A Christmas Story: GDPR Compliance

Dec 18, 2019 12:00:00 AM | EU

This is the story of one cold December for Jamie, and his data-conscious adventure. He started the month with his Christmas shopping, with all the discounts and all the best offers about - he grabbed them all, without a hint of any doubt. From the latest headphones, to pants, a new pair of white sneakers, and even some living room plants. He realised one important thing after all that almost effortless buying: he'd not just been spending money here and there, he'd been giving away his data - with almost nothing to spare.

Jamie was sitting by the fireplace, all cosied up and warm, when he noticed a box of old Christmas movies and stories. While he went through all these memorable relics and played some Christmas classics on his speaker, he suddenly thought about a lot of different things, and the importance of his data was one of them.

All I want for Christmas - Overview on your data environment

An organisation's GDPR compliance starts from within. Having everyone on the same page, sharing the same data-privacy-centred culture, is an important requirement when dealing with GDPR obligations. However, it might not be an easy task. All I want for Christmas is for you to keep up with your GDPR compliance efforts. As it is a team game, a structured approach to handling GDPR is a strong benefit. Taking time to address and monitor workflows is a much-needed step in keeping your company's management of data aligned with the GDPR. Look into identified risks and outstanding tasks, and keep an overview of the who (individuals in and out of your organisation) and the what of all the different work being done.

You're a mean one, Mr. Grinch - Data Breaches

In a story that is undoubtedly an instant classic, nobody in Whoville wanted their Christmas spirit taken away. Picture Whoville as your company and the Christmas spirit as your company's valuable data: nothing should be taking that away either. Data breaches can happen at any given moment, and may prove to be a heavy penalty for organisations that do not take the appropriate measures to prevent them from happening. This year's notable incidents, such as the JW Marriott data breach, where an estimated 30 million residents of 31 countries had their personal data stolen, or the Bulgarian Tax Agency data breach, which affected 5 million Bulgarian residents, have both highlighted the importance of taking the extra steps to prevent such incidents.

What are some vital steps to take?

Reporting to the Supervisory Authority: If an incident were to happen, the data controller should report to the Supervisory Authority no later than 72 hours after becoming aware of it. Taking the right steps to determine whether an incident needs to be reported is important.
Draw from existing data: Determine the consequences of a breach by going through your processing inventories.
Have a strong overview: Keep a record of breaches that were not notified, and make sure you have a way to review such incidents.

At the end of the classic story, the Grinch gave the Christmas spirit back to the people of Whoville - which wouldn't be the case with unauthorised third parties and valuable personal data.

Santa Claus is Coming to Town - Assessments

He's making a list, he's checking it twice, he's going to find out if you've been naughty or nice: Santa Claus is in violation of the GDPR. Want to make sure you're not? One way of doing so is conducting assessments. Conduct Data Protection Impact Assessments (DPIAs) where they are needed and keep up with legal requirements. Handling a DPIA is an important aspect of an organisation's accountability obligations under the EU's GDPR. A DPIA is needed whenever a data processing activity is likely to result in a high risk to the rights and freedoms of individuals - hence why Santa Claus may just be in trouble. Having a solid understanding of the nature, scope, context and purpose of the data processing is a vital step in the DPIA. Assessments will help identify where, and why, some practices might not be in line with the GDPR. Determine the risks and the associated mitigating measures regarding the necessity of the processing, data subject rights, threats and impacts. All in all, we have yet to hear a legitimate interest from Santa for his "list". Will he be penalised as well this year? We'll soon find out.

Winter Wonderland - Wonders of Automation

It might not always be the walk through a winter wonderland we hoped for, but it can surely feel like one at work once you explore how automation does the heavy lifting for you. A less complicated approach to keeping up with GDPR compliance is to have a centralised management platform, where you have an overview of everything that is happening and, most importantly, can keep track of it. Automation is an efficient alternative that helps organise data and minimise potential threats. This year, 60% of data breaches reported to the UK's ICO were a result of human error. This may suggest that by having an automated system handle such sensitive data, organisations are putting appropriate safeguards in place.

So Jamie was happy: not only had he managed to connect such an important holiday with an important aspect of everyday life, but he also knew that his data was safe. Understanding the necessary steps to take to ensure everyone has a jolly end of the year is undoubtedly one of the many things to be grateful for on Christmas day.

From all of us at PrivacyPerfect, we wish you a very happy holiday!