This document provides an overview of key concepts related to the General Data Protection Regulation (GDPR) including:
- Definitions of terms like personal data, sensitive personal data, and data controllers.
- Principles of GDPR including requirements that personal data be processed lawfully and securely and that individuals have rights to access and correct their personal data.
- Responsibilities of directors and organizations to implement technical and organizational security measures to protect personal data.
- Considerations for handling personal data in contexts like marketing, human resources, and use of portable devices and electronic records.
Developing a privacy compliance program - Raoul Miller
This document discusses developing a privacy compliance program. It begins by outlining key privacy regulations like GDPR and CCPA. It explains that compliance programs should identify the data an organization collects, implement systems to manage that data, and establish roles and processes around data security, access, and deletion. The document recommends using a records management platform to securely store customer data and define policies around data protection, security, and retention. It emphasizes that privacy compliance is important, widespread, and that starting a program does not need to be difficult by focusing first on identifying data and establishing management processes.
This document provides information about a call for software and hardware developers to address issues with electricity metering and billing in Lagos, Nigeria. It discusses data protection compliance for startups and entrepreneurs under Nigeria's National Information Technology Development Agency (NITDA) Nigeria Data Protection Regulation (NDPR). The NDPR aims to protect Nigerians' personal data and ensure privacy within companies' databases, with fines of up to 2 million Naira for noncompliance. The document outlines key NDPR concepts like personal data, data controllers, processors, and subjects' rights.
This document discusses sensitive data and how to protect it. It begins by defining sensitive data as information that must be safeguarded against unwanted disclosure due to legal, privacy or proprietary reasons. It then lists examples of sensitive data and outlines three key aspects to measuring data sensitivity: confidentiality, integrity and availability. Next, it describes the types of sensitive data hackers may target from organizations. Finally, it recommends three steps to protect sensitive data: identify all sensitive data, promptly respond to and assess risks, and monitor and implement adequate security measures. The conclusion emphasizes the importance of protecting sensitive data to build strong business relationships and trust.
This document summarizes a presentation on data protection compliance. It discusses choosing the right partner for data protection services. Specifically:
- Credibility is important - look for recognized brands, references from similar customers, and physical facilities. Trade body memberships also signal credibility.
- Compliance involves standards like ISO 27001 for information security and ISO 9001 for quality management. Shredding services should meet BS EN15713 for secure destruction and CPNI approval for classified documents.
- Culture matters - look for a strong customer focus, comprehensive service scope, health and safety emphasis, and investment in staff and technology.
Fuel Good 2018: Is your Nonprofit at Risk? Security and Privacy Best Practices - Sparkrock
This presentation covers security principles for on-premises organizations, security principles in the cloud including Azure Deployment and Azure Build Services, and environment monitoring.
Managing Data Breach Communication on The Social Web - Boyd Neil
This is an update on a presentation I made a year ago on data breaches. It includes a couple of slides on social web comment on the Heartbleed bug, in particular the role of Twitter as the key platform for comment.
This document summarizes a presentation given on GDPR legislation. The key points are:
- GDPR introduces significant changes to data protection law, including expanded definitions of personal data, new lawful processing categories, increased fines and penalties, and enhanced data subject rights.
- Organizations need to undertake various preparation activities to achieve GDPR compliance, including data discovery, policy reviews, training, and documenting accountability records.
- Specific processes like risk assessments, breach notifications, and respecting data subject rights around access, rectification, objection and erasure must be established. Proper documentation will be critical to demonstrate compliance.
This document discusses security considerations for data lakes. It notes that data lakes consolidate an organization's most valuable data, making them an attractive target for hackers. The document outlines key risks like housing all customer data in a single repository and in the cloud. It proposes security design principles like zero trust and least privilege. The document then presents a protection framework with components like access controls, network security, data protection policies and governance. Specific capabilities are described for areas like platform access, policies, network isolation, and data protection. The goal is to properly secure the data lake while still enabling data sharing and analytics.
