General Data Protection Regulation (GDPR) Ian Walters Learning and development director SD Worx UK Ltd

Page 1

General Data Protection Regulation (GDPR)

Ian Walters, Learning and development director, SD Worx UK Ltd

Page 2

European General Data Protection Regulation, July 2017

Page 3

GDPR

"The General Data Protection Regulation promises the biggest shake-up to European privacy laws for 20 years. The changes needed to comply with the Regulation are significant and the two-year implementation period is likely to go quickly; you should start to prepare for them now."

Elizabeth Denham, ICO 2016

Page 4

Change of scope

Services: Applies to all EU companies AND to foreign companies that offer services to individuals in the EU

Law: Becomes law on 25th May 2018

Existing: It greatly extends existing data protection laws.

Brexit: Whatever happens with Brexit, it has no impact on this law.

Page 5

Terms

Personal Data – Any data from which a person can be identified
Data Subject – Who the data is about, usually an employee or a client's employee
Data Controller – Who owns the data, usually a client
Data Processor – The person processing data on behalf of the controller
Processing – Doing anything with data: reading, amending, storing, destroying, etc.

Page 6

Our Data Protection Legal Duties

8 Data Protection Principles

1. Fair & Lawful
2. Specified Purpose
3. Adequacy
4. Accuracy
5. Retention
6. Rights
7. Security
8. International

New Legal Duties under the Principles (comes into effect May 2018 regardless of Brexit)

− Duty to report Data Breaches
− Right for Data Subject to access data
− Right to Rectification
− Right to be Forgotten
− Data Portability (format)
− Privacy by Design
− Data Protection Officers

Page 7

Getting it wrong has serious consequences

Fines

− Serious fundamental breaches (basic principles, data transfer) can result in fines of €20m or 4% of global turnover, whichever is greater
− Lesser infringements (non-reporting) can result in fines of €10m or 2%, whichever is greater

Compensation

− Any person who has suffered damage as a result of infringement has the right to compensation

Not to mention the impact on reputation

Page 8

Market Reaction

− Companies are worried about new legal duties and increased liability
− Customers are seeking to avoid the issue by putting unlimited liability onto suppliers
− This is only being further endorsed by scaremongering in the marketplace
− New professionals establishing themselves as GDPR experts!

Page 9

Reality

For data processor and data owner

Legal duty and liability are now placed on the data processor as well as the data owner

− Legislation requires authorities to fine according to blame
− Size of fines will reflect behaviour
− Focus for all should be on technical compliance
− Companies can take out liability insurance

Page 10

Ensuring you are GDPR Ready

Maintaining investment in your security

ISO27001 accreditation

− Gives an independent certification that you are doing the right things
− Provides a framework to ensure you meet legal obligations
− Builds a culture of security allowing you to manage and reduce risk
− Offshore transfers will be subject to the same controls
− Ideally gain accreditation prior to implementation of GDPR legislation in May 2018

ISO27001 & GDPR compliance

− Require you to document what you hold, why and how you protect it
− Privacy impact assessments require the same inputs as risk management
− Awareness and training require consistent messages
− Breach notification & Security Incident management go hand in hand

Page 11

Ensuring you are GDPR Ready

Maintaining investment in your security

Focus on technical compliance

− Broad Risk Management Approach: understand the requirements, identify gaps and have a plan to close them
− Encryption and Anonymisation should be planned in to improve technical and organisational measures

Focus on internal & colleague compliance

− Consider a GDPR readiness team – action plans for all areas
− Audit of your programme
− Full review of all incident, security & privacy policies and processes to ensure integration of GDPR requirements
− Risk assessments across all relevant areas of your business: IT, Operations, etc.
− Full Security & GDPR training should be provided for all colleagues

Page 12

Think Check Act

New Security Awareness Communications

THINK. CHECK. ACT.

As a leading HR & Payroll company, SD Worx are in receipt of highly confidential customer information; ensuring that we do everything we can to protect this data is vitally important to our organisation.

It's important you fully know and understand direct responsibilities to protect data at all times.

Look out for our new security awareness campaign: Think. Check. Act.

These posters and internal communications will share with you best practice, give hints and tips on ways to keep data safe and how you can apply Think. Check. Act. every day.

Please read these communications fully; you play the most important part in keeping all data safe.

