Welcome to 2018 New Year Shopping

New Year Preparations for GDPR

David Parish – Information Security Consultant

Welcome to 2018. On your New Year's to-do list, I hope you have one item that won't be forgotten. The gym membership and other New Year's resolutions may fall by the wayside, but your preparations for compliance with the forthcoming GDPR enforcement (see my next blog on the Article 29 working group) aren't going away and, despite Brexit, will have to become enshrined in how you operate as a business. The best way to approach this is to treat the requirement as a business improvement. You certainly do not want your business reputation harmed by a lack of endeavour to become compliant. The Information Commissioner has been publishing considerable information and updates, and I take the same approach as her recent comments.

This is about evolution, not revolution: everyone should be entitled to have their privacy and personal information protected and managed properly.

My next series of updates and blogs will hopefully help you steer yourself through the legislation and, more importantly, provide practical guidance on how to implement or interpret the legislation for your business.

There will be challenges along the way and there may be costs, but these can all be managed and applied proportionately to your individual needs if you approach this as improvement, embrace the need for change and don't try to cut corners.

So our first steps are to remind you of the key changes in the GDPR:

Refer back to our schematic "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now".

The GDPR contains a number of new concepts, imposes new obligations on organisations and grants more rights to individuals.

The key changes and heightened regulation that the GDPR brings include the following:

Principle of accountability – data controllers are responsible for, and must be able to demonstrate compliance with, data protection obligations.

Principle of transparency – personal data must be processed in a transparent manner, with data subjects being notified of processing.

Data minimisation – there are stricter rules relating to the extent of personal data which is kept, and to the period for which it may be kept.

Data breach notification – subject to limited exceptions, data breaches must be notified to the supervisory authority and data subjects.

Right to be forgotten.

Right of portability – data subjects will be entitled to receive a copy of personal data concerning them or have the data transferred to a third party.

Data Protection Officers and Data Protection Impact Assessments.

New liabilities for processors, which will include when processing information for legal matters.

Example: the New Year shopping experience.

Continuing on from my Christmas shopping update (December 2017), let's have a brief look at lawful processing, data minimisation and consent.

The New Year sales are upon us and unfortunately some of those gifts that arrived at Christmas are surplus to requirements or need a refund.

You arrive at the till with the receipt, the goods and the bank card you purchased the item with, ready for your refund to be credited. The very helpful store assistant then asks, "Can I have your post code?" You ask why, and the assistant is somewhat flummoxed, as the computer says "post code required". You quite rightly decline and face an impasse: when the manager is called, no one can explain why your post code is required for a refund. This simple issue impacts heavily on GDPR compliance, as it provides additional information to the retailer which, along with your bank details, name and so on, gives them the ability to process your personal data for no clear reason. It certainly isn't a requirement in law for this information to be stored.

The "can I have your email?" question

A high street retailer requests your email address at the point of sale: "Can I have your email address to send you your receipt?" You may be happy with this; however, a hard copy receipt has already been generated by the till, and the assistant has said receipt in their hand.

These issues are happening and, unbeknown to you, are enabling your personal information to be stored, processed, profiled and sold.

So happy shopping in the sales, and don't only think about how you and your business are going to achieve GDPR compliance; remember it's also about who is storing and processing your personal information, and how other businesses are doing it.

Next: what is the Article 29 Working Party, and why is it especially important to how you address compliance?

by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR Implementation Specialist, MSc Security and Risk Management