This document provides information on data classification, including its importance, goals, and how to implement a classification system. Classification involves organizing data into categories to facilitate effective use while achieving goals like availability, integrity, compliance and mitigating risks. The document outlines a process for classification that includes understanding information types and risks, creating a classification scheme, implementing policies, and ongoing maintenance through education and improvement.
The document discusses strategies for planning and resourcing digital archives and recordkeeping over the long term. It emphasizes understanding information needs, designing systems to support records, using open formats, applying metadata, managing migration, educating staff, and securing funding for projects through building support and linking to popular ideas. Free tools and resources are also mentioned.
Data Loss Prevention (DLP) is often the number one concern for most organizations. With the growth of mobile devices and cloud storage, most network perimeters look more like Swiss cheese than brick walls.
See Full Webinar: http://www.gti1.com/webinars/?commid=64955
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off... - Edge Pereira
Edge Pereira presentation at Microsoft TechEd Australia. Session OSS304 Regulatory Compliance and Microsoft Office 365 - data leakage protection, dlp, privacy, sharepoint
This document discusses individual rights under the GDPR, including the right to be informed, right to access data, right to rectification, right to erasure, right to restrict processing, right to object, and right to data portability. It provides details on the elements of data portability, specifying that it applies to personal data provided by the individual based on consent or contract, must be in a structured and machine readable format, excludes inferred data, and considers third party rights during transfer between controllers. The document also compares the process for an access request versus a data portability request, noting they have similar timelines and identification requirements but data portability applies only to automated personal data.
This document discusses information security and compliance. It covers identifying information leaks, shielding against sensitive information loss, and presenting preventive solutions. Topics include compliance with laws and regulations, reducing financial risk, preventing legal liability, securing sensitive information, vulnerability checks, managing information flow, data breach prevention, and secure online file sharing.
With the latest news of privacy violations on popular social media platforms and the new regulation coming from the European Union (EU), the General Data Protection Regulation (GDPR), how companies use data and the laws protecting consumers are at the forefront of many people's minds.
Big data analytics for legal fact finding - jcscholtes
This eLaw presentation was given on Thursday March 14 at café 't Keizertje, Kaiserstraat in Leiden. The presentation contains a brief overview of big data analytics for legal fact finding.
Classifying Data to Help Secure Business Information - Template from Microsoft - David J Rosenthal
This document provides guidance on classifying and protecting business information. It discusses classifying information as high, moderate, or low business impact based on the potential effect of unauthorized disclosure. It also recommends tools for protecting information, such as Information Rights Management, BitLocker encryption, and Secure/Multipurpose Internet Mail Extensions. Guidelines are provided for sending, sharing, storing, backing up, and disposing of information based on its classification.
GDPR offers chances to enhance trust in your organisation, by showing that data is safe with you. Chances to show you take social responsibility, transparency and privacy seriously. Chances to minimise the risks of identity fraud and data leaks.
We can help you with our pragmatic approach from our expertise in information security, processes and privacy law.
Do you want to be ready for GDPR on May 25th, 2018? Call or mail me.
r.kranendonk@rent-a-dpo.nl
+31 (0) 30 227 0960
+31 (0) 6 286 388 46
This document discusses key terms and requirements of the GDPR, provides an example of TalkTalk being fined for a data breach, and outlines the three main causes of data breaches and next steps for compliance. It discusses how existing processes, staff, and cybersecurity need to be addressed to comply with GDPR requirements for handling personal data. Specific actions mentioned include performing a data audit and mapping, implementing documentation and policies, and securing data through appropriate technical measures.
