GDPR – The next steps!
KEY TERMS IN GDPR
Personal Data – your customers' and suppliers' data – includes online and offline information,
such as names, addresses, IP addresses and phone numbers. If you are already DPA
compliant, the data you need to secure is very similar under GDPR.
Data Subject – a living individual to whom personal data relates.
Data Controller – a person who determines the uses and purposes of the personal
data (in your company).
Data Processor – a person who acts on the Controller’s behalf (this could be a third
party under subcontract to you).
Sensitive personal data – data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership, or data concerning health
or sex life.
Personal Data Breach – a breach of security leading to the destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data.
2016: TALKTALK FINED £400,000 FOR SECURITY FAILINGS
• October 2015 – cyber attack losing over 150,000 Data Subject records.
• HOW?
• The company had not encrypted some personal details of customers.
• The company bought Tiscali and failed to ensure the Tiscali web pages were
adequately secured, allowing hackers access to the network and the
unencrypted database.
• TalkTalk also ignored “two warnings” prior to the hack which should have
alerted the firm to the problems with its
1 - Existing business processes
The way you capture, handle and process data today could be your biggest problem.
To comply with the GDPR your business will need to keep a rigid record of how, when,
and why stored data was used. You must also delete and update data where necessary.
Carry out a Data Mapping Exercise and/or a Gap Analysis – call the Owl, I can help!
THREE CORE CAUSES OF DATA BREACHES
2 - Staff
Your whole company (full time, part time and contractors) needs to understand the
significance of GDPR and the risks relating to breaches. Without the right training,
staff could unintentionally facilitate a cyber attack or disclose personal data.
Training in all aspects of cybersecurity is widely available, but beware of the validity
and relevance versus the cost!
IT Governance is, in the Owl's opinion, one of the better providers:
https://www.itgovernance.co.uk/shop/product/gdpr-staff-awareness-e-learning-course
£25 + VAT per course
3 - Cybersecurity
Almost half of UK companies identified a cyber breach or attack in 2017.
Companies commonly known to hold personal data are about 50% more likely to be
attacked than those that don’t.
The most common cybersecurity threats leading to breaches are:
• fraudulent emails
• viruses and malware
• people impersonating organisations online, and
• ransomware
Almost ALL of these attacks could have been prevented with the right
awareness, vigilance and cyber security.
NEXT STEPS….
Carry out a Data Audit
• What do I have?
• How do I get it?
• Where do I store it?
• Locally (digital), locally (physical) or cloud (digital)
• Who has access to it?
• How secure is it?
NOTE: GDPR applies to customers AND suppliers
Documentation, Documentation, Documentation
• Document the above
• Proof of consent from all Data Subjects
• Statements about information collected and
processed and purpose
• Documented process for protecting data
• Information Security Policy etc.
Secure that Data!
• “Appropriate technical and organisational measures”
(ISO/IEC 27001 ISMS)
NEXT STEPS….
Documentation and processes
• IT Governance offer a complete set of mandatory and supporting documentation
templates “that are easy to use, customisable and ensure full compliance”
• Data protection policy
• Training policy
• Information security policy
• Data protection impact assessment procedure
• Retention of records procedure
• Subject access request form and procedure
• Privacy procedure
• International data transfer procedure
• Data portability procedure
• Data protection officer (DPO) job description
• Complaints procedure
• Audit checklist for compliance
• Privacy notice
• And more….
More info:
https://www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
NEXT STEPS….
Map that Data and Secure that Data!
Owltech can help you here:
• Perform a Data Mapping exercise and Gap Analysis
• Factor in current security systems in the above, and
• Recommend any new security requirements for compliance
• General Data Security best practice
• AntiVirus and AntiMalware
• Encryption
• E-Mail encryption and security
• Cloud computing security
Owltech can also deliver and manage these systems for you
Thank You!

CBC GDPR The Physics

Editor's Notes

  • #6 Carry out a Data Mapping Exercise and a Gap Analysis.
  • #12 Latest GDPR news 19/06/2017: 23% of small UK firms haven't started preparations for GDPR. Nearly a quarter of small UK businesses still haven't started preparing for data protection rules that are less than a year away, according to a survey.