Abstract image of a woman sitting on books and studying on a laptop

The Essential Guide to GDPR

T
Tim Hyman LLB

The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to focus on compliance given the enhanced penalties and wider scope of GDPR.

Business
Related topics:
Data Protection Practices
1 of 25
Downloaded 60 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
GDPR The new data protection regulations, the impact on your systems and the solutions that can assist with compliance TheEssentialGuide
Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance. I have therefore put together this guide, The Essential Guide to GDPR and its sister website GDPRwiki.com This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact and particularly those that will need some attention prior to May 29 2018 – deadline for compliance. The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant. Again this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services - as the deadline gets closer I expect more technologies and services to appear and I hope to highlight these in the next edition of this guide. “Having clear laws with safeguards in place is more important than ever giving the growing digital economy” Steve Wood, Deputy Commissioner, ICO This guide focusses on: Brexit Controller or Processor User Rights Privacy by Design Cloud Services Data Protection Officer Consent Impact Assessment
The General Data Protection Regulations are the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly GDPR is designed to better take into account modern technologies, the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance following a widely- held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use. THE 6 GDPR DATA PROTECTION PRINCIPLES: 1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject 2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed 4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay 5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage, using appropriate technical or organisational measures .
There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws there has been significant commentary including a statement from the Information Commissioners Office (ICO) suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies: GDPR Comes Before Brexit The GDPR comes into force 25 May 2018, the earliest Brexit can happen is January 2019 and until then all EU laws apply. Application The GDPR applies to EU citizen’s data regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR for client data where the client is in the EU. Adequate Data Protection For an EU country to trade outside of the EU ‘adequate’ data protection measures must be in place. It is likely that GDPR will be the standard set as ‘adequate’ and the UK would have to introduce an equal replacement if it decided to revert to existing DP regulations. Which would simply be GDPR under a different name. Competing with the EU Data is fast becoming the new oil and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data centric business.
Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and the client they sell to. Much of this data is sensitive either for commercial reasons or because it directly relates to an individual. Various sectors from health to finance to legal all have their own specific governance regulations sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all. There will not be many businesses that do not hold or process personal data but it is important to understand their role and responsibilities as determined by the GDPR. The two significant roles are that of ‘controller’ and ‘processor’. GDPR says… ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; A business will be determined a ‘controller’ for the client, prospect and employee personal data it stores and uses. GDPR says… ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; A cloud service provider or third party data host will in most cases be determined as a ‘processor’. Personal or Sensitive It is import to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations as different levels of protection are required, some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients
Personal Data The definition of personal data has been broadened to include anything that can be directly associated with an individual. GDPR broadly keeps existing definitions but adds digital footprints such as cookies and IP addresses. GDPR says… ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR Sensitive Personal Data The following are the GDPR classifications for sensitive personal data: GDPR says… revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9 (2) is met. These include: 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law 9(2)(e) – Data manifestly made public by the data subject.
In addition to the duty of a firm to protect its information there are a number of enhanced or new data subject rights that they will need to be mindful of as each could demand considerable administration capability particularly if the necessary access and recovery tools are not in place. Data subject access requests (DSARs) will be easier for clients and employees. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are a number of grounds for refusal if the request is manifestly unfounded or excessive. Right to Erasure A new right under GDPR is to have data deleted. There are several reasons this request can be refused such as conflicting regulations and in the public interest but once legitimate reasons for denial are exhausted data must be deleted. Right to Portability Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’. Key Tools Search, Delete, Export Key Solution Providers GDPR Says... The response to a DSAR will include: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject Article 15 of GDPR
Privacy by design is a concept that features consistently throughout the GDPR. In essence. it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes. Security by design and by default The GDPR requires that employers (and other data processors) should be “audit-ready” at all times, meaning that all employer’s systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘privacy by design’ for sensitive data and the onus will be on employers to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this. Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities. Key Design Principles Only necessary data to be processed including:  Amount of data  Extent of processing  Retention period  Access to data Organisational measures There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies. Organisational measures This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities. GDPR Says... Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data- protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. Article 23 of GDPR
Security of Processing GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Key Tools Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control Key Solution Providers GDPR Says... Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. Article 32 of GDPR
GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Cloud Service Provider Checklist □ Technical & Organisational security □ New contract provisions □ Demonstrable GDPR compliance □ Data Processing Records □ Breach Notification □ Delete or return data post contract □ Data Transfer transparency □ Sub-processor permission GDPR Says... Processors Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Under the GDPR, you must appoint a data protection officer (DPO) if you:  are a public authority (except for courts acting in their judicial capacity);  carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or  carry out large scale processing of special categories of data or data relating to criminal convictions and offences. A DPO can be an outsourced role which will pave the way for external agencies to provide this service. DPO Duties The DPO’s minimum tasks  To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.  To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.  To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc). DPO Rights Businesses must ensure that:  The DPO reports to the highest management level of the organisation  The DPO operates independently and is not dismissed or penalised for performing their task.  Adequate resources are provided to enable DPOs to meet their GDPR obligations. Key Solution Providers GDPR Says... 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors. 5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority
