O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
GDPR
Conference 2018
WIFI: The Space Password: 5pac3002
Welcome
Chris Sargisson
Norfolk Chamber
@Chris_NorfolkCC
Agenda
09:30 Welcome
09:40 Alex Saunders, Leathes Prior
Tom Parsley, Selesti
John Gostling, Breakwater IT
10:30 Refreshmen...
No fire drills – Exits are marked
Toilets outside this room
Phones on silent
Feel free to tweet
House keeping
@norfolk...
www.slido.com
#GDPR
Alex Saunders
Leathes Prior
@leathesprior
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
GDPR & THE “CONSENT” MYTH
WITH
ALEX SAUNDERS
GDPR Overview
 Replaces the existing Data Protection Act 1998
 Due to come into force on 25 May 2018
 Most fundamental ...
GDPR Why is it important?
Principles Continuity
DPA 1998
Fair and lawful processing
Specific purposes
Adequate, relevant and not excessive
Accuracy
...
Lawful Processing Basis for processing
CONSENT: you can process personal data where the subject has
given consent to the p...
Lawful Processing Basis for processing (cont…)
PUBLIC TASK: you can process personal data, without consent, to
carry out y...
Lawful Processing Is “consent” always necessary?
MYTH: Consent is always necessary to process personal data
FACT: Consent ...
Consent under GDPR When is consent appropriate?
Consent may be required if you are…
 Direct marketing
 Using or sharing ...
Consent under GDPR Key changes?
DPA 1998
“any freely given specific and informed
indication of his wishes by which the dat...
Consent Practical Changes
DON’T
 Identify basis of processing
Ensure consent is the most appropriate basis for the proces...
X Don’t bundle consent
Keep separate from other terms. Don’t make it a pre-condition of signing up to a service.
X Blanket...
Action Points What now?
Undertake a review of the personal data held by your organisation
If not, consider whether consent...
THANK YOU
Please feel free to get in touch with any questions:
E: asaunders@leathesprior.co.uk
T: 01603 281141
Tom Parsley
Selesti
@Selesti
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
GDPR & Marketing: opportunity or threat?
Tom Parsley
With change comes new
opportunities
STAND
OUT
More personalised,
human engagement
Improved focus
Through consent, you can
gain insight into each
individual’s interests to provide
them with information that they
want to ...
FLYBE
FINED
Personalised email
GDPR and PECR apply
Generic marketing
email
Only general marketing consent needed
Dear Amber
Your recom...
Increased trust
93% of online shoppers cite the security of their
personal data as a concern
If we can’t easily explain
what we’re doing with
personal data then
we shouldn’t be doing it
COPYWRITING
Avoid personal pronouns
Active voice
Write in plain English
Highlight the benefits
Make future opt-outs clear
Encourages creativity
THANK
YOU
for brands with ambition.
Strategies, Technologies & Campaigns
tom@selesti.com
John Gostling
Breakwater IT
@BreakwaterIT
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
Personal Data
Breaches
WELCOME
John Gostling
Breakwater IT
13 March 2018
INTRODUCTION
About me;
• Worked in IT since 1998
• Nearly 20 years!
• Worked at Breakwater since 2012
• Regularly see diff...
PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
u...
PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
u...
PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
u...
BREACH EXAMPLES
• Carphone Warehouse
• Fined £400,000 in January
• Records for approximately 3,348,869 customers of a numb...
BREACH EXAMPLES
• What is a vulnerability?
A vulnerability is a weakness which allows an attacker to reduce a system's inf...
BREACH EXAMPLES
• Carphone Warehouse – How did they get in?
• Vulnerability?
• Password
BREACH EXAMPLES
• Carphone Warehouse – How did they get in?
• Vulnerability?
• Password
BREACH EXAMPLES
• Uber
• Details of 2.7 million UK drivers and riders
• Details of 57 million people worldwide
• Email add...
BREACH EXAMPLES
• Uber - How did they get in?
• Password stored on Github
• What is Github?
• Cover up!
• ICO Response
BREACH EXAMPLES
• Uber – ICO Response
“Uber has confirmed its data breach in October 2016 affected approximately 2.7millio...
BREACH EXAMPLES
• Leicester County Council
• Email sent to 27 different taxi firms
• Accidentally included a large spreads...
PREVENT A BREACH
• Vulnerability testing & Penetration testing
• Password Management
• Risk assess
• Two Factor Authentica...
