FEATURE

BUSINESS CRIME & PROTECTION

Where to start with GDPR

By David Sarras, Data Protection Officer for showmetheGDPR.com

business network, June 2019

The effect of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 is to treat the protection of individuals with respect to the processing of their personal data as a fundamental right. Organisations give effect to that right by honouring data subject rights and by securing their processing through appropriate technical and organisational measures. The biggest challenge facing any senior management team when it begins a data protection programme is working out where to start. This article aims to answer that question and give direction on how best to jump-start data protection.

Before starting the project, learn the vocabulary. If you are not familiar with “data subject”, “data controller”, “data processor”, “special category data”, “data protection impact assessment”, “data rights”, “security of processing” and “technical and organisational measures”, now is the time to familiarise yourself. The data rights are so called because they can be exercised by any person whose personal data your organisation holds. The best known are the right to erasure and the right of access: on request, you must remove all of that person’s personal data from your systems, or provide them with a copy of all the information you hold on them. Here are some tips on where to start and how to develop your data protection measures depending on the size of your organisation.

SMALL ORGANISATIONS
To get started, have all the decision makers meet together and work through a Data Protection Impact Assessment (DPIA). Perform it on the organisation as a whole to identify its data protection risks. You will find the Information Commissioner’s Office version at ico.org.uk. Once you have a completed list of measures to reduce risk, assign ownership of each measure and a completion deadline to named individuals, and ensure the measures are put in place within the agreed timeline.

MEDIUM-SIZED ORGANISATIONS
In data protection terms a medium-sized organisation has fewer than 250 employees. Get the senior IT staff to perform Data Protection Impact Assessments (DPIAs) on all of your different systems, both computer and paper based (if you still have any of those). Once you have a completed list of measures to reduce risk, assign ownership of the measures to senior department heads and ensure they are implemented. You may want to train dedicated data stewards in each department to ensure compliance across data governance, cyber security and data protection. Additionally, so that your staff are not blindsided by access or erasure requests, a programme of data protection training is recommended.

LARGE ORGANISATIONS
In data protection terms a large organisation is one with more than 250 employees. You will need a full-scale data management implementation covering data governance, cyber security and data protection. The good news is that organisations of this size usually already have all of these components; the starting point is usually to get them joined up and working in concert. To start, get the senior management and information technology people together to thrash out an operating model for data governance, cyber security and data protection. Expect this to take a significant amount of time, as the size of the task will be proportional to the size and complexity of the organisation. It is beneficial to use a data taxonomy to split your organisation’s data into manageable chunks and assign data ownership and data stewardship accordingly, dividing ownership and stewardship between senior-ranking and line-level staff. An Article 30 record of processing activities will have to be built, and you will probably need a data protection officer, either as a permanent member of staff or under a service contract. You will need ongoing staff training, an audit function and, if you are a public body, at least one full-time person handling freedom of information requests.

Always keep in mind that data protection is an ongoing responsibility, not something you do once and then forget about. Everything you do, or do not do, needs to be documented. The GDPR contains four overlapping jeopardies which can lead to financial or reputational damage to your organisation. Get data protection right and you will win new business and become a more efficient and profitable organisation.