The GDPR has references to both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes although in the event of a complaint the required level of consent for sensitive data is expected to be higher. GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:  Ticking a box  Changing technical settings (eg making something public on Facebook)  Signed client enagement letter GDPR is also clear as to what will NOT be acceptable as consent  Silence  pre-ticked boxes  general inactivity Auditable Consent A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given which could impact many marketing systems. Where you already rely on consent that had been previously sought you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR. If you cannot reach this high standard of consent then you must find an alternative legal basis such as or cease or not start the processing in question. GDPR Says... Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Consent Capture This is an emerging area of technology that enables a granular and compliant approach to capturing user consent whilst providing the right processing and privacy notices. In addition, these solutions will ensure that all consent captured is auditable. Key Vendors GDPR Says... Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
A common theme throughout the GDPR is accountability and demonstrating compliance i.e. making it evident to the Data Protection Authority that you are meeting obligations. An important component of accountability and mandatory in certain circumstances is the Impact Assessment. Definition A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins. Scope New to the GDPR all businesses (both controllers and processors) are impacted. Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks. Content An Impact Assessment must contain the following:  a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller  an assessment of the necessity and proportionality of the processing operations in relation to the purposes;  an assessment of the risks to the rights and freedoms of data subjects  the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. GDPR Says... Data protection impact assessment 1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. 2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. 3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.
Dark Data One of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable and therefore not discoverable is also known as ‘dark data’. The most common example found is a PDF file that has not had the content of the document OCR’d leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request. There are a number of software solutions available that will scan your network for ‘dark data’ identify it and convert it to searchable data. Method An Impact Assessment has the following steps:  Review existing or planned data processing activities  Map data flows within the organisation by system and by process  Identify any compliance risks  Determine any mitigation required and develop an action plan  Determine whether their core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale.  If yes to above appoint a DPO. Key Solution Providers
The GDPRREADY Compliance Plan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPRREADY 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance. Step 1 – EDUCATE The EDUCATE phase consists of a combination of interactive workshops and stakeholder interviews, designed to generate a high level of understanding of the impending legislation and any changes to system, policy or process in order to achieve GDPR compliance. GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders GDPR Assessment workshop - A workshop for internal staff responsible for owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers Stakeholder Interviews – one to one discussions with key stakeholders to document departmental processes involving personal data. STEP 2 – DISCOVER The DISCOVER phase uses the Data Protection Impact Assessment (as recommended by the Information Commissioners Office) to discover any risk or exposure the firm may currently have. Impact Assessment – using our GDPRready Data Register and GDPRready Impact assessment templates you will document, data flows, gap analysis, risk assessment and remediation plans. STEP 3 – PLAN GDPR Preparation Plan – document actions needed to prepare for and maintain GDPR compliance. Understand budget required and systems and processes that require modification. STEP 4 – MAINTAIN Prepare for new obligations such as Breach Response and DSAR Processing. Review existing InfoSec policies and procedures to ensure they align with GDPR. EACH PHASE IS SUPLIMENTED BY GDPRREADY TEMPLATED PROCESSES AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW
GDPRREADY COMPLIANCE PLAN – ACTION SUMMARY PHASE 1 – EDUCATE GDPR WORKSHOP IMPACT ASSESSMENT WORKSHOP STAKEHOLDER INTERVIEWS DOC 1 - GUIDE TO GDPR ESSENTIALS DOC 2 - GDPR CHECKLIST PHASE 2 – DISCOVER COMPLETE IMPACT ASSESSMENT DATA MAP COMPLETE IMPACT ASSESSMENT RISK REGISTER PRODUCE IMPACT ASSESSMENT REMEDIATION PLAN DOC 3 - DATA REGISTER DOC 4 - IMPACT ASSESSMENT PHASE 3 – PLAN DOC 5 - GDPR COMPLIANCE PLAN DOC 6 - PRIVACY NOTICE CHECKLIST DOC 7 - USER AWARENESS PROGRAM DOC 8 - CLOUD SERVICE PROVIDER COMPLIANCE CHECKLIST DOC 9 - SUBJECT ACCESS REQUEST PROCEDURE PHASE 4 – MAINTAIN DOC 10 - INFORMATION SECURITY POLICIES DOC 11 - INTERNATIONAL DATA TRANSFER GUIDANCE DOC 12 - CONSENT FORM TEMPLATES DOC 13 - PROCESSING RECORD TEMPLATE DOC 14 - BREACH NOTIFICATION TEMPLATE
SOLUTION PROVIDER GDPR FUNCTION FEATURE DETAIL Data Subject Access Request Data Discovery A comprehensive data discovery and management are essential for GDPR compliance. In order to ensure timely and efficient respond to any Data Subject Access Requests (DSAR), all locations, where personal information is stored, should be easily discovered. contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable. contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation. DocsCorp will be publishing a white paper and hosting a number of GDPR events across Europe. Drop us an email to events@docscorp.com to stay updated and get your free white paper and event invitation. For more information please check the product description below or visit: http://www.docscorp.com/contentcrawler/ Bulk Processing for Document Management contentCrawler is an integrated analysis, processing and reporting framework that intelligently assesses documents in a Document Management System and determines if they require OCR and/or file compression processing. Organisations can bulk process documents in the DMS using either the OCR or Compression modules. Or, they can do both. For example, contentCrawler will convert all image-based documents in the DMS to text-searchable PDFs. The Compression module will then apply compression and down-sampling in order to minimise the file size of the resulting PDF documents. The automated end-to-end process can run 24/7 without any staff intervention, emailing periodic notifications of processing statistics and error
reporting to the IT Administrator. Staff no longer have to worry about OCR or compression as a process or workflow. Key Benefits  Ensure all documents are indexed for searching and are therefore discoverable  Simplify management of image-based documents  Reduce non-compliance risks  Increase efficiency through automation  Leverage existing investment in DMS and search technology  Reduce costs managing OCR and Compression technology Privacy by Design Cyber Security iboss is a cyber security platform that uses cloudtechno logy to extend preventative and predictive multi-layered security to any size or organization, in any place and to any device.The result is a lower risk profile, and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR regulations, and can lower associated fines if data breaches occur. Privacy by Design Data Leakage Protection Iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (WEB, EMAIL, DNS, P2P etc) Privacy by Design Content Management Granular gateway level controls against web access and application usage Right to access Privacy by Design Access Control Document Protection Search iManage Govern Govern critical information at every step of the engagement and beyond iManage Govern lets you manage your engagement files according to each client retention policies, from creation through to disposal all while ensuring your organization meets audit and discovery requirements. Improve governance: by applying retention policies centrally across both electronic and physical client records Integrated document and records management: through seamless operation with iManage Work Boost productivity: and reduce risk by taking records management responsibility off your professionals shoulders Manage information in place: without copying to a separate system
Reduce operating costs: by moving inactive projects to a governed, searchable archive Privacy by Design Secure File Transfer iManage Share A Fast, easy and secure sharing of professional work product Securely exchange work product with your clients, partner firms, and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files. With iManage Share: Share, edit and collaborate on work product from within iManage Work. Share files from your Outlook email: Share files as secure links directly from Outlook. Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo. Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet. Know what is shared and with whom: Monitor who is accessing your files and when. Privacy by Design Right to Access Document Protection Search DSAR response Access Control iManage Work Manage documents, emails and more in a single engagement file Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner. Improve productivity: Suggested email filing keeps you ahead of inbox overload Make better decisions: Document timelines, dashboards and analytics cut through clutter enabling faster, better decisions Find everything: Search across all work product (documents, emails, images) automatically tuned to your work style Be more responsive: Secure mobile access means you can view and edit your work from anywhere
