VIRTUAL DATA PROTECTION OFFICER
GENERAL DATA PROTECTION REGULATION CAME INTO FORCE ON MAY 25TH 2018.
DO YOU NEED ANY HELP?
This new EU regulation will replace the Data Protection Act. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance will require organisations to review their approach to governance and how they manage data protection as a corporate issue.
See the 12 steps to GDPR issued by the ICO
Can you guarantee the Confidentiality, Integrity and Availability of your systems? Do you have the correct policies and procedures? Are your staff fully trained and aware of the GDPR? If not, ICARIS Sentinel can help.
Do we need a data protection officer?
Roles and Responsibilities
Who is responsible for information security?
Who is responsible for meeting legal and regulatory obligations?
Who is responsible for oversight of legal and regulatory obligations?
Who is responsible for contracts with data processors?
Who is responsible for identifying and managing privacy risks?
Designation of the data protection officer
Group undertakings can appoint a single DPO
Where the controller or processor is a public authority, a single DPO may be appointed for several such authorities, depending on their structure and size
DPO can represent categories of controllers and processors
DPO designated on the basis of professional qualities and knowledge of data protection law, but need not be legally qualified
May fulfil the role as part of a service contract
Controller or processor must publish DPO details and notify supervisory authority
Position of the data protection officer
Controller and processor must ensure proper and timely involvement of the DPO
Controller and processor must provide support through necessary resources
DPO has a large degree of independence
Protected role within the organisation
Direct access to highest management
Data subject has clear access to DPO
Bound by confidentiality in accordance with EU law
No conflict of interest arising from additional tasks or duties
Data Protection Officers
Where does the role sit within the organisation
The DPO should sit within a Risk, Compliance or Governance function
Outside delivery functions of IT or Business
The role is about delivering compliance
You can't have compliance under the direction of the delivery team
Independent of the business with direct access to the Board
An effective DPO will ensure that Data Protection is on the Board agenda
Data protection impact assessment
The controller shall seek the advice of the DPO
Where processing uses new technologies and, taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural persons
DPIA is particularly required where:
- automated processing, including profiling, that produces legal effects concerning natural persons;
- large-scale processing of special categories of data or of personal data relating to criminal convictions;
- systematic monitoring of a publicly accessible area on a large scale.
Controller shall consult the supervisory authority prior to processing where the DPIA indicates a "high risk to the rights and freedoms of the data subjects":
Supervisory authority shall provide written advice to the controller
Request for controller to provide further information
Information on purposes and means
Information on measures and safeguards
The contact details of the DPO
A copy of the data protection impact assessment
Any other information requested
Data Protection Officers
The realities of the role of the data protection officer
Legal Knowledge of data protection regulations is not enough
Must also have information security knowledge and skills (ISO 27001)
An understanding of risk management and risk assessment (ISO 31000, ISO 27005)
Familiarity with and adherence to codes of conduct for industry sector
A good understanding of compliance standards and data marks
Able to carry out and interpret internal audit against information security standards
Understand and be able to articulate privacy by design to delivery functions
Able to co-ordinate and advise on data breaches and notification
Able to make a cyber security incident response process work
Lead co-operation with supervisory authority
Data protection officers
The first 100 days:
What is the status of the organisation with regards to Data Protection?
Who are the stakeholders of the organisation?
What is the applicable legislation to the organisation?
What are the appropriate information security standards?
What are the appropriate risk frameworks and methodologies?
What are the sectoral codes of conduct and how can they be implemented?
Which certifications should the organisation adopt?
Who is required to be trained across the organisation and how do we do it?
Which resources are available to the DPO and where are they?
What is the reporting structure to ensure independence?
How do you get Data Protection on the Board Agenda?
Do you have the capacity within your organisation?
Can you afford to employ a full time Data Protection Officer?
Why choose ICARIS Sentinel?
Fully qualified EU GDPR Practitioner
Experience in implementing and auditing GDPR requirements
Full online audit reporting tool
Full online system for recording policies / breaches / Subject Access Requests
Instant access to our advisors for guidance
Independent advisors to your organisation / no conflicts of interests
Dedicated advisor for your organisation
Reporting direct to Board Level
Full confidential service
Flexible service contracts
Call our sales team for further advice
Receive a tailored quotation to meet your requirements
The content of this website and its social media feeds is copyright of Icaris Sentinel Limited, Unit 5, Benner Road, Pinchbeck, Spalding, Lincolnshire, PE11 3TZ.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:
You may print or download to a local hard disk extracts for your personal and non-commercial use only. You may copy the content to individual third parties for their personal use, but only if you acknowledge the website as the source of the material.
Individuals may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.
Organisations may not use, reproduce or exploit our content without our express written permission.
1.0 OUR CORE BELIEFS REGARDING USER PRIVACY AND DATA PROTECTION
User privacy and data protection are human rights
We have a duty of care to the people within our data
Data is a liability; it should only be collected and processed when absolutely necessary
We do not spam or support the practice
We will never sell, rent or otherwise distribute or make public your personal information
2.0 RELEVANT LEGISLATION
Along with our business and internal computer systems, this website is designed to comply with the following national and international legislation with regards to data protection and user privacy:
This site’s compliance with the above legislation, all of which is stringent in nature, means that this site is likely to be compliant with the data protection and user privacy legislation of many other countries and territories as well. If you are unsure whether this site is compliant with your own country of residence’s specific data protection and user privacy legislation, you should contact our data protection officer (details of whom can be found in Section 9.0) for clarification.
3.0 PERSONAL INFORMATION THAT THIS WEBSITE COLLECTS AND WHY WE COLLECT IT
This website collects and uses personal information for the following reasons:
3.1 Site visitation tracking
Like most websites, we use Google Web Analytics (GWA) https://www.google.com/analytics/ to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.
