Whos role is it anyway

16th November 2007
EU GDPR – 58 Days to Go
Presented by Scott Simpson for IRIS

Scott Simpson
Certified GDPR Consultant
Cyber Security Consultant
Data Protection Officer
Certified ISO 27001
Lead Implementer
CONSULTANCY | AUDITING | TRAINING | TECHNOLOGIES

This Morning’s Objectives
CONSULTANCY | CYBER SECURITY TRAINING | TECHNOLOGIES
§ Understand the GDPR landscape
§ What compliance looks like
§ How to start your compliance project
§ Risk mitigation - what you need to do before 25th May

Commonly Used GDPR Phrases
ON WSHS (GDPR) 12MTHSAGO

Commonly Used GDPR Phrases
Oh No -
I wish we had started
GDPR 12 months ago

GDPR – the new Y2K?
GDPR isn’t just another regulation

Why GDPR is important
— Are the punitive Fines 2-4% of turnover your highest risk?
— Brand and reputational damage
— Loss of clients – current 30-40% customer requirement adoption
— Punitive Fines
— Contract clauses regarding data protection and data breach
— Business value / Share price
— Private Equity implications
— Compromising your clients’ / employees / investors personal information
— GDPR is now part of the standard Due Diligence process

Why GDPR is important
People & businesses will
only work with businesses
they trust to protect their data

How GDPR has changed the landscape
— No more box-ticking compliance
— Demonstrable compliance is here to stay
— Supplier Assurance Programs - Businesses are putting their suppliers
through increased levels of due diligence for information security and
data compliance
— Organisations and their employees must handle personal and sensitive
data differently going forward

Businesses grow faster than they mature
• Corporate Governance
• Risk Management
• Information Security Framework
• Data Protection
• Cyber Resilience / Security
• Policies & Processes
• Records Management

The six data processing principles
• Article 5: Principles relating to processing of personal data
• “The controller shall be responsible for, and be able to demonstrate
compliance

Eight rights of data subjects under GDPR
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

GDPR compliance is cultural
It is a governance not an IT issue

What do we have to do to be compliant?
Process personal data in accordance to the 6 Principles of the GDPR
Protect the 8 rights of data subjects
Demonstrable Compliance
Policies & Processes
Data Security & Cyber Resilience/Accreditation
Information registers:
— Corporate Risk Register
— Employee Training Register
— Data Breach Register
— Data Protection Impact Assessments Register
— Data Subject Assess Request Register
— Deleted Information Register
— (Legitimate Interest Assessment Register)
Staff Training
HR Contract Reviews
Compliant supplier contracts and GDPR due diligence

How to start
Assessment & Gap Analysis
Start preparing your compliance plan
Probable implementation time to become compliant 10-12 months

What to have completed by 25th May
1. Implement your plan on a risk based approach
2. Mitigate as much risk as soon as possible from a client & supervisory
perspective

The Process towards compliance
1. Gap Analysis or Assessment
2. Create a Project Team
3. Ensure Board Buy-in
4. Communications – Internal
5. Data Mapping – Inventory, Data Flow Analysis & Process Maps
6. Commence Cyber Resilience
7. Implement Gap Analysis Findings
8. Create Staff Training Programme
9. Create a Risk Management Process
10. Implement a Privacy Compliance Framework & PIMS
11. Implement Information Registers
12. Implement a Data Subject Access Request Process
13. Create and Improve Policies & Procedures
14. Implement an Incident Response Plan
15. Communications - External

1. Have a thorough plan in place towards compliance
2. Have a project team in place
3. Gap Analysis or Assessment
4. Data Mapping – Inventory, Data Flow Analysis & Process Maps
5. Delete all data that you have no lawful basis for processing
6. Document all data processing activities that use PII
7. Conduct DPIAs for all Relevant or high risk processes in the business
8. Cyber Resilience – Cyber Essentials as a minimum

1. Encrypt everything – Hard drives, databases, mobile devices, email
attachments
2. Create Staff Training Programme
3. Have Privacy risk on your Risk Register
4. Implement the Information Registers
5. Implement a Data Subject Access Request Process
6. Implement compliant Policies & Procedures
7. Controller/Processor Agreements in place with processors
8. Supplier GDPR due diligence

GDPR Implementation Process
Gap Analysis or Assessment
§ Detailed Roadmap
§ Security Review
§ Compliance Plan

Do I really need to do this?
Clients only working with GDPR compliant firms
National GDPR Certification likely
Private Equity and investors are now taking the view that they do not want to
invest or buy any B2C business that does haven’t a GDPR Compliance Plan
For B2B businesses, it will reduce the value of the company by a minimum of 10%
Investors & PE need to know any underlying claims, impending fines, legal action
or reputational damage
GDPR is becoming part of standard Due Diligence

Questions?

Whos role is it anyway

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Whos role is it anyway

Similar to Whos role is it anyway (20)

More from IRIS

More from IRIS (10)

Recently uploaded

Recently uploaded (20)

Whos role is it anyway