Work smarter: Integrates seamlessly with the applications youre already using to save time Privacy by Design Document Protection Access Control Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control. Several features of Intapp Walls can help address GDPR requirements for “privacy by design,” “privacy by default” and the Accountability principle. Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered in an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches Data Protection Officer Education The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security. The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. They provide
opportunities for peer networking, cross-functional dialogue and a better understanding of common problems and trends including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls. Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference. Intapp Professional Services offers a Risk Consultancy practice that will assess your firm’s approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations Privacy by Design Data Leakage Protection Secure Archive Security Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case. Mimecast solves important archiving challenges by:  Archiving email in the cloud  Responding quickly to litigation requests  Retaining important company files  Archiving Lync IM conversations A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions. Consent Consent Capture Consentric Permissions is a tool for managing citizens’ consent for usage of their data. It is a cloud based product with the citizen at the heart, providing them the capability to grant or deny consent to the usage of their data for specific, clearly defined purposes. Organisations benefit from Permissions through a simple integration with their CRM or other system(s), providing a single source of truth relating to consent. They can configure the data to be used, purpose for, and who will request usage of the citizen’s data at a granular level, enabling citizens to clearly understand what is being asked of them. Where required, organisation users can also access citizens’ records to amend consent on instruction. All changes are subject to a full history log, including detail of how and where consent was obtained. This
provides the citizen transparency and control on how their data is being accessed and used. Privacy by Design Consentric Permissions stores citizens’ data in a secure UK sovereign data centre, with consents to share that data managed by the citizen. Classification of the data is aligned to well-known standard schemas, or, created by new custom schemas, allowing sensitive data to be managed separately and securely by the citizen. Consentric Permissions is a trust platform, giving the citizen transparency, ownership and control of their data, enabling you to build loyal relationships with your customers. This radical approach to storing data transforms your ability to achieve required data protection standards through minimisation of personal and sensitive data being stored in your systems and placing the citizen in control of their data and its usage. By integrating into Consentric Permissions, you benefit from our Privacy by Design features and save costs of implementing in your own systems Privacy by Design Secure Data hosting The complexity and expense of managing underlying infrastructure can be challenging to organisations, as their needs fluctuate. Trustmarques IaaS solutions enables organisations to cost-effectively deploy and run their software, whilst taking full advantage of the benefits cloud computing brings. We design, build, procure and manage IaaS services to help you unlock real business value. By providing specialist technical design, management knowledge and understanding the commercial implications of solution design and change, along with the operational considerations of a Cloud service within a traditional ITIL oriented environment. We provide highly resilient and secure IL2, IL3 and IL4 services for OFFICIAL and OFFICIAL SENSITIVE hosting requirements. These convenient, on-demand and configurable computing resources require minimal management effort. Impact Assessment Compliance Trustmarque provide full lifecycle Impact Assessment consultation. In addition as 27001 experts we can ensure that your GDPR compliance measures alin with your wider InfoSec strategy. Privacy by Design Centralisatio n of sensitive data Enabling new, enhanced user rights is a fundamental part of GDPR compliance. PitchPerfect, with its SharePoint data repository, introduces a single centralised content management system which greatly improves the firms ability to meet these requirements. It provides the tools for end-users to locate and extract the requested data,
while restricting the ability to modify and erase data to the content managers working in the back-end. The common distributed data practice whereby CVs and biographies are in multiple locations including a DMS, Email system and file share make compliance with any of these employee access requests complex, time consuming, costly and potentially impossible With user photos falling into the biometric data category new to the GDPR definition of sensitive personal data, it is compulsory to apply adequate protection. PitchPerfect ensures the right level of user access is applied. Data Protection Officer User Education SkillBuilder eLearning provides new innovative ways to empower employees and end users with accessible tools and technologies; enabling them to stay informed and educated in all things related to legal technology and its constantly changing updates. SkillBuilder eLearning was built on the know-how of an over 12 million-strong backlog of ticket data and over 60,000 knowledge base articles. Our online eLearning tool increases productivity through a multifaceted portal that is branded for the firm. SkillBuilder provides a three-tiered model of service: Self-Service for users, Service Desk support provided by Solution Sender and an LMS. All features include access to our robust library of ever-growing content tailor specifically for Legal. SkillBuilder is a single platform whose affects are felt throughout the organization. Consent Data Transfer Security of Processing Privacy by Design Consent Vuture is a marketing automation platform for professional services that makes it easy to personalise email communications, streamline events and control marketing assets from a single flexible system. Manage consent Vuture provides a quick and easy-to-use solution to manage and automate consent. A seamless CRM integration enables you to manage and timestamp contact opt-ins within your CRM, as well as meet all Data Discovery and Data Access requirements. Unambiguous consent is achieved through a CRM- linked tickbox inserted on your preference forms. Control data transfer Vuture is a private cloud solution – each client has their own instance of the platform hosted at a location of their choice. The platform is built with privacy at its core – data never leaves the chosen location and
rigorous security policies ensure you are always fully compliant with Data Protection standards. Privacy and security sit at the heart of Vuture’s development, and both are assessed, tested and updated on a continuous basis. Privacy by Design Data Leakage Protection “Workshare’s unique data loss prevention technology provides an additional layer of content awareness that includes hidden, sensitive data (metadata). Policies decide what has to be removed for compliance from a document when sent externally via email or via the cloud. This maintains security and compliance mandates to ensure no information is leaked through documents shared outside a company in the form of metadata. Workshare is taking our extensive understanding of metadata, email attachments and secure file sharing to the next level as we develop further to aid companies in the prevention of data loss. Because we have insight into multiple sharing channels and deep understanding of content, including metadata, Workshare can provide companies with visibility via a reporting system. Reports can be oriented around particular senders, receivers, and types of metadata to monitor for leakage or misuse. As the proposition develops, we will encompass words within context in a document or metadata and extend this detection to non-email sharing channels. Once detected, we can educate and empower users to take appropriate corrective action to protect their sensitive content.” We hope you found the first edition of this guide useful. To recommend content or a solution for the second edition or GDPRwiki.com please contact: info@2twenty4consulting.com

