Speaking at the IAPP Data Protection Intensive 2019 conference in London, panel moderator Kabir Barday, CEO of OneTrust, asked “How the UK’s Data Protection Act 2018 Impacts Your GDPR Programme.”
Julie Varcoe-Cocks, head of ethics, regulatory and compliance and data protection officer of Serco, said that the new Data Protection Act (DPA) has “more focus on the rights of the individual” as well as details on control of data, and that the Information Commissioner’s Office (ICO) has instructed that businesses should be ready for audits.
She went on to talk about gathering data and understanding exemptions, and said that “having consistency is a challenge.” One way to achieve consistency, she suggested, is to have a playbook that refines your processes and demonstrates how the company operates and which exemptions it applies.
Kasey Chappelle, DPO of GoCardless, added that a playbook can help lay out what you do, and you should base it on what the law requires and the requirements of the DPA. “Write it down and make sure people understand it,” she said.
Speaking to Infosecurity, Chappelle said that the first step in building a playbook is to look at what the company does, and that it should be tailored to the company “to answer the questions that they are asking and build it into their documentation, procedures and handbooks, and it is all pulled together in our portal so it is easy to find.”
Expanding on that first step, Chappelle said that it is important to figure out what you’re doing and what your company’s documentation is. “We have an obligation to meet privacy by design and if I built a process that followed that privacy by design process, I guarantee you that my product design team would completely ignore it,” she said. “So I started the other way around: how do we develop products in this organization, what are the documentations that are provided, what are the decisions that are made, how do I understand how I insert myself into those points to understand those decisions and help where necessary?”
The panel also covered the role of the ICO, noting that its power to stop an organization from processing data is often a greater threat than the monetary penalty, and that the DPA 2018 also made it a new criminal offence to “intentionally re-identify” de-identified personal data.