The more data is combined and aggregated, the more substantial the personal data becomes, the harder it is to de-identify, and the higher the risks and responsibilities.
Personal data includes, but is not limited to: name, address, unique identification numbers, demographics, behavioural data, social data, sensor data, user-generated content and CCTV footage.
The GDPR is concerned only with personal data, but data that has been pseudonymised or only partially anonymised, and can still be tied back to an individual, remains personal data. Only data that can no longer be linked to an identifiable person falls outside its scope.
The GDPR distinguishes controllers from processors to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.
Going forward, and before 25 May 2018, you will need to review and update your general T&Cs (data subjects), employment contracts (controller) and any agreements with third parties (processors); Article 28 requires a written contract with every processor setting out the subject matter, duration, nature and purpose of the processing and the processor's obligations.
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
You will also be responsible for the data you hold and must be able to demonstrate to the Data Protection Authorities (DPAs) that it is processed in compliance with the Regulation.
You also need to make sure your data processors effectively protect the personal data you entrust to them. Under Article 28 you may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, so contracts, audits and security assurances for third parties are your responsibility.
You need to ask for permission, not forgiveness. Consent must be freely given, specific, informed and unambiguous, so use simple T&Cs and plain language to explain how personal data will be used.
Data subjects must be able to withdraw consent at any time, and Article 7(3) requires that withdrawing consent be as easy as giving it, so in practice the same interface used to obtain consent should also allow it to be withdrawn.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO, and in some cases to the affected individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals, for example where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where notification is required it must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33).
You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred.
“If TalkTalk's data breach fine (£400k) was under GDPR, it could have been £70M”
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). A breach is therefore more than just losing personal data: unauthorised access or disclosure counts even when no data is lost.
You must notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. A breach which, if left unaddressed, would have a significant detrimental effect on individuals meets this threshold, for example one that could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Breaches that are unlikely to result in such a risk need not be reported, but should still be documented internally.
The Data Protection Officer (DPO) is the person who helps data controllers and processors comply with data protection law and avoid the risks organisations face when processing personal data: informing and advising the organisation, monitoring compliance, and acting as the point of contact for the supervisory authority and data subjects.
A DPO is mandatory under Article 37 for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities involve large-scale processing of special categories of data (see Article 9). The 250-employee threshold often quoted in this context actually comes from Article 30: organisations with fewer than 250 employees are exempt from keeping full records of processing activities.
That exemption does not apply, and records must be kept, if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (see Article 9). The GDPR itself applies to all organisations processing personal data, regardless of size.
There will be a requirement to provide three types of training on the GDPR to make sure you have all the bases covered:
This is about maintaining general user awareness of data protection and IT security, and building strong best practices among users.
If you have questions or need a personalised plan, contact us and we will study your requirements and offer a customised solution.