More Related Content

PDF
GDPR-Overview
Erica Walker
 
PPTX
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Qualsys Ltd
 
PDF
Regulation (EU) 2016_679_GDPR_Overview_June 2016
John Greenwood
 
PPTX
The GDPR for Techies
Lilian Edwards
 
PDF
GDPR for dummies
Benoît De Nayer
 
PDF
GDPR 11/1/2017
isc2-hellenic
 
PDF
EY General Data Protection Regulation: Are you ready?
VYTIS MALECKAS
 
PDF
The Essential Guide to GDPR
Tim Hyman LLB
 
GDPR-Overview
Erica Walker
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Qualsys Ltd
 
Regulation (EU) 2016_679_GDPR_Overview_June 2016
John Greenwood
 
The GDPR for Techies
Lilian Edwards
 
GDPR for dummies
Benoît De Nayer
 
GDPR 11/1/2017
isc2-hellenic
 
EY General Data Protection Regulation: Are you ready?
VYTIS MALECKAS
 
The Essential Guide to GDPR
Tim Hyman LLB
 

What's hot (20)

PPTX
The Meaning and Impact of the General Data Protection Regulation
Jake DiMare
 
PDF
GDPR for Dummies
Caroline Boscher
 
PPTX
GDPRR: The Key Changes
Craig Clark ITIL, CIS LI,EU GDPR P
 
PPTX
EU General Data Protection Regulation - Update 2017
Cliff Ashcroft
 
PPTX
Preparing for general data protection regulations (gdpr) within the hous...
Stephanie Vasey
 
PDF
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
Nordic APIs
 
PPTX
Sophie's Privacy - a story about GDPR
Hans Demeyer
 
PPTX
Simple GDPR Overview
Gydeline Ltd
 
PDF
EU GDPR and you: requirements for marketing
IT Governance Ltd
 
PDF
Modelling the General Data Protection Regulation
Sabrina Kirrane
 
PPTX
Findability Day 2016 - What is GDPR?
Findwise
 
PDF
GDPR Demystified
SPIN Chennai
 
PPTX
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
PPTX
Gdpr action plan - ISSA
Ulf Mattsson
 
PDF
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
PDF
GDPR in a nutshell
Initio
 
PDF
GDPR Cyber Insurance 11/1/2017
isc2-hellenic
 
PPTX
GDPR From Implementation to Opportunity
Dean Sappey
 
PPTX
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
eHealth Forum
 
The Meaning and Impact of the General Data Protection Regulation
Jake DiMare
 
GDPR for Dummies
Caroline Boscher
 
GDPRR: The Key Changes
Craig Clark ITIL, CIS LI,EU GDPR P
 
EU General Data Protection Regulation - Update 2017
Cliff Ashcroft
 
Preparing for general data protection regulations (gdpr) within the hous...
Stephanie Vasey
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
Nordic APIs
 
Sophie's Privacy - a story about GDPR
Hans Demeyer
 
Simple GDPR Overview
Gydeline Ltd
 
EU GDPR and you: requirements for marketing
IT Governance Ltd
 
Modelling the General Data Protection Regulation
Sabrina Kirrane
 
Findability Day 2016 - What is GDPR?
Findwise
 
GDPR Demystified
SPIN Chennai
 
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Gdpr action plan - ISSA
Ulf Mattsson
 
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
GDPR in a nutshell
Initio
 
GDPR Cyber Insurance 11/1/2017
isc2-hellenic
 
GDPR From Implementation to Opportunity
Dean Sappey
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
eHealth Forum
 
Ad

Similar to The Essential Guide to GDPR (20)

PPTX
Operational impact of gdpr finance industries in the caribbean
EquiGov Institute
 
PDF
GDPR- Get the facts and prepare your business
Mark Baker
 
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
dan hyde
 
PDF
Horner Downey & Co Newsletter- GDPR
Jenny Ferguson
 
PPTX
Practical Guide to GDPR 2017
Dryden Geary
 
PDF
GDPR A Practical Guide with Varonis
Angad Dayal
 
PDF
Cognizant business consulting the impacts of gdpr
audrey miguel
 
PDF
GDPR - A practical guide
Angad Dayal
 
PPTX
General Data Protection Regulation
Pete S
 
PDF
The Evolution of Data Privacy: 3 things you didn’t know
Symantec
 
PDF
GDPRIBMWhitePaper
Jim Wilson
 
PPTX
Data protection
RaviPrashant5
 
PDF
LW-Privacy-GDPR-Compliance-Checklist.pdf
ENGSAMIRTAMIM
 
PDF
GDPR - Are you ready?
VILT
 
PDF
GDPR - The new era of data protection
Interlogica
 
PPTX
GDPR
Gopi PD
 
PDF
The Countdown to the GDPR Regulations
Elliot Reeman
 
PDF
GDPR: data needs to be in safe hands
legalandgeneral
 
PDF
Aon GDPR white paper
Graeme Cross
 
PDF
GDPR, what you need to know and how to prepare for it e book
Plr-Printables
 
Operational impact of gdpr finance industries in the caribbean
EquiGov Institute
 
GDPR- Get the facts and prepare your business
Mark Baker
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
dan hyde
 
