With less than 65 days to ensure GDPR compliance (firms must be compliant BEFORE the 25th of May 2018, not on the 25th!), Cyber Insure draws attention to these essential points introduced by the GDPR:
Regulated businesses will need to ensure that all privacy policies are updated and compliant.
Where consent is the lawful basis for collecting personal data, GDPR mandates that consent must be "explicit" for certain categories (the special categories of data, such as health, biometric and genetic data). Consents which pre-date GDPR may no longer be valid if they were not obtained to the GDPR standard, and all consents obtained going forward must meet the new threshold.
Interestingly, Internet of Things (IoT) products which have built-in privacy settings must, by default, be set to the most privacy-friendly setting, with users given the option to alter the setting as part of the initial set-up process. This follows from the GDPR obligation of data protection by design and by default (Article 25), which applies to the controller deploying the product.
Enhanced rights for individuals
GDPR establishes rights covering (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling and automated decision-making, to name a few.
The right to data portability entitles individuals to receive the personal data they have provided to you in a structured, commonly used and machine-readable form, and to have it transmitted to another controller, quite possibly a competitor.
A significant shake-up for the UK privacy landscape is that GDPR mandates reporting of a personal data breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the report is late, the reasons for the delay must be given.
Where the breach is likely to result in a high risk to the individuals affected, they will also need to be notified, in addition to the Commissioner.
This will bring with it the associated costs of legal fees, notification letters, call centres, etc. Check your cyber policy to make sure these costs are covered.
Binding Corporate Rules for controllers and processors will be expressly recognised for the first time as a means of legitimising transfers, and so should be considered as a transfer mechanism for data transfers out of the European Economic Area. Also, if the UK leaves the European Union without a "data deal", transfers of personal data between the UK and Europe may not be permitted unless appropriate safeguards are in place. Businesses should examine affected data flows now and develop contingency plans for data transfers post-Brexit.
GDPR is quite clear that businesses must not only comply but be able to demonstrate their compliance (the accountability principle), and those who fall foul of the law will be asked to do so. This means, for example:
- (i) maintaining certain documents, such as records of processing activities;
- (ii) carrying out Data Protection Impact Assessments (DPIAs, the GDPR successor to Privacy Impact Assessments) for high-risk processing;
- (iii) implementing Privacy by Design and Default in all activities, which requires a fair amount of upfront work.
Cyber Insure recommends the following:
- 1. Update your business's data security breach plan. If you don't have one, create one within the framework of GDPR, including the 72-hour reporting deadline.
- 2. Establish an internal accountability framework for all parts of your business, e.g. monitor processes and procedures, train staff on GDPR, and review vendor contracts for privacy clauses.
- 3. Review all privacy notices and policies, ensuring these are GDPR compliant. Seek professional assistance if you are in any doubt.
- 4. Audit your international transfers. Do you have a lawful basis to transfer data? How will transfers continue post-Brexit?
- 5. Conduct a comprehensive audit of all your consents. Is your business lawfully processing data, and within the scope of the consent given? Review the default privacy settings on your IoT devices.