In this GDPR Compliance presentation, you can learn more about the key steps to take for GDPR Compliance, including: - What are data management processes and how to identify them at small and medium sized businesses - What is personal data under the GDPR and how to establish a record of processing activities to map personal data - How does encryption help with safeguarding personal data and ensuring GDPR compliance - What your business should do to get ready for the new General Data Protection regulation on time

1. 5 key steps for
SMBs to GDPR
compliance
Wednesday, November 29, 2017
Webinar hosted by:
John Clelland, Managing Director, Founding Partner at
Proteus-Cyber Ltd.
Istvan Lam, Co-founder & CEO at Tresorit

2. Introduction

3. What is the GDPR?
– The GDPR unifies data protection regulations across the EU, will directly
apply in member states from May 25, 2018
– Many obligations – compliance is resource-heavy
– Organizations should prioritize
– What are your most risky areas?
– Data protection principles defined by the GDPR
– fairness, lawfulness and transparency; purpose limitation; data minimisation; data
quality; security, integrity and confidentiality
– Creates an “economy of privacy“: radical changes, heavy fines
3

4. The 5 steps to GDPR compliance: Overview
4
Create data
register to
map personal
data
Check third
parties &
processing
vendors
Apply
technical
safeguards of
the GDPR
Create
policies
for IT
reconciliation
Analyse data
breach risks
in your
organization
1. 2. 3. 4. 5.

5. Step 1.
Create data
register to map
personal data

6. What is a data register?
– GDPR Article 30: Each controller and, where applicable, the controller’s representative, shall
maintain a record of processing activities under its responsibility. That record shall contain
all of the following information:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller’s
representative and the data protection officer;
b.the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal data;
d.the categories of recipients to whom the personal data have been or will be disclosed including recipients
in third countries or international organisations;
e.where applicable, transfers of personal data to a third country or an international organisation, including
the identification of that third country or international organisation and, in the case of transfers referred to
in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of data;
g.where possible, a general description of the technical and organisational security measures referred to in
Article 32(1).
6

7. Understand how you manage data – (data register)
DPO Business Owners
(who use personal data)
Issue
Data/Process survey
IT data owners
(understand how data is handled)
Issue
IT data handling survey
Data Register &
Article 30 report
PIA
Name
Address
Bank account
no
…
Convert survey to PIA

8. Step 2.
Check third parties
& data processing
vendors

9. Check third parties & data processing vendors
– Which processes disclose data to third parties? (Common processes at
SMBs: billing, HR, marketing)
– How do the third parties handle your data?
– Where do they you store your data?
– What security measures do they apply to your data?
– Who has access to the data?
9

10. Step 1 & 2 – How Proteus®GDPRready™ basic can help
– Simple tool to get a start on GDPR, one site, one user, one survey, one
summary report.
– Designed to start you on the road to GDPR compliance
– Model your most important processes against Personal and Sensitive data
– Establish how you handle that data
– Contains recommendations
– Provides templates for policies
– Contains a plan of action
10

11. 11
Week 1 2 3 4 16
2017/18
Milestone 1
Answer surveys
Milestone 2
Publish 1st reports
Milestone 3
Data handling
Milestone 4
Finish 1st phase
Process/Data Survey 4 days
Identify your processesWhat personal data is linked
How do you process the data
Perform PIA/DPIA 15 days
Controllers/processors
Assess current policies/procedures
Manual or electronic processing
DPIA, reason for processing/storage/disclosure
Data handling – IT surveys 5 days
Encrypted/Pseudonymised
Identify gaps
International transit
Follow-up actions & recommendations
Recommended SMB time-line for Step 1 & 2
Report to the board
Reports within days

12. Step 3.
Apply technical
safeguards of the
GDPR: encryption

13. Encryption highlighted by the GDPR
– “The controller and the processor shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including inter alia as
appropriate: the pseudonymisation and encryption of personal data” - GDPR Article 32. Security
of Processing
– What is pseudonymisation?
– Processing personal data so that it can no longer be attributed to a specific individual without the use of
additional information.
– What is encryption?
– In case of a server-side data breach or leak, strongly encrypted datasets are unintelligible to unauthorized
people.
– Encryption makes the re-identification of persons from the leaked datasets impossible with reasonable
efforts
– The persons are protected from harmful effects of data exposure.
13

16. Advantages of encryption
– Protect the personal data of employees, customers, partners, and users.
– Keep your personal data within company walls
– Reduce your liability in case of a data breach.
– Save costs of data breach notifications and potential fines
– Manage consent compatibility
– Enjoy the advantages of public cloud (security, managed infrastructure,
easy deployment) and the highest level of GDPR compliant security
16

17. Use end-to-end encrypted providers
– For cloud-based collaboration – sharing and syncing files conveniently and
securely with Tresorit:
– Swiss provider
– Since 2011
– Automatic end-to-end encryption for all files, during the whole sharing process
– Ideal for internal and external collaboration
– Combining end-to-end encrypted security with file control and data governance features
– Other providers for communicating securely:
– Email: Protonmail, Tutanota
– Messaging: Wire, Threema
17

18. Step 4.
Create policies
for IT reconciliation

19. Create policies for your processes
19
• Social media policy
• Archive policy
• Acceptable Use policy
• Change management policy
• CCTV policy
• Call recording policy
• BYOD policy
• Vendor assessment policy
• Remote working policy
• Privacy by design policy
• Incident management policy
• Generic privacy policy
• Employee data policy
• Disaster recovery policy
• Data subject access policy
• Data sharing policy
• Data security policy
• Data risk policy
• Data retention policy
• Data privacy impact assessment policy
• Data privacy and security audit policy
• Data obfuscation policy
• Data governance policy
• Data Deletion policy
• Data Classification policy
• Backup policy

20. Step 5.
Analyse data
breach risks in your
organization

21. Most common causes of data breaches
Source: 2017 Cost of Data Breach Study by Ponemon Institute
21

22. Identify the riskiest areas in your organization
– Malicious attacks:
– Do you use technical safeguards such as encryption?
– Do you use end-point security measures?
– Do you have a team dedicated for security, or is your IT staff trained for that?
– Do you have internal security policies, how do you enforce that among your staff?
– Human error:
– How do you share personal data internally and externally?
– Do you use tools that allow you to control and revoke data?
– Do you have data governance policies in place?
– Do you have data protection and security trainings to raise awareness?
– System glitches:
– Do you have comprehensive policies for IT and business processes?
– How do you manage your third party providers and data processor vendors?
22

23. Key takeaways + Q & A
1. The GDPR requires a holistic view on data protection within an
organization – prioritize and start with your most risky areas
2. Map your personal data and business processes to know what you need
to protect
3. Apply safeguards highlighted by the GDPR such as encryption
23

24. Thank you
24
– Find more information at:
– www.proteuscyber.com
– www.tresorit.com/gdpr
– Contact us:
– contact@proteuscyber.com
– info@tresorit.com