
Google & GDPR: Data Protection Compliance in 2019

Meeting all your data protection and privacy needs. Learn about transparency, accountability, security measures, sector-specific considerations, and the importance of consent and transparency.



Presentation Transcript


  1. Google, GDPR and you – Data Protection compliance in 2019 – Meeting all your data protection and privacy needs

  2. Agenda: Introduction – Google and you; Transparency; Accountability; What methods can be used to manage data protection risk? Does the paperwork match reality? Is a privacy policy enough? Security; Environment; When should a breach be reported to the ICO? What non-IT measures should we be using? How is DP affected by the sector you work in / by law? How does your culture affect data protection?

  3. Data protection is… …about people; …shorthand for the protection of people against unfair / unwarranted adverse consequences coming from your processing of their data

  4. Data Protection principles… Fair, lawful, transparent; Specified purposes; Minimisation; Accuracy; Storage limitation; Security; Accountability

  5. Where do you want to be? Cosmetic Risk Ethics

  6. GDPR and DPA 2018 Sensitivity Volume Risk Environment Other legislation, regulations and standards which may impose additional obligations on the organisation

  7. Google

  8. Google

  9. Google

  10. Consent: “Any freely given, specific, informed and unambiguous indication of [their] wishes… [either] by a statement or by a clear affirmative action”

  11. Consent: “Any freely given, specific, informed and unambiguous indication of [their] wishes… [either] by a statement or by a clear affirmative action” • “…you should provide a separate opt-in for each…unless you are confident it is appropriate to bundle them together. People should not be forced to agree to all or nothing…they may want to consent to some things but not to others.”

  12. Google Consent • Informed? • Specific? • Unambiguous?

  13. Google Transparency: “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” • Reflecting your different audiences? • Appropriate for the personal data you’re collecting? • Tailored to each of your collection / touch points? • Providing the privacy info. up front, in a policy, or later? Are you happy to explain your decisions on what goes where, and why, and how?

  14. GDPR and DPA 2018 Sensitivity Volume Risk Environment Other legislation, regulations and standards which may impose additional obligations on the organisation

  15. Organisational Context Nature, scope and scale of the organisation understood • Nature & Scope • Legislative and regulatory frameworks for specific products or services • Standards and codes of conduct • Penalties • Industry bodies • Scale • Size • Global, UK-wide, national or local • Territorial scope of GDPR • Culture • Sector • Organisation structure • History • Demographics • Locations Environment

  16. Organisational Context Nature, scope and scale of the organisation understood • How is data protection affected by • the sector you work in • other legislation? • How might (does) your organisation’s culture affect data protection? Environment

  17. Organisational Context Nature, scope and scale of the organisation understood Nature & Scope Scale Culture Environment Arts Faith Conservation Housing NHS DSP Toolkit CQC Regulated services Higher Education International Aid

  18. GDPR and DPA 2018 Transparency It should be transparent to people that personal data concerning them are collected, used, or otherwise processed and to what extent the personal data are or will be processed. Accountability The controller shall be responsible for, and be able to demonstrate compliance with, the principles Sensitivity Volume Risk • Security • Controllers and processors must use appropriate technical or organisational measures to ensure the integrity and confidentiality of personal data, including protection against • unauthorised or unlawful processing, and • against accidental loss, destruction or damage. Environment Other legislation, regulations and standards which may impose additional obligations on the organisation

  19. GDPR and DPA 2018 Accountability The controller shall be responsible for, and be able to demonstrate compliance with, the principles Sensitivity Volume Risk Environment Other legislation, regulations and standards which may impose additional obligations on the organisation

  20. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) • Policy • Approach to privacy • Risk • Roles & responsibilities • DPO or DP Lead? • Meeting the DP Principles • Metrics & Reporting • Records Management • Acceptable Use • E-Privacy • Procedure • Subject Access and other rights • Breach handling • Managing consent • Archiving and retention • Monitoring • Joining & leaving • Due diligence & procurement • Documentation • Policy & Procedures • ROPA • IAR • Privacy Information • Evidence of consent • Contracts • Retention Schedule • Checklists • Logs • Key decisions – Accountability

