GDPR Compliance Journey - 05 Policy

Gydeline
3 Apr 2018, 05:01

Summary

TL;DR: This video script from Gydeline's GDPR compliance series discusses a distinctive approach to policy creation, emphasising simplicity and applicability within organisations. It critiques the common practice of filling in generic templates and instead promotes succinct, easily enforceable policy statements that are linked to one or more policy areas and to named personnel. The script outlines a system for organising policy collections, such as cybersecurity, data protection and privacy, in which a single statement can be reused across several collections for compliance with regulations like the GDPR. The speaker also shows that a finished collection can be printed for record-keeping, with the aim of simplifying compliance.

Takeaways

  • 🗓️ The General Data Protection Regulation (GDPR) will be enforceable in seven to eight weeks from the start of April 2018 (the enforcement date is 25 May 2018), emphasising the urgency to prepare.
  • 📝 The speaker advocates for a unique approach to policy, criticizing the common practice of using generic templates that do not meet specific organizational needs.
  • 🔑 The importance of creating a 'living' policy document that is applied within the organization is highlighted, as opposed to just having a static document.
  • 📑 The script mentions the typical structure of a policy document, including an introduction, explanation, and purpose, which often leads to excessive preamble before the actual policy statements.
  • 📈 The speaker introduces a system for creating succinct, easy-to-understand policy statements that can be linked to various policy areas and individuals within the organization.
  • 🔗 Policy statements are broken down into individual components that can be applied to multiple policy collections, such as data collection, cybersecurity, and data quality.
  • 🔒 A specific example is given about the policy on collecting information for cookies without identifying individuals, which is related to the cookie policy collection.
  • 🛡️ The script discusses the creation of policy collections, such as cybersecurity, data security, data quality, backup, privacy, cookies, and retention, which are essential for GDPR compliance.
  • 📋 The retention policy is used as an example to illustrate how the purpose and scope of policy collections are defined, and how individual statements contribute to these collections.
  • 📘 The flexibility of the system allows for policy statements to be applied across multiple policy areas, streamlining compliance efforts.
  • 🖨️ Once satisfied with the policy collection, the option to print a copy of the policy is available, providing a tangible record of compliance.

Q & A

  • What is the main focus of the video script?

    -The main focus of the video script is to discuss the approach to creating and managing company policies, especially in compliance with the General Data Protection Regulation (GDPR).

  • What is the unique view on policy held by the speaker's company?

    -The speaker's company believes in creating a living policy document that is easily understandable, enforceable, and can be applied across various policy areas and individuals within the organization, rather than a static document that doesn't meet the company's needs.

  • Why does the speaker criticize the standard approach to policy creation?

    -The speaker criticizes the standard approach because it often results in a document that is not a living policy, is not applied within the organization, and is filled with unnecessary introductions and explanations before getting to the actual policy statements.

  • What is the speaker's company's approach to policy statements?

    -The company's approach involves creating succinct statements that are easy to understand and enforce, and can be linked to various policy areas and people within the organization.

  • How does the speaker's company organize policy statements?

    -The company organizes policy statements into individual statements that can be applied to multiple policy collections, allowing for flexibility and efficiency in policy management.

  • What is the purpose of the 'retention policy' mentioned in the script?

    -The purpose of the retention policy is to define the retention period for each category of information stored by the company.

  • What does the speaker mean by 'doing things once and keeping it simple'?

    -The speaker is emphasizing the importance of creating policy statements that can be applied across multiple policy areas, avoiding redundancy, and maintaining simplicity in policy management.

  • How does the company's policy system relate to the GDPR?

    -The company's policy system is designed to help organizations comply with the GDPR by providing a structured and efficient way to manage policies related to data protection, privacy, and cybersecurity.

  • What is the next topic the speaker plans to discuss after policies?

    -The next topic the speaker plans to discuss is the data protection impact assessment.

  • What is the speaker's final message to the audience?

    -The speaker's final message is to encourage the audience to find compliance simple and to look forward to the next discussion on data protection impact assessments.

Outlines

00:00

📅 Countdown to GDPR Enforcement

This paragraph introduces the urgency of the GDPR enforcement deadline, which is fast approaching in about seven to eight weeks from the start of April. The speaker emphasizes the need to quickly address compliance policies within the organization. It suggests that the standard approach of using generic templates is not effective, as it does not create a living document that is applied and enforced within the company. Instead, the speaker proposes a unique approach to policy creation that is succinct, easy to understand, and enforceable, with the ability to link policy statements to various policy areas and individuals within the organization.

