Wednesday 20 September 2017

BUILDING GDPR IMPLEMENTATION PLAN IN 10 STEPS

Get ready for more transparency, more informed consent and more rights for data subject
The article is published on the portal: comsuregroup.com
You can find it at: http://tinyurl.com/yafgwc5l
10 Steps:
( Note: I am quoting the first paragraphs of the description of each step )

Step 1 is to audit the organisation's core activities against data protection requirements and compliance. A broad overview of operations shall encompass the DP principles recognized under the 1995 Directive and reinforced under GDPR:
Step 2 – Define a plan and personal data flow mapping
Following the readiness assessment, we need to develop a gap analysis and define a plan to address issues prioritized considering possible risks involved toward level of effort and available resources.
Step 3 – Build a plan and strike a consensus
Building consensus up-front is critical to the success of any GDPR project within an organization, especially when considering the complexity. It needs to be rehearsed from the CEO/managing director downwards. It’s about the company’s image and reputation.
Step 4 – Implementation of GDPR
With Data Protection Officer (DPO) appointment/assignment (Art 37) the implementation into your organisation will be kick-started. DPO may be an employee or a third party service provider (e.g., consulting or law firm), but should be a direct report to the Board/managing director. He/she shall enjoy significant independence for performing compliance monitoring.
Step 5. Address Sub-contracting and personal data transfer
Sub-contractor monitoring will be an integral part of compliance and accountability practice. This will start from review/update of existing contracts (Data Processor, storage and cloud services etc.) to assess and confirm that the counterparts are GDPR-compliant too. The contract will have to reflect new requirements, for example timely Incident Response and Management. Adherence to a code of conduct (Art 41) and/or Certification mechanisms (Art 42) will be supportive tools for compliance proof.
Step 6. Data inventory
This step of identifying and listing personal data by DC and DP (and possible sub-processors) is essential for effective GDPR compliance. Organizations are better equipped to secure/manage personal data when listing which data are collected, where they are stored, who shares them, and how long they are retained/stored. Moreover, the loss of protected and sensitive data is a serious threat to business operations.
Step 7. Security & Data Breach Plan
Data Loss Prevention tools are available on the IS market to detect suspicious activities and possible data exfiltration attempts. The system must be robust and able to identify and detect sensitive data being transferred outside your organisation’s system via network file transfer or portable media.
Step 8. Developing an accountability framework: DPIA and Consent mechanisms
Data Protection Impact Assessment
Recital 90 GDPR demands: “That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation”.
DPIA will be based on 3 aspects
• Data Subject’s Consent logs
This has been largely debated within the privacy community. Like the transparency requirement, GDPR puts more stringent rules on obtaining the data subject’s consent.
Step 9 Address “Right to be forgotten” and “Data Portability Rights”.
Next to the breach notification obligation, GDPR has developed new features, for example data erasure and data portability rights. Profiling restrictions have been dealt with above. The data protection by design and by default concept must be implemented by the data controller and data processor into their business model. A data protection culture must obtain the support and adherence of organisations processing personal data.
Step 10 Data Storage Limitation and Solution
According to Tech UK, around 90% of the global data available today was generated in just the last 2 years, and that amount is predicted to grow year on year over the next decade. We are all exposed to Big Data. According to Art 23, the DC should only store personal data for as long as is necessary for the specific purpose for which it was obtained.