The document discusses GDPR compliance, outlining a phased approach that includes understanding the regulations, assessing risks, implementing necessary measures, and demonstrating control over data management. It emphasizes the need for clear data retention policies, protocols for data breach notifications, and data protection impact assessments. Additionally, it highlights the importance of managing individual rights and obtaining employee consent for HR data processing.

1. @LibertyAppsUK@CYBERTALKLDN
GDPR
Understanding the
risks

2. @LibertyAppsUK@CYBERTALKLDN
Steve Hilton

3. @LibertyAppsUK@CYBERTALKLDN
Trusted Reviews

4. Apps That Mobilise Lives
4
Public Health England Hackathon winners

5. @LibertyAppsUK@CYBERTALKLDN
Liberty Apps

6. @LibertyAppsUK@CYBERTALKLDN

7. @LibertyAppsUK@CYBERTALKLDN
THE
IMPORTANT
STATS

8. @LibertyAppsUK@CYBERTALKLDN

9. @LibertyAppsUK@CYBERTALKLDN

10. @LibertyAppsUK@CYBERTALKLDN

11. @LibertyAppsUK@CYBERTALKLDN

12. @LibertyAppsUK@CYBERTALKLDN

13. @LibertyAppsUK@CYBERTALKLDN
GDPR compliance timeline

14. @LibertyAppsUK@CYBERTALKLDN

15. @LibertyAppsUK@CYBERTALKLDN

16. @LibertyAppsUK@CYBERTALKLDN
Phase 1: Need to understand

17. @LibertyAppsUK@CYBERTALKLDN
Phase 2: Assess Risk

18. @LibertyAppsUK@CYBERTALKLDN
Phase 2: Assess Risk (1 of 2)

19. @LibertyAppsUK@CYBERTALKLDN
Phase 2: Assess Risk (2 of 2)

20. @LibertyAppsUK@CYBERTALKLDN
Phase 3: Implement

21. @LibertyAppsUK@CYBERTALKLDN

22. @LibertyAppsUK@CYBERTALKLDN

23. @LibertyAppsUK@CYBERTALKLDN
Do we have a data retention policy?
It is down to the board of directors to decide what that retention
policy is, when and how will this approval be received? – data
must not be kept for any longer than is deemed necessary.

24. @LibertyAppsUK@CYBERTALKLDN

25. @LibertyAppsUK@CYBERTALKLDN
• How would we erase an individuals’ data?
• What is our process for correcting individuals’ data?
• Can we manage / remove consent for direct marketing and
automated decision making?

26. @LibertyAppsUK@CYBERTALKLDN
What will we do if a customer exercises their rights?
How would we handle a request?
What processes & policies do we have in place should we plan to refus
What will our partners whom we share data with need to do?
Do we have confidence that these partners are compliant and would no

27. @LibertyAppsUK@CYBERTALKLDN

28. @LibertyAppsUK@CYBERTALKLDN

29. @LibertyAppsUK@CYBERTALKLDN
Employers can’t rely on employee consent to process HR
data

30. @LibertyAppsUK@CYBERTALKLDN
Employers can’t rely on employee consent to process HR
data

31. @LibertyAppsUK@CYBERTALKLDN

32. @LibertyAppsUK@CYBERTALKLDN

33. @LibertyAppsUK@CYBERTALKLDN
 What will we do if there is a breach?
 How would we detect, report and investigate a breach?
 To manage effective & efficient investigation:
Assess which types of data are held.
Document which types fall within the notification requirement
and the process to be followed if there is a breach.

34. @LibertyAppsUK@CYBERTALKLDN
Data Breach Notification
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

35. @LibertyAppsUK@CYBERTALKLDN
Optimal data breach notification timeline

36. @LibertyAppsUK@CYBERTALKLDN
Incident occurs

37. @LibertyAppsUK@CYBERTALKLDN
Clock starts

38. @LibertyAppsUK@CYBERTALKLDN
Key decisions

39. @LibertyAppsUK@CYBERTALKLDN
Notifications

40. @LibertyAppsUK@CYBERTALKLDN
Post notification period

41. @LibertyAppsUK@CYBERTALKLDN
Data Breach Notification

42. @LibertyAppsUK@CYBERTALKLDN
How would we implement an assessment in our organisation?
Who would carry it out?
Would it be run centrally or locally?

43. @LibertyAppsUK@CYBERTALKLDN
A data protection impact assessment (DPIA) is a process to help
you identify and minimise the data protection risks of a project.
Data protection impact assessments (DPIA)

44. @LibertyAppsUK@CYBERTALKLDN
Data protection impact assessments (DPIA)

45. @LibertyAppsUK@CYBERTALKLDN

46. @LibertyAppsUK@CYBERTALKLDN

47. @LibertyAppsUK@CYBERTALKLDN
Phase 4: Demonstrate

48. @LibertyAppsUK@CYBERTALKLDN
Control over processes that collect and use personal
data?

49. @LibertyAppsUK@CYBERTALKLDN
Appropriate measures?

50. @LibertyAppsUK@CYBERTALKLDN
Ability to respond?

51. @LibertyAppsUK@CYBERTALKLDN
Records of what we do?

52. @LibertyAppsUK@CYBERTALKLDN
A published Privacy Notice

53. @LibertyAppsUK@CYBERTALKLDN
Consent and individual rights management.

54. @LibertyAppsUK@CYBERTALKLDN

55. @LibertyAppsUK@CYBERTALKLDN
Difficulty identifying and reporting a breach within 72
hours
2017 VERITAS GDPR REPORT
https://www.veritas.com/content/dam/Veritas/docs/reports/gdpr-report-ch2-en.pdf

56. @LibertyAppsUK@CYBERTALKLDN
Are former employees able to access company data?
2017 VERITAS GDPR REPORT
https://www.veritas.com/content/dam/Veritas/docs/reports/gdpr-report-ch2-en.pdf

57. @LibertyAppsUK@CYBERTALKLDN
The enemy within?
2017 Varonis Data Risk Report
https://info.varonis.com/hubfs/docs/research_reports/2017-data-risk-report.pdf

58. @LibertyAppsUK@CYBERTALKLDN
GDPR is an Evolutionary Process

59. @LibertyAppsUK@CYBERTALKLDN
Key Takeaway

60. @LibertyAppsUK@CYBERTALKLDN
Questions?Questions?
Steve@LibertyApps.co.
uk
@SteveHiltonCEO
+44 0161 883 2450
LibertyApps.co.uk