Rating: 5 out of 5 stars
5/5
Ebook291 pages4 hours
A Last Minute Hands-on Guide to GDPR Readiness
Rating: 0 out of 5 stars
()
About this ebook
This book is designed to help companies of all size become GDPR ready. It aims at supplying the relevant knowledge as well as the techniques and practical tools you will need to take your business to GDPR readiness in the shortest possible time. However we can not entirely do this without first imparting some theoretical knowledge so the book tries to present the rules and legislation as is required but keeping an emphasis on practical deployable information.
GDPR will come into force in May 2018 and so there is not a lot of time left in which to become complaint. As a result we strive to present the knowledge within the book through practical examples, checklists, templates and toolkits.
Read more from Alasdair Gilchrist
Google Cloud Platform an Architect's Guide REST API Design Control and Management Rating: 4 out of 5 stars4/5Google Cloud Platform for Data Engineering: From Beginner to Data Engineer using Google Cloud Platform Rating: 5 out of 5 stars5/5An Executive Guide to Identity Access Management - 2nd Edition Rating: 4 out of 5 stars4/5A Concise Guide to Object Orientated Programming Rating: 0 out of 5 stars0 ratingsSpreadsheets To Cubes (Advanced Data Analytics for Small Medium Business): Data Science Rating: 0 out of 5 stars0 ratingsA Practical Guide Wireshark Forensics Rating: 5 out of 5 stars5/5Six Sigma Yellow Belt Certification Study Guide Rating: 0 out of 5 stars0 ratingsConcise Guide to DWDM Rating: 5 out of 5 stars5/5Concise Guide to OTN optical transport networks Rating: 4 out of 5 stars4/5Google Cloud Platform - Networking Rating: 0 out of 5 stars0 ratingsSupply Chain 4.0: From Stocking Shelves to Running the World Fuelled by Industry 4.0 Rating: 3 out of 5 stars3/5Tackling Fraud Rating: 4 out of 5 stars4/5Digital Success: A Holistic Approach to Digital Transformation for Enterprises and Manufacturers Rating: 0 out of 5 stars0 ratingsThe Certified Ethical Hacker Exam - version 8 (The concise study guide) Rating: 3 out of 5 stars3/5SRS - How to build a Pen Test and Hacking Platform Rating: 2 out of 5 stars2/5The Layman's Guide GDPR Compliance for Small Medium Business Rating: 5 out of 5 stars5/5A Concise Guide to Microservices for Executive (Now for DevOps too!) Rating: 1 out of 5 stars1/5Why Industry 4.0 Sucks! Rating: 0 out of 5 stars0 ratingsPSD2 - Open Banking for DevOps(Sec) Rating: 5 out of 5 stars5/5GDPR for DevOp(Sec) - The laws, Controls and solutions Rating: 5 out of 5 stars5/5Concise and Simple Guide to IP Subnets Rating: 5 out of 5 stars5/5An Introduction to SDN Intent Based Networking Rating: 5 out of 5 stars5/5Concise Guide to CompTIA Security + Rating: 3 out of 5 stars3/5FinTech Rising: Navigating the maze of US & EU regulations Rating: 5 out of 5 stars5/5The Concise Guide to the Internet of Things for Executives Rating: 4 out of 5 stars4/5The Concise Guide to SSL/TLS for DevOps Rating: 5 out of 5 stars5/5ChatGPT Will Won't Save The World Rating: 0 out of 5 stars0 ratingsManagement Accounting for New Managers Rating: 1 out of 5 stars1/5
Related to A Last Minute Hands-on Guide to GDPR Readiness
Related ebooks
EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide Rating: 5 out of 5 stars5/5The Layman's Guide GDPR Compliance for Small Medium Business Rating: 5 out of 5 stars5/5Intro to GDPR: A Plain English Guide to Compliance Rating: 0 out of 5 stars0 ratingsEU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition Rating: 0 out of 5 stars0 ratingsData Protection and Compliance: Second edition Rating: 0 out of 5 stars0 ratingsThe Impact of the General Data Protection Regulation (GDPR) on the Online Advertising Market Rating: 0 out of 5 stars0 ratingsGDPR for DevOp(Sec) - The laws, Controls and solutions Rating: 5 out of 5 stars5/5Data Protection and the Cloud: Are the risks too great? Rating: 4 out of 5 stars4/5The Ultimate GDPR Practitioner Guide: Demystifying Privacy & Data Protection Rating: 0 out of 5 stars0 ratingsUltimate GDPR Practitioner Guide (2nd Edition): Demystifying Privacy & Data Protection Rating: 0 out of 5 stars0 ratingsGDPR-standard data protection staff training: What employees & associates need to know by Dr Paweł Mielniczek Rating: 0 out of 5 stars0 ratingsThe EU Data Protection Code of Conduct for Cloud Service Providers: A guide to compliance Rating: 0 out of 5 stars0 ratingsData Privacy: A runbook for engineers Rating: 0 out of 