TRANSCRIPT
Supporting you with GDPR compliance
24 January 2018
#webinarGBC
Open and close your control panel
Join audio:
• Choose Mic & Speakers to use VoIP
• Choose Telephone and dial using the information provided
Submit questions and comments via the Questions panel
Note: Today's presentation is being recorded and will be emailed to you once available
Your Participation
GoToWebinar Housekeeping: Attendee Participation
Public
Today’s Presenters
Paula Tighe, Partner, Information Governance, Wright Hassall
Pete Brown, Information Security Manager, GroupBC
Wright Hassall – approach
FLEXIBLE:
• Embrace new ideas
• Encourage collaboration
• Creative and positive thinking
• Adapt strategies to meet changing circumstances
• Accessible and accountable
AMBITIOUS:
• Create an exceptional client experience
• Challenge the status quo constructively
• Explore new ways of working
INCLUSIVE:
• Encourage diversity
• Create an environment of openness
• Work collaboratively
• Share success
• Learn from feedback
RESPECTFUL:
• Open, honest and transparent in our approach
• Value our colleagues and clients
• Seek to understand people's needs and find solutions
Key Points!
DP Bill preserves 1998 / GDPR
• Regulates processing of personal data
• 6 Principles
• ACCOUNTABILITY
• SCD / PD affirmative consent
• Data Processors – mandatory contract clauses
• Harder to process criminal records
• Codes of Practice
• Sharing / Marketing
• Cross-border data transfers
• Fair & lawful
People's Rights
• Clear, open and transparent
• Affirmative consent
• Data access
• Understand processing conditions
• Object to processing activities
• Port data
• Be forgotten
• Complain to the Information Authority
• Court proceedings
What does the DP Bill mean?
Set new standards for protecting data in accordance with GDPR
Preserve existing tailored exemptions in the law we are familiar with
Ensure businesses can support leading research/financial/journalism/legal
Framework for criminal justice /national security / intelligence agencies
Protect rights of victims, witnesses and suspects whilst managing threats
Carry out an information security review and document compliance
Deliver your awareness programme
What does the DP Bill mean?
Wider scope – unlimited fines for those guilty of a new offence under the Bill
Further obligations to delete posts / images in the case of search engines
Identifying individuals from anonymised or pseudonymised data – offence
Altering records – offence
End of pre-ticked boxes and default opt-outs on web forms
Researchers – inaccurate data archive may remain if it helps analyse decisions
Children's consent from 13 years in the UK under the Bill (16 under GDPR)
What about the Digital Economy Act?
Universal service obligation for fast broadband services
On-line IP offences maximum penalty – ten years imprisonment
Age verification for viewing on-line pornography
Public Sector data sharing
Direct marketing code
Powers for ICO to charge fees
Directors' liability
Expected compliance picture
Governance library
Mapped Data
Information Authorities
Rights Consent
Security
Training (E’s)
Accountability
DP Officer
External Trusted Adviser
Who is caught by the GDPR?
Data Controller and Processor
• Roles
• Responsibilities
• Accountabilities
Data Use and Transfers
• Controls on use, sharing and security
• Consent to process data
Territorial Scope – Applies
• EU and non-EU organisations
• Where data about data subjects who are in the EU is processed in connection with "offering goods and services" or "monitoring their behaviour"
• To organisations that are established in the EU but do not physically process data in the EU
Causes jurisdiction to be found where the separation of the two activities appears artificial
Organisation(s) not established in the EU but captured within the scope of the GDPR must:
• Designate and appoint in writing a representative in the country in which the data is processed
• Not applicable if an exemption applies, e.g.:
a) Processing takes place on an occasional basis
b) Does not include processing on a large scale
c) Does not include processing special categories
d) Organisation is a public body
e) Criminal convictions and offences
Territorial Scope – Applies
Supervisory Authority – concerned
• Supervisory Authority – independent public authority which is established by a Member State
• Supervisory Authority Concerned – is concerned by the processing of the personal data because:
- Controller or Processor is established in the territory of the Member State of that supervisory authority
- Data subjects reside in the Member State and are substantially affected, or likely to be, by the processing
- A complaint has been lodged with that supervisory authority
Governance and Accountability
• There needs to be a set of measures to identify and reduce the risk of non-compliance
• Demonstrate that data governance is being managed at the highest level and that DPOs report to the most senior management level of the organisation
• Audit trail of compliance, mitigation of risk and how implementation has led to change and mitigation
• Robust policies, procedures and standards which are embedded
Governance and Accountability
Data Protection Officer
• GDPR requires a controller or processor to determine if they need a mandatory or voluntary DPO. Mandatory:
- where core activities consist of processing operations which require "regular and systematic monitoring" of data subjects on a "large scale"
- where core activities consist of processing of special categories of data on a "large scale"
- where required under Member State law
• DPO should report to the highest management level and be supported with resources (people and money)
• Publish the identity of the DPO to the Supervisory Authority
Governance and Accountability
Training
• GDPR requires a controller or processor to ensure their DPO implements training which is appropriate
• Where there is no requirement for a mandatory DPO there is no express obligation to carry out training
Note of caution: how can you demonstrate compliance without controls and people-led training?
