
Feb Issue 1 - PrimeConduct › resources › Feb-Issue-1.pdf · 2019-05-31

THE DATA GENERAL FEB 2019 Issue 1

pg. 1

The Data General

Feb 2019

BRIDGING THE COMMUNICATION GAP

IN THIS ISSUE

Data Privacy can be a bit of a dry topic, yet the risks of ignoring the law are significant.

The benefits of getting it right are even more significant, so we thought we should bring you a quick-to-read summary of what is happening in the wider world of Data Privacy that has not hit the big media headlines.

We would like to help bridge the communication gap so that a wider audience can understand the critical legislation known as the GDPR, which under UK law is implemented and supplemented by the Data Protection Act 2018.

We will also include some tips to help your organisation.

What do we do?

We help our clients comply with the UK DPA and the EU GDPR so that, rather than being just a threat, compliance becomes an opportunity to streamline processes and improve the quality of the information you have already collected.

Our services include audit and action plan, training, business transformation and ongoing support. The cornerstone of this support is our Data Protection Officer (DPO) Service. To mitigate the cost of employing a DPO directly, we provide a suitably skilled and qualified DPO as a service.

Not everyone needs a full-time DPO. Our service bridges this gap by providing as many or as few days as you need. This could be as little as half a day per quarter, but whatever you choose, you are assured of professional backup when needed.

Some organisations have a DPO but cannot cope with the effort needed to reach a compliance plateau where day-to-day management is reliable, and we can help there too, by supplementing your existing resources.

We have decades of experience of delivering and managing services in highly regulated industries and have expert in-house skills in the fields of security, data management and programme implementation.

How do we do it?

First and foremost, we approach from a pragmatic and ethical viewpoint. Whatever the organisation, whether a business, charity or social enterprise, our role is to help achieve ongoing compliance with the law and to focus on the positive outcomes from this.

You cannot respond to a Subject Access Request (SAR) if you do not know where all the data is and, if challenged, on what lawful basis you are holding it.

Training is a major issue, as all staff need to understand their responsibilities and how to respond to issues. Training reduces the risks of mishandling personal data and helps avoid a breach.

Processes are important, and templated SAR responses give you consistent communication and a reliable, repeatable method.

We are here to help: you can find us at PrimeConduct or Contact Us.

PrimeConduct Newsletter (page 1). A quick read on what is happening in Data Privacy and how it might impact you.

ICO Registration is a must-do (page 2). Many have still not registered, but there really is not a lot of choice about this simple step.

Partial Compliance (page 2). A large proportion of businesses have only changed their Privacy Policy.

True Compliance (page 3). Having every piece of the puzzle delivers true compliance.

Fast Facts (page 3). Facts and tips.


pg. 2

ICO Registration is a must-do

It is the simplest action you can take to avoid the fines, but many organisations are still not registered with the ICO. The annual fee is typically £40, versus a £4,000 fine.

What is the ICO? The ICO is the Information Commissioner's Office, the regulator designated by the Data Protection Act 2018 (DPA) to enforce the provisions of the Act. It also adjudicates complaints under the Freedom of Information Act, although of course you can always resort to the courts.

Why Register? Registration is one way of building trust with your customers; it is a step on the compliance journey that tells everyone you take your obligations seriously.

It is really simple to discover whether an organisation is registered or not, as the ICO publishes a public register at https://bit.ly/2LIFhxH. If you have not registered, anyone can see that.

Do I need to Register? The ICO provides an easy and simple self-assessment, which you can find here: https://bit.ly/2HFyNMM

If you store personal information, however little, try the self-assessment, or contact PrimeConduct for a free, no-nonsense conversation.

Can I stick my head in the sand? Not really. Anyone can report you to the ICO through a very simple online complaints form, and the fines are a lot more than the annual fee.

For most organisations the fee is only £40 per annum, but the fines can be £4,000. By November 2018 the ICO had fined 103 organisations, 16 of which were hit with a £4,000 fine.

That, of course, is just the beginning, because if you have not registered and are managing personal data you are inviting an investigation. The fines can be astronomical, or, in the case of one Swedish company, the regulator simply shut it down: no fine, just closure.