USEFUL LINKS
• Elizabeth Denham Blog - http://bit.ly/2tcP5uA
• Carphone Warehouse Monetary Penalty Notice -
http://bit.ly/...
Refreshment
Break
See you back in the
Auditorium at 11.00
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
Darren Chapman
CyberScale
@cyberscaleuk
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
GDPR & Cyber Security
GDPR Conference 13th March, 2018
Darren Chapman
Director & Principal Security Consultant
Pragmatic I...
(Why) Does Cyber Security Matter?
“Cyber security and data protection are inextricably linked“
CBI Cyber Security Conferen...
“Processing” Personal Data
“Processing” means any operation or set of operations which is performed on
personal data or on...
Cyber Security – GDPR Regulations
“the controller and the processor shall
implement appropriate technical and
organisation...
Cyber Security – GDPR in practice
“A personal data breach can be broadly
defined as a security incident that has
affected ...
Cyber Security Fundamentals
• For DATA, we use C.I.A.
▫ Confidentiality
▫ Integrity
▫ Availability
• Risk based approach
▫...
Data - Where is it?
Data – What are the threats?
Malware Ransomware Viruses Worms Trojans Phishing Smishing
Fire Theft Flood
Hardware
failure
...
Cyber Security Frameworks
Cyber Security Personal Data Security
“.. the ability to ensure the ongoing
confidentiality, integrity, availability and
r...
Cyber Security – Where are you at?
Cyber Security is a journey…
Common Gaps
Checking backups AV coverage Copies of data Cloud Security Policies
Contracts & SLA’s Staff training
Password
...
If things do go wrong….
Under the GDPR there is a
requirement for organisations to
report a personal data breach that
affe...
Key Actions & Take-aways
GDPR & Cyber Security
GDPR Conference 13th March, 2018
Darren Chapman
Director & Principal Security Consultant
Pragmatic I...
Speaker Q+A
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
Workshops
Workshop A -
A Practical Marketing Approach
to GDPR
Workshop B – Appointing a
Data Protection
@norfolkchamber #N...
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
Please feel free to complete these cards which
can be found in your Deleg...
Thank you #GDPRConf18
GDPR Presentation slides
GDPR Presentation slides
GDPR Presentation slides
GDPR Presentation slides
Próximos SlideShares
Carregando em…5
×

GDPR Presentation slides

Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heared from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.

  • Seja o primeiro a comentar

GDPR Presentation slides

  1. 1. GDPR Conference 2018 WIFI: The Space Password: 5pac3002
  2. 2. Welcome Chris Sargisson Norfolk Chamber @Chris_NorfolkCC
  3. 3. Agenda 09:30 Welcome 09:40 Alex Saunders, Leathes Prior Tom Parsley, Selesti John Gostling, Breakwater IT 10:30 Refreshment Break & Exhibition Darren Chapman, CyberScale Panel Q&A 11:45 Host close 12.00 Free networking, light refreshments & speaker drop-in 12.15 Optional workshops 13.00 Event close
  4. 4. No fire drills – Exits are marked Toilets outside this room Phones on silent Feel free to tweet House keeping @norfolkchamber #NorfolkGDPR WIFI: The Space Password: 5pac3002
  5. 5. www.slido.com #GDPR
  6. 6. Alex Saunders Leathes Prior @leathesprior @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  7. 7. GDPR & THE “CONSENT” MYTH WITH ALEX SAUNDERS
  8. 8. GDPR Overview  Replaces the existing Data Protection Act 1998  Due to come into force on 25 May 2018  Most fundamental change to data protection law in almost 20 years?  Covers the use of “personal data” – any information that can identify a living individual  Introduces various key new concepts and expands on existing concepts  Applies to:  Organisations operating within EU  Non-EU organisations offering goods/services within the EU  Enforced in UK by Information Commissioner’s Office (“ICO”)  Impact of Brexit?
  9. 9. GDPR Why is it important?