Cross border - off-shoring and outsourcing privacy sensitive data - Ulf Mattsson
Ulf Mattsson is the CTO of Protegrity, with over 20 years of experience in research and development and global services at IBM. He has been involved in developing encryption, tokenization, and intrusion prevention technologies. The document discusses cross-border offshoring and outsourcing of privacy sensitive data in the cloud. It notes that cloud services are often provided by third parties and can involve data being stored in multiple locations. Regulations like PCI DSS and national privacy laws apply when data crosses borders or is outsourced. Sensitive data needs to be protected to comply with regulations and address threats while also enabling useful insights from the data. Methods like de-identification through tokenization and encryption can protect identifiable data
Top Ten IT Legal Issues for the Enterprise - Hawley Troxell
The document outlines the top 10 legal issues for IT in enterprises: 1) BYOD/mobility policies need to control employee devices to prevent misuse. 2) Privacy policies must comply with regulations like HIPAA and protect personal information. 3) Data ownership policies are needed regarding who owns collected data. 4) Social media policies should prevent legal issues like defamation. 5) Cloud/SaaS agreements differ from licenses and must be understood. 6) Document retention policies ensure compliance with litigation requirements. 7) Idaho law clarifies cloud services taxation. 8) Data backup/security policies should match contractual commitments. 9) Software audits require license compliance. 10) Data breach response plans follow state regulations to mitigate issues.
The document discusses key aspects of the General Data Protection Regulation (GDPR), including penalties, definitions of data protection terms, and principles for handling personal data. It notes that GDPR sets fines up to €20 million or 4% of annual global turnover for noncompliance. It defines terms like data controller, data processor, and personal data. It outlines principles of GDPR such as purpose limitation, data minimization, accuracy, and integrity and confidentiality for appropriately handling personal data. It also discusses GDPR's information lifecycle requirements around assessing, capturing, storing, using, and destroying personal data.
The talk discusses how analytics can attack privacy and what we can do about it. It covers the legal responses (e.g. GDPR) as well as technical responses (differential privacy and homomorphic encryption).
The video is at https://www.facebook.com/eduscopelive/videos/314847475765297/ from 1.18.
This document discusses key aspects of complying with the General Data Protection Regulation (GDPR) for businesses. It outlines the changes GDPR introduced, including new accountability responsibilities and geographic scope. It provides simplified questions organizations should ask about the personal data they hold, including what data they have, why they have it, where it is stored, who has access, who they share it with, how they protect it, and when they need to destroy it. The document then discusses specific GDPR requirements around documenting data processing activities, having a lawful basis for processing data, data storage and retention policies, data sharing and third parties, access controls, security measures, handling data breaches and subject access requests.
Digitala Era 2017 - ALSO - Artjoms Krūmiņš - Personal Data Regulation (EU GDPR) ... - Andris Soroka
The new European Union personal data protection regulation is becoming an increasingly discussed topic in almost every company, as the date it enters into force (25 May 2018) is fast approaching. Therefore, for the fourth year in a row, in cooperation with the "Latvian Association of Certified Personal Data Protection Specialists", one of the leading cybersecurity companies in the Baltics, "Data Security Solutions", is organising on 26 April Latvia's largest event on the personal data protection regulation (EU GDPR - General Data Protection Regulation), "Digitālā Ēra 2017", where leading specialists from the private and public sectors will share their experience and knowledge, looking at the newest and most innovative solutions as well as the latest market trends and regulatory norms both in Latvia and across the European Union. More: https://digitalaera.dss.lv/
ControlCase discusses the following:
- What is GDPR?
- How will it impact me?
- How can I become compliant?
- What is the timeline?
- What are consequences if not met?
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct... - Harrison Clark Rickerbys
Slideshow from GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors, on 7th March 2018 at Hilton Puckrup Hall
This document summarizes a GDPR breakfast briefing that was held on March 8, 2018. It discusses why the new GDPR regulations are being introduced, as the current Data Protection Act is outdated. Key points of the new GDPR are outlined, including increased responsibilities for controllers and processors of personal data, new rights for individuals, and the six principles of lawful personal data processing. Businesses are advised to conduct a data audit, develop a GDPR compliance strategy and roadmap, and address questions about registration, training, data protection officers and data breaches to prepare for the introduction of GDPR by May 2018.
