Follow Data Protection – IT Governance Blog on Feedspot



Most GDPR (General Data Protection Regulation) compliance projects start with a gap analysis.

A gap analysis is a popular method of assessing compliance against the requirements of the Regulation. It’ll help you identify and prioritise the areas that you should address.

What does a gap analysis involve?

A gap analysis is performed by an individual with in-depth expertise of the GDPR’s requirements, and a deep understanding of the practical realities of implementing suitable processes, controls and other measures to help the organisation achieve compliance.

Can I use a free GDPR gap analysis tool?

While it can be tempting to cut costs, freely available gap analysis tools are rarely as comprehensive as paid-for ones.

More concerningly, these free tools can prove troublesome for users who have limited knowledge of their compliance obligations under the GDPR.

With penalties for non-compliance as high as €20 million (about £17 million) or 4% of annual global turnover, whichever is higher, it’s always worth opting for a gap assessment tool that has been developed by qualified experts.

Fortunately, there are many professionally developed and inexpensive gap analysis tools available.

What gap analysis options are available?

There are four different options to consider for conducting a gap analysis:

  1. The DIY approach

Questionnaire-driven gap analysis tools help you assess your organisation’s GDPR compliance posture by quickly identifying any gaps for remediation.

DIY tools like our EU GDPR Compliance Gap Assessment Tool typically require detailed knowledge of the Regulation and its compliance requirements.

  2. The template approach

You can purchase a complete set of templates to help you develop the documentation needed to demonstrate GDPR compliance.

Some documentation toolkits even include a gap analysis tool, such as our EU GDPR Documentation Toolkit.

  3. The consultant-led approach

You can outsource the gap analysis to a data protection consultant, who’ll conduct an on-site assessment of your privacy management and data processing practices.

After the assessment, you’ll receive a detailed report of your compliance status. This report will outline the level of effort required to achieve full compliance.

Make sure you appoint a consultant with an in-depth understanding of the GDPR’s requirements and how they should be met.

  4. The software approach

Software solutions offer more benefits than questionnaire-driven tools. Our GDPR Manager tool provides four features in one:

  1. Gap analysis tool
  2. DSAR (data subject access request) management
  3. Data breach monitoring
  4. Third-party management tool

What gap analysis solution is right for me?

The consultant-led approach is ideal for organisations seeking a comprehensive gap analysis. Data protection consultants can offer objective insight into the potential costs and risks involved in implementing a compliance programme.

Not every organisation needs to hire a consultant, though. Smaller organisations can benefit from more affordable tools and solutions that help track and maintain GDPR compliance.

Ten steps to performing a gap analysis

A gap analysis consists of the following stages:

  1. Data protection governance

Assess whether you have the necessary mechanisms in place for:

  • Data protection accountability and responsibility;
  • Policies and procedures;
  • Performance measurement; and
  • Reporting.

  2. Risk management

Ensure you employ adequate privacy risk management practices. This includes how you tackle upholding the rights and freedoms of data subjects.

  3. GDPR project resourcing

Establish how you will resource your compliance programme.

  4. DPO (data protection officer)

Determine whether you are required to appoint a DPO.

  5. Roles and responsibilities

Assess whether staff awareness training has been established, and ensure your compliance programme has identified suitable roles and responsibilities.

  6. Scope of compliance

Consider how you have defined the scope of your compliance obligations. Make sure you’ve considered all data processing and data sharing that your organisation is directly or indirectly involved in.

  7. Personal data processes

Check you’ve implemented processes and procedures for each GDPR principle involving personal data. Determine whether a lawful basis for processing personal data has been identified and documented, and ensure you have a suitable DPIA (data protection impact assessment) process in place.

  8. PIMS (personal information management system)

Establish a suitable programme to document your GDPR compliance activities.

  9. ISMS (information security management system)

Implement an ISMS to meet the GDPR’s requirements for securing personal data with “appropriate technical and organisational measures”.

  10. Rights of data subjects

Ensure you have a process in place for facilitating data subjects’ rights, including responding to DSARs.

Get serious about GDPR compliance

Choose the best gap analysis solution for your resource availability, budget and compliance needs.

IT Governance is a leader in the fields of GDPR compliance, data protection and cyber security. Contact us now for expert advice.

The post Ten steps to a GDPR gap analysis appeared first on IT Governance Blog.


The broad range of skills required to succeed as a DPO (data protection officer) makes it a tough position to fill. DPOs need to work with staff to answer data protection questions, monitor the organisation’s data protection policies and procedures, and, of course, have expert knowledge of the GDPR (General Data Protection Regulation).

We therefore wouldn’t expect an organisation to simply tell its newly appointed DPO to get straight to work. Instead, they should be given specialist training to help them excel.

Not convinced? Here are three reasons why you should invest in specialised DPO training.

1. It will shore up GDPR knowledge gaps

DPOs are naturally expected to have expert understanding of data protection law, and they should have received GDPR training. However, the shortage of skilled DPOs means not every organisation will be able to appoint someone who already knows the Regulation inside out. Many will have to make do with their resident data protection and privacy expert, who may well have a strong understanding of the GDPR, but will need to bone up on the Regulation’s requirements to fulfil all the DPO’s tasks.

Studying will also help DPOs understand how the GDPR works in practice. Those who are new to the job will quickly learn that there’s a huge difference between understanding the Regulation’s requirements and ensuring that the organisation implements them. It’s only through practical exercises that DPOs can learn to bridge that gap.

2. They need to learn how to be independent advisors

Arguably the trickiest part of being a DPO is liaising with employees on the organisation’s data protection practices. DPOs must advise staff on their data protection responsibilities and monitor whether they are being met, but they must also operate independently and without instruction from the organisation.

This means an employer can’t instruct the DPO in how to perform their duties (although it must still provide the resources the role needs), and the DPO can’t overstep their boundaries when advising employees on how to achieve compliance. Doing so would effectively make them responsible for that activity, jeopardising their status as independent advisors free from conflicts of interest.

As such, DPOs must learn what they can and can’t say in their role, a skill that’s particularly important if they take on the responsibilities alongside their existing role.

3. It helps them prepare for disaster

DPOs play a crucial role in the data breach response process. The GDPR gives organisations 72 hours from the time they become aware of a breach to disclose it to their supervisory authority, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. The disclosure should include explanatory details about the incident, such as what caused the breach, how many records were affected and the types of information involved.

The DPO is typically the person who records all these details (acquired from relevant members of staff) and, as the organisation’s point of contact with the supervisory authority, relays them by email or phone.

The task itself is relatively straightforward if the DPO is sufficiently prepared. This generally means having the supervisory authority’s contact details to hand, as well as a list of the details you are required to provide. A meticulous DPO might also prepare a list of employees who are best suited to providing the necessary information, as well as alternatives if that person is away from the office.

However, without specialist training, your DPO will have to figure out how to plan for breaches by themselves. (Remember, you can’t instruct them.) Maybe they’ll manage, but do you want to take the chance? Particularly when the stress and panic that comes with a data breach could lead to your DPO making a crucial mistake.

Interested in a DPO masterclass?

Anyone who wants to learn how to become an expert DPO should consider our Certified Data Protection Officer (C-DPO) Masterclass Training Course.

Using practical examples and exercises, you’ll learn how to fulfil the DPO’s tasks and develop the soft skills that the role requires.

This four-day course runs in Birmingham, London and Manchester.

The post Why your DPO needs specialised training appeared first on IT Governance Blog.


Almost one year on from the introduction of new data protection laws, more than half of UK schools and colleges reveal they are not fully compliant. In a recent survey from edtech giant RM Learning and Trend Micro, 14% of respondents also admitted to not having a clear plan to become compliant with the GDPR (General Data Protection Regulation).

On the plus side, over 80% said that they had taken steps towards becoming compliant, mostly in the form of updating policies, training staff, appointing a DPO (data protection officer) or carrying out a data audit. Despite this, 46% cited a lack of security awareness as one of the biggest challenges in complying with data protection regulations.

Mandatory breach recording and reporting

The GDPR expects organisations to record all data breaches and, in some circumstances, report these to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware. Worryingly, 29% of those surveyed said they did not have a formal breach response process in place, putting them at risk of serious non-compliance, should a breach occur.

Beware the inside threat

75% of schools and colleges regard their staff as the biggest threat to data, with cyber criminals seen as a bigger threat in just 19% of organisations. Careless staff can be just as big a threat as a malicious insider – awareness and training play a key role in protecting the sensitive data educational institutions hold.

Easy steps to reduce the risks and demonstrate GDPR compliance

For schools and colleges, the good news is that the risks highlighted in this survey can be reduced in a simple and cost-effective manner. As the survey suggests, human error is one of the biggest risks to data security. Losing data or sending it to the wrong people top the list of data breach causes across all sectors, and cyber criminals see busy staff as easy targets for scams like phishing. Staff training can significantly reduce these risks.

Train staff with e-learning from IT Governance

Our e-learning modules cover the GDPR, cyber security, appropriate use of Cc and Bcc in emails and how to spot phishing scams.

Demonstrate compliance with GDPR.co.uk

The GDPR.co.uk platform includes a data breach recording functionality that can report breaches directly to the ICO, DSAR (data subject access request) recording, staff GDPR training, and data and supplier mapping functionality – all the elements required to demonstrate GDPR compliance.

We offer a 10% discount on all our products and services to ASCL and COBIS member schools.

Review your compliance with our free GDPR checklist >>

The post More than half of schools not compliant with the GDPR appeared first on IT Governance Blog.


A version of this blog was originally published on 6 February 2018.

The GDPR (General Data Protection Regulation) isn’t just about implementing technological and organisational measures to secure the information you store. You also need to demonstrate your compliance, which is why data protection policies are essential.

These documents form part of organisations’ wider commitment to accountability, outlined in Article 5(2) of the GDPR.

In this blog, we explain what a GDPR data protection policy is, what it should include and how to simplify the documentation process.

What is a data protection policy?

A data protection policy is an internal document that serves as the core of an organisation’s GDPR compliance practices. It explains the GDPR’s requirements to employees and states the organisation’s commitment to compliance.

The data protection policy doesn’t need to provide specific details on how the organisation will meet the Regulation’s requirements, as these will be covered in the organisation’s procedures. Rather, a policy only needs to outline how the GDPR relates to the organisation.

Take data minimisation as an example. Whereas your procedures should state exactly how you will ensure this principle will be met (for example, you might require that any prospective data collection activities be accompanied by a document explaining why processing is necessary), your policy need only state that the organisation will address that principle.

Why you need a GDPR data protection policy

Data protection policies serve three goals. First, they provide the groundwork from which an organisation can achieve GDPR compliance. The Regulation as it’s written is simply too complex to be used as a basis for an implementation project. Imagine starting on page one and planning your compliance practices as you go; it would be a mess.

Instead, you should use the data protection policy as a cheat sheet, breaking the GDPR’s requirements into manageable chunks that are applicable to your organisation.

That brings us to the second goal: to make the GDPR understandable to your staff. Remember, most people responsible for compliance aren’t data protection experts and won’t have pored over the Regulation’s principles to understand why these rules are in place.

A data protection policy is the ideal place to address that, explaining in simple terms how the GDPR applies to employees and what their obligations are.

Finally, data protection policies prove that organisations are committed to GDPR compliance. Article 24 of the GDPR specifies that, where proportionate to the processing, organisations implement data protection policies in order to “demonstrate that [data] processing is performed in accordance with this Regulation”.

Being able to demonstrate compliance is essential when it comes to regulatory investigations. If a customer complains that an organisation has misused their data or hasn’t facilitated one or more of their rights as a data subject, the organisation will be subject to an investigation from their supervisory authority.

A data protection policy will be the first piece of evidence the regulator looks for to see whether the organisation takes the GDPR seriously. From there, the supervisory authority may determine whether the organisation met its regulatory requirements and, if it didn’t, whether the violation was due to a mistake or widespread neglect of the Regulation’s requirements.

The answer to this will determine what disciplinary action is levied. A one-time mistake might be met with a slap on the wrist and a reminder to be more thorough in the future, but a systemic failure will almost certainly lead to a significant fine.

What your data protection policy should include

You can include as much or as little information in your GDPR data protection policy as you like, but we recommend that you cover:

  • The purpose of the policy: This can serve as your introduction, explaining the policy’s relation to the GDPR, the importance of compliance and why the policy is necessary.
  • Definition of key terms: The GDPR is full of data protection terminology that you will need to explain. This section should include notoriously tricky terms like ‘controller’ and ‘processor’, but you might also want to clarify things like ‘data subject’, which aren’t as clear-cut as you might think.
  • Scope: The GDPR’s requirements apply to the personal data of individuals in the EU and to anyone in your organisation who processes that information.
  • Principles: Explain the GDPR’s six principles for data processing, as well as accountability (which is also a principle but addressed slightly differently). You should also briefly note your commitment to meeting these principles.
  • Data subject rights: The GDPR endows individuals with eight data subject rights. You should define them and state that you will ensure that they are met.
  • DPO (data protection officer): You should provide the name and contact details of your DPO. If you’ve chosen not to appoint one (some organisations are exempt from this requirement), you should list the senior member of staff responsible for data protection.

Want a quick and easy data protection policy template?

Putting all the necessary information into a policy from scratch is a tough ask, which is why some organisations simply adapt their existing data protection policy to include GDPR-specific elements.

We don’t recommend this approach, because you can easily overlook essential requirements. However, we understand the desire for help, which is why we offer a GDPR Data Protection Policy Template.

With this document, designed by our expert information security practitioners, you can create a GDPR-compliant data protection policy in minutes.

The post How to write a GDPR data protection policy – with template appeared first on IT Governance Blog.


Stop us if you’ve heard this one before: organisations that fail to meet the requirements of the GDPR (General Data Protection Regulation) face fines of up to €20 million (about £17.3 million) or 4% of their annual global turnover.

Experts have been warning organisations about this since long before the Regulation took effect on 25 May 2018, but their advice has started to fall on deaf ears. That’s somewhat understandable, given that no UK organisation has yet been disciplined under the GDPR.

But that’s about to change – and here’s why.

GDPR fines expected in June

The UK’s supervisory authority, the ICO (Information Commissioner’s Office), doesn’t issue fines lightly. This has been the case for years, and that’s why it typically takes about twelve to fifteen months for it to complete investigations and decide upon disciplinary measures.

You can browse the ICO’s recent enforcement actions for evidence of this. For instance, an investigation into the pregnancy and parenthood advice club Bounty UK was launched on 30 April 2018 and concluded last week with the ICO issuing a £400,000 fine.

Likewise, the data protection watchdog began communications with the London Borough of Newham in April 2018 after complaints that it had breached the personal data of more than 200 people. On 4 April 2019, the ICO issued a fine of £145,000.

Other investigations that have recently concluded include an NHS manager who misappropriated information, a funeral home that sent nuisance calls to thousands of people and a television company that filmed a maternity ward without parents’ consent. These incidents were all reported to the ICO in November 2017, meaning the supervisory authority spent more than a year investigating.

When you consider that alongside the fact that the GDPR can’t be applied retroactively, it’s easy to see why we’re yet to see a fine under the GDPR in the UK. It’s not that organisations have gone unpunished in the past year; it’s that the ICO has been working through breaches that occurred before the Regulation took effect.

With the ICO now concluding investigations into incidents that were reported at the end of April 2018, it’s only a matter of time before the authority moves on to incidents that occurred on and after that landmark 25 May 2018 date.

If the ICO maintains its twelve-month timeframe for investigations, we could see the first GDPR fine in the UK in late May or early June.

Which organisation will be the first to be fined?

Regulatory fines aren’t handed out on a first come, first served basis, so it’s hard to say which UK organisation will enter the GDPR record books. Many people have speculated that the ICO will be looking for a mammoth fine to make other organisations sit up and take note.

That was certainly the case in France, whose data protection regulator, the CNIL, fined Google €50 million (£44 million) in January. The ICO is also investigating the Internet giant, and we wouldn’t be surprised if a similar penalty was handed out, but we doubt the decision will be made in the next few months.

A far more likely candidate is Dixons Carphone. The retailer was hit by a cyber attack in July 2017 but the damage wasn’t discovered for almost a year. The ICO commented: “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the [Data Protection Act] 1998 or [the GDPR].”

Another candidate for the first GDPR fine in the UK is the NHS. The organisation reported a coding error that exposed the personal data of 150,000 patients in early July 2018.

Unlike the Dixons Carphone incident, the breach occurred after the GDPR took effect and is a clear violation of the Regulation’s requirements.

Those affected had requested that their personal and health information should be used only for medical purposes. However, the SystmOne application never passed on the request to NHS England’s IT provider, meaning the information was also used for research and auditing purposes.

It’s not a devastating breach in the grand scheme of things, but it’s still a violation of the individuals’ right to object to processing – one that could prove to be a regulatory landmark.

Looking for a fast and affordable route to GDPR compliance?

The organisations that have come under investigation for GDPR violations haven’t failed for a lack of effort. Their shortcomings are more likely a result of the complexity of the Regulation’s requirements, and the cost and disruption of implementing them.

These challenges are particularly tough to overcome for SMEs, which often lack the resources to tackle implementation effectively. Unfortunately, they are also the most likely to suffer from GDPR violations, with a regulatory breach potentially causing ruinous financial and reputational damage.

You can avoid that fate with IT Governance’s GDPR Quick-Comply for SMEs. This bundle is tailored specifically for smaller organisations, providing essential resources, like staff awareness training and a documentation toolkit, to fast-track your implementation project.

Get to grips with the GDPR and achieve demonstrable compliance with GDPR Quick-Comply >>

The post GDPR fines are coming and here’s why appeared first on IT Governance Blog.


This blog has been updated to reflect industry updates. Originally published June 2017.

On 25 May 2018, the EU’s GDPR (General Data Protection Regulation) superseded the UK’s DPA (Data Protection Act) 1998. With the Regulation expanding the definition of personal data, many organisations were uncertain as to what the new definition includes.

The scope of personal data

Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements. This set of circumstances is now broader than under the DPA, with Article 2 of the GDPR stating that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

What constitutes personal data?

The GDPR’s definition of personal data is also much broader than under the DPA 1998. Article 4 defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Perhaps the biggest implication of this is that, under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that cannot be attributed to the data subject without some additional information, such as a key or a lookup table that is kept separately. Pseudonymised data is still personal data (Recital 26 says so explicitly), because that additional information exists; pseudonymisation is a security measure that reduces risk, not a way of taking data out of scope.

The qualifier of ‘certain circumstances’ is important to highlight here, because it’s often the context in which information exists that determines whether it can identify someone. The same issue applied to the DPA 1998, and the ICO uses the example of a person’s name to explain this issue:

By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.

However, it also notes that names are not necessarily required to identify someone:

Simply because you do not know the name of an individual does not mean you cannot identify that individual. Many of us do not know the names of all our neighbours, but we are still able to identify them.

Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure, but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.
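The following Python is an added example, not code from the original post, showing the difference between merely hashing an identifier and pseudonymising it in the sense the GDPR describes. The sample records, addresses and key are constructed for illustration. A plain hash of an e-mail address or IPv4 address is reversible by anyone who can enumerate candidate inputs, so it does not stop the data being attributed to the individual; a keyed pseudonym (HMAC under a secret key) can only be reversed by whoever holds the key or the re-identification table, which is the “additional information” that must be stored separately.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (assumed, for illustration only): each row holds two
# direct identifiers (an e-mail address and a client IP) plus a non-identifying event.
SAMPLE_RECORDS = [
    {"email": "john.smith@example.com", "ip": "203.0.113.42", "action": "login"},
    {"email": "jane.doe@example.org", "ip": "198.51.100.7", "action": "view"},
    {"email": "john.smith@example.com", "ip": "203.0.113.42", "action": "logout"},
]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of an identifier. Deterministic, but anyone who can guess
    the input (a mailing list, the whole IPv4 space) can confirm the guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key the token cannot be
    attributed to the data subject, which is what Article 4(5) describes."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace direct identifiers with pseudonyms and return the data set
    together with the re-identification table. The table (and the key) is the
    'additional information': keep it apart from the data set, under its own
    access controls, so that a leak of the data set alone reveals nobody."""
    pseudonymised = []
    lookup = {}
    for record in records:
        email_token = pseudonymise(record["email"], key)
        ip_token = pseudonymise(record["ip"], key)
        lookup[email_token] = record["email"]
        lookup[ip_token] = record["ip"]
        pseudonymised.append(
            {"email": email_token, "ip": ip_token, "action": record["action"]}
        )
    return pseudonymised, lookup


def guess_identifier(token: str, candidates, key: bytes = None):
    """Dictionary attack: recompute the token for each candidate identifier and
    return the one that matches. With key=None the attacker can only try an
    unkeyed hash, which is all they can do if the key was kept separately."""
    for candidate in candidates:
        trial = unkeyed_hash(candidate) if key is None else pseudonymise(candidate, key)
        if hmac.compare_digest(trial, token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per run; in practice held in a KMS or HSM
    data, table = pseudonymise_records(SAMPLE_RECORDS, key)
    # Same person, same pseudonym: records stay linkable for analytics.
    print("linkable:", data[0]["email"] == data[2]["email"])
    # An attacker with a candidate list reverses the unkeyed hash...
    guesses = ["jane.doe@example.org", "john.smith@example.com"]
    print("unkeyed hash reversed to:", guess_identifier(unkeyed_hash("john.smith@example.com"), guesses))
    # ...but not the keyed pseudonym.
    print("keyed pseudonym reversed to:", guess_identifier(data[0]["email"], guesses))
    # The controller, holding the table, can still re-identify when it needs to.
    print("controller re-identifies:", table[data[0]["email"]])
```

The same pattern applies to the IP addresses in the records: the pseudonym is deterministic under one key, so a client’s events remain linkable across a log, while the raw address is never written into the analytics data set. Rotating the key, or deleting it and the table once they are no longer needed, is also how the data-minimisation and retention points above are enforced in practice.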

DPO as a service (GDPR)

GRCI Law’s DPO as a service enables you to outsource the DPO role to an expert, helping you to comply with your GDPR obligations without losing focus on your core business activities.

Our DPO team has experience advising clients in a wide variety of sectors, including financial institutions, professional services, education, and health and social care, and we can tailor our service to your unique requirements.

Speak to a member of our team to find out more >>

The post GDPR: How the definition of personal data has changed appeared first on IT Governance Blog.


The ICO (Information Commissioner’s Office) has fined Grove Pension Solutions £40,000 for sending nearly 2 million unsolicited marketing emails. 

The pensions firm’s campaign, which took place between October 2016 and October 2017, violated the PECR (Privacy and Electronic Communications Regulations).

Tried to do the right thing 

Grove’s PECR failure wasn’t for a lack of effort. The organisation hired a data protection consultant for advice, and ran its plan past an independent data protection solicitor. 

Unfortunately, the counsel was either wrong or Grove didn’t take it on board. Either way, the ICO pointed out that the organisation was responsible for its own actions. 

The ICO’s director of investigations and intelligence, Andy White, said: “Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want. 

“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.  

“The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine.” 

What are the PECR’s consent requirements? 

The PECR states that organisations must have the recipient’s consent before sending unsolicited electronic marketing to individual subscribers (the ‘soft opt-in’ for existing customers is the only exception). Unlike the GDPR (General Data Protection Regulation), the requirements apply even when personal data isn’t being processed.

In this instance, Grove relied on indirect consent. That is to say, it used email addresses provided by people who, in the process of consenting to another organisation’s service, agreed to be contacted by third parties. 

However, the ICO’s PECR guidance states that it’s not enough to say that an individual might be contacted by “similar organisations”, “partners” or “selected third parties”. 

The request must be from the organisation in question, or a third party that specifically names the organisations that will be given access to individuals’ contact information. 

Don’t make the same mistake 

As Grove learned to its cost, the PECR can be a minefield to navigate, particularly when you also need to meet the GDPR’s requirements. Any organisation that’s unsure about its compliance status should consider our PECR Audit Service

With this service, an independent assessor reviews your processes and delivers a detailed report, showing you how to resolve any areas of non-compliance. 

Find out more >>

The post Grove Pension Solutions fined £40,000 for PECR violation appeared first on IT Governance Blog.


The data protection landscape was dramatically reshaped with the introduction of the EU GDPR (General Data Protection Regulation) on 25 May 2018, but it wasn’t the only law that took effect that day.

The UK DPA (Data Protection Act) 2018 also came into force, and although it arrived with much less fanfare than the EU GDPR, it’s just as important.

In this blog, we explain why the DPA 2018 exists, what it contains and how it relates to the EU GDPR.

Similarities between the DPA 2018 and the EU GDPR

You can think of the DPA 2018 as the UK’s companion to the EU GDPR. It supplements the directly applicable Regulation in UK law, clarifies certain terms, such as ‘controller’ and ‘public authority’, and documents the UK’s position on aspects of the Regulation that member states are free to adjust.

The most prominent of these adjustments is the age at which a data subject is no longer considered a child. The EU GDPR sets this at 16 but allows member states to set the threshold as low as 13, which the UK has done.

This is just one of the reasons that you must read the DPA 2018 and the EU GDPR alongside one another. Doing so enables you to see your overall requirements and the things you must take into account when dealing with UK residents.

Moreover, after Brexit, the EU GDPR will be enacted in UK law under the European Union (Withdrawal) Act 2018. This new regime – the UK GDPR – will ensure that data protection requirements remain as consistent as possible after Brexit.

You can read more about this in our introduction to the DPA 2018 blog.

Interested in DPA 2018 training?

The changes to UK data protection law mean that anyone who handles personal information must have an in-depth understanding of their requirements.

Our Data Protection Act 2018 Distance Learning training course is the ideal resource for those who want to get that information in a quick and convenient way.

The course contains eight modules that cover everything you need to know about the DPA 2018. You can study at your own pace, pausing and picking up the content around your schedule. This makes it perfect for anyone who can’t commit to a whole day’s uninterrupted training or who wants the option to repeat tricky topics and skip familiar territory.

Find out more about our Data Protection Act 2018 Distance Learning training course >>

The post What you need to know about the DPA 2018 and the GDPR appeared first on IT Governance Blog.


You might have heard increased chatter recently about the need for an EU representative under the GDPR (General Data Protection Regulation).

This rule applies to any organisation outside the EU that monitors the behaviour of, or provides goods or services to, EU residents.

The representative will be a point of contact for data subjects and supervisory authorities concerning data protection queries. They’ll also keep a record of data processing activities the organisation carries out.

This requirement wasn’t widely discussed in the UK when the GDPR took effect, because it didn’t apply. However – and we hope we’re not breaking news to you here – the UK will soon be leaving the EU, which means a swathe of organisations need to establish EU representatives.

Does this requirement affect all UK organisations?

UK organisations only need to appoint an EU representative if they monitor or provide goods or services to EU residents.

If you deal exclusively with UK-based customers, you therefore won’t be required to appoint an EU representative. That’s because as soon as the UK is no longer in the EU, your customers will cease to be EU residents.

However, if your data processing or monitoring extends to other EU member states, you’ll probably be required to appoint an EU representative. There are two exemptions:

  1. Organisations that have an office and employees based in the EU.
  2. Organisations whose processing activity is occasional, doesn’t include large-scale processing of special categories of data and is unlikely to result in a risk to the rights and freedoms of natural persons (see Article 27 of the GDPR for more information).

These exemptions don’t apply to public authorities, which must always have a DPO.

Selecting your EU representative

Your EU representative can be any natural or legal person who’s based in an EU member state within which you collect personal data.

If you only collect information from data subjects in, say, France, your EU representative must be based in France. However, if you collect personal data from the entirety of the EU, you can appoint a representative from any EU member state.

When you have multiple countries to choose from, it’s best to select the one in which you collect the most data or conduct the most extensive monitoring.

How the Brexit negotiations affect this requirement

UK organisations only need to have an EU representative once the UK is no longer a member of the EU. This was originally set to happen on 29 March 2019, but a delay is almost certain at this point, and that will in turn delay the date at which you need to appoint an EU representative.

But whereas most things Brexit-related remain uncertain, causing organisations to take a wait-and-see approach to business, the requirement for an EU representative is straightforward. The UK will in all likelihood be leaving the EU, whether that’s in a few weeks, months or a year, and at that point you’ll need an EU-based representative.

Appoint your EU representative before Brexit

You can find an EU representative quickly and easily with the help of our sister company GRCI Law.

Led by a team of lawyers, barristers, and information and cyber security experts, GRCI Law can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.

Find out more about GRCI Law’s GDPR EU Representative service >>

The post A guide to the GDPR’s EU representative requirements appeared first on IT Governance Blog.


For many organisations, last year’s GDPR (General Data Protection Regulation) compliance deadline was a whirlwind of privacy policy updates, data protection training courses and hours spent online researching exactly what a ‘controller’ and ‘processor’ are.

In the nine months since, you’ve hopefully been able to get to grips with your compliance requirements. You should also have noticed that compliance isn’t a fixed status. Your organisation, like the cyber threat landscape, is constantly evolving, meaning you should always be considering ways to adjust and strengthen your security and privacy measures.

To help you do that quickly and cost-effectively, IT Governance has created a pair of packages containing our most popular GDPR compliance products and solutions.

GDPR Compliance Solution – Package 1

GDPR Compliance Solution – Package 2

Which package is right for you?

The compliance solution you choose will obviously depend on what aspect of the GDPR you want support with. In this section, we explain what each product and service entails and who would benefit from it.

GDPR Staff Awareness E-learning Course

This interactive e-learning course provides non-technical staff with a comprehensive overview of the GDPR.

It covers the principles, roles, responsibilities and processes under the Regulation, giving your employees a confident understanding of their GDPR requirements.

EU GDPR Documentation Toolkit

Eliminate errors, cut your implementation costs and accelerate your GDPR compliance project with our customisable documentation templates.

Developed by industry experts, the toolkit includes 80 indispensable policies, procedures, forms, schedules and guidance documents to help you achieve and demonstrate compliance with the Regulation.

GDPR Manager

Assess your data protection practices, create a clear audit trail and speed up your internal compliance processes with our four-in-one GDPR compliance solution.

This Cloud-based tool includes four modules to help you manage a range of core GDPR aspects on one platform, covering data breach reporting, SARs (subject access requests), gap analyses and monitoring the compliance status of third parties.

GRCI Law consultancy support

Both packages come with three hours of consultancy support from our sister company GRCI Law.

GRCI Law specialises in data protection, data privacy, and cyber and information security law. The team consists of lawyers, barristers and information security specialists.

You can use your consultancy time on any of GRCI Law’s solutions, whether that’s to support your DPO (data protection officer), data breach, DSAR or data privacy management needs, or for specific legal advice, such as the reviewing and drafting of contracts and advising on international data transfers.

EU GDPR, A Pocket Guide

Get to grips with the GDPR with this essential introductory guide. It explains the Regulation’s terminology in simple terms, which is crucial for unpacking the complexities of regulatory compliance.

You’ll also gain a clear picture of how the GDPR affects you and what you must do to meet its requirements.

EU GDPR – An Implementation and Compliance Guide

This comprehensive guide offers practical advice to help you implement and maintain the GDPR’s requirements.

It uses non-technical language, making it ideal for anyone who’s getting started with the laws and best practices regarding data protection.

Find out which product is right for you >>

The post Take your GDPR project to the next level with our compliance packages appeared first on IT Governance Blog.
