GDPR - Network ROI
GDPR: FOUR SMALL LETTERS. ONE MASSIVE IMPACT.
What is the GDPR?
A data protection game changer!
- Has global reach
- Legislation with teeth
- Requires a risk-based approach to systems and strategies
- Making organisations accountable
- Long overdue
The EU General Data Protection Regulation, or GDPR as it’s more commonly known, comes into effect on May 25th, 2018.
The GDPR replaces the Data Protection Act 1998 and was designed to harmonise data protection laws across Europe to secure all EU subjects’ personal data and to reshape the way organisations across the region approach data protection.
Consideration has been given to new technologies, business processes and data usage that have become part of the digital economy in recent years.
If you process personal data that belongs to EU subjects, then the GDPR affects you regardless of your geographic location.
Managing data correctly is the responsibility of data controllers and data processors.
Under GDPR rules, responsibility and liability for data protection issues sit at board level.
6 GDPR myths
- I am only a data processor
- GDPR doesn’t take effect until May
- I have great EU customers
- My business is an SME
- GDPR is all about security
- The ICO won’t impose large fines
GDPR myths busted
1 - My business is an SME: this new regulation does not apply to us. FALSE
2 - GDPR is all about security: if I have robust security and encryption I will be compliant. FALSE
3 - The ICO won’t impose large fines: we are less likely to receive a large fine and more likely to get a warning. FALSE
4 - I have great EU customers, but my business is located outside Europe so GDPR does not apply to us. FALSE
5 - GDPR doesn’t take effect until May: my organisation has plenty of time to achieve GDPR compliance. FALSE
6 - I am only a data processor: the GDPR (and the big fines) only apply to data controllers. FALSE
6 benefits of GDPR compliance
- Reduce reputational risks
- Reduce financial risks
- Organise your data
- Build trust
- Reduce chaos
- Peace of mind
Benefits of GDPR compliance explained
1 - Reduce reputational risks: No organisation wants to be in a position where its data breach is the subject of a newspaper headline. Having your reputation sullied is bad for business. If you are compliant with GDPR legislation, you are reducing the risk of reputational damage and protecting your organisation.
2 - Reduce financial risks: The financial risks of a data breach are far-reaching. Large fines, compensation, lost revenue and long-term reputational damage are just some of the ways data breaches resulting from GDPR non-compliance will impact organisational finances.
3 - Organise your data: Compliance with GDPR legislation means you will have to clearly identify and manage the personal data you hold. This type of data organisation carries potential advantages that include streamlining data-related processes, efficient data management and a potential long-term reduction of data management costs.
4 - Build trust: Trust is the backbone of every transaction and, as more business is conducted online, it is important to take data protection seriously. Having a GDPR-first approach will offer reassurance to clients and partners.
5 - Reduce chaos: Organisations that have put timely measures and controls in place to comply with GDPR legislation will be able to avoid the chaos and business disruption that could ensue from either a data breach that is not managed correctly or a last-minute realisation that the legislation is now fully in force.
6 - Peace of mind: Knowing that your organisation is legally compliant, and that you are therefore reducing the risks of reputational damage, fines, identity theft and credit card fraud amongst others, is a huge benefit to any organisation and allows efforts to be focused on protecting and growing the business.
6 principles of GDPR
1 - Personal information shall be processed lawfully, fairly and in a transparent manner
2 - Personal information shall be collected for specified, explicit and legitimate purposes
3 - Personal information shall be adequate, relevant and limited to what is necessary
4 - Personal information shall be accurate and, where necessary, kept up-to-date
5 - Personal information shall be retained only for as long as necessary
6 - Personal information shall be processed in an appropriate manner to maintain security
Individuals’ rights
- The right to be informed
- The right of access
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to rectification
- The right to object
- Rights related to automated decision making
Cyber security & GDPR
Cyber security and data protection are tightly integrated.
- Technical measures
- Organisational measures
Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorized third parties.
Technical measures are generally managed by the IT department and include, but are not restricted to: anti-virus, email security, firewalls, password management tools, identity management, intrusion detection and data loss prevention.
Organisational measures include: policies, processes, training and access limitations.
Cyber security & GDPR
Encryption - at rest and in transit: Data should be encrypted wherever it is stored and/or transmitted. This includes data held on mobile devices, servers, PCs or the cloud as well as information transmitted to remote systems.
Information security framework: Implementing an information security framework such as ISO 27001 or IASME will greatly assist with GDPR compliance and demonstrate good data protection principles.
Ignore at your peril: GDPR is happening and it’s going to affect you. We strongly advise working towards compliance in a structured manner sooner rather than later.
Privacy by design
- Impact assessment
- Limit who sees data
- Limit data collection
- Record keeping
- Limit processing
- Continuous assessment
Privacy by design explained
Data Protection Impact Assessment (DPIA): DPIAs help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
Limit who sees data: Use role-based access controls to ensure that only those individuals with a need to see data can do so.
Limit data collection: Collect only the data that you actually need to fulfil the tasks or data processing activities set out in your company privacy policy.
Record keeping: The GDPR contains explicit provisions about documenting your processing activities. You must maintain records on several things, such as processing purposes, data sharing and retention. Records must be kept in writing.
Limit processing: Data must be collected and processed only for the specific purposes outlined in your company privacy policy. You must not process individuals’ data for any other unspecified purposes.
Continuous assessment: Check that you are ensuring the ongoing confidentiality, integrity and availability of your information.
Things to do now
Take action: Become aware and take action now.
Train your staff: Roll out staff training across your organisation.
Gap analysis: Identify where you are today and where you need to be for GDPR compliance.
Assign resource: Ensure you have allocated sufficient time, budget and staff.
Create a roadmap: Create a detailed compliance roadmap with clear timelines.
DPO: Assess whether you need to appoint a Data Protection Officer.
6 steps to GDPR compliance
1 - Data analysis: Identify the personal data you collect and where it is stored.
2 - Data review: Review the type of data processing you carry out, identify the legal basis for carrying it out and document it.
3 - Privacy notice: Review your current internal and external privacy notices/policies and refresh them with the changes necessary for transparency.
4 - Review consent: Review if and how you seek, obtain and record consent and whether any changes are needed.
5 - Review rights: Review how you will handle all applicable individuals’ rights.
6 - Review agreements: Review your processor and sub-processor agreements.
About Network ROI
Network ROI has been providing high quality and reliable managed IT support, connectivity and communications services since 2003. In that time, we’ve helped growing businesses focus on what they do best by looking after their Information Technology needs.
Our company vision is ‘empowering your business by making life with technology easier.’ This simple statement resonates with business owners and managers who don’t have the time or in-house expertise to worry about problems with their information and technology systems.
Our security-first approach to business technology ensures the information on our clients’ networks remains private. We are IASME and Cyber Essentials certified, making Network ROI the perfect choice to advise SMEs from all sectors throughout the UK on GDPR cyber security and information assurance.
Location: Network ROI Ltd Stobo House, Roslin, Midlothian EH25 9RE
Contact us: [email protected] 0131 510 3456
networkroi.co.uk | @NetworkROI