Sally Mewies talks to Rocio De La Cruz about what to look at regarding GDPR before the New Year.
Click here to view the video.
Sally Mewies: So welcome to the continuation of our General Data Protection Regulation (GDPR) Compliancy Check List and the month now is November and we're going talk a little bit more about documentation and policies. In the last video we talked about privacy notices and all the complexity associated with those but that isn't the only documentation that you need to get ready for May 2018, is it Rocio? Do you want to talk to us about what else you need you need to be thinking about around the whole policy piece.
Rocio De La Cruz: Obviously, if you are compliant with the Data Protection Act at the moment you might have some policies in place say for example a general data protection policy, a policy to handle with data subject requests, an IT security policy and all these policies now need to be revised and some new policies will need to be put in place.
So in terms of subject access requests, if you have a policy dealing with subject access requests now the requirements under the GDPR has changed so for example the deadline to ask has been reduced to 30 days or one month, it still can be extended but obviously that needs a refresh of the policies and also the training in the future. In terms of breach notification if there is a policy already dealing with incidents, recording or logging now that again the requirements has been enhanced and now it is quite challenging actually because now if there is a breach you need to notify the Information Commissioner's Office (ICO) in 72 hours if there is a risk for the rights of freedoms of individuals and you need to be ready for that and so, that policy is a very important one because you even perhaps need to think about forming a breach incident team who is ready to deal with that and who would be responsible for that, who would be responsible for completing the forms and also even include some templates in the policies for the officers or members of the staff use them if there is breach of data.
Also in terms of privacy impact assessments so we haven't seen many privacy impact assessments policies in place under the Data Protection Act. Also obviously, we have seen organisations carrying out privacy impact assessments in practice, because it is good practice obviously, and also because it helps you to minimise risks so it's something that we have been doing for years, but now we talked about privacy impact assessments I think that a separate policy for privacy impact assessments is required because now it's going be mandatory if you are engaging new IT systems or if you are processing sensitive personal data or if you are processing data in a way that could put the rights and freedoms of the individuals under risk and because it's going be mandatory, staff need to be ready or the relevant people who will be responsible for carrying out the privacy impact assessment need to be ready and same as with the subject access rights, say for example right to be forgotten or right to data portability and they will need to be included in the data protection policies as well.
Sally: So they're sort of policies really to help people understand what they need to do if you get a request for portability or you get a subject access request.
What about some of other new things, like profiling Rocio and privacy by design. I've heard mentioned somewhere that it might be necessary to have a policy around privacy by design, have you got any thoughts on that?
Rocio: Yes. I think that all these actions you need to undertake in an organisation to assure the privacy by design is linked to your IT security policy. So it's something that you need to think about in terms to assess who is going to be responsible for that and perhaps it's something that you need to, you can include by updating your IT security policy.
Sally: So, moving into December Rocio and businesses are probably still working on all its policies but what should you be thinking about doing before the end of 2017?
Rocio: Well, Sally if organisations have been thorough on these and working hard and they have got all through the check list that we were talking about since July perhaps they will be in a situation now where they understand and they have a global understanding of all the processing activities and also they have the draft documentation, privacy notice, consent forms and all the policies that we were talking about before and if they are in that point what is good practice before going live is testing all the documents that you've got.
So, for example for the privacy notices what the ICO says is that a good way of testing your privacy notice and your consent forms before they go live is just selecting a sample of your customers, your employees and ask them to use the privacy notice and ask them for feedback obviously, so then you have an understanding of whether or not it really works, whether or not they really understand the privacy notice or whether or not you need to make some little tweaks before displaying them and then the policies is something very, very important to test. At least those concerned in breach notification and privacy impact assessment because we are seeing in practice that we are helping organisations to implement the privacy impact assessment structure in their organisations and then you have the training model you have the templates you have the policy in place but when the stuff is about using them and they are undertaking a privacy impact assessment then there are a lot of queries that you can have and you need to deal with and you don't want to stop a project because there are queries regarding the way to use the privacy impact assessment and you don't want to put the organisation under risk either. So it's very, very important to test the privacy impact assessment if you are for example thinking about using the personal data for a new purpose or if you need to refresh consent, or consider whether or not you need to refresh consent, that's a very good option to involve the stakeholders and to involve relevant staff and ask them to undertake a privacy impact assessment to see how it works before May comes … arrives.
Sally: Yeah, thank you. And that's all we have for November and December, thank you for watching.