The EU General Data Protection Regulation (GDPR) takes effect on 25th May 2018, and will control the management and processing of all personal data throughout the countries of the European Union. Even following Brexit, it will remain a significant element of future data protection legislation within the UK.
From 2018, GDPR no longer requires data controllers to register with their local Data Protection Authority. Instead, they will be required to maintain comprehensive records of data processing activities (Art.30) which demonstrate how they provide effective protection for personal data. An accurate Data Protection Impact Assessment is required, which may be requested at any time by the Supervisory Authority, and which many organisations are deciding to share with data subjects in order to build confidence and trust. Our UtopiaR solution extends beyond traditional thinking, to highlight and report issues and observations which require remediation, providing timely and valuable protection for our customers.
Our UtopiaR solution allows for the creation and management of accurate Privacy Impact Assessments, providing a record of:
The data processing activity being assessed, and how personal data is being processed.
The categories of personal data which are being processed, and which personnel and/or IT systems have access to it.
Where the personal data is to be processed or stored and details of any third parties who may be involved in its processing.
Whether appropriate data protection training and awareness has been conducted, so that everyone involved in the activity is aware of their roles and responsibilities.
Detailed data flows of how the personal data moves through the various stages of the activity.
The assessment against data protection legislation, for example whether data subject consent has been obtained and how data breaches are to be identified and reported.
Article 25 of the EU General Data Protection Regulation (GDPR) requires that “data protection by design and default” is delivered in the processing of personal data. This approach is not new and is best evidenced by the completion of a Data Protection Impact Assessment, which under Article 35 of GDPR is required for all data processing activities which are “likely to result in a high risk to the rights and freedoms of natural persons”.
Conducting effective Data Protection Impact Assessments (also known as Privacy Impact Assessments) is at the heart of “Privacy by Design and Default”. This activity has a number of distinct roles which are addressed by the UtopiaR solution:
To understand and implement effective privacy controls into all data processing activities.
To identify and escalate data protection and privacy issues that may be identified during the course of an assessment.
To reduce the exposure, associated costs and legislative penalties from data protection and privacy risks that otherwise may not have been discovered.
To produce comprehensive Data Protection Impact Assessments which can be provided to the Supervisory Authority upon request (e.g. in the event of an investigation).
To provide the option of being transparent with data subjects about how personal data is being processed, to build confidence and trust.
To support existing information security best practice for those who undertake risk management activities, for example as part of their ISO27001 information security certification.