It’s the end of the world as we know it: dark tales of GDPR


Page 1: It’s the end of the world as we know it: dark tales of GDPR · Current GDPR Work within Jisc: Information assets Information Asset Register Electronic Information requires on-going

It’s the end of the world as we know it: dark tales of GDPR

Page 2

Global spend estimated at $300 to $500 billion combating the bug

Page 3

“Banks could be stung for €5bn under GDPR, screams latest report on industry readiness”

“Worldwide Climate Of Fear Over GDPR Data Compliance Claims Veritas Study”

“Last year's ICO fines would be 79 times higher under GDPR: TalkTalk's £400,000 penalty was big – how about £59 MILLION?”

“Fears data protection rules could close small firms”

“Cyber insurance ‘unlikely to cover massive GDPR fines’ ”

“Last year’s ICO fines would soar to £69 million post-GDPR”

Page 4

Here be dragons

Page 5

Don’t make business decisions based on FEAR

“After Brexit the GDPR won’t apply to the UK”

A recent survey revealed that 44% of firms think the regulation will not apply to UK business after Brexit. The UK is bringing it into law by 25 May 2018, and a new bill is going through Parliament to keep it in force post-Brexit. £££££££££

“I am a GDPR expert offering consultancy”

There is no case law and there are no enforcement actions yet to offer compliance guidance. The final UK implementing legislation and the ICO’s guidance are still to come, so how can anyone be an expert? Be sceptical!! ££££££££££

“You can buy our GDPR solutions now”

There is no silver-bullet technology solution. How GDPR will be interpreted and enforced is still unknown, so claims of compliance are premature. ££££££££

“Our product will make you compliant”

Some tools can help with auditing what data you hold, but there is no miraculous product that will make you compliant simply by purchasing and installing it. ££££££££££

Information Commissioner’s Office:

Don’t focus on the fines regime; “focus on risk, transparency, control and accountability”

Page 6

Data Protection Key Changes with GDPR

Focus on 4 key changes:

1. Accountability

• Jisc processes personal data belonging to Staff and Members

• We are required to document what personal data we hold, where it came from and who we share it with – an Information Audit

• Document personal data flows and processing activities

• Data Processors are now directly accountable for the personal data they process

Page 7

2. Privacy by Design

• Inclusion of data protection compliance from the outset of systems and process design, including research and development, pilot projects and services

• Data Protection Impact assessments where appropriate

3. Consent

• Conditions of consent tightened – clear and concise terms and conditions

• Most of Jisc’s processing is likely to need a lawful basis other than consent (e.g. contract, legal obligation or legitimate interests), and each basis must be identified and documented – process and privacy changes

Page 8

Data Protection Key Changes with GDPR

4. Reputational Damage and Penalties

• Reputational damage of a Member data breach would do Jisc serious harm

• Add to this the rise in the maximum fine from £500,000 under the Data Protection Act 1998 to 20 million euros or 4% of annual global turnover, whichever is higher, under GDPR

• Important change – Rules apply to data processors – we are increasingly processing and giving insight on Member data

Other changes include:

• Breach Notifications

o Breach notification is mandatory where a breach is likely to result in a risk to individuals

o Controllers must report notifiable breaches to the ICO within 72 hours of becoming aware of them; data processors must notify the controller “without undue delay” after becoming aware of a breach

• Additional Rights

o The GDPR also grants data subjects a number of rights over their information (e.g. access, erasure, portability) – waiting for final ICO guidance (December at the earliest)

Page 9

GDPR at Jisc: GDPR Working Group

Established GDPR Working Group:

• Head of Information Strategy (Jisc Data Protection Officer)

• Legal Team

• Regulatory Team

• Head of Information Security

• Membership and Sales subject specialist (technology and the law)

• Jisc Resources specialist

Remit: to deliver GDPR within Jisc and to give guidance and support to the FE, HE and Skills sector

Page 10

Implementing GDPR at Jisc: timeline Jan 2017 to May 2018 (workplan following the ICO’s 12 steps; only the last two items survive extraction)

11. Children (ICO Step 8)

12. International (ICO Step 12) – not applicable to Jisc

Page 11

Current GDPR Work within Jisc: Information assets

Information Asset Register

✓ Electronic information requires on-going management supported by processes, systems and tools

✓ Current ways of managing information are siloed and outdated

✓ Information gathering exercise to identify our ‘information assets’ and obtain key information about them

✓ Produce individual team information asset registers with an overarching corporate one.