📝 Simplifying Policy Statements for GDPR Compliance

The speaker discusses the company's approach to breaking down policies into individual, succinct statements that are easy to understand and enforce. These statements can be linked to various policy areas, such as data protection, cybersecurity, and privacy. The paragraph explains how policy statements are created, such as one about collecting information for cookies without identifying individuals, and how they relate to specific policy areas like data collection and cybersecurity. It also demonstrates how these statements can be grouped into policy collections, such as the cybersecurity policy collection, which includes the purpose, scope, referenced standards, and related statements.

🔒 Policy Collections and GDPR Compliance

This paragraph delves into the concept of policy collections, which are groups of policy statements that are applied to various areas of the business, including GDPR compliance. The speaker highlights the importance of having a comprehensive set of policy collections that cover areas such as cybersecurity, data security, data quality, backup, privacy, cookies, and retention. The paragraph provides an example of the retention policy, explaining its purpose to define the retention period for different categories of information and its scope, which includes all stored information. It also illustrates how individual policy statements can be applied to multiple policy areas, offering flexibility and efficiency in policy management.

🖨️ Printing and Implementing GDPR Policies

The final paragraph of the script covers finalising and printing the policy collection once the author is satisfied with its content. The speaker suggests that a well-crafted policy collection feeds other areas of GDPR compliance, such as procedures, retention and documentation. The paragraph concludes by hinting at the next topic in the series, the data protection impact assessment, and reassures the audience that the approach to policy creation and management is designed to be simple and user-friendly.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, a legal framework that sets guidelines for the collection and processing of personal information from individuals within the European Union. It is a key theme of the video as the speaker discusses the need for compliance with this regulation, emphasizing the urgency as the enforcement date approaches.

💡Policy

In the context of the video, 'policy' refers to a set of principles or rules that govern the actions of an organization, particularly in relation to data protection and privacy. The speaker criticizes the common approach of using generic templates and advocates for a more tailored, living document that is applied within the organization, as exemplified by the unique system they will demonstrate.

💡Compliance

Compliance in this video is about adhering to the GDPR's standards and requirements. The speaker highlights the importance of having policies and procedures in place that ensure an organization meets the GDPR's criteria, stressing the limited time left before the regulation becomes enforceable.

💡Living Policy Document

A 'living policy document' is a term used to describe a policy that is actively maintained and updated, as opposed to a static document that may become outdated. The speaker argues for the creation of such documents that are easily understandable, enforceable, and integral to an organization's operations.

💡Cybersecurity

Cybersecurity is a policy area that focuses on the protection of internet-connected systems, including hardware, software, and data, from theft, damage, or unauthorized access. In the script, it is one of the policy collections mentioned, indicating the importance of strong password standards as part of GDPR compliance.

💡Data Protection

Data protection involves the privacy and security of data, which is a central aspect of the GDPR. The video discusses the need for policies that ensure the proper handling and storage of personal data, in line with the regulation's requirements.

💡Data Collection

Data collection is the process of gathering and storing information, particularly personal data. The script mentions a policy statement about collecting information for cookies in a way that does not identify individuals, which reflects the GDPR's data minimisation principle: data that cannot be linked to an identifiable person is not personal data and falls outside the regulation's scope.

💡Policy Statements

Policy statements in the video are individual, concise declarations that outline specific guidelines or rules within a policy. They are designed to be easily understood and linked to various policy areas, such as data quality, data protection, and cybersecurity.

💡Data Retention

Data retention refers to how long data is kept before it is destroyed or anonymised. The speaker discusses a retention policy that defines periods for storing different categories of information, which matters for GDPR compliance because the regulation's storage limitation principle requires that personal data be kept no longer than necessary for its purpose.

💡Privacy

Privacy in the context of the video relates to the right of individuals to have their personal data kept secure and private. The speaker mentions privacy as one of the policy areas that must be addressed to ensure GDPR compliance, reflecting the regulation's emphasis on individual privacy rights.

💡Data Protection Impact Assessment (DPIA)

A DPIA is a process, required under Article 35 of the GDPR for processing likely to result in a high risk, of evaluating the potential risks of proposed processing operations to the rights and freedoms of individuals. The speaker mentions that they will discuss DPIAs in a future segment, indicating the importance of this assessment in ensuring GDPR compliance.

