This document provides an overview of the General Data Protection Regulation (GDPR). It defines key terms such as personal data, data controllers, data processors, and data subject requests. It outlines the six principles of GDPR regarding transparent, specific, limited, accurate, time limited and secure processing of personal data. It discusses how GDPR applies to organizations in Europe and the UK, potential fines for non-compliance, and rights of data subjects. It also provides guidance to ASL staff on handling data subject requests and directing customers to information on ASL's GDPR compliance.
2. What Is GDPR?
• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intended to strengthen and unify data protection for all individuals within the European Union (EU).
3. The Six Principles of GDPR
The collection, storage and use of personal data should be…
Transparent, Specific, Limited, Accurate, Time limited & Secure
(In Article 5 terms: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. Article 5 also makes the controller accountable for being able to demonstrate compliance with all six.)
4. The Orders From Europe
Directives
• Require each member state to interpret the direction, then create its own laws (which has produced a lot of 'varied interpretation' across Europe)
Regulation
• Directly applicable law in every member state, with no national implementing legislation needed
Enforcement
• If breaches of the regulation are apparent, sanctions and fines can be applied
5. Timeline
Directive
• 1995 - the Data Protection Directive (95/46/EC) was introduced
Regulation
• May 2016 - the Regulation entered into force following publication in the EU Official Journal
Enforcement
• 25th May 2018 - following a two-year post-adoption grace period, the GDPR became fully enforceable throughout the European Union
6. Post Brexit
The regulation was created with a lot of input from, and the full support of, the UK Government, which committed to enforcing GDPR and wrote it into UK law through the Data Protection Act 2018.
It should be noted that non-EU countries / organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU MUST comply with the GDPR regulation, wherever the organisation itself is based.
7. Components of the Regulation
Data Subject: An identified or identifiable natural person
Data Controller: Determines the 'Purpose and Means' of the processing
Data Processor: Processes personal data on behalf of the controller
Example
Data Subject - YOU
Data Controller - ASL (holds your personal data and decides why and how it is used)
Data Processor - ADP (processes that personal data on ASL's behalf, e.g. for payroll)
8. What is Personal Data?
Personal data means 'any information' relating to a natural person who can be identified from it, either directly or indirectly.
1. Name - Trevor Clarence
2. Private email - Trevclarence123@gmail.com
3. Photograph
4. Work email - Trevor.clarence@asl-group.co.uk
5. IP Address - 67.34.252.101
6. Bank Details - 60876334-20-23-83
7. Trade Union No - 12345678
8. Biometric number - AE-17-B3-FG-4B-A3-G8
Important Note: The regulation applies to information held 'digitally' &/or on 'Paper'
Note: Company addresses, departmental emails (a shared mailbox such as sales@) and web addresses are NOT classed as personal data; a work email address containing a person's name (item 4) is.
Question: Which elements of this information are classed as 'Special Category'?
Answer: trade union membership (7) and biometric data used to uniquely identify a person (8). A photograph (3) only becomes special category biometric data when it is processed by technical means that allow unique identification, e.g. facial recognition.
9. Data Profiling
• Data Profiling is automated processing of personal data to evaluate or predict aspects of a person: searching the data with mathematical algorithms to identify trends and hidden patterns, profile customers, and then predict how these trends or customers will behave in the future.
Example profile:
Mr Data Subject
DOB: 18/01/99
Email: dsubject@gmail.com
Union Number: DS125769879uk
10. Reasons for 'holding/processing' personal data
• Contract - to meet a contractual obligation
  • We promise to deliver within 48 hours! (we will need your address)
• Legitimate interests - to fulfil a requirement the customer would reasonably expect of us
  • Your support is about to end; we want to contact you to offer the renewal
• Consent
  • Please tick this box if you want to receive information about similar products
As a business, which should be the last reason you rely on? Consent. It must be freely given, specific, and as easy to withdraw as it was to give, so any processing built on it can be stopped by the data subject at any time. Use consent only where no other lawful basis fits.
11. What rights does a Data Subject have?
• What data do you have on me? (right of access)
• What consent do you have for processing my data? (and the right to withdraw it)
• What are you doing with my data? (right to be informed)
• Where is the data held?
• Who has access to my data?
• How long will you keep my data?
• I no longer want you to keep my data (forget me!) (right to erasure)
12. Who is affected?
• Every organisation that holds or processes personal data, for example:
• Public authorities
• Schools, colleges and academies
• County & district councils
• Charities and charitable groups
• Businesses (large, medium and small) and SMEs
• Facebook, Amazon etc
• Kyocera
• ASL
13. Is it important? Is there any scaremongering?
Is it another Millennium bug?
• No: a very serious project involving a lot of people and a lot of money
• There are two tiers of administrative fines that can be levied:
  • 1) Up to €10 million, or 2% of annual global turnover, whichever is higher.
  • 2) Up to €20 million, or 4% of annual global turnover, whichever is higher.
• Which tier applies depends on the specific articles of the Regulation that the organisation has breached.