5 stars0 ratingsGDPR - Standard Data Protection System In 16 Steps Rating: 0 out of 5 stars0 ratingsThe Cybersecurity Maturity Model Certification (CMMC) – A pocket guide Rating: 0 out of 5 stars0 ratingsThe Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsData Protection Officer Rating: 0 out of 5 stars0 ratingsData Risk Management Rating: 0 out of 5 stars0 ratingsCyber Security: Essential principles to secure your organisation Rating: 0 out of 5 stars0 ratingsFISMA Compliance Handbook: Second Edition Rating: 5 out of 5 stars5/5Enterprise Security: A Data-Centric Approach to Securing the Enterprise Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsCyber Breach Response That Actually Works: Organizational Approach to Managing Residual Risk Rating: 0 out of 5 stars0 ratingsCertified Cybersecurity Compliance Professional Rating: 5 out of 5 stars5/5Information Security Auditor: Careers in information security Rating: 0 out of 5 stars0 ratingsThe EU General Data Protection Regulation (GDPR): A Commentary, Second Edition Rating: 0 out of 5 stars0 ratingsEU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsEU GDPR – An international guide to compliance Rating: 0 out of 5 stars0 ratings
Internet & Web For You
More Porn - Faster!: 50 Tips & Tools for Faster and More Efficient Porn Browsing Rating: 3 out of 5 stars3/5Python: Learn Python in 24 Hours Rating: 4 out of 5 stars4/5Introduction to Internet Scams and Fraud: Credit Card Theft, Work-At-Home Scams and Lottery Scams Rating: 4 out of 5 stars4/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Podcasting For Dummies Rating: 4 out of 5 stars4/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5Coding For Dummies Rating: 5 out of 5 stars5/5Learn HTML Programming in 7 Days: Ultimate Beginners Guide to Build and Design Your Own Website Rating: 4 out of 5 stars4/5The Digital Marketing Handbook: A Step-By-Step Guide to Creating Websites That Sell Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5How to Disappear and Live Off the Grid: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsRemote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5The Internet Is Not What You Think It Is: A History, a Philosophy, a Warning Rating: 4 out of 5 stars4/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5Six Figure Blogging Blueprint Rating: 5 out of 5 stars5/5The Beginner's Affiliate Marketing Blueprint Rating: 4 out of 5 stars4/5200+ Ways to Protect Your Privacy: Simple Ways to Prevent Hacks and Protect Your Privacy--On and Offline Rating: 0 out of 5 stars0 ratingsHow To Make Money Blogging: How I Replaced My Day-Job With My Blog and How You Can Start A Blog Today Rating: 4 out of 5 stars4/5How To Start A Profitable Authority Blog In Under One Hour Rating: 5 out of 5 stars5/5Lying and Lie Detection: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsHow To Start A Podcast Rating: 4 out of 5 stars4/5C++ Learn in 24 Hours Rating: 0 out of 5 stars0 ratingsUltimate Guide for Being Anonymous: Hacking the Planet, #4 Rating: 5 out of 5 stars5/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratings
Related podcast episodes
The Foolproof Way To Pass The CIPPE Exam In 2 Weeks 0% found this document usefulHow To Succeed With Privacy By Design 0% found this document usefulData Science and Privacy - sugarcoated or straight up? It Depends (with Katharine Jarmul of Cape Privacy) 0% found this document usefulIn Conversation With Eduardo Ustaran 0% found this document usefulFerociously Imperfect: Consumer Tracking (with Rob Shavell of Abine) 0% found this document usefulHumans in the Loop - Lina Weichbrodt 0% found this document usefulRegTech: Using the Power of Technology for Good (with Shub Nandi) 0% found this document useful
Related articles
Data Compliance Checklist MarketingArticle
Data Compliance Checklist
May 15, 2019
People had a lot to say about Google’s January AU$80 million fine for breaching the General Data Protection Regulation (GDPR) – and rightly so. It was the first time a tech giant suffered a financial penalty under the GDPR. The fine served as a signa
3 min readWhy Is Data Protection Important To Small Businesses Parents in BizArticle
Why Is Data Protection Important To Small Businesses
Jan 24, 2022
3 min readThe Global Data War Heats Up The AtlanticArticle
The Global Data War Heats Up
Jun 26, 2019
5 min readKenya Now Has A Data Protection Law. What Does This Mean For Netizens? Global VoicesArticle
Kenya Now Has A Data Protection Law. What Does This Mean For Netizens?