Kind Regards

Charlie

Charles Knox
Head of Technology

Page 13

Demonstrate your Expertise

This is your opportunity to lead the way!

− Great chance to lead your organisation's discussion on GDPR and reduce the worry
− If you are interested in signing up to an industry code of conduct, let me know
− This is a fantastic opportunity to present the case for our profession and how we can improve compliance
− 3 out of 4 HR leaders see data privacy and compliance as a factor influencing their purchasing decisions; your action may influence how your company chooses to go forward

Page 14

Questions & Answers – FAQs from prospects

1. How do we know your Security/Privacy Policies/Practices/Technologies are compliant and at least as good as ours?
2. How do we know you will be ready for GDPR, and what if you are not?
3. If it goes wrong, how can I prove I have made the right decisions and cover myself?
4. Does your company insurance cover customer liability too?

Page 15

GDPR Questions & Answers

How do we know your Security/Privacy Policies/Practices/Technologies are compliant and at least as good as ours?

As an outsourcer we invest significant amounts in Security, Privacy and Compliance related activities and will continue to do so. Compliance is the foundation of everything we do.

We have been dealing with legislative change for a number of years and have never failed to be ready, recent examples being RTI/Pensions.

− Our Security Standards are consistent with industry best practice and we are on the journey to certification (review opportunity to get interim statement from Q3)
− We partner with some of the best names in the industry to ensure our systems remain secure
− We invest in our people, ensuring they know what is coming and how to deal with it

Page 16

GDPR Questions & Answers

How do we know you will be ready for GDPR?

As a leading European organisation we are used to working under strong data protection legislation and are confident we understand what is required. Personal and sensitive data is key to every transaction, so we live and breathe it.

We have been watching the legislation from the start and investment started last year.

We have a comprehensive action plan and will share regular updates on readiness from an Organisational and Product perspective.

Integrity has been one of our core values for a number of years; it requires a systematic approach and transparency.

Page 17

GDPR Questions & Answers

If it goes wrong, how can I prove I made the right decisions and cover myself?

− We have the following standard documentation that outlines the technical and organisational controls we have in place
− You can have access to our independent security and compliance reports
− We will be transparent in every audit, all of which gives you confidence that this is the right decision

Page 18

GDPR Questions & Answers

Does your company insurance cover customer liability under GDPR?

Yes, SD Worx takes out insurance to cover its own liabilities as data controller over its own employee data and for its commercial liabilities as a technology services provider.

It's important to note, though, that this cover does not extend to customers and their own liabilities to their employees. Customers should seek to put in place their own insurance provision.

However, as a technology services provider, it is prohibitively expensive for us to take out insurance to cover our customers' liabilities as well.

Page 19

Time to get your thinking caps on!!

Page 20

Question 1: What difference will Brexit make to this legislation?

Heads - Brexit will override GDPR
Tails - It will have no impact

Answer: Whatever happens with Brexit, it has no impact on this law.

Page 21

Question 2: What is the name of the ISO Standard to support this legislation?

Heads - ISO 27001
Tails - ISO 29001

Page 22

Question 3: What term best describes the "Data Subject"?

Heads - Who the data is about
Tails - Who owns the data

Glossary – Data Subject: Who the data is about – usually a client's employees

Page 23

Question 4: When will the law come into effect?

Heads - 31st May 2018
Tails - 25th May 2018

Answer: Becomes law on 25th May 2018

Page 24

Question 5: What is the maximum fine companies can receive?

Heads - €40m or 6%, whichever is greater
Tails - €20m or 4%, whichever is greater

Answer: €20m or 4%, whichever is greater

Page 25

Question 6: Which companies does this affect?

Heads - Just EU Companies
Tails - Anyone providing services to people in the EU

Answer: Applies to all EU companies AND to foreign companies that offer services to individuals in the EU

Page 26

Question 7: What is the maximum compensation payable to an individual affected?

Heads - Unlimited
Tails - €1M

Answer: Unlimited

Page 27

Question 8: What term best describes the "Data Controller"?

Heads - The person processing data
Tails - Who owns the data

Glossary – Data Controller: Who owns the data – usually a client

Page 28

Decider…

What is the largest fine ever issued under DPA legislation? £400,000

How many people were affected? 157,000

What is the largest fine allowed under current DPA law? £500,000

Page 29

Questions?