After a tasty buffet lunch, delegates were served up a strategy for good cookie practice under the GDPR through a keynote by Fedelma Good, Data Protection Strategy, Legal and Compliance Services at PwC, and Jane Foord-Kelcey, Senior Manager and Solicitor in Data Protection Strategy, Legal and Compliance Services at PwC.
The message urged audience members to anticipate direct action by the ICO in the space of cookie complaints, along with an expectation that more people understand their rights in this sphere.
“We must divulge how long the cookies in our websites and apps will exist for. A high-level audit will enable the business to understand why there are elements that need to be looked at,” Fedelma said.
Delegates were advised to examine closely the cookies being used and to ask questions about their purpose. As well as undertaking a cookie audit, you need to follow these points:
- Understand the past
- Understand the present
- Plan for the future, communicate and educate
- Test and implement
- Review and improve
- Monitor and request independent assessments
In finishing, a good (the best!) cookie recipe was described in the following steps:
- Assess your business need for first and third-party cookies
- Define strictly necessary in the context of your business (and your risk appetite)
- Move to a GDPR level of consent for all but strictly necessary cookies
- Make your cookie notice accessible, write it in plain English and ensure it is always up to date
- Implement a sustainable cookie governance policy framework
- Implement a sustainable cookie management solution
- Implement a robust and auditable cookie consent management solution
- Share your recipe!
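The audit step and the first three recipe steps above (know which cookies you set, who sets them, how long they last, and which are strictly necessary) start from an inventory. The script below is an added example, not code from the keynote, PwC or PrivSec Report: it parses Set-Cookie headers captured from a site's responses and produces that inventory. The site host, the sample headers and the strictly-necessary allowlist are all constructed for illustration, and the two-label "registrable domain" heuristic is an assumption; a real audit would use the Public Suffix List.

```python
"""Cookie inventory helper for a high-level cookie audit (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.test"  # constructed: the site being audited
# Constructed allowlist: names the business has defined as strictly necessary.
STRICTLY_NECESSARY = {"session_id", "csrf_token"}
# Fixed "now" so lifetimes computed from Expires are reproducible.
AUDIT_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (responding host, raw Set-Cookie header value)
SAMPLE_HEADERS = [
    ("www.example.test", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.test", "csrf_token=xyz; Path=/; Max-Age=3600; Secure"),
    ("www.example.test", "prefs=dark; Domain=example.test; Expires=Thu, 01 Jan 2026 00:00:00 GMT"),
    ("ads.tracker.test", "_uid=42; Domain=.tracker.test; Max-Age=63072000"),
    ("cdn.example.test", "lb=node7; Max-Age=300"),
]


def parse_set_cookie(host, header):
    """Split a Set-Cookie value into name, value, effective domain and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Without a Domain attribute the cookie is host-only (RFC 6265), so the
    # responding host is the effective domain.
    domain = attrs.get("domain", host).lstrip(".").lower()
    return name.strip(), value, domain, attrs


def registrable_domain(host):
    """Assumption: last two labels; real audits should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_first_party(cookie_domain, site_host=SITE_HOST):
    """First party when the cookie shares the site's registrable domain."""
    return registrable_domain(cookie_domain) == registrable_domain(site_host)


def lifetime_seconds(attrs, now):
    """Max-Age takes precedence over Expires; neither means a session cookie (None)."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None


def inventory(headers, now, site_host=SITE_HOST, necessary=STRICTLY_NECESSARY):
    """One row per cookie: who sets it, how long it lives, whether it needs consent."""
    rows = []
    for host, header in headers:
        name, _, domain, attrs = parse_set_cookie(host, header)
        rows.append({
            "name": name,
            "domain": domain,
            "party": "first" if is_first_party(domain, site_host) else "third",
            "lifetime_s": lifetime_seconds(attrs, now),
            "strictly_necessary": name in necessary,
        })
    return rows


def needs_consent(rows):
    """Everything outside the strictly-necessary set needs GDPR-level consent."""
    return [r["name"] for r in rows if not r["strictly_necessary"]]


def run_sample_audit():
    """Run the inventory over the constructed sample and return (rows, consent list)."""
    rows = inventory(SAMPLE_HEADERS, AUDIT_NOW)
    return rows, needs_consent(rows)


if __name__ == "__main__":
    rows, consent = run_sample_audit()
    for r in rows:
        life = "session" if r["lifetime_s"] is None else f"{r['lifetime_s']}s"
        print(f"{r['name']:<12} {r['party']:<6} {r['domain']:<18} {life:<10} "
              f"{'necessary' if r['strictly_necessary'] else 'consent'}")
    print("Needs consent:", ", ".join(consent))
```

The lifetime column is the figure the keynote says must be disclosed; the party column separates the first-party cookies the business controls from third-party ones it must justify; and the consent list is the scope for the move to GDPR-level consent. The allowlist is where "strictly necessary" gets defined for your own business and risk appetite, which is a decision the script deliberately does not make for you.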
The day’s final keynote came from Natasha Warner, Head of Privacy and Information Management at Financial Services Industry, who explored the creation of a successful privacy governance framework.
“Personal data touches every part of a modern organisation and the privacy team will likely be a very small component of that organisation’s resource. The biggest risk of non-compliance is human error, so how do we make sure we have the right people, processes and technology to manage it effectively? How do we continue to influence that larger machine?”
“Human error creeps in no matter what controls and processes we put in place; training and awareness must play a huge role in mitigating this dynamic,” Natasha continued.
Steps to success were then laid out:
- Set strategy and risk appetite: local risk registers at business-unit level can be amalgamated into the corporate risk register.
- Gain buy-in: senior sponsorship and tone from the top are crucial to success.
- Ensure procedures are sustainable: once programme resources leave, ensure availability of tools and BAU support.
- Ensure that supply chain risks are assessed: consider responsibilities outside the organisation.
“The whole organisation needs to work together if we’re to take data privacy seriously and if we’re to get data privacy right,” Natasha said, citing the words of the Information Commissioner, Elizabeth Denham:
“Accountability encapsulates everything that GDPR stands for.”
In order to get data privacy right, the following key questions were put forward:
Do we know…
- Who can access the data?
- How it was obtained?
- Why we hold it?
- How long we retain it?
- What security measures are in place?
- Where and how the data is stored?
- What personal data we process?
- The legal bases for processing?
“Influencing the business is a really hard thing. The privacy team is a really small cog in a much bigger machine. If we really want to influence the business, then we must have open and honest conversations about what the risks are, about what’s happening out there.
“We have to work together to address the gaps. Tone from the top is critical – there must be buy-in from the very top; senior management support is key to a successful privacy management programme and essential for a privacy-respectful culture.”
“Privacy professionals must ensure that businesses are using the tools that have been designed to maintain privacy. We need easy clear routes to senior management to uphold strong reporting.”
“It has to be a cycle of continuously monitoring and assessing. You have to constantly revisit and evaluate, addressing gaps and issues as they arise.”
How do we know things are going well? What signs of success do we need to look out for as a privacy community?
“Privacy should be on the board’s agenda – bosses should be asking questions and showing understanding of how privacy works, perhaps helping the company to mitigate risks and tackle data privacy issues,” Natasha said.
“Keep the framework alive by constantly assessing, being pragmatic, making sure you’ve defined your risk appetite, and involve your senior leadership team – make sure you have their backing because that will really set you up for success in the organisation.
“Finally, make sure people know where to go if they encounter problems and privacy issues,” Natasha added.
Steve Wright took to the stage for the final time to close the first day of European Data Protection Summit Manchester.
EUDPS Manchester returns tomorrow for another day packed with insightful presentations, knowledge-sharing and networking exclusively at Victoria Warehouse.
The post #Privacy: Tuesday afternoon at European Data Protection Summit Manchester appeared first on PrivSec Report.