The slide deck provides an overview of key aspects of the General Data Protection Regulation (GDPR) that businesses need to be aware of and comply with. Some of the main points covered include:
1) GDPR requirements for obtaining and documenting valid consent for processing personal data, providing privacy notices, and respecting individual rights to access, rectify and erase their data.
2) The roles and responsibilities of controllers and processors of personal data and requirements for contracts between them.
3) Lawful bases for processing personal data and additional conditions for processing special categories of sensitive personal data.
4) Requirements for data protection by design and default, conducting data protection impact assessments, and managing data breaches.
This document provides an overview of Polar's approach to complying with the General Data Protection Regulation (GDPR). It discusses Polar's commitment to privacy, what GDPR is, some of the key challenges of implementation, and the processes and reviews Polar has put in place. The director introduces himself and his role at Polar, and then covers key aspects of GDPR including data subject rights, the definitions of controllers and processors, lawful bases for processing, and requirements around consent, documentation, accountability, and security.
For more information visit https://www.thesaurus.ie or https://www.brightpay.ie
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Payroll bureaus process large amounts of personal data, not least in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this CPD accredited webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How it will impact payroll bureaus
How to prepare for GDPR
How we are working to help you
The document provides an agenda and overview for a data protection training seminar. It discusses why data protection is important, key terms and principles of the Data Protection Act 1998 and Privacy and Electronic Communications Regulation 2003. These include the definition of personal data, the rights of individuals, and security requirements. It also offers practical tips for marketers regarding obtaining consent, using data, and regaining lost permissions. The seminar aims to help participants understand UK data protection law and its implications for their marketing activities.
The document provides an overview and agenda for a data protection training session. It discusses why data protection is important, key terms and principles of the Data Protection Act 1998 and Privacy and Electronic Communications Regulation 2003. It offers practical tips for marketers on obtaining consent, permissions management, sourcing data, and regaining lost permissions. The session aims to help participants understand data protection law and their responsibilities to comply.
TrustArc Webinar: Challenges & Risks Of Data Graveyards (TrustArc)
With the rise of big data, companies now obtain and store data in massive quantities. As a result, they end up with giant repositories of unused data sitting on their servers, also called data graveyards.
Storage infrastructure, maintenance costs, compliance with privacy laws, security gaps, and risk of data corruption: risks due to data graveyards are numerous.
What can organizations do with a large amount of data? How can you uncover the value of data before storing it? How can you manage the maintenance costs of big data?
Join our panel in this webinar as we explore how your company should manage the risks and challenges associated with data graveyards.
This webinar will review:
- What data graveyards are
- How to manage data graveyards risks
- How to define data retention periods and stay compliant
For more information visit thesaurus.ie or brightpay.ie
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Employers process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How to prepare for GDPR
How we are working to help you
The document discusses how Acronis solutions help organizations comply with the GDPR through features that allow for privacy impact assessments, data access governance, secure backup storage, data breach response, and data deletion in accordance with data subject rights like access, rectification, erasure and portability. It outlines how Acronis Backup, Storage, Backup Cloud and Disaster Recovery Service provide control over data location, strong encryption, easy data access and modification, fast recovery, and logging to meet GDPR requirements.
For more information visit https://www.brightpay.co.uk
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Employers process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How to prepare for GDPR
How we are working to help you
CERN 5 Things you should know about Data Protection (EUDAT)
The document provides an overview of key aspects of data protection that organizations should be aware of:
1) Personal data belongs to individuals and must be processed fairly and for specific purposes, with transparency about how and why data is used.
2) Inappropriately handling personal data without consent or legitimate basis is illegal. Organizations must implement training, policies, and accountability measures to ensure compliant internal data practices.
3) Personal data cannot be freely shared without appropriate safeguards like contracts, as the controller remains responsible for privacy protections. International transfers require ensuring an adequate level of protection.
