GDPR compliance without the complexity

GDPR Toolkit

Most management systems, compliance, and certification projects require documented policies, procedures, and work instructions. GDPR compliance is no exception: documentation of policies and processes is vital to achieving compliance.

The ITG GDPR Documentation Toolkit gives you a complete set of easily customizable GDPR-compliant documentation templates to help you demonstrate your compliance with the GDPR’s requirements quickly, easily, and affordably.


“Having recently kicked off a GDPR project with a large international organisation, I was tasked with creating their Privacy Compliance Framework. The GDPR toolkit provided by IT Governance proved to be invaluable, providing the project with a well organised framework of template documents covering all elements of the PIMS framework. It covers areas such as Subject Access Request Procedure, Retention of Records Procedure and Data Protection Impact Assessment Procedure, helping you to put in practice policies and procedures to enable the effective management of personal information on individuals. For anyone seeking some support with their GDPR plans, the toolkit is well worth consideration.”

– Chris Prantl


66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home

Two-thirds of remote workers risk potentially breaching GDPR guidelines by printing out work-related documents at home, according to a new study from Go Shred.

The confidential shredding and records management company discovered that 66% of home workers have printed work-related documents since they began working from home, averaging five documents every week. Such documents include meeting notes/agendas (42%), internal documents including procedure manuals (32%), contracts and commercial documents (30%) and receipts/expense forms (27%).

Furthermore, 20% of home workers admitted to printing confidential employee information including payroll, addresses and medical information, with 13% having printed CVs or application forms.

The issue is that, to comply with the GDPR, all companies that store or process personal information about EU citizens within EU states are required to have an effective, documented, auditable process in place for the collection, storage and destruction of personal information.

However, when asked whether they have disposed of any printed documents since working from home, 24% of respondents said they haven’t disposed of them yet as they plan to take them back to the office and a further 24% said they used a home shredding machine but disposed of the documents in their own waste. This method of disposal is not recommended due to personal waste bins not providing enough security for confidential waste and therefore still leaving employers open to a data breach and potential fines, Go Shred pointed out.

Most concerning of all, 8% of those polled said they have no plans to dispose of the work-related documents they have printed at home, with 7% saying they haven’t done so because they do not know how to.

Source: 66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home via Infosecurity Magazine


‘2019 is the year of enforcement’: GDPR fines have begun

The Information Commissioner’s Office levied fines against British Airways and Marriott International for violating the GDPR.

Source: ‘2019 is the year of enforcement’: GDPR fines have begun – Digiday

British Airways faces $230 million fine over GDPR breach

Marriott Faces GDPR Fines: A DPO and CISO Discussion

Steps to GDPR Compliance





5 ways to avoid a GDPR fine

After the ICO issues $450 million of GDPR fines in a week, be sure you’re not next.
Source: 5 ways to avoid a GDPR fine

GDPR For Consultants – Training Webinar

 

What You Need to Know about General Data Protection Regulation


How to write a GDPR data breach notification procedure – with template example

Discover how to write a GDPR data breach notification procedure to help you with your GDPR compliance, including a free template example.

Source: How to write a GDPR data breach notification procedure – with template example – IT Governance Blog

Personal data breach notification procedures under the GDPR

Organizations must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”.

Help with creating a data breach notification template

The picture above is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organization to communicate the breach from:

  • Data processor to data controller;
  • Data controller to supervisory authority; and
  • Data controller to data subject.

 

GDPR Implementation Bundle


Privacy notice under the GDPR

 


A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.

Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. These are more detailed and specific than in the UK Data Protection Act 1998 (DPA).

The GDPR says that the information you provide must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and
  • Free of charge.

Help with creating a privacy notice template

The privacy notice should address the following to sufficiently inform the data subject:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

Below is an example of a customisable privacy notice template, available from IT Governance.

[Image: GDPR Privacy Notice Template, an example from the EU GDPR Documentation Toolkit, available to purchase from IT Governance]

If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

  • A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.






Six Essential Data Protection and Privacy Requirements Under GDPR

By Leighton Johnson, CISA, CISM, CIFI, CISSP

With the advent of the European Union (EU) deadline for General Data Protection Regulation (GDPR) (EU 2016/679 regulation) coming up on 25 May 2018, many organizations are addressing their data gathering, protection and retention needs concerning the privacy of their data for EU citizens and residents. This regulation has many parts, as ISACA has described in many of its recent publications and events, but all of the efforts revolve around the protection and retention of the EU participants’ personal information. The 6 main areas for data protection defined in this regulation are:

  1. Data security controls need to be, by default, active at all times. Allowing security controls to be optional is not recommended or even suggested. “Always on” is the mantra for protection.
  2. These controls and the protection they provide must be embedded inside all applications. The GDPR view is that privacy is an essential part of functionality, the security of the system and its processing activities.
  3. Along with embedding the data protection controls in applications, the system must maintain data privacy across the entire processing effort for the affected data. This end-to-end need for protection includes collection efforts, retention requirements and even the new “right to be forgotten” requirement, wherein the customer has the right to request removal of their data from an organization’s storage.
  4. Complete data protection and privacy adds full security and business requirements to any processing system within this data privacy framework: business requirements and data protection requirements are to be treated as equally important throughout the business process.
  5. The primary requirement for protection within the GDPR framework demands the security and privacy controls implemented are proactive rather than reactive. As its principal goal, the system needs to prevent issues, releases and successful attacks. The system is to keep privacy events from occurring in the first place.
  6. With all of these areas needed under GDPR, the most important point for organizations to understand about GDPR is transparency. The EU wants full disclosure of an organization’s efforts, documentation, reviews, assessments and results available for independent third-party review at any point. The goal is to ensure privacy managed by these companies is not dependent upon technology or business practices. It needs to be provable to outside parties and, therefore, acceptable. The EU has purposely placed some strong fine structures and responses into this regulation to ensure compliance.

Having reviewed various organizational efforts in preparation for GDPR implementation, it has been found that it is good practice to look at these 6 areas for all the collected and retained data, not just EU-based data. This zero-tolerance approach to data breaches is purposely designed to be stringent and strong. Good luck to all in meeting and maintaining the data privacy and security requirements of GDPR.

Steps to EU GDPR compliance

 






How ISO 27001 can help to achieve GDPR compliance


By Julia Dutton

Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

Managing people, processes and technology

ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.  By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed.  Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.

What does the GDPR say?

The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Let’s look at these items separately:

Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks.  ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.  Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information.  Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.

Risk assessment

ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and to take steps to assure the confidentiality, availability and integrity (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.

Business continuity

ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

Testing and assessments

Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

The requirements to achieve compliance with ISO 27001 of course do not stop there.  Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support.  ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

Related articles:

  • Read more about ISO 27001 and the GDPR
  • GDPR Documentation Toolkit and gap assessment tool
  • Understanding the GDPR: General Data Protection Regulation

 






GDPR essentials and how to achieve compliance


The GDPR replaces the existing patchwork of national data protection laws with a pan-European regulatory framework effective from 25 May 2018. The GDPR applies to all EU organizations – whether commercial business or public authority – that collect, store or process the personal data (PII) of EU individuals.

Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. Compliance consultants must know the following nine tenets of the GDPR.

  • Supervisory Authority – A one-stop-shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU.
  • Breach Disclosure – Organizations must disclose and document the causes of breaches, the effects of breaches, and the actions taken to address them.
  • Data Processors – A processor must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorization. If requested by the data subject, you must cease processing and using his or her data for a limited period of time.
  • Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes to which the data subject originally and explicitly consented, so you must obtain and document consent for one specific purpose at a time.
  • Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by the data subject, you must erase their data on premises, in apps and on devices.
  • Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or on necessity for the performance of a contract, or where processing is carried out by automated means.
  • Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR, so that you have evidence to support your claims if the supervisory authority has any cause to investigate.
  • Fines – Major noncompliance with the law will be punishable by fines of up to €20 million or 4% of group annual worldwide turnover, whichever is greater.
  • Data protection by design – Organizations must ensure data security and data privacy across cloud and endpoints, and must design their systems and processes to protect against unauthorized data access and malware. Specifically, organizations must take appropriate technical and organizational measures before data processing begins to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

 

How to improve information security under the GDPR

Although many businesses understand the importance of implementing the right procedures to detect, report and investigate a data breach, not many are aware of how to go about this effectively, especially during the implementation phase.

 

Seven steps that can help you prevent a data breach:

  1. Find out where your personal information resides and prioritize your data.
  2. Identify all the risks that could cause a breach of your personal data.
  3. Apply the most appropriate measures (controls) to mitigate those risks.
  4. Implement the necessary policies and procedures to support the controls.
  5. Conduct regular tests and audits to make sure the controls are working as intended.
  6. Review, report and update your plans regularly.
  7. Implement a comprehensive and robust ISMS.

 

ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

Related articles on GDPR and ISO 27k

The GDPR and Personal Data…HELP! from Cloud Security Alliance





Data flow mapping under the EU GDPR

As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

Data items

  • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

Formats

  • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

Transfer method

  • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

Location

  • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

Accountability

  • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

Access

  • Who has access to the data in question?
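To make the key elements above concrete, here is an added example (not from the original post, and not Vigilant Software's tool) that records each flow with those elements, flags flows that leave the EU, carry special category data, or have no accountable party, and reports where accountability changes hands as data moves on. The sample flows, locations and the `in_eu` flag are constructed assumptions.

```python
"""Minimal data flow map check for GDPR scoping. Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Special categories named in the post (health data, criminal records).
# Location data is listed there as a category but is not a special category.
SPECIAL_CATEGORIES = {"health data", "criminal records"}


@dataclass(frozen=True)
class Location:
    name: str
    in_eu: bool  # recorded during the mapping exercise (assumption)


@dataclass(frozen=True)
class DataFlow:
    """One transfer of personal data, described by the post's key elements."""
    flow_id: str
    data_items: Tuple[str, ...]   # what kind of data (name, email, ...)
    category: str                 # which category it falls into
    fmt: str                      # hardcopy, digital, database, ...
    transfer_method: str          # post, telephone, API, ...
    source: Location
    destination: Location
    accountable: str              # who is accountable for the data after this flow
    access: Tuple[str, ...]       # who has access to it at the destination


def leaves_eu(flow: DataFlow) -> bool:
    """A transfer from inside to outside the EU, one of the post's example flows."""
    return flow.source.in_eu and not flow.destination.in_eu


def is_special_category(flow: DataFlow) -> bool:
    return flow.category.strip().lower() in SPECIAL_CATEGORIES


def assess_flows(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Return, per flow id, the reasons the flow needs attention (e.g. when
    scoping a DPIA). Flows with no findings are omitted from the result."""
    findings: Dict[str, List[str]] = {}
    for f in flows:
        reasons = []
        if leaves_eu(f):
            reasons.append("transfer from inside to outside the EU")
        if is_special_category(f):
            reasons.append(f"special category data: {f.category}")
        if not f.accountable:
            reasons.append("no accountable party recorded")
        if reasons:
            findings[f.flow_id] = reasons
    return findings


def accountability_handoffs(flows: List[DataFlow]) -> List[Tuple[str, str, str, str]]:
    """Pairs of consecutive flows (same data items, second starts where the
    first ends) where the accountable party changes, since the post notes
    accountability often changes as data moves through the organisation."""
    by_source: Dict[str, List[DataFlow]] = {}
    for f in flows:
        by_source.setdefault(f.source.name, []).append(f)
    handoffs = []
    for f in flows:
        for nxt in by_source.get(f.destination.name, []):
            shares_items = bool(set(f.data_items) & set(nxt.data_items))
            if shares_items and nxt.accountable != f.accountable:
                handoffs.append((f.flow_id, nxt.flow_id, f.accountable, nxt.accountable))
    return handoffs


# Constructed sample map (hypothetical organisation, not real data).
BERLIN = Location("Berlin office", True)
DUBLIN_PAYROLL = Location("Payroll provider, Dublin", True)
US_ANALYTICS = Location("Analytics SaaS, US region", False)
EMPLOYEE_HOME = Location("Employee's home", True)
BANK = Location("Bank, Dublin", True)

SAMPLE_FLOWS = [
    DataFlow("F1", ("name", "bank account"), "financial data", "database", "SFTP",
             BERLIN, DUBLIN_PAYROLL, "HR manager", ("payroll team",)),
    DataFlow("F2", ("email", "IP address"), "location data", "database", "API",
             BERLIN, US_ANALYTICS, "Marketing lead", ("analysts",)),
    DataFlow("F3", ("name", "sick note"), "health data", "hardcopy", "post",
             EMPLOYEE_HOME, BERLIN, "HR manager", ("HR team",)),
    DataFlow("F4", ("name", "bank account"), "financial data", "digital", "API",
             DUBLIN_PAYROLL, BANK, "", ("bank",)),
]

if __name__ == "__main__":
    for flow_id, reasons in assess_flows(SAMPLE_FLOWS).items():
        print(flow_id, "->", "; ".join(reasons))
    for prev, nxt, before, after in accountability_handoffs(SAMPLE_FLOWS):
        print(f"accountability changes {prev}->{nxt}: {before!r} -> {after!r}")
```

Running it lists F2 (leaves the EU), F3 (health data) and F4 (no owner), plus the handoff from F1 to F4 where nobody is recorded as accountable.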

 

The key challenges of data mapping

  • Identifying personal data – Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
  • Identifying appropriate technical and organizational safeguards – The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
  • Understanding legal and regulatory obligations – Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.

Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

 

Data flow mapping

To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.


GDPR Documentation Toolkit and gap assessment tool

Data Protection / EU GDPR Toolkits

 

Use this gap assessment tool to:

  • Quickly identify your GDPR compliance gaps
  • Plan and prioritize your GDPR project

EU GDPR Compliance Gap Assessment Tool

 

Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

  • A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
  • Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
  • Direction and guidance from expert GDPR practitioners.
  • Includes two licenses for the GDPR Staff Awareness E-learning Course.

EU General Data Protection Regulation (GDPR) Documentation Toolkit






EU GDPR: Does my organization need to comply?

By Chloe Biscoe

The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.

Who needs to comply with the GDPR?

The GDPR will apply to all organizations outside of the EU that process the personal data of EU residents.

Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million ($23.5 million) – whichever is greater.

Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.

What do US organizations need to do to comply with the GDPR?

The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.

For US organizations, the most significant change concerns the territorial reach of the GDPR.

The GDPR will supersede the current EU Data Protection Directive. Under the current Regulation, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: How to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.

Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State.

Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield

EU GDPR & EU-US Privacy Shield – A Pocket Guide, August’s book of the month, is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.

Alan Calder’s EU GDPR & EU-US Privacy Shield – A Pocket Guide explains in simple terms:

  • The terms and definitions used within the GDPR and the EU-US Privacy Shield
  • The key requirements
  • How to comply with the Regulation

 

Data Protection / EU GDPR Toolkits

 





How to Become a Data Protection Officer


The role of a Data Protection Officer (DPO) is a fairly new one in many companies. What’s more, the need to hire a DPO often comes as a response to the General Data Protection Regulations (GDPR) which were implemented back in 2018.
As such, the responsibilities, reporting and structure of the role are primarily defined by GDPR guidelines.

But though it might be a fairly new role, it can be a very exciting and rewarding one. So if you’re considering a career as a data protection officer, this guide is for you. Below, we’ll take a look at what the role entails and what you need to do to get a job as a DPO.

What is a Data Protection Officer and What Do They Do?

In a nutshell, a data protection officer is a steward for data protection and privacy within a business. They must implement effective data protection strategies and facilitate a culture of data protection throughout the company. This is to ensure companywide compliance with GDPR. The appointment of a DPO is mandatory in some businesses, particularly those in the public sector or those that process a large amount of personal data. That being said, some businesses choose to appoint a DPO even though they are not legally required to as it pays to have someone in charge of compliance and data privacy.

In the general data protection regulations, it is stated that the DPO should report directly to the highest management level. As a DPO, some of the key responsibilities include:

  • Ensuring that a business applies the laws of data protection appropriately and effectively, as well as following these regulations and legislations.
  • Educating and training management and all other employees about GDPR and other data protection statutes as well as about compliance and demonstrating effective measures and strategies for data handling and processing.
  • Conducting regular security audits.
  • Acting as the point of contact between the company and any supervisory authorities (SAs). For example, if there is a data breach, it is the job of the DPO to report this to the relevant authorities.

With this in mind, here’s how you can tailor your career path to lead to the role of a data protection officer.

In order to become a DPO, what skills might you need…

Becoming a Data Protection Officer

Certified Data Protection Officer

Data Protection and the Cloud 

Data Protection and the Cloud – Are you really managing the risks?


TikTok sued over its use of children’s personal data

TikTok is again being accused of illegally processing children’s personal data.

The latest claim has been brought by Anne Longfield, the former children’s commissioner for England, who is suing the video-sharing app on behalf of 3.5 million children in the UK.

She alleges that TikTok is violating the GDPR (General Data Protection Regulation) by collecting excessive data and failing to explain what it’s used for.

Children’s data is subject to special protections under the GDPR, including the requirement that privacy policies must be written in a way that’s understandable to the service’s target audience.


New Federal Data Privacy Legislation Proposed

In late March 2021, Representative Susan DelBene (D-WA 01) introduced legislation to the 116th Congress to protect consumer privacy and put control of consumers’ data in their own hands.

DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with their own flavor and each serving the needs of a particular constituency/demographic. DelBene argued that having a federal policy will stem consumer confusion and put the United States back into the conversation on global privacy policies. The EU, for example, is pushing their General Data Protection Regulation (GDPR) as the global standard.

The Information Transparency and Personal Data Control Act (pdf) will ensure that an individual’s personal identifying information (PII), and all information pertaining to children under the age of 13, are protected. The bill requires:

  • Companies produce their privacy policies in “plain English” within 90 days of the bill’s passage.
  • Users must “opt in” before companies may use their sensitive PII. In doing so, the user is made aware of how the information may be used and, more importantly, how it is not to be used. Companies will have 90 days to put this capability in place once the legislation becomes law.
  • Companies must be transparent when it comes to sharing user information – who, what, where, how and why.
  • The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense and empower state attorneys general to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
  • Trust, yet verify by requiring, every two years, a “neutral” privacy audit to ensure companies (with information from 250,000 or more people) are handling PII in accordance with the provisions of the Act.

The bill will provide to the FTC 50 additional full-time employees, of which 15 must be technical experts (not further defined), and initial funding for the program will be $35 million.

Privacy as a Service can help

If you are a business looking to comply with various data privacy laws, look no further. We can help with Privacy as a Service. 👍

The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:

* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager

What are the best books on data privacy?

Luke Irwin

Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.

With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.

So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.

Let’s take a look at some of our most popular titles. Below are the four best books on Data Privacy.


EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition

This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.

It explains the Regulation’s requirements in terms you can understand and helps you understand data subjects’ rights and the way consent requests have changed.

You’ll also gain a deeper understanding of the GDPR’s technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.

Data Protection and the Cloud – Are you really managing the risks?

Cloud computing is becoming a bigger part of the way organisations do business, but you need to understand the privacy risks that come with it.

In this guide, data protection expert Paul Ticher shows you how to use the Cloud safely and in line with the requirements of the GDPR and the NIS (Network and Information Systems) Regulations 2018.

EU GDPR: An international guide to compliance

Written by Alan Calder, IT Governance’s founder and executive chairman, this book is an essential introduction to the GDPR.

It’s ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.

It also provides invaluable advice on how you can meet the GDPR’s requirements.

This includes broad measures that your organisation should implement as well as tips on things you should and shouldn’t do when processing personal data.

The California Consumer Privacy Act (CCPA): An implementation guide

If your organisation collects California residents’ personal data, you must comply with the CCPA (California Consumer Privacy Act).

The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.

Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law’s scope and how to achieve compliance.

California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course

Training course outline

The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).

Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.

Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:

  • Demonstrate an understanding of privacy and cybersecurity law concepts, and basis of national/state jurisdiction 
  • Define terms used in the CCPA/CPRA and contrast to the GDPR 
  • Articulate the rights of consumers, and determine the duties of a business 
  • Examine the CPRA’s security requirements and prepare relevant responses 
  • Use the CPRA to determine what action(s) should be taken in the event of a breach 
  • Demonstrate an understanding of the CPRA’s penalty provisions 

5 key privacy trends for 2021

Source: 5 key privacy trends for 2021

As organisations become increasingly reliant on the use of personal data, the risks they face grow exponentially.

Last year we saw a record number of data breaches and a surge in penalties for regulatory violations, but 2021 is set to be even more perilous as public demand for data privacy grows, COVID-19 scams continue and data protection laws become more complex following Brexit.

Here are our five key data privacy trends for this year.

1. There will be more public awareness of privacy rights

This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.

All of this information is helping consumers become more aware of their rights.

Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.

The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.

There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.

Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.

2. Brexit will continue to cause headaches

Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.

For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.

Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.

3. We shouldn’t expect an adequacy decision imminently

Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.

For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.

But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.

Currently, personal data can continue to flow between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.

In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.

The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.

4. GDPR enforcement will be more consistent

In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.

In some cases, the fines were minuscule, but in others the penalties were large.

It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.

We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.

Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.

5. Cookie laws will come under greater scrutiny

From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.

This is evident in the £91 million fine levied against Google for its ad tracking practices, as well as the recent actions from Max Schrems and his organisation NOYB.

So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.

Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.

Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.

Meet your data privacy requirements with IT Governance

You can find out more about data privacy and the steps you must take to protect the information you process with our Privacy by Design Foundation Training Course.

One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.
