GENERAL DATA PROTECTION REGULATION
www.integrateagency.co.uk
GDPR Fundamentals and Principles
#CyberSafeLambeth | @IntegrateUK
ICO, Controllers, Processors & Subjects
Processing: obtaining, recording, storing, accessing, transmitting, disclosing, sharing, using, consultation, manipulating etc.
Information Commissioner's Office (ICO): the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It regulates, audits, investigates, issues penalties and fines etc.
Data Controller: any entity (i.e. organisation, person etc.) which determines the manner and purpose for which personal data is processed.
Data Processor: service providers and other group companies who provide a service using personal data on behalf of a Data Controller.
Data Subject: staff, students, learners, suppliers, consultants, agents etc.
Overview
Where Does It Come From? ‘How do we collect data’
What Do We Do With It? ‘How do we process and store data’
Where Does It Go? ‘Who do we share data with’
GDPR Article Flow
Article 24 – Responsibility of the Controller; consider:
Article 6 – Lawfulness of Processing
Article 7 – Condition for Consent
Article 6 – Contract
Rights of the Data Subject:
Article 12 - Transparent information
Article 13 – Information to Be Provided (Privacy Statement)
Article 14 – Information to be Provided
Article 15 – Right of Access
Article 16 – Right to rectification
Article 17 – Right of Erasure ‘To Be Forgotten’
Article 18 – Right to Restriction of Processing
Article 19 – Notification Obligation
Article 20 – Right to Data Portability
Article 21 – Right to Object
Article 22 – Automated Decision Making & Profiling
Article 9 – Special Categories; consider:
Point of Data Capture
Data Type
Data Storage & Processing
Article 32 - Security of processing
Article 35 - Privacy Impact Assessment
Article 25 - Privacy by Design / Default
Processor: Article 28 - Processor; consider:
Hosted
On Premise
Article 13 – Privacy Statement
GDPR Article Flow: Evidence
Article 5 (2): ‘The controller shall be responsible for, and be able to demonstrate compliance’
Article 30: ‘Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility’
GDPR Content Breakdown
173 Recitals of explanatory text
11 chapters covering 99 Articles:
General provisions
Data protection principles
Rights of the data subject
Obligations on controllers and processors
Transfer of personal data to third countries or international organisations
Independent supervisory authorities
Cooperation and consistency between member states
Remedies, liability and penalties
Provisions relating to specific processing situations
General Provisions
Article 5 (2): “The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The onus is on data controllers and processors to demonstrate compliance:
Review all contracts
Review Privacy Statement (web and paper)
Joint responsibility throughout the supply chain
Both must have robust security measures, regularly tested and certified
Processors must report breaches to controllers and must assist with investigations
Both could be subject to penalties.
Principles
Personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, (‘accuracy’);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5
Lawfulness of Processing (Article 6)
a. Consent
b. Contract
c. Legal Obligation
d. Vital Interests
e. Public interest
f. Legitimate interests
Rights of the Data Subject
“You were involved in a road traffic accident in the last 2 years”
Privacy procedures – What changes are needed?
There is no one-size-fits-all: the content of these procedures should be based on an organisation's processing operations and current risk processes and procedures.
You will need to consider how these requirements will be met in the HR context and document the measures taken to ensure compliance in each case.
The GDPR introduces new privacy concepts and requirements, for example:
1. Privacy by design and default
2. DPIAs
3. New data subject rights
4. Mandatory breach notification
Data Subject Rights
Privacy Information (Articles 13 and 14)
Access (Article 15)
Rectification (Article 16)
Erasure (right to be forgotten) (Article 17)
Restrict Processing (Article 18)
Data Portability (Article 20)
Object to Processing (Article 21)
Automated decisions and/or profiling (Article 22)
Rights of the Data Subject
Right of Access (Article 15)
The right exists now, but the response time is reduced to 1 month, down from 40 days; it can be extended if the request is complex.
Can no longer charge £10 for processing, but can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Responses must provide context as to why the data is held.
Rights of the Data Subject
Right to Rectification (Article 16)
Must be actioned within 1 month.
Rights of the Data Subject
Right to Erasure (Article 17)
Does not provide an absolute ‘right to be forgotten’ but allows for personal data to be erased and to prevent processing in specific circumstances:
Where the data is no longer necessary in relation to the purpose for which it was originally collected/processed
When the individual withdraws consent
The data was unlawfully processed (i.e. otherwise in breach of the GDPR)
The data has to be erased in order to comply with a legal obligation
Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if processing causes damage or distress, this is likely to strengthen the case for erasure.
Rights of the Data Subject
Right to Restrict Processing (Article 18)
Applies where:
Accuracy is contested
Processing is unlawful
The data is no longer required, but the individual opposes erasure
The individual objects to processing (Article 21(1))
Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing (Article 19)
Rights of the Data Subject
Right to Data Portability (Article 20)
Allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to data portability only applies:
To personal data an individual has provided to a controller;
Where the processing is based on the individual's consent or for the performance of a contract; and
When processing is carried out by automated means (not paper).
Data must be available within 1 month of the request.
Rights of the Data Subject
Right to Object (Article 21)
Right to prevent direct marketing
Immediate effect upon receipt
No exemptions or grounds to refuse
Right to Prevent Automated Decision-Making and Profiling (Article 22)
Individuals have the right not to be subject to a decision when:
It is based on automated processing; and
It produces a legal effect or a similarly significant effect on the individual.
Must ensure that individuals are able to:
Obtain human intervention;
Express their point of view; and
Obtain an explanation of the decision and challenge it.
The right does not apply if the decision:
Is necessary for entering into or performance of a contract;
Is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
Is based on explicit consent (Article 9(2)).
Rights of the Data Subject
GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
Performance at work
Economic situation
Health
Personal preferences
Reliability
Behaviour
Location
Movements
Profiling must ensure that appropriate safeguards are in place:
Fair and transparent: providing information about the logic involved, the significance and the envisaged consequences.
Technical and organisational measures in place to enable inaccuracies to be corrected and minimise the risk of errors.
Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
Automated decisions must not:
Concern a child; or
Be based on the processing of special categories of data unless:
You have the explicit consent of the individual; or
The processing is necessary for reasons of substantial public interest on the basis of State law.
Article 22
Subject Access Request Discussion
Exemption: DPA 2018, Schedule 2, Part 3/4 (16), Protection of the rights of others
(3) In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
(b) any duty of confidentiality owed to the other individual,
(4) For the purposes of this paragraph—
(a) “information relating to another individual” includes information identifying the other individual as the source of information;
ICO Guidance: Access to Information Held in Complaint Files (recommended by the ICO)
1. Not everything in a ‘complaint’ file is the complainant's personal data. For it to be personal data it must relate to an individual and allow an individual to be identified. Under the DPA individuals have a right of subject access to information about themselves; it does not give a right of access to information about anyone else.
Recital 63, Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her; that right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property. However, the result of those considerations should not be a refusal to provide all information to the data subject.
DPA 1998 (Subject Access Code of Practice), current guidance
The Data Protection Act 1998 (DPA) says you do not have to comply with a SAR if to do so would mean disclosing information about another individual who can be identified from that information. If you have not got the consent of the third party and you are not satisfied that it would be reasonable in all the circumstances to disclose the third-party information, then you should withhold it.
Controllers & Processors
The Controller: Responsibilities (Article 24)
Things to consider:
Obliged to implement appropriate technical and organisational controls
Be able to demonstrate that processing is in accordance with the regulation
Appropriate data protection policies and procedures are in place
Must only use processors who provide sufficient guarantees they will comply with GDPR
Must ensure appropriate contracts are in place with processors
Records of processing
Cooperation with supervisory authorities
The Processor (Article 28)
The controller shall only use processors providing sufficient guarantees.
A processor shall not engage another party without prior authorisation.
Contracts with a processor must be binding and set out:
Subject matter and duration of processing
Nature and purpose
Type of personal data
Categories of data subjects
Obligations and rights of the controller
Specific terms to be included in the contract (Article 28)
Security of Processing
SO WHAT TIME IS IT ANYWAY..!!
Simple or Complex..!!
Prevent unauthorised access
Review the process and procedure
Stop loss, theft and compromise of data
Information Security Training
1. eLearning Package
2. Educational emails
3. Organisational Policy
4. Presentations
5. Posters
6. Screen Saver
7. Staff Handbook
8. Information Security Web Portal
9. Bulletin
10. News
11. Induction
Slide image: WWW, PHISHING, SCAM, !WARNING, RANSOMWARE
Common Failings
1. Checking ID/Credentials – Challenging Visitors
2. Clear Desk/Screen
3. Attention to Detail (email, letters, policy)
4. Regular Accountability/Audit
5. Personal Accountability/Knowledge (Digital Competence)
6. Situation/Third Party Awareness
7. Vigilance/Double Checking
8. The Basics (password protection)
9. Clicking links
10. System updates and patches
11. Anti-virus – Encryption
12. MDM – Mobile Device Management
13. Opening attachments
14. Human Error
15. Common Sense
Prevent, Detect, Deter
Firewall
IPS/IDS
Web/Mail Filter
Anti-Virus
Encryption
Backup – (Read Only Encrypted)
Patch Management
Access Control
Manage Risk
OWASP
Cloud (PaaS, SaaS, IaaS)
DR/BCP
Security and Data Breaches (Article 32)
Security of personal data, key measures:
Pseudonymisation and encryption
Confidentiality, integrity, availability and resilience of processing systems and services
Ability to restore availability and access in a timely manner after an incident
Process for regularly testing the measures
Take into account the risks of:
Accidental/unlawful destruction
Loss
Alteration
Unauthorised disclosure of, or access to, personal data
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Mandatory Breach Notification (Articles 33/34)
GDPR introduces a duty on all organisations to report certain types of data breach to the ICO within 72 hours, and in some cases to the individuals affected:
Where a breach is likely to result in a high risk to individual(s) they must be notified directly.
A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
Must review our internal reporting procedures and training
Must maintain records of reports and investigations
Privacy By Design (Article 25)
Privacy Impact Assessments for all new systems or processes where personal data is processed
Regular Risk Assessments
Documented Mitigation: How is it justified?
Justification for accepting risk
Identify all overseas processing
Review Contracts
Determine the supervising authority (local ICO equivalents)
Pseudonymous data
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified.
GDPR explicitly encourages organisations to consider pseudonymisation as a security measure.
It can allow organisations to satisfy their obligations of "privacy by design" and may be used to justify processing that would otherwise be deemed "incompatible" with the purposes for which the data were originally collected; it could help with the legitimate interest problem.
DPIA (Article 35)
Privacy Impact Assessments for all new systems or processes where personal data is processed
Regular Risk Assessments
Documented Mitigation
Justification for accepting risk
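As an added illustration of the pseudonymisation described above and of the Article 32 "pseudonymisation and encryption" measure (example code, not part of the presentation): direct identifiers are replaced by keyed HMAC tokens, so re-identification needs the separately held key and lookup table, and a release check confirms that no raw identifier survives in the output. The HR records, field names and helper functions are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person and must not survive in the
# pseudonymised data set. Quasi-identifiers such as site are left in place
# here; a real release would assess those separately.
DIRECT_IDENTIFIERS = ("name", "email", "ni_number")

# Constructed sample HR records for the demonstration; the people, email
# addresses and National Insurance numbers are invented.
STAFF_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org",
     "ni_number": "QQ123456C", "site": "Lambeth", "sick_days": 3},
    {"name": "B. Sample", "email": "b.sample@example.org",
     "ni_number": "QQ654321A", "site": "Lambeth", "sick_days": 0},
    {"name": "A. Example", "email": "a.example@example.org",
     "ni_number": "QQ123456C", "site": "Southwark", "sick_days": 1},
]


def new_key() -> bytes:
    """256-bit secret: the 'key' that must be held apart from the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed token for one identifier value.

    HMAC-SHA256 rather than a bare hash: names, email addresses and NI
    numbers come from small enough value spaces that an unkeyed hash could
    be reversed by enumerating candidates. The field name is mixed in so
    that identical text in two fields yields two different tokens.
    """
    message = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key):
    """Replace direct identifiers with tokens.

    Returns (pseudonymised_records, lookup). `lookup` maps each token back
    to the original value: it is the re-identification table and is stored
    separately from the output, under the same protection as the key.
    """
    output, lookup = [], {}
    for record in records:
        new_record = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in new_record:
                token = pseudonym(key, field, str(new_record[field]))
                lookup[token] = new_record[field]
                new_record[field] = token
        output.append(new_record)
    return output, lookup


def reidentify(record, lookup):
    """Restore original identifiers from the separately held lookup table."""
    return {
        field: lookup.get(value, value) if field in DIRECT_IDENTIFIERS else value
        for field, value in record.items()
    }


def leaks_identifiers(pseudonymised, originals):
    """Release check: True if any raw identifier value still appears anywhere.

    Run before handing a pseudonymised set to a processor or analyst.
    """
    raw_values = {
        str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if f in r
    }
    return any(str(v) in raw_values for r in pseudonymised for v in r.values())


if __name__ == "__main__":
    key = new_key()
    pseudo, table = pseudonymise(STAFF_RECORDS, key)
    # Same person, same key -> same token, so records still link for analysis
    print("records 0 and 2 link:", pseudo[0]["name"] == pseudo[2]["name"])
    print("release check passes:", not leaks_identifiers(pseudo, STAFF_RECORDS))
    print("re-identified:", reidentify(pseudo[0], table) == STAFF_RECORDS[0])
```

A data set pseudonymised under a different key produces unrelated tokens, so two releases to different processors cannot be joined against each other without the keys.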
Penalties & Liabilities
Data Breach (Articles 33/34)
Article 33: The data controller shall without undue delay and, where feasible, not later than 72 hours notify the supervisory authority of a personal data breach.
Exception: when the data breach is not high risk to the data subject.
When notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
Article 34: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Liabilities and Penalties
Compensation (Article 82): for material and non-material damage; liability of controllers and processors.
Fines (Article 83)
This will probably open us up to more access requests and more complaints.
Fines up to €20 million or 4% of global turnover for a data breach (deliberate or accidental loss)
Fines up to €10 million or 2% of global turnover for non-compliance of processing records or non-appointment of a Data Protection Officer
Steps to Compliance
Road to Compliance
1. Awareness – decision makers and key people
2. Information – document what you hold
3. Communicating privacy information – privacy notices
4. Individuals' rights – facilitate data subject rights
5. Subject access requests – update procedures
6. Legal basis for processing – identify and document
7. Consent – review how you obtain and record consent
8. Children – review consent processes for minors
9. Data breaches – processes for detecting and reporting
10. Data protection by design and DPIA
11. Data protection officers – appoint one if required
12. International transfers – ensure appropriate legal basis
WHAT
Source
WHEN
Retention Period
Actions Required – Information Audit
Type
Name
Address
Contact Details
Health Details
CV
Reference
CRB Check
Passport Details
Work Permit
Appraisals
Annual Leave
Disciplinary
Tax/NI
Bank Account
Pension Details
Name
Contact Details
Names
Address
Email
Mobile
Phone
Names
Address
Email
Mobile
Phone
Names
Email
WHY
Staff Admin
Direct
Marketing
Individual
Third Party
Third Party
Individual
Individual/Third party
Individual/Third party
Individual
Individual/Third party
Individual/Third party
Individual
Not Sure - Find out
Individual/Third Party
Individual
Individual
Not Sure - Find out
Legal Basis
Contract
Legal Obligation
Legal Obligation
Legitimate Interests - Staff
Management
Contract
Contract
Contract
Vital Interests
Consent
Consent
Originally
Pre-Appointment
Not Sure find out
Appointment
Pre-Appointment
At the time
At Request
At the time
Appointment
Appointment
First Contact
First Contact
Web Enquiries
Updated
As required
Never
Never
Not Sure find out
Not Sure find out
Annually
Not Sure find out
Not Sure find out
As required
When notified
Annual Enrollment
Not Sure - Find out
Not applicable
Termination of
Employment + 6
Copy not retained,
record of Number only
Termination of
Employment + 6
3 years
End of Financial year + 6
Not Sure find out
Termination of
employment + 70
Until staff leave
End of relationship
unless enrolled in
Alumni or consent
withdrawn
End of relationship
or consent
withdrawn
Not Sure - Find out
WHERE
HRMIS hosted on
premise NCG Data
Centre.
HRMIS hosted on premise
NCG Data Centre.
Held on a 3rd Party
cloud server hosted
in the US
WHO
Current staff
member
Emergency
Contact
Existing
Students
Potential
Students
Enquiries
Determined by
Employment
Law/Limitation Law
CRB Code of
Practice
Standard Practice
Tax Law
Employment Law
Duty of Care?
Data Protection
Data Protection
Data Protection
Not Sure - Find out
NCG Finance System
hosted on premise NCG
Data Centre
Not Sure - Find out
Resources
https://gdpr-info.eu/
https://ico.org.uk/
QUESTIONS

A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
GDPR
GDPRGDPR
GDPR
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
My presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPRMy presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPR
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
 
Paul Stephen - GDPR The Opportunity & Sitecore Tool
Paul Stephen - GDPR The Opportunity & Sitecore ToolPaul Stephen - GDPR The Opportunity & Sitecore Tool
Paul Stephen - GDPR The Opportunity & Sitecore Tool
 
GDPR and Analytics
GDPR and AnalyticsGDPR and Analytics
GDPR and Analytics
 
GDPR Summary
GDPR SummaryGDPR Summary
GDPR Summary
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 

Kürzlich hochgeladen

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 

Cyber safe lambeth | GDPR taster

  • 1. GENERAL DATA PROTECTION REGULATION www.integrateagency.co.uk
  • 2. GDPR Fundamentals and Principles #CyberSafeLambeth | @IntegrateUK
  • 3. ICO, Controllers, Processors & Subjects
    • Processing: obtaining, recording, storing, accessing, transmitting, disclosing, sharing, using, consultation, manipulating etc.
    • Information Commissioner's Office (ICO): the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It regulates, audits, investigates, issues penalties and fines etc.
  • 4. ICO, Controllers, Processors & Subjects
    • Data Controller: any entity (i.e. organisation, person etc.) which determines the manner and purpose for which personal data is processed.
    • Data Processor: service providers, other group companies who provide a service using personal data on behalf of a Data Controller.
    • Data Subject: staff, students, learners, suppliers, consultants, agents etc.
  • 5. Overview
    • Where does it come from? 'How do we collect data'
    • What do we do with it? 'How do we process and store data'
    • Where does it go? 'Who do we share data with'
  • 6. GDPR Article Flow
    • Article 24 – Responsibility of the Controller
    • Point of Data Capture – consider: Article 6 – Lawfulness of Processing; Article 7 – Condition for Consent; Article 6 – Contract; Article 13 – Privacy Statement
    • Data Type – consider: Article 9 – Special Categories
    • Data Storage & Processing – consider: Article 32 – Security of processing; Article 35 – Privacy Impact Assessment; Article 25 – Privacy by Design / Default
    • Processor (Hosted / On Premise) – consider: Article 28 – Processor
    • Rights of the Data Subject: Article 12 – Transparent information; Article 13 – Information to be provided (Privacy Statement); Article 14 – Information to be provided; Article 15 – Right of access; Article 16 – Right to rectification; Article 17 – Right of erasure ('to be forgotten'); Article 18 – Right to restriction of processing; Article 19 – Notification obligation; Article 20 – Right to data portability; Article 21 – Right to object; Article 22 – Automated decision making & profiling
  • 7. GDPR Article Flow – Evidence
    • Article 5(2): 'The controller shall be responsible for, and be able to demonstrate compliance'
  • 8. GDPR Article Flow – Evidence
    • Article 30: 'Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility'
  • 10. GDPR Content Breakdown
    • 173 Recitals of explanatory text
    • 11 chapters covering 99 Articles:
      • General provisions
      • Data protection principles
      • Rights of the data subject
      • Obligations on controllers and processors
      • Transfer of personal data to third countries or international organisations
      • Independent supervisory authorities
      • Cooperation and consistency between member states
      • Remedies, liability and penalties
      • Provisions relating to specific processing situations
  • 12. GDPR General Provisions – Article 5(2)
    "The controller shall be responsible for, and be able to demonstrate, compliance with the principles."
    The onus is on data controllers & processors to demonstrate compliance:
      • Review all contracts
      • Review Privacy Statement (web and paper)
      • Joint responsibility throughout the supply chain
      • Both must have robust security measures – regularly tested and certified
      • Processors must report breaches to controllers and must assist with investigations
      • Both could be subject to penalties
  • 14. Principles – Article 5
    Personal data shall be:
      • Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
      • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
      • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
      • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate [...] ('accuracy');
      • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation');
      • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
  • 16. Lawfulness of Processing – Article 6
    a. Consent
    b. Contract
    c. Legal obligation
    d. Vital interests
    e. Public interest
    f. Legitimate interests
  • 17. Rights of the Data Subject
    "You were involved in a road traffic accident in the last 2 years"
  • 18. Rights of the Data Subject
  • 19. Privacy procedures – What changes are needed?
    There is no one-size-fits-all; the content of these procedures should be based on an organisation's processing operations and current risk processes and procedures.
    You will need to consider how these requirements will be met in the HR context and document the measures taken to ensure compliance in each case.
    The GDPR introduces new privacy concepts and requirements, for example:
      1. Privacy by design and default
      2. DPIAs
      3. New data subject rights
      4. Mandatory breach notification
  • 20. Rights of the Data Subject – Data Subject Rights
    • Information (Articles 13 and 14)
    • Access (Article 15)
    • Rectification (Article 16)
    • Erasure (right to be forgotten) (Article 17)
    • Restrict processing (Article 18)
    • Data portability (Article 20)
    • Object to processing (Article 21)
    • Automated decisions and/or profiling (Article 22)
  • 21. Right of Access – Article 15
    • The right exists now, but the response time is reduced to 1 month, down from 40 days – but can be extended if complex
    • Can no longer charge £10 for processing – but can charge a 'reasonable fee' when a request is manifestly unfounded or excessive, particularly if it is repetitive
    • Responses must provide context as to why the data is held
  • 22. Right to Rectification – Article 16
    • Must be actioned within 1 month
  • 23. Right to Erasure – Article 17
    Does not provide an absolute 'right to be forgotten' but allows for personal data to be erased and to prevent processing in specific circumstances:
      • Where the data is no longer necessary in relation to the purpose for which it was originally collected/processed
      • When the individual withdraws consent
      • The data was unlawfully processed (i.e. otherwise in breach of the GDPR)
      • The data has to be erased in order to comply with a legal obligation
    Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if processing causes damage or distress, this is likely to strengthen the case for erasure.
  • 24. Right to Restrict Processing – Article 18
    • Accuracy is contested
    • Unlawful processing
    • No longer required but opposes erasure
    • Objects to processing (21/1)
  • 25. Notification Obligation regarding rectification or erasure of personal data or restriction of processing – Article 19
  • 26. Right to Data Portability – Article 20
    Allows individuals to obtain and reuse their personal data for their own purposes across different services.
    The right to data portability only applies:
      • To personal data an individual has provided to a controller;
      • Where the processing is based on the individual's consent or for the performance of a contract; and
      • When processing is carried out by automated means (not paper)
    Data must be available within 1 month of the request.
  • 27. Right to Object – Article 21
    • Right to prevent direct marketing
    • Immediate effect upon receipt
    • No exemptions or grounds to refuse
  • 28. Right to prevent automated decision-making and profiling – Article 22
    Individuals have the right not to be subject to a decision when:
      • It is based on automated processing; and
      • It produces a legal effect or a similarly significant effect on the individual.
    Must ensure that individuals are able to:
      • Obtain human intervention;
      • Express their point of view; and
      • Obtain an explanation of the decision and challenge it.
    The right does not apply if the decision:
      • Is necessary for entering into or performance of a contract;
      • Is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
      • Is based on explicit consent (Article 9(2)).
  • 29. Profiling – Article 22
    GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
      • Performance at work, economic situation, health, personal preferences, reliability, behaviour, location, movements
    Profiling must ensure that appropriate safeguards are in place:
      • Fair and transparent – providing information about the logic involved, the significance and the envisaged consequences.
      • Technical and organisational measures in place to enable inaccuracies to be corrected and minimise the risk of errors.
      • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
    Automated decisions must not:
      • Concern a child; or
      • Be based on the processing of special categories of data unless: you have the explicit consent of the individual; or the processing is necessary for reasons of substantial public interest on the basis of State law.
  • 30. Rights of the Data Subject – Subject Access Request Discussion
  • 31. Rights of the Data Subject – Subject Access Requests
    Recital 63 – Right of Access: a data subject should have the right of access to personal data which have been collected concerning him or her; that right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property. However, the result of those considerations should not be a refusal to provide all information to the data subject.
    (Exemption) – DPA 2018, Schedule 2, Part 3/4 (16) – Protection of the rights of others:
      (3) In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
        (b) any duty of confidentiality owed to the other individual,
      (4) For the purposes of this paragraph—
        (a) "information relating to another individual" includes information identifying the other individual as the source of information;
    ICO Guidance – Access to Information Held in Complaint Files (recommended by the ICO):
      1. Not everything in a 'complaint' file is the complainant's personal data; for it to be personal data it must relate to an individual and allow an individual to be identified. Under the DPA individuals have a right of subject access to information about themselves; it does not give a right of access to information about anyone else.
  • 32. Current Guidance – DPA 1998 (Subject Access Code of Practice)
    The Data Protection Act 1998 (DPA) says you do not have to comply with a SAR if to do so would mean disclosing information about another individual who can be identified from that information. If you have not got the consent of the third party and you are not satisfied that it would be reasonable in all the circumstances to disclose the third-party information, then you should withhold it.
  • 34. The Controller – Responsibilities – Article 24
    Things to consider:
      • Obliged to implement appropriate technical and organisational controls
      • Be able to demonstrate that processing is in accordance with the regulation
      • Appropriate data protection policies and procedures are in place
      • Must only use processors who provide sufficient guarantees they will comply with GDPR
      • Must ensure appropriate contracts are in place with processors
      • Records of processing
      • Cooperation with supervisory authorities
  • 35. The Processor – Article 28
    • Controller shall only use processors providing sufficient guarantees
    • Processor shall not engage another party without prior authorisation
    • Contracts with processor must be binding and set out:
      • Subject matter and duration of processing
      • Nature and purpose
      • Type of personal data
      • Categories of data subjects
      • Obligations and rights of controller
      • Specific terms to be included in the contract (Article 28)
  • 37. SO WHAT TIME IS IT ANYWAY..!!
  • 38. Simple or Complex..!!
    • Prevent unauthorised access
    • Review the process, procedure
    • Stop: loss, theft, compromise of data
  • 39. Information Security Training
    1. eLearning package
    2. Educational emails
    3. Organisational policy
    4. Presentations
    5. Posters
    6. Screen saver
    7. Staff handbook
    8. Information security web portal
    9. Bulletin
    10. News
    11. Induction
  • 41. Common Failings
    1. Checking ID/credentials – challenging visitors
    2. Clear desk/screen
    3. Attention to detail (email, letters, policy)
    4. Regular accountability/audit
    5. Personal accountability/knowledge (digital competence)
    6. Situation/third party awareness
    7. Vigilance/double checking
    8. The basics (password protection)
    9. Clicking links
    10. System updates and patches
    11. Anti-virus – encryption
    12. MDM – Mobile Device Management
    13. Opening attachments
    14. Human error
    15. Common sense
  • 42. Prevent, Detect, Deter
    • Firewall
    • IPS/IDS
    • Web/mail filter
    • Anti-virus
    • Encryption
    • Backup (read-only, encrypted)
    • Patch management
    • Access control
    • Manage risk
    • OWASP
    • Cloud (PaaS, SaaS, IaaS)
    • DR/BCP
  • 43. Security and Data Breaches Security of personal data, key measures: Pseudonymisation and encryption Confidentiality, integrity, availability and resilience of processing systems and services Ability to restore availability and access in a timely manner after an incident Process for regularly testing the measures Take into account the risks of: Accidental/unlawful destruction Loss Alteration Unauthorised disclosure of, or access to personal data #CyberSafeLambeth | @IntegrateUKArticle 32
  • 44. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. #CyberSafeLambeth | @IntegrateUK Mandatory Breach Notification GDPR INTRODUCES A DUTY ON ALL ORGANISATIONS TO REPORT WITHIN 72 HOURS CERTAIN TYPES OF DATA BREACH TO THE ICO, AND IN SOME CASES TO THE INDIVIDUALS AFFECTED: WHERE A BREACH IS LIKELY TO RESULT IN A HIGH RISK TO INDIVIDUAL(S) THEY MUST BE NOTIFIED DIRECTLY. A ‘HIGH RISK’ MEANS THE THRESHOLD FOR NOTIFYING INDIVIDUALS IS HIGHER THAN FOR NOTIFYING THE RELEVANT SUPERVISORY AUTHORITY. Must review our internal reporting procedures and training Must maintain records of reports and investigations Article 33/34
  • 45. Privacy Impact Assessments for all new systems or processes where personal data is processed #CyberSafeLambeth | @IntegrateUK Privacy By Design Regular Risk Assessments Identify all overseas processing Documented Mitigation How is it justified? Review Contracts Determine the supervising authority (local ICO equivalents) Pseudonymous data Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. GDPR explicitly encourages organisations to consider pseudonymisation as a security measure. It can allow organisations to satisfy their obligations of "privacy by design" and may be used to justify processing that would otherwise be deemed "incompatible" with the purposes for which the data were originally collected – Could help legitimate interest problem. Article 25 Justification for accepting risk
  • 46. Privacy Impact Assessments for all new systems or processes where personal data is processed Regular Risk Assessments Documented Mitigation Justification for accepting risk #CyberSafeLambeth | @IntegrateUK DPIA Article 35
  • 48. #CyberSafeLambeth | @IntegrateUK Data Breach The data controller shall without undue delay and where feasible, and not later than 72 hours notify the supervisory authority of a personal data breach Exception: when the data breach is not High Risk to Data Subject When notification is not made within 72 hour, this shall be accompanied with reasons for delay When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Article 33/34 Article 33 Article 34
  • 49. Liabilities and Penalties
    Compensation (Article 82): for material and non-material damage; liability of controllers and processors.
  • 50. Fines (Article 83)
    Fines up to €20 million or 4% of global turnover for a data breach (deliberate or accidental loss). Fines up to €10 million or 2% of global turnover for non-compliance of processing records or non-appointment of a Data Protection Officer.
    This will probably open us up to more access requests and more complaints.
  • 52. Road to Compliance
    1. Awareness – decision makers and key people
    2. Information – document what you hold
    3. Communicating privacy information – privacy notices
    4. Individuals’ rights – facilitate data subject rights
    5. Subject access requests – update procedures
    6. Legal basis for processing – identify and document
    7. Consent – review how you obtain and record consent
    8. Children – review consent processes for minors
    9. Data breaches – processes for detecting and reporting
    10. Data protection by design and DPIA
    11. Data protection officers – appoint one if required
    12. International transfers – ensure appropriate legal basis
  • 53. Actions Required – Information Audit
    WHO: Current staff member; Emergency Contact; Existing Students; Potential Students; Enquiries.
    WHAT (Type): Name, Address, Contact Details, Health Details, CV, Reference, CRB Check, Passport Details, Work Permit, Appraisals, Annual Leave, Disciplinary, Tax/NI, Bank Account, Pension Details; Name, Contact Details; Names, Address, Email, Mobile Phone; Names, Address, Email, Mobile Phone; Names, Email.
    WHY: Staff Admin; Direct Marketing.
    Source: Individual; Third Party; Third Party; Individual; Individual/Third party; Individual/Third party; Individual; Individual/Third party; Individual/Third party; Individual; Not Sure - Find out; Individual/Third Party; Individual; Individual; Not Sure - Find out.
    Legal Basis: Contract; Legal Obligation; Legal Obligation; Legitimate Interests - Staff Management; Contract; Contract; Contract; Vital Interests; Consent; Consent.
    WHEN (originally obtained): Pre-Appointment; Not Sure - find out; Appointment; Pre-Appointment; At the time; At Request; At the time; Appointment; Appointment; First Contact; First Contact; Web Enquiries.
    WHEN (updated): As required; Never; Never; Not Sure - find out; Not Sure - find out; Annually; Not Sure - find out; Not Sure - find out; As required; When notified; Annual Enrolment; Not Sure - Find out; Not applicable.
    Retention Period: Termination of Employment + 6; Copy not retained, record of Number only; Termination of Employment + 6; 3 years; End of Financial year + 6; Not Sure - find out; Termination of employment + 70; Until staff leave; End of relationship unless enrolled in Alumni or consent withdrawn; End of relationship or consent withdrawn; Not Sure - Find out.
    Determined by: Employment Law/Limitation Law; CRB Code of Practice; Standard Practice; Tax Law; Employment Law; Duty of Care?; Data Protection; Data Protection; Data Protection; Not Sure - Find out.
    WHERE: HRMIS hosted on premise NCG Data Centre; HRMIS hosted on premise NCG Data Centre; Held on a 3rd Party cloud server hosted in the US; NCG Finance System hosted on premise NCG Data Centre; Not Sure - Find out.
  • 54. GDPR Article Flow
    Article 24 – Responsibility of the Controller. Consider: Article 6 – Lawfulness of Processing; Article 7 – Condition for Consent; Article 6 – Contract.
    Rights of the Data Subject: Article 12 – Transparent information; Article 13 – Information to Be Provided (Privacy Statement); Article 14 – Information to be Provided; Article 15 – Right of Access; Article 16 – Right to rectification; Article 17 – Right of Erasure ‘To Be Forgotten’; Article 18 – Right to Restriction of Processing; Article 19 – Notification Obligation; Article 20 – Right to Data Portability; Article 21 – Right to Object; Article 22 – Automated Decision Making & Profiling.
    Article 9 – Special Categories. Consider: Point of Data Capture; Data Type; Data Storage & Processing.
    Article 32 – Security of processing; Article 35 – Privacy Impact Assessment; Article 25 – Privacy by Design / Default.
    Processor: Article 28 – Processor. Consider: Hosted; On Premise. Article 13 – Privacy Statement.