What is GDPR

On May 25th, 2018, the EU’s General Data Protection Regulation (GDPR) takes effect and becomes enforceable. The new regulation, technically known as EU 2016/679, replaces the Data Protection Directive, which already goes back to 1995. All companies now have to consider how they process and store data.

In order to adhere to the new rules GDPR data safe have created a solution that is a dynamic communication software and data storage platform. As an affordable retail data entry platform it ensures the processing of data under GDPR at each customer touch point is completed lawfully and with specific consent in line with GDPR rules.

From initial contact through to order forms, finance applications and product purchases and more, the platform provides your customers specific, granular consent information, often with two point authentication. All communication with customers is stored in a history file, with easily access for you to fulfil the GDPR individual access requirements.

The aim of the General Data Protection Regulation is to reinforce the data protection rights of the individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.

The ICO (Information Commissioner's Office) which is the Government organisation that enforces the Data Protection Act have suggested 12 simple steps to get ready for the new GDPR rules the information through out this website aims to share information and workflows to support those planning steps.

• Table of contents
• New Rules
• Rights of the Individual
• The rule book
• High level fines – Article 83
• Non compliance questions ?
• Data Transparency
• Data Audit
• Data Protection Impact Assessment
• Data Protection Officer (DPO)

Awareness: There have been rules in place to protect consumers since the Data Protection Act 1998 the key points to review in the new rules are

• Higher sanctions – up to 20 million euros – 4% of Global turnover
• Consent defined
• Must notify of breach within 72 Hours
• Clarity on the role of a Data Protection Officer
• Controllers and processors jointly liable
• Right to be forgotten
• Right to amend details
• General right not to be “profiled”
• Privacy by design introduced
• Data protection impact assessments must be prepared
• Right to restrict (freeze) processing

Reinforce the Rights of the Individual

Defined as a “natural person” individuals have data rights.

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

The information on the regulation can be found in the rule book

11 chapters – 99 Articles

• Chapter 1 (Art 1 – 4) - General Provisions
• Chapter 2 (Art 5 – 11) - Principles
• Chapter 3 (Art 12 – 23) - Rights of the data subject
• Chapter 4 (Art 24 – 43) - Controller and processor
• Chapter 5 (Art 44 – 50 - Transfer of personal data to third countries
• Chapter 6 (Art 51 – 59) - Independent supervisory authorities
• Chapter 7 (Art 60 – 76) - Cooperation and consistency
• Chapter 8 (Art 77 – 84) - Remedies, liability and penalties
• Chapter 9 (Art 85 – 91) - Provisions relating to specific processing situations
• Chapter 10 (Art 92 – 93) - Delegated acts and implementing acts
• Chapter 11 (Art 94 – 99) - Final provisions

NON Compliance Higher level Fines: Article 83

The ICO have made the point in recent communications that GDPR is not just about fines, companies need to review and understand how they process and gain specific consent for the use of an individual’s data.

The Higher sanctions – up to 20 million euros – 4% of Global turnover, these relate to

• 5: Principals relating to the processing of personal data
• 6 : The Lawfulness of processing
• 7: Conditions for consent
• 9: Processing special categories of personal data (i.e. sensitive data)
• 12 – 22 : Data subjects rights to information access, rectification, erasure, restriction of processing, data portability, object, profiling
• 44 – 49 : Transfer to third countries or international
• 58(1) Requirement to provide access to supervisory authority
• 58(2) : Orders or limitations on processing or the suspension of data flows

The questions companies should therefore consider are

• How can I minimise the risk and protect my business?
• How can my business implement a technical framework to collect specific consent and lawfully collect data?
• How can my business handle different data streams?
• How can my business uphold the new regulations and define data collection and storage?
• How can my business ensure the security and protection of personal data?

Data Protection by Design

The implantation of appropriate technical and organisational measures to show you have considered the integration data protection into your processing activities

You need to have an understanding of the

• Integration of Data Protection
• Implementation planning for GDPR
• Data Risk Management
• When a Data risk assessment is necessary
• An understanding of the data architecture

Protection by Design: Data Transparency

• Your approach to information when collecting data under the GDPR
• Clearly understand how the data might be used
• Information must be concise, easily accessible and in clear and plain language
• Data Controller will have to provide mandated information, access, restrict, and port their data
• Notices addressed to children must be child-friendly
• Consider the use of layered policies, immediate and available information
• Common use of Icons throughout workflows to aid key information points

Information you hold: Practical Data Audit

Where are your data sources?

• Website
• Advertisement
• Sales process
• Sales database
• General database
• Accounts
• HR department
• Third party storage, communication tools, archive

Just because it was permitted under data protection act does not mean it will be permitted under GDPR

• All business need to carry out a Data Audit in line with changes
• Understand the types of data you hold
• Analyse the personal data and determine the lawful purpose
• Accountability – You are required to document the analysis of lawful purposes that your data is used and retained.

If you process high volumes of sensitive data there is a legal requirements to document the data you hold and carry out and confirm a Data Protection impact assessment

• A description of processing and purposes of data
• Confirm the Legitimate interests pursued by the controller
• An assessment of the necessity and proportionality of the processing
• An assessment of the risks to the rights and freedoms of data subjectsThe measures envisaged to address the risks
• All safeguards & security measures to demonstrate compliance
• Indication of any data protection by design and default measures
• A list of recipients of personal data
• Compliance with approved codes of conduct
• Whether data subjects have been consulted

Data Protection Officer (DPO)

What does a Data Protection Officer do?

• Informs and advises on DP obligations
• Monitors the implementation and application of policies
• Staff training

Appointing a DPO:

• Designation of a single DPO for several Organization
• DPO should be accessible
• DPO should have the relevant expertise and skill and no conflicts of interest
• DPO can be appointed on the basis of a service contract

DPO : review Data Controller or Data Processor - Contracts

Audit will be required for contracts with third party processors to asses the compliant and lawful processing and storage of data

Controllers and processors equally responsible

• Review data sharing arrangements - responsibilities
• Review contracts where you appoint data processors
• Direct obligations include testing the robust protection of data
• Review your contracts where you are a data processor
• Controllers right to audit
• Review third party data security – Breech reporting – Service levels