Horner Downey & Co Newsletter- GDPR
Jenny Ferguson
 
Practical Guide to GDPR 2017
Dryden Geary
 
GDPR A Practical Guide with Varonis
Angad Dayal
 
Cognizant business consulting the impacts of gdpr
audrey miguel
 
GDPR - A practical guide
Angad Dayal
 
General Data Protection Regulation
Pete S
 
The Evolution of Data Privacy: 3 things you didn’t know
Symantec
 
GDPRIBMWhitePaper
Jim Wilson
 
Data protection
RaviPrashant5
 
LW-Privacy-GDPR-Compliance-Checklist.pdf
ENGSAMIRTAMIM
 
GDPR - Are you ready?
VILT
 
GDPR - The new era of data protection
Interlogica
 
GDPR
Gopi PD
 
The Countdown to the GDPR Regulations
Elliot Reeman
 
GDPR: data needs to be in safe hands
legalandgeneral
 
Aon GDPR white paper
Graeme Cross
 
GDPR, what you need to know and how to prepare for it e book
Plr-Printables
 
Ad

Recently uploaded (20)

PPTX
Side hustles: 14 powerful tips to embrace the future of work
Reversed Out Creative
 
PDF
The Impact of Policy Changes on Legal Communication Strategies (www.kiu.ac.ug)
publication11
 
PPTX
Business Research Methods- Secondary Data
DanielOdhiambo9
 
PPTX
Biomass_Energy_PPT_FIN AL________________.pptx
gloryjsingh
 
PPTX
PPT Hafizullah Oria- Final Thesis Exam.pptx
Ehsanullah Oria
 
DOCX
“Strategic management process of a selected organization”.Nestle-docx.docx
mkamumin08
 
PDF
The Influence of Historical Figures on Legal Communication (www.kiu.ac.ug)
publication11
 
PDF
Implementing Steam Education: Challenges and Solutions (www.kiu.ac.ug)
publication11
 
DOCX
Center Enamel Enabling Precision and Sustainability in the Netherlands' Advan...
cecvessels
 
PDF
The Role of School Boards in Educational Management (www.kiu.ac.ug)
publication11
 
PPTX
OS ALL UNITS MATxtdtc5ctc5cycgctERIAL.pptx
kanirudhsingh2357
 
PDF
The Dynamic CLOs Shaping the Future of the Legal Industry in 2025.pdf
businessmindsmedia12
 
PDF
El futuro empresarial 2024 una vista gen
dannflolo1
 
PDF
audit case scenario .pdf by icai ca inter
DhakshaBhambhani
 
PDF
IFRS Green Book_Part B for professional pdf
andargie2015
 
PDF
Shriram Finance, one of India's leading financial services companies, which o...
Sanjit Singh
 
PDF
The Evolution of Legal Communication through History (www.kiu.ac.ug)
publication11
 
PDF
France's Top 5 Promising EdTech Companies to Watch in 2025.pdf
educationexcellencem
 
PPTX
PwC consulting Powerpoint Graphics 2014 templates
tjmajingyan
 
PPTX
Hospitality & tourism management.pptxHospitality & tourism management.pptx
Nida Mahmood
 
Side hustles: 14 powerful tips to embrace the future of work
Reversed Out Creative
 
The Impact of Policy Changes on Legal Communication Strategies (www.kiu.ac.ug)
publication11
 
Business Research Methods- Secondary Data
DanielOdhiambo9
 
Biomass_Energy_PPT_FIN AL________________.pptx
gloryjsingh
 
PPT Hafizullah Oria- Final Thesis Exam.pptx
Ehsanullah Oria
 
“Strategic management process of a selected organization”.Nestle-docx.docx
mkamumin08
 
The Influence of Historical Figures on Legal Communication (www.kiu.ac.ug)
publication11
 
Implementing Steam Education: Challenges and Solutions (www.kiu.ac.ug)
publication11
 
Center Enamel Enabling Precision and Sustainability in the Netherlands' Advan...
cecvessels
 
The Role of School Boards in Educational Management (www.kiu.ac.ug)
publication11
 
OS ALL UNITS MATxtdtc5ctc5cycgctERIAL.pptx
kanirudhsingh2357
 
The Dynamic CLOs Shaping the Future of the Legal Industry in 2025.pdf
businessmindsmedia12
 
El futuro empresarial 2024 una vista gen
dannflolo1
 
audit case scenario .pdf by icai ca inter
DhakshaBhambhani
 
IFRS Green Book_Part B for professional pdf
andargie2015
 
Shriram Finance, one of India's leading financial services companies, which o...
Sanjit Singh
 
The Evolution of Legal Communication through History (www.kiu.ac.ug)
publication11
 
France's Top 5 Promising EdTech Companies to Watch in 2025.pdf
educationexcellencem
 
PwC consulting Powerpoint Graphics 2014 templates
tjmajingyan
 
Hospitality & tourism management.pptxHospitality & tourism management.pptx
Nida Mahmood
 