Dec 24, 2019
5 min read“Our Customer Services Rep Called Them A Twerp–can I With Hold This?” PC Pro MagazineArticle
“Our Customer Services Rep Called Them A Twerp–can I With Hold This?”
Dec 8, 2022
Since the start of the summer, a lucky dip of legal queries has landed on my desk. From subject access requests to restrictive covenants in technology consultancy agreements, and onwards to software development contracts between multiple parties. Dat
6 min readPrivacy: The Price Of Trust Inc.Article
Privacy: The Price Of Trust
Aug 17, 2021
How will cybersecurity and data privacy evolve over the next decade? We’re hearing from our customers that cybersecurity and data privacy are increasingly becoming board-level conversations. Companies will start to think about privacy, security, vend
1 min readGood Governance for Dark Data: GUIDELINES FOR INDUSTRIAL IOT MANAGERS The European Business ReviewArticle
Good Governance for Dark Data: GUIDELINES FOR INDUSTRIAL IOT MANAGERS
Mar 31, 2020
7 min read“How Do You Launch A Product Without Alienating Or Damaging Your Customers?” PC Pro MagazineArticle
“How Do You Launch A Product Without Alienating Or Damaging Your Customers?”
Feb 10, 2022
6 min readHow To Keep Data Safe MoneyWeekArticle
How To Keep Data Safe
Feb 3, 2023
2 min readGDPR - Death Knell or a New Life for Customer Analytics? The European Business ReviewArticle
GDPR - Death Knell or a New Life for Customer Analytics?
Sep 20, 2018
4 min readCannaprivacy Cannabis & Tech TodayArticle
Cannaprivacy
Mar 20, 2020
4 min readHide, But Seek India TodayArticle
Hide, But Seek
Jun 11, 2022
3 min readDrawing The Digital Curtains Business TodayArticle
Drawing The Digital Curtains
Jun 25, 2018
8 min read“I Find Myself Incapable Of Moving Away From My Laptop As I Await Further Updates” PC Pro MagazineArticle
“I Find Myself Incapable Of Moving Away From My Laptop As I Await Further Updates”
Mar 9, 2023
It happened again. I was due to run a training course on international data transfers at the end of November 2022. I had prepared a pack of materials, and took great pride in my new case study, taking delegates through the process for a transfer risk
6 min readOLIVIA WHITCROFT “I Often See Jaws Drop When I Tell A Busines They Need To Speak About What They’replanning To Do” PC Pro MagazineArticle
OLIVIA WHITCROFT “I Often See Jaws Drop When I Tell A Busines They Need To Speak About What They’replanning To Do”
Sep 7, 2023
6 min readIndia Pushes For Storage Of Private Data Using Technology Built For Anonymity Global VoicesArticle
India Pushes For Storage Of Private Data Using Technology Built For Anonymity
May 16, 2022
As VPNs and blockchain-based services are often designed to assure user anonymity and privacy, this direction might force many service providers to shut down operations in India.
4 min readDiagnosis: We Have Pii And Ip… Now What? The European Business ReviewArticle
Diagnosis: We Have Pii And Ip… Now What?
Oct 2, 2023
5 min readData Privacy Defanged Business TodayArticle
Data Privacy Defanged
Aug 6, 2018
5 min readProtecting Data Now Fully Law Finweek - EnglishArticle
Protecting Data Now Fully Law
Sep 4, 2020
South Africa remains vulnerable to the threat posed by data breaches and has been found to have the highest probability of experiencing it. The recent hack of credit data firm Experian SA, in which the personal information of as many as 24m South Afr
4 min readThe Gold Standard MarketingArticle
The Gold Standard
Jun 6, 2018
9 min readLOW CONSUMER TRUST: Should We Be Okay With It? NZBusiness and ManagementArticle
LOW CONSUMER TRUST: Should We Be Okay With It?
