When your organisation uses third parties, it is essential to carry out your own due diligence, proportionate to the risk posed by that relationship. With businesses and partnerships around the world growing, you need to be sure that all your relationships and third parties are legal and legitimate. VinciWorks’ guide to risk-based third-party due diligence will give you a clearer understanding of how to conduct a detailed and genuine risk assessment.

Article 5 of the General Data Protection Regulation requires organisations to be able to demonstrate their compliance with the regulation. With GDPR now in force, ensuring your staff are aware of your organisation’s data protection policies is more important than ever.

Data protection changes under GDPR

Are you familiar with GDPR? Does your organisation have a process for data portability? GDPR legislation now allows individuals to obtain and reuse their personal data for their own purposes across different services. Other changes include the requirement for certain organisations to appoint a Data Protection Officer. Further, under GDPR, sensitive information now includes biometric and genetic information. This means that organisations should familiarise themselves with GDPR and ensure staff understand how to process personal data.

The General Data Protection Regulation has now come into force. The UK’s third generation of data protection law has received Royal Assent and its main provisions commenced on 25 May 2018. The new Act aims to modernise data protection laws to ensure they are effective in the years to come. VinciWorks has hosted a number of webinars to help businesses prepare for the EU-wide law.

On 24, VinciWorks hosted a full-day live webcast to answer questions, interview experts and review the changes to data protection law under GDPR.


Full-day live GDPR webcast schedule

10:00am – Q&A on lawful basis for processing, Gary Yantin and Nick Henderson, VinciWorks

11:00am – GDPR Mythbusters, Webinar replay

11:30am – So you’ve been appointed DPO. What now? Interview with Andrew Moyser, MHA MacIntyre Hudson Chartered Accountants

12:00pm – Live Q&A on privacy notices and DPIAs, Alyssa Redsun and Nick Henderson, VinciWorks

1:00pm – Data Protection Impact Assessments, Webinar replay

2:00pm – The ICO’s view – what will change after GDPR? Richard Nevinson, Information Commissioner’s Office

2:15pm – GDPR – getting it right, Alex Brown, Simmons & Simmons

2:30pm – Live Q&A – ask us anything (about GDPR), Gary Yantin and Nick Henderson, VinciWorks

3:30pm – Privacy notices, Webinar replay

4:30pm – Dawn raids – preparing for the unexpected, Karla Gahan, VinciWorks

5:00pm – Closing remarks and guidance


Under GDPR, you need an approved ‘condition for processing’ for every data processing activity, but you don’t always need to seek consent. With just a week until GDPR comes into force, Director of Course Development Nick Henderson and Director of Best Practice Gary Yantin hosted another webinar to take a deep dive into understanding the conditions for processing data which underpin all uses of personal data.

The webinar covered:

  • When do we need consent and when do we not?
  • How to rely on legitimate interest
  • Data processing scenarios
  • Answering your questions on the topic


With GDPR day less than a month away, Director of Course Development Nick Henderson continued to help organisations prepare for the new EU-wide regulation. During the webinar, Nick guided listeners through the process of conducting a DPIA. He also answered questions on the topic of DPIAs and gave guidance on next steps to those who have already begun the process.

Read more: The VinciWorks GDPR training suite

The webinar covered:

  • The seven steps of conducting a DPIA
  • The suggested DPIA timeline
  • What to do if you haven’t yet started conducting your DPIAs
  • Who should be responsible for conducting and monitoring DPIAs
  • Shared tips from attendees

Key findings

  • 55% of attendees said they haven’t consulted externally on their DPIA, while 27% said they have and 8% said they haven’t but should have done
  • Biometric and genetic data are now special categories of data under GDPR and are required to be included in a DPIA
  • It is important to act on the recommendations of the DPIA, and organisations are often required to share findings with a third party, such as the Information Commissioner’s Office (ICO)
  • Only 4% of attendees have conducted a DPIA on everything, while 30% are planning to begin the process soon


The GDPR resource page
Tens of thousands of businesses have used VinciWorks’ GDPR resources to ensure their policies and training are up-to-date

Is your organisation ready for the EU-wide General Data Protection Regulation, which comes into force on 25 May? What still needs to be done to prepare? VinciWorks has created a helpful resource page containing GDPR compliance tools, course demos, policy templates and more.