4) Organizations have an obligation to appropriately secure personal data and respect individuals' rights to their data, such as access,
This document provides an overview of key aspects of the General Data Protection Regulation (GDPR) for businesses:
1) It outlines the six principles of GDPR for processing personal data, including lawfulness, transparency, purpose limitation, data minimization, accuracy, and storage limitation.
2) It explains that GDPR applies to any organization that processes personal data of EU individuals, including data controllers and processors.
3) It defines personal data and sensitive personal data, and outlines the legal bases for processing each type of data, including consent, contractual obligations, and legitimate interests.
4) It provides guidance on complying with GDPR requirements such as conducting a data inventory, managing consent and privacy notices,
The document summarizes a presentation on legal and data protection updates. It covered:
1. The Data Protection Act 1998 and Privacy and Electronic Communications Regulations 2003, including key principles like fair collection of data, processing for limited purposes, security measures, and rights of individuals.
2. Practical tips for marketers around obtaining consent, marketing permissions, sourcing data, and regaining lost permissions.
3. Determining roles as a data controller or processor and ensuring responsibilities are established in processing contracts.
4. An overview of the proposed new EU Data Protection Regulation which aims to update privacy laws for new technologies and networks.
The document provides an overview and agenda for a conference on achieving compliance with the General Data Protection Regulation (GDPR). It discusses key aspects of GDPR compliance including identifying personal data, data subject rights, security requirements, international data transfers, and remedies for non-compliance. Various vendors also present on how their products can help organizations meet GDPR requirements through features such as digital consent management and customizable reporting on personal data. An example case study highlights how one company used DocuSign to address challenges around manual processes, GDPR readiness, and security of personal information.
The General Data Protection Regulation (GDPR) tidal wave has hit: are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance to the regulations.
Join this webinar to learn:
* More information about GDPR and what the industry is experiencing to date
* What minimum requirements you should have had in place by May 25, 2018
* What you should plan to do for the next 12-18 months if you are not completely ready
* What the SEC Privacy Shield program is and why you should self-certify
* How to continuously monitor vendor risk KPIs
GDPR introduction
1.
2. The jargon
• Data processing
• Data Controllers
• Data Processors
• Personal data
• Sensitive personal data
• Data Protection Officer
3. GDPR principles
Article 5 of GDPR says that personal data shall be:-
• Processed lawfully, fairly & transparently
• Relevant, adequate, but limited to what’s needed
• Accurate
• Kept for no longer than necessary
• Protected against accidental loss, destruction or damage
4. Individual rights
• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making
5. Directors’ responsibilities
• Technical & organisational measures
• Documentation
• Consider appointing a DPO
• Data protection by design
• Consider a Data Protection Impact assessment
6. Data security
• Portable devices
• Desk-top devices
• Physical records
• Electronic records
• Data duplication
• Communications
• Clear desk/screen
8. GDPR & Human Resources
• Personal data in HR
– Personal data
– Sensitive personal data
• Data Processors
– HR Champions/Acorn H&S
– Lower-risk DPs
• Keeping records/retention periods
10.
“We free you get on with your business”
Our capabilities range from CE marking, practical application of quality, environmental & safety management, to fully certified “ISO” systems.
Contact Richard Shearwood-Porter
01934 316224 / 07909 528942
info@theHSQEdepartment.com
www.theHSQEdepartment.com
Editor's Notes
First, some GDPR facts….
Businesses in the EU have to deal with 28 different data protection laws, which creates costs for SMEs that want to trade across Europe.
EU GDPR is a single harmonised regulation on data protection that applies to any company that wants to do business in the EU.
The UK has been instrumental in drawing GDPR up and is implementing it as the Data Protection Bill.
Government has confirmed that the Data Protection Bill will not be repealed when the UK leaves the EU.
In the UK we already have the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), which both have an impact on how companies manage personal data and carry out marketing activities.
The Data Protection Bill will repeal the old Act and strengthen data protection rules.
GDPR applies to any data that could be used to identify an individual, such as name, address, phone number, e-mail, IP address.
