A Director-Level View Of GDPR
At the IoD's Digital Summit, Darren Wray and Birger Tenow ran a workshop giving a high-level view of GDPR for directors.
First they covered the rights that GDPR gives to data subjects:
- To be informed
- Restrict processing
- Data portability
Then they moved on to describing what to consider as you move towards compliance.
As a minimum you must be able to identify the data you hold, and the category it sits in.
Some research found that the average company has information that falls into two categories:
- 20% structured e.g. ERP, CRM, HR
- 80% unstructured e.g. File shares, laptops, Emails, chat
They also found that around 60% of that unstructured information is usually not managed in any way. To comply with GDPR you have to bring all of the data under good management.
The steps you need to take to achieve that are:
- Discover — what data do you capture and process anywhere in your organisation?
- Analyse and report — what is in this data, how is it processed, what is its risk level, what level of management is it under, and is it compliant?
- Act — either delete the data, or put management of it in place. There will be large amounts of data, so you may need to automate this (classifying, moving, and so on). Encrypt the data so that even if there is a breach, the data itself is hard to access.
You need a register of all the information assets you have and how they are processed.
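As an added illustration of the discover, analyse and act steps and the register they feed, here is a small Python script written for this page (it is not the workshop's or Convivio's code). It scans a constructed sample file share for two common personal-data identifiers, classifies each file by how much it found, and emits the kind of register entry the text calls for. The detector patterns, the risk threshold, the recommended actions and the file contents are all assumptions made for the demonstration.

```python
"""Discover and analyse pass over an unstructured file share, producing a
register of information assets. Example code for this page; the sample files
below are constructed, and the detectors and thresholds are assumptions."""
import os
import re
import tempfile
from dataclasses import dataclass, asdict

# Two simple detectors for personal-data identifiers (assumption: a real scan
# would use many more patterns, plus context such as column headings).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?|0)7\d{3}\s?\d{6}\b"),
}

# Constructed sample files standing in for a file share / laptop export.
SAMPLE_FILES = {
    "hr/leavers_2017.csv": (
        "name,email,mobile\n"
        "A Person,a.person@example.org,07700 900123\n"
        "B Person,b.person@example.org,07700 900456\n"
    ),
    "marketing/newsletter_list.txt":
        "\n".join("subscriber%d@example.com" % i for i in range(12)) + "\n",
    "engineering/release_notes.md": "# v2.1\n- fixed login bug\n- updated dependencies\n",
    "shared/backup.bin": b"\x00\x01\x02binary\xff",  # not text: skipped by the scan
}


@dataclass
class RegisterEntry:
    path: str
    identifiers: dict        # detector name -> number of matches found
    risk: str                # "none", "low" or "high" (assumed scale)
    recommended_action: str  # the "act" step for this asset


def build_sample_share():
    """Write the constructed files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="gdpr_share_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(full, mode) as fh:
            fh.write(content)
    return root


def scan_file(path):
    """Return {detector: match_count} for one file; unreadable/binary files return {}."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            text = fh.read()
    except (UnicodeDecodeError, OSError):
        return {}
    found = {}
    for name, rx in DETECTORS.items():
        hits = rx.findall(text)
        if hits:
            found[name] = len(hits)
    return found


def classify(identifiers):
    """Map match counts to a risk level and an action (threshold of 10 is an assumption)."""
    total = sum(identifiers.values())
    if total == 0:
        return "none", "no personal data found; no GDPR action required"
    if total >= 10:
        return "high", "bring under management: encrypt at rest and restrict access"
    return "low", "review: delete if there is no lawful basis, otherwise record and manage"


def build_register(root):
    """Walk the share and produce one register entry per file, sorted by path."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ids = scan_file(full)
            risk, action = classify(ids)
            entries.append(RegisterEntry(os.path.relpath(full, root), ids, risk, action))
    return sorted(entries, key=lambda e: e.path)


def summarise(register):
    """Share-level figures a director would ask for."""
    return {
        "files": len(register),
        "with_personal_data": sum(1 for e in register if e.risk != "none"),
        "high_risk": sum(1 for e in register if e.risk == "high"),
    }


if __name__ == "__main__":
    share = build_sample_share()
    register = build_register(share)
    for entry in register:
        print(asdict(entry))
    print(summarise(register))
```

Run as a script it prints one register line per file and a summary; in practice the register would be persisted (and itself treated as sensitive, since it describes where personal data lives), and the "act" column would drive the automation the workshop mentions, such as moving high-risk files into an encrypted, access-controlled store.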
Consider having a single data store — gathering data from legacy apps and production apps, and then providing APIs to allow reuse and tools to enable compliance.
Policy, Processes and Procedure
Ensure that you are processing personal data consistently, in a way that is compliant with GDPR. This can actually improve the way your business runs too.
You need policies:
- data protection policy
- business continuity policy — so data is safe, backed up and recoverable
Then you need to be able to evidence that your organisation is compliant, not just have the policy documents in place.
Put training in place to ensure all staff are aware of responsibilities, ensure they process data in a compliant way. But also make them aware of their own rights regarding HR data etc.
Systems' ability to fulfil Data Subjects' Rights
Your computer systems need to support your ability to comply with GDPR and data subjects' rights: knowing where you got data from, that you had consent to use it in particular ways, and being able to provide copies of data to users. They also need to help you meet customer expectations of a quick response.
Possible areas for GDPR automation:
- consent management
- data consistency
- data breach incident management
- orchestration of data
- information/data requests management — drive requests to an online request handling system, integrate this to data sources, create reports automatically
Data Incident Response Plan
GDPR requires you to report a data breach within 72 hours of discovering it. Within that time you must understand what data has been compromised and the nature of the breach, and gather all of that together for your report.
You will have to report this to the ICO, and possibly to data subjects too.
Because of this tight timescale you need to have a data breach plan in place so you can respond quickly and correctly.
Robert Mueller, former head of the FBI, said: "There are two types of organisation: those who have been hacked, and those who will be hacked." It's far better to be prepared than to be caught on the hop.
Geographic Restrictions and Requirements
GDPR places geographic restrictions on where the personal data of EU residents can be processed:
- 1st countries — within EEA — no additional requirements
- 2nd countries — with equivalence — some additional requirements. In the US the organisation must be part of the EU-US Privacy Shield. The data controller remains responsible for any personal data they collect or process and provide to a third party.
- 3rd countries — others — you must put in place enforceable contractual requirements that provide equivalence of the GDPR to protect personal data. This applies even if the company is part of your group.
This was a workshop given at the Institute of Directors Digital Summit.
We'll soon publish our GDPR guidance for Service and Product managers. Follow us here or on Twitter at @weareconvivio to get your copy when we release it.
Convivio is a digital agency that brings people together using technology.
We deliver major digital services for government and large organisations.
Find out more at www.weareconvivio.com