
#CyberSafeLambeth

Funded by City Bridge Trust, the #CyberSafeLambeth initiative offers free GDPR training for charities in Lambeth

Individuals who lead IT within charities will be able to attend free General Data Protection Regulation (GDPR) compliance and cybersecurity training, where they will receive expert guidance, support and instruction, thanks to new funding from City Bridge Trust.

#CyberSafeLambeth is a training programme that educates IT Manager level staff in local charities about GDPR and offers insight and knowledge to overcome cybersecurity threats and work more effectively.

The in-depth training programme will run across a number of days and will educate Lambeth-based charity IT professionals about key aspects of cybersecurity and the implications of GDPR, which comes into force from 25 May 2018.

The programme, which is being funded by City Bridge Trust, will require all trainees to commit to help at least one other, smaller Lambeth charity through The Integrate Agency CIC’s innovative ‘Hire a Volunteer’ platform.

This world-class training opportunity will be available to Lambeth-based IT-manager-level charity professionals. Each will be taught about threats and trends within the industry, giving them the skills and know-how to confidently meet the requirements of GDPR.

Eoin Heffernan, Founder of Integrate said: “We are delighted to be able to offer cybersecurity training to local charities and reach out to train charity IT professionals working in the London Borough of Lambeth.


#CyberSafeLambeth

  1. GENERAL DATA PROTECTION REGULATION (www.integrateagency.co.uk)
  2. Schedule (#CyberSafeLambeth | @IntegrateUK)
     - 09:00 – 09:30 Introductions
     - 09:30 – 10:30 Module 1 - GDPR Fundamentals and Principles
     - 10:30 – 10:45 Break
     - 10:45 – 12:00 Module 2 - Rights of the Data Subject
     - 12:00 – 12:45 Lunch
     - 12:00 – 14:00 Module 3 - Controllers and Processors (including Security of Processing)
     - 14:00 – 14:20 Break
     - 14:20 – 15:00 Module 4 - Liabilities and Penalties
     - 15:00 – 15:30 Module 5 - Supervisory Authorities
     - 15:30 – 16:30 Module 6 - Steps to Preparation and the Road to Compliance
     - End of Session and Close
  3. Module 1: GDPR Fundamentals and Principles
  4. Overview
     - Where does it come from? 'How do we collect data'
     - What do we do with it? 'How do we process and store data'
     - Where does it go? 'Who do we share data with'
  5. GDPR Article Flow
     - Point of data capture: Article 24 – Responsibility of the Controller; consider Article 6 – Lawfulness of Processing, Article 7 – Condition for Consent, Article 7 – Contract, Article 13 – Privacy Statement
     - Rights of the Data Subject: Article 12 – Transparent information; Article 13 – Information to be provided (Privacy Statement); Article 14 – Information to be provided; Article 15 – Right of access; Article 16 – Right to rectification; Article 17 – Right of erasure ('to be forgotten'); Article 18 – Right to restriction of processing; Article 19 – Notification obligation; Article 20 – Right to data portability; Article 21 – Right to object; Article 22 – Automated decision making & profiling
     - Data type: consider Article 9 – Special Categories
     - Data storage & processing: Article 32 – Security of processing; Article 35 – Privacy Impact Assessment; Article 25 – Privacy by Design / Default
     - Processor (hosted or on premise): consider Article 28 – Processor
  6. GDPR Article Flow – Evidence, Article 5(2): 'The controller shall be responsible for, and be able to demonstrate compliance'
  7. GDPR Article Flow – Evidence, Article 30: 'Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility'
  8. Background – European Law
     - Directives lay down certain results that must be achieved, but each Member State is free to decide how to transpose directives into national laws.
     - Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States.
     - General Data Protection Regulation (EU) 2016/679 (GDPR) comes into effect 25th May 2018, replacing EU Directive 95/46/EC - the Data Protection Directive.
     - The UK 'Data Protection Act 1998'
     - GDPR introduces a single set of rules to all EU member states and extends the scope of EU data protection law to all foreign companies processing data of EU residents.
     - THE GOVERNMENT HAS CONFIRMED THAT THE UK'S DECISION TO LEAVE THE EU WILL NOT AFFECT THE COMMENCEMENT OF THE GDPR.
  9. General Data Protection Regulation – So, what does GDPR actually do? Main points:
     - It defines what is meant by 'personal data'
     - It confers rights on 'data subjects'
     - It places obligations on 'data controllers' and 'data processors'
     - It creates principles relating to the processing of personal data
     - It provides for penalties for failure to comply with the above.
  10. GDPR Content Breakdown
  11. GDPR Content Breakdown – 173 Recitals of explanatory text; 11 chapters covering 99 Articles:
     - General provisions
     - Data protection principles
     - Rights of the data subject
     - Obligations on controllers and processors
     - Transfer of personal data to third countries or international organisations
     - Independent supervisory authorities
     - Cooperation and consistency between member states
     - Remedies, liability and penalties
     - Provisions relating to specific processing situations
  12. General Provisions
  13. GDPR General Provisions – Article 5(2): "The controller shall be responsible for, and be able to demonstrate, compliance with the principles." The onus is on data controllers and processors to demonstrate compliance:
     - Review all contracts
     - Review Privacy Statement (web and paper)
     - Joint responsibility throughout the supply chain
     - Both must have robust security measures – regularly tested and certified
     - Processors must report breaches to controllers and must assist with investigations
     - Both could be subject to penalties.
  14. Personal Data Definition – Mostly Unchanged, Article 4(1)
     - European Commission Statement: "Personal data is any information relating to an individual, whether it relates to his or her private, professional* or public life. It can be anything from a name*, a photo*, an email address*, bank details, posts on social networking websites, medical information, or even a computer's IP address."
     - Art. 4(1): "Personal data" means any information relating to an identified or identifiable person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
     - *staff information we publish on the web
  15. Principles
  16. DPA vs GDPR Principles (Article 5)
     - DPA: Fair and lawful processing
       GDPR: Lawfully, fairly and in a transparent manner
     - DPA: Specified and lawful purposes (and not incompatible)
       GDPR: Collected for specified, explicit and legitimate purposes (and not incompatible); further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
     - DPA: Adequate, relevant and not excessive
       GDPR: Adequate, relevant and limited to what is necessary (data minimisation; pseudonymisation as soon as possible)
     - DPA: Accurate and up-to-date
       GDPR: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  17. DPA vs GDPR Principles (Article 5), continued
     - DPA: Not kept for longer than is necessary
       GDPR: Kept in a form which permits identification of data subjects for no longer than is necessary; longer periods possible if processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
     - DPA: Appropriate security
       GDPR: Ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
     - DPA: Not transferred outside the EEA
       GDPR: Gone – GDPR compliance requirements should ensure that any non-EEA or cross-border processing is secure, legal and compliant
  18. DPA vs GDPR – Sensitive Personal Data (Article 9)
     - DPA "Sensitive Personal Data": Racial or ethnic origin; Political opinions; Religious or similar beliefs; Trade union membership; Physical or mental health; Sexual life; Offences and criminal proceedings; Biometric data – not included; Genetic data – not included
     - GDPR "Special Conditions": Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade union membership; Health; Sex life or sexual orientation; Criminal convictions and offences or related security measures are not sensitive and are treated separately; Biometric data for the purpose of uniquely identifying a natural individual; Genetic data
     - A biometric is "A measurable physical characteristic or personal behavioural trait used to recognise the identity of an enrolee or verify a claimed identity." Face is then a biometric. Scars or tattoos can be if they are able to do the above. The same biometric can be in many forms - photographs, digital images.
  19. Principles – Article 5. Personal data shall be:
     - Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
     - Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
     - Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
     - Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified ('accuracy');
     - Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation');
     - Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
  20. Lawfulness of Processing
  21. Lawfulness of Processing – Article 6
     a. Consent
     b. Contract
     c. Legal obligation
     d. Vital interests
     e. Public interest
     f. Legitimate interests
  22. Processing Data (Article 9)
     - What data is actually required?
     - Why is it held – legal basis
     - Data minimisation – hold as little as is required to deliver the function
     - Who processes it? Capture and further processing
     - 'Need to know' access – potential impact on culture?
     - How is it processed? When is it processed?
     - Data return or disposal?
     Define the lawful basis for processing data:
     - 6(1)(a) – Consent of the data subject
     - 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
     - 6(1)(c) – Processing is necessary for compliance with a legal obligation
     - 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
     - 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
     - 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
  23. Consent – Article 7: FREELY GIVEN, INFORMED, SPECIFIC AND EXPLICIT
     - Ability to withdraw consent – intelligible and easily accessible form, with clear and plain language
     - Not to be implied: requires a clear statement, or positive affirmative action, and distinguished from other matters
  24. Consent – Article 7 (cont.): CONTROLLER MUST DEMONSTRATE THAT THE DATA SUBJECT HAS GIVEN CONSENT
     - Must be as easy to withdraw as it is to give consent
     - If not appropriate, use another lawful basis
     - Inform data subjects that they have the right to withdraw consent at any time
  25. Module 2: Rights of the Data Subject
  26. Privacy – Privacy procedures: what changes are needed?
     - There is no one-size-fits-all; the content of these procedures should be based on an organisation's processing operations and current risk processes and procedures
     - You will need to consider how these requirements will be met in the HR context and document the measures taken to ensure compliance in each case
     - The GDPR introduces new privacy concepts and requirements, for example: 1. Privacy by design and default; 2. DPIAs; 3. New data subject rights; 4. Mandatory breach notification
  27. Rights of the Data Subject – DATA SUBJECT RIGHTS
     - Information (Articles 13 and 14)
     - Access (Article 15)
     - Rectification (Article 16)
     - Erasure (right to be forgotten) (Article 17)
     - Restrict processing (Article 18)
     - Data portability (Article 20)
     - Object to processing (Article 20)
     - Automated decisions and/or profiling (Article 20)
  28. Rights of the Data Subject – PRIVACY PROCEDURES: DATA SUBJECT RIGHTS. Points to consider and include in the procedure:
     - New data subject rights covered
     - Time periods for complying with requests
     - How to identify requests
     - How is a request processed
     - What are the criteria for approving or refusing a request
     - How are decisions documented
     - How are requests to extend the time period for responding documented, and what are the organisation's criteria for requesting an extension
     - Who should own this procedure
     - How often should this be reviewed and updated
     - How can compliance be monitored / demonstrated
  29. Transparency and Modalities – Article 12
     - Obligation on the controller to provide information in a legible format, usually by electronic means
     - Controllers can provide information verbally to a verified data subject
     - Obligation to facilitate the rights of the data subject
     - Required to act upon SARs without undue delay or within one month
     - Can extend a further 2 months, but must notify the reason for delay within one month
     - No charge for copies of data unless manifestly unfounded or excessive
  30. Privacy Notices – Article 13: Information to be Provided where Personal Data are Collected from the Data Subject
     1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
        a. The identity and the contact details of the controller and, where applicable, of the controller's representative;
        b. The contact details of the data protection officer, where applicable;
        c. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
        d. The recipients or categories of recipients of the personal data, if any;
        e. Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.
  31. Privacy Notices – Article 13 (cont.)
     2. In addition, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
        a. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
        b. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability.
        c. Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  32. Privacy Notices – Article 13 (cont.)
        d. The right to lodge a complaint with a supervisory authority.
        e. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data.
        f. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
     3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information.
  33. Rights of the Data Subject – RIGHT OF ACCESS, Article 15
     - The right exists now, but the response period is reduced to 1 month, down from 40 days – but can be extended if complex
     - Can no longer charge £10 for processing, but can charge a 'reasonable fee' when a request is manifestly unfounded or excessive, particularly if it is repetitive
     - Responses must provide context as to why the data is held
  34. Subject Access Requests – Article 15. CONTROLLER MUST INFORM INDIVIDUAL OF:
     - Purposes of processing
     - Categories of data
     - Source of data
     - Any automated decision making
     - Transfers of data
     - Storage period
     - Right to request rectification/erasure or restriction of processing or objection
     - Right to complain to supervisory authority and seek judicial remedy
     NO FEE. Recipient has 1 month (not 40 days) to respond. Can refuse or charge for requests if manifestly unfounded or excessive.
  35. Rights of the Data Subject – Article 16: RIGHT TO RECTIFICATION. Must be actioned within 1 month.
  36. Rights of the Data Subject – Article 17: RIGHT TO ERASURE. Does not provide an absolute 'right to be forgotten' but allows for personal data to be erased and to prevent processing in specific circumstances:
     - Where the data is no longer necessary in relation to the purpose for which it was originally collected/processed
     - When the individual withdraws consent
     - The data was unlawfully processed (i.e. otherwise in breach of the GDPR)
     - The data has to be erased in order to comply with a legal obligation
     Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if processing causes damage or distress, this is likely to strengthen the case for erasure.
  37. Rights of the Data Subject – Article 18: RIGHT TO RESTRICT PROCESSING
     - Accuracy is contested
     - Unlawful processing
     - No longer required, but the data subject opposes erasure
     - Objects to processing (21/1)
  38. Rights of the Data Subject – Article 19: NOTIFICATION OBLIGATION REGARDING RECTIFICATION OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING
  39. Rights of the Data Subject – Article 20: Right to Data Portability. Allows individuals to obtain and reuse their personal data for their own purposes across different services. The right to data portability only applies:
     - To personal data an individual has provided to a controller;
     - Where the processing is based on the individual's consent or for the performance of a contract; and
     - When processing is carried out by automated means (not paper)
     DATA MUST BE AVAILABLE WITHIN 1 MONTH OF THE REQUEST
  40. Rights of the Data Subject – Article 21: RIGHT TO OBJECT
     - Right to prevent direct marketing
     - Immediate effect upon receipt
     - No exemptions or grounds to refuse
  41. Rights of the Data Subject – Article 22: RIGHT TO PREVENT AUTOMATED DECISION-MAKING AND PROFILING
     - INDIVIDUALS HAVE THE RIGHT NOT TO BE SUBJECT TO A DECISION WHEN: it is based on automated processing; and it produces a legal effect or a similarly significant effect on the individual.
     - MUST ENSURE THAT INDIVIDUALS ARE ABLE TO: obtain human intervention; express their point of view; and obtain an explanation of the decision and challenge it.
     - THE RIGHT DOES NOT APPLY IF THE DECISION: is necessary for entering into or performance of a contract; is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or is based on explicit consent (Article 9(2)).
  42. Rights of the Data Subject – Article 22 (cont.)
     - GDPR DEFINES PROFILING AS ANY FORM OF AUTOMATED PROCESSING INTENDED TO EVALUATE CERTAIN PERSONAL ASPECTS OF AN INDIVIDUAL, IN PARTICULAR TO ANALYSE OR PREDICT THEIR: performance at work; economic situation; health; personal preferences; reliability; behaviour; location; movements.
     - PROFILING MUST ENSURE THAT APPROPRIATE SAFEGUARDS ARE IN PLACE: fair and transparent – providing information about the logic involved, the significance and the envisaged consequences; technical and organisational measures in place to enable inaccuracies to be corrected and minimise the risk of errors; secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
     - AUTOMATED DECISIONS MUST NOT: concern a child; or be based on the processing of special categories of data unless you have the explicit consent of the individual, or the processing is necessary for reasons of substantial public interest on the basis of State law.
  43. Module 3: Controllers & Processors
  44. The Controller – Responsibilities, Article 24. Things to consider:
     - Obliged to implement appropriate technical and organisational controls
     - Be able to demonstrate that processing is in accordance with the regulation
     - Appropriate data protection policies and procedures are in place
     - Must only use processors who provide sufficient guarantees they will comply with GDPR
     - Must ensure appropriate contracts are in place with processors
     - Records of processing
     - Cooperation with supervisory authorities
  45. The Processor – Article 28
     - CONTROLLER SHALL ONLY USE PROCESSORS PROVIDING SUFFICIENT GUARANTEES
     - Processor shall not engage another party without prior authorisation
     - CONTRACTS WITH PROCESSOR MUST BE BINDING AND SET OUT: subject matter and duration of processing; nature and purpose; type of personal data; categories of data subjects; obligations and rights of controller; specific terms to be included in the contract (Article 28)
  46. Security of Processing
  47. SO WHAT TIME IS IT ANYWAY..!!
  48. Simple or Complex..!!
     - Prevent unauthorised access
     - Review the process and procedure
     - Stop: loss, theft, compromise of data
  49. Information Security Training
     1. eLearning package
     2. Educational emails
     3. Organisational policy
     4. Presentations
     5. Posters
     6. Screen saver
     7. Staff handbook
     8. Information security web portal
     9. Bulletin
     10. News
     11. Induction
  50. Discussion – Part 1: This is you. ATTACK!! This is your target.
  51. WWW – PHISHING – SCAM – !WARNING – RANSOMWARE
  52. Common Failings
     1. Checking ID/credentials – challenging visitors
     2. Clear desk/screen
     3. Attention to detail (email, letters, policy)
     4. Regular accountability/audit
     5. Personal accountability/knowledge (digital competence)
     6. Situation/third party awareness
     7. Vigilance/double checking
     8. The basics (password protection)
     9. Clicking links
     10. System updates and patches
     11. Anti-virus – encryption
     12. MDM – Mobile Device Management
     13. Opening attachments
     14. Human error
     15. Common sense
  53. A. Assume Nothing. B. Believe No One. C. Check Everything.
  54. Discussion – Part 2: This is you. DEFEND!! This is your threat.
  55. Prevent, Detect, Deter
     - Firewall
     - IPS/IDS
     - Web/mail filter
     - Anti-virus
     - Encryption
     - Backup (read-only, encrypted)
     - Patch management
     - Access control
     - Manage risk
     - OWASP
     - Cloud (PaaS, SaaS, IaaS)
     - DR/BCP
  56. Secondary Breach
  57. Security and Data Breaches – Article 32. Security of personal data, key measures:
     - Pseudonymisation and encryption
     - Confidentiality, integrity, availability and resilience of processing systems and services
     - Ability to restore availability and access in a timely manner after an incident
     - Process for regularly testing the measures
     Take into account the risks of: accidental/unlawful destruction; loss; alteration; unauthorised disclosure of, or access to, personal data.
  58. Mandatory Breach Notification – Article 33/34
     - A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
     - GDPR INTRODUCES A DUTY ON ALL ORGANISATIONS TO REPORT WITHIN 72 HOURS CERTAIN TYPES OF DATA BREACH TO THE ICO, AND IN SOME CASES TO THE INDIVIDUALS AFFECTED: WHERE A BREACH IS LIKELY TO RESULT IN A HIGH RISK TO INDIVIDUAL(S) THEY MUST BE NOTIFIED DIRECTLY. A 'HIGH RISK' MEANS THE THRESHOLD FOR NOTIFYING INDIVIDUALS IS HIGHER THAN FOR NOTIFYING THE RELEVANT SUPERVISORY AUTHORITY.
     - Must review our internal reporting procedures and training
     - Must maintain records of reports and investigations
  59. Privacy By Design – Article 25
     - Privacy Impact Assessments for all new systems or processes where personal data is processed
     - Regular risk assessments
     - Documented mitigation
     - Justification for accepting risk
     - Identify all overseas processing – how is it justified?
     - Review contracts
     - Determine the supervising authority (local ICO equivalents)
     - Pseudonymous data: some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. GDPR explicitly encourages organisations to consider pseudonymisation as a security measure. It can allow organisations to satisfy their obligations of "privacy by design" and may be used to justify processing that would otherwise be deemed "incompatible" with the purposes for which the data were originally collected – could help with the legitimate interest problem.
  60. 60. 60 Privacy Impact Assessments for all new systems or processes where personal data is processed Regular Risk Assessments Documented Mitigation Justification for accepting risk #CyberSafeLambeth | @IntegrateUK DPIA Article 35
  61. 61. 61 #CyberSafeLambeth | @IntegrateUK Prior Consultation THE CONTROLLER SHALL CONSULT THE SUPERVISORY AUTHORITY PRIOR TO PROCESSING WHERE A DATA PROTECTION IMPACT ASSESSMENT UNDER ARTICLE 35 INDICATES THAT THE PROCESSING WOULD RESULT IN A HIGH RISK IN THE ABSENCE OF MEASURES TAKEN BY THE CONTROLLER TO MITIGATE THE RISK. Article 36
  62. 62. 62 Data Protection Officer #CyberSafeLambeth | @IntegrateUK
  63. 63. 63 Data Protection Officers (DPO) Required in certain cases Core activities of the controller or processor involve Regular or systematic monitoring of data subjects on a large scale; or Large scale processing of special categories of data Single DPO for a Group, provided he/she is easily accessible Professional qualities, knowledge and ability required Can be an employee, or contractor #CyberSafeLambeth | @IntegrateUK Other Requirements Article 37/38/39
  64. 64. 64 #CyberSafeLambeth | @IntegrateUK Data Protection Officer (DPO) “I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.” - Elizabeth Denham, The Information Commissioner Article 37/38/39
  65. 65. 65 #CyberSafeLambeth | @IntegrateUK Module 4 Penalties & Liabilities
  66. 66. 66 #CyberSafeLambeth | @IntegrateUK Data Breach The data controller shall without undue delay and where feasible, and not later than 72 hours notify the supervisory authority of a personal data breach Exception: when the data breach is not High Risk to Data Subject When notification is not made within 72 hour, this shall be accompanied with reasons for delay When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Article 33/34 Article 33 Article 34
  67. 67. 67 #CyberSafeLambeth | @IntegrateUK Liabilities and Penalties COMPENSATION Article 82 For material and non-material damage Liability of controllers and processors
  68. 68. 68 #CyberSafeLambeth | @IntegrateUK Fines Article 83 THIS WILL PROBABLY OPEN US UP TO MORE ACCESS REQUESTS AND MORE COMPLAINTS Fines up to €20 million or 4% of global turnover for a data breach (deliberate or accidental loss) Fines up to €10 million or 2% of global turnover for non compliance of processing records or non appointment of Data Protection Officer
  69. 69. 69 #CyberSafeLambeth | @IntegrateUK Module 5 Supervisory Authority
  70. 70. 70 #CyberSafeLambeth | @IntegrateUK Supervisory Authority Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’). Article 51
  71. 71. 71 #CyberSafeLambeth | @IntegrateUK Supervisory Authority Tasks Each supervisory authority shall (sample of A.57) Monitor and enforce the application of this Regulation; Promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention; Promote the awareness of controllers and processors of their obligations under this Regulation; Upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end; Handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary; Cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation; Conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority; Conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; Keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and Fulfil any other tasks related to the protection of personal data. Article 57
72. Supervisory Authority Tasks – Investigative Powers
Each supervisory authority shall have all of the following investigative powers (sample of Article 58):
To order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
To carry out investigations in the form of data protection audits;
To notify the controller or the processor of an alleged infringement of this Regulation;
To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
(Article 58)
73. Supervisory Authority Tasks – Corrective Powers
Each supervisory authority shall have all of the following corrective powers (sample of Article 58):
To issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
To issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
To order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
To order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
To order the controller to communicate a personal data breach to the data subject;
To impose a temporary or definitive limitation including a ban on processing;
To order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
To withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
To impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
To order the suspension of data flows to a recipient in a third country or to an international organisation.
(Article 58)
74. Module 6 - Steps to Compliance
75. Road to Compliance
1. Awareness – decision makers and key people
2. Information – document what you hold
3. Communicating privacy information – privacy notices
4. Individuals’ rights – facilitate data subject rights
5. Subject access requests – update procedures
6. Legal basis for processing – identify and document
7. Consent – review how you obtain and record consent
8. Children – review consent processes for minors
9. Data breaches – processes for detecting and reporting
10. Data protection by design and DPIA
11. Data protection officers – appoint one if required
12. International transfers – ensure appropriate legal basis
76. What Organisations Must Do (in a nutshell)
Implement “Privacy by Default” and “Privacy by Design”
Maintain appropriate data security
Notify of data breaches
Get appropriate consent for most personal data collection and provide notification of personal data processing activities
Get a parent’s consent to collect data for children under 16?
Keep records of all processing of personal information
Appoint a Data Protection Officer (if applicable)
Take responsibility for the security and processing activities of third-party vendors
Conduct Data Protection Impact Assessments on new processing activities
Institute safeguards for cross-border data transfers
Consult with regulators before certain processing activities
Be able to demonstrate compliance on demand
Provide appropriate data protection training to personnel having permanent or regular access to personal data
77. Next Steps
The GDPR – “accountability” and “demonstrating compliance”. What does this mean in practice? “Just write stuff down...”
1. Appropriate policies and procedures
2. Training and awareness
3. Record keeping
4. Auditing, testing and monitoring compliance
5. Internal reporting
6. Documenting risk decisions
7. Evidence in process and procedure
78. Next Steps – Training
It is vital that understanding and awareness of data protection is live within an organisation.
All individuals and processor personnel who process or have access to personal data must be trained on their obligations under the GDPR.
Training must be monitored and tracked, completion rates set for compliance and escalation processes put in place if training is not completed.
Training should take place regularly, not just on induction.
High risk or high volume processing should have specific bespoke training provided, for example in relation to health data, diversity monitoring data and criminal conviction checks.
79. Next Steps – Specific Issues
Recruitment – do you provide applicants with an appropriate privacy notice explaining how their personal data will be used? Do you ensure that the personal data collected at each stage of the recruitment process is proportionate and necessary? Do you have clear arrangements with recruitment agencies?
Background checks – are these proportionate and only carried out once a job offer has been made?
Legal basis for processing – do you ask for consent when you have another legal basis for processing (e.g. the processing is necessary for you to comply with law or a duty on you as an employer)? Is your employee monitoring lawful?
Privacy notice – do you provide employees with a clear and transparent privacy notice explaining how their personal data is used and explaining their rights as a data subject?
Policies and processes – have you reviewed your data policies and processes for handling personal data?
Privacy assessments – do you carry out a privacy impact assessment prior to any new project?
Third party data processors – have you reviewed your contracts with third parties to ensure that they comply with the requirements of GDPR?
Subject access requests – do you have sufficient resource to deal with a likely increase in data subject access requests? Can you use technology to simplify finding and identifying information that may be disclosable?
Data minimisation – the scope of a subject access request can be reduced by minimising the amount of personal data you hold. Do you have a records retention policy in place? Are HR personnel and line managers aware that records they retain may be disclosable?
80. Next Steps – What You Need to Do Now
Create an information asset register – what personal information do you hold, and where, why, how and with whom do you process it?
Review your recruitment processes and template documentation; map out your processes and procedures and align them with the GDPR Articles.
Review your employee privacy notices to ensure they meet the new requirements.
Review your processes and systems for dealing with data subjects’ rights and for monitoring employees.
Implement data governance policies, measures and training to ensure your HR department operates in accordance with the requirements of the GDPR.
Review your contracts with recruitment agencies and employment businesses.
Review your supply chain arrangements with data processors, such as IT and outsourced service providers.
Review the data you hold and your data retention policies and practices.
81. Actions Required – Information Audit
[Worksheet: column headings and the values appearing under each; the row layout is not preserved in this transcript.]
WHAT – Type: Name; Address; Contact Details; Health Details; CV; Reference; CRB Check; Passport Details; Work Permit; Appraisals; Annual Leave; Disciplinary; Tax/NI; Bank Account; Pension Details (current staff member) / Name; Contact Details (emergency contact) / Names; Address; Email; Mobile Phone (existing students) / Names; Address; Email; Mobile Phone (potential students) / Names; Email (enquiries)
WHAT – Source: Individual; Third Party; Individual/Third Party; Not sure – find out
WHY: Staff Admin; Direct Marketing
WHY – Legal Basis: Contract; Legal Obligation; Legitimate Interests – Staff Management; Vital Interests; Consent
WHEN – Originally: Pre-Appointment; Appointment; At the time; At Request; First Contact; Web Enquiries; Not sure – find out
WHEN – Updated: As required; Never; Annually; When notified; Annual Enrolment; Not applicable; Not sure – find out
Retention Period: Termination of Employment + 6; Copy not retained, record of number only; 3 years; End of Financial Year + 6; Termination of Employment + 70; Until staff leave; End of relationship unless enrolled in Alumni or consent withdrawn; End of relationship or consent withdrawn; Not sure – find out
WHERE: HRMIS hosted on premise, NCG Data Centre; NCG Finance System hosted on premise, NCG Data Centre; Held on a 3rd party cloud server hosted in the US; Not sure – find out
WHO: Current staff member; Emergency Contact; Existing Students; Potential Students; Enquiries
Determined by: Employment Law/Limitation Law; CRB Code of Practice; Standard Practice; Tax Law; Employment Law; Duty of Care?; Data Protection; Not sure – find out
82. Resources
83. Resources
https://gdpr-info.eu/
https://ico.org.uk/
84. Marketing
85. Obtaining Consent
Use opt-in boxes
Specify methods of communication: Email, Text, Phone, Recorded Call, Post
Ask for consent to pass details to third parties for marketing, and name or clearly describe those parties
Record when and how consent was gained and exactly what it covers
86. Bought-in Lists
Check the seller is a member of a professional body or accredited in some way
The product, service or ideals we are marketing are the same or similar to those that the individuals originally consented to receive marketing for
We only use the information on the lists for marketing purposes
We delete any irrelevant or excessive personal information
We screen the names on bought-in lists against our own list of people who say they don't want our calls (suppression list)
We carry out small sampling exercises to assess the reliability of the data on the lists
We have procedures for dealing with inaccuracies and complaints
When marketing by post, email or fax we include our company name, address and telephone number in the content
We tell people where we obtained their details
We provide people with a privacy notice (where it is practicable to do so)
We tie the seller into a contract which confirms the reliability of the list and gives us the ability to audit
87. The seller can verify that the people on the list:
Gave specific consent to receive marketing from us
Were provided with readily accessible, clear and intelligible information about how their contact details would be used (e.g. privacy notices were easy to find and understand)
Were offered a clear and genuine choice whether or not to have their details used for marketing purposes
Took positive action to indicate their consent (e.g. ticked a box, checked a button, double opt-in or subscribed to a service)
Gave their consent reasonably recently (within the last six months); and
In the case of texts, emails or automated calls, gave specific consent to receive marketing by those means.
88. Marketing by Email
The individuals on the list have at least given a general statement that they are happy to receive marketing from us
Where the individuals haven't given specific consent, marketing is consistent with the context in which the information was provided and concerns a similar product, service or ideal
We have screened the names and addresses against the Mail Preference Service
89. Live Calls
We screen the numbers against the Telephone Preference Service (TPS) (or, for corporate subscribers, the Corporate Telephone Preference Service (CTPS))
We keep our own do-not-call list of anyone who says they don't want our calls
We screen against our do-not-call list
We display our number to the person we're calling
90. Automated Calls
We only make recorded calls where we have opt-in consent
We display our number to the person we are calling
91. Marketing by Email or Text
We only text or email with opt-in consent
We offer an opt-out by reply or unsubscribe
We keep a list of anyone who opts out
We screen against our opt-out list
92. Faxes
The individuals on the list have specifically consented to receiving marketing faxes from us
We have screened their numbers against the Fax Preference Service (FPS)
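As an added example, not part of the slides, the consent-recording and list-screening checks from the Obtaining Consent, Bought-in Lists and per-channel slides above, expressed as a small Python screening routine. The contact records, the 183-day reading of "within the last six months" and the set names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

SIX_MONTHS = timedelta(days=183)  # assumed reading of "reasonably recently" for bought-in lists

@dataclass
class Consent:
    """What the slides say to record: when, how and exactly what consent covers."""
    channel: str       # "email", "text", "phone", "recorded_call", "post" or "fax"
    obtained_on: date  # when consent was gained
    method: str        # how it was gained (ticked box, double opt-in, subscribed ...)
    scope: str         # exactly what it covers

@dataclass
class Contact:
    identifier: str    # email address or phone number
    consents: list = field(default_factory=list)

def marketing_allowed(contact, channel, today, opt_out, preference_service, bought_in=False):
    """Apply the slides' checks in order; return (allowed, reason)."""
    if contact.identifier in opt_out:               # our own opt-out / do-not-call list
        return False, "on our own opt-out list"
    if contact.identifier in preference_service:    # TPS/MPS/FPS-style screening
        return False, "registered with the preference service for this channel"
    matches = [c for c in contact.consents if c.channel == channel]
    if not matches:                                 # channel-specific opt-in required
        return False, f"no opt-in consent recorded for {channel}"
    latest = max(matches, key=lambda c: c.obtained_on)
    if bought_in and today - latest.obtained_on > SIX_MONTHS:
        return False, "bought-in consent older than six months"
    return True, f"consent by {latest.method} on {latest.obtained_on.isoformat()} covering {latest.scope}"

def screen_list(contacts, channel, today, opt_out, preference_service, bought_in=False):
    """Return (contactable identifiers, {identifier: reason it must not be contacted})."""
    allowed, blocked = [], {}
    for c in contacts:
        ok, why = marketing_allowed(c, channel, today, opt_out, preference_service, bought_in)
        if ok:
            allowed.append(c.identifier)
        else:
            blocked[c.identifier] = why
    return allowed, blocked

# Constructed sample data (not from the slides): a bought-in list for text-message marketing.
TODAY = date(2018, 5, 25)
SAMPLE = [
    Contact("07700900001", [Consent("text", date(2018, 3, 1), "double opt-in", "fundraising updates")]),
    Contact("07700900002", [Consent("text", date(2017, 6, 1), "ticked box", "fundraising updates")]),
    Contact("07700900003", [Consent("email", date(2018, 4, 1), "ticked box", "newsletter")]),
    Contact("07700900004", [Consent("text", date(2018, 5, 1), "ticked box", "fundraising updates")]),
]
OPT_OUT = {"07700900004"}   # someone who asked us to stop
TPS = {"07700900005"}       # stand-in for a preference-service register
```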
93. Questions
