
Digidly - Trustworthy experts to make your business GDPR compliant

GDPR professionals for SMEs and startups offering 23 GDPR document templates, as a toolkit or individually through our online shop.

Check our new startup: https://digidly.com/ and easily make your business GDPR compliant in a few weeks!


Presentation Transcript


  1. AN IMPORTANT FREE GUIDE FOR THE GDPR
     GDPR: WHAT YOU HAVE TO KNOW. 3 EASY STEPS TO BE COMPLIANT
     A step-by-step roadmap, easily applicable advice and all the professional templates you need to make your business compliant. www.digidly.com

  2. Disclaimer
     This document is intended as a guideline and is not intended as legal advice. The guidance that follows is in the nature of general information about the subject matter concerned – it is invariably the case that detailed legal advice requires a lot of fact-sensitive information that we will not have while discussing points today. As such, no reliance should be placed on the guidance given in this talk without first taking such detailed advice.
     THE DOCUMENTS ARE AVAILABLE WITH A PRO MEMBER ACCOUNT. For more information about the documentation, visit digidly.com.

  3. STEP 1: AWARENESS
     EMPLOYEES SHOULD BE ‘IN THE KNOW’
     It is important that every member of an organisation understands how their role is impacted by a regulation and how they can contribute towards complying with it. With the GDPR, we expect the product development team to know what “privacy by design” means and how it should be incorporated into product workflows. A marketing team should know when they have a legal right to send emails to customers (and when they don’t). IT departments are expected to know what good security looks like. HR teams should be ready to respond to requests from individual members of staff in relation to their personal information.
     IF THE REGULATOR’S EXPECTATIONS are not met by an organisation, then that organisation will not be compliant with data protection law, including the GDPR.
     If your product development team doesn’t understand its responsibilities, non-compliant products will be released, which could lead to customer complaints. If your marketing team sends out marketing emails to individuals when they have no right to do so, a complaint could be made to the regulator. If your IT department does not understand what good security looks like, there could be a data breach which has to be notified to the regulator. And if your HR team does not respond to an information request from an individual, a claim could be made against your organisation by that individual. In all these scenarios, there is a risk of bad publicity and fines resulting directly from a failure to train your staff. However, let’s not be too alarmist about all this. There are very positive reasons to train all your staff in GDPR compliance.

  4. What does a compliant company look like?
     A company that is GDPR compliant regularly trains all its staff. Firstly, the employees should be “in the know” with a general presentation*. Then the company conducts training and refresher sessions on a regular basis. It incorporates data protection training into its process for onboarding new employees and when retaining contractors. A compliant company does not simply train its staff and then forget about data protection compliance – it embeds data protection compliance into company culture so that protecting personal information becomes second nature.
     APPOINT THE PERSONS RESPONSIBLE OR A DPO
     It is important to identify who, within your organisation, is responsible for privacy compliance and who else is involved:
       - individuals who are authorised to decide on important matters on behalf of the organisation
       - individuals who know about law, technology and data processing within an organisation
       - people who recognise the importance of privacy compliance.
     Templates referenced: *PRESENTATION, *GDPR CONFIRMATION, *LIST EMPLOYEE

  5. DPO: DATA PROTECTION OFFICER
     The DPO is a position that the vast majority of companies will not need, as they are either too small or do not carry out enough processing or profiling. However, you should undergo a formal assessment and make sure that you have written reasons for your choice in case of any future enquiry. Even if it is not obligatory, you can still appoint a DPO (art. 37). In any case, you must appoint a DPO if:
       - you are a public authority or body
       - your work involves processing operations that amount to regular and systematic observation of individuals on a large scale
       - your job involves processing of special personal data on a large scale (see Step 2).
     Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. There is no specific training or certification needed for a DPO. What is required is that they are familiar with the GDPR and with your organisation. They do not have to undergo any specific courses, but you should ensure that they keep themselves up to date on all relevant issues and future legislation. They will manage any contact with the data protection authority of your country*.
     Templates referenced: *INTERACTIVE GDPR LAW, *CONTACT OF THE DATA PROTECTION AUTHORITIES

  6. STEP 2: PREPARATION. DATA INVENTORY
     INVENTORY PERSONAL DATA PROCESSING OPERATIONS
     To be able to act in accordance with the GDPR, you must firstly inventory the personal data processing operations within your organisation. You should know which data is used, by whom and for what purposes. Then you can assess what needs to be changed in order to be compliant. You should inventory everything in a document*. Having mapped your data inventory, you will have a better idea of the data processing operations within your organisation, the greatest risks associated with those operations, and what will change for you. You can then decide what action to take and which subjects are a priority for your organisation.
     INTRODUCE A DATA MINIMISATION POLICY: DECIDE ON YOUR RETENTION PERIODS
     The GDPR emphasises the obligation not to process more personal data than necessary. This is also referred to as data minimisation. In this context it is important to determine how long you will retain the personal data and ensure that data is removed promptly.
     Template referenced: *DATA INVENTORY MAP

