The EU’s General Data Protection Regulation (GDPR) can significantly affect the way your organization handles personal data. The organization will not only be responsible for ensuring compliance with the regulation in terms of handling and protecting personal data; it can also be penalized with hefty fines for non-compliance, and it will be liable for any damage resulting from data breaches. The GDPR aims to harmonize data protection regulation throughout the EU and to strengthen and unify data protection. This comes with the risk that data your firm is handling might not be in compliance with the GDPR.
The GDPR addresses personal data security for EU citizens and individuals within the EU, but also regulates the export of personal data outside the EU. The Commission’s primary objectives for the GDPR are not to give citizens back control of their personal data, but to regulate access, taxation and penalty fines, that is, to simplify the regulatory environment for international business by unifying the regulation within the EU in the taxation module of tomorrow.
The regulation was adopted on the 27th of April 2016. It enters into application on the 25th of May 2018, after a two-year transition period, and will replace the current data protection directive 95/46/EC from 1995. Unlike a directive, it does not require any enabling legislation to be passed by governments, and it can therefore hamper your business and its daily activities if you are not in compliance.
- Legal & Regulatory roles and obligations
- Awareness (value, costs, risks, compliance, architecture)
- Maturity and vision
- Impact on business model
- GDPR regulation
The GDPR will supersede all current national data protection laws in the EU. Here is an overview of the main expected changes that organizations will have to be aware of and adapt to:
Expanded territorial reach
The GDPR applies to organizations and their subcontractors outside the EU. This means in practice that a company outside the EU, that is targeting consumers in the EU, will be subject to the GDPR.
Accountability and Privacy by Design
The GDPR makes organizations fully accountable for demonstrating compliance. This includes requiring them to document compliance, conduct data protection impact assessments for risky data processing and implement data protection by design and by default in their operational processes.
A data subject’s consent to processing his or her personal data must be given freely, and for sensitive data explicitly, either by a statement or a clear affirmative action stating agreement to the processing. Consent can be withdrawn at any moment. The organization is required to be able to demonstrate that consent was given.
Data Breach Notification
Organizations must notify the Data Privacy Authority of data breaches. This must be done without delay and, where feasible, within 72 hours of becoming aware of the breach. A substantiated justification must be provided if this time-frame is not met. The organization must also notify the affected data subjects without delay when their data has been compromised.
Role of subcontractors
One of the key changes in the GDPR is that subcontractors have direct obligations. This includes implementing technical and organizational measures and notifying your organization without delay of data breaches.
The GDPR establishes penalties for breach, imposing fines of up to 4% of annual worldwide turnover for data breaches and up to 2% of annual worldwide turnover for non-compliance.
Data Protection Officer (DPO)
In specific circumstances organizations or subcontractors must designate a Data Protection Officer. The DPO will need sufficient expert knowledge. The DPO may be employed or under a service contract.
Right to be forgotten
Individuals can require their personal data to be erased without undue delay by the organization. A good example is where they withdraw consent and no other legal ground for processing applies.
Steps to get started with GDPR
How Baretzky & Associates can help you
Baretzky & Associates can assist with road-map and data protection strategy development through consulting or through staff provisioning at different levels. Our team of experienced consultants provides services ranging from information and technical data automation to C-level advisory, to ensure continuity and single accountability are delivered.
DPO resources: The resources and competences required to staff a Data Protection Officer are costly, and many organizations do not have them in-house. Baretzky & Associates provides individuals with the required competences and certifications to assist organizations on their GDPR compliance track in a DPO, CISO (Chief Information Security Officer) or other role, in project mode or in operational mode. The consultant can ensure that all DPO responsibilities are met and can assist the organization in a broader risk management context, in a dedicated, shared, full-time or part-time mode. If required, Baretzky & Associates can support the DPO with assistance from a recognized law firm to ensure legal advice is compliant at all times.
Awareness campaigns: These are key to success in achieving GDPR compliance. Baretzky & Associates not only provides awareness sessions on the GDPR requirements, but extends awareness programs with practical sessions looking into the impact on business processes and daily operations. In addition, international awareness programs are focused on acceptance of change, with the objective of raising global awareness not only of data privacy protection but also of the necessity of the GDPR compliance program.
Program and project management: This is a key factor throughout your entire data protection life-cycle. Whether you need a program manager to drive the compliance track at a high level or a technical project lead to implement an automated solution, Baretzky & Associates provides resources with broad security competences and the organizational and communication skills needed to drive strategic change programs.
Risk assessment services: Baretzky & Associates is experienced in risk assessment services, which can be performed either with a broad scope covering enterprise IT security risk or with a limited scope focused specifically on data protection or GDPR compliance. Baretzky & Associates’ risk prioritization and impact analysis gives your company an excellent tool for deciding on your future investments, strategy and road-map.
GDPR compliance assessment: We focus on a “Fast Track” solution for identifying compliance gaps, which can be a useful tool where budget is limited and resources are scarce. Baretzky & Associates executes a quick GDPR compliance assessment to identify the areas where an organization is not compliant. A high-level prioritization can then be defined in order to develop a compliance road-map in the shortest possible time.
Automated data classification and protection: A critical step towards GDPR compliance is the identification and classification of data. Baretzky & Associates provides experienced leadership and expertise in data classification through a combination of manual and automated methods to ensure full coverage. Data classification is a highly interactive exercise carried out in collaboration with the client stakeholders, who are closely involved in the decision-making process. Baretzky & Associates partners with organizations such as Verizon, CyberPOL and others to automate data classification and data protection. Through automated classification and data protection, Baretzky & Associates reduces project and implementation costs. By enforcing and delegating policies, operational data management costs are significantly reduced.