The regulator is the Information Commissioner’s Office (ICO)
The consequences of a serious data breach under GDPR are up to 20m euros or 4% of turnover, but the ICO has declared that it will aim to work with companies to strengthen data protection rather than go for a big fine in the first instance.
There are a number of terms that we need to get our heads around if we’re to get to grips with GDPR
Data processing
Any activity that changes the state of personal data. This can be as simple as saving contact details to a phone or adding details to a database.
Data Controller – a body or person that decides the purposes for which personal data is used and the way in which this is done.
Companies that make use of personal data will be Data Controllers, whether or not they actually process data themselves.
Data Controllers have specific legal obligations such as keeping records of what data is being kept and how it’s being processed, and are liable for any data breach.
Data Processor – a body or person that is responsible for handling data on behalf of a Data Controller, such as for the purpose of running payroll, providing marketing lists, carrying out health surveillance and so on.
Any Data Processor needs to be appointed under a contract.
The Data Controller is legally liable for any loss of its data by the Data Processor, so needs to carry out reasonable due diligence on the Data Processor’s protection measures.
Personal Data
As mentioned earlier, GDPR applies to any data that could be used to identify an individual, such as name, address, phone number, e-mail, IP address and this can be in any form.
Sensitive personal data
Information that could be used to stigmatise or discriminate against someone.
Sensitive personal data must be protected with extra care.
Data Protection Officer
A DPO is a named person, with no vested interest in data processing, who has an appropriate level of knowledge of data protection and who acts as an unbiased advisor to the Data Controller’s senior team.
The DPO also acts as the point of contact for the ICO and for enquiries about data protection.
There are rules on when companies need to appoint a DPO, and the majority of SMEs are excluded.
A DPO must be appointed by public authorities, or by other organisations whose main purpose is large-scale, systematic and regular monitoring of individuals (such as Facebook) or where they carry out processing of special categories of data on a large scale, such as BUPA.
Exempt organisations still need to have a named person responsible for data protection and can opt to appoint a DPO if they see it as helpful.
Processing lawfully, fairly & transparently
Data subjects must actively opt in. They can no longer be tricked with a pre-ticked box.
There are 6 lawful reasons for processing information and the Data Controller needs to record which of these apply and why:-
Consent (opt-in)
Contract (need the data in order to carry out the contract with the subject of the data)
Legal obligation (employers and landlords are required to check a person’s right to be in this country)
Vital interest (where data is needed to protect someone’s life, but they are unable to give consent, e.g. treatment after a serious accident)
Public task (any body that has official authority or that carries out work in the public interest)
Legitimate interest – the most flexible basis by which to hold data. Can be used when you hold and use data in a way that people could reasonably expect, for reasons directly related to the purpose of the organisation (for example lists of people that have purchased from you or who have made enquiries)
The most likely lawful reasons for most organisations will be Consent, Contract & Legitimate interests.
Relevant, adequate, limited
(Speaks for itself)
Accurate
Inaccurate data can cause individuals all sorts of problems & create huge amounts of unwarranted stress. For example:-
Threatening letters from debt collectors, chasing a previous occupier.
Being wrongly identified as an executor to a will and being chased for money.
Bills from two electricity companies after switching – covering the same period of time.
After May 25th these would be offences.
Kept for no longer than necessary
Some common sense needs to be applied here as to what a reasonable length of time might be, but you need to be able to justify the time period if asked. Two examples at extreme ends of the spectrum:-
CVs from a recruitment drive: The person you initially choose may pull out at the last minute, may leave shortly after arriving or may be asked to leave within their probation period. So it would be reasonable to retain the CVs of others on the short list until a probation period is up. CVs that don’t make a short-list should probably be destroyed once they have been screened out.
Health surveillance records: Ex-employees may make a claim for disability many years after leaving employment. It would therefore be sensible and legitimate to keep health surveillance records more or less forever.
