GDPR in Ten Simple Steps

The document outlines a 10-step process for complying with GDPR data protection regulations. The key steps are to appoint a Data Protection Officer, complete a data audit to understand where all data is stored and how it is processed, and create a data map. The first 3 steps of appointing an officer, auditing data, and mapping data flows must be completed first before addressing the remaining security, privacy, training, and third party steps.


Ten Simple Steps

Our ten-step process goes like this:

Step 1: Appointing the Data Protection Officer

Step 2: Complete the Data Audit - Otherwise Known As - Where Is All Your Data?

Step 3: Make Your Data Map

Step 4: Get Straight on Security

Step 5: Tell it like it is with Privacy Notices

Step 6: Get it in Writing: Privacy Policies

Step 7: Get on the Training Train

Step 8: Assessing the Impact with PIAs

Step 9: What to do if it All Goes Wrong - Data Breach Reporting

Step 10: Dealing with Third Party Pain

By following our ten-step plan, you’ll be on the road to compliance in no time.

Which Step do I take first?

Steps 1, 2 and 3 must be done first. Steps 4 through 10 do not need to be done in sequence. You
may find that you are tackling some of Steps 4 to 10 concurrently. It is best to read the entire guide,
so you have a better idea of the priority of the remaining steps. It may seem overwhelming at first,
but we will take it one step at a time. Speaking of, let’s get on with Step 1 – the Data Protection
Officer.

Page 1 of 28
Step 1: The Data Protection Officer

When do you have to appoint a Data Protection Officer?

Not every organization is required to have a Data Protection Officer (DPO). In small companies
where there is little data processing, it wouldn’t make sense to have one. However, under Article 37
of GDPR, your company must appoint a DPO if:

• You are a public body; or

• You carry out monitoring of individuals on a large scale (for example you monitor people’s online
behaviour); or

• Your “core activities” consist of large scale processing of special categories of data (special
categories include data about race, religion, health, sex life, and sexual orientation) or criminal data
(which for some strange reason is not a special category of data).

If you fail to appoint a DPO when you should, you could be in line for a large fine of up to 2% of
global annual turnover or €10 million.

What is the DPO supposed to do?

Under GDPR, the DPO should have adequate experience and knowledge of data protection law and
practices. The DPO has a number of tasks set down in GDPR including:

• Advising the company on GDPR and data protection laws

• Monitoring GDPR compliance

• Providing advice on data protection Risk Assessments (more on this in step 4)

• Dealing with Regulators

• Being a contact point on all things data protection

• Managing data processing risk

Key Points:

• Some companies are legally obligated under GDPR to appoint a DPO.

• A DPO must operate independently and report to the highest level of the company.

• You must tell Regulators and customers who your DPO is.

• Appointing a DPO may help save your company money.

Step 2: Complete the Data Audit – Otherwise Known as Where Is All Your Data?

Why must you carry out a Data Audit?

If your GDPR project is like building a house, then the Data Audit is laying the foundation. The Data
Audit will provide you with an inventory of your data, which will help you to prepare a data map and
data flow diagram (more on this later).

You carry out your Data Audit to find out:

• Where your data is;

• How it is processed;

• How long you keep it;

• How secure it is;

• Where it is transferred;

• Whether there is a lawful basis (under the processing conditions) for data processing;

• What Data Protection controls you have in place; and

• What you need to do to attain GDPR compliance.

Any sizeable company is likely to carry out many Data Processing operations. For example, if a
company is a bank, its data processing may include:

• Looking at huge swathes of customer data to help it understand how to better sell its products to
customers and predict trends in the market (known as “Big Data analytics”);

• Collecting information about customers’ website browsing; and

• Sharing information with police if a customer is being investigated.

The Data Audit helps you understand how these processes are operating in order to see whether
improvements need to be made. When the Data Audit is complete, the company can take action to
keep it on the right side of GDPR compliance.

Example Questionnaire sections may be:

1. Data subjects – Whose data do we hold?

2. Type – Describe the type of personal data that we hold. This may include name, address, medical
information, credit check history, Internet browsing history, etc.

TIP: Be sure to think about data broadly. For instance, you may have customer data, supplier data,
other third-party data, and employee data.

3. Electronic – Describe the data that is stored on our electronic systems.

4. Paper – Describe where we store paper data.

5. Direct Collection – Describe how we collect data directly from the data subject (e.g. online form,
phone calls, paper forms etc.).

6. Collection from other sources – Do we collect any data on the data subject from other sources
such as credit check databases?

7. Privacy Notices – What Privacy Notices do customers receive?

8. Consent – What consents are collected from customers from online forms or over the phone?

9. Processing – List the types of processing we carry out on the data (e.g., analytics on customer
data, credit checks etc.).

10. Marketing – Describe any marketing or promotions we carry out using data.

11. Sharing – List with whom we share data.

12. Third parties – Which other third parties store our data?

13. Transfers – Is any of our data transferred outside the EEA? Please give details.

14. Storage – Give details about how and where our data is stored.

15. Cookies – Give details of any cookies that are used on our website.

16. Timeliness – How is our data kept up-to-date?

17. Deletion – How and when is our data deleted?

18. Subject Rights – How do we make sure we give effect to data subjects’ rights?

19. Controls – What systems and controls do we have in place in relation to data (e.g. policies, staff
training etc.)?

This is a non-exhaustive list, but it is a good starting point for your Data Audit.

Your Questionnaire may need to include definitions, explanations and examples. Not everyone in the
business will understand the phrase “data subjects’ rights.” Before people start completing the
Questionnaire, make sure they understand each of the questions and the terminology used. It’ll save
you a giant headache later because people tend to ignore things they don’t understand.

Who should I send it to?

Questionnaires should be sent to someone in each department, such as sales, human resources,
legal, finance, marketing, operational standards, and call centres. Make sure you send it to someone
senior within the Department.

Keep in mind that you may want to tailor your Questionnaire for different roles. For instance,
Human Resources is unlikely to use data for marketing purposes, so it may make sense to strip out
unnecessary questions on a by-role basis.

Remember that communication is key. It is best to avoid sending emails saying, “Please complete
attached Data Audit Questionnaire.” Instead, try calling the people you want to answer the
Questionnaire, so you can preview the request.

After your call, write a follow-up email such as: “Hi Claire, we are currently carrying out an important
project to update our processes so that they are in line with the new General Data Protection
Regulation. As I said on the phone today, we need your expertise in understanding how personal
data is processed in your department. Would you be able to complete this by Feb 1? Let me know if
you have any queries.”

What do I do next?

Once you have received the Questionnaire responses back, you should go through all of them with a
highlighter pen and highlight the areas that:

• Require further information; and

• Pose a potential risk to your company.

It is a good idea to arrange to meet each person who completed a Questionnaire so that you can
obtain further information on any issue they raised.

Key Points:

• Audit needed – You need to carry out a Data Audit to better understand what your company is
doing with its data and what GDPR risks are present.

• Questionnaire – You should prepare a Questionnaire that asks for details on how data is
processed.

• Send it out – The Questionnaire should be sent to all departments of the company that carry out
data processing.

• Follow up with meetings – When you receive the completed Questionnaires you should review
them and follow up with in-person meetings to ensure you properly understand how data is
processed.

Once you’ve finished your Data Audit, you’re going to need a way to aggregate and organize all of
the information. That’s where Step 3 comes in – mapping your data flows.

Step 3: Make Your Data Map

Preparing a report on your Data Audit

Now that you’ve completed your Data Audit, you should prepare a written report summarizing how
data is used across your company. The report should include details about the processing that is
carried out. Share the results with Legal, Compliance, and anyone else who should know about your
data use.

Mapping your data flows

To begin the data mapping process, you need to understand the data flows in your business. This
means understanding:

• How data flows into the company

• How we share it internally

• Who has access to it

• Who we share it with

• Whether we are transferring any data abroad

The next step is to prepare a visual map of the flows to help you understand these processes.

Preparing the Risk Register

After your data mapping exercise is done, it’s time to prepare your Risk Register.

What is a risk register?

A risk register is a form or a document that sets out the different data privacy risks your company
faces.

For example, if you work in a marketing company and you find out the company is sending spam
emails to people on behalf of a retail company without the customer’s consent, you would:

• Note this on your risk register as a key risk;

• Decide how risky this spam email practice is by giving it a score (e.g. from 1-10 or from low to
high); and

• Describe what you need to do next to deal with the risk (e.g. warn the board of how dangerous it
is, look toward obtaining customer consents where you are able to etc.).

What should my Risk Register include?

The Risk Register should detail:

• The major risks regarding how your data is used;

• The aspects of processing that could potentially breach GDPR; and

• Details of what you need to do next.

Your Risk Register might look like this (columns: Data Processing; Carried out by; Risk Rating;
Potential Breaches of GDPR?; Next steps):

Data Processing: Sending marketing emails to customers and others with vague consents
Carried out by: Head of sales
Risk Rating: High
Potential Breaches of GDPR?: Marketing emails are being sent without proper consents
Next steps: Change all consents to ensure they are sufficient and allow customer to withdraw
consent. Train Marketing team

Data Processing: CCTV footage collected of employees working and people on the street outside the
office with no signage telling people about the recording
Carried out by: Head of security
Risk Rating: High
Potential Breaches of GDPR?: Risk that the first principle in relation to fair, lawful and transparent
data processing has been breached
Next steps: Suspend CCTV while we consider how to carry out less invasive form of building security

Data Processing: No entrance security or visitors register kept
Carried out by: Head of security
Risk Rating: High
Potential Breaches of GDPR?: Risk to GDPR principle to keep data secure. Inadequate controls around
building makes data less secure
Next steps: Audit access to the building and man reception desk. Tighten security around the
building generally

Data Processing: Data passed to marketing companies to help analyse which customers to target in
future
Carried out by: Head of sales
Risk Rating: Moderate
Potential Breaches of GDPR?: We obtain customer consents to this on our online forms and we make
sure that we only use data where we have obtained consents
Next steps: Check that our consents are good enough and check that we do not use any data where
customers have not consented

Data Processing: No information given to customers about how we use their data on our websites or
our documents
Carried out by: Legal
Risk Rating: High
Potential Breaches of GDPR?: This breaches GDPR in terms of using data fairly, lawfully and
transparently
Next steps: Draft Privacy Notice for websites and customer documents to explain to them how we
use their data

Data Processing: Staff are not trained on how to use data
Carried out by: Legal
Risk Rating: High
Potential Breaches of GDPR?: This potentially breaches GDPR in relation to ensuring data is kept
securely
Next steps: Prepare online training module and provide face-to-face sessions with Legal, Sales,
Information Technology, and Human Resources

Key Points:

• Map the data flows – Drawing a map of the data flows will help you pinpoint the issues.

• Prepare a Data Audit report – When the Data Audit is complete, you should prepare a report about
how data is processed within your company.

• Prepare a Risk Register – You should prepare a Risk Register that outlines:

  • The major risks inherent in the way data is being used;

  • How these activities could breach GDPR; and

  • What you need to do next.

Now that your data audit and data mapping are complete, let’s turn to the most important task of
all: securing the ship.

Step 4: Get Straight on Security

What does GDPR say about Data Security?

Article 5(f) of the GDPR says data must be “processed in a manner that ensures appropriate security
of the personal data, including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Article 32 gives more detail on this and explains that the greater the damage that could be caused to
customers by a data breach, the greater the effort you have to make to keep the data secure.

The GDPR ups the ante in several ways when it comes to data security. For instance:

• Huge fines can be levied against companies for data breaches;

• Processors can now be punished if they do not keep data secure; and

• There is a mandatory requirement to report data breaches (see Step 9 - Reporting Data Breaches).

Inspecting the ship

Before you can move on to tackling the data security issues you face, you must first find your
vulnerabilities.

You need to investigate your current data security before you can make improvements to your
systems and controls.

How do you go about inspecting the ship? It is a good idea to prepare a table that helps you
understand what your data security issues are. Your Data Audit can help with this.

Below is an example Data Security Table that can help you to assess your existing data security:

Data Security Issue / Questions / Answers (the Answers column is left blank for you to complete):

Building Security
• Is the building secure?
• Could members of the public get access to customer data?
• Is CCTV in place?
• Is there a record of who gets into the building?

Computer systems
• Are software updates installed regularly?
• Do your systems monitor for unusual activity?
• Is your data backed up?
• Do you use breach detection technology?

Employees
• Do employees receive any training on data security?
• Do employees know how to report a data breach to the DPO?
• What access do employees have to customer data?

Policies and Procedures
• Do you have adequate policies and procedures in place?

Third parties
• Which third parties have access to our data?
• Are there contracts in place to ensure that third parties behave when they are handling our data?

What do I do now?

Data security can be a highly technical area that could merit a collection of books in itself. However,
there are three areas of concern you should always consider.

(1) Plugging the Leaks – The Staff

Staff are widely considered to be the most common cause of data breaches.

Make sure your staff is trained to keep data secure by focusing on topics such as:

• What to do if there is a data breach;

• How to transfer data securely both inside and outside the office;

• How to work securely from home;

• How to comply with your company Data Protection Policy;

• How to avoid falling victim to malware, phishing, and blagging attacks;

• Being careful with company information on social media;

• Setting proper passwords;

• The maximum penalties under the GDPR;

• How to report a data breach to the DPO’s email address or a hotline.

See Step 7 – Get on the Training Train for further information.

(2) Plugging the Leaks – Cybersecurity

Cybersecurity includes the technology, policies, and procedures you have in place to protect your
data against cybercrimes such as hacking or ransom attacks.

Cybersecurity is essential to GDPR compliance. The biggest Regulator fine to date in the UK (against
TalkTalk in October 2015) was imposed due to cybersecurity failure. The Information
Commissioner’s Office fined TalkTalk £400,000 for inadequate website security. TalkTalk had not
updated their database software adequately, which led to hackers being able to attack the website
and steal the data of almost 157,000 customers.

Make sure your cybersecurity is in good shape across the company.

Top Tips:

• Breach detection – Some cybersecurity breaches happen for months or even years before the
company becomes aware. Cyber criminals can be subtle operators. Make sure the Information
Technology and Security people in your company have implemented proper breach detection
technology so that they would be alerted of a cyber-attack at the earliest opportunity.

• Software patches – Software applications must be updated regularly to ensure that flaws in
security are remediated. If your software needs updating, it means that there is a vulnerability, and
the ship may be leaking. Fix it.

• Penetration Testing – Carry out regular “pen tests” (penetration testing) of your network to ensure
you fix the weak spots before hackers exploit them.

• Encryption – Encrypting data when it is stored and when it is in transit can mitigate against the
worst effects of hackers. You should consider using a risk-based approach to determine which of
your data should be encrypted. It is always wise to have an Encryption Policy in place.

(3) Plugging the Leaks – The Data Breach Response Plan

Suffering a data breach such as a hack is inevitable for most companies.

“There are only two types of companies: those that have been hacked and those that will be.” –
Former FBI Director Robert Mueller

Your company is going to need a Data Breach Response Plan in place, so it knows how to respond if a
cyber-attack or any other type of data breach occurs. We cover data breach planning in Step 9 –
What to Do When It All Goes Wrong: Preparing for and Reporting Data Breaches, but for now, just
know that having a data breach plan is a critical part of data security.

Key Points:

• Data Security is the most important part of GDPR compliance.

• Inspect your ship.

• Train your staff.

• Make sure you have adequate cybersecurity.

• Put a Data Breach Response Plan in place.

• Get Cyber insured.

Now that we know we’re running a tight ship that’s ship-shape, it’s time to let the world know what
we’re doing with their data.

Step 5: Tell it Like It Is with Privacy Notices

What is a Privacy Notice?

A Privacy Notice is the way in which you tell customers (or other data subjects – I use “customers”
for ease of reference) about how you use their data.

Examples of different types of Privacy Notices are:

• An online Privacy “policy” or notice on a website;

• A paragraph about how your information is used in your pension documents; or

• A company giving you information over the phone about calls being recorded.

The main Privacy Notice, or what I like to think of as the “Master” Privacy Notice, is the customer-
facing Internet Privacy Notice. All of your other Privacy Notices should be shortened versions of the
Master Privacy Notice document, and any shortened version must be consistent with the Master
document.

What does GDPR say about Privacy Notices?

Under Article 5 of GDPR we must use data fairly, lawfully and transparently. Under Articles 13 and
14, customers also have the right to be informed about how their data is used. This is why
companies need Privacy Notices. A company may be breaching GDPR if it does not inform customers
about what it is doing with their data.

Rules about Privacy Notices can be found in Articles 12, 13, and 14 of GDPR. GDPR requires that
Privacy Notices be understandable, accessible, and written in plain language.

The information in Privacy Notices must always be made available to the customer free of charge.

Is there anything I have to include?

Under GDPR there are certain things the Privacy Notice must contain, including:

• The identity and contact details of your company and the DPO;

• The reasons for processing the customer’s data and the legal basis for doing so;

• The categories of data you are processing (you do not need to include this if you are collecting the
information directly from the customer);

“Categories of data” means the types of personal data that you are processing. For example, a
company might be using a customer’s name, address, email address, credit check details and details
about the customer’s health in order to decide whether to provide the customer with healthcare.

• Source of the data;

• Who it might be disclosed to;

• Details of where it might be going in the world (i.e. international transfers);

• How long we keep the data, and details about the customer’s rights;

• Whether the customer is legally or contractually required to provide it and the consequences if
they refuse to provide it;

• Details about profiling that may be carried out (see the Introduction for more details on profiling);
and

• Information on the right to lodge a complaint with a Regulator.

When do I need to give the Privacy Notice to the customer?

Under GDPR there are some technical rules about when you must provide privacy notification
information to the customer.

• If you are collecting the data directly from the customer, then you need to give her privacy-related
information at the time you are obtaining the data. For example, if a customer is completing an
online form, she should be able to see the Privacy Notice at the time of completion.

• If you are getting the customer data from a third party, you need to give privacy-related
information to the customer either:

  • Within a reasonable period, or one month at the latest; OR

  • If the data is to be used to communicate with the customer, you must give it to her as soon
  as you communicate with her; OR

  • If the data obtained from the third party is going to be given to a fourth party, you must give
  the Privacy Notice to her before you give her data to the fourth party.

How much detail should we include in the Privacy Notice?

We do not need to include every tiny detail in the Privacy Notice. If something is perfectly obvious, it
does not need to go in.

For example, if I order a book on Amazon, do I really need to be told that they might pass my details
to a courier in order that they can deliver it to my apartment in London? Probably not.

But if I am buying a movie news app and the app owner plans to carry out big data analytics using
my data, should I be told of this in the Privacy Notice? Most definitely. Big data analytics is a much
more controversial practice, and I deserve to know this.

Where do I start?

Before you start drafting your Privacy Notices, you need a good idea about what is happening with
data in your organization. Pull out your completed Data Audit and Data Map from Steps 1 and 2.
They’ll help you to complete the exercise.

You’ll want to draft your Master Privacy Notice (the customer-facing Internet Privacy Policy) first. To
do this, we need to come up with a Privacy Notice Plan.

Your Privacy Notice Plan will be divided into three main sections:

• How we collect your information;

• What we do with it; and

• Who we share it with.

Privacy Policies and Employees

Don’t forget that you need a separate Privacy Notice for employees to instruct employees on (1)
how your company collects their information, (2) what the company does with it and (3) with whom
the company shares it. You can put this Privacy Notice in your Staff Handbook or intranet page.

For example, a Privacy Notice may need to advise employees in the staff handbook that their emails
are being monitored. The Privacy Notice to the employees may read as follows:

“We pay attention to how our computer systems are used at work. This includes checking that
employees are using emails in the appropriate way. We observe emails for the use of inappropriate
language and keeping an eye on emails that are sent outside our company to make sure that our
employees are behaving in a manner that is consistent with our company policies. For more details
click here www.AcmeStaffHandbook.com.”

Key Points:

• Some matters are required within Privacy Notices under GDPR (such as the contact details of the
company and the DPO);

• You do not need to include every detail in the Privacy Notice;

• Layered is good;

• Keep it short and clear, avoid jargon, present it well, and use an appropriate tone.

Now that we’ve communicated with our customers, it’s time to put it in writing with our Staff Policies.

Step 6: Get it in Writing – Staff Policies

Why do we have to change our policies?

Maybe you don’t. But GDPR has changed the rules on how you can process data and it is likely that
your policies will need to be updated as a result.

What policies do we need to have in place to be GDPR compliant?

Part of the Accountability Principle under Article 5 of GDPR means you are expected to put in place
appropriate corporate governance around personal data. Having appropriate policies in place is a big
part of that corporate governance.

The essential policies are:

1. Data Protection Policy

What is it? An essential guide to employees regarding how they may use data, how they can keep it
secure, and the consequences of misuse.

Why do we need it? Employees cause many data breaches, and a good Data Protection Policy can
prevent such breaches by helping employees understand how they are supposed to handle data.

2. Data Retention Policy

What is it? A statement explaining when data in documents or held electronically should be
destroyed or deleted. It sets out the time limits for deleting different types of documents.

Why do we need it? GDPR says that data cannot be kept for longer than necessary. Breaching this
principle can attract the upper tier of fines, so we have to educate employees on data deletion.

3. Data Breach Incident Policy

What is it? An emergency plan that tells your company what to do if a data breach occurs, how to
form a team to deal with the breach, how to prevent any further loss of data and whether to tell
customers and Regulators.

Why do we need it? So that vital time isn’t wasted figuring out what to do if a disaster strikes. You
want to protect your customer data and your job if you suffer a data breach. This is a critical policy.

What other policies should we consider putting into place?

There are a number of other Data Protection Policies that you should consider putting into place
including:

• Big Data Policy – What you can and cannot do with Big Data under GDPR.

• Human Resources and Data Protection Policy – How to treat employee data.

• Marketing and Data Protection Policy – The rulebook on sending customers offers and promotions.

• Social Media Policy – Explains what employees are allowed to post on social media, sometimes
including on private accounts.

• Encryption Policy – How, when and why we encrypt data.

• Outsourcing Policy – What you need to do if you are sending data to a business partner.

• Bring Your Own Device Policy – The manual on how to use a personal device in the course of your
job.

Of course, some of the policies mentioned above can be rolled into your Data Protection Policy, but
frequently it is more useful to have separate policies. Having one tome that covers all topics can be
off-putting to employees. It is more manageable to split them into shorter policies on distinct topics.

Key Points:

• Most companies will need to change some policies to align with GDPR.

• You may need some new Data Protection Policies such as Data Breach Incident Plan, Big Data
Policy, Human Resources and Data Protection Policy, Marketing and Data Protection Policy, Social
Media Policy, and Bring Your Own Device Policy.

Make sure your policies are:

• Easy to find

• Easy to understand

• Short

• Consistent

• Enforced

Now that our policies are in place, let’s get on the training train.

Step 7: Get on the Training Train

Why do we train staff on Data Protection and GDPR?

Staff training is one of the most crucial parts of GDPR. Your company staff will be processing data in
all sorts of ways, and they need to know how to do it compliantly.

If you want them to process data according to your policies, you are going to need to make sure they
have proper training on Data Protection and that includes GDPR.

Staff training on data security is critical to keeping data safe and avoiding the penalties of GDPR. One
recent study said that human error is the leading cause of data breaches, featuring in 37% of data
breaches.[7] You don’t want your company to become a statistic.

Examples of data breaches that have been caused by employees include:

• A con man pretending to be the company CEO tricked an employee into sending the personal
details of 700 staff members out of the company.

• A nurse’s laptop containing sensitive unencrypted data was stolen.

• A lawyer stored sensitive case files on the family computer. The files were accidentally uploaded
onto the Internet.

• An employee took a sensitive social worker’s file and left it in his car. The car was then stolen.

How do we train staff?

Training is usually performed online and/or in person. Sometimes webinars take the place of in-
person training but feature a live person who can answer questions. Training can provide all staff
with a working knowledge of Data Protection.

Online training

Many companies prefer to use online training courses because employees can individually choose
the best time to take the course. Online training also provides a one-stop-shop for training, which
can easily be deployed at a convenient time. For instance, if your company has employees on sick
leave or parental leave, it is highly convenient to assign them the same course everyone else has
taken when they return to work.

Online training can be procured in two ways: off-the-shelf and bespoke.

Off-the-Shelf Online Training

Many training companies have off-the-shelf training courses that can be taken by your employees
online or loaded into your company’s Learning Management System. It is generally more cost effective
to buy an off-the-shelf version of online training. However, off-the-shelf courses are not tailored to
the specific needs of your business.

Let’s say that an off-the-shelf training course features a manufacturing environment in the example
scenarios. If you are working at a technology company, it may be difficult for your employees to
apply the lessons presented in the off-the-shelf training to their day-to-day activities.

Page 17 of 28
Additionally, off-the-shelf training may not provide the specificity needed to teach employees in
different roles about concepts that apply to their work.

For example, Peter and Sumit work in a huge car repair company. Peter works in the call center and
Sumit is in charge of the company’s social media marketing. Peter and Sumit have very different
privacy training needs because Peter needs to be trained on how to interact on the phone with
customers whereas Sumit needs to be taught about privacy rules relating to marketing.

Lastly, employees may not take off-the-shelf training as seriously as bespoke training, because the
training is typically not branded to your company.

Some off-the-shelf products allow for customization, including adding a company’s logo and a
recorded message from the CEO. But it will be obvious to employees that the content of the course
is not developed strictly for them.

Bespoke Online Training

Large companies or companies with highly creative, technologically skilled staff may choose to
create their own online training courses. Some bespoke online training courses are created entirely
in-house, while others are created in tandem with an outside vendor that develops such courses.
Either way, a bespoke course is created entirely with your company and your policies in mind.

Developing a bespoke course takes time – usually between two and four months. However, once
your company has the course, it should be able to deploy it for at least a year. If it is an introductory
course, it may be assigned to all new employees for many years to come, making the investment
more palatable. Perhaps the best part of bespoke online training is the ability to customize the
course so it only touches on issues and scenarios your employees will face in the delivery of your
product or services. This customization allows for better comprehension of the application of the
law to the issues faced within your company.

Face-to-face training

In-person training can be highly successful if it is performed correctly. Most people are more
engaged with a human than a computer screen, and a human can answer questions in real time,
whereas a person watching the computer-based training has to write an email to get questions
answered.

Face-to-face or webinar training needs to be structured appropriately for maximum engagement.

Trainers must resist the impulse to be legalistic and to read a set of bullet point rules or to quote the
GDPR in detail. Training should focus on the learner and what the learner needs to know to do his or
her job properly and in accordance with the principles of the GDPR.

Face-to-face training may be prohibitively expensive if your company has offices in multiple states or
countries. Some companies record live training, then push out the video to the company on its
intranet or Learning Management System. Others invest in sending the trainer to multiple offices or
countries, or have one set of PowerPoint slides delivered by different people in each office using a
“Train-the-Trainer” model. “Train-the-Trainer” works when the creator or deliverer of the training
goes through the slides with the other people who will be delivering the training and teaches them
how to do it properly.

What do staff need to know about GDPR?

Regardless of whether you choose online training or the in-person model, determining what the
staff needs to know is a crucial next step. Training needs may vary. What each person needs to know
depends on the role that your various members of staff play. It is good for all staff to have a working
knowledge of Data Protection issues generally.

General-employee training will usually include:

• A brief explanation of the law and why it is necessary to protect privacy;

• A description of the fines and reputational damage that can occur if the company does not comply;

• An explanation of the primary principles of the GDPR and how they apply to the activities of the
company;

• Information on the main points of your company’s Data Protection Policy and where it can be
found;

• Information on where to get answers to questions.

Remember that people absorb training when they understand two things: (1.) Why the training is
important to them and (2.) What they need to do in response to the training. You should be
absolutely certain that your training includes this information, or people won’t incorporate the
training into their work.

Key Points:

• Deliver basic data protection training that includes GDPR to all staff.

• Work out who needs face-to-face training.

• Make it engaging!

• Record all training you carry out.

Now that everyone knows what they’re supposed to do on training, let’s go on and assess the impact
of future projects with Privacy Impact Assessments.

STEP 8 Measuring the Impact with PIAs

What is a PIA?

A Data Privacy Impact Assessment (“PIA” sometimes called a “DPIA”) is a risk assessment that a
company should complete at the start of a new project if that project involves any material
processing of customer data. PIAs usually take the form of a written document that is completed by
the person in charge of the project and signed off by a person in authority.

The DPO in a company will usually be the person who is drafting and sending out PIAs. Under GDPR,
companies must seek the advice of their DPO (if they have one) when completing the PIA.

The point of the PIA is to:

• Detail potential privacy risks of the project;

• List the ways in which those risks can be reduced;

• Have the risks signed off by the appropriate person within the company;

• Ensure the situation is monitored so that recommendations are carried out.

Implementing a PIA process will help you understand the potential data privacy problems that exist
at an early stage so you can fix them and stay on the right side of the law.

Why do I hear so much talk about PIAs now?

There are new responsibilities under GDPR around assessing the privacy risk for new projects.

Under Article 35 of GDPR, controllers must do an assessment of the privacy risk on a project where
“it is likely to result in a high risk to the rights and freedoms” of individuals. You can also complete a
PIA voluntarily even when you are not obliged to under GDPR. This can be useful to show Regulators
if they ever investigate your processes.

The fact that we have to “demonstrate compliance” under Article 5 of GDPR is important too,
because PIAs are evidence that a company takes data privacy seriously. And this evidence can be
useful if a Regulator decides to pay you a visit.

GDPR says we must complete a PIA when the project involves:

• Use of data for “profiling” such as monitoring customer behavior on your website so that you
know which pop-up ads to send to particular customers when they are online;

• A large amount of sensitive (or “special categories” of data[8]) such as transferring all your
customer medical records to a cloud provider;

• Monitoring a publicly accessible area on a large scale, such as capturing CCTV footage of a public
park.

But PIAs are not limited to the examples listed above. We must complete a PIA for any data project
that poses a “high risk” to the privacy rights and freedoms of individuals.

At what stage should a PIA be carried out?

A PIA should be carried out at the start of a project so that the people involved in the project can be
informed of any privacy risks. Solutions to these risks can then be built into the project at the
earliest possible stage.

If you hear of a project that has started without a completed PIA, then you should ask for the PIA to
be completed as soon as possible.

What are the sections of a PIA?

Many of the PIAs I have seen have been overly complicated. PIAs should be simple and clear.

Your PIA template form may cover the following areas. Some of these areas are legal requirements,
as noted:

• Initial questions to see if a PIA is needed. These include questions such as “Does the project use
data?” or “Does the project use data in a new way?”

• Briefly explain what the project is about. You want the project owner to fill out this section. For
example, the project owner may write: “This is a project by the Big Data team to analyze customer’s
financial information from last year.”

• Describe the type of data involved. For example, “The customer’s name and most recent account
balance.”

• Describe how the data is used. For example, “Customer data will be used to see which customers
will be most likely to buy mortgage products.” This is a legal requirement under GDPR.

• Identify the lawful basis or legitimizing condition being relied upon under GDPR for processing the
data. For example, “We have the customer’s consent.”

• Identify the privacy risks. For example, “Security risks exist while moving the data from one
department to another during the project.” This is a legal requirement.

• Identify solutions to the privacy risks/risk management. For example, “Check that all consents are
current and valid.” This is a legal requirement.

• Necessary and Proportionate? You are required to consider whether the data used in a project is
necessary and proportionate. You should ask, “Do we need to do this?” This consideration is a legal
requirement for the PIA process.

• Recommendations from the DPO – The DPO should review the PIA and make recommendations on
topics such as data security and consent.

• Sign off on the risk from the person in charge – It is important that the Senior Member of the
project has been made aware of the risks and has agreed to them in writing. The Board may need to
be aware of the project as well as the Head of Compliance if the privacy risks are significant.

Who should sign off your PIA?

Someone sufficiently senior who has the authority to approve risks relating to the project should
sign off on the PIA. The DPO will advise and recommend how to mitigate the risk of data within a
project but he should not sign it off. Under Article 39 of GDPR, it is the DPO’s job to “inform and
advise” on Data Protection. The business must make the ultimate decision about whether to go
forward with each project and which mitigating controls they wish to put in place.

The DPO can advise on the extent of the risk (i.e. she can tell the company whether the risks are
small, medium or large) and she can advise whether she thinks the project should go ahead or not.
But it is not her job to decide whether to actually assume the risk. This belongs to whoever has the
authority within your company to approve the project.

Key Points:

• PIAs are a fundamental part of GDPR and it is a breach of GDPR not to use them for “high risk”
data projects.

• PIAs should cover risks, recommendations, solutions, and sign off.

• Keep PIAs concise, and explain the document to your company.

• Have a PIA tracker to stay on top of your PIAs.

• Keep an eye on the projects.

• Be careful if the business wants to proceed despite having been told of serious risks.

Now that we’ve implemented our PIA process, let’s move on from the world of managing data to the
murky world of preparing for and reporting data breaches.

STEP 9 What to Do When It All Goes Wrong: Preparing for and Reporting Data Breaches

What’s the story?

Under Article 33 of GDPR there is a legal obligation for companies to report significant data breaches
(breaches) to the Regulator. Companies must also report certain breaches to individuals affected by
a breach – this is set out in Article 34.

The maximum fine for not reporting a significant breach is up to €10m or 2% of global annual
turnover, sums that could give your Board sleepless nights!

The Data Breach Response Plan.

Suffering a data breach is inevitable for most companies.

Your company is going to need a Data Breach Response Plan (Plan) in place so it knows how to
respond to a cyberattack or any other type of data breach.

Keep the Plan short and simple – The last thing you need in the middle of a Data Breach is for people
to be running around trying to figure out what the plan means. Don’t over engineer it.

Create a Rapid Response Team

A Rapid Response team is a group of people who are pre-chosen and trained to deal with a data
breach. Creating a Rapid Response team is a critical part of data breach preparation.

Rapid Response teams typically include named individuals from IT Security, Compliance, Human
Resources, Marketing, and Legal. Depending on your company’s structure, you may want to include
someone from Communications, Public Relations, and/or the business.

Document the membership of the Rapid Response team within your Plan. Make sure the contact
information (including mobile phone number) of everyone on the Rapid Response team is included in
the Plan. Set out the responsibilities of each team member in the document, and make sure all
members of the team know what they should do. For example, Legal may need to review contracts to
determine whether the customer should be notified, while Compliance may be assigned breach
notification research. Communications or Public Relations might be tasked with drafting holding
statements or communications to the media regarding the breach.

Practice runs should be performed so the team knows how to operate in the event of a real breach.

What else should I include in my Plan?

• Information on containing the breach – Your Plan should include tips for containing breaches as
soon as they occur so that you can limit the damage.

• Contact information for a third-party IT Team on standby – A team trained in crisis management
and incident response should be able to help you deal with the immediate aftermath of the breach.
Find these professionals before you need them and either put them on retainer or have them on
speed-dial.

• Template Internal Breach Report – Draft a template report and have it ready to complete when an
incident occurs. The finalized report should include information on what happened and how to
prevent it happening again. It should also contain details of any improvements that must be added
to the company’s systems and controls.

• Checklist of Records – Prepare a checklist that will tell the company which records to keep so you
can prove all of the steps you took to manage the breach.

• Flow-chart for Reporting – Create a flowchart detailing when to report the breach to the
employees, Regulators or customers.

When it All Goes Wrong – Reporting a Data Breach

When a data breach occurs, the first question after, “Is it contained?” is “Who, if anyone, do we
have to notify?” Notification can be painful, but with some pre-planning, it can be easier to manage.

What do I need to know about notifying the Regulator of a Data Breach?

You, as a Controller, have to notify the Regulator of a breach if the breach is likely to result in “a risk
to the rights and freedoms of individuals.” Like so much of GDPR, this is a judgment call as to when a
data breach meets this threshold.

For example, if there is a breach and a hacker steals 20 customers’ credit card details, this would
undoubtedly qualify as a breach that should be reported to the Regulator because it represents a
risk to the rights and freedoms of individuals.

However, if there is a breach where a document containing only the names of 30 customers who
entered a competition to win a weekend in New York was lost on the street, then it is unlikely that
this would need to be reported to the Regulator.

If you need to report a breach to the Regulator, notice must be made within 72 hours of the
company becoming aware of the breach.

What should I include in my breach report to the Regulator?

There are certain pieces of information you’ll need to report to the Regulator. Article 33 of GDPR
says you have to include specifics, including:

• Details about the number of people and records involved.

• The categories of personal data involved.

• Name of the DPO or other contact within the company.

• Description of the likely consequences of the breach.

• A description of how you intend to deal with the breach.

Do I also have to tell the affected people about a Data Breach?

Maybe. If your company suffers a data breach that results in a “high risk to the rights and freedoms”
of customers/individuals (I will use “customers” for ease of reference), you will have to tell the
customers about the breach. This appears at Article 34 of GDPR.

For example, if a customer’s financial records are hacked at a bank, the customer could suffer
financial loss through identity theft or fraud due to the records being accessed. The customer needs
to be told about this.

If you have to report a breach to the customer, GDPR says the report must be made “without undue
delay.”

Review the Contract

Please note many contracts include data breach notification requirements that may be stricter than
the GDPR’s. For example, some of your suppliers and business partners may require that all data
breaches relating to data of their employees or customers be reported to them, even if the breach
does not involve “high risk to the rights and freedoms” of those involved. Other contracts may
require reporting to the supplier within 24 or 48 hours. Be sure to check contracts with your
suppliers to make sure that you know what they want you to do if a data breach happens.
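The notification decisions this step describes (Regulator within 72 hours of becoming aware when there is a "risk", affected individuals "without undue delay" when the risk is "high", and any stricter contractual clock on top) as a small triage helper. This is an added example, not the author's; the shape of the contract clause, the sample breaches and the report field names are constructed assumptions, and the risk grading itself remains the judgment call the text describes.

```python
# Breach notification triage helper (added example, not from the original book).
# Rules encoded: Regulator within 72h of awareness when there is a "risk" (Art. 33);
# affected individuals "without undue delay" when the risk is "high" (Art. 34);
# plus any stricter contractual deadline (often 24h or 48h, sometimes for all breaches).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    NEGLIGIBLE = 0   # e.g. a list of names only, lost on the street
    RISK = 1         # likely "a risk to the rights and freedoms of individuals"
    HIGH = 2         # likely "a high risk" (financial loss, identity theft, ...)


@dataclass
class ContractObligation:
    """Assumed shape of a supplier/partner notification clause (constructed)."""
    counterparty: str
    notify_hours: int      # contractual clock in hours
    all_breaches: bool     # True: every breach must be reported, whatever the GDPR risk


@dataclass
class Breach:
    description: str
    became_aware_at: datetime   # the 72h clock starts at awareness, not at the event
    risk: Risk
    contracts: List[ContractObligation] = field(default_factory=list)


@dataclass
class Notification:
    recipient: str
    basis: str
    hours_from_awareness: Optional[int]   # None = no fixed clock ("without undue delay")
    deadline: Optional[datetime]


REGULATOR_HOURS = 72

# Contents Art. 33 requires in the report to the Regulator, as listed in this step.
ART33_REPORT_FIELDS = (
    "people_and_records_affected",
    "data_categories",
    "dpo_or_contact",
    "likely_consequences",
    "measures_taken_or_proposed",
)


def triage(breach: Breach) -> List[Notification]:
    """Return every party that must be told, shortest fixed clock first."""
    aware = breach.became_aware_at
    out: List[Notification] = []
    if breach.risk in (Risk.RISK, Risk.HIGH):
        out.append(Notification("Regulator", "GDPR Art. 33", REGULATOR_HOURS,
                                aware + timedelta(hours=REGULATOR_HOURS)))
    if breach.risk is Risk.HIGH:
        out.append(Notification("Affected individuals",
                                "GDPR Art. 34 (without undue delay)", None, None))
    for c in breach.contracts:
        # Assumption: a clause that is not "all breaches" follows the GDPR risk threshold.
        if c.all_breaches or breach.risk is not Risk.NEGLIGIBLE:
            out.append(Notification(c.counterparty, f"contract ({c.notify_hours}h)",
                                    c.notify_hours, aware + timedelta(hours=c.notify_hours)))
    # Fixed clocks first (shortest first); open-ended duties last.
    out.sort(key=lambda n: (n.hours_from_awareness is None, n.hours_from_awareness or 0))
    return out


def missing_report_fields(report: dict) -> List[str]:
    """Names of Art. 33 fields that are absent or empty in a draft Regulator report."""
    return [f for f in ART33_REPORT_FIELDS if not report.get(f)]


# Constructed samples mirroring the two scenarios in the text.
AWARE = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
CARD_THEFT = Breach("20 customers' card details stolen", AWARE, Risk.HIGH,
                    [ContractObligation("Acquiring bank (hypothetical)", 24, True)])
LOST_NAME_LIST = Breach("list of 30 competition entrants' names lost", AWARE, Risk.NEGLIGIBLE,
                        [ContractObligation("Prize partner (hypothetical)", 48, False)])

if __name__ == "__main__":
    for b in (CARD_THEFT, LOST_NAME_LIST):
        print(b.description)
        for n in triage(b) or [Notification("nobody", "below both thresholds", None, None)]:
            print(f"  -> {n.recipient}: {n.basis}; deadline {n.deadline}")
```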

What should I include in my breach report to customers?

Article 34 of GDPR says you should tell the customer:

• The name of the DPO or other contact within the company.

• A description of the consequences of the breach.

• A description of how you intend to deal with the breach.

Make sure you explain the breach to the customer simply and clearly.

Key Points:

• Under GDPR, you have to notify the Regulator within 72 hours of a breach where it is likely to
result in “a risk to the rights and freedoms of individuals.”

• You must promptly notify customers about a data breach that results in a “high risk to their rights
and freedoms.”

• Make sure employees who learn of a Data Breach tell you about it immediately. This should be in
your Data Protection Policy.

• Bad things happen sometimes – create a Data Breach Plan to guide your company in its response.

Now that you’ve made it through data breach preparation, it’s time to deal with your suppliers and
third parties that have access to your organization’s personal data.

STEP 10 Dealing with Third Party Pain

What is a Processor and what is a Controller?

Under Article 4 of GDPR, a “Controller” is the company that decides how the data is processed. A
“Processor” is a company that processes the data on behalf of the Controller.

When companies do business and share data, is there always a Controller and a Processor in the
relationship?

No. In some cases when parties share data, they may both have authority over the data, and they
may therefore both be Controllers. An example might be an insurance broker called CarSafe. CarSafe
has a shop and sells car insurance to customers in Cookstown. CarSafe shares data with the
underwriter called BigCo in London who provides the financial backing for the policies. Both CarSafe
and BigCo are Controllers because neither is the servant of the other.

Why do I have to worry about suppliers and Data Security?

Often the Data Breaches you hear about in the news are caused by a company’s business partners
or suppliers, rather than the company itself. The Target incident mentioned earlier in the book was a
prime example. Forty million customer credit card details were compromised after hackers gained
access via one of Target’s third-party vendors.

What to do if you are a Controller doing business with a Processor

What do I need to know about choosing a Processor?

Under GDPR, there are some very specific rules around choosing Processors. Specifically, under
Article 28 you can only choose a Processor that provides “sufficient guarantees” that they will
uphold GDPR. Remember this is the “show not tell” regulation, so you are going to need solid
evidence that the Processor you are doing business with is able to keep the data safe, and the
Processor must be able to give you that evidence.

This means that your company is going to have to do due diligence on any new supplier you do
business with.

Top Tips for Due Diligence on Processors:

1. Have an Outsourcing Policy on hiring new Processors – Put a company policy in place detailing a
procedure for hiring new Processors. The policy should set out the kind of homework required each
time you hire a new Processor to make sure they are the type of organization you would trust with
your customer data.

The policy could include steps such as requiring the return of a questionnaire providing details of the
Processor’s Data Security procedures. It could also include investigating the Processor’s history and
public profile to verify that they are trustworthy.

2. Security standards – Check to see if the Processor has obtained certification to any security-
related standard, such as ISO 27001.

3. Evidence – Ask the potential Processor for evidence of their data security procedures. Don’t take
their word for it.

4. Record – Record all the due diligence you have carried out on the Processor.

Contracts – What do I have to do to make sure my contracts are up to par with GDPR?

Under GDPR, you have to make sure your Processors agree to a number of clauses regarding how
they will use your data. It is a breach of GDPR if your Processors do not sign up to these clauses.

Make sure that Legal or whoever drafts your supplier agreements includes the clauses that are listed
at Article 28 of GDPR.

Under Article 28 if you are a Controller choosing a Processor, there has to be a contract in place
saying the Processor:

• Will do as they are told with the data.

• Will only employ people who have promised to keep the data confidential.

• Will keep the data secure.

• Will not hire another Processor to do the work unless the Controller has given permission.

• Will help the Controller fulfill requests brought by customers enforcing their rights under GDPR.
For example, if a customer puts in a request for her data to be wiped under the Right of Erasure,
then the Processor will help the Controller by wiping any data off their (i.e. the Processor’s) systems
if the Controller asks them to.

• Will help the Controller with their GDPR duties including breach notification requirements. So, if
the Processor loses some of the data given to it by the Controller, the Processor will tell the
Controller so that the Controller will be able to report the breach to the Regulator within the 72-
hour time limit.

• Will delete the data at the end of the contract.

• Will allow their processes to be inspected and audited.

Please check Article 28 to see these clauses in more detail.

Do I have to redraft all the contracts that were in force before GDPR?

No. No one expects you to trawl through and change every agreement you had in place before the
GDPR came into force. However, there may be some higher-risk agreements you’ll want to
renegotiate with your suppliers.

For example, if a Processor handles large amounts of your customer data, you may be concerned that
there is inadequate protection for you in this agreement if things go wrong. You may want to
consider contacting the Processor and renegotiating the contract to ensure compliance with GDPR.

Cloud Providers and Outsourced IT

Be extra careful when dealing with cloud providers. Cloud providers handle huge amounts of
customer data and often store it in various parts of the globe. You should do your homework on the
cloud provider before handing over terabytes of customer data. Similarly, ensure you have
appropriate clauses in the contract to protect you if they lose your data.

Also, be careful if you are dealing with outsourced IT services. You should make sure the contract
spells out the responsibilities the IT service provider has, such as updating software, monitoring data
etc. A properly drafted contract will protect you if something goes wrong.

Key Points:

• Suppliers often cause data breaches.

• GDPR expects you to choose suppliers wisely.

• Make sure your contracts contain all required GDPR clauses.

• If you are a Processor providing a service for a Controller, you have more risks now than you did
before.

• Be careful with cloud providers and outsourced IT.

Congratulations! You’ve made it through all Ten Steps to GDPR Compliance. Think you’re finished
and you can sit back and relax? Maybe for a brief minute. But this quest continues…
