Human Capital Department's GDPR Pop Up presentation on GDPR held at Yours Business Networks King's Lynn on the 26/04/18.

1. GDPR POP UP 26th April 2018
Welcome to our HR Forum

2. Guy Pyle
Director

3. Some myths about GDPR
• We are going to be brexiting and this is an EU law and
therefore doesn't apply.
• The ICO is understaffed and only has approx. 15 staff.
• They are not going to look at SME business as they
only fined people like TalkTalk and Tesco.
• We don’t hold any personal data as we only deal in
B2B relationships.
• I have a compliance certificate from a company.

4. Minimise the risk
• Assess the risk – what personal data do you process,
and how?
• Policies
• Responsibilities
• Training and awareness

5. Where to start?
• Perform a GAP analysis looking
at and answering questions
such as;
• What data do we process?
• For what purposes?
• What legal basis do we use?
• Who do we share data with?
• What systems do we have in place
keeping this data safe ?
• What happens if or when we have
a data breach ?

6. What rights to Citizens have now
1. Information ( Privacy Notice).
2. Access there own personal data (subject access request0.
3. Correct their personal Data (Rectification).
4. Erase their Personal Data (Right to be forgotten).
5. Restrict data processing.
6. Object to data processing.
7. Export their personal data to another data controller.(right to
portability).
8. Not to be the subject of automated decision making, Including profiling
(CA).
9. Be notified of data security breech.
10. Sue data controller and or data processor for material or non material
damages resulting from a data breech of GDPR.
11. Report the issue to the ICO for investigation.

7. Don’t leave it to late because
The ICO has issued the following statements when asked
• Are you willing to go the full distance and fine companies 17
million pounds ?
• Response was YES We have to be willing to do so…. It’s absolutely the case that we will be
imposing fines against large and small entities based on the issues that come across our
desks and the areas of risk we identify.
• Will there be any leeway to ease companies into the new,
stricter punishment regime?
• Response was NO. There is not going to be any amnesty or first or second chances. On the
other hand the GDPR does set out criteria when we look at what the scale of the fine we
may issue. We are obliged to take into account the level of cooperation between us and
the controller, the number of affected subjects and the effect of loss on those subjects and
any previous breaches.

8. Thank you for listening
I will be around to answer any question after the presentation have
all be given.

9. Guy Pyle
Director

10. 9

11. GDPR Pop Up Forum
– the Employer/Employee
Perspective

12. The basics
• Who is a “data subject”?
• What is covered?
• Who is a data controller?
• Who is a data processor?

13. The 6 Principles

14. GDPR Information Audit & Review
First Steps…

15. Case Study – Employee data

16. How is data breached

17. Breaches - Fines

18. 17

19. &
How HR systems can help you comply

20. 5 questions you need to ask yourself
1) Is the data you’re responsible for actually
secure?
• Cloud based systems are very tight on data security
• Usernames and password are better than a filing
cabinet

21. 2) How quickly can you access
personal data?
• Having a centralised system let’s you
access data immediately
• Removes cost barrier for providing
subject access requests
• You can decide who has access to
what information

22. • How long does it take
to update a
spreadsheet?
• Employees can update
their own details
3) Is the data you
hold accurate and
up to date?

23. 4) Can you remove all personal data that’s no longer
required?
• Employee have the ‘right to be forgotten’
• Delete means delete in HR software.

24. 5) Can you prove consent to use the
data you hold?
• Transparency of data is achieved through
self-service
• Store contracts and declarations of consent

25. Understanding the relationship
Employee
DATA SUBJECT
You
DATA CONTROLLER
HR System
DATA PROCESSOR
Software acts as the data processor. This means we process clients’ data in
accordance with GDPR and you, the client, act as the data controller.

26. • Holiday Management
• Absence Management
• Document Management
• Instant Reporting
• CRUCIALLY… GDPR COMPLIANCE
What other benefits are
there?

28. GDPR Data Systems Consultancy
• MailChimp (or another email marketing system) is commonly suggested as a
solution to GDPR because it tracks sign-ups and has good tools to enable
subscribers to amend their own records or unsubscribe etc.
• But no organisation uses email marketing systems like MailChimp as their
Contact Database which they access for sending individual emails or looking
up phone numbers etc. because they are not designed for that purpose.
• Therefore, systems like MailChimp have to be used in conjunction with other
systems such as
• email systems (Gmail, Outlook etc.)
• mobile phone contact databases (on Android, Apple etc.)
• accounts systems etc.

29. GDPR Data Systems Consultancy
• When running consent campaigns you should include all your email contacts but
do you verify the email addresses before sending your campain out?
• Doing so can save you from being blacklisted on Spam detection databases.
• If you use a system like MailChimp to send emails out to your mailing list
seeking their consent to remain on your marketing list what happens if
• Contacts don’t open your emails?
• Contacts unsubscribe?
• Contacts amend the information you hold about them?
• Wherever else you hold information on those Contacts, you are supposed to
update or delete the information to prevent re-use or leakage of that
information.
• Would it not be better to have a central Contact Database and only use that
throughout the company?

