The document discusses considerations for complying with the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key GDPR aspects like penalties, timescales, and principles of lawful processing. An ideal approach is presented which involves understanding current gaps, prioritizing remediation, and maintaining compliance over time with tools and regular reviews. Common issues organizations face are also outlined, such as ineffective training and not properly identifying all data workflows. The last section discusses how technology from 3GRC can help streamline GDPR compliance through automated surveys, risk management, and progress monitoring.

1. Cyber Security & Data Protection
Steve Smith– CEO - 3GRC www.3grc.co.uk
Considerations for GDPR

2. Session Agenda
04
03
02
01
GDPR Overview
Ideal Approach
Common Issues
Questions
2018 Looms
Overview of the key aspects of
GDPR and how it is going to
impact SMEs on a foundational
level.
A Better Way We Make Mistakes
Mechanisms for getting the
business prepared and
developing matured data centric
methodologies.
Quiz Me
Opportunity to ask industry
specific points and share
experiences in GDPR
preparation.
Common mistakes experienced
by SMEs deploying a data centric
methodology to support GDPR
compliance.

3. GDPR Overview
Key Aspects of GDPR
Penalties
Timescales
Applicability
Scope
Taking effect in May
2018, with an
expectation that
businesses have
begun maturing their
data centric
workflows.
Potential fines locked
at up to 4% of global
turnover or €20m,
based on due
diligence measures
and scale of a data
breach/non
compliance.
European Individuals
data both internally
and through the
supply chain,
leveraging DPIAs for
sensitive data or large
scale processing.
Any organisation
exposed to personally
identifiable material
on a European
Individual, irrespective
of location.
Regional authorities
have the power to
impose and govern,
potentially providing a
local revenue stream
and local precedents.
Accountability

4. GDPR Overview 1. Lawfulness, Fairness & Diversity
Processed data lawfully, fairly and in a
transparent manner in relation to the data
subject – Opt-in
2. Purpose Limitation
Personal data must be collected and
leveraged for specific purposes. Processing
of PI for archiving purposes in the public
interest, or scientific and historical purposes
is ok. Article 83(1) outlines safeguards.
3. Data Minimisation
Personal data must be adequate, relevant
and limited to those which are necessary in
relation to the purposes for which they are
processed.
4. Accuracy
PI must be accurate and where necessary, kept up to date. Steps
taken to ensure inaccurate PI is erased or rectified without delay.
Scope
Doesn’t end at the perimeter and extends
to data flows and relationships with third
parties and even fourth parties.
7. Accountability
The controller shall be responsible for and
be able to demonstrate compliance with
these principles.
6. Integrity & Confidentiality
PI must be processed in a manner ensuring appropriate
security of personal data, including unlawful processing
and accidental loss, destruction or damage.
5. Storage Limitation
PI must be kept in a form which permits
identification of data subject for no longer than
necessary based on purposes for processing.
Key
Principles

5. Ideal Approach
Visibility
Remediation
Maintenance
Understanding the Gaps
Leverage GDPR surveys to identify non-
compliance. Identify disparate business unit as
there is likely to be variances in workflows.
Technology can drive efficient visibility. Seek
funding from the board for remediation.
Working to Compliance
Use standard remediation risk registers to
proactively address gaps and schedule
remediation timescales. Benchmark business
variance where necessary to foster competition
and identify stragglers.
Keeping the Consistency
Once ‘compliance’ is achieved, schedule
reviews bi-annually with disparate business
workflows to identify any lapses as they occur
over time. Continue testing and auditing.
Technology assists with this process.
Logical Methodology
Many organisations are fixing gaps in time for
2018. Informed data-centric tracking is key and
brings wider business benefit through informed
security controls rather than a traditional
perimeter. Internal data flow visibility is key.

6. Assign Data Protection Officer
Not always mandatory, but
recommended for executive buy
in
Adjust Contracts
Apply contract clauses for all
emerging contracts and track
renewals for amendment
Incident Management
Assess your IM process to ensure it
allows speedy identification, or at
least reaction
Audit Trails
Build the data centric audit
trail for future maturity
considering right to audit
Employee Awareness
Embed a ‘little and often’ training
approach for staff, for both risk
and knowledge
Ideal Approach
Data Centric Quick Wins

7. Ideal Approach
Data Governance
Data Silo
Controls
Cross
reference
data asset
maps against
security
mechanisms.
Don’t rely on
the perimeter
and consider
internal
access.
Long term aspirations should include the identification of data, treating PII as a critical data
set separate from a standard hardened perimeter. This good practice is largely transferrable
to any critical business dataset.
Privacy Impact
Assessments
Consider both
privacy by
design and right
to be forgotten
in any new
systems, and
develop plans
for legacy
systems to
include controls.
Subject Access
Requests
Cannot be
charged unless
excessive or
unfounded. 30
days for
delivery,
recommend
user ownership
or data
discovery tools.
Full Data Mapping
Regularly conduct
scheduled
surveys/discovery
scans to identify
data flows,
creating a live data
asset map of PII
attributes. This
includes quantity,
transfer, owner,
data attributes.

8. Common Issues
Training and Awareness
Emphasis on large scale training for
a tick box, then continuing to fight
for business change and
widespread adoption. Scare tactics
alone don’t help.
Data Protection Officer Skills
Having the wrong role spearheading data
protection. A DPO needs to be onboard and
suitably informed on both legislation and
logical good practice.
Data Workflow Identification
Keeping visibility static or focusing on
structured data solely. Not leveraging
business intelligence for ownership
Registered Regulatory Authority
Not considering which regulatory authority
will be responsible for the business.
Decision making location for infosec/data
management can be the locale, rather than
majority of data.
Silo Protection
Becoming focused on doing too much rather than
intelligently applying proportionate controls and
processes based on key risk areas. What works for
one BU doesn’t always work for another.

9. Streamlining with Technology
3GRC – Define GDPR Surveys
Create GDPR Surveys, Use or Tailor Existing Content

10. Streamlining with Technology
3GRC – Define GDPR Surveys
Create GDPR Surveys, Use or Tailor Existing Content

11. Streamlining with Technology
3GRC – Managed GDPR Risks
Generate risks automatically, manage and discuss with
clients and their supply chain

12. Streamlining with Technology
3GRC – Define GDPR Surveys
Generate risks automatically, manage and discuss with
clients and their supply chain

13. Streamlining with Technology
3GRC – Monitor and Measure GDPR Risks
Monitor and measure risk remediation progress