Design
Secure File Transfer
iManage Share – Fast, easy and secure sharing of professional work product
Securely exchange work product with your clients, partner firms and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files.
With iManage Share:
Share, edit and collaborate on work product from within iManage Work.
Share files from your Outlook email: Share files as secure links directly from Outlook.
Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo.
Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet.
Know what is shared and with whom: Monitor who is accessing your files and when.
Privacy by Design
Right to Access
Document Protection
Search
DSAR response
Access Control
iManage Work – Manage documents, emails and more in a single engagement file
Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner.
Improve productivity: Suggested email filing keeps you ahead of inbox overload
Make better decisions: Document timelines, dashboards and analytics cut through clutter, enabling faster, better decisions
Find everything: Search across all work product (documents, emails, images), automatically tuned to your work style
Be more responsive: Secure mobile access means you can view and edit your work from anywhere
Work smarter: Integrates seamlessly with the applications you're already using to save time
Privacy by Design
Document Protection
Access Control
Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control.
Several features of Intapp Walls can help address GDPR requirements for "privacy by design", "privacy by default" and the Accountability principle.
Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control
Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information
Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries
Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls
Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered on an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches
Data Protection Officer
Education
The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security.
The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. These provide opportunities for peer networking, cross-functional dialogue and a better understanding of common problems and trends, including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls.
Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference.
Intapp Professional Services offers a Risk Consultancy practice that will assess your firm's approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations.
Privacy by Design
Data Leakage Protection
Secure Archive
Security
Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary, with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case.
Mimecast solves important archiving challenges by:
Archiving email in the cloud
Responding quickly to litigation requests
Retaining important company files
Archiving Lync IM conversations
A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions.
Consent
Consent Capture
Consentric Permissions is a tool for managing citizens' consent for usage of their data. It is a cloud based product with the citizen at the heart, providing them the capability to grant or deny consent to the usage of their data for specific, clearly defined purposes.
Organisations benefit from Permissions through a simple integration with their CRM or other system(s), providing a single source of truth relating to consent. They can configure the data to be used, the purpose for which it is used, and who will request usage of the citizen's data, at a granular level, enabling citizens to clearly understand what is being asked of them. Where required, organisation users can also access citizens' records to amend consent on instruction.
All changes are subject to a full history log, including detail of how and where consent was obtained. This provides the citizen transparency and control over how their data is being accessed and used.
Privacy by Design
Consentric Permissions stores citizens' data in a secure UK sovereign data centre, with consents to share that data managed by the citizen.
Classification of the data is aligned to well-known standard schemas, or created by new custom schemas, allowing sensitive data to be managed separately and securely by the citizen.
Consentric Permissions is a trust platform, giving the citizen transparency, ownership and control of their data, enabling you to build loyal relationships with your customers.
This radical approach to storing data transforms your ability to achieve the required data protection standards through minimisation of the personal and sensitive data stored in your systems and by placing the citizen in control of their data and its usage. By integrating with Consentric Permissions, you benefit from our Privacy by Design features and save the cost of implementing them in your own systems.
Privacy by Design
Secure Data hosting
The complexity and expense of managing underlying infrastructure can be challenging for organisations as their needs fluctuate. Trustmarque's IaaS solutions enable organisations to cost-effectively deploy and run their software whilst taking full advantage of the benefits cloud computing brings. We design, build, procure and manage IaaS services to help you unlock real business value. We do this by providing specialist technical design and management knowledge, and by understanding the commercial implications of solution design and change, along with the operational considerations of a Cloud service within a traditional ITIL oriented environment.
We provide highly resilient and secure IL2, IL3 and IL4 services for OFFICIAL and OFFICIAL SENSITIVE hosting requirements. These convenient, on-demand and configurable computing resources require minimal management effort.
Impact Assessment
Compliance
Trustmarque provides full lifecycle Impact Assessment consultation. In addition, as ISO 27001 experts we can ensure that your GDPR compliance measures align with your wider InfoSec strategy.
Privacy by Design
Centralisation of sensitive data
Enabling new, enhanced user rights is a fundamental part of GDPR compliance.
PitchPerfect, with its SharePoint data repository, introduces a single centralised content management system which greatly improves the firm's ability to meet these requirements. It provides the tools for end-users to locate and extract the requested data, while restricting the ability to modify and erase data to the content managers working in the back-end.
The common distributed data practice, whereby CVs and biographies are held in multiple locations including a DMS, email system and file share, makes compliance with any of these employee access requests complex, time consuming, costly and potentially impossible.
With user photos falling into the biometric data category, new to the GDPR definition of sensitive personal data, it is compulsory to apply adequate protection. PitchPerfect ensures the right level of user access is applied.
Data Protection Officer
User Education
SkillBuilder eLearning provides new, innovative ways to empower employees and end users with accessible tools and technologies, enabling them to stay informed and educated in all things related to legal technology and its constantly changing updates.
SkillBuilder eLearning was built on the know-how of an over 12 million-strong backlog of ticket data and over 60,000 knowledge base articles. Our online eLearning tool increases productivity through a multifaceted portal that is branded for the firm. SkillBuilder provides a three-tiered model of service: Self-Service for users, Service Desk support provided by Solution Sender, and an LMS. All features include access to our robust library of ever-growing content tailored specifically for Legal. SkillBuilder is a single platform whose effects are felt throughout the organisation.
Consent
Data Transfer
Security of Processing
Privacy by Design
Consent
Vuture is a marketing automation platform for professional services that makes it easy to personalise email communications, streamline events and control marketing assets from a single flexible system.
Manage consent
Vuture provides a quick and easy-to-use solution to manage and automate consent. A seamless CRM integration enables you to manage and timestamp contact opt-ins within your CRM, as well as meet all Data Discovery and Data Access requirements. Unambiguous consent is achieved through a CRM-linked tickbox inserted on your preference forms.
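The consent records described for Consentric Permissions above (grant or deny per clearly defined purpose, organisation users amending consent on instruction, a full history log of how and where consent was obtained) and for Vuture here (timestamped opt-ins held alongside the CRM contact) share one underlying data model: an append-only log of consent events from which the current decision per purpose is derived, with no consent assumed for any purpose that was never decided. The following is an added illustration of that model, written for this guide; it is not code from Consentric, Vuture or any other vendor listed here. The class and field names (ConsentRegister, ConsentEvent, the purpose identifiers and the sample subject "c-1001") are assumptions chosen for the example, and the timestamps are constructed.

```python
"""Append-only consent register (constructed example, not a vendor's code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the history log."""
    subject_id: str
    purpose: str       # a clearly defined purpose the organisation configured
    granted: bool      # True = consent given, False = consent refused/withdrawn
    recorded_at: str   # ISO 8601 UTC timestamp of the decision
    source: str        # how/where consent was obtained, e.g. "web preference form"
    actor: str         # who recorded it: the subject, or a staff user acting on instruction


class ConsentRegister:
    """Single source of truth for consent: events are only ever appended."""

    def __init__(self, purposes: List[str]) -> None:
        # Only purposes the organisation has defined in advance may be recorded,
        # so a typo in a purpose name cannot silently create a new one.
        self._purposes = frozenset(purposes)
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               source: str, actor: str,
               when: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in self._purposes:
            raise ValueError(f"unknown purpose: {purpose!r}")
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        event = ConsentEvent(subject_id, purpose, granted,
                             ts.isoformat(), source, actor)
        self._events.append(event)   # never update or delete earlier entries
        return event

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full, ordered history for one subject (what a DSAR response needs)."""
        return [e for e in self._events if e.subject_id == subject_id]

    def current_state(self, subject_id: str) -> Dict[str, bool]:
        """Latest decision per purpose; undecided purposes are simply absent."""
        state: Dict[str, bool] = {}
        for e in self.history(subject_id):
            state[e.purpose] = e.granted
        return state

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Processing is allowed only on an explicit, still-current grant."""
        return self.current_state(subject_id).get(purpose, False)

    def export_for_subject(self, subject_id: str) -> dict:
        """Plain-dict export for a subject access request or for the citizen's own view."""
        return {
            "subject_id": subject_id,
            "current": self.current_state(subject_id),
            "history": [asdict(e) for e in self.history(subject_id)],
        }


def build_sample_register() -> ConsentRegister:
    """Constructed sample: one contact grants marketing email, later withdraws it."""
    reg = ConsentRegister(["marketing_email", "event_invitations", "profiling"])
    reg.record("c-1001", "marketing_email", True, "web preference form",
               "subject", datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    reg.record("c-1001", "event_invitations", True, "web preference form",
               "subject", datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    # Withdrawal recorded by a staff user on the contact's written instruction.
    reg.record("c-1001", "marketing_email", False, "email to data.protection@",
               "staff:dpo-office", datetime(2018, 6, 3, 14, 30, tzinfo=timezone.utc))
    return reg


if __name__ == "__main__":
    r = build_sample_register()
    print(r.export_for_subject("c-1001"))
```

Two design points matter for GDPR rather than for tidiness: `may_process` returns False for a purpose that has never been decided, so a missing record can never be mistaken for consent, and withdrawal is recorded as a new event rather than by editing the original grant, so the history log the Consentric text describes survives intact and can be reproduced in a subject access response.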
Control data transfer
Vuture is a private cloud solution – each client has their own instance of the platform hosted at a location of their choice. The platform is built with privacy at its core – data never leaves the chosen location, and rigorous security policies ensure you are always fully compliant with Data Protection standards.
Privacy and security sit at the heart of Vuture’s development, and both are assessed, tested and updated on a continuous basis.
Privacy by Design
Data Leakage Protection
"Workshare's unique data loss prevention technology provides an additional layer of content awareness that includes hidden, sensitive data (metadata). Policies decide what has to be removed for compliance from a document when sent externally via email or via the cloud. This maintains security and compliance mandates to ensure no information is leaked through documents shared outside a company in the form of metadata.
Workshare is taking our extensive understanding of metadata, email attachments and secure file sharing to the next level as we develop further to aid companies in the prevention of data loss. Because we have insight into multiple sharing channels and deep understanding of content, including metadata, Workshare can provide companies with visibility via a reporting system. Reports can be oriented around particular senders, receivers, and types of metadata to monitor for leakage or misuse. As the proposition develops, we will encompass words within context in a document or metadata and extend this detection to non-email sharing channels. Once detected, we can educate and empower users to take appropriate corrective action to protect their sensitive content."
We hope you found the first edition of this guide useful.
To recommend content or a solution for the second edition or GDPRwiki.com please contact:
info@2twenty4consulting.com