Big school of GDPR lesson 4 - Designing project plan


What do we have to do, how, who does it and by when? How much does it cost? These are some of the questions we answer in the fourth lesson of the Big School of GDPR by ICTbusiness.info and Ostendo Consulting.

There are many elements of GDPR that you should have implemented even before this Regulation was adopted. Legislation on the management of personal data security has been in place for decades, but because the supervisory bodies lacked adequate powers (in the true sense of the word, they never became supervisors at all), only a few entities gave due attention to this growing problem.

What has changed and why is the protection of personal data suddenly becoming so important?

Two things: the trend of unauthorized processing of large amounts of personal data has suddenly expanded to worrying global proportions, and the GDPR gives the supervisory bodies the power to control and to penalize.

Tips and tricks

Let the results of the gap analysis from the previous lesson point you to the areas you need to focus on. Analyze the results and design the most effective approach. Try to design processes and tools that solve several problems at the same time.

When it comes to information systems, focus on minimizing data. Make sure that personal information is located in as few places as possible, and then properly secure those places. Pay special attention to shared folders, email, backups and test systems. However confident you are, be aware that personal information is in places where you do not expect it to be. Consider scanning the complete information system in search of personal information: you cannot secure data you are not aware of. Once you have identified it, find out which of this data you really need, and delete the rest. Note the locations where you found it and find out who stored it there and why. Consider introducing rules for data storage. When you are sure that you have dealt with the surplus, secure the remaining data. Check the approved access rights and the process by which they are approved. Encrypt the data if you can.
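The scan suggested above, as an added example that is not part of the original lesson: a small scanner that runs a few personal-data detectors (email, phone, payment card) over constructed sample files standing in for shared folders, backups and test fixtures. Card candidates are confirmed with a Luhn check so that arbitrary digit runs are not reported, and the report keeps only counts per location, so the scan result does not itself become one more copy of the personal data. File contents, paths and the phone number format are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample "files" (path -> content), standing in for what a scan of
# shared folders, mailboxes, backups and test systems would read from disk.
SAMPLE_FILES = {
    "shares/sales/leads_2017.csv": (
        "name,email,phone\n"
        "Ana Horvat,ana.horvat@example.com,+385 91 234 5678\n"
        "Ivo Kos,ivo.kos@example.org,091/234-567\n"
    ),
    "test/fixtures/payments.json": (
        '{"card": "4111 1111 1111 1111", "note": "not a card: 1234 5678 9012 3456"}'
    ),
    "docs/readme.txt": "Contact support at support@example.com. Build 2018-03-01.",
}

# Detectors for a few common kinds of personal data. Regexes alone over-match,
# so a match may additionally be confirmed by a validator (Luhn for cards).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+\d{1,3} ?)?0?\d{2}[ /-]?\d{3}[ /-]?\d{3,4}(?!\d)"),
    "card": re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


VALIDATORS = {"card": lambda v: luhn_ok(re.sub(r"\D", "", v))}


def scan_text(text: str) -> dict:
    """Count confirmed hits per kind. Only counts are kept: the report must not
    become yet another store of the personal data it was meant to find."""
    hits = Counter()
    for kind, rx in PATTERNS.items():
        check = VALIDATORS.get(kind, lambda v: True)
        for m in rx.finditer(text):
            if check(m.group(0)):
                hits[kind] += 1
    return dict(hits)


def scan_files(files: dict) -> dict:
    """Map every path that contains personal data to its per-kind hit counts."""
    report = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


def prioritize(report: dict) -> list:
    """Order locations by total hits so the largest stores are dealt with first."""
    return sorted(report, key=lambda p: sum(report[p].values()), reverse=True)


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path in prioritize(found):
        print(path, found[path])
```

The output is a list of locations to follow up on (who stored the data there, and why), which is the input the lesson asks for before deciding what to delete and what to secure. Replace SAMPLE_FILES with a directory walk to run it over real shares.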

Do you really need actual personal data in development, test and business analysis systems, or can you work with anonymized or pseudonymized data? Keep to the general rule: production data should be encrypted, and all other data anonymized or pseudonymized whenever possible.
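As an added example (not code from the original lesson), one way to produce a test copy of production data that follows the rule above: direct identifiers are replaced with keyed pseudonyms (HMAC-SHA256), so rows from different tables still join, while quasi-identifiers such as date of birth and postal code are generalised and attributes that tests do not need are dropped. The records, table layout and the key are constructed for the example; the real key would stay in production, because anyone holding it could recompute the pseudonyms of known customers.

```python
import hashlib
import hmac

# Constructed production-like records; in practice these come from the production DB.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Ana Horvat", "email": "ana.horvat@example.com",
     "phone": "+385 91 234 5678", "birth_date": "1984-06-12",
     "postal_code": "10000", "plan": "premium"},
    {"customer_id": "C1002", "name": "Ivo Kos", "email": "ivo.kos@example.org",
     "phone": "091/234-567", "birth_date": "1991-02-03",
     "postal_code": "21000", "plan": "basic"},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C1001", "amount": 120.0},
    {"order_id": 2, "customer_id": "C1001", "amount": 35.5},
    {"order_id": 3, "customer_id": "C1002", "amount": 80.0},
]

# Constructed demo key. The real key stays in production (or a vault) and is never
# copied to the test environment, otherwise the pseudonyms could be recomputed.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone")


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic pseudonym: the same input always maps to the same token
    (so joins keep working), but without the key it cannot be recomputed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymize_customer(c: dict, key: bytes) -> dict:
    pid = pseudonym(c["customer_id"], key)
    return {
        "customer_id": pid,
        "name": "Customer " + pid[:6],           # replaced, not hashed: names are guessable
        "email": pid + "@example.invalid",       # keeps the column usable in tests
        "phone": None,                           # dropped: tests do not need it
        "birth_year": int(c["birth_date"][:4]),  # generalised quasi-identifier
        "postal_area": c["postal_code"][:2] + "000",
        "plan": c["plan"],                       # business attribute, not personal data
    }


def pseudonymize_order(o: dict, key: bytes) -> dict:
    # Only the link to the customer changes; order data itself is not personal.
    return {**o, "customer_id": pseudonym(o["customer_id"], key)}


def pseudonymize_dataset(customers: list, orders: list, key: bytes) -> tuple:
    return ([pseudonymize_customer(c, key) for c in customers],
            [pseudonymize_order(o, key) for o in orders])


def leaked_values(original_customers: list, *pseudonymized_tables) -> list:
    """Return every direct identifier from production that survives in the test copy."""
    blob = repr(pseudonymized_tables)
    return sorted(v for c in original_customers for k, v in c.items()
                  if k in DIRECT_IDENTIFIERS and v in blob)


def joins_intact(pseudo_customers: list, pseudo_orders: list) -> bool:
    """Every order must still point at a customer row in the pseudonymized copy."""
    ids = {c["customer_id"] for c in pseudo_customers}
    return all(o["customer_id"] in ids for o in pseudo_orders)


if __name__ == "__main__":
    pc, po = pseudonymize_dataset(CUSTOMERS, ORDERS, DEMO_KEY)
    print(pc, po, "leaks:", leaked_values(CUSTOMERS, pc, po), sep="\n")
```

The leaked_values check is the part worth keeping in a pipeline: run it on every refresh of the test database so that a newly added column holding personal data is caught before the copy is handed to developers.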

In this lesson, however, we will not deal intensively with the security elements that you should have implemented long ago. We will focus on the changes brought by GDPR.

Twelve things you certainly do not have

We, of course, cannot guess the results of your gap analysis, but we can focus on the elements that you will certainly need to implement. Compared with previous regulations, GDPR brings some changes: things that did not exist in this form before, so you could not have known about them and could not have implemented them.

Raising awareness

First of all, the management and the relevant managers need to be genuinely aware that there is a new regulation they must comply with. They have to understand its implications for the business and actively engage in developing a business strategy that is aligned with GDPR requirements. You need to develop and implement a program to build a corporate culture of keeping personal information confidential.

List the personal information you have

Analyze your business processes and find out which personal information you have, where you collect it and with whom you share it.

Communication of information on the protection of personal data

Identify all means of communication in which you describe how personal data is handled, including the protection you require from third parties. This includes internal policies and procedures, contracts with privacy clauses, privacy notices on the web, emails, etc. Harmonize them with the GDPR requirements.

Individuals' rights to privacy and access to data

Check all internal procedures to ensure that the rights of individuals are covered. Make sure you can provide:

Right to be forgotten (Can you delete an individual's data without consequences for data integrity?)

Right to transfer (Can you export the data to CSV or another easy-to-read file at an individual's request and do you know which data you can export?)

Make sure that individuals can simply request access to the personal information you hold about them and to the processing you carry out. Design this procedure and communicate it clearly. When designing the process, ensure that the time it takes to carry out does not exceed the deadlines defined by the regulation.
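The two questions above, worked through as an added example that is not part of the original lesson: a constructed SQLite database with customers and orders, an export of everything held about one person as CSV (the right to transfer), and an erasure that removes the identifying data while keeping the order history that accounting still needs. A plain DELETE of the customer row is shown alongside, because with foreign keys enforced it fails, which is exactly the "consequence to data integrity" the question asks about. Schema, rows and the allowlist of personal-data tables are constructed for the example.

```python
import csv
import io
import sqlite3
from datetime import datetime, timezone

# Constructed schema standing in for a production database.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, erased_at TEXT);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    amount REAL NOT NULL, created TEXT NOT NULL);
"""

# Tables holding data about a person, with the column that links them to the customer.
# A fixed allowlist (never user input), so interpolating these names into SQL is safe.
PERSONAL_TABLES = {"customers": "id", "orders": "customer_id"}


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce referential integrity
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers(id, name, email, phone) VALUES (?, ?, ?, ?)", [
        (1, "Ana Horvat", "ana.horvat@example.com", "+385 91 234 5678"),
        (2, "Ivo Kos", "ivo.kos@example.org", "091/234-567"),
    ])
    conn.executemany("INSERT INTO orders(customer_id, amount, created) VALUES (?, ?, ?)", [
        (1, 120.0, "2018-01-15"), (1, 35.5, "2018-02-20"), (2, 80.0, "2018-03-01"),
    ])
    conn.commit()
    return conn


def export_subject(conn: sqlite3.Connection, customer_id: int) -> str:
    """Right to transfer: everything held about one person, as CSV with one section
    per table so that it stays machine-readable."""
    out = io.StringIO()
    writer = csv.writer(out)
    for table, link in PERSONAL_TABLES.items():
        cur = conn.execute(f"SELECT * FROM {table} WHERE {link} = ?", (customer_id,))
        writer.writerow([f"# {table}"])
        writer.writerow([col[0] for col in cur.description])
        writer.writerows(cur.fetchall())
    return out.getvalue()


def naive_delete(conn: sqlite3.Connection, customer_id: int) -> bool:
    """What 'just delete the row' does while orders still reference it."""
    try:
        with conn:
            conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def erase_subject(conn: sqlite3.Connection, customer_id: int) -> int:
    """Right to be forgotten: blank the identifying columns but keep the customer row
    as an anonymous stub, so the retained order history stays consistent.
    Returns the number of rows erased (0 if already erased)."""
    with conn:
        cur = conn.execute(
            "UPDATE customers SET name = NULL, email = NULL, phone = NULL, erased_at = ? "
            "WHERE id = ? AND erased_at IS NULL",
            (datetime.now(timezone.utc).isoformat(timespec="seconds"), customer_id))
    return cur.rowcount


def integrity_ok(conn: sqlite3.Connection) -> bool:
    return conn.execute("PRAGMA foreign_key_check").fetchall() == []


def order_count(conn: sqlite3.Connection, customer_id: int) -> int:
    row = conn.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,))
    return row.fetchone()[0]


if __name__ == "__main__":
    db = open_demo_db()
    print(export_subject(db, 1))
    print("plain delete worked:", naive_delete(db, 1))
    print("erased rows:", erase_subject(db, 1), "integrity ok:", integrity_ok(db))
    print(export_subject(db, 1))
```

The erased_at column doubles as the record that the request was fulfilled and when, which is what you will need when demonstrating that the regulation's deadlines were met; the PERSONAL_TABLES allowlist is the same list you build when inventorying where personal information lives.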

Legal basis for data processing

You do not always have to ask for consent to collect personal information. In many cases you will have a legal basis for it. Identify and document the legal bases for collecting personal information and explain them clearly in your communication with the individuals the data belongs to.

Consent

Check all the ways in which you collect personal information: whether you clearly explain what the information will be used for, and whether it is given voluntarily. Pay great attention to transparency, clarity and accuracy in this communication. As a rule, you may keep the information only as long as necessary for the processing for which consent was given. Ensure that the consents collected are logged and that processing is carried out solely in accordance with them.

Children

If there is a possibility that the personal data you collect belongs to children, design and establish a way to verify the age of the person giving consent, which in this case must be a parent.

Incidents

Define procedures and responsibilities, and establish mechanisms for identifying, reporting and investigating personal data leaks.

Integrated technical data protection

This is one of the most technically complex requirements. Fortunately, you do not need to implement it on old information systems. It is a general approach to the design of information systems, which from the outset must take into account the GDPR requirements for the protection of personal data and ensure they are implemented. Revise the existing processes for development, procurement and commissioning of information systems, as well as the change management process for information systems. Ensure that each key stage identifies and implements privacy protection requirements, as well as functional requirements such as the right to be forgotten. Ensure that personal information does not end up in test systems, or that it is adequately secured there.

Assessment of the effect on data protection

Introduce a process for assessing the effect on data protection that ensures the organization is aware at all times of any processing of sensitive data, and that the regulator is notified in a timely manner of high-risk assessments.

Personal Data Protection Officer

Define the structure of responsibility for the protection of personal data. At a minimum, appoint a Personal Data Protection Officer and clearly identify his or her position in the organizational structure in accordance with GDPR requirements.

If you are part of an international organization

If your organization is part of a larger international organization, and especially if, as part of your business, you send personal information outside the EU, determine which regulator your organization is answerable to.

Plan(s)

Agree on how you will meet every single requirement from the organizational, legal and technological side. Be aware that the technical fulfillment of the IT requirements will take the most time and the most significant resources. Divide the project into at least two sub-projects that run simultaneously: an organizational-legal one and a technological one.

Appoint the persons responsible for the implementation of each of these sub-projects. Ensure their excellent mutual communication. The project sponsor must be a member of the management board.

In the following lessons, we will go into more depth about some of the activities in this plan you need to implement.