Jun 24, 2019
Interactions and transactions today are becoming digital. This is especially true of New Zealand, one of the most digitally active nations in one of the world’s most digitally active regions. In the Asia Pacific retail sector alone, consumers are alr
3 min readGetting It Right In ‘RegTech’ Finweek - EnglishArticle
Getting It Right In ‘RegTech’
Oct 18, 2019
the financial services industry may wonder about the way forward for compliance and risk functions as Regulatory Technology, or ‘RegTech’, undeniably becomes a factor for all. In the past, compliance programmes were largely unprepared for the risks a
3 min readDigital Data Capture Law Needed Business TodayArticle
Digital Data Capture Law Needed
Apr 2, 2018
1 min readMarketers: Stop Being A Privacy Liability MarketingArticle
Marketers: Stop Being A Privacy Liability
Jun 6, 2018
Trustworthiness begets a positive customer experience. As a marketer, you intuitively know that having a trustworthy brand is important. Consumers today are also increasingly aware of the value of their personal data. As a result, brands can no longe
2 min readA Step Closer Business TodayArticle
A Step Closer
Sep 1, 2023
2 min readEnter the Industry 4.0 Era Today by Using “Dark Data” You Already Have The European Business ReviewArticle
Enter the Industry 4.0 Era Today by Using “Dark Data” You Already Have
Aug 2, 2019
7 min readTop Eight Cybersecurity Predictions For 2022-23 NZBusiness and ManagementArticle
Top Eight Cybersecurity Predictions For 2022-23
Jul 20, 2022
3 min readTHE DECADE OF DELETE How New Privacy And Cyber Regulations Will End Organisational Data Hoarding The European Business ReviewArticle
THE DECADE OF DELETE How New Privacy And Cyber Regulations Will End Organisational Data Hoarding
Feb 1, 2023
6 min readHow Do you Know If You’ve Been Hacked PC Pro MagazineArticle
How Do you Know If You’ve Been Hacked
Apr 4, 2024
8 min read“When Someone Asks Me To Prepare A Privacy Notice, I Find It Hard To Meet Their Expectations” PC Pro MagazineArticle
“When Someone Asks Me To Prepare A Privacy Notice, I Find It Hard To Meet Their Expectations”
Mar 7, 2024
6 min read
Reviews for A Last Minute Hands-on Guide to GDPR Readiness
Rating: 0 out of 5 stars
0 ratings
0 ratings0 reviews
Book preview
A Last Minute Hands-on Guide to GDPR Readiness - alasdair gilchrist
Chapter 1 – Getting Ready for the GDPR
GDPR –An introduction
Chapter 2 – Getting GDPR Ready
GDPR Readiness
GDPR Requirements
Key Data Protection Objectives of GDPR
Core Actors of the GDPR
Territorial Scope Example
GDPR and the Territorial Scope
Working toward GDPR Compliance
Step 1 – Understand the GDPR legal framework
Step 2 – Create a Data Register
Step 3 – Identify and classify your data
Step 4 – Start with your top priority
Step 5 – Assess and document additional risks and processes
Step 6 – Rinse and repeat
Summary;
PART II –The Bottom up Approach
Chapter 3 – Building a Privacy Program
Introduction
Overview & Key Challenges
Recommendations for an effective privacy program
Strategic Planning Assumption
Understanding the approaches
Approach Analysis
Create a Common Vision which delivers operational and budgetary efficiency and that aligns itself to the company’s strategic vision
Design the Privacy Program to Enable the Business
Ensure That Employees Are Aware of the Program and its Business Goals
Privacy Programs are not Projects They Need Continuous Risk Assessment Iteration
Chapter 4 – A Roadmap to GDPR in 4 Stages
Crafting a Roadmap to GDPR Readiness
Determining the Flow of Personal Data
Stage 1 – Personal Data Flow Analysis
Assess Security Risks
Finding Personal Data
Digging for Data
Searching for a Social Security Number
The Data Flow Diagram
Data Discovery Assessment
Stage 2 - Cyber Security Roadmap
10 Steps to GDPR Cyber Security:
1. Information Risk Management
2. Secure configuration
3. Network security
4. Managing user privileges
5. User education and awareness
6. Incident management
7. Malware prevention
8. Monitoring
9. Removable media controls
10. Home and mobile working
Stage 3 - Perform a Gap Analyses
12 Gap Analysis KPIs
1) Awareness
2) Information you hold
3) Communicating privacy information
4) Individuals’ rights
5) Subject access requests
6) Lawful basis for processing personal data
7) Consent
8) Children
9) Data breaches
10) Data Protection by Design and Data Protection Impact Assessments
11) Data Protection Officers
12) International
Conducting the GAP Analysis
Using a Gap Analysis Questionnaire;
Stage 4 - Compliance Roadmap Review
PART III – The Risk Assessment Approach
Chapter 5 - Taking the Risk Assessment Approach
Risk-based approach to compliance
Risk Assessments in Practice
Defining Risk in a GDPR Context
Potential harm under the GDPR
High risk activities
Explicit risk-based measures
Breach Notification
Chapter 6 - Performing a Data Protection Impact Assessment
Key elements of a successful DPIA
What Is Involved In A DPIA?
