#timhjrogers: GDPR PHASE 2 – DATA PROTECTION AND INFORMATION SECURITY ARMS RACE

Sunday 9 December 2018

GDPR PHASE 2 – DATA PROTECTION AND INFORMATION SECURITY ARMS RACE

I have worked with a number of organisations this year and my experience has been that May 25 presented a deadline and scramble to pull together the minimum requirements for a Data Privacy Notice.

In the period that has followed attention has turned to comparing hastily revised policies and procedures with real-life practices. As more than one wise person has said, it takes a long time for new ways of working to become habit.

There is a lot of work underway reviewing Contracts, Data Sharing Agreements and Processor Controller Agreements, in response to data protection and information security concerns.

The States of Jersey, JFSC and GFSC championing of Cyber Essentials as a minimum standard for information security and ISO27001 as a more respectable goal I anticipate that 2019 will be regarded as GDPR Phase 2 – putting theory into practice.

The Regulators of all jurisdictions have been clear that GDPR is not a once-only-event like Y2K but instead an ongoing process.

My view is that it has the makings of an arms race and to fall behind presents real difficulties being able to catch-up as each requirement piles upon the previous and makes basic assumptions about your start-point.

For many organisations this is just another step in the journey, but for some 2019 will see more challenge and more change than they were able to accommodate in 2018 and there may be consequences.

LINKS

https://www.jerseyfsc.org/the-commission/cyber-security/

https://www.gfsc.gg/news/article/cyberinformation-security-information-pack-boards

https://www.gov.je/StayingSafe/BeSafeOnline/ProtectYourBusinessOnline/pages/cyberessentials.aspx

AUTHOR

Tim HJ Rogers

https://www.linkedin.com/in/timhjrogers/

No comments:

Post a Comment

Privacy

This Privacy Notice sets out what data we hold and use. We take privacy and security of your information seriously and will only use such personal information as set out in this privacy policy.

OTHER WEBSITES

This site contains links to other sites whose information practices may differ from ours. If you should visit such third party sites, you should ensure that you review the appropriate privacy notices as we have no control over information that is submitted to, or collected by, these third parties.

WHO WE ARE

This site is run by Tim Rogers to provide and seek information, comment and guidance on matters affecting charities. It is a free not-for-profit, non-commercial site.

WHAT, WHERE AND WHEN WE COLLECT YOUR DATA

The site is run using Blogger, which is a standard application provided by Google. Tim Rogers does not capture any personal data from the site, unless of course you choose to leave you personal details in a comment. However Google does track data: it is for example how we know if this page has been read by 10 people or 10,000 people.

If you choose to comment, phone, email or send a letter we may note your name, email-address, organisation and information relevant to your correspondence.

DISCLOSING YOUR PERSONAL DATA

On occasion that a correspondent may seek advice which is best given by a third-party (for example a specialist in IT Security) we will put them in touch with each-other. Similarly if someone asks a question that is better addressed by the Association of Jersey Charities or Jersey Community Partnership we will put you in touch with each other.

DATA SECURITY

We use Google’s up-to-date data storage and security techniques to protect your personal information from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss. Unless you post a comment we know nothing about you, and if you use a Private Browser Google will know nothing about you.

INTERNATIONAL TRANSFERS

However as a consequence of using Google’s Blogger some personal data may be processed in (including being accessed in or stored in) a country or territory outside your home country, including outside the European Economic Area (“EEA”).

HOW LONG WE RETAIN PERSONAL DATA

We will retain your personal data for as long as necessary to fulfil the purpose for which it was collected in accordance with General Data Protection Regulation [GDPR]

YOUR RIGHTS

You have the right to apply for a copy of the personal data we hold about you and to have any inaccurate personal data about you rectified.

In some circumstances you may also have the right to ask us to erase your personal data or restrict its processing. Where we process your data for our legitimate interests, you have the right to object to such processing. Where our processing is based on consent, you may withdraw your consent by emailing us

Should you wish to discuss the exercise of any your rights, please contact us as set out below.