1 © GfK 2017 | GDPR – Inside an organisation
Preparing for the General Data Protection Regulation - inside an organisation
Jackie Megahey
GfK UK Director, Information Security & Data Protection
GfK Regional Research & Quality Director, UK, Nordics & Baltics
Version: V2.0
Date: 25/05/2017
12 Steps to take now
• In today’s session I will be taking you through the ICO’s guidance “Preparing for the General Data Protection Regulation” (GDPR) and the 12 steps to take now
• I will also show some examples of how this is being managed / implemented within GfK
• All other suggestions / examples welcome!
Step 1. Awareness (source: ICO)
• Identify decision makers and key people and make sure they are aware of the law change
• They need to appreciate the impact and identify areas that could cause compliance problems
• Start by looking at your organisation’s risk register
• Consider any significant resource implications
• Take time to lead in with a clear awareness campaign
• Last minute compliance will be difficult!
Complexity and volume vs resources / workstreams (diagram)
• Volumes: >2 mio panellists; 15K staff; <200K clients/others; 50K databases; unstructured/analog data
• Applications: ~200 global BA/EA; ~800 local apps; >100 products
• Workstreams: Intelligence Service; Product Impact; Application Changes; Audit & Governance; Project Workstreams
Awareness at GfK
• Started in the UK in 2016 with Compliance Training and Awareness for all staff
• Tailored training specific to each audience
  • Researchers
  • Shared services – HR, IT, Finance, etc
  • Point of Sales
  • Mystery Shopping
  • Legal
  • Operational, etc
• Introduced GDPR into induction training for all new staff
• GfK Group Privacy module soon to be available on our online training platform
• Security training module developed alongside privacy
• Ongoing…
Making the message accessible
[Security video shown at this point]
Multiple channels to get the message across and raise awareness: intranet, videos, e-news…
Appointment of GDPR Project Manager
Step 2. Information you hold (source: ICO)
• Document what personal data you hold, where it came from and who you share it with
• Organise an information audit across the organisation
• Take into account employee, participant, panellist, client and supplier data
• The GDPR updates rights for a networked world
• If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation that the data is inaccurate
What, where, who
• Document it
• Helps to comply with the accountability principle
• Demonstrates that you have effective policies and procedures in place
Data flow diagrams may help… (example data flow diagram shown)
… or be quite scary!! (complex data flow diagram shown)
Information gathering questionnaire
• Started assessment of some 700+ applications holding personal data by way of an online questionnaire sent out to application owners / users, covering:
  • Location of app
  • PII categories / sensitive PII
  • Other data leading to identity
  • Data subject details – ownership, access, transfer
  • Number of people in data set
  • Storage, back-up, access
  • Deletion
  • Correction
  • Export
  • Consent
  • Reporting
  • Privacy notices
  • Privacy by design
  • Interaction with other apps
Step 3. Communicating privacy information (source: ICO)
• Review current privacy notices and put a plan in place to implement changes (if necessary)
  • Survey invitation
  • Online privacy notices
  • T&Cs with your panel
  • Thank you leaflets
  • Information for qualitative groups
• Review what additional information you need to give in these notices
  • For example, explaining your legal basis for processing the data, your retention periods, and individuals’ right to complain to the ICO
• A challenge for telephone surveys!
Use concise, easy to understand and clear language
• Always a challenge when collecting information in a very complicated way – some examples (shown on slide)
Step 4. Individuals’ rights (source: ICO)
• Check, where necessary, that procedures cover all rights:
  • Subject access
  • To have inaccuracies corrected
  • To have information erased
  • To prevent direct marketing
  • To prevent automated decision-making and profiling
  • Data portability
• Would your systems help you to locate and delete data?
• Who will make the decisions about deletion?
• Data portability – provide the data electronically and in a commonly used format; can you do this?
Updating policies and publishing them
Document policies, to meet the requirement of accountability
Step 5. Subject access requests (source: ICO)
• Do your procedures meet the new timescales for providing information?
  • Respond within 1 month, rather than 40 days
  • In most cases there can be no charges
  • Manifestly unfounded or excessive requests can be charged or refused
  • If you want to refuse a request, have policies and procedures in place to demonstrate why the request meets these criteria
• Additional information to provide:
  • Data retention periods
  • The right to have inaccurate data corrected
• What are the logistical impacts for your organisation of a large volume of requests?
• Do a cost/benefit analysis of providing online access for individuals to their data
Ways of publishing the data - all sources to be updated
• Interactive PDF with links to policy statements
• Direct links to statements on website
• Published policy statements
Step 6. Legal basis for processing personal data (source: ICO)
• Look at all types of data processing you carry out, identify the legal basis for doing so and document it
• Not just participant data, but employee, client and supplier personal data
• Have you thought of the practical implications of stronger rights of individuals to have their data deleted, when you use consent as your legal basis for processing?
