Dave Lovatt from Disability Solutions West Midlands taking us through their GDPR Journey at the Midlands Cyber Security Expo 2019 #midscybersecurity19

1. <DAVE LOVATT>
Disability Solutions West Midlands
Our GDPRJourney

2. OUR
GENERAL
DATA
PROTECTION
REGULATION
S
JOURNEYDavid James Lovatt

3. Disability Solutions West Midlands (DSWM) is a Stoke on Trent based charity that has been
support people with disabilities and long term health conditions including cancer for 38
years. We are A Disabled Peoples User Led Organisation (DPULO) and a company limited
by guarantee.
Our specialist areas include:
 Insight and Knowledge regarding Disability taking a pan-disability approach
 Tribunal Representation & Support
 Welfare Benefits Advice & Support
 Cancer Related Benefits & Support
 Independent Aids & Adaptations, Assistive Technology
 Equality Act, LGBTQ & Disability Awareness Training
From 1st April 2018 – 31st March 2019 we found solutions and supported over 8,300 people
We work today to improve peoples tomorrows

4. So, when it came to the start of our GDPR journey a lot had to be considered...
we work with a high level of sensitive and highly confidential information daily.
From April 1st 2018 – 31th March 2019 we processed:
 Over 8,300 Clients
 24,407 Contacts
 561 Appeals and Tribunals
 All involving Special Category Data
The highly confidential nature of all the data we obtain, process, handle and store required us to
ensure we considered every possible area in relation to GDPR - ensuring we didn’t overlook anything.

5. 1500+ hours reading
 3-6 months cumulative total of meticulous research
 Ongoing research until the GDPR deadline - and beyond!
 Attended multiple information events across the country
 I lived on the ICO website
 I read many Green and White Papers
 I spoke with the National Association of Solicitors, National Association of Welfare Rights
Advisers, Advice Quality Standard…
 3 years looking into every possible area of GDPR
One thing I found was constant - no one was a 100% sure regarding GDPR.

6. The kind of data we process on a daily basis
consists of:
 Medical Records
 NHS paperwork
 X-rays and Scans
 Mental Health reports
 Her Majesty's Courts & Tribunal Service
Paperwork
 DWP information
 Bank Details
 Care Plans
 Care Assessments
 Disability and/or Health condition or Cancer
diagnosis
 Financial Reports in cases of financial abuse

7. First was our audit and it was a big piece of work.
To begin our journey towards GDPR compliance this
was our first step:
 General Full Audit
 Data Audit
 Data Risk and Prevention Audit
 IT Assets Audit
 Information Audit
 Software Audit
Every possible area that was relevant to or part of any
data processing or storage was audited.

8.  Audit pictures here

9.  Resources and Cost
 We Have 45 volunteers and new ones applying every week
 Some staff didn’t think GDPR applied to us as a small charity
 Finalising the audit and ensuring everything was in the documentation
 Communicating with all workforce to ensure transparency
 Workforce accepting the potential alterations in their roles re data processing and security
 Workforce accepting additional procedures
 Ensuring all systems interlinked and all areas were explored
 Brexit (as people were convinced that come Brexit GDPR would no longer exist)
These are just a few difficulties. No GDPR journey will ever be difficulty free,
however the difficulties are what helps to round off the GDPR journey in the end

10. For GDPR compliance we put in place additional security protocols
and reporting systems and mechanisms.
These included:
 Increased password complexity that changes every quarter
 2 Factor Authentication for every user
 Automatic Log Out on computers after 8 minutes of inactivity
 No access to work systems out of the office
 Restricted access to areas unnecessary to their role
 15 New Policies and 3 Influencing Documents
 Clear Desk Policy!
The workforce viewed the additional security requirements as extra
layers that negatively impacted upon their streamlined work flow.
After months of getting used to the new systems the workforce now
find some of my “quirky” traits around GDPR funny.
WHAT THE
WORKFORCE
FOUND
DIFFICULT AT
FIRST.

11. The Human element does add a additional layer that needs to be considered.
This became a big part of our journey; we may only have 17 staff but we have 45 volunteers also.
Ensuring they were all appropriately trained and aware of GDPR requirements and their
responsibilities as data processers was challenging at points, people don’t like:
 Change
 Unfamiliar Systems
 Extra things to remember and pressure not to forget…
…and at the end of the day we can all make errors inadvertently.
This is certainly a difficult part of the journey. I lost count of how many individual and group
discussions I had, as well as official meetings around GDPR with the workforce.
You can have all the systems in place but at the end of the day the workforce a main component to
success and compliance.

12. Once the ground work regarding GDPR was complete, the final hurdle was to train the
workforce.
The training package had to be informative, targeted and highlight all the important areas
and changes, while also being transparent, easily understood and workforce friendly.
Before they could complete the training and we stamped them as GDPR Ready, each
workforce member was required to participate in:
 2 training sessions - 5 hours each session
 Show they understood the changes to the systems and the new policies
 Put the changes into practice consistently and reliably.

13. We had the a robust system in place prior to GDPR, but what GDPR compliance did was ensure we
revamped our processes, systems and procedures and added a few more layers where required, the
additional layers look like:
 15 New Policies
 3 Influential Documents
 Additional Security Protocols
 A Data Risk Register
 Continued Data Audit where additional systems, procedures, processes are added when needed
 Workforce Data Protection training every quarter
 System security and processes tests monthly, with ongoing monitoring.

14. WHAT OUR
GDPR
SYSTEMS
@ DSWM
HAVE
CAUGHT
So far we have caught multiple potential data breaches
by other organisations across public, private, community
and charitable sectors.
We have processed 12 data subject access requests –
 4 right to be forgotten
 8 data access requests
Other organisations I have supported with their GDPR
compliance journey (systems and training):
 North Staffordshire Medical Institute
 Green Door Charity
 Multiple and Complex Needs and Abilities Charity
 Bentley’s Caterers

15.  The GDPR journey never ends,
 There will always be a new system to consider, a new workforce member to train, a new
project to audit etc.
 Yes once we had the necessary areas in place the journey wasn’t as difficult, but the
journey from this point moving forward will still require tweaks and additions for as long as
GDPR regulations exist………….so forever.
 The hardest part of DSWM’s journey is done, but the journey is far from over.
 With changing technology's, systems, upgrades, workforce etc. it will always require us to
keep a driver in the driving seat.
 You will never hear me say “We are a 100% GDPR compliant”, to me we are as compliant
as can be at any one time.

16. Thank you for your time
David James Lovatt
Director of Research and Development
Tel: 01782 667336
Email: dlovatt@disability-solutions.net