General Data Protection Regulation (GDPR) Are you ready? Jennifer Ryan - Data Protection Officer Sara McAneney – IT Security Officer 9 th November 2017


Page 1:

General Data Protection Regulation (GDPR) – Are you ready?

Jennifer Ryan - Data Protection Officer

Sara McAneney – IT Security Officer

9th November 2017

Page 3:

There are no magic wands!

Page 4:

A snapshot of GDPR

Principles

– Lawful Processing

– Purpose Limitation

– Transparency

– Consent

– Retention

– Minimisation

– Sensitive personal data

– Children’s data

New & Enhanced Rights

– Transparency & Notification

– Access

– Erasure

– Rectification

– Portability

– Profiling

– Automated decisions

Responsibilities

– Data Processors

– Data Transfers

– Data Breach Reports

– Data Protection by Design

– DPIAs

– DPO

– Penalties

Page 5:

“Accountability is at the centre of all this: of getting it right today, getting it right in May 2018, and getting it right beyond that.”

Page 6:

GDPR – Who owns it?

‒ There are many elements to GDPR and it can seem overwhelming; however, with a collaborative approach, compliance is achievable.

‒ GDPR preparation requires effort across your entire organisation.

‒ Put your governance committees in place and engage and influence the right people in IT, Legal, Risk, Records Management, DPO, Faculties & Support Services.

Page 7:

TCD Data Protection Working Party

Dean of Research

College Solicitor

IT Security Officer

Data Protection Officer

College Secretary

Nominee from Library and Information Policy Committee

Nominee from the School of Law

Director of Student Services

Director of HR

Director of Academic Registry

Director of Alumni & Development

Librarian

Director of Commercial Revenue

President of the Graduate Students’ Union

Page 8:

Trinity College Dublin, The University of Dublin

DPO

Page 9:

GDPR - Appoint your DPO

– Refer to the Data Protection Commissioner and Article 29 Working Party guidance.

– DPO skillset should align with your priorities but they must be able to see the bigger picture.

– A combined understanding of data protection from a legal, risk, technical and security perspective.

– Give them access to the resources they need.

Page 10:

GDPR – Get to know your data

What do we collect, maintain, store, share, retain, delete?

Why?

Where is it? Who else has it?

How long do we keep it?

Page 11:

GDPR – Get to know your data

– How does data flow in, out and through your organisation? Document and map it.

– Who accesses it, who is it shared with, how is it stored, how long is it kept, is it secure?

– Identify your legal basis for processing – consent, contract etc.

– Identify your sensitive data hotspots and high risk processing.

Page 12:

Personal Data Processing Inventory

Page 13:

GDPR – Review your documents

– Update your Privacy Statement - this defines your organisation's approach to personal data.

– Demonstrate fair processing and transparency – no surprises.

– CLEAR AND PLAIN ENGLISH.

– Update your policy documents.

– Review and update data processing agreements.

Page 14:

GDPR – Transparency

Page 15:

GDPR – Communicate

– Training, training, training – the freedom within the higher education environment implies individuals must take responsibility.

– Awareness campaign and online training modules.

– Everyone in your organisation needs to know what their responsibilities are and who they should contact if they have questions.

– Share ideas - GDPR University Group meetings.

Page 16:

People

Process

Technology

Page 17:

GDPR – IT Services Responsibilities

1. Document Data Processing

2. Data Processor Compliance

3. Enterprise IT Security Controls

4. Provision of Compliant Services

5. Training & Advice

Page 18:

GDPR – Accountability Principle Article 5(2)

Maintain relevant documentation on processing activities.

Implement measures that meet the principles of data protection by design and by default - Data Minimisation; Pseudonymising Data

Use data protection impact assessments where appropriate.
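The two "by design and by default" measures named on this slide, data minimisation and pseudonymisation, are easiest to see on the log files that IT Services processes. The following Python is an added example, not code from the presentation or from Trinity College Dublin: it takes constructed authentication log records, keeps only the fields needed for the stated purpose (minimisation), and replaces the direct identifiers with keyed HMAC-SHA256 tokens (pseudonymisation). The field names, the retained-field allowlist and the demo key are all assumptions made for the illustration. A keyed HMAC is used rather than a plain hash because usernames, e-mail addresses and IPv4 addresses have little entropy, so an unkeyed hash of them could be reversed by anyone who can enumerate the input space; with HMAC the mapping can only be recomputed by whoever holds the key, which is what keeps the data pseudonymous rather than anonymous and is why that key needs its own access control and retention decision.

```python
import hmac
import hashlib
import json

# Constructed sample log records for the demonstration (not real data);
# the field names are assumptions, not a format used by the presentation.
SAMPLE_RECORDS = [
    {"ts": "2017-11-09T10:15:02Z", "user": "jbloggs", "email": "jbloggs@example.edu",
     "src_ip": "10.20.30.40", "action": "login", "result": "ok", "user_agent": "Mozilla/5.0"},
    {"ts": "2017-11-09T10:16:45Z", "user": "jbloggs", "email": "jbloggs@example.edu",
     "src_ip": "10.20.30.40", "action": "download", "result": "ok", "user_agent": "Mozilla/5.0"},
    {"ts": "2017-11-09T10:17:10Z", "user": "asmith", "email": "asmith@example.edu",
     "src_ip": "10.20.30.41", "action": "login", "result": "fail", "user_agent": "curl/7.55"},
]

# Fields that directly identify a person; these are pseudonymised before the
# record leaves the controlled system.
IDENTIFIER_FIELDS = ("user", "email", "src_ip")

# Data minimisation: only the fields needed for the assumed purpose
# (monitoring authentication events) are kept; everything else is dropped.
RETAINED_FIELDS = ("ts", "user", "src_ip", "action", "result")


def pseudonymise_value(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Return a keyed, deterministic token for `value`.

    HMAC-SHA256 under a secret key: the same identifier always maps to the
    same token, so activity can still be correlated, but nobody without the
    key can recompute the mapping. The field name is mixed into the message
    so that a username and an e-mail address never share a token space.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def minimise_and_pseudonymise(record: dict, key: bytes) -> dict:
    """Apply the allowlist, then tokenise the identifiers that survive it."""
    out = {}
    for field in RETAINED_FIELDS:
        if field not in record:
            continue
        value = record[field]
        if field in IDENTIFIER_FIELDS:
            out[field] = pseudonymise_value(key, field, value)
        else:
            out[field] = value
    return out


def process_records(records, key: bytes):
    return [minimise_and_pseudonymise(r, key) for r in records]


def count_failed_logins_per_user(processed):
    """Security analysis still works on tokens: failed logins per pseudonym."""
    counts = {}
    for r in processed:
        if r["action"] == "login" and r["result"] == "fail":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    # In practice the key comes from a secrets store with its own access
    # control and rotation; this constant is a constructed placeholder.
    demo_key = b"placeholder-secret-key-rotate-me"
    processed = process_records(SAMPLE_RECORDS, demo_key)
    for row in processed:
        print(json.dumps(row))
    print(count_failed_logins_per_user(processed))
```

Rotating the key breaks correlation with earlier tokens, which is a feature if the retention schedule says older activity should no longer be linkable, and a problem if an investigation needs to join old and new records; the retention schedule on the records of processing should state which it is.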

Page 19:

Document Data Processing

Statements of the information you collect and process, and the purpose for processing (Article 13 of the GDPR).

Business Systems - In house and cloud hosted

• Student System, VLE, HR System, Finance System,

• Document/DPIA in partnership with Business Areas

IT Services Data Processing

• Service Desk Information Systems

• Web forms

• Office 365

• Supporting systems: AD, DNS, IDM, Wi-Fi

• Many, many Log Files

Page 20:

Document Data Processing – Data Processing Records

• Purposes of the processing.

• Description of the categories of individuals and personal data.

• Categories of recipients of personal data.

• Details of transfers to third countries.

• Retention schedules.

• Description of technical and organisational security measures.

Page 21:

Document Data Processing

• DPIAs are legally mandatory where applicable from May 2018

• Article 29 Working Party strongly recommends DPIAs for all high risk operations prior to this date

Data Protection Impact Assessment

• Description of data processing

• Assessment of necessity and proportionality

• Measures to demonstrate compliance

• Assessment of risks to the rights and freedoms

• Measures to address the risks

• Documentation

• Monitoring and review

Page 22:

Data Processors Compliance

"Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…"

"Processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Page 23:

Data Processors - TCD

Page 24:

Data Processor Compliance

• Controller has an obligation to ensure that the processor has provided sufficient guarantees to implement technical and organisational measures that meet the requirements of the GDPR

• Due diligence

• Contracts – data processing agreements

• Security policies/certifications/audits

• Breach notification process

Page 25:

Data Processor Compliance

Must keep records of processing, demonstrate appropriate technical and organisational controls

Data subjects may enforce rights directly against Data Processors

Non-compliant Data Processor open to legal action from Data Controllers and Data Subjects and sanctions from the Regulator – i.e. fines.

Page 26:

Enterprise IT Controls - Supporting the Security of Personal data

Mobile Devices

Network Perimeter

Applications

Databases

PCs

Data

Page 27:

Enterprise IT Controls - 2017

External Cyber Security Audit

Significant Security Breach

Ransomware threat – WannaCry etc.

GDPR Preparation

Page 28:

Enterprise IT Controls

Program of Security Enhancements 2018

• Firewall upgrade

• IPS technology

• Multifactor authentication in Office 365

• End point security enhancements

• Malware filtering

• Mobile device encryption

Page 29:

Provision of Compliant Services - Supporting Day-to-Day Processing

Laptops & Mobile Devices

Secure Network Storage

Secure Applications

Microsoft Teams, SharePoint, OneDrive, Dropbox for Business

Storage – Processing – Sharing - Collaboration

Page 30:

Training - IT Security


Page 32:

Training – Phishing Simulations

• Number of phishing emails sent: 6026

• Recipients who opened the email: 902

• Recipients who opened the attachment & enabled macros: 52

Page 33:

Training - GDPR training for IT Staff

General Advice and Guidance

Managers

Service Desk

Support Analysts

Project Managers

Developers

Page 34:

Challenges

• Diverse organisation – Teaching – Research – Administration – Campus Companies

• Large volumes of data

• Variable IT skills

• Lack of IT Security Awareness

• Shadow IT

Page 35:

Are you ready?

Page 36:

Questions?