THE PRIVACYPERFECT BLOG

As a Chief Information Security Officer, you hold a vital role in protecting your organisation's most valuable data as well as their reputation. With experts suggesting the numbers of cyberattacks and data breaches to increase in the upcoming years, your role as a CISO could prove even more decisive. Recent reports have suggested that in the ever-growing pressure CISOs are met with, many are bridging cybersecurity and data privacy together.

This includes keeping up with the EU's GDPR and the numerous obligations it provides. As you continue to establish your organisation's visions, strategies and programs to ensure information assets are properly protected, how are you bridging data privacy compliance with cybersecurity? 

One way or another, almost all organisations rely on third parties for processing personal data in today’s digital world, creating a direct need for data processing agreements (DPA). Even the tools that are considered to be the basic necessities in business, such as email clients, CMS systems, data storage servers, or website analytics, all process personal data on behalf of organisations. With the introduction of the GDPR, there are strict requirements and guidelines on how this can be done in a compliant manner, through signed DPAs between the organisation (the data controller) and any party that acts as a data processor on their behalf. But what are Data Processing Agreements (DPAs), are they really necessary for you, what do they look like, and who needs to be involved from within your organisation? 

Twenty-one months have passed since the implementation of the GDPR.  The desperate flurry of data mapping, consent gaining, and compliance training is but a distant memory, obscured behind the day-to-day pressures of billings, client demands, and other regulatory procedures. Yet, there is no escape from the fourth industrial revolution. The speed at which technology is blurring the lines between the physical, digital, and biological spheres is without precedent.  Every single industry and the lives of all people are being impacted. 

Educational institutions collect vast amounts of personal data from students and staff. Generally, this data falls in the category of regular personal data, such as names, email addresses, and physical addresses. On the other hand, sensitive personal data, such as health information, financial information, legal guardianship contact details, disciplinary records, are also often required. Given the huge quantity and high sensitivity of personal data collected, compliance with the GDPR will have to be a very conscious investment for higher educational institutions, both in terms of time, resources, and tooling. Below is everything you need to know about how the GDPR affects higher education institutions specifically, and how these organisations can start off towards compliance.

Since the enforcement of the GDPR back in May 2018, organisations that process personal data within the EU & EEA are obligated to respond to a Data Subject Access Request (DSAR). DSARs are not new, however, the GDPR enforced a new set of new rules for the process. For instance, organisations today are required to respond within 30 days upon receiving a request. The tight time-frame and the process itself often poses challenges for organisations when responding to DSARs.

The GDPR provides a clear criteria that organisations should take into account when wanting to appoint a Data Protection Officer for their compliance efforts. However, besides the right qualifications, organisations also need to be able to identify what the ‘right’ DPO means for them. For instance, some companies might not have the capacity to appoint someone full-time for data protection, and might find that alternatives such as resorting to external DPO service providers or training existing employees to take up the role are a better fit for them. Other organisations might not even be required to appoint one. In order to be able to determine what the case is for your organisation, first you will need to have a clear understanding of the requirements set up by the GDPR, and then take into consideration the best practices described in this blog post, to see what’s best for your organisation specifically.

The GDPR highlights that data subjects need to be given the right to be informed about the gathering and the use of their personal data. Organisations are encouraged to fulfill this obligation through a privacy statement, that informs individuals in a clear and easily understandable manner on how their personal data is gathered and processed by the organisation. At the same time, organisations often find challenges in creating the perfect privacy statement as narrowing down a huge variety of complex legal information is not a task for the faint hearted. Furthermore, with the enforcement of the GDPR, previous privacy statements also had to be readjusted. So, what do organisations need to keep in mind for creating the perfect privacy statement, and what benefits it holds to have one, besides compliance?

Back when the GDPR was still within the adaptation phase, data-driven organisations and public bodies that process personal data on a large scale found the new obligation of data minimisation to be a rather vague obstacle. The GDPR states that “personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed”, but this concept still often poses challenges for some firms. At the same time, data driven organisations continue to process and gather personal data on a large scale, where data minimisation could prove that ‘bigger’ might not necessarily always mean ‘better’: after over a year since the EU privacy regulation’s enforcement, we have now learned that data minimisation actually holds several benefits for organisations that decide to embed it into their practices. Before we start looking into what data minimisation can look like in practice, let’s take a look into what this concept entails exactly according to the GDPR. 

After the enforcement of the GDPR, organisations had to make their choice on how to comply with the EU privacy regulation: using the method of privacy by design or privacy by default.  For some organisations, one or both of these concepts were new, but these are now legal obligations for all those handling personal data. The GDPR emphasises that privacy by design requires organisations to consider privacy compliance in the initial designing process upfront in everything that the organisation does in regards to their handling of personal data. Meanwhile privacy by default means that organisations should be only gathering personal data that is required. But which one these methods fit your organisation the best, and how can you make sure you benefit from compliance?

Back in the adaptation period of the GDPR between 2016 and 2018 May, many businesses were concerned that the new EU-privacy regulation might weaken their marketing efforts, especially in the field of email marketing.  As the GDPR puts several restrictions on why and how personal data can be collected and processed, previous forms of popular marketing techniques, such as building a database of prospects for years on end, and purchasing prospect lists, had to be changed and adjusted for compliance. These types of databases were used most typically for the email marketing efforts or organisations, therefore many believed that this aspect of business marketing might actually suffer from the new regulation. After over a year since the enforcement of the GDPR though, businesses reported several benefits of the GDPR in regard to marketing, through adapting a compliant email marketing strategy. So, what steps can your organisation take to make sure to enjoy these benefits, while strengthening your compliance?