• Privacy by design should be at the heart of everything a controller or processor does where data subjects' data is being processed
Reporting Breaches
• Breach management procedure
• Roles, responsibilities and accountabilities
• May not be you but did you deploy your BC/DR/Cyber process – NHS Hack?
• Record your approach and findings
Governance Controls – Privacy Impact Assessment
Identify / Assess / React / Monitor
GDPR Compliance Status – Position / Plan
• Review data processors
• Map data flows
• Record Regulators
• Legal Gateways / Consent
• Retention
• Security
• RRA's
• DPO
• Training (E's)
Stage 1
Position Statement
Compliance review and report
Strategic understanding and approach
Roles and Accountabilities
Mandatory DP Officer / Office (GDPR Resources)
Strategic Message – Footprint In The Sand
Operational engagement and ownership
Steering Group
Typical GDPR Map (diagram): sensitive categories data / personal data (yes / no), life cycle, data type, mobile working, records, children's data
Data Mapping & Security and beyond data…
Evaluation
• Visualizer – business capture
• Compliance evaluator
• Integrity / quality
• Classification – type / level
• Purpose – sole / multi
Certify
• Cyber Essentials
Auditing
• Audit
• Actions
• Capture compliance: users
• Change tracker
• User support
Protection
• Electronic / paper
• Office / clear desk
• Use of data / where is data held
Database
• Data audit, filter, alerts, SIEM
• File store
• Multiple locations
Data management security assessment; regulations, auditor's requests…; security breach; management decision
Encryption
• Encryption
• Data out – data in
Governance and Accountability
Privacy Impact Assessments
• GDPR requires a controller or processor to carry out mandatory privacy impact assessments
• Where there is systematic monitoring of a publicly accessible area, or in the context of profiling on which decisions are based that produce a legal effect
• Demonstrate transparency and accountability
• Aid to identify and mitigate risk
• Support organisations in establishing their compliance obligations
• They are not a tick-box exercise
I.A.R.M - identify, assess/act, report, monitor
Protect throughout the lifecycle
Current footprint to compliance
Govern collection and processing
• Protect by applying risk-aware conditions
• Safeguard data with built-in privacy by design and security
• Rapidly respond to intrusions with built-in controls to detect and respond to data breaches
• Develop and issue governance controls (PPS)
• Issue data consent requirements (Dashboard)
• Retain and classify data for simplified compliance
• Process map of data obligations
• Easily respond to data requests, transparency and accountability requirements
• Easily discover and catalogue data sources
• Increase visibility with auditing capabilities
• Identify where PD & SC data resides – current and former paper, devices, apps and platforms
• Information authorities and scope
• Data processors and obligations
• Mandatory DPO
Stage 2
Project approach – timely and effective
• Planning and preparation
• Roles and Responsibilities
• Strategic (Directors) Accountability – leaders' accountability is paramount
• Achievable milestones based on budget and resources
Privacy Impact Assessments
• Identify processing purposes – justify and identify the data involved
• Where is the data going – provide an overview of the data sharing activities and controls
• Identify what data is being shared – determine the current state of personal and special categories of data. Are there any expected unjustified impacts on individuals?
• Examine potential data security and compliance risks – determine and agree the levels of security required
• Understand compliance objectives – gain a common understanding of the compliance objectives of mitigating the risk of non-compliance
• Create data road map – provide a prioritised and actionable checklist / roadmap, ready for legal / advisory review
• Check your legal gateways on consent – 6 gateways for personal and 12 gateways for Special Categories
Stage 3 – GDPR Compliance Position / Plan
• Review data processors
• Map data flows
• Record Regulators
• Legal Gateways / Consent
• Retention
• Security
• RRA's
• DPO
• Training (E's)
Your next steps
1. Agree
• Mandatory DP Officer
• Accountabilities
• Budget / Resources
• Message
2. Manage
• Strategic sponsor at Board / Executive
• Project milestones
• Accountability
3. Protect
• Steering Group – role and deliverables
• Steering group – deliver to ET
4. Report
• Keep required documentation, manage data requests and breach notifications
01926 884 697
© all rights reserved
Supporting you with GDPR compliance
24th January 2018
Agenda
• Keynote: The legal changes
• GroupBC Activity
• Discussion
Legal Changes – why we are here
Data Processors and Data Controllers are jointly liable for Data Protection
o Us – the supply chain
o You – the customer
o We are both liable
Need to agree the appropriate system delivery and contractual clauses to define responsibilities to deliver against GDPR.
