For most businesses, the risk of failing to protect the information they hold on employees, customers, business partners or the general public is growing rapidly. Data protection was treated somewhat casually in the 2000s, even after laws were on national statute books, but the EU-wide GDPR, applying from 2018, together with a series of high-profile hacks and data breaches, has led to a rapid upturn in efforts to strengthen understanding and protection of personal and sensitive personal data.
Information, People and Process
My personal areas of experience and expertise include:
* Identifying personal / sensitive personal data
* Obtaining, tracking and managing consent
* Staff training
* Incident reporting and investigation
* Breach notification
In IT Systems
Many of the controls required for privacy are the same as those required for SOX, fraud prevention and so on, but they seem surprisingly difficult to sustain in practice:
* Understanding where personal data is
* Identity management
* Access controls and Segregation of Duties
* Encryption (at rest and in transit)
* Logging and monitoring
What is new with the GDPR
Key changes brought by the GDPR, which applies directly in every EU member state from 25 May 2018 (member states may add their own legislation in the areas where the Regulation leaves them room), include:
* Territorial scope clarified: it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
* Data Protection Officers (DPOs) required for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive personal data (SPD).
* Subject Access Requests (SARs) must be answered within a month.
* Stronger right of access.
* Right to erasure ("right to be forgotten").
* Data portability (the subject can have their data passed to a different controller).
* Lawful bases for processing tightened: consent; contract; legal obligation; vital interests of the subject; public task; "legitimate interests" of the organisation.
* Consent requires a positive indication of agreement (no pre-ticked boxes) and must be as easy to withdraw as to give.
* Breach notification to the supervisory authority within 72 hours of becoming aware of the breach.
* Data Protection Impact Assessments (DPIAs, previously called PIAs) mandatory for processing likely to involve high risk.
* Fines of up to EUR 20m or 4% of worldwide annual turnover, whichever is higher.
* Applies to both processors and controllers. Cloud providers are not exempt.
The actual GDPR regulation: