Intercity Technology - GDPR your training toolkit
2. GDPR Regulation
• Comes into force - 25th May 2018
• The legislation is now European law
• Breaches can see fines of up to 4% of gross turnover or €20m
• There are 6 data processing principles which should be followed.
3. The GDPR Lingo!
− Personal Data - information relating to an identified or identifiable natural person (‘Data Subject’);
− Process, Processed, Processing - collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction;
− Data Processors - processes personal data on behalf of the controller;
− Controller - alone or jointly with others, determines the purposes and means of the processing of
personal data;
− Consent - signifies agreement to the processing of personal data relating to him or her;
− Third Party – Somebody other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
− Special Categories or Sensitive Data
5. Just Data! / Personal Data / Sensitive Data
Just Data!
− Company details
− Address without a name
− A generic email address such as info@company
− Corporate accounts with summary payroll data
Personal Data
− Name and address of a data subject
− Email address with firstname.surname@company
− Pay records with gender, age, job title (even without a name)
− A web cookie
Sensitive Data
− Racial or ethnic origin
− Political opinions
− Religious beliefs
− Sexual preferences
− Biometric information
6. Objective, Subjective or Sensitive
Any information relating to an individual can be classed as personal data when it can identify the data subject!
7. Personal Data held by the company in electronic format and manual records which form part of a relevant filing system.
9. − All employee/company data
  − HR data
  − Payroll
  − IT data – IP, Cookie
  − CCTV
  − Mobile data
  − Financial data
  − Proof of Identification
  − Pension
  − Performance reviews
− Customer data
  − Contact details
  − Mobile data
  − Pictures – (TT)
  − Financial data (individual contracts)
  − Contracts (Consent)
  − Call recordings
10. Business > Business
Legitimate Interests
You can rely on legitimate interests if you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing.
Note: You still need to be compliant with the Privacy and Electronic Communications Regulations (PECR).
Always include an Opt out – The Right to object!
Who can/can't I contact - Marketing!
Be mindful of B > C, Sole Traders and Partnerships
You can contact about:
• Existing Products
• New Products
• Events
• Company Information
11. Business > Consumer
Consent
• Consent must be freely given
• Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
• Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
• You must make it easy for people to withdraw consent at any time they choose.
Who can/can't I contact - Marketing!
Can include Sole Traders and Partnerships
16. A Data Breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorised fashion.
19. Everybody has a responsibility towards protecting the company's information.
It is essential for everyone to follow Acceptable Use guidance.
Hardware / Software / Paper / Physical Security
20. Hardware & Software
• Only hardware and software authorised by your company should be used in any connection with the company network.
• The business may be unable to support any unauthorised hardware or software.
• Use of unauthorised hardware or software may expose the business to the risk of unauthorised access or virus infection.
21. Company Owned Computers
• Use network/cloud drives to create and store documents.
• Passwords – Only effective if kept secret!
• Think about what’s on your screen and where you are.
• Anti-virus is there for a reason!
22. Mobile Phones
• Passwords
• Ability to wipe phones
• Data protection includes mobiles! Think about what and who you are messaging.
23. Email / Internet
• THINK - Who are you sending to? What are you sending?
• Secure ISDX transfer
• Look out for attachments or requests from known & unknown sources – virus or malware
• Never use your personal email for work
• The business may monitor or block email traffic in certain circumstances.
• Out of office messages – Think before you type!
24. Paper
• It's not just our data
• Shred documents
• Clear desk policy
• Locked cabinets
• Templates have disclaimers
26. Thank You for your time
For more information visit
www.intercity.technology/gpdr
Editor's Notes
To reiterate the 6 data processing principles...
An electronic filing system can be anything computerised, including email.
Be prudent about making comments which may be later disclosed.
Minutes of meetings
And how they are recorded – Notebooks
Document date, method, content of disclosure, validity
If they ask you to stop it, then make sure we stop it.
Social engineering – Be careful
Simple mistakes – eg: sending To rather than BCC
We have 72 hours to report a breach. Straight away if it is of high risk of breaching the rights of individuals.
Must be returned what is issued
Asset tags must not be removed
No unauthorised equipment
Policy of automatic lock – Turned on
Software should be authorised
Theft is to be reported
Your desktop is not backed up – use OneDrive.
Watch what you are plugging into your PC
Lock your work station
Passwords
What's on your screens
Make sure you connect to the network for updates
Where do you leave your laptop?
Think about what you are saying in public places.
Toggle to get access but don’t bypass a network machine.
Boxer – BYOD policy – not provided with a company mobile?
Don’t look at stuff you shouldn’t! - Offensive, pornographic, illegal etc.
Web pages may be blocked. They are blocked for a reason
Secure sites have a padlock or HTTPS://