The Essential Guide to GDPR

  • 1. GDPR The new data protection regulations, the impact on your systems and the solutions that can assist with compliance TheEssentialGuide
  • 2. Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance. I have therefore put together this guide, The Essential Guide to GDPR and its sister website GDPRwiki.com This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact and particularly those that will need some attention prior to May 29 2018 – deadline for compliance. The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant. Again this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services - as the deadline gets closer I expect more technologies and services to appear and I hope to highlight these in the next edition of this guide. “Having clear laws with safeguards in place is more important than ever giving the growing digital economy” Steve Wood, Deputy Commissioner, ICO This guide focusses on: Brexit Controller or Processor User Rights Privacy by Design Cloud Services Data Protection Officer Consent Impact Assessment
  • 3. The General Data Protection Regulations are the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly GDPR is designed to better take into account modern technologies, the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance following a widely- held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use. THE 6 GDPR DATA PROTECTION PRINCIPLES: 1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject 2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed 4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay 5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage, using appropriate technical or organisational measures .
  • 4. There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws there has been significant commentary including a statement from the Information Commissioners Office (ICO) suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies: GDPR Comes Before Brexit The GDPR comes into force 25 May 2018, the earliest Brexit can happen is January 2019 and until then all EU laws apply. Application The GDPR applies to EU citizen’s data regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR for client data where the client is in the EU. Adequate Data Protection For an EU country to trade outside of the EU ‘adequate’ data protection measures must be in place. It is likely that GDPR will be the standard set as ‘adequate’ and the UK would have to introduce an equal replacement if it decided to revert to existing DP regulations. Which would simply be GDPR under a different name. Competing with the EU Data is fast becoming the new oil and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data centric business.
  • 5. Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and the client they sell to. Much of this data is sensitive either for commercial reasons or because it directly relates to an individual. Various sectors from health to finance to legal all have their own specific governance regulations sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all. There will not be many businesses that do not hold or process personal data but it is important to understand their role and responsibilities as determined by the GDPR. The two significant roles are that of ‘controller’ and ‘processor’. GDPR says… ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; A business will be determined a ‘controller’ for the client, prospect and employee personal data it stores and uses. GDPR says… ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; A cloud service provider or third party data host will in most cases be determined as a ‘processor’. Personal or Sensitive It is import to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations as different levels of protection are required, some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients
  • 6. Personal Data The definition of personal data has been broadened to include anything that can be directly associated with an individual. GDPR broadly keeps existing definitions but adds digital footprints such as cookies and IP addresses. GDPR says… ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR Sensitive Personal Data The following are the GDPR classifications for sensitive personal data: GDPR says… revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9 (2) is met. These include: 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law 9(2)(e) – Data manifestly made public by the data subject.
  • 7. In addition to the duty of a firm to protect its information there are a number of enhanced or new data subject rights that they will need to be mindful of as each could demand considerable administration capability particularly if the necessary access and recovery tools are not in place. Data subject access requests (DSARs) will be easier for clients and employees. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are a number of grounds for refusal if the request is manifestly unfounded or excessive. Right to Erasure A new right under GDPR is to have data deleted. There are several reasons this request can be refused such as conflicting regulations and in the public interest but once legitimate reasons for denial are exhausted data must be deleted. Right to Portability Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’. Key Tools Search, Delete, Export Key Solution Providers GDPR Says... The response to a DSAR will include: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject Article 15 of GDPR
  • 8. Privacy by design is a concept that features consistently throughout the GDPR. In essence. it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes. Security by design and by default The GDPR requires that employers (and other data processors) should be “audit-ready” at all times, meaning that all employer’s systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘privacy by design’ for sensitive data and the onus will be on employers to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this. Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities. Key Design Principles Only necessary data to be processed including:  Amount of data  Extent of processing  Retention period  Access to data Organisational measures There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies. Organisational measures This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities. GDPR Says... Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data- protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. Article 23 of GDPR
  • 9. Security of Processing GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Key Tools Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control Key Solution Providers GDPR Says... Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. Article 32 of GDPR
  • 10. GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The legislation goes on to describe the security required for processing data.  pseudonymisation and encryption  confidentiality, integrity, availability and resilience of processing systems and services  the ability to restore  testing, assessing and evaluating the effectiveness of technical and organisational measures It is an obligation to ensure that a controller only engages with a third party data processors or cloud service providers if they also comply with the above. Cloud Service Provider Checklist □ Technical & Organisational security □ New contract provisions □ Demonstrable GDPR compliance □ Data Processing Records □ Breach Notification □ Delete or return data post contract □ Data Transfer transparency □ Sub-processor permission GDPR Says... Processors Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  • 11. Under the GDPR, you must appoint a data protection officer (DPO) if you:  are a public authority (except for courts acting in their judicial capacity);  carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or  carry out large scale processing of special categories of data or data relating to criminal convictions and offences. A DPO can be an outsourced role which will pave the way for external agencies to provide this service. DPO Duties The DPO’s minimum tasks  To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.  To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.  To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc). DPO Rights Businesses must ensure that:  The DPO reports to the highest management level of the organisation  The DPO operates independently and is not dismissed or penalised for performing their task.  Adequate resources are provided to enable DPOs to meet their GDPR obligations. Key Solution Providers GDPR Says... 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors. 5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority
  • 12. The GDPR has references to both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes although in the event of a complaint the required level of consent for sensitive data is expected to be higher. GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:  Ticking a box  Changing technical settings (eg making something public on Facebook)  Signed client enagement letter GDPR is also clear as to what will NOT be acceptable as consent  Silence  pre-ticked boxes  general inactivity Auditable Consent A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given which could impact many marketing systems. Where you already rely on consent that had been previously sought you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR. If you cannot reach this high standard of consent then you must find an alternative legal basis such as or cease or not start the processing in question. GDPR Says... Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
