Implementing the GDPR – FREE e-Learning Full Course



Welcome to e-learning on the General Data Protection Regulation. You are taking this course because you have a role in either using or implementing personal information systems as part of your job, and should do so in accordance with the new General Data Protection Regulation.

Accessibility: all text can be read by a screen reader, and in most cases the text is also vocalized by the presenter or a voiceover.

This course covers the 12 steps outlined by the Information Commissioner's Office (ICO) to get ready for the regulation. The e-learning demonstrates which steps are needed and gives practical advice on what to do. It lasts 60 minutes, and there is a quiz at the end to test your knowledge.

As of May 2018 the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation, or GDPR, with the aim of harmonizing data protection laws across the EU. This updated set of rules takes into account modern globalization and the ever-changing technology landscape. Unlike the DPA, the GDPR was made by the European Parliament and Council and will therefore apply to any company processing the personal data of individuals in the EU. Significant penalties can be imposed on organisations that breach the GDPR, including fines of up to 20 million euros or 4% of annual turnover, whichever is larger. They are designed to strongly penalize any organisation that shows disregard for the security of personal data.

The question we need to ask at this point is: what can you do now, as an employee, manager or owner, to prepare for the GDPR? We are going to guide you through the 12 key steps outlined by the ICO to ensure you are prepared. At the end of the programme we provide links to the ICO's printable checklist and other resources to help implement the regulation.

Awareness. You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have; the more eyes and ears looking out for compliance within the organisation, the better. You can also identify, and make known in the business, those areas that could cause compliance problems under the GDPR. It will be useful to start by looking at your organisation's risk register, if you have one. A risk register is a data store, usually a spreadsheet or database, which details potential privacy risks, who is responsible for the mitigation and management of each risk, what is done to control it, and the effect of that control. Risk is usually measured in terms of likelihood and impact, multiplied together to give a combined score: risk = severity x likelihood. Both the initial risk level and the residual risk (the current risk as a result of implementing controls) should be recorded in the register. Building a risk register from scratch can have significant resource implications, especially in larger and more complex organisations; you may find compliance difficult if you leave such preparations until the last minute.

Information you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. The GDPR requires you to maintain records of your processing activities. It updates rights for a networked world: for example, if you hold inaccurate personal data and have shared it with another organisation, you have to tell that organisation about the inaccuracy so it can correct its own records. You will only be able to trace information that needs to be changed if you know what personal data you hold, where it came from and who you share it with, so you should document this. Doing so will also help you comply with the GDPR's accountability principle, which requires organisations to be able to show that they comply with the data protection requirements. Effective policies and procedures are a good way of showing compliance with this requirement.

Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information; this is usually done via a privacy notice. Under the GDPR there are some additional things you have to tell people: for example, you will need to explain your lawful basis for processing the data, your data retention periods, and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. So what does this look like in real life? On web forms the ICO recommends one of two methods: layering, where information is given to the user in successive layers, and just in time, where information is provided as the user hovers over or engages with each field. In the layering example, the user can click on a drop-down menu item (first layer), read the short notice (second layer), and follow a hyperlink to the full privacy policy. In the just-in-time example, the notices explain how the data will be used on a field-by-field basis, at the moment the user engages with each field. Not only should these notices be provided, they should also be in concise, clear and easy-to-understand language; check that no jargon or overly elaborate English is used. Further examples are available from the ICO.

Individuals' rights. You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format. The GDPR includes the following rights for individuals: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making, including profiling. On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA, but with some significant enhancements. If you are geared up to give individuals their rights now, the transition to the GDPR should be relatively easy. This is a good time to check your procedures and work out how you would react if someone asked to have their personal data deleted: ask yourself whether your systems can be used to locate and delete the data, and who will make decisions about the deletion. These procedures should be recorded and the persons responsible made aware that they exist.

The right to data portability is new. Data portability is the ability to move data from one system to another in a commonly recognised format; an example would be data from Facebook being usable by other applications such as Instagram. From a technical standpoint this may consist of a common XML data structure or simply a CSV file. Any data must be provided without undue delay and within one month. This can be extended by two months where the request is complex or you receive a number of requests, but you must inform the individual within one month of receipt of the request and explain why the extension is necessary. The right only applies to personal data an individual has provided to a controller, where the processing is based on the individual's consent or on the performance of a contract, and where the processing is carried out by automated means. You should consider whether you need to revise your procedures and make any technical changes: you will need to provide personal data in a structured, commonly used and machine-readable form, and provide the information free of charge.

Subject access requests. You should update your procedures and plan how you will handle requests from data subjects for their personal data. As we have said, you should aim in most cases not to charge for a request, but you can refuse or charge for requests that are manifestly unfounded or excessive. If you refuse a request you must tell the individual why, and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest within one month. The European Data Protection Board (EDPB) will resolve any disputes between supervisory authorities. Note that you will have a month to comply, rather than the current 40 days under the Data Protection Act; policies, procedures and your privacy notice should be updated to reflect this. If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their own information easily online. Consideration should be given to the overall security of such systems, with privacy by design being the dominant principle applied when building them; in particular, verify the identity of the requester before disclosing anything, since a self-service portal that is easy to impersonate turns the right of access into a route for disclosing personal data to the wrong person.

Lawful basis for processing personal data. You should identify the lawful basis for your processing activity in the GDPR, document it, and update your privacy notice to explain it. The most common lawful basis is that the data subject has given consent, but there are others, such as the processing being necessary for the performance of a contract or to protect the vital interests of the data subject. Consult Articles 6 and 9 of the legislation for information about specific cases. Note that the lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA, so it should be possible to review the types of processing activities you carry out and identify your lawful basis for each. You should document your lawful basis to help you comply with the GDPR's accountability requirements. You also have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request. Many organisations will not have thought about their lawful basis for processing personal data under the DPA, where this did not have many practical implications. It is different under the GDPR, because some individuals' rights are modified depending on your lawful basis for processing their personal data; the most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis.

Consent. You should review how you seek, record and manage consent, and whether you need to make any changes; refresh existing consents now if they do not meet the GDPR standard. Consent must be freely given, specific, informed and unambiguous, and above all there must be a positive opt-in. A positive opt-in means that the user must actively press a button, tick a checkbox or sign a piece of paper to give consent; it cannot be inferred from silence, pre-ticked boxes or simple inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. Public authorities and employers will need to take particular care. Consent has to be verifiable, and individuals generally have more rights when you rely on consent to process their data. You are not required to automatically repaper or refresh all existing DPA consents in preparation for the GDPR, but if you rely on individuals' consent to process their data, make sure it meets the GDPR standard: specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. For instance, if you are going to collect contact information in a number of ways (email, phone and so on) or on behalf of a number of bodies (your company, a parent company or third-party organisations), be careful not to bundle consent together into a single checkbox; instead, separate them out as shown. Some organisations also allow withdrawal of consent in the same place; the example shown is from The Guardian.

Children. You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity. For the first time, the GDPR will bring in special protection for children's personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (information society services) to children and relies on consent to collect information about them, then you may need a parent's or guardian's consent in order to process their personal data lawfully. The GDPR sets the age at which a child can give their own consent to this processing at 16, although this may be lowered to a minimum of 13 in the UK. If a child is younger, you will need to get consent from a person holding parental responsibility. This could have significant implications if your organisation offers online services to children and collects their personal data. Remember that the consent has to be verifiable, and that when collecting children's data your privacy notice must be written in language that children would understand.

Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the ICO, and possibly other bodies, when they suffer a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals: if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. An extreme example of an organisation that would have needed to notify is Ashley Madison, an extramarital affairs dating site; publication of its members list left members open to blackmail, social embarrassment and the end of many marriages. Contrast this with a sign-up form for free Wi-Fi in a pub: in this course's assessment a breach of that information, although potentially valuable to hackers, would not be notifiable to the ICO, and the same reasoning applies to any company where such a service is supplementary to the primary activity of the business (in this case serving food and drink). Bear in mind, though, that notifiability turns on the likely risk to the individuals affected, not on the type of business, so each breach still needs its own assessment. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, as in the Ashley Madison case, you will also have to notify those concerned directly in most cases. You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred. Larger organisations will need to update policies and procedures for managing data breaches. Failure to report a breach when required to do so can result in a fine, in addition to a fine for the breach itself.

Data protection by design and data protection impact assessments. It has always been good practice to adopt a privacy by design approach. Privacy by design means that privacy and data protection are considered from the start of the design of any system, not bolted on at the end, and a privacy impact assessment (PIA) is carried out as part of this process. The GDPR, however, makes privacy by design an express legal requirement, under the term "data protection by design and by default". It also makes PIAs, referred to as data protection impact assessments or DPIAs, mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals: for example, where new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large-scale processing of the special categories of data. If a DPIA indicates that the data processing is high-risk and you cannot sufficiently address those risks, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR. You should therefore start to assess the situations where it will be necessary to conduct a DPIA: who will do it, who else needs to be involved, and whether the process will be run centrally or locally.

Data protection officers. You should consider whether you are required to formally designate a data protection officer (DPO). You must designate a DPO if you are a public authority (except for courts acting in their judicial capacity), an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out large-scale processing of special categories of data such as health records or information about criminal convictions. It is most important that someone in your organisation, or an external data protection adviser, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively. You may also need to carry out a data protection impact assessment under Article 35 of the GDPR. As we have seen, these assessments help companies identify and minimise privacy risk in new projects; the process overlaps with other organisational processes such as risk management and project management, and results in a DPIA report.

International. If your organisation operates in more than one member state, you should determine your lead data protection supervisory authority and document this. The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location of your central administration in the EU, or else the location where decisions about the purposes and means of processing are taken and implemented. This is only relevant where you carry out cross-border processing, that is, where you have establishments in more than one member state, or where you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states. If this applies to your organisation, you should map out where your organisation makes its most significant decisions about processing activities; this will help determine your main establishment and therefore your lead supervisory authority.

So let's refresh our knowledge of what we have learnt so far. In getting ready for the GDPR you have learned about these twelve steps to successful implementation.

Step 1, awareness: make sure that decision-makers and key people responsible for personal data in your organisation are aware that the law is changing to the GDPR and appreciate the impact this is likely to have; this could be through awareness training or a similar method.
Step 2, auditing the information you hold: document what personal data you hold, where it came from and who you share it with; you may need to organise an information audit.
Step 3, communicating privacy information: review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Step 4, individuals' rights: check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
Step 5, subject access requests: update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Step 6, lawful basis for processing personal data: identify the lawful basis for your processing activity in the GDPR, document it, and update your privacy notice to explain it.
Step 7, consent: review how you seek, record and manage consent and whether you need to make any changes; refresh existing consents now if they do not meet the GDPR standard.
Step 8, children: start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
Step 9, data breaches: make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Step 10, data protection by design: privacy and data protection should be considered from the start of the design of any system or process and not just bolted on at the end; a privacy impact assessment may also need to be carried out as part of this process.
Step 11, data protection officers: designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements; also consider whether you are required to formally designate a data protection officer.
Step 12, international: if your organisation operates in more than one EU member state, or carries out cross-border processing, determine your lead data protection supervisory authority.

The ICO has produced a handy checklist that complements the 12-step advice offered in this training. Use the checklist to help you identify and map out which parts of your business need attention. Links to this and other useful guidance documentation are available at the end of the training.

Now that you have an understanding of the GDPR, you will realise that there are further steps to take to ensure that your entire company is prepared for this new legislation. Firstly there is training: remember, this course is 100% free to download and use. Should you wish to customise it using our online authoring system, Chattel Cloud, contact us and we can set you up in minutes. Additional awareness training will also be needed; we have compiled a list of relevant subject areas from our course catalogue of over 150 courses.

Self-assessment. It is important to assess your company's readiness for the GDPR. The ICO offers a useful checklist designed to help you get your house in order; their "Getting ready for the GDPR" checklist covers getting to grips with the new rights of individuals, handling subject access requests, consent, data breaches and designating a data protection officer. In addition, we have a variety of guided self-assessment tools aimed at all businesses, from SMEs to global corporations. These systems have the added advantage that they provide solutions and consultancy to help secure IT infrastructure and automate tasks such as subject access requests. Contact eLearning WB about training course customisation and any additional awareness e-learning requirements you may have.

Remember, if you are already compliant with the DPA then there is not much to do, but don't be complacent: the differences are significant and, as we have seen, failure to comply can be catastrophic, with fines of whichever is the larger of 4% of annual turnover or 20 million euros. We hope to hear from you soon should you require help with training and assessment; failing that, we wish you good luck in your efforts to meet the challenges put forward by this valuable and timely legislation.
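The subject access request and data portability timescales described above (respond within one month; extend by a further two months for complex or numerous requests, telling the requester within the first month; 40 days under the old DPA) as a worked example. This is added code, not part of the original course or the ICO's material. The course does not say how a "month" is counted, so the code assumes the ICO's convention: the deadline is the corresponding calendar date in the following month, the last day of that month if no such date exists, rolled forward past a weekend. Public holidays are ignored here to keep the example short; a production version would also roll over those.

```python
"""Subject access request (SAR) timeline calculator (added example).

Assumptions, not stated by the course: the day of receipt counts as day one,
the deadline is the corresponding calendar date one month later (last day of
the month if none), and a deadline landing on a weekend moves to Monday.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later; last day of the month if none.

    31 Jan + 1 month -> 28 Feb (29 in a leap year); 15 Dec + 1 month -> 15 Jan.
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a date that falls on Saturday/Sunday forward to the following Monday."""
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class SarTimeline:
    received: date           # day the request arrived; counts as day one
    deadline: date           # one month: respond, or tell the requester about an extension
    extended_deadline: date  # three months from receipt; applies only if extension was notified
    dpa_deadline: date       # 40 calendar days, the old Data Protection Act limit, for comparison


def sar_timeline(received: date) -> SarTimeline:
    """Compute every date a SAR handler needs to track for one request."""
    return SarTimeline(
        received=received,
        deadline=next_working_day(add_months(received, 1)),
        extended_deadline=next_working_day(add_months(received, 3)),
        dpa_deadline=received + timedelta(days=40),
    )


def is_overdue(timeline: SarTimeline, today: date, extension_notified: bool = False) -> bool:
    """True once the applicable deadline has passed without a response.

    An extension only counts if the requester was told, with reasons, within the
    first month; otherwise the one-month deadline still applies.
    """
    limit = timeline.extended_deadline if extension_notified else timeline.deadline
    return today > limit


if __name__ == "__main__":
    # Constructed sample receipt dates: a month-end and a date whose extended
    # deadline lands on a Saturday.
    for received in (date(2018, 1, 31), date(2018, 5, 25)):
        t = sar_timeline(received)
        print(f"received {t.received}: respond by {t.deadline}, extended {t.extended_deadline}, "
              f"old DPA limit {t.dpa_deadline}")
```

The month-end case is the one that catches hand-built spreadsheets: a request received on 31 January is due on 28 February, not 3 March, and the extended deadline for the same request is 30 April. Note also that the extension does not move the date by which you must tell the requester it is being extended; that stays at the one-month mark.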
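The consent requirements set out above (a positive opt-in that cannot be inferred from pre-ticked boxes or inactivity, one purpose per checkbox rather than a bundled "I agree", withdrawal as easy as granting, and a verifiable record of who consented to what, when and how) as a worked example of the record-keeping. This is added code, not code from the original course or from any organisation it mentions. The data shapes are assumptions chosen for illustration: each purpose is a string key, a submitted form is a mapping from purpose to a (pre_ticked, ticked_on_submit) pair, and the privacy notice version is a free-text label.

```python
"""Consent ledger (added example): evidencing GDPR-standard consent.

Assumed shapes: purposes are strings; a form submission is
{purpose: (pre_ticked, ticked_on_submit)}; notice versions are labels.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # exactly one purpose per event: consent is granular, never bundled
    granted: bool         # True = positive opt-in, False = withdrawal
    method: str           # how it was given, e.g. "web_checkbox", "signed_form"
    notice_version: str   # the privacy notice the subject was shown at the time
    recorded_at: datetime


class ConsentLedger:
    """Append-only log; current consent is derived from the latest event per purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_form(self, subject_id: str, form: Dict[str, Tuple[bool, bool]],
                    method: str, notice_version: str,
                    now: Optional[datetime] = None) -> List[str]:
        """Record a submitted form and return the purposes actually consented to.

        A pre-ticked box is rejected outright: a tick the user did not make
        cannot evidence consent, whatever the submitted value. An unticked box
        records nothing, since silence is neither consent nor a refusal.
        """
        now = now or datetime.now(timezone.utc)
        pre_ticked = [p for p, (default, _) in form.items() if default]
        if pre_ticked:
            raise ValueError(f"pre-ticked boxes cannot evidence consent: {pre_ticked}")
        granted: List[str] = []
        for purpose, (_, ticked) in form.items():
            if ticked:
                self._events.append(ConsentEvent(subject_id, purpose, True, method, notice_version, now))
                granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str, method: str = "self_service",
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is just another event; the evidence that consent once existed is kept."""
        now = now or datetime.now(timezone.utc)
        last = self.latest(subject_id, purpose)
        version = last.notice_version if last else ""
        self._events.append(ConsentEvent(subject_id, purpose, False, method, version, now))

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose, or None if never recorded."""
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Current state: the latest event must be a grant, not a withdrawal."""
        event = self.latest(subject_id, purpose)
        return event is not None and event.granted

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for one purpose: what an auditor or a subject access request needs."""
        return [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]


if __name__ == "__main__":
    # Constructed sample submission: three separate boxes, none pre-ticked, two ticked.
    ledger = ConsentLedger()
    form = {"email_marketing": (False, True),
            "phone_marketing": (False, False),
            "share_with_parent_company": (False, True)}
    print(ledger.record_form("subject-1", form, "web_checkbox", "notice-v2"))
    ledger.withdraw("subject-1", "email_marketing")
    print(ledger.has_consent("subject-1", "email_marketing"), ledger.evidence("subject-1", "email_marketing"))
```

Two design choices matter for the "verifiable" requirement. The ledger never deletes or overwrites: a withdrawal appends rather than removes, so you can still show that processing before the withdrawal was lawful. And the notice version is stored with every grant, so if the privacy notice later changes you can tell which subjects consented against the old wording and need to be asked again.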
