The Essential Guide to GDPR

GDPR: The new data protection regulations, the impact on your systems and the solutions that can assist with compliance

Upload: tim-hyman

Post on 16-Apr-2017

Page 1: The Essential Guide to GDPR


Page 2: The Essential Guide to GDPR

Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance.

I have therefore put together this guide, The Essential Guide to GDPR, and its sister website GDPRwiki.com.

This is not designed to be an exhaustive list of regulatory changes, nor is it in any way meant to be taken as legal advice. I have picked out what are in my opinion the key areas of impact, particularly those that will need some attention prior to 25 May 2018, the deadline for compliance. The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to become GDPR compliant. Again, this is not meant to be an exhaustive list and there will be many other suppliers out there that offer quality and relevant services; as the deadline gets closer I expect more technologies and services to appear and I hope to highlight these in the next edition of this guide.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy”

Steve Wood, Deputy Commissioner, ICO

This guide focusses on:

Brexit

Controller or Processor

User Rights

Privacy by Design

Cloud Services

Data Protection Officer

Consent

Impact Assessment

Page 3: The Essential Guide to GDPR

The General Data Protection Regulation (GDPR) is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly, GDPR is designed to better take into account modern technologies, the way we work with them today and the way we are likely to work in the future.

In addition, there is a much greater emphasis on compliance, following a widely held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to cast a far wider net, taking in small and medium businesses and the third-party contractors they use.

THE 6 GDPR DATA PROTECTION PRINCIPLES (Article 5 of GDPR)

Personal data shall be:

1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject

2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Page 4: The Essential Guide to GDPR

There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws, there has been significant commentary, including a statement from the Information Commissioner’s Office (ICO), suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies:

GDPR Comes Before Brexit

The GDPR comes into force on 25 May 2018; the earliest Brexit can happen is January 2019, and until then all EU laws apply.

Application

The GDPR applies to the personal data of individuals in the EU regardless of where the controller or processor is established or where the processing takes place. This means that organisations outside the EU (including in the US and an independent UK) would have to apply GDPR to client data where the client is in the EU.

Adequate Data Protection

For personal data to flow from the EU to a country outside it, that country must provide an ‘adequate’ level of data protection. It is likely that GDPR will be the standard against which ‘adequacy’ is judged, so the UK would have to introduce an equivalent replacement if it decided to revert to existing DP regulations, which would simply be GDPR under a different name.

Competing with the EU

Data is fast becoming the new oil, and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data-centric business.

Page 5: The Essential Guide to GDPR

Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and of the client they sell to. Much of this data is sensitive, either for commercial reasons or because it directly relates to an individual.

Various sectors, from health to finance to legal, all have their own specific governance regulations, sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all.

There will not be many businesses that do not hold or process personal data, but it is important for each to understand its role and responsibilities as determined by the GDPR. The two significant roles are those of ‘controller’ and ‘processor’.

GDPR says…

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

A business will be a ‘controller’ for the client, prospect and employee personal data it stores and uses.

GDPR says…

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

A cloud service provider or third-party data host will in most cases be a ‘processor’.

Personal or Sensitive

It is important to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations, as different levels of protection are required, some mandatory and subject to accountability in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients.

Page 6: The Essential Guide to GDPR

Personal Data

The definition of personal data has been broadened to include anything that can be directly or indirectly associated with an individual. GDPR broadly keeps the existing definitions but adds digital footprints such as cookies and IP addresses.

GDPR says…

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR

Sensitive Personal Data

The following are the GDPR classifications for sensitive personal data (the ‘special categories’):

GDPR says…

Processing of personal data

revealing racial or ethnic origin,

political opinions,

religious or philosophical beliefs,

or trade union membership,

and the processing of genetic data,

biometric data for the purpose of uniquely identifying a natural person,

data concerning health or

data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR

The GDPR essentially prohibits the processing of sensitive personal data unless one of the conditions in Article 9(2) is met. These include:

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

9(2)(e) – Data manifestly made public by the data subject.

Page 7: The Essential Guide to GDPR

In addition to the duty of a firm to protect its information, there are a number of enhanced or new data subject rights that firms will need to be mindful of, as each could demand considerable administration capability, particularly if the necessary access and recovery tools are not in place.

Data Subject Access Requests

Data subject access requests (DSARs) will be easier for clients and employees to make. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are grounds for refusal if the request is manifestly unfounded or excessive.

Right to Erasure

A new right under GDPR is to have data deleted. There are several reasons this request can be refused, such as conflicting regulations or the public interest, but once legitimate reasons for denial are exhausted the data must be deleted.

Right to Portability

Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘structured, commonly used and machine-readable format’.

Key Tools: Search, Delete, Export

GDPR Says...

The response to a DSAR will include:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Article 15 of GDPR

Page 8: The Essential Guide to GDPR

Privacy by design is a concept that features consistently throughout the GDPR. In essence, it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes.

Security by design and by default

The GDPR requires that controllers (and the processors acting for them) should be “audit-ready” at all times, meaning that systems will need to be set up to ensure compliance by design. The GDPR makes ‘privacy by design’ a legal requirement for all personal data processing, and the onus will be on the organisation to prove compliance. Records will need to be kept, and policies and procedures will need to be in place, to demonstrate this.

Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities.

Key Design Principles

Only necessary data is to be processed, which applies to:

Amount of data

Extent of processing

Retention period

Access to data

Technical measures

There are a number of technical measures that can be put into place to enhance data security. Many of these will simply involve ensuring best practice with existing technologies.

Organisational measures

These will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities.

GDPR Says...

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 25 of GDPR

Page 9: The Essential Guide to GDPR

Security of Processing

GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation (Article 24).

The legislation goes on to describe the security required for processing data (Article 32):

pseudonymisation and encryption of personal data

ongoing confidentiality, integrity, availability and resilience of processing systems and services

the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures

A controller may only engage third-party data processors or cloud service providers that also meet these requirements.

Key Tools: Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control
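A worked illustration of the first of these measures, added here as an example and not part of the original guide or of any vendor's product: pseudonymisation replaces a direct identifier with a token that can only be mapped back to the person with the help of additional information kept separately (the secret key below). The example contrasts a keyed pseudonym (HMAC-SHA256) with the common mistake of using a plain, unkeyed hash, which an attacker who holds only the dataset can reverse simply by hashing guessed e-mail addresses. The records, e-mail addresses and the `PSEUDONYM_KEY` variable are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for illustration (not real people).
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "plan": "gold", "visits": 12},
    {"email": "bob@example.com", "plan": "free", "visits": 3},
    {"email": "alice@example.com", "plan": "gold", "visits": 7},
]

# The "additional information" that allows re-identification. Generated here for
# the example; in practice it is stored separately from the pseudonymised data
# (e.g. in a KMS/HSM) with access limited to those who lawfully need to re-identify.
PSEUDONYM_KEY = secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    # Same input form every time, so one person always gets one pseudonym.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier. Often mistaken for pseudonymisation:
    anyone who can guess candidate identifiers (e-mails, staff numbers) can hash
    the guesses and re-identify the data without any secret."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key a guess cannot be turned
    into the matching token, so the dataset alone identifies nobody, while the
    same subject still maps to the same pseudonym for analysis and for DSARs."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed pseudonym; keep the other fields."""
    out = []
    for rec in records:
        rest = {k: v for k, v in rec.items() if k != "email"}
        out.append({"subject": keyed_pseudonym(rec["email"], key), **rest})
    return out


def reidentify_by_guessing(target: str, guesses: Iterable[str]) -> Optional[str]:
    """What an attacker holding only the dataset can do: hash guesses with the
    public, unkeyed function and compare. Works against naive_pseudonym, fails
    against keyed_pseudonym because the key is not available."""
    for guess in guesses:
        if hmac.compare_digest(naive_pseudonym(guess), target):
            return guess
    return None


def reidentify_with_key(target: str, guesses: Iterable[str], key: bytes) -> Optional[str]:
    """Authorised re-identification (e.g. to answer a DSAR): only possible for
    whoever holds the separately stored key."""
    for guess in guesses:
        if hmac.compare_digest(keyed_pseudonym(guess, key), target):
            return guess
    return None


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak = naive_pseudonym("alice@example.com")
    strong = keyed_pseudonym("alice@example.com", PSEUDONYM_KEY)
    print("unkeyed hash re-identified as:", reidentify_by_guessing(weak, guesses))
    print("keyed pseudonym re-identified as:", reidentify_by_guessing(strong, guesses))
    print("with the key:", reidentify_with_key(strong, guesses, PSEUDONYM_KEY))
    for row in pseudonymise(RECORDS, PSEUDONYM_KEY):
        print(row)
```

The separation of the key from the dataset is what makes the token a pseudonym rather than merely a different identifier; losing the key store alongside the data collapses the protection. Encryption of the data at rest, the other half of the first measure, protects the fields that remain rather than the identifier.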

GDPR Says...

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements

set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Article 32 of GDPR

Page 10: The Essential Guide to GDPR


Cloud Service Provider Checklist

□ Technical & Organisational security

□ New contract provisions

□ Demonstrable GDPR compliance

□ Data Processing Records

□ Breach Notification

□ Delete or return data post contract

□ Data Transfer transparency

□ Sub-processor permission

GDPR Says... Processors

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. - Article 28(1)

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. - Article 28(3)

Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. - Article 30(2)

The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. - Article 28(2)

Page 11: The Essential Guide to GDPR

Under the GDPR, you must appoint a data protection officer (DPO) if you:

are a public authority (except for courts acting in their judicial capacity);

carry out large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or

carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

A DPO can be an outsourced role, which will pave the way for external agencies to provide this service.

DPO Duties

The DPO’s minimum tasks:

To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.

To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.

To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

DPO Rights

Businesses must ensure that:

The DPO reports to the highest management level of the organisation.

The DPO operates independently and is not dismissed or penalised for performing their tasks.

Adequate resources are provided to enable DPOs to meet their GDPR obligations.

GDPR Says...

Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 37 of GDPR

Page 12: The Essential Guide to GDPR

The GDPR refers to both ‘consent’ for personal data use and ‘explicit consent’ for sensitive personal data use. The difference between the two is not particularly clear, given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes, although in the event of a complaint the required level of consent for sensitive data is expected to be higher.

GDPR describes the requirement for some form of clear affirmative action to demonstrate consent. This can include:

Ticking a box

Changing technical settings (e.g. making something public on Facebook)

Signing a client engagement letter

GDPR is also clear as to what will NOT be acceptable as consent:

Silence

Pre-ticked boxes

General inactivity

Auditable Consent

A new requirement is that consent must be verifiable. This means that some form of auditable record must be kept of how and when consent was given, which could impact many marketing systems.

Where you already rely on consent that was previously sought, you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.

If you cannot reach this high standard of consent then you must find an alternative legal basis (one of the other conditions in Article 6, quoted below), or cease or not start the processing in question.
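One way to implement such a record, added here as an example and not code from the guide or from any consent-capture vendor: an append-only ledger in which giving and withdrawing consent are both single events carrying who, which purpose, when, how (which affirmative action) and which privacy notice version was shown. Giving consent is refused unless the recorded action is one of the clear affirmative actions listed above, so silence or a pre-ticked box can never be logged as consent; withdrawal is never refused; and the consent state is evaluated as at a point in time, so processing that took place while consent stood is still reported as consented after a later withdrawal. The subject identifier, purpose names, notice version and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Clear affirmative actions the guide lists as acceptable evidence of consent.
# Silence, pre-ticked boxes and inactivity are deliberately absent.
AFFIRMATIVE_ACTIONS = {"tick_box", "settings_change", "signed_engagement_letter"}


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # hypothetical internal reference for the data subject
    purpose: str         # the specific purpose consented to, e.g. "email_marketing"
    given: bool          # True = consent given, False = consent withdrawn
    at: datetime         # when (UTC)
    action: str          # how: the affirmative action, or the withdrawal channel
    notice_version: str  # which privacy notice the subject was shown


class ConsentLedger:
    """Append-only record of consent. Events are never edited or deleted; the
    current state is derived from the latest event per (subject, purpose)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def give(self, subject_id: str, purpose: str, action: str,
             notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Record consent. Rejects anything that is not a clear affirmative action."""
        if action not in AFFIRMATIVE_ACTIONS:
            raise ValueError(f"{action!r} is not a clear affirmative action; "
                             "silence, pre-ticked boxes and inactivity are not consent")
        ev = ConsentEvent(subject_id, purpose, True, at or _now(), action, notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, action: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Record withdrawal. The same single call as give(), with no extra
        conditions, so withdrawing is at least as easy as consenting."""
        ev = ConsentEvent(subject_id, purpose, False, at or _now(), action, "")
        self._events.append(ev)
        return ev

    def is_consented(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Consent state as at `at` (default: now). Uses the latest event on or
        before `at`, so processing done while consent stood is still reported as
        consented even after a later withdrawal."""
        when = at or _now()
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.given

    def evidence(self, subject_id: str,
                 purpose: Optional[str] = None) -> List[ConsentEvent]:
        """Full history for one subject: what a regulator or a DSAR would ask for."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id
                and (purpose is None or ev.purpose == purpose)]


def demo() -> Tuple[bool, bool, bool]:
    """Constructed walk-through: consent given on 25 May 2018, withdrawn on 1 June.
    Returns (state before consent, state while consent stood, state after withdrawal)."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    t1 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    ledger.give("subj-001", "email_marketing", "tick_box", "privacy-notice-v3", at=t1)
    ledger.withdraw("subj-001", "email_marketing", "unsubscribe_link", at=t2)
    return (ledger.is_consented("subj-001", "email_marketing", at=t0),
            ledger.is_consented("subj-001", "email_marketing", at=t1),
            ledger.is_consented("subj-001", "email_marketing", at=t2))


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

Recording the notice version alongside the event is what lets you later show not just that a box was ticked but what the person was told when they ticked it; a marketing system that only stores a current opt-in flag cannot answer either question.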

GDPR Says...

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Article 6 of GDPR

Page 13: The Essential Guide to GDPR

Consent Capture

This is an emerging area of technology that enables a granular and compliant approach to capturing user consent whilst presenting the right processing and privacy notices. In addition, these solutions ensure that all consent captured is auditable.

GDPR Says...

Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 7 of GDPR

Page 14: The Essential Guide to GDPR

A common theme throughout the GDPR is accountability and demonstrating compliance, i.e. making it evident to the Data Protection Authority that you are meeting your obligations. An important component of accountability, and mandatory in certain circumstances, is the Impact Assessment.

Definition

A Data Protection Impact Assessment is a tool designed to enable organisations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organisations to address and mitigate those risks before the processing begins.

Scope

New to the GDPR, the requirement affects all businesses (both controllers and processors). Where a new processing activity is proposed (especially where new technologies will be used) that is likely to result in a high risk to data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks.

Content

An Impact Assessment must contain the following:

a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

an assessment of the risks to the rights and freedoms of data subjects;

the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

GDPR Says...

Data protection impact assessment

1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.

Article 35 of GDPR

Page 15: The Essential Guide to GDPR

Dark Data

One of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable, and therefore not discoverable, is also known as ‘dark data’. The most common example is a scanned PDF whose content has not been OCR’d, leaving only the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request.

There are a number of software solutions available that will scan your network for ‘dark data’, identify it and convert it to searchable data.

Method

An Impact Assessment has the following steps:

Review existing or planned data processing activities

Map data flows within the organisation by system and by process

Identify any compliance risks

Determine any mitigation required and develop an action plan

Determine whether core business operations involve: (i) regular and systematic monitoring of data subjects on a large scale; and/or (ii) processing of Sensitive Personal Data on a large scale.

If yes to the above, appoint a DPO.

Page 16: The Essential Guide to GDPR

The GDPRREADY Compliance Plan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPRREADY 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance.

STEP 1 – EDUCATE

The EDUCATE phase consists of a combination of interactive workshops and stakeholder interviews, designed to generate a high level of understanding of the impending legislation and any changes to system, policy or process in order to achieve GDPR compliance.

GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders

GDPR Assessment Workshop - a workshop for internal staff responsible for owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers

Stakeholder Interviews – one to one discussions with key stakeholders to document departmental processes involving personal data.

STEP 2 – DISCOVER

The DISCOVER phase uses the Data Protection Impact Assessment (as recommended by the Information Commissioner’s Office) to discover any risk or exposure the firm may currently have.

Impact Assessment – using our GDPRready Data Register and GDPRready Impact Assessment templates you will document data flows, gap analysis, risk assessment and remediation plans.

STEP 3 – PLAN

GDPR Preparation Plan – document actions needed to prepare for and maintain GDPR compliance. Understand budget required and systems and processes that require modification.

STEP 4 – MAINTAIN

Prepare for new obligations such as Breach Response and DSAR Processing.

Review existing InfoSec policies and procedures to ensure they align with GDPR.

EACH PHASE IS SUPPLEMENTED BY GDPRREADY TEMPLATED PROCESSES AND POLICIES AS INDICATED IN THE ACTION SUMMARY CHART BELOW


GDPRREADY COMPLIANCE PLAN – ACTION SUMMARY

PHASE 1 – EDUCATE
Actions: GDPR WORKSHOP; IMPACT ASSESSMENT WORKSHOP; STAKEHOLDER INTERVIEWS
Documents: DOC 1 - GUIDE TO GDPR ESSENTIALS; DOC 2 - GDPR CHECKLIST

PHASE 2 – DISCOVER
Actions: COMPLETE IMPACT ASSESSMENT DATA MAP; COMPLETE IMPACT ASSESSMENT RISK REGISTER; PRODUCE IMPACT ASSESSMENT REMEDIATION PLAN
Documents: DOC 3 - DATA REGISTER; DOC 4 - IMPACT ASSESSMENT

PHASE 3 – PLAN
Documents: DOC 5 - GDPR COMPLIANCE PLAN; DOC 6 - PRIVACY NOTICE CHECKLIST; DOC 7 - USER AWARENESS PROGRAM; DOC 8 - CLOUD SERVICE PROVIDER COMPLIANCE CHECKLIST; DOC 9 - SUBJECT ACCESS REQUEST PROCEDURE

PHASE 4 – MAINTAIN
Documents: DOC 10 - INFORMATION SECURITY POLICIES; DOC 11 - INTERNATIONAL DATA TRANSFER GUIDANCE; DOC 12 - CONSENT FORM TEMPLATES; DOC 13 - PROCESSING RECORD TEMPLATE; DOC 14 - BREACH NOTIFICATION TEMPLATE


SOLUTION PROVIDER | GDPR FUNCTION | FEATURE DETAIL

GDPR Function: Data Subject Access Request; Data Discovery

Comprehensive data discovery and management are essential for GDPR compliance. In order to ensure a timely and efficient response to any Data Subject Access Request (DSAR), all locations where personal information is stored should be easily discoverable.

contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable. contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation.

DocsCorp will be publishing a white paper and hosting a number of GDPR events across Europe. Drop us an email to [email protected] to stay updated and get your free white paper and event invitation.

For more information please check the product description below or visit:

http://www.docscorp.com/contentcrawler/

Bulk Processing for Document Management

contentCrawler is an integrated analysis, processing and reporting framework that intelligently assesses documents in a Document Management System and determines if they require OCR and/or file compression processing.

Organisations can bulk process documents in the DMS using either the OCR or Compression modules. Or, they can do both. For example, contentCrawler will convert all image-based documents in the DMS to text-searchable PDFs. The Compression module will then apply compression and down-sampling in order to minimise the file size of the resulting PDF documents.

The automated end-to-end process can run 24/7 without any staff intervention, emailing periodic notifications of processing statistics and error reporting to the IT Administrator. Staff no longer have to worry about OCR or compression as a process or workflow.

Key Benefits

Ensure all documents are indexed for searching and are therefore discoverable

Simplify management of image-based documents

Reduce non-compliance risks

Increase efficiency through automation

Leverage existing investment in DMS and search technology

Reduce costs managing OCR and Compression technology

GDPR Function: Privacy by Design; Cyber Security

iboss is a cyber security platform that uses cloud technology to extend preventative and predictive multi-layered security to any size of organisation, in any place and to any device. The result is a lower risk profile, and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR regulations, and can lower associated fines if data breaches occur.

GDPR Function: Privacy by Design; Data Leakage Protection

iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (web, email, DNS, P2P etc.).

GDPR Function: Privacy by Design; Content Management

Granular gateway level controls against web access and application usage.

GDPR Function: Right to Access; Privacy by Design; Access Control; Document Protection; Search

iManage Govern – Govern critical information at every step of the engagement and beyond

iManage Govern lets you manage your engagement files according to each client’s retention policies, from creation through to disposal, all while ensuring your organisation meets audit and discovery requirements.

Improve governance: by applying retention policies centrally across both electronic and physical client records

Integrated document and records management: through seamless operation with iManage Work

Boost productivity: and reduce risk by taking records management responsibility off your professionals’ shoulders

Manage information in place: without copying to a separate system

Reduce operating costs: by moving inactive projects to a governed, searchable archive

GDPR Function: Privacy by Design; Secure File Transfer

iManage Share – Fast, easy and secure sharing of professional work product

Securely exchange work product with your clients, partner firms, and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files.

With iManage Share:

Share, edit and collaborate on work product from within iManage Work.

Share files from your Outlook email: Share files as secure links directly from Outlook.

Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo.

Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet.

Know what is shared and with whom: Monitor who is accessing your files and when.

GDPR Function: Privacy by Design; Right to Access; Document Protection; Search; DSAR response; Access Control

iManage Work – Manage documents, emails and more in a single engagement file

Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner.

Improve productivity: Suggested email filing keeps you ahead of inbox overload

Make better decisions: Document timelines, dashboards and analytics cut through clutter, enabling faster, better decisions

Find everything: Search across all work product (documents, emails, images), automatically tuned to your work style

Be more responsive: Secure mobile access means you can view and edit your work from anywhere

Work smarter: Integrates seamlessly with the applications you’re already using to save time

GDPR Function: Privacy by Design; Document Protection; Access Control

Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control.

Several features of Intapp Walls can help address GDPR requirements for “privacy by design,” “privacy by default” and the Accountability principle.

Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control

Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information

Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries

Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls

Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered on an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches

GDPR Function: Data Protection Officer; Education

The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security.

The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. They provide opportunities for peer networking, cross-functional dialogue and a better understanding of common problems and trends including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls.

Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference.

Intapp Professional Services offers a Risk Consultancy practice that will assess your firm’s approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations.

GDPR Function: Privacy by Design; Data Leakage Protection; Secure Archive; Security

Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case.

Mimecast solves important archiving challenges by:

Archiving email in the cloud

Responding quickly to litigation requests

Retaining important company files

Archiving Lync IM conversations

A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions.

GDPR Function: Consent; Consent Capture

Consentric Permissions is a tool for managing citizens’ consent for usage of their data. It is a cloud based product with the citizen at the heart, providing them the capability to grant or deny consent to the usage of their data for specific, clearly defined purposes.

Organisations benefit from Permissions through a simple integration with their CRM or other system(s), providing a single source of truth relating to consent. They can configure the data to be used, purpose for, and who will request usage of the citizen’s data at a granular level, enabling citizens to clearly understand what is being asked of them. Where required, organisation users can also access citizens’ records to amend consent on instruction.

All changes are subject to a full history log, including detail of how and where consent was obtained. This provides the citizen transparency and control on how their data is being accessed and used.

GDPR Function: Privacy by Design

Consentric Permissions stores citizens’ data in a secure UK sovereign data centre, with consents to share that data managed by the citizen.

Classification of the data is aligned to well-known standard schemas, or created by new custom schemas, allowing sensitive data to be managed separately and securely by the citizen.

Consentric Permissions is a trust platform, giving the citizen transparency, ownership and control of their data, enabling you to build loyal relationships with your customers.

This radical approach to storing data transforms your ability to achieve required data protection standards through minimisation of personal and sensitive data being stored in your systems and placing the citizen in control of their data and its usage. By integrating into Consentric Permissions, you benefit from our Privacy by Design features and save the costs of implementing them in your own systems.

GDPR Function: Privacy by Design; Secure Data Hosting

The complexity and expense of managing underlying infrastructure can be challenging to organisations, as their needs fluctuate. Trustmarque’s IaaS solutions enable organisations to cost-effectively deploy and run their software, whilst taking full advantage of the benefits cloud computing brings. We design, build, procure and manage IaaS services to help you unlock real business value, by providing specialist technical design, management knowledge and an understanding of the commercial implications of solution design and change, along with the operational considerations of a Cloud service within a traditional ITIL oriented environment.

We provide highly resilient and secure IL2, IL3 and IL4 services for OFFICIAL and OFFICIAL SENSITIVE hosting requirements. These convenient, on-demand and configurable computing resources require minimal management effort.

GDPR Function: Impact Assessment; Compliance

Trustmarque provide full lifecycle Impact Assessment consultation. In addition, as ISO 27001 experts we can ensure that your GDPR compliance measures align with your wider InfoSec strategy.

GDPR Function: Privacy by Design; Centralisation of sensitive data

Enabling new, enhanced user rights is a fundamental part of GDPR compliance.

PitchPerfect, with its SharePoint data repository, introduces a single centralised content management system which greatly improves the firm’s ability to meet these requirements. It provides the tools for end-users to locate and extract the requested data, while restricting the ability to modify and erase data to the content managers working in the back-end.

The common distributed data practice whereby CVs and biographies are in multiple locations including a DMS, Email system and file share makes compliance with any of these employee access requests complex, time consuming, costly and potentially impossible.

With user photos falling into the biometric data category new to the GDPR definition of sensitive personal data, it is compulsory to apply adequate protection. PitchPerfect ensures the right level of user access is applied.

GDPR Function: Data Protection Officer; User Education

SkillBuilder eLearning provides new innovative ways to empower employees and end users with accessible tools and technologies, enabling them to stay informed and educated in all things related to legal technology and its constantly changing updates.

SkillBuilder eLearning was built on the know-how of an over 12 million-strong backlog of ticket data and over 60,000 knowledge base articles. Our online eLearning tool increases productivity through a multifaceted portal that is branded for the firm. SkillBuilder provides a three-tiered model of service: Self-Service for users, Service Desk support provided by Solution Sender and an LMS. All features include access to our robust library of ever-growing content tailored specifically for Legal. SkillBuilder is a single platform whose effects are felt throughout the organisation.

GDPR Function: Consent; Data Transfer; Security of Processing; Privacy by Design

Consent

Vuture is a marketing automation platform for professional services that makes it easy to personalise email communications, streamline events and control marketing assets from a single flexible system.

Manage consent

Vuture provides a quick and easy-to-use solution to manage and automate consent. A seamless CRM integration enables you to manage and timestamp contact opt-ins within your CRM, as well as meet all Data Discovery and Data Access requirements. Unambiguous consent is achieved through a CRM-linked tickbox inserted on your preference forms.

Control data transfer

Vuture is a private cloud solution – each client has their own instance of the platform hosted at a location of their choice. The platform is built with privacy at its core – data never leaves the chosen location and rigorous security policies ensure you are always fully compliant with Data Protection standards.

Privacy and security sit at the heart of Vuture’s development, and both are assessed, tested and updated on a continuous basis.

GDPR Function: Privacy by Design; Data Leakage Protection

“Workshare’s unique data loss prevention technology provides an additional layer of content awareness that includes hidden, sensitive data (metadata). Policies decide what has to be removed for compliance from a document when sent externally via email or via the cloud. This maintains security and compliance mandates to ensure no information is leaked through documents shared outside a company in the form of metadata.

Workshare is taking our extensive understanding of metadata, email attachments and secure file sharing to the next level as we develop further to aid companies in the prevention of data loss. Because we have insight into multiple sharing channels and deep understanding of content, including metadata, Workshare can provide companies with visibility via a reporting system. Reports can be oriented around particular senders, receivers, and types of metadata to monitor for leakage or misuse. As the proposition develops, we will encompass words within context in a document or metadata and extend this detection to non-email sharing channels. Once detected, we can educate and empower users to take appropriate corrective action to protect their sensitive content.”

We hope you found the first edition of this guide useful.

To recommend content or a solution for the second edition or GDPRwiki.com please contact:

[email protected]