Work to Date
1. Review of Internet
2. Review using ICO website
3. Review of GDPR
4. Creation of Feedback document
5. Creation of Treatment plan
Review of GDPR
Having been informed by other people's views, it was time to review GDPR for ourselves.
o Reviewed every clause against us as a business
o Noted those we need to provide proof of compliance to
o Result = 90
o Producing Public Treatment Document
Treatment of GDPR
Having gathered the evidence and interpreted the regulation we formed a strategy.
o To boil down all of the things we needed to do into a standard set of actions
Treatment of GDPR
We assessed ourselves as the following actors:
1. As a data controller – of our own employee data e.g. new starter form, payroll system
2. As a data controller or processor of third party data (other than through BC SaaS provision) e.g. marketing lists, CRM record storage, Freshdesk record storage
3. As a SaaS supplier – customers hold personal data and we process it – where we have joint liability e.g. implementing the appropriate cyber defence.
4. As a software development house
Treatment Identified – Employer and Controller
1. Employee consent – do we have adequate consent from all employees to hold the data we do?
2. Introduce an Information Asset Register. What data do we hold and why? Did we carry out due diligence on the supplier?
3. Carry out Impact Assessments when significant business events occur; we did one for the change of IaaS supplier, for example.
4. Update the Data Protection Policy
5. Introduce a data breach policy: what do we do, who does what.
6. Introduce a subject access policy: how do we record a request and what do we do. Incidentally, we can't charge for that now.
Treatment Identified – Marketing Organisation
1. Introduce a Direct Marketing Policy
2. Justify why we do not consider ourselves as carrying out "profiling", the automated decision making about people.
3. Update the communications matrix
4. Supplier clauses – we need to make sure our supply chain is GDPR compliant; they can't just make a claim to be.
Treatment Identified – SaaS provider
1. Standard customer contractual clauses, starting with G-Cloud.
2. SaaS platform – we need to make some changes to the software so we don't collect information we won't use.
3. Ensure that our supply chain is maintaining its certification regime.
4. Review the possible Cyber Security we can offer customers, through partners, in order that appropriate defences are in place for the data we are holding.
5. Introduce "focussed" privacy policies rather than a single generic policy, amending the web site to ensure consent is clear to respect the policies.
6. Ensure we maintain ISO 27001 certification.
7. Review the data handling policy.
Treatment Identified – Secure Development
1. Ensure we maintain our processes identified in the Secure Development Policy.
Items Identified relevant to assist customers with GDPR
o BC Platform Compliance Features
o Standard Customer Contractual Clauses
o Secure Development Policy
o GroupBC ISO 27001:2013 certification
o Data Handling Policy
o Infrastructure Provider Cyber Security Options
o Infrastructure Provider and Hosting Provider certifications
o GDPR Treatment Document
o Customer Compliance Statements will be returned
Who are We, Where are we?
GroupBC
We are a SaaS provider:
o Solely developed in the UK
o Solely hosted in the UK
No cross border data transfers
[No Patriot Act enforcement]
Customer Documents Available in May
Useful links
Video about preparing for the GDPR presented by ICO: https://vimeo.com/album/3957971/video/161056791
Guidance relating to the steps to take to prepare for GDPR: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
An ICO website containing an overview of the GDPR: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
An ICO website containing material related to Data Protection reform, mostly GDPR: https://ico.org.uk/for-organisations/data-protection-reform/
An ICO Data Protection Toolkit assessment is available here (the Information Security Toolkit is also available in the same location): https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit/
A C-Level engagement video is available: https://www.youtube.com/watch?v=vI39FRkM3DA
The GDPR in 3 mins video, suitable for a wide range of staff, is available here: https://www.youtube.com/watch?v=n5WJOncaHt4
GDPR in 1 hour – 10 things to know – the legal perspective from abroad: https://www.youtube.com/watch?v=NxgZ57BTkFQ
The GDPR: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
The European GDPR site: http://www.eugdpr.org/
Obligations on data processors: https://www.taylorwessing.com/globaldatahub/article-obligations-on-data-processors-under-gdpr.html
GDPR and Cloud: https://www.youtube.com/watch?v=1XwUwUnCeuA
GDPR and processors: https://www.youtube.com/watch?v=1EvcNn95BC4
Information about using marketing lists: https://www.scl.org/articles/3576-gdpr-the-end-for-the-marketing-list-industry
The British standard management system for personal information: https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/
Notes on GDPR from BSI: https://memberportal.bsigroup.com/premium/2017/june/live/standard-for-data-protection-revised/?utm_source=pardot&utm_medium=email&utm_campaign=SM-SUB-NEWS-MEM-Membership-MEM-1706
BSI notes on direct marketing: https://memberportal.bsigroup.com/premium/2017/may/digital-economy-act-tightens-up-regulation-of-direct-marketing/
Questions
• Please continue to submit your text questions and comments using the Questions panel
For more information, please [email protected]
Copyright ©2018 GroupBC. GroupBC is the trading name for Business Collaborator Ltd.
Disclaimer: The information shared today regarding future product features is considered confidential. Furthermore, it does not represent a commitment on the part of GroupBC to deliver the new functionality that is discussed, nor does it obligate GroupBC to deliver any new functionality within any specific timeframe.
www.groupbc.com
@GroupBC_Ltd