1 General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP

2 "The GDPR is actually already in force, it is just that Member States are not obligated to apply it until 25 May 2018. It's your job, it's your company's job, to understand the risks you're creating for others and to mitigate them." Elizabeth Denham, UK Information Commissioner
"GDPR is a truly game-changing overhaul of European data protection laws that is going to impact every business, every individual and every member of public sector bodies in Europe. This means it is time for businesses, big and small across all sectors, to start preparing now because it can't be business as usual any longer. It is a law that is going to lead the standard for data protection, globally." Helen Dixon, Data Protection Commissioner of Ireland

3 Agenda
- Introductions: informal, interactive, value
- Housekeeping: fire exits, tea/coffee, lunch
- Overview
- Differences to now
- Who/what does the GDPR apply to?
- Principles
- Key areas to consider
- Rights of the individual
- Accountability & Governance
- Practical steps to take

4 What is the GDPR?
- On 25th May 2018 the General Data Protection Regulation comes into effect and all 28 EU member states will be affected
- Part evolution, part revolution: updated to take into account the technology changes of the last 20 years
- Maximum fine is now €20M or 4% of gross global turnover, whichever is greater; the previous maximum fine in the UK was £500,000
- It is the law: it needs board-level attention and guidance
- Brexit will not affect its implementation

5 The Landscape GDPR Is Entering Into
- 96% of companies still do not fully understand the EU GDPR (Symantec State of Privacy Report, Oct 2016)
- Data breaches hit an all-time record high in 2016, an increase of 40% over 2015
- The last Information Commissioner's Office survey found that 75% of adults don't trust businesses with their personal data
- At least 28,000 DPOs (Data Protection Officers) are needed to meet GDPR requirements (The Privacy Advisor, 2016)

6 Coverage Is Growing & Will Be Big! Two days of news (1st and 2nd March 2017): six articles, a year before GDPR goes live.

7 Main differences to now? The big difference: you can be fined €20m or 4% of the preceding financial year's worldwide annual turnover, whichever is the greater. To put that into perspective, the recent data breach at Tesco Bank could have made them liable for a £1.9 billion fine.

8 Main differences to now?
01 If your business is not in the EU, you will still have to comply with the Regulation
02 The definition of personal data is broader, bringing more data into the regulated perimeter
03 Consent will be necessary to process children's data
04 Changes to the rules for obtaining valid consent
05 The appointment of a data protection officer (DPO) will be mandatory for certain companies
06 The introduction of mandatory privacy risk impact assessments
07 New data breach notification requirements

9 Main differences to now?
- Individuals' rights
- Data portability
- The international transfer of data
- Privacy by design
- Data processor responsibilities
- One-stop shop

10 Principles (Article 5). Personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept for no longer than is necessary
- Processed in a manner that ensures appropriate security through technical or organisational measures

11 Accountability and Governance. What is the accountability principle? The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. You must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply
- Maintain relevant documentation on processing activities
- Where appropriate, appoint a data protection officer

12 What does getting it wrong mean? Brand damage, fines, legal action.

13 Example Real Data Leak Stories

14 It's Not Only a Big Business Issue!

15 Does It Affect Your Business and Who? Anyone that collects, records or uses the personal data of employees, customers or other people.
- Directors have liabilities: GDPR is a law
- IT has responsibility for the technology used to secure data
- HR should ensure employees are informed of, and held to, their responsibilities
- Marketing needs to think about the data it buys, collects, uses and markets to
- Sales: have a CRM system? That alone means you have to fully comply with GDPR
- Finance: do you store any financial data recorded against individuals?
- Employees are all data leak risks and need to be informed and educated on their responsibilities

16 Example: Considerations For The Marketing Department
- A specific confirmation to opt in is going to be required as the norm; no more reliance on people opting out, both B2B and B2C
- You must have clear documentation showing that your audience is happy for you to use their data
- Verify the data you hold in the likes of Hubspot, Marketo, Eloqua and Mailchimp
- Can Sales (via the CRM?) flag someone to your marketing automation system as okay to nurture or mail to, causing emails to be sent out on your behalf?
- Clear policies plus supervision of the conduct of the team (human and automated)
- Managing opt-in: initial opt-in, re-checking opt-in, and opt-out
- Maintaining the accuracy of data
- Old data? (Right to be forgotten)
- Web cookies
- Unless your attendees have opted in to being contacted, sending a simple follow-up mail could land you in hot water

17 A Truly GLOBAL Law. The GDPR applies to all companies worldwide that collect, process and deal with the personal data of individuals in the European Union (EU), regardless of those individuals' citizenship. Any company working with information relating to people in the EU will have to comply with the requirements of the GDPR, regardless of which country your organisation is in, making it the first data protection law with global reach.