  • 13. Consent Capture This is an emerging area of technology that enables a granular and compliant approach to capturing user consent whilst providing the right processing and privacy notices. In addition, these solutions will ensure that all consent captured is auditable. Key Vendors GDPR Says... Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
  • 14. A common theme throughout the GDPR is accountability and demonstrating compliance i.e. making it evident to the Data Protection Authority that you are meeting obligations. An important component of accountability and mandatory in certain circumstances is the Impact Assessment. Definition A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins. Scope New to the GDPR all businesses (both controllers and processors) are impacted. Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks. Content An Impact Assessment must contain the following:  a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller  an assessment of the necessity and proportionality of the processing operations in relation to the purposes;  an assessment of the risks to the rights and freedoms of data subjects  the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. GDPR Says... Data protection impact assessment 1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. 2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. 3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.
  • 15. Dark Data One of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable and therefore not discoverable is also known as ‘dark data’. The most common example found is a PDF file that has not had the content of the document OCR’d leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request. There are a number of software solutions available that will scan your network for ‘dark data’ identify it and convert it to searchable data. Method An Impact Assessment has the following steps:  Review existing or planned data processing activities  Map data flows within the organisation by system and by process  Identify any compliance risks  Determine any mitigation required and develop an action plan  Determine whether their core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale.  If yes to above appoint a DPO. Key Solution Providers
  • 16. The GDPRREADY Compliance Plan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPRREADY 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance. Step 1 – EDUCATE The EDUCATE phase consists of a combination of interactive workshops and stakeholder interviews, designed to generate a high level of understanding of the impending legislation and any changes to system, policy or process in order to achieve GDPR compliance. GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders GDPR Assessment workshop - A workshop for internal staff responsible for owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers Stakeholder Interviews – one to one discussions with key stakeholders to document departmental processes involving personal data. STEP 2 – DISCOVER The DISCOVER phase uses the Data Protection Impact Assessment (as recommended by the Information Commissioners Office) to discover any risk or exposure the firm may currently have. Impact Assessment – using our GDPRready Data Register and GDPRready Impact assessment templates you will document, data flows, gap analysis, risk assessment and remediation plans. STEP 3 – PLAN GDPR Preparation Plan – document actions needed to prepare for and maintain GDPR compliance. Understand budget required and systems and processes that require modification. STEP 4 – MAINTAIN Prepare for new obligations such as Breach Response and DSAR Processing. Review existing InfoSec policies and procedures to ensure they align with GDPR. EACH PHASE IS SUPLIMENTED BY GDPRREADY TEMPLATED PROCESSES AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW
  • 17. GDPRREADY COMPLIANCE PLAN – ACTION SUMMARY PHASE 1 – EDUCATE GDPR WORKSHOP IMPACT ASSESSMENT WORKSHOP STAKEHOLDER INTERVIEWS DOC 1 - GUIDE TO GDPR ESSENTIALS DOC 2 - GDPR CHECKLIST PHASE 2 – DISCOVER COMPLETE IMPACT ASSESSMENT DATA MAP COMPLETE IMPACT ASSESSMENT RISK REGISTER PRODUCE IMPACT ASSESSMENT REMEDIATION PLAN DOC 3 - DATA REGISTER DOC 4 - IMPACT ASSESSMENT PHASE 3 – PLAN DOC 5 - GDPR COMPLIANCE PLAN DOC 6 - PRIVACY NOTICE CHECKLIST DOC 7 - USER AWARENESS PROGRAM DOC 8 - CLOUD SERVICE PROVIDER COMPLIANCE CHECKLIST DOC 9 - SUBJECT ACCESS REQUEST PROCEDURE PHASE 4 – MAINTAIN DOC 10 - INFORMATION SECURITY POLICIES DOC 11 - INTERNATIONAL DATA TRANSFER GUIDANCE DOC 12 - CONSENT FORM TEMPLATES DOC 13 - PROCESSING RECORD TEMPLATE DOC 14 - BREACH NOTIFICATION TEMPLATE
  • 18. SOLUTION PROVIDER GDPR FUNCTION FEATURE DETAIL Data Subject Access Request Data Discovery A comprehensive data discovery and management are essential for GDPR compliance. In order to ensure timely and efficient respond to any Data Subject Access Requests (DSAR), all locations, where personal information is stored, should be easily discovered. contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable. contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation. DocsCorp will be publishing a white paper and hosting a number of GDPR events across Europe. Drop us an email to [email protected] to stay updated and get your free white paper and event invitation. For more information please check the product description below or visit: http://www.docscorp.com/contentcrawler/ Bulk Processing for Document Management contentCrawler is an integrated analysis, processing and reporting framework that intelligently assesses documents in a Document Management System and determines if they require OCR and/or file compression processing. Organisations can bulk process documents in the DMS using either the OCR or Compression modules. Or, they can do both. For example, contentCrawler will convert all image-based documents in the DMS to text-searchable PDFs. The Compression module will then apply compression and down-sampling in order to minimise the file size of the resulting PDF documents. The automated end-to-end process can run 24/7 without any staff intervention, emailing periodic notifications of processing statistics and error
  • 19. reporting to the IT Administrator. Staff no longer have to worry about OCR or compression as a process or workflow. Key Benefits  Ensure all documents are indexed for searching and are therefore discoverable  Simplify management of image-based documents  Reduce non-compliance risks  Increase efficiency through automation  Leverage existing investment in DMS and search technology  Reduce costs managing OCR and Compression technology Privacy by Design Cyber Security iboss is a cyber security platform that uses cloudtechno logy to extend preventative and predictive multi-layered security to any size or organization, in any place and to any device.The result is a lower risk profile, and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR regulations, and can lower associated fines if data breaches occur. Privacy by Design Data Leakage Protection Iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (WEB, EMAIL, DNS, P2P etc) Privacy by Design Content Management Granular gateway level controls against web access and application usage Right to access Privacy by Design Access Control Document Protection Search iManage Govern Govern critical information at every step of the engagement and beyond iManage Govern lets you manage your engagement files according to each client retention policies, from creation through to disposal all while ensuring your organization meets audit and discovery requirements. Improve governance: by applying retention policies centrally across both electronic and physical client records Integrated document and records management: through seamless operation with iManage Work Boost productivity: and reduce risk by taking records management responsibility off your professionals shoulders Manage information in place: without copying to a separate system
  • 20. Reduce operating costs: by moving inactive projects to a governed, searchable archive Privacy by Design Secure File Transfer iManage Share A Fast, easy and secure sharing of professional work product Securely exchange work product with your clients, partner firms, and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files. With iManage Share: Share, edit and collaborate on work product from within iManage Work. Share files from your Outlook email: Share files as secure links directly from Outlook. Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo. Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet. Know what is shared and with whom: Monitor who is accessing your files and when. Privacy by Design Right to Access Document Protection Search DSAR response Access Control iManage Work Manage documents, emails and more in a single engagement file Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner. Improve productivity: Suggested email filing keeps you ahead of inbox overload Make better decisions: Document timelines, dashboards and analytics cut through clutter enabling faster, better decisions Find everything: Search across all work product (documents, emails, images) automatically tuned to your work style Be more responsive: Secure mobile access means you can view and edit your work from anywhere