Staff provisioning: Baretzky & Associates can provision security staff at different levels.
Baretzky & Associates services for GDPR
Our Key Differentiation
• Baretzky & Associates can rely on a rich pool of resources, covering a very broad range of security services, from highly technical competences to C-level advisors. Having a competent team of experts at its disposal is a major advantage that not many organizations can offer. Baretzky & Associates prefers to serve you with the most ‘fit for purpose’ experts within a diverse project team, to bring the right expertise at the right level at the right time.
• Our client base extends throughout all sectors on a national scale. We have worked with a broad spectrum of organizational cultures and maturity levels. This experience gives us an empathetic touch, which is crucial to succeeding in implementing strategic change within an organization. Our approach is well-structured and methodical, but flexible and adapted to your organizational needs, to your organization’s capacity to change and to the objectives set by your management.
• Our relations with vendors and partners extend beyond national boundaries and provide an unmatched pool of expertise, product support and competences. Baretzky & Associates is de facto a services company and is product- and vendor-independent. With our service approach, backed up by our partnerships, we are able to provide you with independent advice on automation solutions, and we offer a vast range of product implementation services with our own people or through our partners.
BARETZKY & ASSOCIATES Nine-point GDPR action plan:
Procedures to follow in GDPR – Keep it simple:
1. Baretzky & Associates can be nominated as your GDPR lead or Data Protection Officer (DPO). All staff must be adequately briefed, but one person leading on GDPR will ensure that the regulation is given the necessary priority and that compliance is achieved from the outset.
- Action 1: Document and audit the data you have. Note that one of the biggest elements of GDPR is being able to prove that the individual provided consent for you to hold their personal details.
2. Baretzky & Associates can carry out a data mapping review and identify the reasons for processing personal data. This will inform your business of what data is held, what legal basis is being relied upon to process such data, and where it has come from. This is a good time to review and update policies and procedures and to refresh any consents (if necessary).
- Action 2: Identify and justify the lawful basis for each data processing activity.
3. Baretzky & Associates can update your customer-facing privacy notices to ensure consent is obtained. Organisations are now required to prove that consent to hold this data has been given by the individual; tacit consent is no longer sufficient. This step is essential because businesses must now ensure that customers are informed as to exactly what the business intends to do with their data. Take this time to also remove any pre-ticked consent boxes and replace them with opt-in boxes.
- Action 3: Review how you seek, record and manage consent going forward, so that you can prove that consent to hold this data has been given by the individual.
4. Baretzky & Associates can review and update all relevant data-related policies and procedures. We evaluate and assess the internal processes to see what data is held, why it is still being retained and, most importantly, how the data is processed and protected. This could include processes such as reporting on potential breaches, handling insider threats and rectifying data upon request.
- Action 4: Prevent breaches and data leaks and remain resistant to insider threats, which are the number one cause of data theft.
5. Baretzky & Associates examine, clarify and document the legal basis that you are relying on for processing data. This is most important with regard to consumer consent: if you are relying on consent as the legal basis, check whether the consents are valid and, if not, re-approach the contacts to gain consent or delete the data. Valid consent is now harder to obtain and must be an affirmative action, so be sure to keep an audit trail, as the burden is on the business controller to demonstrate compliance.
- Action 5: Review your privacy information and current privacy notices and policies.
6. Baretzky & Associates check and validate your marketing lists to ensure that all of them comply with the current regulation. If the business has acquired a list, ensure that the targets have consented to their data being transferred. I would also suggest having a ‘stop list’ to make sure individuals are not contacted if they have objected or not given their consent.
- Action 6: Check your procedures to ensure they cover all the individuals’ rights, and understand those rights.
7. Baretzky & Associates’ in-house supercomputer capability can test, check and validate (QA) that your IT systems can properly support compliance. This means performing an IT system check to ensure that your business can respond to requests, easily rectify data errors, strip out any redundant data and transfer data in response to consent. Also consider whether data should be encrypted, and monitor changes to data and record those changes.
- Action 7: Quality assurance and IT validation checks help you get your head around subject access requests and update your processes and procedures to plan how you will handle requests within the new timescales (from forty days under the Data Protection Act to one month under GDPR).
8. Baretzky & Associates assist you in understanding how to review all third-party supplier arrangements with regard to the new regulatory requirements. Third party suppliers, such as back-office support outsourcing, IT cloud storage providers and delivery haulage companies, need to have their agreements checked to ensure that processing of any personal data is governed by a written agreement. This must contain prescribed guarantees in terms of the processor’s technical and organisational measures and record keeping but also obligations on the processor to act only on your instruction.
- Action 8: Cosy up with Data Protection Impact Assessments (DPIAs): a risk assessment for your business, but centred on data protection, to identify, assess and mitigate the privacy risks of your data processing activities.
NOTE: DPIAs help organisations comply with the new requirements and demonstrate that appropriate measures have been taken to ensure compliance.
9. Baretzky & Associates provide regular staff training and carry out ongoing audits to ensure staff remain adequately briefed. Training and educating staff to identify risks and red flags should help to avoid data protection fines and leaks, and continually reviewing processes ensures the business remains compliant.
- Action 9: Hire Baretzky & Associates to evaluate and implement data protection measures. With huge fines of up to €20m, it pays to have someone responsible for data protection, with third-party insurance. Note: you need to be able to demonstrate compliance to the Information Commissioner’s Office (ICO). Report data breaches immediately!