
Page 1: GDPR - Network ROI

GDPR. FOUR SMALL LETTERS. ONE MASSIVE IMPACT.

networkroi.co.uk

Page 2

What is the GDPR?

A data protection game changer!

Has global reach

Legislation with teeth

Requires a risk-based approach to systems and strategies

Making organisations accountable

Long overdue

Page 3

What is the GDPR?

The EU General Data Protection Regulation, or GDPR as it’s more commonly known, comes into effect on May 25th, 2018.

The GDPR replaces the Data Protection Act 1998 and was designed to harmonise data protection laws across Europe to secure all EU subjects’ personal data and to reshape the way organisations across the region approach data protection.

Consideration has been given to new technologies, business processes and data usage that have become part of the digital economy in recent years.

If you process personal data that belongs to EU subjects, then the GDPR affects you regardless of your geographic location.

Managing data correctly is the responsibility of data controllers and data processors.

Under GDPR rules, responsibility and liability for data protection issues are assumed at board level.

Page 4

6 GDPR myths

1 - My business is an SME

2 - GDPR is all about security

3 - The ICO won’t impose large fines

4 - I have great EU customers

5 - GDPR doesn’t take effect until May

6 - I am only a data processor

Page 5

GDPR myths busted

1 - My business is an SME: this new regulation does not apply to us. FALSE

2 - GDPR is all about security: if I have robust security and encryption I will be compliant. FALSE

3 - The ICO won’t impose large fines: we are less likely to receive a large fine and more likely to get a warning. FALSE

4 - I have great EU customers: but my business is located outside Europe, so GDPR does not apply to us. FALSE

5 - GDPR doesn’t take effect until May: my organisation has plenty of time to achieve GDPR compliance. FALSE

6 - I am only a data processor: the GDPR (and the big fines) only apply to data controllers. FALSE

Page 6

6 benefits of GDPR compliance

1 - Reduce reputational risks

2 - Reduce financial risks

3 - Organise your data

4 - Build trust

5 - Reduce chaos

6 - Peace of mind

Page 7

Benefits of GDPR compliance explained

1 - Reduce reputational risks: No organisation wants to be in a position where its data breach is the subject of a newspaper headline. Having your reputation sullied is bad for business. If you are compliant with GDPR legislation, you are reducing the risk of reputational damage and protecting your organisation.

2 - Reduce financial risks: The financial risks of a data breach are far-reaching. Large fines, compensation, lost revenue and long-term reputational damage are just some of the ways data breaches resulting from GDPR non-compliance will impact organisational finances.

3 - Organise your data: Compliance with GDPR legislation means you will have to clearly identify and manage the personal data you hold. This type of data organisation carries potential advantages that include streamlining data-related processes, efficient data management and a potential long-term reduction of data management costs.

4 - Build trust: Trust is the backbone of every transaction, and as more business is conducted online it is important to take data protection seriously. Having a GDPR-first approach will offer reassurance to clients and partners.

5 - Reduce chaos: Organisations that have put timely measures and controls in place to comply with GDPR legislation will be able to avoid the chaos and business disruption that could ensue through either a data breach that is not managed correctly or a last-minute realisation that the legislation is now fully in force.

6 - Peace of mind: Knowing that your organisation is legally compliant, and that you are therefore reducing the risks of reputational damage, fines, identity theft and credit card fraud amongst others, is a huge benefit to any organisation and allows efforts to be focused on protecting and growing the business.

Page 8

6 principles of GDPR

1 - Personal information shall be processed lawfully, fairly and in a transparent manner

2 - Personal information shall be collected for specified, explicit and legitimate purposes

3 - Personal information shall be adequate, relevant and limited to what is necessary

4 - Personal information shall be accurate and, where necessary, kept up to date

5 - Personal information shall be retained only for as long as necessary

6 - Personal information shall be processed in an appropriate manner to maintain security

Page 9

Individuals’ rights

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Rights related to automated decision making

Page 10

Cyber security & GDPR

Cyber security and data protection are tightly integrated
Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties.

Technical measures
Technical measures are generally managed by the IT department and include, but are not restricted to: anti-virus, email security, firewall installation, password management tools, identity management, intrusion detection and data loss prevention.

Organisational measures
Organisational measures include: policies, processes, training and access limitations.

Page 11

Cyber security & GDPR

Encryption - at rest and in transit
Data should be encrypted wherever it is stored and/or transmitted. This includes data held on mobile devices, servers, PCs or the cloud, as well as information transmitted to remote systems.

Information security framework
Implementing an information security framework such as ISO 27001 or IASME will greatly assist with GDPR compliance and demonstrate good data protection principles.

Ignore at your peril
GDPR is happening and it’s going to affect you. We strongly advise working towards compliance in a structured manner sooner rather than later.

Page 12

Privacy by design

Impact assessment

Limit who sees data

Limit data collection

Record keeping

Limit processing

Continuous assessment

Page 13

Privacy by design explained

Data Protection Impact Assessment (DPIA): DPIAs help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

Limit who sees data: Use role-based access controls to ensure that only those individuals with a need to see data can do so.

Limit data collection: Collect only the data that you actually need to fulfil the tasks or data processing activities set out in your company privacy policy.

Record keeping: The GDPR contains explicit provisions about documenting your processing activities. You must maintain records on several things, such as processing purposes, data sharing and retention. Records must be kept in writing.

Limit processing: Data must be collected and processed for the specific purposes outlined in your company privacy policy. You must not process individuals’ data for any other unspecified purposes.

Continuous assessment: Check that you are ensuring the ongoing confidentiality, integrity and availability of your information.

Page 14

Things to do now

Take action: Become aware and take action now.

Train your staff: Roll out staff training across your organisation.

Gap analysis: Identify where you are today and where you need to be for GDPR compliance.

Assign resource: Ensure you have allocated sufficient time, budget and staff.

Create a roadmap: Create a detailed compliance roadmap with clear timelines.

DPO: Assess whether you need to appoint a Data Protection Officer.

Page 15

6 steps to GDPR compliance

Data analysis: Identify the personal data you collect and where it is stored.

Data review: Review the type of data processing you carry out, identify the legal basis for carrying it out and document it.

Privacy notice: Review your current internal and external privacy notices/policies and refresh them with the changes necessary for transparency.

Review consent: Review if and how you seek, obtain and record consent, and whether any changes are needed.

Review rights: Review how you will handle all applicable individuals’ rights.

Review agreements: Review your processor and sub-processor agreements.

Page 16

About Network ROI

Network ROI has been providing high quality and reliable managed IT support, connectivity and communications services since 2003. In that time, we’ve helped growing businesses focus on what they do best by looking after their Information Technology needs.

Our company vision is ‘empowering your business by making life with technology easier.’ This simple statement resonates with business owners and managers who don’t have the time or in-house expertise to worry about problems with their information and technology systems.

Our security-first approach to business technology ensures the information on our clients’ networks remains private. We are IASME and Cyber Essentials certified, making Network ROI the perfect choice to advise SMEs from all sectors throughout the UK on GDPR cyber security and information assurance.

Location: Network ROI Ltd Stobo House, Roslin, Midlothian EH25 9RE

Contact us: [email protected] 0131 510 3456


networkroi.co.uk @NetworkROI Network ROI Network ROI Ltd