14. Top 20 ICO Fines To Date
Organisation - fine - reason - date
• Independent Inquiry into Child Sexual Abuse - £200,000 - sent a bulk email identifying possible victims of abuse - Jul-18
• Newday Limited - £230,000 - unsolicited marketing emails - Nov-18
• Barrington Claims - £250,000 - unrequested automated marketing calls - Sep-17
• Yahoo - £250,000 - 500 million user accounts compromised - Jun-18
• EasyLeads Limited - £260,000 - 16.7 million automated marketing calls - Sep-18
• Road Accident Consulting (trading as MediaTactics) - £270,000 - 22 million unsolicited personal injury calls - Mar-17
• Holmes Financial Solutions - £300,000 - 8.8 million marketing calls - Jan-18
• Brighton & Sussex University Hospitals NHS Trust - £325,000 - a contractor hired to delete personal data from PC hard drives sold the drives on eBay - Jun-12
• The Crown Prosecution Service - £325,000 - lost unencrypted DVDs of video-recorded testimony from victims of child abuse - May-18
15. Top 20 ICO Fines To Date (continued)
• Miss-Sold Products UK - £350,000 - 75 million unsolicited PPI claim calls - Jan-18
• Your Money Rights - £350,000 - 146 million unsolicited PPI claim calls - Sep-17
• Uber - £385,000 - paid off hackers who stole personal data on 2.7 million customers and neglected to tell the customers this had happened - Nov-18
• Carphone Warehouse - £400,000 - around 3 million customer records, including payment card data, lost to hackers - Jan-18
• Keurboom Communications - £400,000 - 99 million nuisance PPI calls - May-17
• TalkTalk - £400,000 - 157,000 data records lost to hackers, including bank sort codes and account numbers - Oct-16
• Equifax - £500,000 - 15 million data records lost to hackers, including name, address, bank and driving licence details - Sep-18
• Facebook - £500,000 - 87 million FB users' information shared with Cambridge Analytica - Oct-18
Note: none of the above is a GDPR fine. The breach cases were issued under the Data Protection Act 1998, which capped penalties at £500,000 (hence the identical Equifax and Facebook figures), and the nuisance call/email cases under the Privacy and Electronic Communications Regulations (PECR). The GDPR tiers in the previous slide are many times higher.
16. Is it important? Is there any scaremongering?
Do organisations need to take it seriously?
• Our customers have rights under the legislation
• Data Subject requests are a possibility: telephone calls have already been made to ASL
• What is ASL's policy?
• Requests in tenders: the 'data privacy aspects' of the contract between the customer and ASL
• What assurances can be given to the customer that ASL is fully compliant with GDPR?
17. What are ASL doing?
• Buy-in from the Board and Department Heads
• In-house project: review all processes that hold or process personal data (what data, what we do with it, where it is held, who has access, how long it is kept, etc.)
• Staff training/overview of GDPR
• Sales opportunities: sales/marketing gain interest from the customer (mail-shot, sales meetings), followed by a detailed customer review from Professional Services
• PDF with 4 sections:
  • GDPR Overview
  • How ASL can help with GDPR compliance
  • Extending GDPR compliance with Cyber Security
  • ASL's Commitment to GDPR (statement from the MD)
18. How ASL can help its customers (with the products & services supplied by ASL)
• Your printer/MFD may have an internal Hard Disk Drive (HDD) or Solid State Drive (SSD). These drives hold data and perform various functions in the processing of scanning, copying and printing (user settings, device information, image data etc.). The sensitive or confidential information stored on these drives should not leak from the MFD/printer. The protection methods include:
  • HDD/SSD encryption.
  • Automatic HDD overwrite (typically the temporary image data for each job is overwritten once the job completes, so it cannot be recovered from the drive afterwards).
• Caveat: overwriting is reliable on a spinning HDD but not on an SSD, whose wear-levelling can leave copies of data in blocks the overwrite never touches; for SSDs, rely on encryption and destroy the key when the device is decommissioned. In either case the drive must be wiped or removed before a device is returned, resold or scrapped: the Brighton & Sussex hospital fine above came from a contractor selling un-wiped drives.
19. GDPR 'gossip'
Business culture
• ICO = Information Commissioner's Office: "we want to see a business culture"
• GDPR is not a 'tick box' regulation: data protection by design and by default
• ICO: personal data protection should be a business fundamental
The fines and business drivers
• Up to 20 million euros (or 4% of annual global turnover)
• Can you respond within 1 month to a Data Subject Request? (the deadline can be extended by a further two months for complex requests, but only if the data subject is told within the first month)
Data Subject Requests
• Can be verbal, and need not mention GDPR or use the words 'subject access request'
• Know what to do if you get one!
The 'right' to complain
• If I'm not satisfied, I will report you to the ICO
DPO (Data Protection Officer)
• Must have if: public authority or body; or core activities involve large-scale, regular and systematic monitoring of individuals; or large-scale processing of special category or criminal conviction data
Is GDPR the new PPI?
• Are people mis-selling the importance of the GDPR?
• Lawyers are getting ready to support the claims
20. GDPR Key Definitions
Data Subject: An identified or identifiable natural person
Data Controller: Determines the 'Purpose and Means' of the processing
Data Processor: Processes personal data on behalf of the controller
Data Processing: Any operation performed on personal data: collection, storage, making available, use, alteration, erasure
Data Profiling: Automated processing to evaluate or predict: interests, wealth, behaviour etc
Six Principles: Transparent, Specific, Limited, Accurate, Duration (time limited), Secure
ICO: The UK's GDPR supervisory authority (currently running a public advertising campaign)
Data Breach: Loss, destruction, alteration, unauthorised disclosure of, or unauthorised access to, personal data
21. GDPR Key Staff Actions
Data Subject Request:
• Take any contact details
• Ascertain the nature of the request
• Pass this to your line manager, preferably in writing (email)
• If your line manager is unavailable: Trevor Clarence
• Do this the same day: the one-month response clock starts when ASL receives the request, not when it reaches the right person
ASL Policy Request:
• Take contact details
• Ascertain the nature of the request
• Pass this to your line manager, preferably in writing (email)
• Send a copy of the GDPR PDF document
• Steer the contact to the GDPR section of the ASL website