Protected against accidental loss, destruction or damage
This clause refers to a data breach, which can include:-
Access by an unauthorised third party
Deliberate or accidental action/inaction by a Data Controller or Processor
Sending personal data to an incorrect recipient
Loss or theft of documents or electronic devices
Alteration of data without permission
Loss of availability of personal data (for example by deleting, shredding or hard drive failure)
Right to be informed
At the time someone opts in they must be told what information will be kept, how it will be used, how long it will be retained and who it will be shared with. This is called “Privacy Information”.
If you get personal data from a source other than the individual, they must be informed within a month. This would apply to marketing lists, but you would probably be informing them by means of direct marketing.
Right of access
Individuals must be able to access the information that you hold on them and be able to verify that any processing is lawful.
Companies must therefore be able to respond to information requests.
Right to rectification
Individuals can ask, verbally or in writing, for inaccurate data to be corrected and the Data Controller has one calendar month to respond.
If the Data Controller decides the data is accurate, they can refuse to change it.
If the request is vexatious or excessive, the Data Controller can also refuse to comply.
Right to erasure
Also known as “the right to be forgotten”.
Individuals can ask, verbally or in writing, for data to be deleted and the Data Controller has one calendar month to respond.
This right applies if:-
Data isn’t needed any more
The Data Controller is relying on Consent and consent is withdrawn
The Data Controller is relying on legitimate interest and this is overridden by the individual’s interest
The individual objects to direct marketing
The data has been processed unlawfully e.g. passed on by a data broker without consent
Erasure complies with a legal obligation e.g. to enforce a court order on erasure
The data relates to a child
Right to restrict processing
This isn’t an absolute right and only applies in certain circumstances.
Individuals can ask, verbally or in writing, for data to be restricted and the Data Controller has one calendar month to respond.
This right applies if:-
The individual has asked for data to be corrected and this is under investigation
The individual objects to their data being processed but the Data Controller is investigating whether it has a legitimate interest to keep it
Data has been unlawfully processed and the individual wants it to be retained, but not used (Facebook?)
The data isn’t needed any more by the Data Controller, but the individual needs it to be kept, for instance to defend a legal claim
Right to data portability
This allows individuals to obtain and reuse their personal data for their own purposes across different services, for example when changing bank or utility company.
Right to object
Individuals have a right to object to:-
Processing based on Legitimate Interests or Performance of a Task in the Public Interest/Exercise of Official Authority
Direct marketing
Processing for scientific/historical research or statistics
Rights related to automated decision making including profiling
This relates to when data is analysed and acted on without the intervention of humans. Examples would be:-
On-line applications for a loan or insurance
On-line aptitude test as part of a job application
Predicting someone’s preferences from their on-line profiles or searches.
Because this is seen as high-risk, Data Controllers and Processors must ensure that:-
They have carried out a Data Impact Assessment
Data subjects can appeal and receive an explanation for a decision
Data subjects can express an opinion
Humans can intervene
Technical & organisational measures
Data protection policies – Privacy; Access Control; Data Security; Information Requests; Data Breach.
HR policies – Sensitive information; Appropriate Use (including social media)
Staff training – GDPR & data security
Internal audit
Documentation
Data mapping
Purpose of processing
Legal basis for processing – mainly Contractual & Legitimate Interest
Privacy notices
Records of Consent (where used)
Records of due diligence on Data Processors
Contracts with Data Processors
DPO
Discussed earlier
Data protection by design & default
This refers to making sure that organisational measures and technical measures work together to protect data from loss.
Data protection impact assessment
A data protection impact assessment is a systematic analysis of how data is processed and where it is vulnerable to loss or damage, but is compulsory only where processing carries a high risk to individuals.
Examples would be:-
There is systematic and extensive profiling with significant effects, for instance health insurance
Personal data is sensitive or about criminal offences
CCTV records of public places
We’ve checked what is in place and have recommended some further security measures, so what does this mean for you?
