Not at #AWEurope in London this week? These are the key takeaways from Monday morning's seminar with Doug McPherson from OpenX, James Fenelon from Bird & Bird, and Rebecca Stewart from The Drum, 66 Days to GDPR: Preparing for GDPR & Examining its Potential Impacts:
There are seven Data Protection principles...
- 1. Limitation of Purpose
- 2. Accountability
- 3. Accuracy
- 4. Fair, Lawful, Transparent Processing
- 5. Data Minimisation
- 6. Data Retention Period
- 7. Data Security
...and seven steps that you should take now:
- 1. Map your personal data
- 2. Define role as controller or processor
- 3. Put data processing agreements in place
- 4. Lawful Condition - is consent needed?
- 5. Legitimise cross-border data transfer
- 6. Create and/or update policies and procedures
- 7. Live Privacy by Design
Step 1: Map Your Personal Data
- Purpose - For what purposes is it collected?
- Data Subjects - Who does the personal data relate to?
- Categories of Personal Data - What personal data is received?
- Recipients - To whom is it sent?
- Data Transfers - Where is it sent? Where is it stored?
- Retention Periods - For how long is it kept?
- Technical and Organisational Measures - How is it protected?
Step 2: Define Roles
Are you a controller or processor?
- Controllers: Determine the manner and purposes around how data is processed;
- Processors: Actually process the data on behalf of the data controller;
You may be a controller for some purposes and a processor for other purposes, e.g. controller of EU employee data but processor of customer data.
Why does it matter? GDPR imposes different requirements on controllers.
Controller obligations:
- Comply with stringent data breach notification requirements;
- Comply with data subject rights under the GDPR;
- Conduct Data Protection Impact Assessments;
- Provide relevant information to the data subject regarding the collection and processing of personal data;
- Implement appropriate technical and organisational measures designed to comply with data protection principles and ensure the only necessary data is processed for the specific purposes it was collected for;
- Ensure personal data is accurate, relevant and limited to the purpose for which it was collected and is retained for no longer than necessary;
Step 3: Put Data Processing Agreements in Place
GDPR requires data controllers to execute Data Processing Agreements (DPAs) with each of their processors. In a DPA, data processors commit to (among other things):
- Maintaining security procedures that protect the confidentiality of personal data and ensure staff with access to personal data maintain confidentiality;
- Limiting access to personal data to those required to have access;
- Permitting an audit of GDPR compliance;
- Notifying the controller of security data breaches (within 72 hours);
- Returning or deleting customer data upon request at the end of the provision of the services;
- Being liable for any actions of its subprocessors;
- Allowing controllers the right to refuse to allow additional third parties to have access to their data;
Step 4: Understanding Lawful Condition - Is Consent Needed?
Controllers must be able to justify processing data (i.e. they need a lawful condition under GDPR). GDPR makes consent more difficult to obtain (consent must be specific, informed, unambiguous, active and freely given). There are consent tools that can help (like IAB's industry consent standard), but there are still a lot lot of unanswered questions:
- When is consent required (use of cookies, processing sensitive personal data, e-marketing);
- What form of consent is sufficient (ePrivacy Regulation);
- Can you rely on consent to serve the cookies, but rely on legitimate interests to process the personal data collected via cookies?;
Step 5: Legitimise Cross-Border Data Transfer
GDPR applies to all companies outside the EU that process EU data. Publishers and developers outside the EU must have an approved mechanism for transmitting any EU personal data outside the EU.
For many, Privacy Shield certification will be the simplest method to implement. If Privacy Shield certification isn't possible, consider the EU standard contractual clauses.
Step 6: Create and/or Update Policies and Procedures
EXTERNAL POLICIES
- GDPR requires more detailed disclosures in privacy policies and terms and conditions;
- Consumer-facing privacy policies, among other things, provide information about data subjects' rights;
INTERNAL POLICIES
- Policies dealing with individual rights (right to erasure, be forgotten, portability, restriction);Security Policy;
- Data Breach Policy;
- Data Retention Policy;
- Employee training on privacy and security;
- Evaluate whether you need to designate a Data Protection Officer;
- Confirm you have means to correct inaccuracies, delete personal data (the right to be forgotten);
- Review your policies and procedures regularly and make sure GDPR ownership (and awareness) is shared with key internal stakeholders;
Step 7: Live Privacy by Design
- The minimum amount of personal data is collected;
- The purposes of data collection are clearly disclosed to users and documented internally;
- Services are designed with data security in mind;
- Personal data is kept for the minimum time necessary to accomplish the purpose;
- DPIAs carried out where necessary;
- Be agile as further guidance or enforcement require modifications to your GDPR approach;
- Work with partners that are committed to GDPR or willing to put in the resources to become compliant;
Watch a replay of the live presentation right here, on AW Europe's official website.
No comments
Post a Comment