Article 35 - Data protection impact assessment (DPIA)
Controls and Measures for Accountability
Examples of Evidence of Accountability
Maintain PIA/DPIA guidelines and templates
Part IV – The Accountability Approach
Chapter 7 - Taking the Accountability Approach
1.Choice & Consent
2.Legitimate Purpose Specification and Limitation
3.Personal Information Lifecycle
4.Accuracy & Quality
5.Openness, Transparency & Notice
6.Privacy Harm Risk & Risk Mitigation
7.Accountability
8.Enforcing Privacy & Security
9.Monitoring, Measuring & Reporting
10. Preventing Harm
11. Third Part Vendor Management
12. Data Breach Management
13. Security & Privacy by Design
14. Free Flow of Information and Legitimate Restriction
Chapter 8 - Key GDPR Data Security Controls
Assess Security Risks
Prevent Attacks
Encryption
Article 1 - Aims and objectives of the law
Article 2 – Material Scope
Article – 3 Territorial Scope
Article 4 – Definitions
Article – 5 Fair, lawful and transparent processing
Article 6 - Lawfulness
Article 7: Conditions for consent
Article 8: Conditions applicable to child's consent in relation to information society services
Article 9: Processing of special categories of personal data
Article 10: Processing of data relating to criminal convictions and offences
Article 11: Processing which does not require identification
Section 1: Transparency and Modalities
Section 2: Information and Access to Data
Section 5: Restrictions
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 13: Information to be provided where personal data are collected from the data subject
Article 15: Right of access by the data subject
Article 16: Right to rectification
Article 17: Right to erasure ('right to be forgotten')
Article 18: Right to restriction of processing
Article 19: Notification obligation
Article 20: Right to data portability
Section 4: Right to object and automated individual decision making
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling
Section 5: Restrictions
Article 23: Restrictions
Section 1: General Obligations
Article 24: Responsibility of the controller
Article 25: Data protection by design and by default
Article 26: Joint controllers
Article 27: Representatives of controllers not established in the Union
Article 28 - Appointment of processors
Article 29: Processing under the authority of the controller or processor
Article 30: Records of processing activities
Article 31: Cooperation with the supervisory authority
Article 32: Security of processing
Article 33: Notification of a personal data breach to the supervisory authority
Article 34: Communication of a personal data breach to the data subject
Article 35: Data protection impact assessment
Article 36: Prior Consultation
Article 37: Designation of the data protection officer
Article 38: Position of the data protection officer
Article 39: Tasks of the data protection officer
Article 40: Codes of Conduct
Article 41: Monitoring of approved codes of conduct
Article 42: Certification
Article 43: Certification Bodies
Article 44: General Principle for transfer
Article 45: Transfers of the basis of an adequacy decision
Article 46: Transfers subject to appropriate safeguards
Article 47: Binding corporate rules
Article 48: Transfers or disclosures not authorised by union law
Article 49: Derogations for specific situations
Article 50: International cooperation for the protection of personal data
International and Third Party Cooperation
Article 51: Supervisory Authority
Article 52: Independence
Article 53: General conditions for the members of the supervisory authority
Article 54: Rules on the establishment of the supervisory Authority
Section 2: Competence, Tasks, and Powers
Article 55: Competence
Article 56: Competence of the lead supervisory authority
Article 57: Tasks
Article 58: Powers
Article 59: Activity Reports
Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61: Mutual Assistance
Article 62: Joint operations of supervisory authorities
Article 63: Consistency mechanism
Article 64: Opinion of the Board
Article 65: Dispute resolution by the Board
Article 66: Urgency Procedure
Article 67: Exchange of information
Article 68 – European Data Protection Board
Article 69 – Independence
Article 70 –Tasks of the Board
Article 71- Reports
Article 72- Procedure
Article 73- Chair
Activity 74 – Tasks of the Chair
Article 75 – Secretariat
Activity 76 – Confidentiality
Article 77: Right to lodge a complaint with a supervisory authority
Article 78: Right to an effective judicial remedy against a supervisory authority
Article 79: Right to an effective judicial remedy against a controller or processor
