A recent talk by PricewaterhouseCoopers (PwC) at IP EXPO EUROPE suggested that, while most companies are preparing fervently for GDPR, a mini black hole is emerging in the process.
Stewart Room, PwC's global lead for cyber security and data protection legal services, pointed out that many companies are overlooking their technology stack, which falls squarely on the radar of GDPR. So, to make sure you are not caught off guard, here are some things you need to consider.
Is data protection an integral part of your technology landscape?
The data protection principles set out the core compliance goals of the law. They have been at the heart of European data protection regulation from its very beginning in the 1960s. The principles must be delivered in the technology stack, and you must take ‘appropriate technical and organisational measures’ to do so. When developing those technical and organisational measures, you must have full regard to the ‘nature, scope, context and purposes of processing’ and ‘the risks of varying likelihood and severity for the rights and freedoms of natural persons’. The obvious implication of this requirement is that risk assessments must be performed in all cases, and those risk assessments require a deep understanding of the effect that technology can have on individual rights and freedoms.
If people are to have control over their personal data, they need rights over that data and transparency about what is happening to it. But the exercise of these individual rights is only truly effective if an organisation’s technology stack is fully responsive to them, and has the right functionality embedded in it. The core individual rights are the ‘right of access’, ‘right to rectification’, ‘right to erasure’ (or the ‘right to be forgotten’), ‘right to restriction of processing’, ‘right to data portability’ and ‘right to object’. In a functional sense, these rights require the technology to:
- Connect individuals to their personal data;
- Categorise personal data by type and processing purpose;
- Map or trace the full information lifecycle;
- Perform search and retrieval;
- Enable rectification, redaction, erasure and anonymisation;
- Enable freeze and suppression;
- Enable the transmission of personal data from one technology stack to another.
All of this must be protected by appropriate security.
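As an added illustration that is not part of the original article, the hypothetical in-memory store below wires each of the functions listed above to the right it serves: a record is tied to a subject, a category and a purpose, carries its own lifecycle trace, can be retrieved, corrected, frozen, erased and exported as machine-readable JSON. The names (Record, PersonalDataStore, the method names and the Article references in comments) are assumptions made here; the key design point is that processing code only ever reads records through processable(), which is what makes the Article 18 freeze enforceable rather than advisory.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Record:
    subject_id: str           # links the record to an identifiable individual
    category: str             # data type, e.g. "email" or "address"
    purpose: str              # processing purpose it was collected for
    value: str
    restricted: bool = False  # Art. 18 "freeze": retained but not processed
    history: list = field(default_factory=lambda: ["collected"])  # lifecycle trace

class PersonalDataStore:
    def __init__(self):
        self._records: list[Record] = []
    def add(self, rec: Record) -> None:
        self._records.append(rec)
    def records_for(self, subject_id: str) -> list[Record]:
        # Connect an individual to every record held about them (search/retrieval).
        return [r for r in self._records if r.subject_id == subject_id]
    def access(self, subject_id: str) -> dict:
        # Art. 15: what is held, under which purpose, its status and its history.
        return {r.category: {"value": r.value, "purpose": r.purpose, "restricted": r.restricted,
                             "history": list(r.history)} for r in self.records_for(subject_id)}
    def rectify(self, subject_id: str, category: str, new_value: str) -> int:
        # Art. 16: correct the data and leave a trace of the correction.
        hits = [r for r in self.records_for(subject_id) if r.category == category]
        for r in hits:
            r.value, r.history = new_value, r.history + ["rectified"]
        return len(hits)
    def restrict(self, subject_id: str, on: bool = True) -> int:
        # Art. 18: freeze/suppress processing without deleting the data.
        hits = self.records_for(subject_id)
        for r in hits:
            r.restricted, r.history = on, r.history + ["restricted" if on else "unrestricted"]
        return len(hits)
    def processable(self) -> list[Record]:
        # Every processing job reads through here, so frozen records are skipped.
        return [r for r in self._records if not r.restricted]
    def erase(self, subject_id: str) -> int:
        # Art. 17: remove the records themselves; only the number deleted is returned.
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)
    def export(self, subject_id: str) -> str:
        # Art. 20: structured, machine-readable copy for transfer to another stack.
        return json.dumps(self.access(subject_id), sort_keys=True)
```

A real deployment would back this with the systems that actually hold the data and would log each rights request, but the same seven operations are the interface the technology stack has to offer.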
What do you need to look out for?
- Accountability – Does your technology work properly and does it do what it says on the tin?
- Records of processing activities – Do you know your data life cycle and your information flow processes?
- DPA by design – Is your system designed and built with DPA in mind?
- DPIA – Have you completed your privacy impact assessment?
- Breach notification – Do you have adequate measures in place to prevent a breach? And if those fail, do you have a process for notification?
Which Articles do you need to keep an eye on?
- Article 15 – Right of access by the data subject
- Article 16 – Right to rectification
- Article 17 – Right to erasure (right to be forgotten)
- Article 18 – Right to restriction of processing
- Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20 – Right to data portability
- Article 21 – Right to object
- Article 22 – Automated individual decision-making, including profiling
- Article 25 – Data protection by design and default
- Article 35 – Data protection impact assessments
Here’s where we can help:
Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will guide you through your GDPR process and, where required, we'll use training content that is specific to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.