Get ready for the General Data Protection Regulation

GDPR Top Tips Checklist For security operators, data controllers & processors

GDPR Top Tips

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. While businesses strive to ensure compliance, you may find that some areas of the legislation still feel somewhat ambiguous. It is our hope that the following checklist provides you with greater confidence that the key areas are covered and that consistency can be achieved throughout your organisation.

1. Ensure your organisation has a specified data protection officer. The data protection officer is responsible for overseeing your organisation’s data protection strategy and ensuring compliance with the GDPR requirements.


2. Ensure all policies and procedures regarding the use of security monitoring systems are updated to reflect the GDPR, and double-check that any updates to said policies and procedures have been implemented throughout the business.

3. Put in place a process to ensure all staff and security teams are aware of people’s right to request a copy of their image or other data collected.

4. To help ensure anonymity, consider adopting technology that enables the business to mask individuals’ images until they are officially required for evidential purposes.

5. If operating in multiple EU member states, you need to determine and document which is your lead data protection supervisory authority. Refer to the EU’s Article 29 Working Party guidance on identifying a lead supervisory authority.

6. To ensure compliance across and beyond Europe, check the clarity of any contracts with EU member states and also check the individual laws of any countries falling outside the EU.

7. Ensure signage is updated. It must be clear, visible and readable, and must be updated to demonstrate consent. This can be achieved by displaying the purpose of the security systems, and the signage needs to include who to contact in the event of any query. Additionally, it should include details of the operating system used. According to the ICO, this is arguably one of the most important elements of the GDPR, with the emphasis on the need for a ‘higher level of consent’.

8. Ensure you are clear on the requirements pertaining to monitoring and data collection with regard to children. Article 8 of the GDPR comprises age-related guidance pertaining to consent for the collection of child-related data and the handling of data information requests. The GDPR recommends an age limit of 16 years, but no less than 13 years (to be decided by individual member states). The ICO recommends an age limit of 13 years.


9. Check how compliance with the GDPR is being enforced across all European entities. In addition to checking that updates to signage are complete, ensure the responsibilities of those implementing updates are clearly set out and understood.

10. Ensure employees are aware of data retention periods for footage, and of subject access request requirements. Be cognisant of holding and sharing information pertaining to third parties, and keep a record of all access requests. Check retention periods in other European countries, and work to align them for consistency and simplicity.

11. Clearly define roles and lines of responsibility to ensure clarity with regard to compliance ownership and liability. Examples of cross-over may be between data controllers and data processors, and between security and IT departments.

The ICO has published tools to help with compliance for the GDPR:

– For data controllers
– For data processors

The ICO has acknowledged that data processors will have greater responsibility in the future, but ultimately, in most cases ownership falls with the data controllers.

12. Ensure all teams are working within the published CCTV Codes of Practice, the most recent of which can be found here.

13. Check that the most recent updates have been applied to all software and hardware. Ensure any maintenance contracts and agreements include the application of technology updates.


14. Carry out a full security audit of your CCTV security system, which includes consideration of access rights, remote security, and the accessibility of systems. Within this audit, check that passwords have been updated and implement a strong process to ensure passwords and security updates are refreshed regularly. Put a process in place to enforce the requirement that business data be stored and accessed separately from the CCTV network.

15. Ensure a thorough Data Protection Impact Assessment (DPIA) is in place for the consideration and implementation of any new technology, such as body cameras. Should the related data processing be deemed high risk, you may be required to seek the advice of the ICO as to whether the processing operations comply with the GDPR.

16. Check through the 8 data protection principles of the GDPR, focusing on statutory requirements and aligning GDPR plans with those principles as a basis. Principle #7 highlights the need for protection of data. Businesses using security monitoring systems need to ensure that all relevant data is appropriately secured against cyber-attacks and other security threats.

17. Familiarise yourself and your teams with the ICO’s paper “Preparing for the GDPR, 12 steps to take now” and review the updated ‘Data Protection Directive’, which comes into force on 10th May 2018.

18. Importantly, for any areas of ambiguity, organisations should document any concerns and the steps taken to ensure compliance. The ICO has advised that it will give consideration to those that actively communicate concerns with case workers, demonstrate evidence showing how a potential issue has been addressed, and show the steps they have taken to comply with the GDPR. Directly related to this, a ‘live chat’ feature is available via the ICO website, where questions can be asked. A transcription of the conversation is available following the discussion.

19. The ICO emphasises that decisions related to fines will be decided on a case-by-case basis. Where an organisation can demonstrate every effort to comply and raises any concerns with the case workers, due consideration will be given. Any major breach and/or clear non-compliance issues will be dealt with on an individual basis.

20. To stay abreast of current developments and any announcements related to the GDPR and the Data Protection Directive, the ICO encourages businesses to sign up to its weekly newsletter and read its blog.

Panasonic Security Solutions has smart technologies which can support GDPR compliance. Take a look at our People Masking Technology: business.panasonic.co.uk/security-solutions/people-masking-technology. For our Cyber Security offering visit: business.panasonic.co.uk/security-solutions/secure-communication

To learn more about Panasonic’s GDPR-friendly technology:
Visit Panasonic Secure Communication: business.panasonic.co.uk/security-solutions/secure-communication
Visit People Masking Technology: business.panasonic.co.uk/security-solutions/people-masking-technology
Call +44 (0) 2070226530
Email [email protected]