Article 80: Representation of data subjects
Article 81: Suspension of proceedings
Article 82: Right to compensation and liability
Article 83: General conditions for imposing administrative fines
Article 84: Penalties
Article 85: Processing and freedom of expression and information
Relationship between EU data protection law and freedom of expression
Article 86: Processing and public access to official documents
Article 87: Processing of the national identification number
Article 88: Processing in the context of employment
Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90: Obligations of secrecy
Article 91: Existing data protection rules of churches and religious associations
Article 94: Repeal of Directive 95/46/EC
Article 95: Relationship with Directive 2002/58/EC
Article 96: Relationship with previously concluded Agreements
Article 97: Commission Reports
Article 98: Review of other union legal acts on data protection
Article 99: Entry into force and application
PART I – Taking the Minimalist Approach
Chapter 1 – Getting Ready for the GDPR
Introduction
This book is designed to help companies of all size become GDPR ready. It aims at supplying the relevant knowledge as well as the techniques and practical tools you will need to take your business to GPR readiness in the shortest possible time. However we can not entirely do this without first imparting some theoretical knowledge so the book tries to present the rules and legislation as is required but keeping an emphasis on practical deployable information.
GDPR will come into force in May 2018 and so there is not a lot of time left in which to become complaint. As a result we strive to present the knowledge within the book through practical examples, checklists, templates and toolkits.
To get the most of this book you should read it chapter by chapter but as always time is of the essence so skipping chapters especially those that are theoretical may be advantageous if you are already familiar with data privacy protection.
GDPR –An introduction
The GDPR (General Data Protection Regulation) is focused on personal information and how and why it should be protected especially from a third party that may monetise that data. As a result the GDPR protects EU (European Citizens) from international technology giants that feel it may be their right and within their business model to pertain personal information as a right of access to a service.
The General Data Protection Regulation (GDPR) goes into effect in May 25th 2018, and most interestingly it will require companies around the world that do business within the European Economic Area (EEA) to comply with the new regulation.
As a result this means that companies around the globe that market in the EEA should make sure that their data governance plans comply with the new regulation – it is not optional it is mandatory. However, many organisations out with the EEA and even within, or are intending to leave, such as the UK believes these regulations will not be a concern to them. This unfortunately is folly as indeed any organisation that wishes to trade within the EAA market will have to comply with GDPR.
Indeed many organizations within the European Union are surprised that regardless of where a company is based, if they supply products or services to EU residents, then they must be in compliance. Similarly, many UK companies believe that when they leave the EU and the Single Market, they will be deemed to be foreign companies. Subsequently they feel they will be free of the GDPR, whereas the reality is that they will still have to comply if they wish to trade the EEA as well as have to pay tariffs for the privilege.
Interestingly, a recent survey found that despite the hype surrounding the GDPR, there was less than half (45 percent) of businesses that had a structured plan in place for compliance. Furthermore, and quite shockingly a little over more than half (58 percent) indicated that their businesses were not fully aware of their state of readiness or even the consequences of non-compliance.
The big change in the new regulation is that under the GDPR, individuals have the right to control their own personal data. However, the definition of just what constitutes personal data remains ambiguous with the EU GDPR Regulation stating:
The term ‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Therefore, a request from an individual that their personal data be accessible for review or if they demand to be erased, under certain circumstances, must be done which is known as the right to be forgotten.
