What are your personal 'Top 5' practical tips for implementing GDPR?
For example:
1. Remember that the fundamental purpose of GDPR is to PROTECT the personal data and rights of individual Data Subjects: It's the "General Data *Protection* Regulation. (This sounds obvious but is sometimes forgotten!)
2. Prioritise security awareness - don't leave it as an afterthought for your annual compliance "refresher" training! As soon as possible in the GDPR implementation, start training staff (eg Senior Managers, Project Managers and Security staff) to recognise typical examples of 'personal data' such as different types of personal unique identifiers, data that uniquely identfies an individual because they are the only person who has that Job Title, etc. Also, to always *consider* the extent to which personal data could be involved, from the outset of any project. (Broad statements such as:"There's no personal data involved in this project" usually require further investigation.) Aim to have all your staff trained to understand the Principles and the key Definitions that apply to their own roles by May 25 2018.
4. Unless you are authorised to do so, don't try to 'interpret' the meaning of any aspect of GDPR - check the meaning and its implications with your Data Protection Officer or other authorised data protection/privacy/legal lead.
5. The 'special categories' of personal data (broadly similar to 'sensitive personal data' under current EU legislation) require ADDITIONAL protection on top of any controls that will apply to 'personal data'. Security staff are well-placed to advise on "additional protection" - eg data classification, data handling and other data 'processing' requirements.
Agreed, we know the velocity of the decisions in the EU, and Germany in particular is pretty good example of how strong it could be with their Federal Data Protection Act:
https://iapp.org/media/pdf/resource_center/Eng-trans-Germany-DPL.pdf
For a great round-up of the pre-existing(non-GDPR) case law I recommend taking a look at this:
https://ec.europa.eu/anti-fraud/sites/antifraud/files/caselaw_2001_2015_en.pdf
While you have mentioned Germany, it helps to remind me of another regulator's decision on Data Protection Officer (DPO) aligning with Article 37, 38 and 39 under the GDPR during late 2016 while referencing the FDPA:
Totally, that's a no brainer on a conflict of interest, plus a IT Manager does not reach anywhere high enough in the organisation. From the link you referenced:
V. Recommendation
Companies required to appoint a DPO are thus well advised to carefully consider candidates that are free from conflicts of interest. While it does not appear necessary to preclude a DPO from having other corporate functions, the designated individual should not be in charge of, or have a personal stake in, significant decision-making relating to IT. One potential solution may be to “firewall” DPOs from such decision-making processes. Suffice it to say that this aspect of GDPR/BDSG compliance will be scrutinized heavily by German (and likely other) data protection authorities in the coming months and years.
DPOs advise this separation, so this is good advice.
There is also a school of thought I've come across that says don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation. Not the best reason IMHO, but this was from some lawyers.
You have rightfully pointed out, Early_Adopter, "... don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation...". The role is a compliance role rather than a risk management function. An IT Manager is more of a risk management or operation role and does not have a legal mandate like the DPO has under GDPR. It creates conflict of interest due to its operative nature as demonstrated in the German authority's opinion.
While you will find others like Singapore embedded DPO in its data protection regulatory rules back in 2014 and not as loudly as GDPR demands, Hong Kong continues advocating the role as a best practice and South Korea as well as Philippines have revised their regulations to accommodate the data protection role legally without mentioning DPO directly.
With GDPR being so descriptive and likely to set a 'gold' standard for the role, we will find these is likely to create a norm or increase expectations for the regulatory environment across the globe in years to come.
Other than outlaw.com:
.... Does anyone know of any legal/media sites that are centralising and tracking privacy-related items and court cases?
('The Register' tracks security news items but it can be quite partisan.)
Definitely - and there's always the possibility that the organisation 'waiting and seeing' could be the subject of a regulatory investigation or court case itself, privacy data breaches being the far-reaching and sometimes unpredictable things they are.
1. Make it cross-department effort, it is not just IT, just Legal, etc. Include Legal, IT, InfoSec, Compliance, perhaps Risk
2. Understand the data-flows and contracts in place - map the data-flows, review the contracts and consent for processing data.
3. Create a process for Privacy Risk Assessment and integrate it into the System Acquisition and Deployment, and Vendor Management processes
4. Implement Records Management practice that will enable the organisation to discover data based on an individual's names or unique identifier.
5. Deploy Threat Detection and Response capability to detect and respond to breaches if they occur
And below are the 5 stages I saw recently in a presentation:
While I am unsure of a website that offers a centralised view about privacy tracking or court cases, I find this article quite useful if you like to know the data protection or privacy enforcement actions taken across the globe, not just EU:
My number 6 would be don't be taken in by the snakeoil salesmen punting GDPR certification 🙂