30. Customer
Relationship
Management
GDPR Data Systems Consultancy
These systems comprise some or all of the following features
• Centralised Contact Database.
• Multi-user access.
• Reporting and dashboards.
• Sales lead management.
• Deals and Tasks.
• Appointments and scheduling.
• Campaign management.
• Email tracking.
• Social media management.
• Mobile version.
• Lead capture and tracking e.g. using a form on your website.
Who knows what CRM stands for?

31. GDPR Data Systems Consultancy
• CRM systems can solve your GDPR problem by keeping all of your
Contact Data in one centralised database with traceability.
• If you don’t or cannot have all of your data in one system (which is usually
the case) then there is a solution that can help by synchronising in the
background whenever a change is made to the data in any of your systems
(provided that they are cloud based contact management systems like
MailChimp, iCloud, Google Contacts etc.).
• You can see a quick video explanation of this system on the front page of my
website - https://mylocal.org.uk/ - and sign up for a 14 day trial if you wish.

33. Cyber
Insurance
with
Swinton
Business

34. Cyber
insurance
Fraud and cyber now make
up 47.3% of crime,
according to Global Data’s
UK Cyber Insurance report.
Fraud
and
cyber
crime
Other
crime
A data breach could cost your UK
business up to £3m on average.
01
Conversion on xe.com/ucc correct as at
12/07/17

35. Cyber
crime in
the UK. A 2016 report about cyber
resilience produced by the
Federation of Small
Businesses (FSB) suggests
smaller firms are
collectively attacked 7
million times per year,
costing the UK economy
an estimated £5.26bn.
Are you
covered?
02
Given the scale of
concern relating to
cyber risks among
SMEs, it is interesting
that only 13.7%
reported holding a
cyber-insurance
policy.
IT and cyber risks
generated the most
concern among SMEs
according to our 2016
UK SME Insurance
Survey.
24% of UK businesses
detected one or more
cyber security breach
or attack over the past
12 months according
to the UK
government’s 2016
Cyber Security
Breaches Survey.

36. 03
Why do you
need Cyber
Insurance
Does your business depend on
technology, data security and the
Internet in order to trade?
If so, you should be taking
preventative measures against
cyber-attacks.
Cyber-attacks can lead to costs from handling a data breach, lost
revenue, a damaged reputation, and legal and regulatory costs – not to
mention the associated business disruption!
That’s why at Swinton Business, we’re pleased to have partnered with
insurers to offer our customers Cyber Insurance, designed to protect
your business against potential cyber-related risks.
What am I covered for with Cyber Insurance?
With cover starting from £100,000, Cyber Insurance can help cover costs
that arise from dealing with a security breach, support against malicious
attempts to seize control of, and withhold access to your operational or
personal data until a fee is paid, and can help cover the loss of income if
a cyber-attack interrupts your business operation.
Having Cyber Insurance also means that you’ll get access to 24/7
support, providing immediate and expert advice to help deal with your
claim and get guidance on preventative measures that can be taken to
stop further damage from happening.

37. What am I
actually
covered
for?

38. The Insurers
we have
partnered with
could help
cover against:
 Breach costs: Support in the event of a data breach including
forensic investigations, legal advice and cover for
breach notification and customer assistance
 Cyber Business Interruption Loss: Compensation for loss of income
whilst your business recovers from a cyber-attack.
 Cyber Extortion: Protection from malicious attempts to seize control
of, and withhold access to, your operational or personal data.
05
 Data Corruption: Protection from the damage inflicted by a
cyber-attack that leads to the loss, corruption or alteration of
data as well as the misuse of computer programmes and
systems. .
 Cyber Liability: Support for damage and defence costs if a
business fails to keep a customer's personal data safe or
mistakenly infringe someone's copyright.
Cyber Forensic Support: 24/7 support from cyber specialists
recommended by your insurer in the period following a hack
or data breach.

39. Cyber
Insurance at
a glance:
 Cover for the costs of investigating
and dealing with data breaches
 Cover for the costs of dealing with
cyber liability claims
 Cover for business losses from a
cyber-attack
 Cover for notifying your customers
of a data breach
 24/7 support to help you deal with
the impact of cyber crime
 Access to expert advice and
support e.g. IT, legal, forensic and
media relations when an incident
occurs
06

40. 07
Claims
Examples
Data Corruption – Former Employee
 System became erratic,
programs unavailable and data
missing.
 Data restoration and recreation
required
£26,865 paid
Cyber Liability – Email Virus
 IT investigations confirmed a
virus
 Former customer sued for
damages after being
infected by e-mail
 Damages and legal fees
incurred
£38,250 paid
Cyber Business Interruption
 Marketing firm’s website
taken over by hackers
 Extensive IT work to regain
control
 Significant business loss
£35,714 paid

41. 08
Quotation
Process
 Business name, address & location of I.T.
 Business Description
 Estimated Annual Turnover
 Cost to replace Computers, Laptops, Smartphones, Scanners, Copiers, etc.
 Cost for Increased Cost of Working/Reinstatement of Data
 Details of any previous claims, losses or incidents
 Confirmation that you perform back-up’s at least every 7 days, have a
firewall in place and a purchased anti-virus in place (not a ‘free’ product)

42. 00
Thank you

43. 42
Questions and Answers

44. Leadership and Management Development
31st May 2018
Our next HR Forum