Portable devices
Laptops & phones protected by PIN, password or biometrics
Don’t load personal information onto removable media
Set device to lock after a period of inactivity
Enable remote wiping
Apps from trusted sources only
Essential personal data only
Report if lost or stolen
Desk-top devices
Secure account log-in
Don’t share passwords
Set to lock after a period of inactivity
Screens positioned to prevent “shoulder surfing” or fitted with a clip-on privacy screen
Only visit trusted websites
Physical records
Lock personal data away when not in use
Securely destroy personal data when no-longer needed
Carry only essential personal data when off-site
Electronic records
Restrict access to those that need it
Securely “shred” personal data, for example with CCleaner
Ensure that back-ups are effective
Data duplication
Central archive with secure back-up
Communications
Only share personal data with people that have a legitimate use for it
Make sure communications are addressed to the right person (reply-all and auto addressing)
Only open communications from trusted sources and never open links in e-mails. If in doubt – call the apparent sender
Follow organisational policy on use of social media
Clear desk/screen
When working with personal data, lock screen and clear papers away when away from the desk
Direct marketing has been controlled under the Privacy and Electronic Communications Regulations (PECR), which came out in 2003 and have been strengthened a number of times by amendments. The rules are reinforced under GDPR.
Data brokers
You can use data brokers if:-
Your data broker can prove to you that the contact has opted-in to having their details passed to a company such as BituChem for the purpose of direct marketing. This could be done by picking some data subjects at random and asking to see evidence of their consent.
The data broker will have a process to unsubscribe anyone that objects.
The same rules about direct marketing will apply to you as now (Privacy & Electronic Communications Regs).
You'll need a publicly available privacy policy - this can be on a web site - and communications with prospective clients will point them to the policy.
The policy will need to cover a range of points, but one of these will be the right to be removed from your list.
You tell the prospect where you got their contact details from.
Trade Directories
Companies and their named contacts that sign up to a specialised trade directory, such as “ESI External Works” can reasonably expect that they will be contacted directly by other companies working in the sector.
This allows you to claim “Legitimate Interest” to hold their contact details and to contact them, but you must say where you got their contact details.
The named contact has the right to opt-out of further contacts.
Internal lists
Web sites must now carry a privacy notice and a positive opt-in to receiving marketing information.
Potential customers that have visited a web site and have opted in can be contacted directly, but evidence needs to be kept of the opt-in.
Potential customers that have visited a web site but have not opted-in, or who have opted-out at a later date, cannot be contacted and you cannot retain their data.
Existing customers can reasonably be expected to have an interest in learning about your new products and can be contacted under “Legitimate Interest”. This is known as a “soft opt-in”.
HR is where you are most likely to hold “sensitive personal data” and be involved with “Data Processors”, so is an area that is particularly sensitive.
Simple personal data
Contact details
Next of kin
Employment history
CVs
Sensitive personal data – tighter control needed
Racial, ethnic, religious & sexual details/preferences
Prosecutions & criminal history
Health records including occupational health results (Acorn H&S surveillance reports; report into risks of chemical dermatitis for an individual employee)
Outsourced HR & H&S
Data Processors posing a higher risk to you because they hold sensitive personal data.
Send a Duty of Care questionnaire.
You are legally responsible for any leakage of employee data from these companies.
Providers of pensions, payroll, insurance, tacho-card analysis etc.
Data Processors, but lower risk because they hold no sensitive data on employees.
Keeping records & retention periods
Back to basics:
Keep only what’s necessary
It must be accurate
It must be secure
Keep only as long as necessary
Examples at the extreme ends of the spectrum were discussed earlier:-
CVs
Health records
Consider:-
Do you need paper records and, if so, how will you keep them secure?
Do you need duplicate copies of things like health surveillance reports to be kept in user accounts, or would one central copy be safer?
How long will you hold personal data before it becomes obsolete – for example company contact details?
How will you clean and confidentially delete data that isn’t needed anymore?
We’ve looked at:-
Some basic facts about GDPR
The principles of GDPR
The rights of data subjects
Your responsibilities
What GDPR means for marketing
The effect on HR
Any questions?