Partial Compliance

Partial compliance is a bit like believing you have secured the door just because there is a latch on it. You have to ask: is it bolted, where is the padlock, and who checked it?

Website Privacy Policy. You may need more than one Privacy Policy, for example an external and an internal one. However, downloading a template Privacy Policy is a route to problems.

A Privacy Policy is a statement of how those who run the organisation view the protection of personal data. It is unlikely that a template will match your organisational ethos or aspirations.

It tells the world that you care about your customers or the members of your organisation. It is a policy statement that has to be backed up by action, management and process. There are still many organisations with policies that reference the 1998 Act, a strong indicator that there is no true compliance.

Up-to-date Privacy Policy: yes, but what else? The 2018 Act requires organisations to look hard at the data they keep and why they are keeping it. One well-known organisation told us very proudly that they had cleared out half of their warehouse of personal information files, to which the obvious question is: why have you kept the other half?

You need to minimise the data you keep, so that you only hold what is absolutely necessary. Which brings us to the next issue: lawful basis.

Why do you have this data? Much of the Data Protection Act appears simple, but can you explain why you hold each item of data? If you are an online business that has to deliver goods or services to people, you could not provide that service without an address, but where did you write that justification down?

There are six lawful bases for processing personal data under Article 6 of the GDPR: consent, contract, legal obligation, vital interests, public task (public interest) and legitimate interests. Not all data in your organisation will be kept for the same reason, and each basis is tightly defined.

What are you going to do with it? This is another one where you can get caught out. You have to be clear and transparent about what you are going to do with the data. "For various marketing purposes" is too broad and no longer acceptable, and selling data to other parties without explicit, transparent consent is unlawful.

Half a job will not help you if you get investigated or called out by a customer.



pg. 3

FAST FACTS

50%: According to Forrester, 50% of companies had a data breach in 2017.

62%: Of data breaches were paper-based, compared to 32% electronic.

28%: Although 72% of breaches were caused by malicious outsiders, a staggering 28% were avoidable insider accidents or errors.

69%: Of data breaches involved identity theft.

22%: Of breaches involved financial information such as accounts and cards.

50%: Of companies are not compliant at all, and only 30% have full compliance.

FOR MORE INFORMATION

We are pragmatic, helpful and ethical.

We belong to the IAPP

PrimeConduct: contact us at PrimeConduct or Contact Us.

Data Mapping. A list of all the personal data you have collected and the lawful basis for collecting each item. You must clearly define how long you keep each item.

Data Flow. Where do you store data, and how does it move internally and externally? Policies and contracts must support where the data is and how it is collected.

Contracts. You are accountable for the actions and omissions of all third parties you use and their sub-contractors, as well as your own employees. The status of each contract must be documented.

Data Protection Impact Assessment (DPIA). Where processing is likely to result in a high risk to individuals, you are also required to carry out a DPIA. This document assesses the risks associated with the data you hold and how it is held and used.

Record of Processing Activity (ROPA). A ROPA is mandatory for all but a narrow set of small organisations. It is a record of the personal data being used and the justification for using it. It shows any third parties involved and the security measures applied, particularly to sensitive data.

Privacy Policy and Training. Privacy policies summarise your respect for the fair, lawful and transparent use of personal data. Training ensures everyone understands their role in keeping your business reputation safe.

Subject Access Requests. Individuals have specific rights of access to, and control over, the data you hold on them. There are defined timescales to complete these requests, normally one calendar month.

Data Breaches. Data breaches will occur, and there is defined guidance on how they must be managed. This can involve advising the regulator and those affected by the breach: a notifiable breach must be reported to the ICO within 72 hours of becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high.

Risk Register. A Risk Register documents the issues you have with holding personal data. It shows you are managing risks responsibly and is a visible sign of your focus on meeting compliance.

DPO Service. Ongoing management of SARs, breaches and training, and ensuring privacy by design as the organisation grows and changes.

True Compliance

Comprehensive compliance comes from completing the picture with all the pieces of the puzzle.