However, that is easier said than done, as to find, review, or erase data requires that the company knows where the data is stored. Therefore to comply with a request in order to forget, the company must understand everywhere the data may exist within their internal and cloud based storage systems. This is more difficult than one might think. Indeed, 48 percent of survey respondents acknowledged that they were challenged just to find personal data within their own databases.
Consequently, there are five major steps that can be recommended for a company of any size to follow and by doing so get on the right track toward GDPR compliance:
Locate personal data - the GDPR demands that organizations know where they store personal data and they must not rely on where they think personal data might be. The regulation requires that organizations can prove where personal data is (and where it isn’t) and importantly who has access to it. This requires a system where there is access to all company data sources, different file types, including relational data sources such as Oracle, and big data technologies such as Apache Hadoop.
Identify – Identification is as crucial as where personal data resides in each of the company’s data sources. The ability to identify an individual by the data is critical so it is important to protect sources that can be obviously related to an individual such as information like a mailing list in a CRM system, or hidden within unstructured data sources like spreadsheet files, email or text files. Therefore it may be best to use sampling techniques and sophisticated algorithms such as hashing or encryption to prevent data being used for identification. These technologies can be used to obfuscate and protect personal data within structured and unstructured data sources from illegal access.
Manage – ensuring processes and procedures that are enforced across the entire organization may be the most awkward task. This includes communication across business units and vendors so demands diligent documentation. This is hugely important with the GDPR, as it’s critical that organizations can prove compliance every step of the data journey and they can only do this through robust documentation. This diligent enforcement will demand documentation of work practices, policies, proper data lineage, monitoring data quality and managing business terms across the organization. It’s also important to document and assign owners to terms, practices and responsibilities and then link them to policies or technical assets, such as tasks, reports or data sources.
Protect - The GDPR is fundamentally about protecting personal information from falling into the wrong hands i.e. about privacy. Therefore the focus is on anonymising personal data so that it cannot be reverse engineered to determine an individual’s identity. Therefore, hashing, role-based data masking and encryption techniques can secure sensitive information.
Audit -A major issue with implementing GDPR is being able to prove where data resides and who has access to it. Running interactive DB scripts can identify the users, files, data sources and types of personal information being stored in databases. However, more diligent auditing can reveal who has accessed to personal data, and how it’s being protected across the business.
An good first step for assessing GDPR readiness is once you have contemplated and processed the previous 5 steps and have a good understanding of the data being collected, stored, shared or processed by your company is to consider the company’s current state of readiness. We can do this using the following checklist for GDPR Compliance.
Completing the GDPR Readiness Checklist above will prove you with insight into the areas of strength and weakness regarding the company’s readiness to meet the stringent requirements and obligations set down by the GDPR.
Gaining an initial assessment of the current situation is important as it will indicate the amount of work that will be required to be undertaken to become GDPR compliant. It will also provide a valuable indication of which approach to GDPR readiness is most appropriate for the company. The Minimalist approach that we introduce in this part of the book will be most appropriate for organisations both large and small that can answer yes to most of the items in the checklist. Typically these organisations are small businesses with limited data collection and processing capabilities or conversely organisations at the other end of the scale, which have complex data processing responsibilities but also have mature data governance and inherent data privacy protection cultures.
Nonetheless, before we can adequately gauge the GDPR readiness of the organisation we first need to fully understand the goals and objectives of the GDPR.
Chapter 2 – Getting GDPR Ready
On 25th May 2018, the legislation – designed to protect EU citizens’ data – will become law. Its intent is to ensure that organisations are including privacy by design
in their security strategies and make them more accountable to their customers. Complying with GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, GDPR almost certainly applies to you.
GDPR Readiness
GDPR compliance is not particularly easy, but it is basically common sense in an organisation with good data governance specially one with the previous Data Protection Directive (DPD) under control. Indeed many suggest that GDPR compliance = common sense + diligent data security policy + transparency of processing. Moreover, when properly executed, GDPR compliance can have lasting beneficial effects on an organization. For example, industry survey’s found that 71 percent of respondents believe that their data governance will improve as a result of GDPR compliance initiatives. Furthermore, 37 percent of organizations think that their general IT capabilities will improve as they seek readiness, and 30 percent of respondents agree that complying with the GDPR will improve their image as the GDPR is seen to strengthen and harmonize data protection laws across EU nations.
The regulation mandates
Enjoying the preview?
Page 1 of 1