18 Who does the GDPR apply to? The GDPR applies to controllers and processors. The definitions are broadly the same as under the Data Protection Act 1998 (DPA). If you are a processor, the GDPR places specific legal obligations on you directly.

19 Data Obligations for Companies
- One-stop shop: with one main establishment in the EU you deal with a single lead regulator
- Joint liability: controller and processor (cloud and outsourcing)

20 Key Areas to Consider: Consent
- The GDPR has references to both consent and explicit consent
- Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent
- Consent must be verifiable. This means that some form of record must be kept of how and when consent was given
- Individuals have a right to withdraw consent at any time

21 Individual's Rights

23 When to appoint a data protection officer? Under the GDPR, you must appoint a data protection officer (DPO) if you:
- Are a public authority (except for courts acting in their judicial capacity)
- Carry out large-scale monitoring of individuals (for example, online behaviour tracking)
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences
You may appoint a single data protection officer to act for a group of companies.

24 Breach Notifications. Under Article 33 a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a processor must notify its controller without undue delay. Under Article 34, where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay.

26 Quiz
- When does the GDPR come into force?
- What are the penalties that can be incurred?
- Who needs to be aware in your organisation?
- Who does it apply to?
- How long do you have to inform the regulator in the event of a breach?
- Are processors liable?


28 Important Areas of Consideration
- Shadow IT and its implications
- Cloud file sharing
- Mobile devices and data synching
- Data destruction

29 Cloud Specific Considerations. Create a tracking spreadsheet of all your cloud services and log:
- Where is the data physically stored?
- Where will any secondary site or backup data be located?
- Can they provide a statement of their commitment to complying with GDPR?
- If your data is stored outside the EU, what provisions do they have to protect it and comply with EU law?

30 Cloud Specific Considerations
- If they store any of your data in the USA, do they comply with Privacy Shield? (Caveat: the EU-US Privacy Shield was invalidated by the CJEU in July 2020 in Schrems II, so check which transfer mechanism, such as standard contractual clauses, the provider relies on today)
- What legal jurisdiction is your cloud service agreement held under?
- If you cancel the service, do they contractually commit to delete all your data, including backups, and how quickly?

31 What Does Good Look Like for the ICO?
- Organisation showing proactive, positive commitment
- Demonstrable proof of being pragmatic and mitigating risks
- Demonstrating intention, commitment and effort to being compliant
- Someone that knows the answers and isn't assuming them
- Documented facts and processes (checklists)
- An ongoing process
- Ideally an independent review from a GDPR practitioner or DPO (Data Protection Officer)

32 Some Actions To Take Now
- Identify someone to own the GDPR process in house
- Get on a full foundation training course and become fully aware
- Brief your management team on the headlines of GDPR and get buy-in
- Build an actionable GDPR plan for your business

33 Some Actions To Take Now
- Inform customers you are taking action
- Advise your end customers to do the same, and start educating and engaging them now
- Identify product lines aligned with GDPR (security, archiving, data destruction)
- Consider offering a DPO service for smaller clients

34 Checklist

35 12 Steps To Compliance

36 Recommendations
- Further research the subject and start preparing ASAP
- Assuredata are happy to help; it would be a fraction of the cost of a fine
- Understand where your data is, what you use it for and how you process it
- Get your staff trained on the changes and how to properly handle data
- Consider cyber liability insurance
- If in doubt, get legal advice

37 Summary
- There is a lot to do, so start planning now
- Gain buy-in from key people in your organisation
- New procedures are needed to deal with transparency and individuals' rights provisions
- The GDPR places greater emphasis on documentation and accountability
- Organisations should review their approach to governance and how they manage data protection as a corporate issue
- Get professional help

38 Questions?