GDPR Tech briefing and overview

Get ready for GDPR 2018
1Enterprise Online Marketing Solutions < SEO > < PPC > < Social Media > < On-Line Marketing Solutions >
Data
The world’s most valuable resource

GDPR
Don’t get caught out

Cyber Crime - UK Govt. figures
● 2.9m (46%) UK businesses
suffered from a Cyber Attack or
Breach in 2016
○ 66% between 50 - 249
employees
○ 68% - more than 249
employees
● Total cost to the economy - £29.1Bn
○ Average Cost per SME - £1,570
○ Average Cost for larger companies - £19,600

Cyber Crime - UK Govt. figures
1. Phishing - 1,299,178 businesses
2. Virus attacks - 1,288,547 businesses
3. Hacking - 1,022,781 businesses
4. Ransomware - 388,858 businesses

Why replace the Data Protection Act?
○ Online Banking
○ Comparison websites
○ Online Accounting Packages
○ Cloud Storage
○ Cloud Processing
○ Social Media
○ Recruitment Portals
○ CMS’
Huge increase in the volume of
data & the way it’s used

Why replace the Data Protection Act?
● Big changes in the way we use data
● Lots of different ways to access data

What is Data?
Personal Data - Anything that can uniquely identify an individual
● An “online identifier” - IP Address for example
● HR Records
● Customer Lists
● Contact Details
● Supplier Lists
● CCTV files
Special Categories
● Genetic Data
● Biometric Data (fingerprint, Iris scanners)

● Ethnic origin
● Political opinions
● Religious beliefs
● Health data
● Criminal Convictions
● Offenses
What is Data - ‘Special categories’ of data

Data
What have you got & what are you
gathering?

Data Audit - What Do You Already Have?

● Employee Records
● Customer Records
● Supplier Records
● Bid/Tender Records
● Contact Lists
● Marketing Lists
○ Email
○ Phone numbers
○ Mailshot
● HMRC Records
● Expired Customer Records
● Expired Supplier Records
● Recruitment Notes
● Newsletter Subscriptions
● etc…………………..
Data Audit - What Do You Already Have?

Data Audit - Where do you obtain new data?

Data Audit
Where do you keep it?

Data Audit - where do you store it?

Data Audit - How/where do you store it?
Amazon Web Services
Box
DropBox
Google Drive
Mega
One Drive
pCloud
Vimeo
YouTube
current IT systems;
portable media devices;
mobile phones;
mobile data storage ie USBs and external hard drives;
network folders;
spreadsheets (and other such static documentation);
emails and archived inboxes;
other external communications;
social media postings;
microfiche;
back-up tapes;
secure drop boxes;
web sites;

Data Audit - How/where do you store it?
Know WHERE your data is stored
Take adequate measures to protect personal data from
loss, alteration or unauthorised processing
Enter into a Data Processing Agreement with your Cloud
Provider
Ensure your Cloud Provider is GDPR complaint
Ensure you can audit their Data Processing
Ensure data is erased should you change Cloud supplier
and when people leave your platform

Data Audit - How long do you store it?
For as long as it is required
and relevant
Destruction should occur as soon as possible
after this time
a. Paper Records - securely shredded
b. Digital data - deleted, not just abandoned
c. Cloud Data - erased
and NO LONGER

Data Audit
What do you do with it?

Data Audit - What do you do with it?
Using it in any way is called Data Processing and includes
○ Payroll Processing
○ HR
○ Sales Processing
○ Order Processing
○ Contact lists
○ Marketing Lists
○ Christmas Card Lists
○ Banking Records
○ Insurance Details and Records
○ Data Mining
○ Loyalty Card Processing
○ CCTV Recording
○ etc………….

Data Audit - How is it accessed?

Data Audit - Who can access it?

Data Audit - Who can access it?
Ensure people can ONLY access files relevant to their
requirements

Control Audit - Who oversees your Data Policy and use
■ If the processing is carried out by a ‘public authority’.
■ If the ‘core activities’ require regular and systematic monitoring of
data subjects on a ‘large scale’. (e.g. Banks, insurance Companies)
■ If ‘core activities’ involve ‘large scale’ processing of ‘Special
Categories’ of personal data and/or relate to criminal convictions
and offences.
You need a Data Protection Officer

● Data Controller
Control Audit - Who oversees your Data Policy and use
Who processes (uses) your data?
● Data Processors
○ Internal and third party
○ If 3rd party, written contract REQUIRED
Who Manages your data?

Record Keeping
• Name and details of your organisation (and where applicable, of other controllers,
your representative and data protection officer).
• Purposes of the processing.
• Description of the categories of individuals and categories of personal data.
• Categories of recipients of personal data.
• Details of transfers to third countries including documentation of the transfer
mechanism safeguards in place.
• Retention schedules.
• Description of technical and organisational security measures.
You may be required to make these records available to the relevant supervisory authority for purposes
of an investigation.

Record Keeping
All businesses must provide comprehensive, clear and transparent privacy
policies
If you have more than 250 employees you also need to record activities
related to “higher risk processing” such as
• Processing Personal Data that could result in a risk to the rights and
freedoms of an individual
• Processing of “Special Categories” of data or criminal convictions and
offenses

In the event of a breach or loss of data
In the event of a loss of data -
2. Where there's a high risk to the rights and freedoms of individuals you
must notify those concerned, directly
1. You must notify your Data Protection Officer

1. Your Data Protection Officer may also need to notify the Information
Commissioner's Office -
a. Name and Contact details of DPO or other contact point
b. Description of likely consequences of the breach
c. Description of measures taken (or proposed) to deal with the personal
data breach, steps taken to mitigate any possible adverse effects and
measures to ensure that it isn’t repeated

When should notification take place?
● Affected Individuals - without undue delay
● Relevant Supervisory Authority - Within 72 hours of the organisation
becoming aware of the breach
Failure to notify
Fine up to 10m EU or 2% of global T/O

Data Audit - if it goes wrong

Data Subject Request
How do you respond to Data Subject Requests?
Requests must be fulfilled without delay and within 1 month at the latest.
● If complex or numerous, you can extend by 3 months but must inform the
individual within the 1st month as to the reason for the delay
·
There is no longer a “Subject Access Fee” that you can charge - unless
● a request is manifestly unfounded or excessive or repetitive, you can charge
● there is a request for multiple copies of the same information
Fees MUST be based on the administrative cost of providing the information

GDPR Audit Summary
● What have you already got?
● How did you get it?
● Who collects new data, how is it acquired?
● Why do you have it?
● Do you have consent to use it?
● How can it be accessed?
● Who can access it?
● How do you store it?
● How are you using it?
● How long do you need to keep it?
● How do you destroy it?
● How do you respond to “Data Subject Requests”?

GDPR Tech briefing and overview

Recommended

Recommended

More Related Content

More from Andrew Poulton

More from Andrew Poulton (20)

Recently uploaded

Recently uploaded (20)

GDPR Tech briefing and overview

Editor's Notes