Full GDPR toolkit: https://quality.eqms.co.uk/gdpr-general-data-protection-regulation-eu-toolkit
This free online training presentation provides you with information about how to comply with the General Data Protection Regulation, managing breaches, engaging employees, key requirements and more.
2. Your team today
Kate Armitage, Product Quality Assurance Manager
Chris Owen, Services Director
3. Welcome
Overview of today:
9.00 – 9.45    GDPR and your business
9.45 – 10.30   Managing data: AR, IAR, DPR
10.30 – 10.45  Coffee
10.45 – 11.30  Privacy Impact Assessment (PIA)
11.30 – 12.00  Risk management: Systematically managing new data risks and opportunities
12.15 – 13.00  Lunch
13.00 – 13.45  Data management policies and procedures: Getting your processes fit for purpose
13.45 – 14.30  Security breach management: Acting faster in an emergency
14.30 – 14.45  Afternoon tea
14.45 – 15.15  Training, awareness and communication: Managing a compliant workforce
15.15 – 15.45  Cultural change: Taking the right approach to GDPR
15.45 – 16.00  Next steps: Measuring, further resources and how to contact us
4. The GDPR challenge
What respondents told us they find hardest (results of GDPR survey, November 2017):
“International transfer of data”
“Validity”
“Understanding how to meet the requirements”
“Lack of useful resources”
“Writing the policies and procedures”
“Buy-in from senior management”
“Thinking of all the risks & data mapping”
“No templates”
“Co-workers aren’t interested”
7. What we will cover
• GDPR overview
  • History
  • Key differences to the DPA
  • Key principles
  • Key rights of individuals
• GDPR roles and responsibilities
  • DPO
  • Data owners
  • Data processors
  • Data controllers
8. Breakout session
Take three minutes to consider:
1) What are the worst data breaches you can think of?
2) What would be your worst data breach?
3) What are you currently doing to manage data?
9. GDPR: The most significant change to data protection regulation in over 20 years
10. Why GDPR?
• Over 3 million data records are lost or stolen every single day*
• 98% of cloud applications are not GDPR-ready**
• New technologies, new risks and new opportunities!
Out of ten, how ready do you feel for GDPR? (Results of GDPR survey November 2017)
3 or below: 17%   Between 4 and 7: 52%   8 and above: 31%
*http://www.zdnet.com/article/security-what-security-four-million-data-records-are-stolen-or-lost-every-day/
**https://www.scmagazineuk.com/98-of-enterprise-cloud-apps-are-not-gdpr-ready/article/531268/
12. DPA vs GDPR
Take three minutes to write down as many differences as you can.
Think about:
• Applicability
• Enforcement
• Level of penalty
• Legal requirements
13. DPA vs GDPR
Applicability
  DPA: Applies to the UK.
  GDPR: Applies across the whole EU and to any organisation, wherever it is based, that holds data on individuals in the EU.
Enforcement
  DPA: Enforced by the Information Commissioner's Office (ICO).
  GDPR: Compliance is monitored by a supervisory authority in each member state (the ICO in the UK).
Data protection officer
  DPA: No business needs a dedicated DPO.
  GDPR: A DPO is mandatory for certain organisations.
Subject access requests
  DPA: A £10 fee may be charged and the request must be answered within 40 days.
  GDPR: Free of charge (a reasonable fee may be charged only for manifestly unfounded or excessive requests) and must be answered within one month.
Breach notification
  DPA: Not mandatory for most organisations.
  GDPR: Mandatory; the supervisory authority must be notified within 72 hours of becoming aware of the breach.
Erasure
  DPA: No requirement for an organisation to remove all data it holds on an individual.
  GDPR: Individuals have the right to erasure, covering all data held on them, including web records, with the information permanently deleted.
Privacy impact assessments
  DPA: Not a legal requirement.
  GDPR: Mandatory (as a data protection impact assessment) where the processing is likely to result in a high risk to the rights and freedoms of individuals.
Consent and notices
  DPA: Data collection does not necessarily require an opt-in.
  GDPR: Where consent is the lawful basis, the individual must actively opt in. Clear privacy notices must be provided and must be concise and transparent.
Scope of personal data
  DPA: Personal data and sensitive personal data.
  GDPR: Now also explicitly includes online identifiers, location data and genetic data.
Maximum fine
  DPA: £500,000.
  GDPR: 4% of global annual turnover or €20 million, whichever is greater.
Responsibility
  DPA: Rests with the data controller.
  GDPR: Rests with both the controller and the processor, and the controller can seek damages from the processor.
14. Breakout session
Take five minutes to consider:
1) How have you managed compliance with the DPA?
2) What do you think will be the biggest changes you will need to
make?
3) Do you manage data on citizens throughout the EU?
15. 3 aims of GDPR
1. Give control back to citizens and residents over their personal data.
2. Simplify the regulatory environment by unifying regulations across the EU.
3. Update the 1995 Data Protection Directive.
(Diagram: the EU General Data Protection Regulation spanning Systems, Organisation and Processes.)
16. Key GDPR principles
The GDPR provides the following rights for individuals:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
Article 5 principles – personal data must be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate
• Kept in a form which permits identification for no longer than necessary
• Processed with appropriate security
17. Breakout session
Fill in the blanks:
The right to be ________ : This right encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
The right of ______ : This right allows individuals to be aware of and verify the lawfulness of the processing.
The right to __________ : Individuals have the right to have their personal data corrected if it is inaccurate or incomplete.
The right to be _______ : This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to ________________ : This right enables individuals to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not to process it further. You can retain just enough information about the individual to ensure that the restriction is respected in future.
The right to ___________________ : This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Rights ______________________ : This right allows individuals to object to processing based on legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling), and to direct marketing (including profiling).
18. Breakout session (answers)
The right to be informed: This right encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
The right of access: This right allows individuals to be aware of and verify the lawfulness of the processing.
The right to rectification: Individuals have the right to have their personal data corrected if it is inaccurate or incomplete.
The right to be erased: This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to restrict processing: This right enables individuals to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not to process it further. You can retain just enough information about the individual to ensure that the restriction is respected in future.
The right to data portability: This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Rights related to automated decision making: This right allows individuals to object to processing based on legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling), and to direct marketing (including profiling).
19. Roles and responsibilities
Controller:
• Maintains records of personal data and processing activities
• Carries legal liability
Processor:
• Processes data on behalf of a controller
• Carries legal liability
20. Breakout session
Data controller or processor?
1. Collects the personal data in the first place, and the legal basis for doing so.
2. Can decide what IT systems or other methods to use to collect personal data.
3. Decide which items of personal data to collect, i.e. the content of the data.
4. Example businesses: market research companies, cloud providers, accountants.
5. Decide the purpose or purposes the data are to be used for.
6. Decide how long to retain the data or whether to make non-routine amendments to the data.
21. Answers
1, 3, 5, 6 – Data controller
2, 4 – Data processor
25. Managing data
• Personal Data
• Information Assets
• Asset Register (AR)
• Information Asset Register
(IAR)
• Data Processing Register (DPR)
• Prepare for your Privacy Impact
Assessment
26. Personal Data
Personal data and unique identifiers:
• Name
• Online identifiers, such as IP addresses and mobile device IDs
• Location data
Pseudonymous data:
• Pseudonymised and encrypted data are still personal data and remain subject to the GDPR; the key or other information needed to re-identify individuals must be kept separately and protected.
• The GDPR encourages pseudonymising data because it reduces the risk to individuals if the dataset is exposed.
Genetic data and biometric data:
• Genetic data and biometric data are both treated as special category (sensitive) personal data under the GDPR.
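Pseudonymisation in practice, as an added example that is not part of the original slides: the script below replaces the direct identifiers in a constructed customer extract with keyed HMAC-SHA256 tokens, keeps the token-to-identity mapping (the "additional information" of GDPR Article 4(5)) in a separate structure that the controller must protect, and shows why a plain, unkeyed hash of an email address is not effective pseudonymisation: anyone with a list of candidate addresses can reverse it by dictionary attack. The records, the key handling and the field names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample extract (not taken from the original page).
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "Alice@example.org", "order_total": 120.50},
    {"id": 2, "name": "Bob Example",   "email": "bob@example.org",   "order_total": 35.00},
    {"id": 3, "name": "Alice Example", "email": "alice@example.org", "order_total": 18.25},
]

# Fields that directly identify a person; assumed for this example.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier. Normalising case and whitespace keeps
    'Alice@example.org' and 'alice@example.org' linkable as one person."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Return a copy of the extract with direct identifiers replaced by tokens.
    The same person always gets the same token, so per-customer analysis still
    works without the analyst ever seeing a name or address."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = pseudonym(rec[field], key)
        out.append(new)
    return out


def build_lookup(records: List[dict], key: bytes) -> Dict[str, str]:
    """Token -> email map: the 'additional information' that allows
    re-identification. Under GDPR Art. 4(5) it must be held separately from
    the pseudonymised data, under its own access control and audit trail."""
    return {pseudonym(rec["email"], key): rec["email"].strip().lower() for rec in records}


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Controller-side reversal, e.g. to answer a subject access request."""
    return lookup.get(token)


def unkeyed_hash(value: str) -> str:
    """What many teams try first: a plain SHA-256 of the identifier."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def crack_unkeyed(hashes: List[str], candidates: List[str]) -> Dict[str, str]:
    """Dictionary attack on unkeyed hashes. Email addresses come from a small,
    guessable space (leaked lists, name@company patterns), so an attacker can
    precompute the table and recover them. Without a secret key the 'hashed'
    dataset is therefore still readily identifiable personal data."""
    table = {unkeyed_hash(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: held in a KMS/HSM, never beside the data
    tokens = pseudonymise(RECORDS, key)
    lookup = build_lookup(RECORDS, key)
    for row in tokens:
        print(row["id"], row["email"][:16] + "...", row["order_total"])
    print("rows 1 and 3 are the same person:", tokens[0]["email"] == tokens[2]["email"])
    print("controller re-identifies row 1 as:", reidentify(tokens[0]["email"], lookup))
    leaked = [unkeyed_hash(r["email"]) for r in RECORDS]
    print("recovered from unkeyed hashes:",
          crack_unkeyed(leaked, ["bob@example.org", "alice@example.org", "carol@example.org"]))
```

The design point is the split: the analytics copy carries only tokens, and the ability to turn a token back into a person lives in `build_lookup`'s output plus the HMAC key. If either leaks together with the tokens, the dataset is no longer pseudonymous, which is why the slides' warning that encrypted or pseudonymised data is still in scope matters.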
27. Breakout session
Take two minutes to highlight/circle all the data types that apply to your business
Names
Email addresses
Telephone numbers
Performance at work
Economic situation
IP addresses
Cookies
Profiling data
Health
Personal preferences
Location
Movements
Biometric data
Genetic data
Medical data
Other?
28. Data considerations
• What data do we hold?
• Where is the data?
• How is personal data used?
• Why are we storing and processing the data?
• When should we keep and remove data?
• Who is responsible / accountable?
29. 5 data W’s
What – Definition / catalogue
Where – Data landscape / inventory
Why – Legitimate basis / decision tree
When – Retention policy
Who – Accountability
30. Information asset: a body of knowledge that is organised and managed as a single entity. Like any other corporate asset, an organisation's information assets have financial value. The value of the asset increases in direct relationship to the number of people who are able to make use of the information.
31. Asset register (AR)
This is a register of fixed assets in a firm. The register tends to show the owner of each asset, its value, its location, its set-up and so on: the information needed to manage the assets within a company. It is not mandatory for GDPR, but it helps inform the Information Asset Register, which in turn helps inform the Data Processing Register.
ISO 55000 defines asset management as the "coordinated activity of an organization to realize value from assets". In turn, an asset is defined as "an item, thing or entity that has potential or actual value to an organization".
32. Information asset register (IAR)
Your information asset register needs to have:
• The information held and the processes that use it
• Where it is stored
• How it moves
• Who we share it with
• What the data is
• An assigned classification
• A level of protection reflecting that classification
• An indicator of confidentiality, integrity and availability
Example information asset register: (not reproduced in this text version)
33. Data Processing Register (DPR)
The record of processing activities required by GDPR Article 30 includes:
• The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
• The purposes of the processing;
• A description of the categories of data subjects and of the categories of personal data;
• The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.
34. Breakout session
Take two minutes to write down as many differences between an AR, IAR and DPR as you can.
Think about:
• Content
• Scope
• Responsibility
• Relevance to GDPR
35. Differences between AR, IAR and DPR
Asset register (AR):
● Fixed assets
● Limited information on the data contained
Information asset register (IAR):
● Personal or commercial information
● Information on format
● Location and confidentiality
Data processing register (DPR):
● Detailed record of personal data processed
● What, when, how, legal purpose, format, controls, security, retention
38. Privacy Impact Assessment – 10.45
• What is it?
• Why is it needed?
• What are the benefits?
• How do I do it?
Have you completed a privacy impact assessment (PIA)? (Results from GDPR survey November 2017)
Yes: 21   No: 69   Unsure: 9
39. What is a DPIA?
Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
DPIAs can be an integral part of taking a privacy by design approach.
The GDPR sets out the circumstances in which a DPIA must be carried out.
40. When do I need to conduct a DPIA?
You must carry out a DPIA when using new technologies, and when the processing is
likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes (but is not limited to):
• Systematic and extensive processing activities, including profiling and where
decisions that have legal effects – or similarly significant effects – on
individuals might be made.
• Large-scale processing of special categories of data or personal data relating to
criminal convictions or offences. This includes processing a considerable amount
of personal data at regional, national or supranational level; that affects a
large number of individuals; and that involves a high risk to rights and freedoms
e.g. based on the sensitivity of the processing activity.
• Large scale, systematic monitoring of public areas (such as CCTV).
41. Privacy Impact Assessment
• A tool to identify the most effective way to comply with GDPR obligations.
• Understand what personal data is transferred, processed, handled, stored and passed on by the organisation.
• An effective PIA will allow organisations to identify risk and implement controls.
• Conducting a PIA involves working with employees, stakeholders, partner organisations and the people affected to identify and reduce privacy risks.
• PIAs are an integral part of taking a privacy by design approach.
42. 10 benefits of a PIA
1. Improve transparency
2. Make it easier to understand how and why information is being used and held
3. Demonstrate how personal data processing complies with data protection law
4. Best practice – improve customer confidence
5. Identify risk
6. Implement a robust process
7. Deeper customer insights
8. Stronger decision making when building policies, systems and technical controls
9. Improve efficiency – reduce overheads
10. Boost profitability
46. Data Risk Management – 11.30
• ISO 31000
• Supporting the GDPR process
• Key definitions
• Stakeholders
• Managing outputs of PIA
47. ISO 31000: Risk Management
• Establishing the Context
• Risk Assessment
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Monitoring and Review
• Communication and Consultation
48. Stakeholders
• Risks can be categorised and different permissions applied
• Multiple assets can be identified as associated to a risk
• Net and target assessments can be carried out against a risk
• Multiple control types and controls can be applied to a risk
• Sign off on risks and in turn complete the PIA
• Evidence of compliance includes: risk register, risk assessments and risk reporting
(Diagram: risk categories – Internal / HR, Financial, Sales and Marketing, IT, Third parties, Customers.)
50. Breakout session: create your own fishbone
(Cause-and-effect fishbone diagram. Cause categories: Materials, Methods, Measures, People, Environment, Machines. Example causes: training, KPIs, onboarding, power outage, website update, order forms, audit, manual vs auto picking, CPIs, shipping software. Effect: mis-shipped product.)
53. Policies and Procedures – 1.00
• Output of PIA – processes and procedures to manage the Risks and
Controls
• Retention Policies
• Labelling Procedures
• Privacy Statement
• GDPR Statement
• Risk Management Process
• NDAs
• Contracts
• Security Breach Management – see later
55. Breakout session
Take five minutes to consider how to apply your policies, procedures and processes to the following scenarios. We'll discuss as a group.
1. Your business has a cookies policy on your website, but you haven’t previously requested users to accept. What must the company do prior to 25 May?
2. Your marketing team purchased a list of 10,000 business email addresses in 2015. It includes names, phone numbers, job titles etc. What must your business do?
3. You work in a shop and have recently been told you need to collect email addresses to send an e-receipt. What should your business consider in order to be GDPR-compliant?
4. Your HR team sends new employees a list of documents they must complete. What must they consider?
5. Your IT team thinks there has been a security breach. Consider your approach.
6. You are putting a new operational process in place. What do you need to consider?
58. Security Breach Management – 1.45
• Overview
• Importance
• Consequences
• Key requirements
• Clearly defined roles and responsibilities
• Clearly defined process
• Evidence gathering and its retention / storage
• Reporting
• Timeframes
• Role of the DPO
• Close relationship with ISO 27001
59. Example data breaches
• Access by an unauthorised third party;
• Deliberate or accidental action (or inaction) by a controller or processor;
• Sending personal data to an incorrect recipient;
• Computing devices containing personal data being lost or stolen;
• Alteration of personal data without permission; and
• Loss of availability of personal data.
60. Reporting a breach
• Notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals. Use the security breach notification form on the ICO website or ring the security breach helpline: 0303 123 1113.
• Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay.
• Document every breach, including those you decide not to report, and the reasoning behind the decision.
• The ICO may:
  • Record the breach and take no further action
  • Investigate the circumstances, leading to no further action or formal enforcement action
  • Serve a monetary penalty notice
• Failure to notify the ICO is itself a breach of the GDPR and can attract a fine of up to 10 million euros or 2% of global annual turnover (the lower of the GDPR’s two fine tiers).
• The ICO won’t make the security breach public itself, but may recommend that you do so in the interests of the affected individuals.
66. Training, Awareness, Competency and Communication – 2.45
• Importance of communication
• Communications plan: who, why, when, what
• Importance of training, awareness and competency
  • Most non-conformances (NCFs) arise from people
  • Many risks are people related
• How to train
  • Quizzes – TRGMGR example
  • Presentations
  • Competency matrix
67. Data breaches are usually preventable
• Poor passwords
• Weak remote access
• Unpatched flaws
• Misconfigurations
• Malicious insider
The average time between breach and discovery is 188 days.
http://www.computerworlduk.com/security/most-data-breaches-still-discovered-by-third-parties-3615783/
68. Developing your communication plan
• Top-down engagement
• Implement a data protection policy
• Build data protection in from the ground up
• Communications, training and development
• Access management
69. Framing your approach
Strategic outcome: Fix our data. Be totally trusted with data:
1) Internally – colleagues can use data and take decisions with confidence.
2) Externally – members and customers feel safe, secure and respected.
Regulatory and legal compliance.

Objective (so that) → Activity (we will):

‘Why this data’ – for collecting / holding / using:
● Produce the information interpretation of the business problems and objectives
● Build a collective and consistent language and understanding group-wide
● Identify meaningful and important data sets, and related heat maps
● Record data set relationships

Why this data – relevant / correct / clean / consistent data:
● Define data (sets and attributes) and classifications (legal / regulatory / other)
● Set quality criteria and define standards
● Define implementation methods and management processes to ensure adherence

Where is the data – visibility of data at rest and tracking movement across the estate (physical and digital):
● Define and build business-oriented information landscapes and technically oriented data models and structures
● Track data of interest: tags / audit / data flows / lineage / provenance
● Data waivers to manage production data outside the production environment

How is the data used – definition, oversight and assurance through:
● Development of member data principles
● Development and alignment of artefacts, including policy, group-wide
● Implement and run policy and standards for Digital

Who is responsible:
● Define and support implementation of ownership / stewardship / custodianship
● Define accountabilities and embed them into role profiles and objectives
● Define and build problem-solving and escalation structures

When do we do what with the data:
● Develop a retention policy and build the schedule
● Embed processes to manage data retention and deletion
● Define requirements for technical capabilities including audit / logs and tags
70. Roles & responsibilities
As an Analyst, I must understand what personal data is, so that I can apply the right working practices and enact the associated policy.
As a Technology Owner, I must be able to find personal information about an individual, so that we can answer a subject access request.
As a Product Manager, I must understand how and why an individual's data is processed, so that we can action a request to restrict processing.
71. 8 step communications plan
1. Purpose
2. Identify your audience
3. Plan and design your message
4. Consider your resources
5. Contingency plan
6. Strategy and messaging
7. Create an action plan
8. Refine
74. Cultural Change – 3.15
• Reiterate the importance of GDPR
• Relates to everyone, as we all have personal data
• Guidance needs to come from the top down
• Imperative to involve and empower staff
75. Cultural change is a journey
• Quantitatively measure your current cultural values.
• Intentionally align culture, strategy and structure.
• Ensure staff and stakeholder participation.
• Communicate and demonstrate the change, again and again and again and then … again.
• Manage the emotional response – yours and your employees’.
77. Round Up – 3.45
• Summary
• Interaction with ISO 9001 and 27001
• Challenges faced
• FAQs
79. Breakout session
Take five minutes to answer the following true/false questions:
1. You can add cookies as long as your contact doesn’t opt out.
2. You only need to be GDPR-compliant with your customer data.
3. You need to have an opt-out option on every marketing email.
4. GDPR applies to all businesses in the EU.
5. GDPR will be enforced officially on May 18th, 2018.
6. Personal data you have prior to the GDPR being enforced can be kept as long as they haven’t opted out.
7. My employee has the right to be forgotten.
8. GDPR prefers you to pseudonymise personal data.
9. You must complete a DPIA.
10. My employee has subject request rights.
11. If you're ISO 27001-compliant, you’ll comply with GDPR as well.
80. Breakout session (answers)
1. You can add cookies as long as your contact doesn’t opt out. (False)
2. You only need to be GDPR-compliant with your customer data. (False)
3. You need to have an opt-out option on every marketing email. (True)
4. GDPR applies to all businesses in the EU. (True)
5. GDPR will be enforced officially on May 18th, 2018. (False)
6. Personal data you have prior to the GDPR being enforced can be kept as long as they haven’t opted out. (False)
7. My employee has the right to be forgotten. (True)
8. GDPR prefers you to pseudonymise personal data. (True)
9. You must complete a DPIA. (False)
10. My employee has subject request rights. (True)
11. If you have ISO 27001 certification, you’ll comply with GDPR as well. (False)