  • 21. Work smarter: Integrates seamlessly with the applications youre already using to save time Privacy by Design Document Protection Access Control Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control. Several features of Intapp Walls can help address GDPR requirements for “privacy by design,” “privacy by default” and the Accountability principle. Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered in an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches Data Protection Officer Education The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security. The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. They provide
  • 22. opportunities for peer networking, cross-functional dialogue and a better understanding of common problems and trends including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls. Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference. Intapp Professional Services offers a Risk Consultancy practice that will assess your firm’s approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations Privacy by Design Data Leakage Protection Secure Archive Security Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case. Mimecast solves important archiving challenges by:  Archiving email in the cloud  Responding quickly to litigation requests  Retaining important company files  Archiving Lync IM conversations A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions. Consent Consent Capture Consentric Permissions is a tool for managing citizens’ consent for usage of their data. It is a cloud based product with the citizen at the heart, providing them the capability to grant or deny consent to the usage of their data for specific, clearly defined purposes. Organisations benefit from Permissions through a simple integration with their CRM or other system(s), providing a single source of truth relating to consent. They can configure the data to be used, purpose for, and who will request usage of the citizen’s data at a granular level, enabling citizens to clearly understand what is being asked of them. Where required, organisation users can also access citizens’ records to amend consent on instruction. All changes are subject to a full history log, including detail of how and where consent was obtained. This
  • 23. provides the citizen transparency and control on how their data is being accessed and used. Privacy by Design Consentric Permissions stores citizens’ data in a secure UK sovereign data centre, with consents to share that data managed by the citizen. Classification of the data is aligned to well-known standard schemas, or, created by new custom schemas, allowing sensitive data to be managed separately and securely by the citizen. Consentric Permissions is a trust platform, giving the citizen transparency, ownership and control of their data, enabling you to build loyal relationships with your customers. This radical approach to storing data transforms your ability to achieve required data protection standards through minimisation of personal and sensitive data being stored in your systems and placing the citizen in control of their data and its usage. By integrating into Consentric Permissions, you benefit from our Privacy by Design features and save costs of implementing in your own systems Privacy by Design Secure Data hosting The complexity and expense of managing underlying infrastructure can be challenging to organisations, as their needs fluctuate. Trustmarques IaaS solutions enables organisations to cost-effectively deploy and run their software, whilst taking full advantage of the benefits cloud computing brings. We design, build, procure and manage IaaS services to help you unlock real business value. By providing specialist technical design, management knowledge and understanding the commercial implications of solution design and change, along with the operational considerations of a Cloud service within a traditional ITIL oriented environment. We provide highly resilient and secure IL2, IL3 and IL4 services for OFFICIAL and OFFICIAL SENSITIVE hosting requirements. These convenient, on-demand and configurable computing resources require minimal management effort. Impact Assessment Compliance Trustmarque provide full lifecycle Impact Assessment consultation. In addition as 27001 experts we can ensure that your GDPR compliance measures alin with your wider InfoSec strategy. Privacy by Design Centralisatio n of sensitive data Enabling new, enhanced user rights is a fundamental part of GDPR compliance. PitchPerfect, with its SharePoint data repository, introduces a single centralised content management system which greatly improves the firms ability to meet these requirements. It provides the tools for end-users to locate and extract the requested data,
  • 24. while restricting the ability to modify and erase data to the content managers working in the back-end. The common distributed data practice whereby CVs and biographies are in multiple locations including a DMS, Email system and file share make compliance with any of these employee access requests complex, time consuming, costly and potentially impossible With user photos falling into the biometric data category new to the GDPR definition of sensitive personal data, it is compulsory to apply adequate protection. PitchPerfect ensures the right level of user access is applied. Data Protection Officer User Education SkillBuilder eLearning provides new innovative ways to empower employees and end users with accessible tools and technologies; enabling them to stay informed and educated in all things related to legal technology and its constantly changing updates. SkillBuilder eLearning was built on the know-how of an over 12 million-strong backlog of ticket data and over 60,000 knowledge base articles. Our online eLearning tool increases productivity through a multifaceted portal that is branded for the firm. SkillBuilder provides a three-tiered model of service: Self-Service for users, Service Desk support provided by Solution Sender and an LMS. All features include access to our robust library of ever-growing content tailor specifically for Legal. SkillBuilder is a single platform whose affects are felt throughout the organization. Consent Data Transfer Security of Processing Privacy by Design Consent Vuture is a marketing automation platform for professional services that makes it easy to personalise email communications, streamline events and control marketing assets from a single flexible system. Manage consent Vuture provides a quick and easy-to-use solution to manage and automate consent. A seamless CRM integration enables you to manage and timestamp contact opt-ins within your CRM, as well as meet all Data Discovery and Data Access requirements. Unambiguous consent is achieved through a CRM- linked tickbox inserted on your preference forms. Control data transfer Vuture is a private cloud solution – each client has their own instance of the platform hosted at a location of their choice. The platform is built with privacy at its core – data never leaves the chosen location and
  • 25. rigorous security policies ensure you are always fully compliant with Data Protection standards. Privacy and security sit at the heart of Vuture’s development, and both are assessed, tested and updated on a continuous basis. Privacy by Design Data Leakage Protection “Workshare’s unique data loss prevention technology provides an additional layer of content awareness that includes hidden, sensitive data (metadata). Policies decide what has to be removed for compliance from a document when sent externally via email or via the cloud. This maintains security and compliance mandates to ensure no information is leaked through documents shared outside a company in the form of metadata. Workshare is taking our extensive understanding of metadata, email attachments and secure file sharing to the next level as we develop further to aid companies in the prevention of data loss. Because we have insight into multiple sharing channels and deep understanding of content, including metadata, Workshare can provide companies with visibility via a reporting system. Reports can be oriented around particular senders, receivers, and types of metadata to monitor for leakage or misuse. As the proposition develops, we will encompass words within context in a document or metadata and extend this detection to non-email sharing channels. Once detected, we can educate and empower users to take appropriate corrective action to protect their sensitive content.” We hope you found the first edition of this guide useful. To recommend content or a solution for the second edition or GDPRwiki.com please contact: [email protected]