The resource page includes:

  • Course demos of all the training included in the GDPR training suite
  • Knowledge checks to test staff’s knowledge of the changes to data protection regulation under GDPR
  • Online guides, including the VinciWorks guide to GDPR
  • Downloadable and editable GDPR related policy templates
  • On-demand GDPR webinars
  • Helpful articles on GDPR compliance

Businesses across the EU, large and small, are scrambling to get privacy notices ready for GDPR


What is a GDPR-compliant privacy policy?

A GDPR-compliant privacy policy should set out the different areas where user privacy is concerned and outline the obligations and requirements of the users, the website and website owners. It should also detail the ways your organisation processes, stores and protects user data and information. The policy should be made available on your organisation’s website.

The main points that should be addressed in a privacy policy include:

  • Use of cookies: define what cookies are and how and why your organisation uses them
  • Personal information: If your organisation requests or stores personal information, this should be made clear. Under GDPR, individuals have the right to request a copy of this information and can request to be removed from the database at any time
  • Information collection and use: The policy should make clear how your organisation collects information and how long it’s stored for
  • Other information: A GDPR-compliant privacy policy must make clear how any other information that is collected, such as through registration forms or any other means, is used, and also must provide instructions on how to unsubscribe from any mailing list

What is a GDPR-compliant privacy notice?

A privacy notice tells people from whom you are taking data:

  • Who you are
  • What you are going to do with their information
  • Who you will share it with

At minimum, a privacy notice must contain those three key things. GDPR requires a privacy notice to be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, appropriate for the audience, and free of charge.

Three key aspects of developing a good GDPR privacy notice

There are three key aspects of good practice to keep in mind when developing a GDPR-compliant privacy notice.

Under GDPR, as well as meeting all of the GDPR principles, an organisation must rely on one of six legal justifications to use personal data, known as the conditions for processing. For instance, you could process a sale to a customer by relying on condition 2, fulfilling a contract.

Different conditions give different rights to individuals. Relying on consent, for instance, gives the person the right to withdraw their consent, a right they must be informed about, usually in a privacy notice.

  1. The person gave explicit consent
  2. It is to fulfil or prepare a contract
  3. There is a legal obligation (excluding a contract)
  4. To save someone’s life or in a medical situation
  5. To carry out a public function
  6. There is some other legitimate interest (excluding public authorities)

If the data is sensitive, i.e. about a person’s race, religion, or health status, there must be an additional justification to process this which can include explicit consent, employment law, or for medical purposes. Under GDPR, genetic and biometric data such as data from a biometric passport or fingerprint scans will now count as sensitive personal data.

As Facebook CEO Mark Zuckerberg continues his testimony in Congress following the Cambridge Analytica scandal, he has been set a pile of homework to beef up Facebook’s data protection policies and become GDPR compliant. While the enquiry came about following an investigation into Cambridge Analytica, in the long run it may have come at the perfect time, with GDPR just weeks away from coming into full force. During the hearing, Zuckerberg committed to implementing GDPR’s standards worldwide.

Eight things Facebook must do to comply with GDPR

Here is what the social network giant must do to ensure it is at least on the way to full compliance come 25 May 2018.

1. Appoint a data protection officer (DPO)

Under GDPR, organisations that process large amounts of personal data, are in the public sector or process particularly sensitive data are required to appoint a DPO. Facebook has certainly recognised this need, advertising the vacant position on its website and other forums. It remains to be seen, however, whether Zuckerberg will seek to appoint a DPO, or someone in a similar role, to strengthen data protection compliance across the US.