  7. UPDATE YOUR SECURITY POLICY AND APPLY PRIVACY BY DESIGN AND PRIVACY BY DEFAULT
     Under the GDPR you must take “appropriate technical and organisational measures” to secure personal data. What is appropriate depends on the processing risk: you must be able to demonstrate that you have taken appropriate measures and be able to make your considerations in this regard readily comprehensible. It is partly for that reason that it is important to check whether your security policy is still compliant and to update it where necessary. Check our data privacy policy template*. Furthermore, the employees should read the new data privacy policy in order to comply with the new code.
     In addition, the GDPR introduces obligations in the field of Privacy by Design and Privacy by Default*. This means that as soon as you have chosen a medium for data processing, or when designing systems or applications, you must take personal data protection into account, for example by implementing security measures and data minimisation. The default settings must be such that only the personal data needed for a specific aim is processed. The rights of those concerned must be taken into account at all times as well, including in the design of a processing operation.
     Templates referenced: *DATA PRIVACY POLICY TEMPLATE, *PRIVACY BY DESIGN & PRIVACY BY DEFAULT

  8. STAKEHOLDERS AND CONSUMER’S AWARENESS
     A number of your data processing operations will probably be based on the principle of consent. Lawful consent only applies if it is “freely given, specific, informed and unambiguous”, without coercion. It can be given by means of a statement or an affirmative act, such as ticking a box, if sufficient information is also provided. The automatic, implicit assumption of consent or the use of prefilled tick boxes is not sufficient to obtain valid consent. You must be able to demonstrate that you have obtained the valid consent of data subjects to process their personal data. Furthermore, data subjects are entitled to withdraw their consent at any time. This must be as simple as giving consent, and before data subjects give their consent they must be informed of this right. Otherwise consent is invalid.
     CHECK YOUR PROCESSORS AND DATA PROCESSING AGREEMENTS
     A processor is a third party that processes personal data on behalf of an organisation. These may include service providers who do the payroll accounting, but may also include all kinds of cloud or other IT services where the service provider stores or can access your personal data. So, you should send a letter by email or post asking whether the processor is compliant with the GDPR*.
     Templates referenced: *READINESS LETTER, *READINESS PROVE LIST

  9. STEP 3: IMPLEMENTATION
     IMPLEMENT TOOLS TO RESPECT THE NEW RIGHTS OF DATA SUBJECTS
     The GDPR gives particular attention to the rights of data subjects. For example, data subjects have the right to access and rectify their details. Moreover, individuals are being given even more opportunities to speak for themselves when it comes to the processing of their data. Their rights are being strengthened and expanded. Therefore, evaluate your procedures for granting access, etc., and set out the conditions for individuals to exercise their rights under the GDPR within your organisation*. The information should, in principle, be provided at the time the personal data is collected.
     DPIA: DATA PRIVACY IMPACT ASSESSMENT
     Under the GDPR you may be obliged to carry out a data privacy impact assessment (“DPIA”). A DPIA is an instrument that allows you to assess a data processing operation before such operation is carried out, so that measures can be taken to reduce the risks it entails*.
     Templates referenced: *CONSUMER'S RIGHT, *DPIA LONG VERSION

  10. DPIA: WHEN IS THERE A NEED FOR A DPIA?
     A DPIA is mandatory for (envisaged) data processing operations which, given their nature, context and objective, represent a high risk to privacy. There is certainly a high risk in the following cases:
       - if you assess individuals on the basis of personal characteristics and base decisions on those characteristics. This includes profiling and forecasting;
       - if you process sensitive personal data, such as data regarding health, data on crime or political preferences, on a large scale;
       - if you monitor people in public places systematically and on a large scale (e.g. camera surveillance).
     In all other instances you must decide for yourself whether an operation entails a “high risk”. If your processing operation meets two or more of the criteria in our DPIA guide*, you can assume that you must carry out a DPIA.
     Templates referenced: *DPIA GUIDE, *DPIA SHORT VERSION

  11. DATA BREACH: DRAW UP A DATA BREACH PROTOCOL AND KEEP A REGISTER
     Under the GDPR you may be obliged to report a data breach to the competent authority and/or the data subjects. A data breach refers to unintended access to, or destruction, alteration or release of, personal data held by an organisation. Data breach therefore covers not only the release (breach) of data, but also unlawful processing of data and unintentional destruction. Under the GDPR you are obliged to report any data breach to the data protection authority of your country without delay*, within 72 hours where possible. In addition, you could notify the data breach to your customers. The GDPR also imposes the requirement that all data breaches – both reported and unreported – that have occurred in your organisation be documented in a register*. Based on this, the competent authority can check whether you have complied with your reporting obligation.
     DATA LEAK PROTOCOL
     To be able to comply with the aforementioned obligations, you must ensure that you are aware of a data breach as soon as it occurs and take appropriate action immediately. It is important to have a data breach protocol*. In the protocol you can record the steps to be taken if your organisation is confronted with a data breach, what information must be collected/recorded and/or reported, by whom, and within what time frame.
     Templates referenced: *DATA BREACH REPORT FORM, *DATA BREACH POLICY TEMPLATE, *DATA BREACH REGISTER

  12. LOOK TO OUR DOCUMENTS
     BE COMPLIANT. POWERED BY DIGIDLY. www.digidly.com team@digidly.com

  13. GDPR SUMMARY
     Got any questions? DON'T BE SHY! E-MAIL US AT TEAM@DIGIDLY.COM WWW.DIGIDLY.COM
