Page 1: Preparing for the General Data Protection …iqcs.org/wp-content/uploads/2017/06/GDPR-Steps-to-take...GfK UK Director, Information Security &Data Protection GfK Regional Research &

1 © GfK 2017 | GDPR – Inside an organisation

Preparing for the General Data Protection Regulation - inside an organisation

Jackie Megahey
GfK UK Director, Information Security & Data Protection
GfK Regional Research & Quality Director, UK, Nordics & Baltics

Version: V2.0
Date: 25/05/2017

Page 2: 12 Steps to take now

• In today’s session I will be taking you through the ICO’s guidance “Preparing for the General Data Protection Regulation” (GDPR) and the 12 steps to take now
• I will also show some examples of how this is being managed / implemented within GfK
• All other suggestions / examples welcome!

Page 3: Step 1. Awareness (ICO)

• Identify decision makers and key people and make sure they are aware of the law change
• They need to appreciate the impact and identify areas that could cause compliance problems
• Start by looking at your organisation’s risk register
• Consider any significant resource implications
• Take time to lead in with a clear awareness campaign
• Last minute compliance will be difficult!

Page 4: Complexity and Volume

Resources / workstreams:
• >2 million panelists
• 15K staff
• <200K clients/others
• 50K databases
• Unstructured/analog data

Product impact:
• ~200 global BA/EA
• ~800 local apps
• >100 products

Project workstreams: Intelligence, Service, Application Changes, Audit & Governance

Page 5: Awareness at GfK

• Started in the UK in 2016 with Compliance Training and Awareness for all staff
• Tailored training specific to each audience:
  • Researchers
  • Shared services – HR, IT, Finance, etc.
  • Point of Sales
  • Mystery Shopping
  • Legal
  • Operational, etc.
• Introduced GDPR into induction training for all new staff
• GfK Group Privacy module soon to be available on our online training platform
• Security training module developed alongside privacy
• Ongoing…

Page 6: Making the message accessible

SHOW SECURITY VIDEO

Page 7: Making the message accessible

Multiple channels to get the message across and raise awareness: intranet, videos, e-news…

Appointment of a GDPR Project Manager

Page 8: Step 2. Information you hold (ICO)

• Document what personal data you hold, where it came from and who you share it with
• Organise an information audit across the organisation
• Take into account employee, participant, panellist, client and supplier data
• The GDPR updates rights for a networked world
• If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation that the data is inaccurate

What, where, who
• Document it
• Helps to comply with the accountability principle
• Demonstrates that you have effective policies and procedures in place

Page 9: Data flow diagrams may help…

Page 10: … Or be quite scary!!

Page 11: Information gathering questionnaire

• Started assessment of some 700+ applications holding personal data by way of an online questionnaire sent out to application owners / users, covering:
  • Location of app
  • PII categories / sensitive PII
  • Other data leading to identity
  • Data subject details – ownership, access, transfer
  • No. of people in data set
  • Storage, back-up, access
  • Deletion
  • Correction
  • Export
  • Consent
  • Reporting
  • Privacy notices
  • Privacy by design
  • Interaction with other apps
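Step 2 asks what personal data is held and where. Owner questionnaires like the one above are the starting point, but a practitioner also wants evidence from the systems themselves, because owners routinely forget free-text notes fields and log tables. The script below is an added example, not code from the deck or from GfK: it scans constructed sample stores for personal-data markers and produces a "what, where" register per application. The store names, field names, sample rows and the detection patterns are all assumptions for illustration.

```python
"""Added example (not from the GfK deck): scan constructed sample stores
for personal-data markers so an information audit starts from evidence
rather than from self-reported questionnaires alone.

Assumptions: the stores, field names, rows and patterns are invented."""
import re
from collections import defaultdict

# Detection patterns (assumed; real deployments tune these per country
# and pair them with validation to cut false positives).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_phone": re.compile(
        r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample data: three "applications", each a list of rows.
# Note the phone number hiding in a free-text notes field.
SAMPLE_STORES = {
    "panel-crm": [
        {"id": 1, "name": "A. Example", "email": "a.example@example.org",
         "postcode": "SW1A 1AA", "notes": "prefers evening calls"},
        {"id": 2, "name": "B. Example", "email": "b@example.net",
         "postcode": "M1 1AE", "notes": "call 07700 900123"},
    ],
    "web-analytics": [
        {"session": "s1", "client": "203.0.113.7", "page": "/survey/42"},
        {"session": "s2", "client": "198.51.100.9", "page": "/thanks"},
    ],
    "product-catalogue": [
        {"sku": "X-100", "title": "Widget", "price": "9.99"},
    ],
}


def scan_value(value):
    """Return the set of PII categories detected in one cell."""
    text = str(value)
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def scan_store(rows):
    """Map field name -> sorted categories seen in that field, so the
    register records where personal data sits inside the application,
    not only that the application holds some."""
    found = defaultdict(set)
    for row in rows:
        for field, value in row.items():
            found[field] |= scan_value(value)
    return {f: sorted(c) for f, c in found.items() if c}


def build_register(stores):
    """Step 2 'what, where' record: one entry per application. Apps with
    no hits still appear, so the audit can show they were checked."""
    return {name: scan_store(rows) for name, rows in stores.items()}


def stores_needing_followup(register):
    """Applications whose questionnaire answers must be reconciled with
    evidence: anything holding detectable personal data."""
    return sorted(name for name, fields in register.items() if fields)


if __name__ == "__main__":
    reg = build_register(SAMPLE_STORES)
    for app, fields in reg.items():
        print(app, fields or "no personal-data markers found")
    print("follow up:", stores_needing_followup(reg))
```

Pattern matching over-reports (a postcode-shaped product code, a version string that looks like an IP address), so treat a hit as a pointer to a field that needs the owner's confirmation, not as a finding in itself. The useful output is the disagreement between what the questionnaire said and what the scan found.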

Page 12: Step 3. Communicating privacy information (ICO)

• Review current privacy notices and put a plan in place to implement changes (if necessary):
  • Survey invitation
  • Online privacy notices
  • T&Cs with your panel
  • Thank you leaflets
  • Information for qualitative groups
• Review what additional information you need to give in these notices.
  • For example, explaining your legal basis for processing the data, your retention periods, and individuals’ right to complain to the ICO
• A challenge for telephone surveys!

Page 13: Use concise, easy to understand and clear language

• Always a challenge when collecting information in a very complicated way – some examples

Page 14: Step 4. Individuals’ rights (ICO)

• Check, where necessary, that procedures cover all rights:
  • Subject access
  • To have inaccuracies corrected
  • To have information erased
  • To prevent direct marketing
  • To prevent automated decision-making and profiling
  • Data portability
• Would your systems help you to locate and delete data?
• Who will make the decisions about deletion?
• Data portability – provide the data electronically and in a commonly used format; can you do this?

Page 15: Updating policies and publishing them

Document policies, to meet the requirement of accountability

Page 16: Step 5. Subject access request (ICO)

• Do your procedures meet the new timescales for providing information?
  • Respond within 1 month, rather than 40 days
  • In most cases there can be no charges
  • Manifestly unfounded or excessive requests can be charged for or refused
  • If you want to refuse a request, have policies and procedures in place to demonstrate why the request meets these criteria
• Additional information to provide:
  • Data retention periods
  • The right to have inaccurate data corrected
• What are the logistical impacts for your organisation of a large volume of requests?
• Do a cost/benefit analysis of providing online access for individuals to their data
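Steps 4 and 5 together ask a systems question: can you locate one individual's data, hand it over in a commonly used format, delete it on a recorded decision, and do all of that within a month? The following is an added example, not from the deck or GfK's systems, showing one shape of a subject-access handler over constructed in-memory stores. The store layout, the shared `subject_id` join key, the `approved_by` field on erasure and the calendar-month deadline rule are assumptions; the page itself says only "within 1 month".

```python
"""Added example, not from the deck: locate, export (JSON), erase with a
logged decision, and compute a response deadline for a subject access
request. Store layout, join key and deadline rule are assumptions."""
import calendar
import json
from datetime import date

# Constructed sample stores keyed by a subject identifier. In real
# estates the join key is often an email or panel ID held in several
# places, which is what the Step 2 audit is meant to surface.
STORES = {
    "panel-crm": [
        {"subject_id": "P-1001", "email": "a@example.org", "consent": "2017-03-01"},
        {"subject_id": "P-1002", "email": "b@example.org", "consent": "2017-04-12"},
    ],
    "survey-results": [
        {"subject_id": "P-1001", "survey": 42, "answers": {"q1": "yes"}},
        {"subject_id": "P-1001", "survey": 43, "answers": {"q1": "no"}},
        {"subject_id": "P-1002", "survey": 42, "answers": {"q1": "yes"}},
    ],
}

# Decisions about deletion are recorded rather than taken silently.
ERASURE_LOG = []


def response_deadline(received, months=1):
    """Assumed rule: one calendar month from receipt, clamped to the last
    day of the month when the same day number does not exist
    (31 January -> 28 February)."""
    month = received.month - 1 + months
    year = received.year + month // 12
    month = month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def locate(subject_id, stores=STORES):
    """Find every record for the subject, grouped by store. Stores with
    no match still appear, so the response can say they were searched."""
    return {name: [r for r in rows if r.get("subject_id") == subject_id]
            for name, rows in stores.items()}


def export_portable(subject_id, stores=STORES):
    """Data portability: the located records as JSON with stable key
    order, so the subject or a new controller can parse it."""
    bundle = {"subject_id": subject_id, "records": locate(subject_id, stores)}
    return json.dumps(bundle, sort_keys=True, indent=2)


def erase(subject_id, approved_by, stores=STORES):
    """Delete the subject's records and log who approved it and how many
    rows went, so the erasure can be demonstrated later. Returns count."""
    removed = 0
    for name, rows in stores.items():
        keep = [r for r in rows if r.get("subject_id") != subject_id]
        removed += len(rows) - len(keep)
        rows[:] = keep  # mutate in place so callers holding the list see it
    ERASURE_LOG.append({"subject_id": subject_id, "approved_by": approved_by,
                        "rows_removed": removed})
    return removed


if __name__ == "__main__":
    print("deadline:", response_deadline(date(2018, 1, 31)))
    print(export_portable("P-1001"))
    print("removed:", erase("P-1001", approved_by="dpo"))
    print("remaining:", locate("P-1001"))
```

Two points carry over to real systems. `locate` only works because every store shares a key; where it does not (a panel ID in one system, an email address in another), the mapping table itself becomes personal data that the inventory must cover. And `erase` leaves backups untouched, so the erasure record should state what the backup retention period is, which is exactly the "data retention periods" item on the slide.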

Page 17: Ways of publishing the data – all sources to be updated

• Interactive PDF with links to policy statements
• Direct links to statements on website
• Published policy statements

Page 18: Step 6. Legal basis for processing personal data (ICO)

• Look at all types of data processing you carry out, identify the legal basis for doing so and document it
• Not just participant data, but employee, client and supplier personal data
• Have you thought of the practical implications of stronger rights of individuals to have their data deleted, when you use consent as your legal basis for processing?
• Explain your legal basis in privacy notices and subject access requests, alongside information on data retention; confirm that individuals have a right to complain to the ICO
• Information to be provided in concise, easy to understand and clear language

Page 19: At GfK we are…

• Reviewing T&Cs and MSAs to ensure the data protection clauses reflect the requirements of the GDPR
• Considering both new T&Cs/MSAs and adding a variation to existing T&Cs/MSAs
• Working with Procurement to implement an additional schedule in Standard Agency Terms to include an Information Security Schedule

Page 20: Step 7. Consent (ICO)

• Review how you are seeking, obtaining and recording consent
• Prominent, concise, separate from other terms and conditions, and easy to understand
• Confirm the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent
• Keep records to evidence consent – who consented, when, how, and what they were told.
• Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes

Page 21: What methods can you use to obtain consent? (ICO examples)

• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose – e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Page 22: Explicit consent (ICO)

• You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions

All consent must involve a specific, informed and unambiguous indication of the individual’s wishes.

The key difference is likely to be that ‘explicit’ consent must be affirmed in a clear statement (whether oral or written).
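The three consent slides above (Step 7, the ICO list of methods, and explicit consent) describe what a consent record has to evidence: who, when, how, and what they were told. This added example, not from the deck or GfK, implements a small consent ledger that stores those four things (with a hash of the exact notice wording, so a later change to the notice is detectable), refuses the signals the ICO says cannot count as consent, records withdrawal without deleting history, and distinguishes explicit consent from ordinary affirmative consent. The method names, the hash-of-notice approach and the `ConsentLedger` API are assumptions for illustration.

```python
"""Added example, not from the deck: a consent ledger keeping the evidence
the ICO asks for (who, when, how, what they were told). Method names,
record layout and the notice-hash approach are assumptions."""
import hashlib
from datetime import datetime, timezone

# Affirmative actions from the ICO list on the page, versus signals the
# page says you cannot rely on. Only a clear statement is *explicit*.
AFFIRMATIVE_METHODS = {
    "signed_form", "opt_in_box", "opt_in_button", "yes_no_choice",
    "preference_setting", "email_reply", "oral_yes", "volunteered_field",
}
INVALID_SIGNALS = {"silence", "inactivity", "pre_ticked", "opt_out_box",
                   "default_setting", "blanket_terms"}
EXPLICIT_METHODS = {"signed_form", "oral_yes", "email_reply"}


class ConsentError(ValueError):
    pass


class ConsentLedger:
    """Append-only list of consent events. Each record stores a hash of
    the exact notice text shown, so 'what they were told' can be proven
    even after the wording changes."""

    def __init__(self):
        self.records = []

    @staticmethod
    def notice_digest(notice_text):
        return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()

    def record(self, subject_id, method, purpose, controller, notice_text,
               third_parties=(), at=None):
        if method in INVALID_SIGNALS:
            raise ConsentError(f"{method} is not a valid consent signal")
        if method not in AFFIRMATIVE_METHODS:
            raise ConsentError(f"unknown method {method}")
        # Informed consent names the controller and the purpose; refuse
        # to record a receipt that omits either.
        for label, value in (("controller", controller), ("purpose", purpose)):
            if not value:
                raise ConsentError(f"missing {label}")
        rec = {
            "subject_id": subject_id,
            "purpose": purpose,
            "controller": controller,
            "third_parties": list(third_parties),
            "method": method,
            "explicit": method in EXPLICIT_METHODS,
            "notice_sha256": self.notice_digest(notice_text),
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "withdrawn": False,
        }
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose):
        """Mark every live consent for this subject/purpose as withdrawn.
        Records stay, so the history remains demonstrable. Returns count."""
        n = 0
        for rec in self.records:
            if (rec["subject_id"] == subject_id and rec["purpose"] == purpose
                    and not rec["withdrawn"]):
                rec["withdrawn"] = True
                n += 1
        return n

    def has_consent(self, subject_id, purpose, notice_text, explicit=False):
        """True only if a live consent exists for this purpose that was
        given against the current notice wording; a changed notice means
        consent must be refreshed, as the Step 7 slide requires."""
        digest = self.notice_digest(notice_text)
        return any(
            r["subject_id"] == subject_id and r["purpose"] == purpose
            and not r["withdrawn"] and r["notice_sha256"] == digest
            and (r["explicit"] or not explicit)
            for r in self.records
        )
```

The notice hash is what turns "keep consents under review and refresh them if anything changes" into a mechanical check: a deployment that edits the privacy notice without re-seeking consent will find `has_consent` returning false for every existing panellist, which is the correct, if uncomfortable, answer. Storing the full notice text alongside the digest (not shown here) makes the record self-explaining for a subject access request.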

Page 23: Step 8. Children (ICO)

• Put in place systems to verify individuals’ ages and gather parental or guardian consent
• Special protection for children’s personal data, particularly for commercial internet services such as social networking
• Consent has to be verifiable
• Privacy notice written in a language that children can understand
• Consider connecting to CEOP: https://ceop.police.uk/safety-centre/
  • They offer advice in age-appropriate language to children on how to stay safe online

Page 24: Step 9. Data breaches (ICO)

• Have the right procedures in place to detect, report and investigate a personal data breach
• Reporting to the ICO those breaches where an individual is likely to suffer some form of damage, such as identity theft or a confidentiality breach
  • The GDPR sets the reporting deadline at 72 hours after becoming aware of the breach, where feasible, so the detection and escalation procedure has to be fast enough to leave time for the decision
• Reporting to the individual, for instance, if it might lead to financial loss for them
• Failure to report could result in a fine, as well as a fine for the breach itself

Page 25: Incident Reporting

Incident types covered:
• External / internal theft
• Misappropriation of company property / intellectual property
• Inadvertent, accidental or intended illegal disclosure of information
• Breach of confidentiality
• Confidential whistleblowing

Roles shown in the reporting flow diagram: Information Security / Data Protection Director; Quality Associate Director; IT, Finance, HR, Legal, Police, Client, ICO, Data Subject

Page 26: Step 10. Data protection by design and privacy impact assessment (ICO)

• Familiarise yourself with the guidance from the ICO on Privacy Impact Assessments (PIAs)
• Can link to other organisational processes such as risk management and project management
  • Who will do it?
  • Who else needs to be involved?
  • Run centrally or locally?
• Privacy by design and data minimisation are an express legal requirement
• Always consider a PIA for high risk situations, e.g. new technology/application

Page 27: Step 11. Data Protection Officers (ICO)

• Designate a data protection officer
• Where does this sit within your organisation’s structure and governance?
• Can be an internal or external advisor
• Takes proper responsibility for your organisation’s data protection compliance and has the knowledge, support and authority to do so effectively

Page 28: Legal and compliance team

• Identifying the right person in each country / region to act as the Data Protection Officer

Page 29: Step 12. International (ICO)

• For international organisations, you should determine which data protection supervisory authority you come under
• Traditional headquarters (branches model): this is easy to determine
• More complex for multi-site companies where decisions about different processing activities are taken in different places
• Helpful to map out where your organisation makes its most significant decisions about data processing
• May help to determine your ‘main establishment’ and therefore your lead supervisory authority

Page 30: A final BIG step to take around the GfK World

Page 31: GDPR – time boxing schedule – needs to be validated

5. Schedule with Milestones

Define key milestones and develop the project schedule further from the Project Charter to determine timing, effort and duration required to complete the project.

[Gantt chart: calendar weeks 16–52 of 2017 and 1–25 of 2018; rows for Milestones, Project Ramp Up, Intelligence, Audit, Service and Domain Specific Implementation Streams]

Milestones and activities recoverable from the chart:
• GDPR is Law / External Reality Check
• Master GfK Duties / Legal/Economic Risks
• Data Landscape / Risk Assessment for Regional Application/Data
• Organization Roles & Responsibilities
• Risk Assessment Global Applications + Changes in applications
• Roll out Changes Contracts / Develop standard contracts
• Master IT Architecture Framework
• Audit completed
• Application Changes Early Starters
• Roll out Changes Organization
• Risk Mitigation Target Setting delivered
• Risk Mitigation Plan delivered
• Definition phase shown per stream

Page 32: Thank you

• Visit the ICO website for further guidance and the 12 steps to take now