2. Scott Simpson
Certified GDPR Consultant
Cyber Security Consultant
Data Protection Officer
Certified ISO 27001 Lead Implementer
CONSULTANCY | AUDITING | TRAINING | TECHNOLOGIES
3. This Morning’s Objectives
§ Understand the GDPR landscape
§ What compliance looks like
§ How to start your compliance project
§ Risk mitigation - what you need to do before 25th May 2018
5. Commonly Used GDPR Phrases
"Oh no, I wish we had started GDPR 12 months ago"
6. GDPR – the new Y2K?
GDPR isn’t just another regulation
7. Why GDPR is important
— Are the punitive fines (up to 2-4% of annual turnover) really your highest risk?
— Brand and reputational damage
— Loss of clients – current 30-40% customer requirement adoption
— Punitive Fines
— Contract clauses regarding data protection and data breach
— Business value / Share price
— Private Equity implications
— Compromising your clients', employees' or investors' personal information
— GDPR is now part of the standard due diligence process
8. Why GDPR is important
People & businesses will only work with businesses they trust to protect their data
9. How GDPR has changed the landscape
— No more box-ticking compliance
— Demonstrable compliance is here to stay
— Supplier assurance programmes - businesses are putting their suppliers through increased levels of due diligence for information security and data compliance
— Organisations and their employees must handle personal and sensitive data differently going forward
10. Businesses grow faster than they mature
• Corporate Governance
• Risk Management
• Information Security Framework
• Data Protection
• Cyber Resilience / Security
• Policies & Processes
• Records Management
11. The six data processing principles
• Article 5(1): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality
• Article 5(2), accountability: "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1"
12. Eight rights of data subjects under GDPR
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
13. GDPR compliance is cultural
It is a governance issue, not an IT issue
14. What do we have to do to be compliant?
Process personal data in accordance with the 6 principles of the GDPR
Protect the 8 rights of data subjects
Demonstrable Compliance
Policies & Processes
Data Security & Cyber Resilience/Accreditation
Information registers:
— Corporate Risk Register
— Employee Training Register
— Data Breach Register
— Data Protection Impact Assessments Register
— Data Subject Access Request Register
— Deleted Information Register
— (Legitimate Interest Assessment Register)
Staff Training
HR Contract Reviews
Compliant supplier contracts and GDPR due diligence
15. How to start
Assessment & Gap Analysis
Start preparing your compliance plan
Probable implementation time to become compliant 10-12 months
16. What to have completed by 25th May
1. Implement your plan on a risk based approach
2. Mitigate as much risk as soon as possible from a client and supervisory-authority perspective
17. The Process towards compliance
1. Gap Analysis or Assessment
2. Create a Project Team
3. Ensure Board Buy-in
4. Communications – Internal
5. Data Mapping – Inventory, Data Flow Analysis & Process Maps
6. Commence Cyber Resilience
7. Implement Gap Analysis Findings
8. Create Staff Training Programme
9. Create a Risk Management Process
10. Implement a Privacy Compliance Framework & PIMS (Privacy Information Management System)
11. Implement Information Registers
12. Implement a Data Subject Access Request Process
13. Create and Improve Policies & Procedures
14. Implement an Incident Response Plan
15. Communications - External
18. What to have completed by 25th May
1. Have a thorough plan in place towards compliance
2. Have a project team in place
3. Gap Analysis or Assessment
4. Data Mapping – Inventory, Data Flow Analysis & Process Maps
5. Delete all data that you have no lawful basis for processing
6. Document all processing activities that use personal data
7. Conduct DPIAs for all relevant or high-risk processes in the business
8. Cyber resilience – Cyber Essentials as a minimum
19. What to have completed by 25th May
1. Encrypt everything – hard drives, databases, mobile devices, email attachments. Encryption only counts as a safeguard if the keys are held separately from the data; under Article 34(3)(a), a breach of encrypted data whose key was not compromised may not have to be communicated to the affected data subjects.
2. Create Staff Training Programme
3. Have Privacy risk on your Risk Register
4. Implement the Information Registers
5. Implement a Data Subject Access Request Process
6. Implement compliant Policies & Procedures
7. Controller/processor agreements (Article 28) in place with all processors
8. Supplier GDPR due diligence
20. GDPR Implementation Process
Gap Analysis or Assessment
§ Detailed Roadmap
§ Security Review
§ Compliance Plan
21. Do I really need to do this?
Clients are only working with GDPR compliant firms
National GDPR certification is likely
Private equity and investors are now taking the view that they do not want to invest in or buy any B2C business that doesn't have a GDPR compliance plan
For B2B businesses, it will reduce the value of the company by a minimum of 10%
Investors & PE need to know of any underlying claims, impending fines, legal action or reputational damage
GDPR is becoming part of standard due diligence