GDPR Conference 2018
WIFI: The Space Password: 5pac3002
Welcome
Chris Sargisson
Norfolk Chamber
@Chris_NorfolkCC
Agenda
09:30 Welcome
09:40 Alex Saunders, Leathes Prior; Tom Parsley, Selesti; John Gostling, Breakwater IT
10:30 Refreshment Break & Exhibition
11:00 Darren Chapman, CyberScale; Panel Q&A
11:45 Host close
12:00 Free networking, light refreshments & speaker drop-in
12:15 Optional workshops
13:00 Event close
Housekeeping
No fire drills – exits are marked
Toilets outside this room
Phones on silent
Feel free to tweet
@norfolkchamber #NorfolkGDPR
www.slido.com
#GDPR
Alex Saunders
Leathes Prior
@leathesprior
GDPR & THE “CONSENT” MYTH with Alex Saunders
GDPR Overview
• Replaces the existing Data Protection Act 1998
• Due to come into force on 25 May 2018
• Most fundamental change to data protection law in almost 20 years?
• Covers the use of “personal data” – any information that can identify a living individual
• Introduces various key new concepts and expands on existing concepts
• Applies to:
▫ Organisations operating within the EU
▫ Non-EU organisations offering goods/services within the EU
• Enforced in the UK by the Information Commissioner’s Office (“ICO”)
• Impact of Brexit?
GDPR – Why is it important?
Principles – Continuity
DPA 1998
• Fair and lawful processing
• Specific purposes
• Adequate, relevant and not excessive
• Accuracy
• Retain only as long as necessary
• Respect data subjects’ rights
• Security
• Transfers outside EEA
GDPR
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• (See lawfulness above)
Lawful Processing – Basis for processing
CONSENT: you can process personal data where the subject has given consent to the processing for one or more specified purposes
CONTRACT WITH INDIVIDUAL: you can process personal data, without consent, where required under a contract with the data subject
• E.g. employment contract, contract for sale of goods or services
VITAL INTERESTS: you can process personal data, without consent, if it’s necessary to protect someone’s life
Lawful Processing – Basis for processing (cont…)
PUBLIC TASK: you can process personal data, without consent, to carry out your official functions or a task in the public interest – and where you have a legal basis for the processing under UK law
• If a public authority, likely to apply to most of your processing activities
LEGITIMATE INTEREST: you can process personal data, without consent, if you have a genuine and legitimate reason to do so
• Legitimate interest can be for commercial benefit
• GDPR recitals – direct marketing could be a legitimate interest
• BUT exception if your interests are outweighed by harm to the individual’s rights and interests
Lawful Processing – Is “consent” always necessary?
MYTH: Consent is always necessary to process personal data
FACT: Consent is one way to comply with the GDPR, not the only way
• “Consent” is only one of six lawful bases for processing personal data
• Organisations will need to identify on which ground they are processing personal data
▫ It will only be appropriate to use consent where other grounds do not apply
Consent under GDPR – When is consent appropriate?
Consent may be required if you are…
• Direct marketing
• Using or sharing personal data in a way that is potentially intrusive or unusual – e.g. selling a database
• Transferring personal data outside the EEA
Consent will not be appropriate if…
• You are in a position of power over the individual (employer)
• Consent is a pre-condition of using the service
• You would still process personal data using a different basis even if consent was withdrawn
Consent under GDPR – Key changes?
DPA 1998
“any freely given specific and informed
indication of his wishes by which the data
subject signifies his agreement to personal
data relating to him being processed”
GDPR
“any freely given, specific, informed and
unambiguous indication of the data subject's
wishes by which he or she, by a statement or
by a clear affirmative action, signifies
agreement to the processing of personal data
relating to him or her”
Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent”
GDPR sets a higher standard for obtaining consent
Consent – Practical Changes
DO
• Identify basis of processing – Ensure consent is the most appropriate basis for the processing. Any other grounds?
• Clear and plain language – Use language that is easy to understand when obtaining consent. Avoid legal jargon!
• Third parties – Give details of any third parties who will be relying on the consent.
• Keep records – Who gave consent? When and how was consent given? Review consents regularly.
• Withdrawal – Make withdrawal of consent straightforward and simple. Same method as given.
DON’T
X Bundle consent – Keep separate from other terms. Don’t make it a pre-condition of signing up to a service.
X Blanket consent – Get separate consent for separate things where possible. Do not rely on a blanket consent.
X Use pre-ticked boxes – It should be an active opt-in. Don’t rely on implied consent.
X Penalising withdrawal – Do not penalise individuals who withdraw their consent.
X Public authorities – Take extra care to show consent has been freely given. Avoid over-reliance on consent.
Action Points – What now?
• Undertake a review of the personal data held by your organisation
• Identify what data is being processed on the basis of consent. Are there any other lawful bases for processing?
• If not, consider whether consent meets the GDPR standard. Do you need to obtain fresh GDPR-compliant consent?
• Ensure that there are proper procedures in place for recording consent and giving customers the right to withdraw
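As an added example (not from the slides, and not code from Leathes Prior), here is a small Python consent ledger that implements the practical points and action points above: one consent record per purpose rather than a bundled or blanket consent, rejection of pre-ticked or implied consent at the point of capture, records of who gave consent, when, how, and which third parties rely on it, withdrawal for a single purpose, and a check for live consents captured before 25 May 2018 that may need refreshing or moving to another lawful basis. The class and function names and the sample records for "amber" and "bob" are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Date the slides give for the GDPR coming into force; live consents captured
# before it are candidates for a fresh, GDPR-standard opt-in.
GDPR_START = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class ConsentEvent:
    """One consent for one purpose (no bundling), with the record-keeping
    fields the slides ask for: who, when, how, and which third parties rely on it."""
    subject_id: str
    purpose: str
    given_at: datetime
    method: str                          # how it was captured, e.g. "web-form", "email", "phone"
    active_opt_in: bool                  # False = pre-ticked box, silence or inactivity
    third_parties: Tuple[str, ...] = ()  # who else will rely on this consent
    withdrawn_at: Optional[datetime] = None
    withdrawn_via: Optional[str] = None  # channel used to withdraw (should be as easy as giving)


class ConsentLedger:
    """Hypothetical in-memory consent store (assumption: a real system would
    persist these records and keep the consent wording shown alongside them)."""

    def __init__(self) -> None:
        self._events: Dict[Tuple[str, str], List[ConsentEvent]] = {}

    def record(self, ev: ConsentEvent) -> None:
        """Store a consent event; only a clear affirmative action counts."""
        if not ev.active_opt_in:
            raise ValueError("silence, pre-ticked boxes or inactivity do not constitute consent")
        self._events.setdefault((ev.subject_id, ev.purpose), []).append(ev)

    def withdraw(self, subject_id: str, purpose: str, at: datetime, via: str) -> bool:
        """Withdraw consent for a single purpose; other purposes are untouched.
        Returns False when there was no live consent to withdraw."""
        for ev in self._events.get((subject_id, purpose), []):
            if ev.withdrawn_at is None and ev.given_at <= at:
                ev.withdrawn_at = at
                ev.withdrawn_via = via
                return True
        return False

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if a live, affirmatively given consent for this purpose existed at `at`."""
        return any(
            ev.given_at <= at and (ev.withdrawn_at is None or ev.withdrawn_at > at)
            for ev in self._events.get((subject_id, purpose), [])
        )

    def needs_refresh(self, standard_since: datetime = GDPR_START) -> List[Tuple[str, str]]:
        """Live consents captured before the higher standard applied: the (subject, purpose)
        pairs to re-consent or to move onto a different lawful basis."""
        return sorted(
            (ev.subject_id, ev.purpose)
            for evs in self._events.values()
            for ev in evs
            if ev.withdrawn_at is None and ev.given_at < standard_since
        )

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, for audit and subject-access requests."""
        return [ev for (sid, _), evs in self._events.items() if sid == subject_id for ev in evs]


def demo() -> dict:
    """Walk through the slides' scenarios on constructed sample data."""
    utc = timezone.utc
    ledger = ConsentLedger()
    # Constructed records: "amber" opted in to a newsletter before 25 May 2018 and,
    # as a separate consent, to partner offers afterwards.
    ledger.record(ConsentEvent("amber", "newsletter", datetime(2017, 6, 1, tzinfo=utc), "web-form", True))
    ledger.record(ConsentEvent("amber", "partner-offers", datetime(2018, 6, 10, tzinfo=utc), "web-form", True,
                               third_parties=("partner-a",)))
    # A pre-ticked box is rejected at the point of capture.
    try:
        ledger.record(ConsentEvent("bob", "newsletter", datetime(2018, 6, 1, tzinfo=utc), "web-form", False))
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    refresh_before = ledger.needs_refresh()
    # Withdrawal of one purpose, through the same channel, leaves the other intact.
    withdrew = ledger.withdraw("amber", "newsletter", datetime(2018, 7, 1, tzinfo=utc), via="web-form")
    return {
        "pre_ticked_rejected": pre_ticked_rejected,
        "withdrew": withdrew,
        "newsletter_before_withdrawal": ledger.has_consent("amber", "newsletter", datetime(2018, 6, 15, tzinfo=utc)),
        "newsletter_after_withdrawal": ledger.has_consent("amber", "newsletter", datetime(2018, 7, 2, tzinfo=utc)),
        "partner_offers_still_live": ledger.has_consent("amber", "partner-offers", datetime(2018, 7, 2, tzinfo=utc)),
        "needs_refresh_before": refresh_before,
        "needs_refresh_after": ledger.needs_refresh(),
        "history_len": len(ledger.history("amber")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keying records by (subject, purpose) is that a withdrawal or a refresh decision applies to one purpose only, which is exactly what the slides mean by not relying on blanket consent; `needs_refresh` is the check behind the action point about pre-GDPR consents.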
THANK YOU
Please feel free to get in touch with any questions:
E: asaunders@leathesprior.co.uk
T: 01603 281141
Tom Parsley
Selesti
@Selesti
GDPR & Marketing: opportunity or threat?
Tom Parsley
With change comes new opportunities
STAND OUT
More personalised, human engagement
Improved focus – Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.
FLYBE FINED
Personalised email – GDPR and PECR apply
Generic marketing email – Only general marketing consent needed
[Slide image: example personalised email – “Dear Amber … Your recommendations”]
Increased trust – 93% of online shoppers cite the security of their personal data as a concern
If we can’t easily explain what we’re doing with personal data then we shouldn’t be doing it
COPYWRITING
• Avoid personal pronouns
• Active voice
• Write in plain English
• Highlight the benefits
• Make future opt-outs clear
Encourages creativity
THANK YOU
for brands with ambition. Strategies, Technologies & Campaigns
tom@selesti.com
John Gostling
Breakwater IT
@BreakwaterIT
Personal Data Breaches
WELCOME
John Gostling
Breakwater IT
13 March 2018
INTRODUCTION
About me:
• Worked in IT since 1998
• Nearly 20 years!
• Worked at Breakwater since 2012
• Regularly see different hacks, breaches and attempts at fraud
PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data. This includes breaches that are the result of both accidental and deliberate causes. It
also means that a breach is more than just about losing personal data.”
BREACH EXAMPLES
• Carphone Warehouse
• Fined £400,000 in January
• Records for approximately 3,348,869 customers of a number of mobile phone providers
• Records for 389 customers across two other companies
• Historic transaction details for the period March 2010 – April 2010
• Records of approx. 100 employees
BREACH EXAMPLES
• What is a vulnerability?
A vulnerability is a weakness which allows an attacker to reduce a system's information
assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or
flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a
vulnerability, an attacker must have at least one applicable tool or technique that can
connect to a system weakness. In this frame, vulnerability is also known as the attack
surface.
BREACH EXAMPLES
• Carphone Warehouse – How did they get in?
• Vulnerability?
• Password
BREACH EXAMPLES
• Uber
• Details of 2.7 million UK drivers and riders
• Details of 57 million people worldwide
• Email addresses and phone numbers
• US Driver license numbers
BREACH EXAMPLES
• Uber – How did they get in?
• Password stored on GitHub
• What is Github?
• Cover up!
• ICO Response
BREACH EXAMPLES
• Uber – ICO Response
“Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber
has said the breach involved names, mobile phone numbers and email addresses.
On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such
as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the
NCSC.”
BREACH EXAMPLES
• Leicester County Council
• Email sent to 27 different taxi firms
• Accidentally included a large spreadsheet
• The spreadsheet contained personal data of thousands of children
PREVENT A BREACH
• Vulnerability testing & Penetration testing
• Password Management
• Risk assessment
• Two Factor Authentication
• Utilise DLP features on key documents
• Data Protection training
USEFUL LINKS
• Elizabeth Denham Blog - http://bit.ly/2tcP5uA
• Carphone Warehouse Monetary Penalty Notice -
http://bit.ly/2oR86xs
• ICO Statement on Uber Breach - http://bit.ly/2juR7y4
• BBC Article on Leicester City Council - http://bbc.in/2D3V8C9
Refreshment Break – See you back in the Auditorium at 11.00
Darren Chapman
CyberScale
@cyberscaleuk
GDPR & Cyber Security
GDPR Conference 13th March, 2018
Darren Chapman
Director & Principal Security Consultant
Pragmatic IT Security
(Why) Does Cyber Security Matter?
“Cyber security and data protection are inextricably linked“
CBI Cyber Security Conference, 13 September, 2017
“Processing” Personal Data
“Processing” means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, restriction, erasure or
destruction;
Cyber Security – GDPR Regulations
“the controller and the processor shall
implement appropriate technical and
organisational measures to ensure a level of
security appropriate to the risk”
…Article 32, GDPR
Cyber Security – GDPR in practice
“A personal data breach can be broadly
defined as a security incident that has
affected the confidentiality, integrity or
availability of personal data”
ICO Website – Personal Data Breaches
Cyber Security Fundamentals
• For DATA, we use C.I.A.
▫ Confidentiality
▫ Integrity
▫ Availability
• Risk based approach
▫ Understand what is critical to your business
▫ Understand the vulnerabilities and threats
▫ Assess the risks and impacts
▫ Apply controls to reduce or mitigate
• For reducing risks, we consider
▫ People, Process & Technology
Data – Where is it?
Data – What are the threats?
Malware, Ransomware, Viruses, Worms, Trojans, Phishing, Smishing, Spear Phishing, Whaling, Fire, Theft, Flood, Hardware failure, Human error, DoS attacks, RATs, Backdoors, Corruption, Insider threats, Zero-day attacks, Fileless malware, Man-in-the-middle attacks, Credential stealing, Keyloggers, SQL Injection, XSS, Bluejacking
“.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to personal data transmitted, stored or otherwise processed”
..Article 32, GDPR
Cyber Security Frameworks
Cyber Security vs Personal Data Security
“.. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”
…Article 32, GDPR
Cyber Security                  | Personal Data Security (GDPR)
CIA                             | CIA
Risk Based Approach – DATA      | Risk Based Approach – PERSONAL DATA
No formal requirement           | Demonstrable
Incident Response Plan          | Breach Response Plan
Cyber Security – Where are you at?
Cyber Security is a journey…
Common Gaps
Checking backups, AV coverage, Copies of data, Cloud Security, Policies, Contracts & SLAs, Staff training, Password Management, Multi Factor Authentication, Encryption (All Devices), BYOD Management, Individual User Accounts, Monitoring & Auditing, Updating Applications, Least Privilege, DOCUMENTATION!, Incident Response Plan
If things do go wrong….
Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it
Key Actions & Take-aways
Thank You
Speaker Q+A
Workshops
Workshop A – A Practical Marketing Approach to GDPR
Workshop B – Appointing a Data Protection
Please feel free to complete these cards, which can be found in your Delegate folders, and hand them in at Reception.
Thank you #GDPRConf18
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deckPitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
 
Lookback Analysis
Lookback AnalysisLookback Analysis
Lookback Analysis
 
Skye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto AirportSkye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto Airport
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
 

GDPR Presentation slides

  • 1. GDPR Conference 2018 WIFI: The Space Password: 5pac3002
  • 3. Agenda 09:30 Welcome 09:40 Alex Saunders, Leathes Prior Tom Parsley, Selesti John Gostling, Breakwater IT 10:30 Refreshment Break & Exhibition Darren Chapman, CyberScale Panel Q&A 11:45 Host close 12.00 Free networking, light refreshments & speaker drop-in 12.15 Optional workshops 13.00 Event close
  • 4. Housekeeping: no fire drills – exits are marked; toilets outside this room; phones on silent; feel free to tweet. @norfolkchamber #NorfolkGDPR WIFI: The Space Password: 5pac3002
  • 7. GDPR & THE “CONSENT” MYTH WITH ALEX SAUNDERS
  • 8. GDPR Overview ▫ Replaces the existing Data Protection Act 1998 ▫ Due to come into force on 25 May 2018 ▫ Most fundamental change to data protection law in almost 20 years? ▫ Covers the use of “personal data” – any information that can identify a living individual ▫ Introduces various key new concepts and expands on existing concepts ▫ Applies to: organisations operating within the EU; non-EU organisations offering goods/services within the EU ▫ Enforced in UK by Information Commissioner’s Office (“ICO”) ▫ Impact of Brexit?
  • 9. GDPR Why is it important?
  • 10. Principles – Continuity. DPA 1998: Fair and lawful processing; Specific purposes; Adequate, relevant and not excessive; Accuracy; Retain only as long as necessary; Respect data subjects’ rights; Security; Transfers outside EEA. GDPR: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; (See lawfulness above).
  • 11. Lawful Processing – Basis for processing. CONSENT: you can process personal data where the subject has given consent to the processing for one or more specified purposes. CONTRACT WITH INDIVIDUAL: you can process personal data, without consent, where required under a contract with the data subject ▫ E.g. employment contract, contract for sale of goods or services. VITAL INTERESTS: you can process personal data, without consent, if it’s necessary to protect someone’s life.
  • 12. Lawful Processing – Basis for processing (cont…) PUBLIC TASK: you can process personal data, without consent, to carry out your official functions or a task in the public interest – and where you have a legal basis for the processing under UK law ▫ If public authority, likely to apply to most of your processing activities. LEGITIMATE INTEREST: you can process personal data, without consent, if you have a genuine and legitimate reason to do so ▫ Legitimate interest can be for commercial benefit ▫ GDPR recitals – direct marketing could be a legitimate interest ▫ BUT exception if your interests are outweighed by harm to the individual’s rights and interests
  • 13. Lawful Processing – Is “consent” always necessary? MYTH: Consent is always necessary to process personal data. FACT: Consent is one way to comply with the GDPR, not the only way ▫ “Consent” is only one of six lawful bases for processing personal data ▫ Organisations will need to identify on which ground they are processing personal data ▫ It will only be appropriate to use consent where other grounds do not apply
  • 14. Consent under GDPR – When is consent appropriate? Consent may be required if you are… ▫ Direct marketing ▫ Using or sharing personal data in a way that is potentially intrusive or unusual – e.g. selling database ▫ Transferring personal data outside the EEA. Consent will not be appropriate if… ▫ You are in a position of power over the individual (employer) ▫ Consent is a pre-condition of using the service ▫ You would still process personal data using a different basis even if consent was withdrawn
  • 15. Consent under GDPR Key changes? DPA 1998 “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” GDPR “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent” GDPR sets a higher standard for obtaining consent
  • 16. Consent Practical Changes – DO ▫ Identify basis of processing: ensure consent is the most appropriate basis for the processing. Any other grounds? ▫ Clear and plain language: use language that is easy to understand when obtaining consent. Avoid legal jargon! ▫ Third parties: give details of any third parties who will be relying on the consent. ▫ Keep records: who gave consent? When and how was consent given? Review consents regularly. ▫ Withdrawal: make withdrawal of consent straightforward and simple. Same method as given.
  • 17. Consent Practical Changes – DON’T X Don’t bundle consent: keep separate from other terms. Don’t make it a pre-condition of signing up to a service. X Blanket consent: get separate consent for separate things where possible. Do not rely on a blanket consent. X Don’t use pre-ticked boxes: it should be an active opt-in. Don’t rely on implied consent. X Penalising withdrawal: do not penalise individuals who withdraw their consent. X Public authorities: take extra care to show consent has been freely given. Avoid over-reliance on consent.
  • 18. Action Points – What now? Undertake a review of the personal data held by your organisation. Identify what data is being processed on the basis of consent. Are there any other lawful bases for processing? If not, consider whether consent meets the GDPR standard. Do you need to obtain fresh GDPR-compliant consent? Ensure that there are proper procedures in place for recording consent and giving customers the right to withdraw.
  • 19. THANK YOU Please feel free to get in touch with any questions: E: asaunders@leathesprior.co.uk T: 01603 281141
  • 21. GDPR & Marketing: opportunity or threat? Tom Parsley
  • 24. With change comes new opportunities
  • 29. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.
  • 31. Personalised email (e.g. “Dear Amber – Your recommendations”): GDPR and PECR apply. Generic marketing email: only general marketing consent needed.
  • 33. 93% of online shoppers cite the security of their personal data as a concern
  • 34. If we can’t easily explain what we’re doing with personal data then we shouldn’t be doing it
  • 35. COPYWRITING ▫ Avoid personal pronouns ▫ Active voice ▫ Write in plain English ▫ Highlight the benefits ▫ Make future opt-outs clear
  • 38. THANK YOU for brands with ambition. Strategies, Technologies & Campaigns tom@selesti.com
  • 41. INTRODUCTION About me: • Worked in IT since 1998 • Nearly 20 years! • Worked at Breakwater since 2012 • Regularly see different hacks, breaches and attempts at fraud
  • 42. PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  • 45. BREACH EXAMPLES • Carphone Warehouse • Fined £400,000 in January • Records for approximately 3,348,869 customers of a number of mobile phone providers • Records for 389 customers across two other companies • Historic transaction details for the period March 2010 – April 2010 • Records of approx. 100 employees
  • 46. BREACH EXAMPLES • What is a vulnerability? A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
  • 47. BREACH EXAMPLES • Carphone Warehouse – How did they get in? • Vulnerability? • Password
  • 49. BREACH EXAMPLES • Uber • Details of 2.7 million UK drivers and riders • Details of 57 million people worldwide • Email addresses and phone numbers • US Driver license numbers
  • 50. BREACH EXAMPLES • Uber - How did they get in? • Password stored on Github • What is Github? • Cover up! • ICO Response
  • 51. BREACH EXAMPLES • Uber – ICO Response “Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.”
  • 52. BREACH EXAMPLES • Leicester City Council • Email sent to 27 different taxi firms • Accidentally included a large spreadsheet • The spreadsheet contained personal data of thousands of children
  • 53. PREVENT A BREACH • Vulnerability testing & Penetration testing • Password Management • Risk assess • Two Factor Authentication • Utilise DLP features on key documents • Data Protection training
  • 54. USEFUL LINKS • Elizabeth Denham Blog - http://bit.ly/2tcP5uA • Carphone Warehouse Monetary Penalty Notice - http://bit.ly/2oR86xs • ICO Statement on Uber Breach - http://bit.ly/2juR7y4 • BBC Article on Leicester City Council - http://bbc.in/2D3V8C9
  • 55. Refreshment Break See you back in the Auditorium at 11.00 @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  • 57. GDPR & Cyber Security GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security
  • 58. (Why) Does Cyber Security Matter? “Cyber security and data protection are inextricably linked“ CBI Cyber Security Conference, 13 September, 2017
  • 59. “Processing” Personal Data “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • 60. Cyber Security – GDPR Regulations “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” …Article 32, GDPR
  • 61. Cyber Security – GDPR in practice “A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data” ICO Website – Personal Data Breaches
  • 62. Cyber Security Fundamentals • For DATA, we use C.I.A. ▫ Confidentiality ▫ Integrity ▫ Availability • Risk based approach ▫ Understand what is critical to your business ▫ Understand the vulnerabilities and threats ▫ Assess the risks and impacts ▫ Apply controls to reduce or mitigate • For reducing risks, we consider ▫ People, Process & Technology
  • 63. Data - Where is it?
  • 64. Data – What are the threats? Malware, ransomware, viruses, worms, trojans, phishing, smishing, fire, theft, flood, hardware failure, human error, DoS attack, RATs, backdoors, corruption, insider threats, zero-day attacks, fileless malware, man-in-the-middle attacks, credential stealing, keyloggers, SQL injection, XSS, bluejacking, spear phishing, whaling. “.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” ..Article 32, GDPR
  • 66. Cyber Security / Personal Data Security “.. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” …Article 32, GDPR. Cyber Security vs Personal Data Security (GDPR): CIA / CIA; Risk based approach – DATA / Risk based approach – PERSONAL DATA; No formal requirement / Demonstrable; Incident Response Plan / Breach Response Plan
  • 67. Cyber Security – Where are you at?
  • 68. Cyber Security is a journey…
  • 69. Common Gaps: Checking backups; AV coverage; Copies of data; Cloud Security; Policies; Contracts & SLAs; Staff training; Password Management; Multi Factor Authentication; Encryption (all devices); BYOD Management; Individual User Accounts; Monitoring & Auditing; Updating Applications; Least Privilege; DOCUMENTATION!; Incident Response Plan
  • 70. If things do go wrong…. Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it
  • 71. Key Actions & Take-aways
  • 72. GDPR & Cyber Security GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security Thank You
  • 74. Workshops Workshop A - A Practical Marketing Approach to GDPR Workshop B – Appointing a Data Protection @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  • 75. @norfolkchamber #NorfolkGDPR www.slido.com #GDPR Please feel free to complete these cards which can be found in your Delegate folders, and hand them in at Reception.
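Slide 50 attributes the Uber breach to a password stored on GitHub, and slide 53 lists password management among the controls that prevent a breach. The following is an added example, not part of the slides or of any speaker's material: a minimal pre-commit style secret scanner in Python that flags credentials of the shape involved (AWS access key IDs and secret keys, hard-coded password assignments, private key headers) before they reach a repository, masking the value in its own report so the hook output does not leak it again. The `STAGED_FILES` map, the `pragma: allowlist secret` opt-out marker and all file contents are constructed for the example; the key values are fake strings of the documented format, not real credentials.

```python
"""Added example: a minimal pre-commit style secret scanner.

Not code from the slides. It shows the check that would have flagged the
failure mode behind the Uber breach on slide 50 (a credential committed
to a Git repository) before the commit was made. Everything below is
constructed for illustration: STAGED_FILES stands in for the staged
contents a real hook would read from git, and the key values are fake
strings of the documented shape, not real credentials.
"""
import re
from dataclasses import dataclass

# Rule name -> pattern. Where a pattern has a capture group, the group is
# the secret value; otherwise the whole match is. The AWS secret-key rule
# deliberately requires an assignment context so that arbitrary 40-char
# strings (git SHAs, base64 blobs) do not fire on their own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assumed opt-out marker for deliberate test fixtures; the marker is visible
# in review, so it cannot hide a secret silently.
ALLOWLIST_MARKER = "pragma: allowlist secret"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str  # the offending line with the secret masked


def _mask(line, match):
    """Return `line` with the matched secret reduced to its first 4 chars."""
    group = 1 if match.lastindex else 0
    start, end = match.span(group)
    secret = line[start:end]
    return line[:start] + secret[:4] + "*" * (len(secret) - 4) + line[end:]


def scan_text(path, text):
    """Scan one file's contents; return a Finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, rule, _mask(line, match).strip()))
    return findings


def scan_files(files):
    """`files` maps path -> contents, as a hook would build from `git show :path`."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def should_block_commit(findings):
    return bool(findings)


def run_check(files):
    """Print a masked report and return the exit status a git hook would use."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    if should_block_commit(findings):
        print("Commit blocked: remove the secret and rotate it; rewriting history is not enough once pushed.")
        return 1
    return 0


# Constructed sample of staged content (not a real repository).
STAGED_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        'DB_PASSWORD = "hunter2hunter2"\n'
    ),
    "README.md": "Run `make deploy` after exporting your credentials.\n",
    "tests/fixtures.py": "password = 'not-a-real-secret'  # pragma: allowlist secret\n",
}

if __name__ == "__main__":
    raise SystemExit(run_check(STAGED_FILES))
```

In a real hook the `files` map would be built from `git diff --cached --name-only --diff-filter=ACM` plus `git show :<path>` for each staged path, and the script installed as `.git/hooks/pre-commit` (or run from CI on every push). The rule set here is intentionally small; the design points that carry over to a maintained scanner are the assignment-context requirement that keeps the 40-character rule from firing on every git SHA, the masked snippet so the report itself is safe to paste into a ticket, and the reviewable opt-out marker rather than a hidden ignore list.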