  10. 10. Principles Continuity DPA 1998 Fair and lawful processing Specific purposes Adequate, relevant and not excessive Accuracy Retain only as long as necessary Respect data subjects’ rights Security Transfers outside EEA GDPR Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality (See lawfulness above)
  11. 11. Lawful Processing Basis for processing CONSENT: you can process personal data where the subject has given consent to the processing for one or more specified purpose CONTRACT WITH INDIVIDUAL: you can process personal data, without consent, where required under a contract with the data subject  E.g. employment contract, contract for sale of goods or services VITAL INTERESTS: you can process personal data, without consent, if it’s necessary to protect someone’s life
  12. 12. Lawful Processing Basis for processing (cont…) PUBLIC TASK: you can process personal data, without consent, to carry out your official functions or a task in the public interest – and where you have a legal basis for the processing under UK law  If public authority, likely to apply to most of your processing activities LEGITIMATE INTEREST: you can process personal data, without consent, if you have a genuine and legitimate reason to do so  Legitimate interest can be for commercial benefit  GDPR recitals – direct marketing could be a legitimate interest  BUT exception if your interests are outweighed by harm to the individual’s rights and interests
  13. 13. Lawful Processing Is “consent” always necessary? MYTH: Consent is always necessary to process personal data FACT: Consent is one way to comply with the GDPR, not the only way  “Consent” is only one of six lawful basis for processing personal data  Organisations will need to identify on which ground they are processing personal data Will only be appropriate to use consent where other grounds do not apply
  14. 14. Consent under GDPR When is consent appropriate? Consent may be required if you are…  Direct marketing  Using or sharing personal data in a way that is potentially intrusive or unusual – e.g. selling database  Transferring personal data outside the EEA Consent will not be appropriate if…  You are in a position of power over the individual (employer)  Consent is a pre-condition of using the service  You would still process personal data using a different basis even if consent was withdrawn
  15. 15. Consent under GDPR Key changes? DPA 1998 “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” GDPR “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent” GDPR sets a higher standard for obtaining consent
  16. 16. Consent Practical Changes DON’T  Identify basis of processing Ensure consent is the most appropriate basis for the processing. Any other grounds?  Clear and plain language Use language that is easy to understand when obtaining consent. Avoid legal jargon!  Third parties Give details of any third parties who will be relying on the consent.  Keep records Who gave consent? When and how was consent given? Review consents regularly.  Withdrawal Make withdrawal of consent straightforward and simple. Same method as given. DO
  17. 17. X Don’t bundle consent Keep separate from other terms. Don’t make it a pre-condition of signing up to a service. X Blanket consent Get separate consent for separate things where possible. Do not rely on a blanket consent X Don’t use pre-ticked boxes It should be an active opt-in. Don’t rely on implied consent. X Penalising withdrawal Do not penalise individuals who withdraw their consent. X Public authorities Take extra care to show consent has been freely given. Avoid over-reliance on consent. Consent Practical Changes DON’T
  18. 18. Action Points What now? Undertake a review of the personal data held by your organisation If not, consider whether consent meets the GDPR standard. Do you need to obtain fresh GDPR-compliant consent? Identify what data is being processed on the basis of consent. Are there any other lawful basis for processing? Ensure that there are proper procedures in place for recording consent and giving customers the right to withdraw
  19. 19. THANK YOU Please feel free to get in touch with any questions: E: asaunders@leathesprior.co.uk T: 01603 281141
  20. 20. Tom Parsley Selesti @Selesti @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  21. 21. GDPR & Marketing: opportunity or threat? Tom Parsley
  22. 22. With change comes new opportunities
  23. 23. STAND OUT
  24. 24. More personalised, human engagement
  25. 25. Improved focus
  26. 26. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.
  27. 27. FLYBE FINED
  28. 28. Personalised email GDPR and PECR apply Generic marketing email Only general marketing consent needed Dear Amber Your recommendations
  29. 29. Increased trust
  30. 30. 93% of online shoppers cite the security of their personal data as a concern
  31. 31. If we can’t easily explain what we’re doing with personal data then we shouldn’t be doing it
  32. 32. COPYWRITING Avoid personal pronouns Active voice Write in plain English Highlight the benefits Make future opt-outs clear
  33. 33. Encourages creativity
  34. 34. THANK YOU for brands with ambition. Strategies, Technologies & Campaigns tom@selesti.com
  35. 35. John Gostling Breakwater IT @BreakwaterIT @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  36. 36. Personal Data Breaches WELCOME John Gostling Breakwater IT 13 March 2018
  37. 37. INTRODUCTION About me; • Worked in IT since 1998 • Nearly 20 years! • Worked at Breakwater since 2012 • Regularly see different hacks, breaches and attempts at fraud
  38. 38. PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  39. 39. PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  40. 40. PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  41. 41. BREACH EXAMPLES • Carphone Warehouse • Fined £400,000 in January • Records for approximately 3,348,869 customers of a number of mobile phone providers • Records for 389 customers across two other companies • Historic transaction details for the period March 2010 – April 2010 • Records of approx. 100 employees
  42. 42. BREACH EXAMPLES • What is a vulnerability? A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
  43. 43. BREACH EXAMPLES • Carphone Warehouse – How did they get in? • Vulnerability? • Password
  44. 44. BREACH EXAMPLES • Carphone Warehouse – How did they get in? • Vulnerability? • Password
  45. 45. BREACH EXAMPLES • Uber • Details of 2.7 million UK drivers and riders • Details of 57 million people worldwide • Email addresses and phone numbers • US Driver license numbers
  46. 46. BREACH EXAMPLES • Uber - How did they get in? • Password stored on Github • What is Github? • Cover up! • ICO Response
  47. 47. BREACH EXAMPLES • Uber – ICO Response “Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.”
