Slides from my CIO Summit talk on the impact of EU General Data Protection Regulations. Quick take away: GDPR is not a technology challenge as such, there is no single piece of software to meet its requirements. It is more about people and your organisations processes. IT alone will not successfully achieve compliance. The regulation promotes good information management. If the opportunity is take it is a great opportunity to engage with different parts of business such as marketing.

1. EU General Data Protection Regulation after Brexit
EU GDPR post Brexit
John Culkin

3. Content
• Brexit and the General Data Protection Regulation (GDPR)
• What the GDPR says
• Immediate areas of focus & making the business case
• How information governance can help you

4. Brexit and the GDPR
• Approved by MEPs (Parliament) and Member States (Council)
after 4 years of negotiation
• Brexit doesn’t affect it
• It is the law now!
• Current ICO guidance being developed
Will become enforceable law in the UK & Ireland
(and member states) on the 24th May 2018

5. What the GDPR says

6. 05
The new principles
The new principles are that information is:
01 04
02
0603
07
Processed fairly, lawfully
& in a transparent manner
Collected for specific, explicit
and legitimate purposes
Adequate, relevant and
limited to what is necessary to
meet the purpose
Accurate and up to date
Must not be kept for
longer than is necessary
Kept secure to maintain integrity
and confidentiality
Processed by controllers
and processors able to
demonstrate compliance

7. Name
and
contact
details
The
envisaged
time limits for
erasure data
Technical and
organisational
security
measures
Categories:
- Data subjects
- Personal data
Purposes
of
processes
To whom
personal
data was
disclosed
Transfers
of personal
data
Each controller must
maintain a record of
processing activities. That
record must contain the
following information:
Demonstrate compliance

8. GDPR Requirements
Governance
& policy
Data
inventory
Third
party
mgmt.
Information
security
Risk
mgmt.
Incident &
breach
management
Procedures
& controls
- Marketing & Data collection
(incl.Consent management)
- Complaints & Data Subject’s Rights
- Automated decision making & Risk
profiling
- Employment processing
Assurance

9. Fines
Inadequate processing of child data
Processing which does not require identification
Inadequate Data Protection by Design
Inadequate controller & processor management
Inadequate security controls
Non notification of breaches
Inadequate Data Protection Officer appointment
Breaches of Codes of Conduct and/or Certifications
Each supervisory authority shall have the power to issue
administrative fines of up to 10 million euros for breaches of;

10. Fines
Breaches of the basic principles for processing including conditions for consent
Inadequate compliance with Data Subject rights
Inappropriate transfers outside of the EEA
Breaches of relevant member state law
Non-compliance with an order from the Supervisory Authority
Each supervisory authority shall have the power to issue
administrative fines of up to 20 million euros for breaches of;

11. Good Information Governance could
save your skin!
It assists with compliance
requirements, making some
elements of the GDPR less
burdensome
additional efficiency benefits
to the organisation
By keeping accurate and robust
records on your processing
activities and controls you can
defend your position better with
a regulator or a data subject
It makes it easier to
risk manage your
estate & infrastructure
& investigate incidents
faster

12. Unknown unknowns…
• Equivalency not recognised or drift apart
• Maybe we want higher standards
• The Trump effect – US data transfers
• Privacy awareness impact
• Monetising data – my data my money
• Case law developments – permission previously given?

13. Immediate areas of focus
What you have
Where it is
Where you are
sending to
Why you have it
What form it is in
How long you need
to keep it
Ultimately you need
to know

14. How can you achieve this?

15. Understand what information
you have and what you need:
• Information lifecycle
• Information management
platform
• Policies and procedures
1. Begin with an information audit

16. 2. Decide what data to keep

17. 3. Securely destroy unnecessary data
10100010110101001011010100110101101000101101
01101000110101011011010110101001101010101000
10100010110101001011010100110101101000101101
00101000110101011011011010100110101010001010
10100010110110110101001101010100010110100101
00101000110101011011010100110101101000100001

18. 4. Set a budget for a Data Protection
Officer and oversee the appointment

19. 5. Begin staff training and review your
information governance framework

20. 6. Put a clear and effective reporting
process in place for data breaches

21. 7. Create a remediation
programme to deliver
compliance with GDPR

22. 8. Create a business case for IG focusing on value

23. Don’t make the headlines:
Reputational damage is more expensive than fines

24. ARE THERE ANY
QUESTIONS

25. Thank you

26. For more information about GDPR please visit
www.crownrms.com/gdpr
Contact
+44 (0)20 8443 6016
sales.uk@crownrms.com
John Culkin – Director Information Management
jculkin@Crownww.com