For the Business

• Data Quality: a whole-company approach gives us consistency in our metadata and taxonomy. The IAR tool can support quality processes (ISO 9001)

• Operational Improvements: the process of populating and maintaining an IAR will highlight information that no longer has value

• Usability in Office 365: team sites and document libraries can be tailored to suit specialised work. It will be designed to have minimal impact on users

For GI teams

• Disaster Recovery: identify business-critical information, allowing us to prioritise what is restored first

• Service Control: business requirements for usability of information can be incorporated into business continuity plans

• Permissions: identify who needs to access information (internally and externally)

For Jisc

• GDPR and Information Security: the IAR identifies personal and commercially sensitive information assets so that appropriate security can be applied. A mandatory requirement for the GDPR

• Information Governance: Business Asset Owners will use the IAR as an overview of the information under their care – an idea for induction of new staff

• Information Risk Management: identifying and analysing risks to information, which can be controlled through risk registers

• Information and Records Management: the IAR will identify metadata, target training, and identify retention and disposal

• Access to Information: the IAR will identify who needs to access the information (within the team, with wider Jisc, or external parties)

Page 12

Current GDPR Work within Jisc: Information assets

Information Asset Register: Our Process

1. Identify Information Assets

2. Gather additional information on each asset through interviews

3. Build individual team IARs based on the structure of the company-wide one

Topics

• Ownership of information

• Internal and external sharing

• Hosting and systems

• Classification and sensitivity of information

• Retention and risk assessment

• Versioning and permissions

What are your key business functions?

• Take each function and break down what Activities you do

• Do each of these activities need breaking down further?

These activities will be your Information Assets and the focus of the Information Gathering Workshops

Examples: Functions such as Risk Management, Data Governance, Systems Support, Contract Advice and Recruitment; Activities such as Board Papers, Training Papers and Policies

Structure: one Company IAR, with an individual team IAR for each team feeding into it

Page 13

Current GDPR Work within Jisc: Identifying and mitigating risk

Jisc Services and Systems Data Assessment

Page 14

Current GDPR Work within Jisc: Identifying and mitigating risk

Jisc GDPR Customer data risk matrix

For each risk level the matrix records which controls apply (✓ = applies, X = does not apply): Legal DP Ts & Cs templates; Privacy notice templates; Legal basis test; DP Impact Assessment criteria.

Risk level 1 – People using this service have direct interactions with Jisc (e.g. read a website, ask for information)

Current examples: Jisc website, Jisc Collections website, Archives Hub, Helpdesk

Legal DP Ts & Cs templates: X; Privacy notice templates: ✓; Legal basis test: X; DPIA criteria: X

Risk level 2 – People using this service have a direct, longer-term relationship with Jisc (subscribe to/register for the service)

Current examples: Zetoc, Sherpa, CfP

Legal DP Ts & Cs templates: ✓; Privacy notice templates: ✓; Legal basis test: ✓; DPIA criteria: X

Risk level 3 – A service with remotely administered users (i.e. not managed by Jisc but by third parties); Jisc relies on the third party to communicate with users

Current examples: BOS, RDSS, Liberate, Eduroam

Legal DP Ts & Cs templates: ✓; Privacy notice templates: ✓; Legal basis test: ✓; DPIA criteria: X

Risk level 4 – A service where we have no relationship with the users at all but are processing their data on behalf of a Data Controller

Current examples: Learning analytics, Security Services

Legal DP Ts & Cs templates: ✓; Privacy notice templates: ✓; Legal basis test: ✓; DPIA criteria: ✓

Page 15

Current GDPR Work within Jisc: Identifying and mitigating risk

Customer Service Data risk matrix templates

• Contract templates being worked on by the Legal team

• Master privacy notice on our website

• Templated shorter notices on each data collection page, giving details specific to that service and linking to the master privacy notice

• Apply to all new and existing services and systems, including R&D, beta and development projects using customer data

[This is the approved approach of the Information Commissioner’s Office]

Page 16

Current GDPR Work within Jisc: Identifying and mitigating risk

GDPR readiness for Employee data and systems

For each risk level the matrix records which controls apply (✓ = applies, X = does not apply): Legal DP Ts & Cs templates; Privacy notice templates; Legal basis test; DP Impact Assessment criteria.

Risk level 1 – Where employees volunteer personal data

Current examples: Jisc website

Legal DP Ts & Cs templates: X; Privacy notice templates: ✓; Legal basis test: X; DPIA criteria: X

Risk level 2 – Where employees are required to provide information

Current examples: Expenses system

Legal DP Ts & Cs templates: ✓; Privacy notice templates: ✓; Legal basis test: ✓; DPIA criteria: X

Risk level 3 – Where employees are required to provide special category data (known as sensitive personal data under the Data Protection Act 1998)

Current examples: New HR system; Finance system; SharePoint; TeamSeer

Legal DP Ts & Cs templates: ✓; Privacy notice templates: ✓; Legal basis test: ✓; DPIA criteria: ✓

Employee data and systems next steps

• Data protection requirements are now included in the procurement templates, so that data protection is addressed at the early stages of any new supplier system procurement

• Once the contract templates are completed, all existing supplier contracts will be reviewed and amended for GDPR compliance

• Produce a master privacy statement for the intranet, with separate shorter notices for the different levels and systems

Page 17

Jisc website

For more details about Jisc’s approach to GDPR and its support for the HE, FE and Skills sector see:

www.Jisc.ac.uk/GDPR

Page 18

Final thought

“ Don’t forget that 25th May 2018 is……

Day one”