  48. 48. BREACH EXAMPLES • Leicester County Council • Email sent to 27 different taxi firms • Accidentally included a large spreadsheet • The spreadsheet contained personal data of thousands of children
  49. 49. PREVENT A BREACH • Vulnerability testing & Penetration testing • Password Management • Risk assess • Two Factor Authentication • Utilise DLP features on key documents • Data Protection training
  50. 50. USEFUL LINKS • Elizabeth Denham Blog - http://bit.ly/2tcP5uA • Carphone Warehouse Monetary Penalty Notice - http://bit.ly/2oR86xs • ICO Statement on Uber Breach - http://bit.ly/2juR7y4 • BBC Article on Leicester City Council - http://bbc.in/2D3V8C9
  51. 51. Refreshment Break See you back in the Auditorium at 11.00 @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  52. 52. Darren Chapman CyberScale @cyberscaleuk @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  53. 53. GDPR & Cyber Security GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security
  54. 54. (Why) Does Cyber Security Matter? “Cyber security and data protection are inextricably linked“ CBI Cyber Security Conference, 13 September, 2017
  55. 55. “Processing” Personal Data “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  56. 56. Cyber Security – GDPR Regulations “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” …Article 32, GDPR
  57. 57. Cyber Security – GDPR in practice “A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data” ICO Website – Personal Data Breaches
  58. 58. Cyber Security Fundamentals • For DATA, we use C.I.A. ▫ Confidentiality ▫ Integrity ▫ Availability • Risk based approach ▫ Understand what is critical to your business ▫ Understand the vulnerabilities and threats ▫ Assess the risks and impacts ▫ Apply controls to reduce or mitigate • For reducing risks, we consider ▫ People, Process & Technology
  59. 59. Data - Where is it?
  60. 60. Data – What are the threats? Malware Ransomware Viruses Worms Trojans Phishing Smishing Fire Theft Flood Hardware failure Human error DOS Attack RAT’s Backdoors Corruption Insider threats Zero day attacks Fileless Malware Man in the middle attacks Credential stealing Keyloggers SQL Injection XSS Bluejacking Spear Phishing Whaling “.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” ..Article 32, GDPR
  61. 61. Cyber Security Frameworks
  62. 62. Cyber Security Personal Data Security “.. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” …Article 32, GDPR Cyber Security Personal Data Security (GDPR) CIA CIA Risk Based Approach - DATA Risk based Approach – PERSONAL DATA No formal requirement Demonstrable Incident Response Plan Breach Response Plan
  63. 63. Cyber Security – Where are you at?
  64. 64. Cyber Security is a journey…
  65. 65. Common Gaps Checking backups AV coverage Copies of data Cloud Security Policies Contracts & SLA’s Staff training Password Management Multi Factor Authentication Encryption (All Devices) BYOD Management Individual User Accounts Monitoring & Auditing Updating Applications Least Privilege DOCUMENTATION! Incident Response Plan
  66. 66. If things do go wrong…. Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it
  67. 67. Key Actions & Take-aways
  68. 68. GDPR & Cyber Security GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security Thank You
  69. 69. Speaker Q+A @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  70. 70. Workshops Workshop A - A Practical Marketing Approach to GDPR Workshop B – Appointing a Data Protection @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  71. 71. @norfolkchamber #NorfolkGDPR www.slido.com #GDPR Please feel free to complete these cards which can be found in your Delegate folders, and hand them in at Reception.
  72. 72. Thank you #GDPRConf18

×