Highlights

Start of April means 7-8 weeks until GDPR becomes enforceable, emphasizing urgency

Standard approach criticised for using generic Word templates that don't meet specific needs

Proposed approach involves creating a living policy document that is applied within the organization

Traditional policies often have 3 pages of description before actual policy content

Introduces a system with succinct statements that are easy to understand and enforce

Policy statements can be linked to various policy areas and people within the organization

Demonstrates breaking down policies into individual statements for clarity and applicability

Example given of a policy statement on collecting information for cookies without identifying individuals

Policy statements can be part of multiple policy collections, such as cybersecurity and data protection

Shows how a single policy statement (data is only collected from reliable and reputable sources) is applied across data quality, data protection and cybersecurity

Policy collections are organized by areas like data security, data quality, privacy, etc.

Retention policy defines the period for storing information and applies to all stored data

Policy statements can be flexibly assigned to multiple policy areas, like financial regulations

Emphasizes the ability to do things once and apply them across collections for simplicity

Option to print policy collections for a tangible copy of the policy

Praises the policy capturing and recording method for its ease of use

Sets the stage for discussing procedures and documentation needed for GDPR compliance

Teases upcoming discussion on data protection impact assessments

Transcripts

00:00 Hi and welcome back to the Gydeline GDPR compliance journey. It's now the start of April, so that means we've got seven or eight weeks to go until the GDPR becomes enforceable, so a lot to do for not much time. So let's crack on with policy.

00:22 Now, policy is something that we have quite a unique view on here at Gydeline, because having worked in lots of big businesses and very small businesses, the standard approach seems to be to get a Word template, complete the company name, and have a document that doesn't really meet what you need, isn't really a living policy document and doesn't get applied in your organisation. What we typically see is an introduction and explanation of the document: why it's needed, what it's for, what the purpose of it is, who's included, these sorts of things. You end up with three pages of description before you even get to any policy.

01:03 So we have a different approach. We have a system, which I'll show you in a minute, and we have lots of very succinct statements that are easy to understand and that are easily enforceable, and we can link those statements to any number of policy areas and to any people within the organisation. So we think it's a much simpler approach, and I'm going to take you through some of those areas that apply to the GDPR.

01:30 So, as I said, we break down our policies into a number of individual policy statements. We can see here at the top we have a statement about collecting information for cookies, and we're doing so in a way which does not identify anybody, and you can see that's related to the policy collection on cookies. If we look down further we've got various other policy statements. This one, "all passwords must be strong and meet password standards", goes into our cybersecurity policy collection. In this way we can create a whole number of statements which can then be applied into a number of policy collections. So as an example, "collection of data is only made from reliable and reputable sources", which can be applied to data quality, data protection and to cybersecurity.

02:30 If we go back and look at the password standards policy statement again, and if we click on cybersecurity, we can see information about the cybersecurity policy collection: its purpose, its scope, the standards that are referenced, and all the statements that go together to make up that policy collection.

02:53 So let's now jump to our policy collections. We've got a large number of collections across the business, but for now let's focus on our GDPR policy collections, and you can see that this is made up of various areas. So we've got cybersecurity, data section, data quality, backup, privacy, cookies, retention and so on.

03:15 If we look at the retention policy, we can see that the purpose is to define the retention period for each category of information stored by the company, and that the scope is all stored information. Further down we have the individual policy statements that make up this policy, and we can also see that there are some statements, this one for example on records relating to pension schemes, that will apply in one or more policy areas. So this gives us the flexibility to assign this one not just to information retention but also to financial regulations that we might also have to comply with. So this means that we can do a policy statement once and apply it across a number of collections, and that really is at the heart of what Gydeline does: do things once and keep it simple.

04:09 Once I'm happy with my policy collection, I then have the option to click print and I can print a copy of my policy.

04:21 So I hope that gives you an idea of how we capture and record policy. We like it, we think it's very easy to use, and that really sets us up nicely for a number of other areas of the GDPR we need to look at in terms of procedures, what our retention might look like, and some of the documentation we need to do, which can all be fed from those policies that we've put in place. So that's it for policy. We'll be back very soon to talk about the data protection impact assessment, and until then, we hope you find your compliance simple.


Related Tags
GDPR Compliance, Policy Management, Data Protection, Cybersecurity, Data Quality, Privacy Policy, Retention Policy, Cookie Law, Compliance Tools, Regulatory Standards