• Explain your legal basis in privacy notices and subject access requests, alongside information on data retention; confirm that individuals have a right to complain to the ICO
• Information to be provided in concise, easy to understand and clear language
At GfK we are…
• Reviewing T&Cs and MSAs to ensure the data protection clauses reflect the requirements of the GDPR
• Considering both new T&Cs/MSAs and adding a variation to existing T&Cs/MSAs
• Working with Procurement to implement an additional schedule in Standard Agency Terms to include an Information Security Schedule
Step 7. Consent (source: ICO)
• Review how you are seeking, obtaining and recording consent
• Prominent, concise, separate from other terms and conditions, and easy to understand
• Confirm the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent
• Keep records to evidence consent – who consented, when, how, and what they were told
• Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes
What methods can you use to obtain consent? (examples, source: ICO)
• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose – e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
Explicit consent (source: ICO)
• You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions
All consent must involve a specific, informed and unambiguous indication of the individual’s wishes.
The key difference is likely to be that ‘explicit’ consent must be affirmed in a clear statement (whether oral or written).
Step 8. Children (source: ICO)
• Put in place systems to verify individuals’ ages and gather parental or guardian consent
• Special protection for children’s personal data, particularly for commercial internet services such as social networking
• Consent has to be verifiable
• Privacy notice written in a language that children can understand
• Consider connecting to CEOP https://ceop.police.uk/safety-centre/
  • They offer advice in age appropriate language to children on how to stay safe online
Step 9. Data breaches (source: ICO)
• Have the right procedures in place to detect, report and investigate a personal data breach
• Report to the ICO those breaches where an individual is likely to suffer some form of damage, such as identity theft or a confidentiality breach
• Report to the individual, for instance, if it might lead to financial loss for them
• Failure to report could result in a fine, as well as a fine for the breach itself
Incident Reporting (GfK reporting flow diagram)
Incident types:
• External / internal theft
• Misappropriation of company property / intellectual property
• Inadvertent, accidental or intended illegal disclosure of information
• Breach of confidentiality
• Confidential whistleblowing
Reported to: Information Security / Data Protection Director; Quality Associate Director
Other parties involved as appropriate: IT, Finance, HR, Legal, Police, Client, ICO, Data Subject
Step 10. Data protection by design and privacy impact assessment (source: ICO)
• Familiarise yourself with the guidance from the ICO on Privacy Impact Assessments (PIAs)
• Can link to other organisational processes such as risk management and project management
  • Who will do it?
  • Who else needs to be involved?
  • Run centrally or locally?
• Privacy by design and data minimisation are an express legal requirement
• Always consider a PIA for high risk situations, e.g. a new technology/application
Step 11. Data Protection Officers (source: ICO)
• Designate a data protection officer
• Where does this sit within your organisation’s structure and governance?
• Can be an internal or external advisor
• Takes proper responsibility for your organisation’s data protection compliance and has the knowledge, support and authority to do so effectively
Legal and compliance team
• Identifying the right person in each country / region to act as the Data Protection Officer
Step 12. International (source: ICO)
• For international organisations, you should determine which data protection supervisory authority you come under
• With traditional headquarters (branches model), this is easy to determine
• More complex for multi-site companies where decisions about different processing activities are taken in different places
• Helpful to map out where your organisation makes its most significant decisions about data processing
• May help to determine your ‘main establishment’ and therefore your lead supervisory authority
A final BIG step to take around the GfK World
GDPR – time boxing schedule – needs to be validated
5. Schedule with Milestones
Define key milestones and develop the project schedule further from the Project Charter to determine timing, effort and duration required to complete the project.
[Gantt chart: calendar weeks 16–52 of 2017 and 1–25 of 2018]
• Streams: Project Ramp Up; Intelligence; Audit; Service; Domain Specific Implementation Streams
• Milestones: GDPR is Law; External Reality Check; Risk Mitigation Target Setting delivered; Risk Mitigation Plan delivered; Audit completed
• Activities: Master GfK Duties; Legal/Economic Risks; Data Landscape; Risk Assessment for Regional Application/Data; Organization Roles & Responsibilities; Risk Assessment Global Applications (+ changes in applications); Roll out Changes Contracts; Develop standard contracts; Master IT Architecture Framework; Application Changes Early Starters; Roll out Changes Organization; Definition phases
• Thank you
• Visit the ICO website for further guidance and the 12 steps to take now