Getting Ready for GDPR

Let us know what you think of our GDPR Readiness Change Plan

Posted by Kevin Whittaker on 16/01/2018

ISG – GDPR Readiness Change Plan

Two Expert Reference Group meetings have taken place to identify the changes needed to make the ISG system ready for the General Data Protection Regulation (GDPR) when it comes into force in May 2018.

These changes should help organisations meet their GDPR obligations in a seamless and timely manner.

Essential changes will be implemented in two phases in January and March 2018. Other desirable changes were also identified and added to the system's longer-term development roadmap; they will be revisited and prioritised once the essential changes are complete.

Phase 1 (to be published February 2018)

  • Allow the uploading of documents against Data Assets in the Asset Inventory. This will allow, for example, the uploading of a DPIA associated with a data asset.
  • Remove Implied / Implicit consent from the range of consent model options on the dataflow Privacy tab.
  • Capture evidence of consent where a consent model is being used.
  • Review and update the dataflow post-transfer security prompts in line with Articles 3 and 5 of GDPR.
  • Allow Privacy Notice upload or link to be added against an organisation and pull through into data flow (rather than adding to each dataflow).
  • Review and update the dataflow non-EEA prompts in line with Article 44.

Phase 2 (to be published April 2018)

  • Replace Schedule 2 and 3 conditions with Article 6 and 9 conditions.
  • Add a prompt on "Accountability" to the Privacy tab with a multi-select list of controls in line with Article 5, Paragraph 2.
  • Add Data Protection Officer (DPO) role to the system along with appropriate privileges.
  • Add PIA Approval phase (new tab) to dataflows in the system to manage DPO PIA approval.
  • Add pre-set filters to data flow lists to allow quick access to, for example:
    • Non-GDPR compliant flows (flows relying on consent models and conditions invalid under GDPR)
    • Flows coming up for review
    • Expired flows
    • Flows unsigned by current organisation
  • Add a line to the Dashboard counting potentially non-GDPR compliant flows (with link to flows).
  • Update Privacy tab section titles to reflect GDPR wording instead of DPA wording.
  • Prevent assignment of DPO and SIRO role to the same individual within the system.
  • Allow refinement of legal gateways between Data Sharing Summaries and Data Flows.
  • The presence of an organisational Privacy Notice will be taken into account when calculating an organisation’s assurance score.

Future developments

  • Codify legal gateways and purposes based on information that has previously been entered.
  • Broaden the assurance framework options and allow multi-select / additional info.
  • Upload evidence of assurance option.
  • Codify Data Items at the Asset level and select a subset of them in each dataflow.
  • Record and handle “stop processing now” messages within the system (log and notify).

Other areas to scope / explore:

  • Add Data Processing agreements to system (or better handling of them).
  • Extend DPIA support to cover all DPIAs rather than just those for external sharing arrangements.
  • Make the DPIA the starting point for data sharing agreements via the project start-up wizard.
  • Possible expansion of the Asset Inventory to provide a full Information Asset Register.

As we work through the plan, features will be released to the ISG Sandpit for preview. Check there regularly to see how things are progressing. We will advertise live system update dates in due course.

Have we missed something? Let us know what you think using the Contact tab or by e-mailing isg@mbhci.nhs.uk.