Monday, November 28, 2016

Preparing for the EU General Data Protection Regulation (GDPR)

By John Kyriazoglou

Is your company ready?
What steps should you, as a manager, executive or board director take for your company by May, 2018?

My new book ‘Data Protection and Privacy Guide’ in five volumes (see links at the end), is designed to support you effectively in all these issues.

I am providing below a short summary of the GDPR and how it impacts your business operations (including your IT systems) and a flavor of what is contained in these volumes.

1. Introduction to the EU GDPR
On April 2016, the EU General Data Protection Regulation (GDPR) was approved, entering a two-year transition period (April 2016 to May 2018) during which member states and enterprises (private companies and public organizations) handling European residents’ personal data will need to adopt the new requirements. The Regulation introduces tough penalties for non-compliance, with breached organizations facing fines of up to 4% of annual global turnover or €20 million – whichever is greater.

The new law dramatically changes the way in which organizations approach personal data protection (for customers, employees, etc.), particularly in terms of access privileges. With financial penalties in place, which can be as much as 4 per cent of a corporation’s annual turnover, enterprises simply cannot afford to let personal data slip into the wrong hands through mismanagement or a malicious breach. One way to ensure this doesn’t happen is for personal data to be secured under lock and key with the help of identity governance, where entry is monitored and controlled around the clock, etc.

2. Preparing for the General Data Protection Regulation (GDPR)

What basic steps to take by May, 2018:

Step 1: Awareness. You should make sure that decision makers and key people in your company or organization are aware that the law is changing to the GDPR.
Step 2: Data Protection Officers. You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
Step 3: Personal Data you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organize a personal data audit, etc.
Step 4: Individuals’ rights. You should check your corporate procedures to ensure they cover all the rights individuals have, including how you will handle requests within the new timescales and provide any additional information, how you would delete personal data or provide data electronically and in a commonly used format, etc.
Step 5: Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Step 6: Legal basis for processing personal data. You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Step 7: Consent. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Step 8: Children. You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Step 9: Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Step 10: Data Protection Impact Assessments (DPIA). You should familiarize yourself now with the guidance regarding when to carry out a DPIA. For example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals, etc.
Step 11: Data Protection by Design and by Default. You should ensure that all your products produced and sold and all services provided (including Information systems) by your company implement privacy and data protection according to the principles of the GDPR.
Step 12: International Operations. If your company operates internationally, you should determine which data protection supervisory authority you come under.

3. Resources to support you in implementing the EU GDPR
As noted above, my new book ‘Data Protection and Privacy Guide’ in five volumes (see links at the end), is designed to support you in all these issues.

This book, in 5 volumes, contains a complete set of methods, strategies, plans, policies, audit tools and other practical techniques to guide, support and facilitate you to effectively manage the personal data your company collects and processes and comply better with all privacy regulations (e.g. EU GDPR).

1. Data Protection and Privacy Management System: Data Protection and Privacy Guide – Vol I
2. DP&P Strategies, Policies and Plans: Data Protection and Privacy Guide – Vol II
3. Data Protection Impact Assessment: Data Protection and Privacy Guide – Vol III
4. Data Protection Specialized Controls: Data Protection and Privacy Guide – Vol IV
5. Security and Data Privacy Audit Questionnaires: Data Protection and Privacy Guide – Vol V

Thank you,

John Kyriazoglou

Monday, November 7, 2016

Data Protection Impact Assessment Toolkit

This is available at:


This document describes a set of methods and tools that enable, facilitate and support you in assessing your data protection risks and executing a Data Protection Impact Assessment
(DPIA) for existing as well as for new products, services, systems, functions and information systems, that collect, process and maintain personal data.

It may also be used to evaluate the data protection and privacy risks of the personal data your company collects, processes and stores and to comply with the requirements of the EU General Data Protection Regulation (Articles 27, 28, 34, 35, 36, 39, 53, 57, 58, 64 and recitals 53 and 58) for any enterprises located within the EU or doing business in the EU, regardless of their home base and central location offices (headquarters).

Table of Contents

Chapter 1: Summary of the New EU General Data Protection Regulation
Chapter 2: Data Protection Impact Assessment Methodology

Chapter 3: Data Protection and Privacy Audit Tools

Annex 1: Data Protection Impact Pre-Assessment Survey
Annex 2: Data Protection Risk Identification Questionnaire
Annex 3. Privacy Risk Register
Annex 4. Suggested DPIA Report Format
Annex 5. Proposed Risk Resolution Actions
Annex 6: Personal Data Checklist

This is available at: