3. Some myths about GDPR
• We are going to be brexiting and this is an EU law and
therefore doesn't apply.
• The ICO is understaffed and only has approx. 15 staff.
• They are not going to look at SME business as they
only fined people like TalkTalk and Tesco.
• We don’t hold any personal data as we only deal in
B2B relationships.
• I have a compliance certificate from a company.
4. Minimise the risk
• Assess the risk – what personal data do you process,
and how?
• Policies
• Responsibilities
• Training and awareness
5. Where to start?
• Perform a GAP analysis looking at and answering questions such as:
• What data do we process?
• For what purposes?
• What legal basis do we use?
• Who do we share data with?
• What systems do we have in place keeping this data safe?
• What happens if or when we have a data breach?
6. What rights do Citizens have now
1. Information (Privacy Notice).
2. Access their own personal data (subject access request).
3. Correct their personal data (Rectification).
4. Erase their personal data (Right to be forgotten).
5. Restrict data processing.
6. Object to data processing.
7. Export their personal data to another data controller (right to portability).
8. Not to be the subject of automated decision making, including profiling (CA).
9. Be notified of a data security breach.
10. Sue the data controller and/or data processor for material or non-material damages resulting from a breach of GDPR.
11. Report the issue to the ICO for investigation.
7. Don’t leave it too late because
The ICO has issued the following statements when asked:
• Are you willing to go the full distance and fine companies 17 million pounds?
• Response was YES. We have to be willing to do so…. It’s absolutely the case that we will be imposing fines against large and small entities based on the issues that come across our desks and the areas of risk we identify.
• Will there be any leeway to ease companies into the new, stricter punishment regime?
• Response was NO. There is not going to be any amnesty or first or second chances. On the other hand the GDPR does set out criteria we look at when deciding the scale of the fine we may issue. We are obliged to take into account the level of cooperation between us and the controller, the number of affected subjects, the effect of the loss on those subjects and any previous breaches.
8. Thank you for listening
I will be around to answer any questions after the presentations have all been given.
20. 5 questions you need to ask yourself
1) Is the data you’re responsible for actually secure?
• Cloud based systems are very tight on data security
• Usernames and passwords are better than a filing cabinet
21. 2) How quickly can you access personal data?
• Having a centralised system lets you access data immediately
• Removes the cost barrier for providing subject access requests
• You can decide who has access to what information
22. 3) Is the data you hold accurate and up to date?
• How long does it take to update a spreadsheet?
• Employees can update their own details
23. 4) Can you remove all personal data that’s no longer required?
• Employees have the ‘right to be forgotten’
• Delete means delete in HR software.
24. 5) Can you prove consent to use the data you hold?
• Transparency of data is achieved through self-service
• Store contracts and declarations of consent
25. Understanding the relationship
• Employee: DATA SUBJECT
• You: DATA CONTROLLER
• HR System: DATA PROCESSOR
Software acts as the data processor. This means we process clients’ data in
accordance with GDPR and you, the client, act as the data controller.
26. What other benefits are there?
• Holiday Management
• Absence Management
• Document Management
• Instant Reporting
• CRUCIALLY… GDPR COMPLIANCE
28. GDPR Data Systems Consultancy
• MailChimp (or another email marketing system) is commonly suggested as a
solution to GDPR because it tracks sign-ups and has good tools to enable
subscribers to amend their own records or unsubscribe etc.
• But no organisation uses an email marketing system like MailChimp as its Contact Database (the one it goes to for sending individual emails or looking up phone numbers etc.), because such systems are not designed for that purpose.
• Therefore, systems like MailChimp have to be used in conjunction with other
systems such as
• email systems (Gmail, Outlook etc.)
• mobile phone contact databases (on Android, Apple etc.)
• accounts systems etc.
29. GDPR Data Systems Consultancy
• When running consent campaigns you should include all your email contacts, but do you verify the email addresses before sending your campaign out?
• Doing so can save you from being blacklisted on spam detection databases.
• If you use a system like MailChimp to send emails out to your mailing list
seeking their consent to remain on your marketing list what happens if
• Contacts don’t open your emails?
• Contacts unsubscribe?
• Contacts amend the information you hold about them?
• Wherever else you hold information on those Contacts, you are supposed to
update or delete the information to prevent re-use or leakage of that
information.
• Would it not be better to have a central Contact Database and only use that
throughout the company?
30. Customer Relationship Management
GDPR Data Systems Consultancy
These systems comprise some or all of the following features
• Centralised Contact Database.
• Multi-user access.
• Reporting and dashboards.
• Sales lead management.
• Deals and Tasks.
• Appointments and scheduling.
• Campaign management.
• Email tracking.
• Social media management.
• Mobile version.
• Lead capture and tracking e.g. using a form on your website.
Who knows what CRM stands for?
31. GDPR Data Systems Consultancy
• CRM systems can solve your GDPR problem by keeping all of your
Contact Data in one centralised database with traceability.
• If you don’t or cannot have all of your data in one system (which is usually
the case) then there is a solution that can help by synchronising in the
background whenever a change is made to the data in any of your systems
(provided that they are cloud based contact management systems like
MailChimp, iCloud, Google Contacts etc.).
• You can see a quick video explanation of this system on the front page of my
website - https://mylocal.org.uk/ - and sign up for a 14 day trial if you wish.
34. Cyber insurance
Fraud and cyber now make up 47.3% of crime, according to Global Data’s UK Cyber Insurance report. [Pie chart: fraud and cyber crime vs. other crime]
A data breach could cost your UK business up to £3m on average.
Conversion on xe.com/ucc correct as at 12/07/17
35. Cyber crime in the UK. Are you covered?
A 2016 report about cyber resilience produced by the Federation of Small Businesses (FSB) suggests smaller firms are collectively attacked 7 million times per year, costing the UK economy an estimated £5.26bn.
Given the scale of concern relating to cyber risks among SMEs, it is interesting that only 13.7% reported holding a cyber-insurance policy.
IT and cyber risks generated the most concern among SMEs according to our 2016 UK SME Insurance Survey.
24% of UK businesses detected one or more cyber security breaches or attacks over the past 12 months according to the UK government’s 2016 Cyber Security Breaches Survey.
36. Why do you need Cyber Insurance?
Does your business depend on technology, data security and the Internet in order to trade? If so, you should be taking preventative measures against cyber-attacks.
Cyber-attacks can lead to costs from handling a data breach, lost
revenue, a damaged reputation, and legal and regulatory costs – not to
mention the associated business disruption!
That’s why at Swinton Business, we’re pleased to have partnered with
insurers to offer our customers Cyber Insurance, designed to protect
your business against potential cyber-related risks.
What am I covered for with Cyber Insurance?
With cover starting from £100,000, Cyber Insurance can help cover costs
that arise from dealing with a security breach, support against malicious
attempts to seize control of, and withhold access to your operational or
personal data until a fee is paid, and can help cover the loss of income if
a cyber-attack interrupts your business operation.
Having Cyber Insurance also means that you’ll get access to 24/7
support, providing immediate and expert advice to help deal with your
claim and get guidance on preventative measures that can be taken to
stop further damage from happening.
38. The Insurers we have partnered with could help cover against:
Breach costs: Support in the event of a data breach, including forensic investigations, legal advice and cover for breach notification and customer assistance.
Cyber Business Interruption Loss: Compensation for loss of income whilst your business recovers from a cyber-attack.
Cyber Extortion: Protection from malicious attempts to seize control of, and withhold access to, your operational or personal data.
Data Corruption: Protection from the damage inflicted by a cyber-attack that leads to the loss, corruption or alteration of data, as well as the misuse of computer programmes and systems.
Cyber Liability: Support for damages and defence costs if a business fails to keep a customer’s personal data safe or mistakenly infringes someone’s copyright.
Cyber Forensic Support: 24/7 support from cyber specialists recommended by your insurer in the period following a hack or data breach.
39. Cyber Insurance at a glance:
• Cover for the costs of investigating and dealing with data breaches
• Cover for the costs of dealing with cyber liability claims
• Cover for business losses from a cyber-attack
• Cover for notifying your customers of a data breach
• 24/7 support to help you deal with the impact of cyber crime
• Access to expert advice and support e.g. IT, legal, forensic and media relations when an incident occurs
40. Claims Examples
Data Corruption – Former Employee
• System became erratic, programs unavailable and data missing.
• Data restoration and recreation required.
• £26,865 paid
Cyber Liability – Email Virus
• IT investigations confirmed a virus.
• Former customer sued for damages after being infected by e-mail.
• Damages and legal fees incurred.
• £38,250 paid
Cyber Business Interruption
• Marketing firm’s website taken over by hackers.
• Extensive IT work to regain control.
• Significant business loss.
• £35,714 paid
41. Quotation Process
• Business name, address and location of I.T.
• Business description
• Estimated annual turnover
• Cost to replace computers, laptops, smartphones, scanners, copiers, etc.
• Cost for increased cost of working/reinstatement of data
• Details of any previous claims, losses or incidents
• Confirmation that you perform backups at least every 7 days, have a firewall in place and a purchased anti-virus product in place (not a ‘free’ product)
As a starting point, the ICO has developed 12 steps to take now – for organisations to make a start in planning how they’re going to comply by May 2018.
You’ll need to check them all, but a few highlights include:
Privacy notices - Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. Note that the GDPR requires the information to be provided in concise, easy to understand and clear language.
The ICO’s Privacy notices code of practice was revised a couple of months ago and now reflects the new requirements of the GDPR. Make sure you read it and make the changes you need to.
Individual rights - The main rights for individuals under the GDPR will be:
subject access
to have inaccuracies corrected,
to have information erased,
to prevent direct marketing,
to prevent automated decision-making and profiling, and
data portability.
You’re likely to come across some, if not all, of these in schools so you’ll need to know what your obligations are so you can properly deal with any requests you receive.
SARs - The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request, and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with a subject access request: manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
Consent – if you process any personal data on the basis of consent, you’ll have to review how you are seeking, obtaining and recording consent and whether you need to make any changes. Consent must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual’s agreement. That’s a high standard. This will likely be relevant for any contact preferences you may have set up with parents and alumni, perhaps for school fundraising purposes.
Children - You should start thinking now about whether you will need to gather parental or guardian consent for the data processing you carry out. For the first time, the GDPR will bring in special protection for children’s personal data, particularly (ONLY) in the context of commercial internet services such as social networking. If you arrange for children in your school to sign up for apps in the classroom, or for homework, you’ll need to think about how consent can be obtained.
Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach – for example if you lose some personal data or disclose data to the wrong recipient. The GDPR will bring in a breach notification duty for all organisations. Not all breaches will have to be notified to the ICO – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. If you do need to report it you’ll have to do it within 72 hours of the breach being discovered.
You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments – When your school is considering using data in new and innovative ways, or considering implementing new technology to monitor pupils in some way, it’s currently good practice to carry out a privacy impact assessment. This will become a legal requirement in some circumstances under the GDPR. You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. You should start to assess the situations where it will be necessary to conduct a DPIA.
It has always been good practice to adopt a privacy by design approach and the ICO has recommended organisations use privacy impact assessments for some time now. However the GDPR will make this a legal requirement for some projects.
Data Protection Officers – Many schools will need to designate a Data Protection Officer. You’ll need to decide who this will be - or at least identify someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer – all public authorities must, so many schools will require one.
So we’ll read the guidance – but how else do we prepare ourselves?
A good start is to carry out an information asset audit – know what data you have, for what purposes you’re processing it, who you’re sharing it with, and what legal basis / schedule conditions you are processing it under.
ICO good practice guidance – such as Conducting privacy impact assessments COP, Privacy notices COP, Data sharing COP, Anonymisation, cloud computing etc – if you don’t already, look at it and see how you could process data in accordance with it, as much of our good practice guidance is included in the GDPR as law.