Although GWA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GWA also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this. We consider GWA to be a third party data processor (see Section 6.0 below).
3.2 Contact forms and email links
Should you choose to contact us using the contact form on our Contact us page or an email link, none of the data that you supply will be stored by this website or passed to or processed by any of the third party data processors defined in Section 6.0. Instead, the data will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by TLS (sometimes known as SSL), meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet. The email content is then decrypted by our local computers and devices.
3.4 Email newsletter
If you choose to join our email newsletter, the email address that you submit to us will be forwarded to MailChimp who provide us with email marketing services. We consider MailChimp to be a third party data processor (see section 6.0 below). The email address that you submit will not be stored within this website’s own database or in any of our internal computer systems.
Your email address will remain within MailChimp’s database for as long as we continue to use MailChimp’s services for email marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any email newsletters that we send you or by requesting removal via email. When requesting removal via email, please send your email to us using the email account that is subscribed to the mailing list.
If you are under 16 years of age you MUST obtain parental consent before joining our email newsletter.
While your email address remains within the MailChimp database, you will receive periodic (approximately weekly) newsletter-style emails from us.
4.0 HOW WE STORE YOUR PERSONAL INFORMATION
4.1 Submitted Data
Data submitted to us for processing other than as defined in Section 4.1 will be retained within our secure IT system. All data within this system is subject to additional password protection and encryption. We retain only the basic data required to deliver our services to you. This is typically name, address, email address, subscription start/end details and contact opt-in details.
4.3 Opt-Out List
We also maintain a list of people who have opted out of receiving communications from our organisation. Should you attempt to opt-in having opted out previously we will contact you to confirm this decision and for your approval to remove you from the opt-out list. All mailings will be screened against our opt-out list.
4.4 Right to be forgotten
We fully support your right to be forgotten, which you can exercise by writing to our Data Protection Officer (see Section 9.0), giving your identifying details and requesting removal of all material from our data systems. Our DPO will conduct a full sweep of all systems and remove your personal data; this includes our opt-out lists. Once complete, the DPO will advise you of this action.
5.0 ABOUT THIS WEBSITE’S SERVER
This website is hosted on a server provided and managed by Wix.com. Details of Wix.com can be found in Section 6.3.
6.0 OUR THIRD PARTY DATA PROCESSORS
We use several third parties to process personal data on our behalf. These third parties have been carefully chosen and all of them comply with the legislation set out in Section 2.0.
6.1 Website Host: Wix.com
We utilise Icaris Limited to manage website presence.
6.3 Wix.com of 40 Namal Tel Aviv St., Tel Aviv, Israel, at Wix.com Inc., 500 Terry A. Francois Boulevard, 6th Floor, San Francisco, CA, 94158, or at Wix.com Luxembourg S.a.r.l, 5, rue Guillaume Kroll, L-1882 Luxembourg provide and manage the server on which the website is hosted. They can be contacted on 00 1 415-639-9034 or
7.0 DATA BREACHES
We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.
8.0 DATA CONTROLLER
The data controller of this website is: Icaris Sentinel Limited, Unit 5, Benner Road, Pinchbeck, Spalding, Lincolnshire, PE11 3TZ
9.0 DATA PROTECTION OFFICER
Alan Owen, Icaris Sentinel Limited, Unit 5, Benner Road, Pinchbeck, Spalding, Lincolnshire, PE11 3TZ
Telephone: 0845 075 8175
10.0 ICO INDEPENDENT ADVICE
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner at:
11.1 Change Log
Website Usage Policy
The term ‘Icaris Sentinel Limited’ or ‘us’ or ‘we’ refers to the owner of the website whose registered office is. The term ‘you’ refers to the user or viewer of our website.
The content of the pages of this website is for your general information and use only. It is subject to change without notice.
Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. You acknowledge that such information and materials may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.
Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.
This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
All trademarks reproduced in this website, which are not the property of, or licensed to the operator, are acknowledged on the website.
Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
From time to time this website may also include links to other websites, individuals and organisations. These links are provided for your convenience, to provide further information. They do not signify that we endorse the recipient. We have no responsibility for the content of the linked website(s).
You may not create a link to this website from another website or document without Icaris Sentinel Limited’s prior written consent.
Your use of this website and any dispute arising out of such use of the website is subject to the laws of England, Scotland and Wales.
The information contained in this website is for general information purposes only. The information is provided by Icaris Sentinel Limited and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.
Nothing in these terms and conditions excludes or limits liability for death or personal injury caused by negligence, fraudulent misrepresentation, or any other liability which may not otherwise be limited or excluded under applicable law. Icaris Sentinel Limited will not be liable, in contract, tort (including, without limitation, negligence), pre-contract or other representations (other than fraudulent or negligent misrepresentations) or otherwise out of or in connection with the terms and conditions for any:
economic losses (including without limitation loss of revenues, data, profits, contracts, business or anticipated savings); or
loss of goodwill or reputation; or
special or indirect losses suffered or incurred by that party arising out of or in connection with the provisions of any matter under these terms and conditions.
The aggregate liability of Icaris Sentinel Limited (whether in contract, tort or otherwise) for loss or damage shall in any event be limited to a sum equal to the amount paid or payable by you for any product(s) or service(s) in respect of one incident or series of incidents attributable to the same cause.
We will take all reasonable precautions to keep the details of your order and payment secure, but, unless we are negligent, we cannot be held liable for any losses caused as a result of unauthorised access to information provided by you.
Through this website you are able to link to other websites which are not under the control of Icaris Sentinel Limited. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or an endorsement of the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, Icaris Sentinel Limited takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.