  21. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) “For me, the crucial, crucial change the law brought was around accountability. Accountability encapsulates everything the GDPR is about. It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks… …I don’t see that change in practice yet. I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out…that’s a problem. Because accountability is a legal requirement. It’s not optional.” – Accountability

  22. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) – HMRC; Bounty – Accountability: Case law

  23. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) “shall be responsible for and be able to demonstrate compliance with the principles” – Accountability: Prove your compliance…

  24. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) “Common sense is not so common” – Voltaire – Accountability: Prove your compliance…

  25. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) – Your Org. (Controller): Board / Trustees • Strategic accountability; DP Lead • Operational accountability; “DP champions” / All staff • Day-to-day processes; Suppliers and contractors (Processors) – Accountability

  26. Strategic Context – Organisational Goals | Board level champion | Resources | Sector-specific regulation and standards (global, national, local) – Accountability: Model Procedures; Contract Checklist; Contract Model Clauses; Audit

  27. GDPR and DPA 2018 Transparency It should be transparent to people that personal data concerning them are collected, used, or otherwise processed and to what extent the personal data are or will be processed. Accountability The controller shall be responsible for, and be able to demonstrate compliance with, the principles Sensitivity Volume Risk Environment Other legislation, regulations and standards which may impose additional obligations on the organisation

  28. Context Organisational commitment to meeting the transparency principle Purposes and lawful basis identified |ROPA completed |Data mapping completed • Modality • Channels and resources available • Different modalities for different audiences • Joint controller relationships • Indirectly collected personal data • Content • Data Controller details • Purposes and lawful basis • Rights • Retention • Data sharing • Transfers • Complaints • Accessibility • Easily accessible • Concise • Clear and plain language • Children • Vulnerable data subjects • Specific communication needs Transparency

  29. Context – Organisational commitment to meeting the transparency principle – Purposes and lawful basis identified | ROPA completed | Data mapping completed – True Visions Productions (TVP); Poland case – Transparency: Case law

  30. Context – Organisational commitment to meeting the transparency principle – Purposes and lawful basis identified | ROPA completed | Data mapping completed – Transparency: Privacy Strategy Tools; Privacy Notice Checklist

  31. Break

  32. GDPR and DPA 2018 Transparency It should be transparent to people that personal data concerning them are collected, used, or otherwise processed and to what extent the personal data are or will be processed. Accountability The controller shall be responsible for, and be able to demonstrate compliance with, the principles Sensitivity Volume Risk • Security • Controllers and processors must use appropriate technical or organisational measures to ensure the integrity and confidentiality of personal data, including protection against • unauthorised or unlawful processing, and • against accidental loss, destruction or damage. Environment Other legislation, regulations and standards which may impose additional obligations on the organisation

  33. Context Organisational commitment to meeting the integrity and confidentiality principle Risks identified | Data mapping completed | Information Asset Register • Organisational • Safe recruitment • Roles & responsibilities • Training • Physical access • Change management • Business continuity • Off-site working • Visitors • 3rd Parties • Due diligence • Contract monitoring • Rights requests handling • Data breach handling • Supply chain • Technical • Confidentiality, Integrity and Availability (CIA) • Resources and expertise • Access controls • Access monitoring • Testing • Backup and restore Security

  34. Context – Organisational commitment to meeting the integrity and confidentiality principle – Risks identified | Data mapping completed | Information Asset Register – Denmark – Security: Case law

  35. Context – Organisational commitment to meeting the integrity and confidentiality principle – Risks identified | Data mapping completed | Information Asset Register – Organisational; 3rd Parties; Technical – Security: IS Self-Assessment Tool; Due Diligence checklist; DP Contract Clauses; Web Provider guidance

  36. 8 take-aways from enforcement cases 2019 • If you need consent, ensure it’s “freely given, specific, informed” • Do your thinking up front (DPIA) • Transparency is key – and a privacy policy alone is not enough • Processes and decision making are vital • Paperwork matching reality • Sensitivity, Volume, Risk: the context of the processing is key • No security issues at play – a move away from typical fines?? • What should we do, not what can we do?

  37. Transparency Accountability

  38. Environment Security

  39. Our experts Subscription and Modules

  40. Free Data Protection Self-Assessment https://protecture.org.uk/data-protection-self-assessment/ www.protecture.org.uk help@protecture.org.uk @ProtectureDPO
