A Last Minute Hands-on Guide to GDPR Readiness
Ebook, 292 pages, 4 hours

About this ebook

This book is designed to help companies of all sizes become GDPR ready. It aims to supply the relevant knowledge as well as the techniques and practical tools you will need to take your business to GDPR readiness in the shortest possible time. However, we cannot entirely do this without first imparting some theoretical knowledge, so the book presents the rules and legislation as required while keeping an emphasis on practical, deployable information.
GDPR will come into force in May 2018 and so there is not a lot of time left in which to become compliant. As a result we strive to present the knowledge within the book through practical examples, checklists, templates and toolkits.

Language: English
Release date: Jan 13, 2018
ISBN: 9781386440710
Author: Alasdair Gilchrist


    Book preview

    A Last Minute Hands-on Guide to GDPR Readiness - Alasdair Gilchrist

    Chapter 1 – Getting Ready for the GDPR

    GDPR – An Introduction

    Chapter 2 – Getting GDPR Ready

    GDPR Readiness

    GDPR Requirements

    Key Data Protection Objectives of GDPR

    Core Actors of the GDPR

    Territorial Scope Example

    GDPR and the Territorial Scope

    Working toward GDPR Compliance

    Step 1 – Understand the GDPR legal framework

    Step 2 – Create a Data Register

    Step 3 – Identify and classify your data

    Step 4 – Start with your top priority

    Step 5 – Assess and document additional risks and processes

    Step 6 – Rinse and repeat

    Summary

    PART II – The Bottom-up Approach

    Chapter 3 – Building a Privacy Program

    Introduction

    Overview & Key Challenges

    Recommendations for an effective privacy program

    Strategic Planning Assumption

    Understanding the approaches

    Approach Analysis

    Create a Common Vision which delivers operational and budgetary efficiency and that aligns itself to the company’s strategic vision

    Design the Privacy Program to Enable the Business

    Ensure That Employees Are Aware of the Program and its Business Goals

    Privacy Programs are not Projects: They Need Continuous Risk Assessment Iteration

    Chapter 4 – A Roadmap to GDPR in 4 Stages

    Crafting a Roadmap to GDPR Readiness

    Determining the Flow of Personal Data

    Stage 1 – Personal Data Flow Analysis

    Assess Security Risks

    Finding Personal Data

    Digging for Data

    Searching for a Social Security Number

    The Data Flow Diagram

    Data Discovery Assessment

    Stage 2 - Cyber Security Roadmap

    10 Steps to GDPR Cyber Security:

    1. Information Risk Management

    2. Secure configuration

    3. Network security

    4. Managing user privileges

    5. User education and awareness

    6. Incident management

    7. Malware prevention

    8. Monitoring

    9. Removable media controls

    10. Home and mobile working

    Stage 3 - Perform a Gap Analysis

    12 Gap Analysis KPIs

    1) Awareness

    2) Information you hold

    3) Communicating privacy information

    4) Individuals’ rights

    5) Subject access requests

    6) Lawful basis for processing personal data

    7) Consent

    8) Children

    9) Data breaches

    10) Data Protection by Design and Data Protection Impact Assessments

    11) Data Protection Officers

    12) International

    Conducting the Gap Analysis

    Using a Gap Analysis Questionnaire

    Stage 4 - Compliance Roadmap Review

    PART III – The Risk Assessment Approach

    Chapter 5 - Taking the Risk Assessment Approach

    Risk-based approach to compliance

    Risk Assessments in Practice

    Defining Risk in a GDPR Context

    Potential harm under the GDPR

    High risk activities

    Explicit risk-based measures

    Breach Notification

    Chapter 6 - Performing a Data Protection Impact Assessment

    Key elements of a successful DPIA

    What Is Involved In A DPIA?

    Article 35 - Data protection impact assessment (DPIA)

    Controls and Measures for Accountability

    Examples of Evidence of Accountability

    Maintain PIA/DPIA guidelines and templates

    Part IV – The Accountability Approach

    Chapter 7 - Taking the Accountability Approach

    1. Choice & Consent

    2. Legitimate Purpose Specification and Limitation

    3. Personal Information Lifecycle

    4. Accuracy & Quality

    5. Openness, Transparency & Notice

    6. Privacy Harm Risk & Risk Mitigation

    7. Accountability

    8. Enforcing Privacy & Security

    9. Monitoring, Measuring & Reporting

    10. Preventing Harm

    11. Third Party Vendor Management

    12. Data Breach Management

    13. Security & Privacy by Design

    14. Free Flow of Information and Legitimate Restriction

    Chapter 8 - Key GDPR Data Security Controls

    Assess Security Risks

    Prevent Attacks

    Encryption

    Article 1 - Aims and objectives of the law

    Article 2 – Material Scope

    Article 3 – Territorial Scope

    Article 4 – Definitions

    Article 5 – Fair, lawful and transparent processing

    Article 6 - Lawfulness

    Article 7: Conditions for consent

    Article 8: Conditions applicable to child's consent in relation to information society services

    Article 9: Processing of special categories of personal data

    Article 10: Processing of data relating to criminal convictions and offences

    Article 11: Processing which does not require identification

    Section 1: Transparency and Modalities

    Section 2: Information and Access to Data

    Section 5: Restrictions

    Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

    Article 13: Information to be provided where personal data are collected from the data subject

    Article 15: Right of access by the data subject

    Article 16: Right to rectification

    Article 17: Right to erasure ('right to be forgotten')

    Article 18: Right to restriction of processing

    Article 19: Notification obligation

    Article 20: Right to data portability

    Section 4: Right to object and automated individual decision making

    Article 21: Right to object

    Article 22: Automated individual decision-making, including profiling

    Section 5: Restrictions

    Article 23: Restrictions

    Section 1: General Obligations

    Article 24: Responsibility of the controller

    Article 25: Data protection by design and by default

    Article 26: Joint controllers

    Article 27: Representatives of controllers not established in the Union

    Article 28 - Appointment of processors

    Article 29: Processing under the authority of the controller or processor

    Article 30: Records of processing activities

    Article 31: Cooperation with the supervisory authority

    Article 32: Security of processing

    Article 33: Notification of a personal data breach to the supervisory authority

    Article 34: Communication of a personal data breach to the data subject

    Article 35: Data protection impact assessment

    Article 36: Prior Consultation

    Article 37: Designation of the data protection officer

    Article 38: Position of the data protection officer

    Article 39: Tasks of the data protection officer

    Article 40: Codes of Conduct

    Article 41: Monitoring of approved codes of conduct

    Article 42: Certification

    Article 43: Certification Bodies

    Article 44: General Principle for transfer

    Article 45: Transfers on the basis of an adequacy decision

    Article 46: Transfers subject to appropriate safeguards

    Article 47: Binding corporate rules

    Article 48: Transfers or disclosures not authorised by Union law

    Article 49: Derogations for specific situations

    Article 50: International cooperation for the protection of personal data

    International and Third Party Cooperation


    Article 51: Supervisory Authority

    Article 52: Independence

    Article 53: General conditions for the members of the supervisory authority

    Article 54: Rules on the establishment of the supervisory Authority

    Section 2: Competence, Tasks, and Powers

    Article 55: Competence

    Article 56: Competence of the lead supervisory authority

    Article 57: Tasks

    Article 58: Powers

    Article 59: Activity Reports

    Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned

    Article 61: Mutual Assistance

    Article 62: Joint operations of supervisory authorities

    Article 63: Consistency mechanism

    Article 64: Opinion of the Board

    Article 65: Dispute resolution by the Board

    Article 66: Urgency Procedure

    Article 67: Exchange of information

    Article 68 – European Data Protection Board

    Article 69 – Independence

    Article 70 – Tasks of the Board

    Article 71 – Reports

    Article 72 – Procedure

    Article 73 – Chair

    Article 74 – Tasks of the Chair

    Article 75 – Secretariat

    Article 76 – Confidentiality

    Article 77: Right to lodge a complaint with a supervisory authority

    Article 78: Right to an effective judicial remedy against a supervisory authority

    Article 79: Right to an effective judicial remedy against a controller or processor

    Article 80: Representation of data subjects

    Article 81: Suspension of proceedings

    Article 82: Right to compensation and liability

    Article 83: General conditions for imposing administrative fines

    Article 84: Penalties

    Article 85: Processing and freedom of expression and information

    Relationship between EU data protection law and freedom of expression

    Article 86: Processing and public access to official documents

    Article 87: Processing of the national identification number

    Article 88: Processing in the context of employment

    Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

    Article 90: Obligations of secrecy

    Article 91: Existing data protection rules of churches and religious associations

    Article 94: Repeal of Directive 95/46/EC

    Article 95: Relationship with Directive 2002/58/EC

    Article 96: Relationship with previously concluded Agreements

    Article 97: Commission Reports

    Article 98: Review of other Union legal acts on data protection

    Article 99: Entry into force and application

    PART I – Taking the Minimalist Approach

    Chapter 1 – Getting Ready for the GDPR

    Introduction

    This book is designed to help companies of all sizes become GDPR ready. It aims to supply the relevant knowledge as well as the techniques and practical tools you will need to take your business to GDPR readiness in the shortest possible time. However, we cannot entirely do this without first imparting some theoretical knowledge, so the book presents the rules and legislation as required while keeping an emphasis on practical, deployable information.

    GDPR will come into force in May 2018 and so there is not a lot of time left in which to become compliant. As a result we strive to present the knowledge within the book through practical examples, checklists, templates and toolkits.

    To get the most out of this book you should read it chapter by chapter, but as always time is of the essence, so skipping chapters, especially the theoretical ones, may be advantageous if you are already familiar with data privacy protection.

    GDPR – An Introduction

    The GDPR (General Data Protection Regulation) is focused on personal information and on how and why it should be protected, especially from third parties that may monetise that data. As a result the GDPR protects EU (European Union) citizens from international technology giants that regard harvesting personal information as a condition of access to a service as their right and as part of their business model.

    The General Data Protection Regulation (GDPR) goes into effect on 25 May 2018, and most interestingly it will require companies around the world that do business within the European Economic Area (EEA) to comply with the new regulation.

    As a result, companies around the globe that market in the EEA should make sure that their data governance plans comply with the new regulation; it is not optional, it is mandatory. However, many organisations outside the EEA, and even some within it or intending to leave it, such as those in the UK, believe these regulations will not concern them. This unfortunately is folly, as any organisation that wishes to trade within the EEA market will have to comply with the GDPR.

    Indeed, many organisations within the European Union are surprised that, regardless of where a company is based, if it supplies products or services to EU residents then it must be in compliance. Similarly, many UK companies believe that when they leave the EU and the Single Market they will be deemed to be foreign companies and will consequently be free of the GDPR, whereas the reality is that they will still have to comply if they wish to trade in the EEA, as well as having to pay tariffs for the privilege.

    Interestingly, a recent survey found that, despite the hype surrounding the GDPR, fewer than half (45 percent) of businesses had a structured plan in place for compliance. Furthermore, and quite shockingly, a little more than half (58 percent) indicated that their businesses were not fully aware of their state of readiness or even of the consequences of non-compliance.

    The big change in the new regulation is that under the GDPR, individuals have the right to control their own personal data. However, the definition of just what constitutes personal data remains ambiguous with the EU GDPR Regulation stating:

    The term ‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

    Therefore, a request from an individual that their personal data be made accessible for review, or that it be erased, must under certain circumstances be honoured; the erasure right is known as the right to be forgotten.

    However, that is easier said than done, as finding, reviewing or erasing data requires that the company knows where the data is stored. Therefore, to comply with a request to be forgotten, the company must know everywhere the data may exist within its internal and cloud-based storage systems. This is more difficult than one might think. Indeed, 48 percent of survey respondents acknowledged that they were challenged just to find personal data within their own databases.

    Consequently, there are five major steps that can be recommended for a company of any size to follow and by doing so get on the right track toward GDPR compliance:

    Locate personal data - the GDPR demands that organizations know where they store personal data and they must not rely on where they think personal data might be. The regulation requires that organizations can prove where personal data is (and where it isn’t) and importantly who has access to it. This requires a system where there is access to all company data sources, different file types, including relational data sources such as Oracle, and big data technologies such as Apache Hadoop.

    Identify – Identifying personal data is as crucial as knowing where it resides in each of the company’s data sources. What matters is whether an individual can be identified from the data, so it is important to protect sources that can obviously be related to an individual, such as a mailing list in a CRM system, as well as personal data hidden within unstructured sources like spreadsheet files, email or text files. It may therefore be best to use sampling techniques and sophisticated algorithms such as hashing or encryption to prevent the data being used for identification. These technologies can be used to obfuscate and protect personal data within structured and unstructured data sources from illegal access.

    Manage – ensuring processes and procedures that are enforced across the entire organization may be the most awkward task. This includes communication across business units and vendors so demands diligent documentation. This is hugely important with the GDPR, as it’s critical that organizations can prove compliance every step of the data journey and they can only do this through robust documentation. This diligent enforcement will demand documentation of work practices, policies, proper data lineage, monitoring data quality and managing business terms across the organization. It’s also important to document and assign owners to terms, practices and responsibilities and then link them to policies or technical assets, such as tasks, reports or data sources.

    Protect - The GDPR is fundamentally about protecting personal information from falling into the wrong hands i.e. about privacy. Therefore the focus is on anonymising personal data so that it cannot be reverse engineered to determine an individual’s identity. Therefore, hashing, role-based data masking and encryption techniques can secure sensitive information.

    Audit – A major issue with implementing the GDPR is being able to prove where data resides and who has access to it. Running interactive database scripts can identify the users, files, data sources and types of personal information being stored in databases. However, more diligent auditing can reveal who has accessed personal data, and how it is being protected across the business.
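    As an added illustration of the Locate, Identify, Protect and Audit steps above (example code written for this page, not taken from the book), the following Python sketch scans constructed sample records for personal data, pseudonymises identifiers with a keyed hash, applies role-based masking and records an audit entry for every read. The records, the key, the role names and all function names are assumptions.

```python
"""Locate, pseudonymise, mask and audit personal data in a small record set.

Added illustration of the Locate / Identify / Protect / Audit steps; it is
not code from the book. The records, key and roles are constructed here.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed sample records: a CRM export with personal data in some fields.
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.org",
     "note": "Call back re: invoice 1001"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.org",
     "note": "Prefers contact at bob.alt@example.org, not by phone"},
]

# Constructed key. A keyed hash (HMAC) is used instead of a bare hash because a
# short, guessable value such as an e-mail address can otherwise be recovered
# by hashing a list of candidate addresses; keep the key outside the data
# store it protects.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def locate_personal_data(records):
    """Locate / Identify: list (record id, field) pairs holding personal data.

    The name field is personal data by definition; other string fields are
    scanned for e-mail addresses, which is how personal data hides in
    free-text columns."""
    found = []
    for rec in records:
        for field, value in rec.items():
            if field == "name" or (isinstance(value, str) and EMAIL_RE.search(value)):
                found.append((rec["id"], field))
    return found


def pseudonymise(value):
    """Protect: stable pseudonym for an identifier (same input, same output),
    so records can still be joined without exposing the original value."""
    digest = hmac.new(PSEUDONYM_KEY, value.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def mask_email(email, role):
    """Role-based masking: the data protection officer sees the full value,
    every other role sees a masked form."""
    if role == "dpo":
        return email
    local, _, domain = email.partition("@")
    return local[0] + "***@" + domain


AUDIT_LOG = []


def read_email(record, user, role):
    """Audit: every read of a personal-data field records who, what and when."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user, "role": role,
                      "record": record["id"], "field": "email"})
    return mask_email(record["email"], role)
```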

    A good first step for assessing GDPR readiness, once you have contemplated and processed the previous five steps and have a good understanding of the data being collected, stored, shared or processed by your company, is to consider the company’s current state of readiness. We can do this using the following checklist for GDPR compliance.

    Completing the GDPR Readiness Checklist above will provide you with insight into the areas of strength and weakness regarding the company’s readiness to meet the stringent requirements and obligations set down by the GDPR.

    Gaining an initial assessment of the current situation is important as it will indicate the amount of work that will be required to be undertaken to become GDPR compliant. It will also provide a valuable indication of which approach to GDPR readiness is most appropriate for the company. The Minimalist approach that we introduce in this part of the book will be most appropriate for organisations both large and small that can answer yes to most of the items in the checklist. Typically these organisations are small businesses with limited data collection and processing capabilities or conversely organisations at the other end of the scale, which have complex data processing responsibilities but also have mature data governance and inherent data privacy protection cultures.

    Nonetheless, before we can adequately gauge the GDPR readiness of the organisation we first need to fully understand the goals and objectives of the GDPR.

    Chapter 2 – Getting GDPR Ready

    On 25th May 2018, the legislation – designed to protect EU citizens’ data – will become law. Its intent is to ensure that organisations are including privacy by design in their security strategies and make them more accountable to their customers. Complying with GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, GDPR almost certainly applies to you.

    GDPR Readiness

    GDPR compliance is not particularly easy, but it is basically common sense in an organisation with good data governance, especially one that already has the previous Data Protection Directive (DPD) under control. Indeed, many suggest that GDPR compliance = common sense + diligent data security policy + transparency of processing. Moreover, when properly executed, GDPR compliance can have lasting beneficial effects on an organisation. For example, industry surveys found that 71 percent of respondents believe that their data governance will improve as a result of GDPR compliance initiatives. Furthermore, 37 percent of organisations think that their general IT capabilities will improve as they seek readiness, and 30 percent of respondents agree that complying with the GDPR will improve their image, as the GDPR is seen to strengthen and harmonise data protection laws across EU nations.

    The regulation mandates a
