Welcome To
GDPR Scotland
2017
#gdprscot
Martyn Wallace
Conference Chair
@Digital_MW
#gdprscot
Ray Bugg
DIGIT
@digitfyi
#gdprscot
www.digit.fyi
50,000 Monthly Page Views
30,000 Unique Visitors Monthly
News, Views, Opinion, Insight
#gdprscot
Our Next Event
www.digifutures.co.uk
Ken Macdonald
ICO
@ICOnews
#gdprscot
The Great Data
Protection Revamp
Ken Macdonald
Head of ICO Regions
@ICOnews
GDPR Scotland 2017
GDPR – 25 May 2018
LED – 6 May 2018
DPA 2018 – tbc
E-Privacy – tbc
@iconews
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk
or find us on…
ICO Scotland
45 Melville Street
Edinburgh EH3 7HL
T: 0131 244 9001 E: Scotland@ico.org.uk
Toby Stevens
Enterprise Privacy Group
@tobystevens
#gdprscot
GDPR Readiness
Dumb Ways to Fail
Slides removed due to copyright
Toby Stevens, Enterprise Privacy Group Ltd
Dumb Ways to Die © Metro Ways Melbourne dumbwaystodie.com
Dr Rena Gertz
The University of Edinburgh
@RenaRuadh
#gdprscot
The adventures of a DPO
Dr Rena Gertz PC.dp
University of Edinburgh
The ‘W’-Questions:
“Why”
“Who”
GDPR Scotland 2017
Why?
GDPR Article 37 - DPO is needed in any case where:
• The processing is carried out by a public authority or body, except for
courts, or
• The core activities of the Data Controller or the Data Processor consist of
processing operations which, by virtue of their nature, their scope and / or
their purposes, require regular and systematic monitoring of data subjects
on a large scale, or
• The core activities of the Data Controller or the Data Processor consist of
processing large volumes of Special Categories of Data or information
about criminal convictions and offences.
Who?
The DPO must have
• expert knowledge of Data Protection law and practices.
• excellent understanding of the organisation’s governance structure
– “Get the Bored Board on Board”
• necessary resources to fulfil the relevant job functions
• certain level of independence and degree of protection against dismissal
or other sanctions on grounds that relate to their performance of their
DPO tasks.
Who?
The DPO must be
• familiar with organisation’s IT infrastructure and technology.
• employed (“internal DPO”) or have a service contract
(“external DPO”)
The DPO may have
• other tasks within the organisation, so long as no conflict of
interest with the DPO role.
WP29: DPO must not determine the purposes and the
means of the processing of personal data
GDPR Scotland 2017
The role
• Statutory role:
– To inform and advise about obligations to comply with
GDPR and other data protection laws.
– To monitor compliance with the GDPR and other data
protection laws.
– To be the first point of contact for ICO and data subjects.
→ The go-to source for data protection advice.
How to find a DPO…
GDPR experts are all around us…
“Beware of GDPR Snake Oil: It's amazing how many
GDPR experts have suddenly appeared on places like
Linkedin and my email in-box.”
(Richard Gough, Head of Group IT Operations & Security at Punter Southall Group)
…who meets all requirements?
• “Wanted: a qualified, experienced DPO…”
• Qualification? Not expressly in GDPR, but often asked for
• Don’t:
– give the job to an existing member of staff and expect them to learn
it on the job;
– nominate a figurehead and then expect the people s/he manages to
do the work → where’s the independence?
• Ensure reporting chain and accessibility
– DPO must report to senior management and be accessible to all
within and outwith organisation
Shared DPOs - the situation
• You need:
– An experienced data protection officer
• You are:
– A small(ish) organisation that still needs a DPO
• They cost:
– Up to £50,000 in large organisations (stop laughing at
the back)
The solution – an external, shared DPO?
Sharing a DPO – a judgment of Solomon?
The pros:
• No political or organisational baggage
• Easy to act in an unbiased manner without fear for their job
• No worries about favouring certain departments or individuals
• Listened to with more respect than an employed colleague
• Lower costs
The cons:
• More difficulty with accessibility to data subjects and readiness to
resolve any issues raised by the subject or Supervisory Authority.
• Not as easily accessible to all sharing parties
• Allocation of time and tasks - service contract?
• Institutions will still need to employ people ‘on the ground’ to ‘do the
doing’ internally
• No intimate knowledge of the workings of the individual institutions and
how these may vary from each other
• What if something happens in two organisations at the same time? What
if the DPO is sick/on holiday?
Time’s running out…
• DPO to implement changes for GDPR?
• Case study (Ken, don’t listen…) senior professors auto-forward emails
to private gmail accounts:
– what would you do – pick your battles??
Breach management
• Putting appropriate system in place
• “Personal data can be paper?? Really???”
• Ensure reporting process involving DPO at early
stage – triage of incident reporting
Effective collaboration
• Be hands-on if you want to achieve something. Don’t rely on
others to do the work.
• Have a good sense of humour!
• Two options:
– Human cloning or:
– Network of Data Protection Champions:
• Properly trained
• Doing triage within Departments
• Only contact DPO for difficult cases
The benefits of diplomacy
• Get endorsement from Service Managers etc to avoid
treading on toes!
Implementing the GDPR in a large organisation –
like herding cats?
GDPR Scotland 2017
Noa Katz
Check Point
@katznoa
#gdprscot
©2017 Check Point Software Technologies Ltd.
A Proactive Security Approach for GDPR
A GDPR AWARE NETWORK
Noa Katz
Product Management, Mobility & GDPR, Check Point
Security + Regulations =?
• Quick recap
• GDPR compliance: documentation vs. action
• A security approach for GDPR:
– Fundamental security controls
– Best practices for GDPR
• A proactive security approach for GDPR
Agenda
• Framework: Cultural change to the data privacy game
• Essence: Data privacy as a fundamental right
• Impact: Worldwide, high penalties, here to stay
GDPR – What You Already Know
• Challenges:
– GDPR – Can’t tick a box to comply
– Not a security standard – limited specificity
– Novelty and ambiguity
• Compliance = documentation: Why? How? Where? What for?
• You still own technical responsibility
Documentation Vs. Action
✓ “data security, integrity and
confidentiality”
(Article 32)
– ‘Protection by Design’ Art. 25 – architecture focus
– Risk-based approach
– Data breach notification (72 hrs)
Data Security Approach for GDPR
• Staffing
• Data Audit and Classification
• Risk Analysis: Control vs. cost
• Logging of Activity and Breach Identification
• Fundamental Controls
A GDPR Aware Network: Where to Start?
Risk-based approach
GDPR Principles – Fundamental Controls
• Encryption
• Integrity of processing systems
• Quickly restore access
• Regular effectiveness assessment
• Defined access
• Avoid breach
Security Best Practices for GDPR
Assess your Risk – CPCheckMe.com
Enforcement Control Management
Security Controls Implemented
DLP Capsule
Docs
Security
Management
Compliance
Blade
Using Check Point Security Products for GDPR
• Integrated DLP - provides
awareness of personal data
flowing, monitoring of content, and
blocking of unauthorized data
transmission
• Check Point Capsule Docs - tools
for content classification
Classification with
Capsule Docs
Classification of Data
with Check Point DLP
Using Check Point Security Products for GDPR
• Smart Workflow
• SmartLog
Change approval controls,
full logging of
configuration, production
of audit-quality automatic
reports
Check Point R80’s SmartLog
Using Check Point Security Products for GDPR
• Security Management - separation of
duties without impact to operational
efficiency
Check Point
R80
Using Check Point Security Products for GDPR
• Check Point
Compliance Blade –
security definitions
consistent with
GDPR
A Proactive Security Approach for GDPR
A GDPR Aware Network
Why not think PREVENTION?
THE CYBER SECURITY ARCHITECTURE OF THE FUTURE
THE FIRST CONSOLIDATED SECURITY ACROSS NETWORKS, CLOUD,
AND MOBILE, PROVIDING THE HIGHEST LEVEL OF THREAT
PREVENTION.
NGTX GATEWAYS – Perimeter and Datacenter protection
SANDBLAST AGENT – Endpoint and Browsers protection
SANDBLAST CLOUD – Cloud Applications protection
SANDBLAST API – Custom applications protection
SANDBLAST MOBILE – Mobile Device protection
SHARING COMMON INTELLIGENCE AND THREAT MANAGEMENT
THE FIRST AND ONLY UNIFIED CROSS-PLATFORM THREAT PREVENTION
• You CAN be proactive in your GDPR efforts
• Strategies: data classification, scope definition, data usage policies, notifications and audit trails
• Combine security controls with a risk-based approach
• Choose a vendor you trust
• Focus on prevention
Key Takeaways
Download the whitepaper
Noa Katz
Product Marketing, Mobility and GDPR
Check Point Software Technologies
noakatz@checkpoint.com
Don’t be a stranger
Questions &
Discussion
Exhibition, Networking &
Refreshments.
Please check rear of badge
for breakouts
Martin Sloan
Brodies LLP
@Lawyer_Martin
#gdprscot
ABERDEEN • EDINBURGH • GLASGOW • BRUSSELS www.brodies.com/GDPR
Beyond information security – what is GDPR about?
GDPR Scotland Summit
Martin Sloan, Partner
21 November 2017
Blog: http://techblog.brodies.com Twitter: @lawyer_martin
Outline
• Separating fact from fiction
• Embedding privacy and GDPR in your organisation
• Developing a plan for compliance
• Six months to go – key priorities
GDPR Scotland 2017
A quick recap
• The biggest shake-up of data protection law in nearly 25 years
• The General Data Protection Regulation (GDPR)
– New EU-wide data protection law which will have direct effect in EU
member states
– Enters into force on 25 May 2018
– Greater consistency of regulatory treatment
– Stronger and more coherent data protection framework
– Backed by strong enforcement
• The Data Protection Act 1998 will be repealed
Evolutionary
Some concepts remain broadly similar
• Key concepts – personal data, sensitive personal data, processing, data
controllers, data processors etc
• Data protection principles – recognisable, but explicit reference to both
transparency and accountability
• Conditions for processing – similar, but some changes
• Data subject rights – broadly recognisable (subject access, rectification,
processing restrictions), but there are some new ones
• International transfers
• Basic data security obligations – BUT see new data security breach
notification requirements
• The ICO – still a UK national supervisory authority
What’s changing?
• Transparency – enhanced fair processing transparency requirements
• Consent – concept of consent tightened; easier for individuals to withdraw
• Accountability – obligation to demonstrate compliance; use of privacy
impact assessments; training; policies
• Administration – increased administration and record keeping
requirements
• Data subject rights – enhanced rights including subject access, increased
‘rights to be forgotten’ and data portability
• Organisational principles – data protection by design and by default
• Data processors – Statutory responsibility for data processors
• Data protection officers – mandatory for certain organisations
• Breach notification – mandatory breach notification for certain breaches
• Supervisory authorities – lead authority; formal consistency mechanism
• Sanctions – fines of up to 4% of worldwide turnover or €20M
Draft ePrivacy Regulation
• Current law:
– 2002 Directive/Privacy & Electronic Communications Regulations 2003
– Supplements DPA
• Draft ePrivacy Regulation published 10 January 2017
– Rules on electronic marketing largely unchanged – soft opt-in remains
– But incorporates definition of consent from GDPR
– Simplified rules on cookies/tracking tech – use of device settings
– New rules on identifying marketing calls
• Current status
Separating fact from fiction
Some GDPR myths
• GDPR is a revolution in data protection law
• The high fines will cause firms to go bust
• GDPR applies only to personal data processed after 25 May 2018
• Brexit means that we don’t need to worry about GDPR
• GDPR does not apply if personal data has been encrypted
• I can buy a product/service that will make me GDPR compliant
Image: https://iconewsblog.org.uk/
Some GDPR myths
• I can’t process personal data without consent
• There is an exemption for small business
• The right to be forgotten will stop my business from being able to provide
services to customers or employ my staff
• Every personal data breach will need to be reported to the ICO
• If I use the cloud then GDPR compliance is my service provider’s problem
• The ICO is still unlikely to take any enforcement action
Image: https://iconewsblog.org.uk/
Embedding privacy in your
organisation
Accountability
• Controllers are expected to be able to demonstrate that they comply
• New responsibilities include:
– Implementing ‘appropriate and effective measures’ for compliance
including appropriate data protection policies
– Data protection by design and default – building DP compliance (eg
data minimisation) into processing processes and activities
– Conducting privacy impact assessments for processing considered to
be ‘high risk’
– Detailed requirements to keep records of processing activities
– Express obligation to co-operate with regulators
Data Governance
Accountability
• Data processing activities, including:
– Purposes of the processing
– Description of the categories of data subjects and personal data
– Categories of recipients
– Details of data transfers outside the EEA
– Data retention periods
– General description of data security measures
• Register of data processors
• Register of personal data breaches
Record keeping
Accountability
• Mandatory for public authorities and controllers and processors whose core activities involve
– Regular processing of sensitive personal data
– Regular/systematic data monitoring of data subjects on a ‘large scale’
• Can be on group-wide basis so long as DPO is ‘easily accessible’
• DPO must
– have professional qualities and expert knowledge
– be allowed to perform responsibilities in an independent manner
– be supported and properly resourced
• Conflicts of interest
• DPO role – general advisory; compliance monitoring against GDPR and policies; training and
awareness; audits; privacy impact assessments; dealing with regulators – but NOT personally
responsible for compliance
• DPO may be an employee or a contractor
Data Governance – Data Protection Officers
Accountability
• Application
– GDPR requires DPIAs for “high risk” processing
– WP29 recommends DPIAs as an accountability tool in other situations
– WP29 considers the list of activities in article 35(3) to be non-exhaustive
– If no DPIA then you should document why it is not required
• Existing processing
– No need to carry out for existing processing – unless change to risk
• Timing, personnel and consultation
– Early stage and reviewed periodically (at least every three years)
– If you have a DPO then they must be involved
– Obtain views of data subjects (and if not document why)
• Publication
– WP29 recommends that data controllers should publish DPIAs
Data privacy impact assessments
Embedding privacy within your organisation
Policies and procedures and data protection by design
• Review and update your policies and procedures
– Employee facing policies and procedures (eg AUP, employee
monitoring)
– Employee training on data handling, breach reporting
– Team specific training/procedures?
– Data handling policies and procedures, eg
• DSARs, erasure, objections, portability
• Data retention
• Access controls
• New projects
– Data protection by design
– Use of privacy impact assessments
Developing a plan for
compliance
What if we’ve not yet started?
• Our 5 top recommendations
‒ Resource
‒ Data Mapping
‒ Data minimisation
‒ Review processing justifications
‒ Contract reviews
• Download our handy guide to preparing for GDPR:
http://brodi.es/PrepareForGDPR
Area: General
• Resourcing
– Requirement/Impact: Do you need to appoint/should you appoint a DPO? Increased requirements of GDPR will place additional compliance obligations on organisations.
– Action: Ensure responsibility for GDPR is clear at board level. Appoint a DPO quickly (if you’re appointing one). Properly resource ongoing compliance. Is there sufficient expertise within the organisation? Consider establishment of a central compliance function with responsibility for handling regulatory queries, DSARs/other individual requests, data security breaches, training etc.
• Data audit
– Requirement/Impact: Any GDPR compliance programme needs to be built on a complete picture of what data is being processed, why it is being processed and by whom it is being processed, to establish where the organisation is not GDPR compliant and to establish a prioritised action plan.
– Action: Conduct a data audit, remembering that the audit should catch processing
• Extra-territorial reach
– Requirement/Impact: Extra-territorial impact will catch processing outside the EU which targets EU citizens, even by organisations that have no EU presence or nexus.
– Action: For groups operating outside the EU, analyse any processing by non-EU group companies for GDPR compliance. Consider whether measures can be taken to avoid unnecessary GDPR reach.
Area: Accountability and Administration
• Accountability
– Requirement/Impact: More generally, organisations will need to implement appropriate policies and implement measures that demonstrate compliance.
– Action: Consider the adequacy of policies and measures. They may need to be revamped and you may need new ones.
• Transparency
– Requirement/Impact: GDPR requires more information to be included in privacy notices.
– Action: Privacy notices will need to be reviewed and updated. Use layered and ‘just in time’ notices.
• Consent based processing
– Requirement/Impact: Requirements for consent based processing are tighter. Likely to impact particularly in areas such as marketing.
– Action: Will existing consents be valid for GDPR purposes? If not, will they need to be refreshed, or can processing be grounded on an alternative basis?
• Data retention
– Requirement/Impact: Requirements for greater transparency mean that organisations will face greater scrutiny around data retention and destruction practices.
– Action: Ensure that the organisation has appropriate data retention and destruction policies and procedures and that they are being actioned both for new and legacy data.
• Privacy impact assessments
– Requirement/Impact: PIAs will be on a statutory footing under GDPR. Organisations must be prepared to carry out PIAs for ‘high risk’ processing and those operations for which PIAs are prescribed.
– Action: Develop PIA process and methodology and appropriate policies and procedures (see earlier).
• Record keeping
– Requirement/Impact: Many organisations will be required to keep records of processing being carried out.
– Action: Review record keeping to ensure adequacy. Consider if exemption applies (organisations with fewer than 250 employees, provided certain other conditions are met).
Area: Security
• Data security
– Requirement/Impact: Although data security standards are broadly the same, the requirements are more explicit, and the penalties for data security breach are greater.
– Action: Consider whether current data security standards are adequate.
• Data breaches
– Requirement/Impact: GDPR introduces requirements for mandatory data security breach notifications.
– Action: Introduce clear policy and procedure for internal reporting of data security breaches. Establish a central breach management unit.
Area: Commercial
• Contracts
– Requirement/Impact: New requirements for data processing agreements.
– Action: Review data processing agreements which will run post May 2018 and update contract templates.
• Technology refresh
– Requirement/Impact: New GDPR requirements may require additional functionality of legacy IT systems.
– Action: Review existing IT. Is it up to scratch? Consider contractual position before engaging with suppliers.
• Procurement
– Requirement/Impact: Ensure that GDPR is factored into new IT procurements.
– Action: Ensure GDPR compliance is factored into procurement decisions. Consider if a PIA is required.
Self Assessment Toolkit
Find out more: http://brodies.com/gdpr-self-assessment-toolkit
Six months to go…
Six months to go - key actions
• Appoint or resource your DPO (if you need to have one)
• Review and update your privacy notices
• Develop a strategy for refreshing consents (especially for direct marketing)
• IT projects/development work:
– re-engineer data collection forms/privacy controls in apps and websites
– review/reconfigure IT systems
– tools for enabling data subject requests
• Start creating key records and registers:
– Data processing register
– Register of data processors
• Get contract amendments in place
• Update policies and procedures
• Staff training and awareness
Questions…
GDPR Hub: http://www.brodies.com/GDPR
Blog: http://techblog.brodies.com
Twitter: @BrodiesTechBlog
@lawyer_martin
Leo Cunningham
Zonal
@ZonalUK
#gdprscot
strictly private & confidential
How will GDPR affect the IT
Department?
November 2018
▪ Risk Management and Compliance
▪ Security
▪ IT Strategy
▪ The Human Perspective: training, awareness,
collaboration
Agenda
Risk Management and Compliance
• Review existing privacy policies and statements in order to document how they compare with GDPR
requirements.
• Assess data subject rights to consent, use, access, correct, delete and transfer personal data.
• Discover and classify personal data assets and affected systems.
• Identify potential access risks.
Don’t forget the security requirements:
• Assess the current state of your security policies, identifying gaps, benchmarking maturity and
establishing conformance road maps.
• Identify potential vulnerabilities, supporting security, encryption and privacy by design.
• Discover and classify personal data assets and affected systems in preparation for designing security
controls.
Risk Management Process
Option A. Option B.
Bad Data Mapping
PII Scope
IT Security
1. Securing your data is the new imperative
2. Manage access to critical data
3. Hack yourself to anticipate future attacks
4. Strengthen your weakest link: Humans
IT Strategy
“Set priorities, focus energy and resources, strengthen operations, ensure that employees and other stakeholders are working toward common goals”
The Human Perspective
Training
• Issue a monthly GDPR bitesize comms throughout your organisation
• Provide supporting guides for your frameworks covering the basics in 60 seconds
• Drop in surgery
• Establish company wide e-learning to support your goals
• Get your IT department to sign up to sites such as: https://www.us-cert.gov/
https://csrc.nist.gov/ https://www.ncsc.gov.uk https://threatpost.com/
Awareness
Collaboration
Javier Ruiz
Open Rights Group
@javierruiz
#gdprscot
Beyond Compliance and
the Next Privacy
Challenges
Javier Ruiz, Open Rights Group
Privacy and data protection
• privacy: autonomy, conscience, enabling other rights and
democratic participation
• data protection: legal compliance, fairness, transparency
and accountability
• but it can get complicated
Challenges
Individual
• identifiability: is this personal data?
• complexity: can you explain your machine learning toy?
• micro targeting: fairness vs justice and risk pooling
• collective impacts: it's not who you are, but your data class
• mass manipulation: data, behavioural science and free will
Society
Ultimately it's about
power
How is GDPR going to fix all
this?
• GDPR compliance
• but also about rights: information, access, rectification,
erasure
• limited rights: objection, profiling, portability
• Data protection is a fundamental right under EU law,
which shall be missed after Brexit
Impact of GDPR for rights?
• Should have some positive impact for individuals, e.g.:
• pseudonymous data
• know your data accountability principle
• More on day to day common problems
• Less on difficult collective and social issues
Effectiveness of GDPR
• enforcement by data protection authorities
• individuals know their new rights
• stronger powers for consumer groups
Who gets the value
• Data is not the new oil
• Fair compensation
• A market of personal information?
• Fairness is good, but also justice
Privacy only for those who
can afford it is not OK
Public interest & consent
• Data for a better functioning society and economy
• Promises may be excessive
• but some data can be a force for some good
Public interest and consent
• Consent is doubly abused
• Public interest does not require consent, but it’s very
limited for companies
• But I'm doing a public good with my traffic app!
Privacy by design
• Nobody really knows, but not an afterthought
• Beyond compliance
• Privacy impact assessments
• EU funded VIRT-EU project to develop privacy, ethical
and social impact assessments
Customer centric systems
• Control over their data
• personal data stores, vendor relationship management
and other systems have been around for some time
• managing consent, data access, portability, etc.
• ICO grant to develop tools, talk to us!
Prof. Bill Buchanan OBE
The Cyber Academy
@billatnapier
#gdprscot
Panel Discussion
Javier Ruiz – Open Rights Group
Prof Bill Buchanan – The Cyber Academy
Maureen Falconer – ICO
Kevin Murphy - ISACA
Questions &
Discussion
Drinks and
Networking
Upstairs
Unstructured Data – Getting Prepared for GDPR
Glenn Martin
Copyright © 2017 Veritas Technologies
Understanding the Challenge (s)
The Reality of GDPR
“This law is not about fines. It’s about
putting the consumer and citizen first.
We can’t lose sight of that.”
Elizabeth Denham UK ICO
https://iconewsblog.org.uk/
KEEP
CALM
AND
PREPARE FOR
GDPR
Getting control of your unstructured data
Focus on the BUSINESS CHALLENGES
#1 Get to grips with your Databerg
#2 Data subjects need to be found to be forgotten
#3 What you keep must be protected
Veritas GDPR FRAMEWORK – Personal Data in Unstructured Data
• Uncover Personal Data and make it visible (Article 30)
• Make Personal Data searchable (Articles 15, 16, 17, 18, 20)
• Minimise and place controls around Personal Data (Articles 5, 17)
• Protect Personal Data from loss, damage or breach (Articles 5, 25, 32, 33, 34, 35)
• Ensure continual adherence to GDPR standards (Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44)
PII & Personal Data?
Personal Data
is similar to
PII
but not the same
Linked Information
Full Name
Home Address
Email Address
Social Security number
Passport number
Drivers license number
Credit Card numbers
Date of birth
Telephone numbers
Log in details
Linkable Information
First or Last name
Country, State, City, Postcode
Gender
Race
Non-specific age
Job position
Workplace
Personally Identifiable Information (PII)
Personal Data
Employment Information
Current and past employers
Position
Employee ID
Photographic Information
Family Photos
Family Videos
Student Photos
Employee Photos
Belief Information
Publicly Expressed Religion
Church Directory
Political or Philosophical beliefs
Political Donations
Biometric Information
Fingerprint
Retina scan
Facial image
DNA
Family Information
Spouse Name
Spouse Occupation
Children Names
Children Ages
Law Enforcement Information
Driving Record
Parking Tickets
Arrests
Convictions
Health Information
Claim forms
Health Insurance ID
Doctors notes
Medical condition
status
Demographic Information
Date of Birth
Height
Weight
Hair Colour
Government Issued ID
National ID
Driving License ID
Vehicle Registration
Passport Number
Communication Information
IP Address
URLs visited
Comments posted to websites
Email contents
How Dark is your data?
Data Genomics Report – Real-world Statistics
https://www.veritas.com/about/research-exchange
Structured data matters but…
Structured data
Well Managed
Well Defined
Visible
Under Control
Unstructured data
Unmanaged
Not defined
Invisible
Out of control
…it’s not the whole picture
What about De-structured data?
https://www.forbes.com/sites/forbestechcouncil/2017/06/05/the-big-unstructured-data-problem
ERP / CRM / HR
A 1.6Mb Excel file……150k rows of who knows what
PSTs = contains who knows what toxic emails
DB Dumps = the crown jewels
Log files = ?????
ZIPs = who knows
Not all files are created equal
• File Analysis Tools Report
https://www.gartner.com/doc/3814167/implement-file-analysis-gdpr-challenges
Using the Right Tools
Veritas Information Map
What are Backups For?
https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/backups/
Welcome Financial Services Limited was served a civil
monetary penalty of £150,000 after the loss of more than
half a million customers’ details. The organisation was
unable to locate two backup tapes which contained the
names, addresses and telephone numbers of customers.
Data on the backup tapes was not encrypted.
Know what you keep……keep what you know
Data Mapping & Inventory – Why, Who, What, When, Where of Personal Data
• Why do we have this data
• What it is used for
• What are the categories of personal data
• What external entities is it shared/transferred to
• Where are they located
• What entity controls it
• Who’s got access to it
• Who are the data subjects
• When should it be deleted
• Where is the data stored
• Where did it come from
UNDERSTANDING the GDPR from both sides
COMMUNICATION of what is required
The IT side vs The LEGAL side
Building an Article 30 Record
• Why is personal data processed? Staff admin
• About whom? Employees
• What is processed? Passport info, bank details, address
• When is it processed? When joining / as needed
• Where does it come from? The employee
• Who do you share it with? Travel supplier / payroll service
• Where is it stored?
• How is it kept secure?
• How long is it kept?
• How is it protected?
Typical Data Inventory Approach (source: PwC)
1. Top down: surveys / questionnaires, workshops / interviews, documentation review, feeding privacy program management
2. Bottom up, structured data: content analysis, field name / schema scan
3. Bottom up, unstructured data: content analysis, metadata scan
Both bottom-up routes are data discovery; the work is delivered through advisory services, consulting and software.
Privacy Program Management Tools (IAPP Technology Vendor List)
✓ Assessment
✓ Readiness
✓ Data Inventory
✓ Record Keeping (Article 30)
✓ Questionnaire Workflow
Unstructured Data Management
https://iapp.org/resources/article/2017-privacy-tech-vendor-report/
Our approach to managing our own unstructured data ?
The Veritas Approach to Unstructured Data
Task 1: Identify personal data in the org (structured data): HR / CRM / ERP systems
Task 2: Identify the actions to be taken: search terms & tags, retention requirements
Task 3: Find personal data in unstructured repositories: unstructured data search, with data tagged by personal data type, location, risk and age
Task 4: Apply retention policies to unstructured data: implement policies by tag. Actions: leave, delete, monitor, move to…, control permissions, encrypt
Identify Personal Data in the Org: Structured Datasets
Classification definitions

Data set           Type of data in data set                  Owner / Access           Classification policy name   Patterns list
Customer Accounts  Name, Address, Account ID, Bank Detail    Sales, Admin, Marketing  Cust_records                 Postal mailing address; Account # format
HR System          DOB, Address, NI number, Phone, Bank Ref  HR                       HR_records                   Date of birth; Postal mailing address; U.K. UTR number; U.K. NINO; Bank account number
Payroll            Name, Bank Ref, Tax Ref                   Payroll, HR              Bank_records                 Bank account number; Tax reference ID; UK NI

Classification Policies
Classification phase: leveraging metadata & content classification, files are grouped by policy (HR, Customer, Supplier) and assigned an action: keep, archive, delete, move, secure, encrypt.
Try Classification for Free……
https://riskanalyzer.apps.veritas.com
The Need to be Accountable
GDPR Article 5
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for
archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the
appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures.
Article 5(2) requires that
"the controller shall be responsible for, and be able to demonstrate, compliance with the principles."
The Need to Look AfterYour Data
https://haystax.com/blog/ebook/insider-attacks-industry-survey
What type of insider threats are you most concerned about?
Accountability for your Unstructured Data
Four lenses: source of threats, identify access patterns, user behavior, locate at-risk data
• Open shares
• Unauthorized access
• Protect sensitive data
• Frequency of data access
• Determine who is using data
• Apply user policies
• Lock down sensitive data
• Provide as-needed access
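Tying the four tasks above (a pattern list derived from the structured datasets, an unstructured search, tagging by type / location / age / risk, an action per tag) together with the accountability checks (open shares, stale data), here is an added Python example written for this page. It is not Veritas code and does not describe Information Map behaviour: the pattern names, risk weights, the 365-day retention threshold and the sample files it builds in a temporary directory are assumptions for illustration, and the open-share check uses the POSIX world-readable bit as a stand-in for a share ACL.

```python
"""Added example (not Veritas code): tag files holding personal data and pick
an action per tag, mirroring Tasks 1-4 and the accountability checks above.
Pattern names, risk weights, retention threshold and sample data are assumed."""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Patterns modelled on the "Patterns list" column of the classification table.
# NINO: two letters (first not D/F/I/Q/U/V, second not D/F/I/O/Q/U/V, prefix not
# BG/GB/NK/KN/TN/NT/ZZ), six digits, suffix A-D.
PATTERNS = {
    "UK_NINO": re.compile(
        r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"),
    "UK_SORT_ACCOUNT": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),
    "UK_UTR": re.compile(r"\b\d{10}\b"),
    "DATE_OF_BIRTH": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{2}/\d{2}/\d{4}\b", re.I),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
# Assumed risk weights: national / financial identifiers outrank contact data.
RISK_WEIGHT = {"UK_NINO": 3, "UK_SORT_ACCOUNT": 3, "UK_UTR": 2, "DATE_OF_BIRTH": 2, "EMAIL": 1}
RETENTION_DAYS = 365  # assumed retention policy


@dataclass
class Finding:
    path: str
    location: str          # tag: where the file lives
    age_days: int          # tag: age
    world_readable: bool   # stand-in for "open share" (POSIX other-read bit)
    types: Dict[str, int] = field(default_factory=dict)  # tag: personal data type -> hits

    @property
    def risk(self) -> int:  # tag: risk, derived from the types present
        return sum(RISK_WEIGHT[t] for t in self.types)


def classify_text(text: str) -> Dict[str, int]:
    """Content classification: hit count per personal-data pattern (zero hits dropped)."""
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}


def decide_action(f: Finding, retention_days: int = RETENTION_DAYS) -> str:
    """Map tags to one of the slide's actions."""
    if not f.types:
        return "leave"
    if f.age_days > retention_days:
        return "delete"               # storage limitation, Article 5(1)(e)
    if f.world_readable:
        return "control permissions"  # personal data sitting on an open share
    if f.risk >= 3:
        return "encrypt"
    return "monitor"


def scan_file(path: str, now: Optional[float] = None) -> Finding:
    """Metadata scan (mtime, mode) plus content scan of one file."""
    st = os.stat(path)
    now = time.time() if now is None else now
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        types = classify_text(fh.read())
    return Finding(path=path,
                   location=os.path.basename(os.path.dirname(path)),
                   age_days=int((now - st.st_mtime) // 86400),
                   world_readable=bool(st.st_mode & stat.S_IROTH),
                   types=types)


def scan_tree(root: str) -> Dict[str, tuple]:
    """Walk an unstructured repository; return {relative path: (tags, action)}."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            f = scan_file(os.path.join(dirpath, name))
            report[os.path.relpath(f.path, root)] = (sorted(f.types), decide_action(f))
    return report


def demo() -> Dict[str, tuple]:
    """Build a constructed repository (sample data, not real) and scan it."""
    root = tempfile.mkdtemp()
    now = time.time()
    samples = {  # relative path: (content, mode, age in days)
        "hr/old_leavers.csv": ("Name,DOB,NINO\nA Person,DOB: 01/02/1980,AB123456C\n", 0o600, 3 * 365),
        "finance_share/payroll.txt": ("Sort 12-34-56 12345678 for AB123456C\n", 0o644, 10),
        "hr/contacts.txt": ("reach me at someone@example.org\n", 0o600, 5),
        "docs/readme.txt": ("Nothing personal here; GB123456C is not a NINO.\n", 0o600, 1),
    }
    for rel, (text, mode, age) in samples.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(p, mode)
        os.utime(p, (now - age * 86400, now - age * 86400))
    return scan_tree(root)


if __name__ == "__main__":
    for rel, (tags, action) in sorted(demo().items()):
        print(f"{action:20} {tags} {rel}")
```

Run it to print one action per file. Two design points matter in practice: the NINO pattern encodes the format rules (banned first and second letters, banned prefixes, suffix A-D) so a nine-character token such as GB123456C is not tagged, and the retention check runs before the permission check so data past its retention date is deleted rather than merely locked down.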
The People Problem
What about Cloud ?
Data Controller + Data Processor
"I use AWS cloud services" + "AWS cloud is GDPR compliant" = "Am I GDPR compliant?"
GDPR Articles 24 & 28
“The controller shall implement appropriate measures to
ensure that processing is performed in accordance with
this Regulation.”
“The controller shall use only processors providing
sufficient guarantees… to meet the requirements of this
Regulation.”
So, am I GDPR compliant?
Not unless you’ve prepared your organisation as a
Data Controller
AWS have done their bit but you need to do yours!
Veritas Research – 69% of respondents believed that their organisation’s CSP covers data privacy & compliance regs.
Putting it into practice
Where's Glenn? Find Glenn, protect Glenn
September 2017
www.veritas.com/RiskAnalyzer
www.veritas.com/gdpr
In Summary
bit.ly/infomaptrial
Thank you!
Copyright © 2017 Veritas Technologies. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks of Veritas Technologies or its affiliates in the
U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or
implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Glenn Martin
glenn.martin@veritas.com
Veritas Information Map
Implementation of GDPR in a
Professional Services Firm
21st November 2017
Douglas Rintoul – Head of IT and Information Security
• Background in IT
• Focus on information security
• Privacy ties in with information security
• Currently DPO
CITP, CISSP, CISM, PC DP
Professional Services Firm
Herding Cats
Relationships
The Client Journey
Take On Process
Individual or business agrees to become a client → client created on CRM system → money laundering checks (DPA, privacy information)
The Client Journey
Business Lines
Audit
Business Advisory
Business Solutions
Consulting
Corporate Finance
Employer Solutions
Restructuring
Tax
Wealth
Provision of Services
Exec Teams
IT
Marketing
Business Development
HR
Learning and Development
Payroll
Health and Safety
Finance
The Client Journey
Data Protection Assessments / Privacy Impact Assessments
The Client Journey
The client moves on
GDPR Compliance Framework
GDPR Policy; Information Security Policy; DPA risk register; 3rd party processors; privacy by design; subject access requests; incident management / data breach reporting; data subject rights; training; privacy information; PIA
Blockers to implementation
Johnston Carmichael
Douglas Rintoul
douglas.rintoul@jcca.co.uk
[01467 621475]
jcca.co.uk
Unstructured Data – Getting Prepared for GDPR
Glenn Martin
www.veritas.com/gdpr
Understanding the Challenge(s)
The Reality of GDPR
"This law is not about fines. It's about putting the consumer and citizen first. We can't lose sight of that."
Elizabeth Denham, UK ICO
https://iconewsblog.org.uk/
KEEP CALM AND PREPARE FOR GDPR
Getting control of your unstructured data
Focus on the BUSINESS CHALLENGES
#1 Get to grips with your Databerg
#2 Data subjects need to be found to be forgotten
#3 What you keep must be protected
GDPR & Unstructured Data – FIVE FOCUS AREAS
• Uncover personal data and make it visible (Article 30)
• Make personal data searchable (Articles 15, 16, 17, 18, 20)
• Minimise and place controls around personal data (Articles 5, 17)
• Protect personal data from loss, damage or breach (Articles 5, 25, 32, 33, 34, 35)
• Ensure continual adherence to GDPR standards (Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44)
How dark is your data?
Data Genomics Report – Real-world Statistics
https://www.veritas.com/about/research-exchange
Personally Identifiable Information (PII)
Linked information: full name; home address; email address; Social Security number; passport number; driver's license number; credit card numbers; date of birth; telephone numbers; login details
Linkable information: first or last name; country, state, city, postcode; gender; race; non-specific age; job position; workplace
Personal Data
Employment information: current and past employers; position; employee ID
Photographic information: family photos; family videos; student photos; employee photos
Belief information: publicly expressed religion; church directory; political or philosophical beliefs; political donations
Biometric information: fingerprint; retina scan; facial image; DNA
Family information: spouse name; spouse occupation; children's names; children's ages
Law enforcement information: driving record; parking tickets; arrests; convictions
Health information: claim forms; health insurance ID; doctor's notes; medical condition status
Demographic information: date of birth; height; weight; hair colour
Government issued ID: national ID; driving license ID; vehicle registration; passport number
Communication information: IP address; URLs visited; comments posted to websites; email contents
Marketing under the GDPR
Janine Paterson, Solicitor & legal manager, DMA Group
A watershed moment to transform your approach to privacy
GDPR: an opportunity to progress
In the words of the ICO
It’s evolution not revolution. And it’s an opportunity.
Those organisations which thrive in the changing environment will be the
ones that look at the handling of personal information with a mindset that
appreciates what citizens and consumers want and expect.
That means moving away from looking at data protection as a tick box
compliance exercise, to making a commitment to manage data sensitively
and ethically.
When you commit, compliance will follow.
Source: Elizabeth Denham, Information Commissioner at the Institute of Directors Digital Summit, 17th October 2017
Privacy by Design
• 7 Foundational Principles
• Proactive not reactive; preventative not remedial: anticipates and prevents
privacy invasive events before they happen
• Privacy as the default setting: maximum degree of privacy as standard –
individual need not do anything.
• Privacy embedded into design: privacy is integral to the system not a bolt on
after the fact
• Full functionality – positive sum not zero sum: you can have both privacy and
security – one does not have to suffer at the hands of the other.
• End to end security – full lifecycle protection: privacy having been there at the
birth extends through the whole lifecycle of the data.
• Visibility and transparency – keep it open: everything is visible so individuals
can see compliance with the rules
• Respect for user privacy – keep it user-centric: put the individual first – strong
privacy defaults, appropriate notice and empowering user friendly options.
What about consumers?
Only 20% of UK public have trust and
confidence in companies and organisations
storing their personal information
Source: ICO Survey July 2017
ICO Survey
• UK citizens are more likely to trust public bodies than private companies or organisations
• 61% have trust/confidence in the NHS/GP using and storing their data
• 53% police
• 49% national government departments
• 12% social messaging platforms
• 8% have a good understanding of how personal data is made available to third parties
• Older people are more likely to say they have little trust and confidence.
ICO Survey
• “As personal information becomes the currency by which society does
business, organisations need to start making people’s data protection
rights a priority. Putting data protection at the centre of digital businesses
strategies is the key to improving trust and digital growth. ”
• “Changes to data protection legislation, which include the introduction of
the GDPR, offer organisations an opportunity to re-engage with their
customers about data. The new laws require organisations to be more
accountable for data protection and this is a real commitment to putting
the consumer at the heart of business.”
Steve Wood, Deputy Commissioner
GDPR Legal grounds
• Need a legal ground for processing personal information under GDPR plus
compliance with the GDPR principles
• GDPR Principles very similar to Data Protection Act Principles
• 6 legal grounds available under GDPR
• No hierarchy of legal grounds – all are equally valid
• Direct marketing activities – two most likely to use are consent and legitimate
interests
• Consent could be problematic
• Legitimate interests
• Other grounds are 1) performance of a contract, 2) necessary for compliance with a legal obligation, 3) protection of the vital interests of an individual, 4) necessary for a public interest / official authority task
Marketing under GDPR:
consent or legitimate interests
What is GDPR consent?
Consent of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
• Pre-ticked boxes will not be valid consent
• An end to conditional (tied-in) consent
• Must be collected in an ‘intelligible and easily accessible form, using
clear and plain language’
• Must be as easy to withdraw as to give consent
Why choose consent?
Consent? Legitimate interests?
Consumer comments on opt-in versus opt-out:
"I would rather opt in than opt out. Opting out is a sneaky way of doing business."
"I distrust companies who expect you to opt out, rather than invite their customers to opt in. This may lead to smaller numbers of customers, but they will be much more positive about your company."
"Too many options to tick. This sort of thing should be kept as simple as possible so people are not confused. They should ask if you want to opt in not out."
"Opt in boxes are so much more customer friendly."
"Brilliant. Leaves you in total control whether you want further information."
"This positive answer is much better. Clearer and less ambiguous. It feels less like the company is trying to trick you into saying yes!"
Example opt-in wording:
At xxxxx, we have exciting offers and news about our products and services that we hope you'd like to hear about. We will treat your data with respect and you can find the details of our Contact Promise here.
I'd like to receive updates by email from xxxx based on my details
You can stop receiving our updates at any time and if you prefer that we do not use your information to predict what you might be interested in let us know here.
Legitimate interests
Not a new concept.
What is it?
Article 6(1)(f):
Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Use for direct marketing?
• Direct marketing is recognised as a legitimate interest in the text of the Regulation (recital 47)
• Cannot use it where the fundamental rights and freedoms of individuals override the interests of the organisation: a balancing test is needed
• Provision of an unsubscribe / opt-out normally satisfies the test
• Hard to rely on for personal data about children, whom Article 6(1)(f) singles out for protection
• Processing must be necessary for the purpose of the legitimate interest pursued
• Requires a connection between the processing and the interests pursued
• Need to consider whether other, less privacy-intrusive methods are available to achieve the legitimate interests
• DPN Legitimate Interests guidance
Effect on data subjects' rights
Examples of legitimate interests – recitals 47 - 50
• where the data subject is in the
service of the controller
• where the data subject is a client
of the controller
• Intra-group transfers for internal
admin purposes
• fraud prevention
• network and information
security
• Direct marketing (maybe)
Further practical examples
• evidential purposes
• suppression lists
• bona fide service messages to
customers
• analytics
• employee relations
Legitimate Interests – in practice
Where a Controller wishes to rely on Legitimate Interests as the
legal basis for a processing operation, it will need to be able to
demonstrate to a Supervisory Authority and/or an individual,
when challenged, that Legitimate Interests is an appropriate
legal basis for that processing activity and be in a position to
defend the reasoning behind its decision to proceed with
processing.
• There are several factors to consider when making a
decision regarding whether an individual’s rights would
override a business Legitimate Interest. These include:
• the nature of the interests;
• the impact of processing;
• any safeguards which are or could be put in place.
Legitimate Interest Assessments (LIAs), in three steps:
1. Whether a legitimate interest exists
2. Whether the processing is necessary
3. Balancing test
Information rights
• Regardless of your ground for processing personal data you do need to provide the enhanced information rights in your privacy policy.
Transparency – Information
Requirements
• Who is the Data Controller?
• Their contact details
• What are the legal bases and
purposes of processing?
• Are Legitimate Interests being relied
upon by you or third parties?
• Who the recipients of the data may
be
• If the data will be transferred outside
the EU and how this is protected
• How long will it be stored?
• How to exercise rights
• The right to withdraw consent
• The right to complain to the
Supervisory Authority
• Whether data is required for
contractual purposes and the
consequences of refusing
• Whether profiling with legal effect
exists (also other profiling)
"You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents."
ICO Draft Consent Guidance
Example privacy policy wording
Privacy policy
We process personal information for certain legitimate business purposes, which include some or all of the following:
• where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers
• to identify and prevent fraud
• to enhance the security of our network and information systems
• to better understand how people interact with our websites
• to provide postal communications which we think will be of interest to you
• to determine the effectiveness of promotional campaigns and advertising.
Whenever we process data for these purposes we will ensure that we always keep your Personal Data rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so please click here. Please bear in mind that if you object this may affect our ability to carry out tasks above for your benefit.
Data collection statements
You will need to update your data collection statements wherever they appear, offline and online, to be clearer and more transparent. Example wording:
We may process your personal information for carefully considered and specific purposes which are in our interests and enable us to enhance the services we provide, but which we believe also benefit our customers. Click here to learn more about these interests and when we may process your information in this way.
Legacy Data
• Bringing your customer database up to the standard required for whatever legal ground you are
using under the GDPR
• Updating your privacy policy with the information requirements.
• Updating data collection notices to be clear and transparent about the use of data.
Bringing data up to GDPR consent: raising the bar to GDPR standards
• Consent under GDPR is a much higher standard than consent under the Data Protection Act and the Privacy and Electronic Communications Regulations
• ICO draft GDPR Consent Guidance was published for consultation in Spring 2017. The final version will not be published until December 2017 because of European-level work.
• Consent must be:
• Unbundled
• Positive opt-in
• Granular
• Named
• Documented
• Easy to withdraw
• No imbalance in the relationship
Bringing data up to legitimate interests
• An easier task than bringing data up to consent standards
• Legitimate interests can be used for all marketing channels which currently operate on an unsubscribe/opt-out basis: postal mail, live voice-call telemarketing, and email and SMS marketing if using the existing customer / soft opt-in exemption
• DMA view: you cannot use legitimate interests 1) where the law requires subscribe/opt-in consent, such as charities sending email marketing to donors/supporters, or 2) where the organisation is already using a subscribe/opt-in
ROI of Privacy: Building a Case for Investment [Webinar Slides]TrustArc
 
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...ObservePoint
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPRPaul O'Carroll
 
The Data Value Map for GDPR - May 2018 - GDPR summit Dublin
The Data Value Map for GDPR - May 2018 - GDPR summit DublinThe Data Value Map for GDPR - May 2018 - GDPR summit Dublin
The Data Value Map for GDPR - May 2018 - GDPR summit DublinKen O'Connor
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...Ulf Mattsson
 
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020Delphix
 
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...DATUM LLC
 
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]TrustArc
 

Mais procurados (20)

GDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to Compliance
 
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdprSharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of  Personal (PII) DataDAMA Webinar: The Data Governance of  Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
 
Navigating the Complex World of Compliance Guidelines
Navigating the Complex World of Compliance GuidelinesNavigating the Complex World of Compliance Guidelines
Navigating the Complex World of Compliance Guidelines
 
Practical steps to GDPR compliance
Practical steps to GDPR compliance Practical steps to GDPR compliance
Practical steps to GDPR compliance
 
A practical guide to GDPR preparation
A practical guide to GDPR preparationA practical guide to GDPR preparation
A practical guide to GDPR preparation
 
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and GovernanceGeek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance
 
Managing Multiple Compliance Priorities - GDPR, CCPA, HIPAA, APEC, ISO 27001,...
Managing Multiple Compliance Priorities - GDPR, CCPA, HIPAA, APEC, ISO 27001,...Managing Multiple Compliance Priorities - GDPR, CCPA, HIPAA, APEC, ISO 27001,...
Managing Multiple Compliance Priorities - GDPR, CCPA, HIPAA, APEC, ISO 27001,...
 
Your Worst GDPR Nightmare - Unstructured Data
Your Worst GDPR Nightmare - Unstructured DataYour Worst GDPR Nightmare - Unstructured Data
Your Worst GDPR Nightmare - Unstructured Data
 
ROI of Privacy: Building a Case for Investment [Webinar Slides]
ROI of Privacy: Building a Case for Investment [Webinar Slides]ROI of Privacy: Building a Case for Investment [Webinar Slides]
ROI of Privacy: Building a Case for Investment [Webinar Slides]
 
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
 
The Data Value Map for GDPR - May 2018 - GDPR summit Dublin
The Data Value Map for GDPR - May 2018 - GDPR summit DublinThe Data Value Map for GDPR - May 2018 - GDPR summit Dublin
The Data Value Map for GDPR - May 2018 - GDPR summit Dublin
 
GDPR Readiness
GDPR ReadinessGDPR Readiness
GDPR Readiness
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
 
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
 
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]
 

Semelhante a GDPR Scotland 2017

GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers Gary Dodson
 
12th July GDPR event slides
12th July GDPR event slides12th July GDPR event slides
12th July GDPR event slidesExponential_e
 
O365Engage17 - Black belting office 365 security with secure score
O365Engage17 - Black belting office 365 security with secure scoreO365Engage17 - Black belting office 365 security with secure score
O365Engage17 - Black belting office 365 security with secure scoreNCCOMMS
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRMatt Stubbs
 
Why care about GDPR and avoid over $20 million fines, even outside EU ?
Why care about GDPR and avoid over $20 million fines, even outside EU ?Why care about GDPR and avoid over $20 million fines, even outside EU ?
Why care about GDPR and avoid over $20 million fines, even outside EU ?FactoVia
 
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at ScaleDigital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at ScaleForgeRock
 
GDPR Privacy Introduction
GDPR Privacy IntroductionGDPR Privacy Introduction
GDPR Privacy IntroductionNiclasGranqvist
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Gdpr action plan - ISSA
Gdpr action plan - ISSAGdpr action plan - ISSA
Gdpr action plan - ISSAUlf Mattsson
 
Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"
Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"
Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"Ragnar Heil
 
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World WebinarDiscovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World WebinarConcept Searching, Inc
 
#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance Dovetail Software
 
TLabs - deutsche telekom
TLabs -  deutsche telekomTLabs -  deutsche telekom
TLabs - deutsche telekomChristina Azzam
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Peter GEELEN ✔
 
Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Peter GEELEN ✔
 
Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...
Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...
Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...Bruno Segers
 

Semelhante a GDPR Scotland 2017 (20)

GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
GDPR- The Buck Stops Here
GDPR-  The Buck Stops HereGDPR-  The Buck Stops Here
GDPR- The Buck Stops Here
 
GDPRforum London
GDPRforum LondonGDPRforum London
GDPRforum London
 
Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdpr
 
12th July GDPR event slides
12th July GDPR event slides12th July GDPR event slides
12th July GDPR event slides
 
O365Engage17 - Black belting office 365 security with secure score
O365Engage17 - Black belting office 365 security with secure scoreO365Engage17 - Black belting office 365 security with secure score
O365Engage17 - Black belting office 365 security with secure score
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPR
 
Why care about GDPR and avoid over $20 million fines, even outside EU ?
Why care about GDPR and avoid over $20 million fines, even outside EU ?Why care about GDPR and avoid over $20 million fines, even outside EU ?
Why care about GDPR and avoid over $20 million fines, even outside EU ?
 
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at ScaleDigital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
 
GDPR Privacy Introduction
GDPR Privacy IntroductionGDPR Privacy Introduction
GDPR Privacy Introduction
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Gdpr action plan - ISSA
Gdpr action plan - ISSAGdpr action plan - ISSA
Gdpr action plan - ISSA
 
Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"
Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"
Webinar Metalogix "Auf der Zielgeraden zur DSGVO!"
 
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World WebinarDiscovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
 
#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance
 
TLabs - deutsche telekom
TLabs -  deutsche telekomTLabs -  deutsche telekom
TLabs - deutsche telekom
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)
 
Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)
 
Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...
Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...
Launch of the #OYOD idea at the 2014 Computers, Privacy and Data Protection C...
 
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
 

Mais de Ray Bugg

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023 Ray Bugg
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022Ray Bugg
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021Ray Bugg
 
ScotSecure 2020
ScotSecure 2020ScotSecure 2020
ScotSecure 2020Ray Bugg
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019Ray Bugg
 
Intelligent Automation 2019
Intelligent Automation 2019Intelligent Automation 2019
Intelligent Automation 2019Ray Bugg
 
DIGIT Leader 2019
DIGIT Leader 2019DIGIT Leader 2019
DIGIT Leader 2019Ray Bugg
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019Ray Bugg
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Ray Bugg
 
Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)Ray Bugg
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Ray Bugg
 
GDPR Scotland 2018
GDPR Scotland 2018GDPR Scotland 2018
GDPR Scotland 2018Ray Bugg
 
Fintech 2018 Edinburgh
Fintech 2018 EdinburghFintech 2018 Edinburgh
Fintech 2018 EdinburghRay Bugg
 
DIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghDIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghRay Bugg
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018Ray Bugg
 
Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Ray Bugg
 
Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Ray Bugg
 

Mais de Ray Bugg (20)

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021
 
ScotSecure 2020
ScotSecure 2020ScotSecure 2020
ScotSecure 2020
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019
 
Intelligent Automation 2019
Intelligent Automation 2019Intelligent Automation 2019
Intelligent Automation 2019
 
DIGIT Leader 2019
DIGIT Leader 2019DIGIT Leader 2019
DIGIT Leader 2019
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019
 
GDPR Scotland 2018
GDPR Scotland 2018GDPR Scotland 2018
GDPR Scotland 2018
 
Fintech 2018 Edinburgh
Fintech 2018 EdinburghFintech 2018 Edinburgh
Fintech 2018 Edinburgh
 
DIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghDIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - Edinburgh
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018
 
Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Digital Energy 2018 Day 1
Digital Energy 2018 Day 1
 
Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Digital Energy 2018 Day 2
Digital Energy 2018 Day 2
 

Último

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 

Último (20)

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 

GDPR Scotland 2017

  • 4. www.digit.fyi 50,000 Monthly Page Views 30,000 Unique Visitors Monthly News, Views, Opinion, Insight #gdprscot
  • 7. The Great Data Protection Revamp Ken Macdonald Head of ICO Regions @ICOnews
  • 9. GDPR LED DPA 2018 E- Privacy 25 May 2018 6 May 2018 tbc tbc
  • 20. @iconews Keep in touch Subscribe to our e-newsletter at www.ico.org.uk or find us on… ICO Scotland 45 Melville Street Edinburgh EH3 7HL T: 0131 244 9001 E: Scotland@ico.org.uk
  • 21. Toby Stevens Enterprise Privacy Group @tobystevens #gdprscot
  • 22. GDPR Readiness Dumb Ways to Fail Slides removed due to copyright Toby Stevens, Enterprise Privacy Group Ltd Dumb Ways to Die © Metro Ways Melbourne dumbwaystodie.com
  • 23. Dr Rena Gertz The University of Edinburgh @RenaRuadh #gdprscot
  • 24. The adventures of a DPO Dr Rena Gertz PC.dp University of Edinburgh
  • 27. Why? GDPR Article 37 - DPO is needed in any case where: • The processing is carried out by a public authority or body, except for courts, or • The core activities of the Data Controller or the Data Processor consist of processing operations which, by virtue of their nature, their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale, or • The core activities of the Data Controller or the Data Processor consist of processing large volumes of Special Categories of Data or information about criminal convictions and offences.
  • 28. Who? The DPO must have • expert knowledge of Data Protection law and practices. • excellent understanding of the organisation’s governance structure – “Get the Bored Board on Board” • necessary resources to fulfil the relevant job functions • certain level of independence and degree of protection against dismissal or other sanctions on grounds that relate to their performance of their DPO tasks.
  • 29. Who? The DPO must be • familiar with organisation’s IT infrastructure and technology. • employed (“internal DPO”) or have a service contract (“external DPO”) The DPO may have • other tasks within the organisation, so long as no conflict of interest with the DPO role. WP29: DPO must not determine the purposes and the means of the processing of personal data
  • 31. The role • Statutory role: – To inform and advise about obligations to comply with GDPR and other data protection laws. – To monitor compliance with the GDPR and other data protection laws. – To be the first point of contact for ICO and data subjects. → The go to source for data protection advice.
  • 32. How to find a DPO… GDPR experts are all around us… “Beware of GDPR Snake Oil: It's amazing how many GDPR experts have suddenly appeared on places like Linkedin and my email in-box.” (Richard Gough, Head of Group IT Operations & Security at Punter Southall Group)
  • 33. …who meets all requirements? • “Wanted: a qualified, experienced DPO…”
  • 34. • Qualification? Not expressly in GDPR, but often asked for • Don’t: – give the job to an existing member of staff and expect them to learn it on the job; – nominate a figurehead and then expect the people s/he manages to do the work → where’s the independence? • Ensure reporting chain and accessibility – DPO must report to senior management and be accessible to all within and outwith organisation
  • 35. Shared DPOs - the situation • You need: – An experienced data protection officer • You are: – A small(ish) organisation that still needs a DPO • They cost: – Up to £50,000 in large organisations (stop laughing at the back) The solution – an external, shared DPO?
  • 36. Sharing a DPO – a judgment of Solomon?
  • 37. The pros: • No political or organisational baggage • Easy to act in an unbiased manner without fear for their job • No worries about favouring certain departments or individuals • Listened to with more respect than an employed colleague • Lower costs
  • 38. The cons: • More difficulty with accessibility to data subjects and readiness to resolve any issues raised by the subject or Supervisory Authority. • Not as easily accessible to all sharing parties • Allocation of time and tasks - service contract? • Institutions will still need to employ people ‘on the ground’ to ‘do the doing’ internally • No intimate knowledge of the workings of the individual institutions and how these may vary from each other • What if something happens in two organisations at the same time? What if the DPO is sick/on holiday?
  • 39. Time’s running out…. • DPO to implement changes for GDPR? • Case study (Ken, don’t listen…) senior professors auto-forward emails to private gmail accounts: – what would you do – pick your battles??
  • 40. Breach management • Putting appropriate system in place • “Personal data can be paper?? Really???” • Ensure reporting process involving DPO at early stage – triage of incident reporting
  • 41. Effective collaboration • Be hands-on if you want to achieve something. Don’t rely on others to do the work. • Have a good sense of humour! • Two options: – Human cloning or: – Network of Data Protection Champions: • Properly trained • Doing triage within Departments • Only contact DPO for difficult cases
  • 42. The benefits of diplomacy • Get endorsement from Service Managers etc to avoid treading on toes!
  • 43. Implementing the GDPR in a large organisation – like herding cats?
  • 46. ©2017 Check Point Software Technologies Ltd. A Proactive Security Approach for GDPR: A GDPR Aware Network. Noa Katz, Product Management, Mobility & GDPR, Check Point
  • 47. Security + Regulations = ?
  • 48. Agenda • Quick recap • GDPR compliance: documentation vs. action • A security approach for GDPR: – Fundamental security controls – Best practices for GDPR • A proactive security approach for GDPR
  • 49. GDPR – What You Already Know • Framework: cultural change to the data privacy game • Essence: data privacy as a fundamental right • Impact: worldwide, high penalties, here to stay
  • 50. Documentation vs. Action • Challenges: – GDPR: you can’t tick a box to comply – Not a security standard: limited specificity – Novelty and ambiguity • Compliance = documentation: Why? How? Where? What for? • You still own technical responsibility: “data security, integrity and confidentiality” (Article 32)
  • 51. Data Security Approach for GDPR – ‘Protection by Design’ (Art. 25): architecture focus – Risk-based approach – Data breach notification (72 hrs)
  • 52. A GDPR Aware Network: Where to Start? • Staffing • Data audit and classification • Risk analysis: control vs. cost • Logging of activity and breach identification • Fundamental controls
  • 53. GDPR Principles – Fundamental Controls (risk-based approach): Encryption; Integrity of processing systems; Quickly restore access; Regular effectiveness assessment; Defined access; Avoid breach
  • 54. Security Best Practices for GDPR
  • 55. Assess your Risk – CPCheckMe.com: Enforcement, Control, Management
  • 56. Security Controls Implemented: DLP; Capsule Docs; Security Management; Compliance Blade
  • 57. Using Check Point Security Products for GDPR • Integrated DLP: provides awareness of personal data flowing, monitoring of content, and blocking of unauthorized data transmission (classification of data with Check Point DLP) • Check Point Capsule Docs: tools for content classification
  • 58. Using Check Point Security Products for GDPR • Smart Workflow • SmartLog: change approval controls, full logging of configuration, production of audit-quality automatic reports (Check Point R80’s SmartLog)
  • 59. Using Check Point Security Products for GDPR • Security Management: separation of duties without impact to operational efficiency (Check Point R80)
  • 60. Using Check Point Security Products for GDPR • Check Point Compliance Blade: security definitions consistent with GDPR
  • 61. A Proactive Security Approach for GDPR: A GDPR Aware Network. Why not think PREVENTION?
  • 62. The cyber security architecture of the future: the first consolidated security across networks, cloud, and mobile, providing the highest level of threat prevention.
  • 63. The first and only unified cross-platform threat prevention, sharing common intelligence and threat management: NGTX Gateways (perimeter and datacenter protection); SandBlast Agent (endpoint and browser protection); SandBlast Cloud (cloud applications protection); SandBlast API (custom applications protection); SandBlast Mobile (mobile device protection)
  • 64. Key Takeaways • You CAN be proactive in your GDPR efforts • Strategies: data classification, scope definition, data usage policies, notifications and audit trails • Combine security controls with a risk-based approach • Choose a vendor you trust • Focus on prevention
  • 65. Download the whitepaper Noa Katz Product Marketing, Mobility and GDPR Check Point Software Technologies noakatz@checkpoint.com Don’t be a stranger
  • 67. Exhibition, Networking & Refreshments. Please check rear of badge for breakouts
  • 69. ABERDEEN • EDINBURGH • GLASGOW • BRUSSELS www.brodies.com/GDPR Beyond information security – what is GDPR about? GDPR Scotland Summit Martin Sloan, Partner 21 November 2017 Blog: http://techblog.brodies.com Twitter: @lawyer_martin
  • 70. Outline • Separating fact from fiction • Embedding privacy and GDPR in your organisation • Developing a plan for compliance • Six months to go – key priorities
  • 72. A quick recap • The biggest shake-up of data protection law in nearly 25 years • The General Data Protection Regulation (GDPR) – New EU-wide data protection law which will have direct effect in EU member states – Enters into force on 25 May 2018 – Greater consistency of regulatory treatment – Stronger and more coherent data protection framework – Backed by strong enforcement • The Data Protection Act 1998 will be repealed
  • 73. Evolutionary Some concepts remain broadly similar • Key concepts – personal data, sensitive personal data, processing, data controllers, data processors etc • Data protection principles – recognisable, but explicit reference to both transparency and accountability • Conditions for processing – similar, but some changes • Data subject rights – broadly recognisable (subject access, rectification, processing restrictions), but there are some new ones • International transfers • Basic data security obligations – BUT see new data security breach notification requirements • The ICO – still a UK national supervisory authority
  • 74. What’s changing? • Transparency – enhanced fair processing transparency requirements • Consent – concept of consent tightened; easier for individuals to withdraw • Accountability – obligation to demonstrate compliance; use of privacy impact assessments; training; policies • Administration – increased administration and record keeping requirements • Data subject rights – enhanced rights including subject access, increased ‘rights to be forgotten’ and data portability • Organisational principles – data protection by design and by default • Data processors – Statutory responsibility for data processors • Data protection officers – mandatory for certain organisations • Breach notification – mandatory breach notification for certain breaches • Supervisory authorities – lead authority; formal consistency mechanism • Sanctions – fines of up to 4% of worldwide turnover or €20M
  • 75. Draft ePrivacy Regulation • Current law: – 2002 Directive/Privacy & Electronic Communications Regulations 2003 – Supplements DPA • Draft ePrivacy Regulation published 10 January 2017 – Rules on electronic marketing largely unchanged – soft opt-in remains – But incorporates definition of consent from GDPR – Simplified rules on cookies/tracking tech – use of device settings – New rules on identifying marketing calls • Current status
  • 77. Some GDPR myths • GDPR is a revolution in data protection law • The high fines will cause firms to go bust • GDPR applies only to personal data processed after 25 May 2018 • Brexit means that we don’t need to worry about GDPR • GDPR does not apply if personal data has been encrypted • I can buy a product/service that will make me GDPR compliant Image: https://iconewsblog.org.uk/
  • 78. Some GDPR myths • I can’t process personal data without consent • There is an exemption for small business • The right to be forgotten will stop my business from being able to provide services to customers or employ my staff • Every personal data breach will need to be reported to the ICO • If I use the cloud then GDPR compliance is my service provider’s problem • The ICO is still unlikely to take any enforcement action Image: https://iconewsblog.org.uk/
  • 79. Embedding privacy in your organisation
  • 80. Accountability • Controllers are expected to be able to demonstrate that they comply • New responsibilities include: – Implementing ‘appropriate and effective measures’ for compliance including appropriate data protection policies – Data protection by design and default – building DP compliance (eg data minimisation) into processing processes and activities – Conducting privacy impact assessments for processing considered to be ‘high risk’ – Detailed requirements to keep records of processing activities – Express obligation to co-operate with regulators Data Governance
  • 81. Accountability • Data processing activities, including: – Purposes of the processing – Description of the categories of data subjects and personal data – Categories of recipients – Details of data transfers outside the EEA – Data retention periods – General description of data security measures • Register of data processors • Register of personal data breaches Record keeping
  • 82. Accountability • Mandatory for public authorities and controllers and processors whose core activities involve – Regular processing of sensitive personal data – Regular/systematic data monitoring of data subjects on a ‘large scale’ • Can be on group-wide basis so long as DPO is ‘easily accessible’ • DPO must – have professional qualities and expert knowledge – be allowed to perform responsibilities in an independent manner – be supported and properly resourced • Conflicts of interest • DPO role – general advisory; compliance monitoring against GDPR and policies; training and awareness; audits; privacy impact assessments; dealing with regulators – but NOT personally responsible for compliance • DPO may be an employee or a contractor Data Governance – Data Protection Officers
  • 83. Accountability • Application – GDPR requires DPIAs for “high risk” processing – WP29 recommends DPIAs as an accountability tool in other situations – WP29 considers the list of activities in article 35(3) to be non-exhaustive – If no DPIA then you should document why it is not required • Existing processing – No need to carry out for existing processing – unless change to risk • Timing, personnel and consultation – Early stage and reviewed periodically (at least every three years) – If you have a DPO then they must be involved – Obtain views of data subjects (and if not document why) • Publication – WP29 recommends that data controllers should publish DPIAs Data privacy impact assessments
  • 84. Embedding privacy within your organisation Policies and procedures and data protection by design • Review and update your policies and procedures – Employee facing policies and procedures (eg AUP, employee monitoring) – Employee training on data handling, breach reporting – Team specific training/procedures? – Data handling policies and procedures, eg • DSARs, erasure, objections, portability • Data retention • Access controls • New projects – Data protection by design – Use of privacy impact assessments
  • 85. Developing a plan for compliance
  • 86. What if we’ve not yet started? • Our 5 top recommendations ‒ Resource ‒ Data Mapping ‒ Data minimisation ‒ Review processing justifications ‒ Contract reviews • Download our handy guide to preparing for GDPR: http://brodi.es/PrepareForGDPR
  • 87. Area: General (Requirement/Impact and Action)
    – Resourcing. Requirement/impact: Do you need to appoint/should you appoint a DPO? Increased requirements of GDPR will place additional compliance obligations on organisations. Action: Ensure responsibility for GDPR is clear at board level. Appoint a DPO quickly (if you’re appointing one). Properly resource ongoing compliance. Is there sufficient expertise within the organisation? Consider establishment of a central compliance function with responsibility for handling regulatory queries, DSARs/other individual requests, data security breaches, training etc.
    – Data audit. Requirement/impact: Any GDPR compliance programme needs to be built on a complete picture of what data is being processed, why it is being processed and by whom it is being processed, to establish where the organisation is not GDPR compliant and to establish a prioritised action plan. Action: Conduct a data audit, remembering that the audit should catch processing
    – Extra-territorial reach. Requirement/impact: Extra-territorial impact will catch processing outside the EU which targets EU citizens, even by organisations that have no EU presence or nexus. Action: For groups operating outside the EU, analyse any processing by non-EU group companies for GDPR compliance. Consider whether measures can be taken to avoid unnecessary GDPR reach.
  • 88. Area: Accountability and Administration (Requirement/Impact and Action)
    – Accountability. Requirement/impact: More generally, organisations will need to implement appropriate policies and implement measures that demonstrate compliance. Action: Consider the adequacy of policies and measures. They may need revamping and you may need new ones.
    – Transparency. Requirement/impact: GDPR requires more information to be included in privacy notices. Action: Privacy notices will need to be reviewed and updated. Use layered and ‘just in time’ notices.
    – Consent based processing. Requirement/impact: Requirements for consent based processing are tighter. Likely to impact particularly in areas such as marketing. Action: Will existing consents be valid for GDPR purposes? If not, will they need to be refreshed, or can processing be grounded on an alternative basis?
    – Data retention. Requirement/impact: Requirements for greater transparency mean that organisations will face greater scrutiny around data retention and destruction practices. Action: Ensure that the organisation has appropriate data retention and destruction policies and procedures and that they are being actioned both for new and legacy data.
    – Privacy impact assessments. Requirement/impact: PIAs will be on a statutory footing under GDPR. Organisations must be prepared to carry out PIAs for ‘high risk’ processing and those operations for which PIAs are prescribed. Action: Develop PIA process and methodology and appropriate policies and procedures (see earlier).
    – Record keeping. Requirement/impact: Many organisations will be required to keep records of processing being carried out. Action: Review record keeping to ensure adequacy. Consider if the exemption applies (organisations with fewer than 250 employees, provided certain other conditions are met).
  • 89. Area: Security and Commercial (Requirement/Impact and Action)
    – Data security. Requirement/impact: Although data security standards are broadly the same, the requirements are more explicit, and the penalties for a data security breach are greater. Action: Consider whether current data security standards are adequate.
    – Data breaches. Requirement/impact: GDPR introduces requirements for mandatory data security breach notifications. Action: Introduce a clear policy and procedure for internal reporting of data security breaches. Establish a central breach management unit.
    – Contracts. Requirement/impact: New requirements for data processing agreements. Action: Review data processing agreements which will run post May 2018 and update contract templates.
    – Technology refresh. Requirement/impact: New GDPR requirements may require additional functionality of legacy IT systems. Action: Review existing IT. Is it up to scratch? Consider the contractual position before engaging with suppliers.
    – Procurement. Requirement/impact: Ensure that GDPR is factored into new IT procurements. Action: Ensure GDPR compliance is factored into procurement decisions. Consider if a PIA is required.
  • 90. Self Assessment Toolkit Find out more: http://brodies.com/gdpr-self-assessment-toolkit
  • 91. Six months to go…
  • 92. Six months to go - key actions • Appoint or resource your DPO (if you need to have one) • Review and update your privacy notices • Develop a strategy for refreshing consents (especially for direct marketing) • IT projects/development work: – re-engineer data collection forms/privacy controls in apps and websites – review/reconfigure IT systems – tools for enabling data subject requests • Start creating key records and registers: – Data processing register – Register of data processors • Get contract amendments in place • Update policies and procedures • Staff training and awareness
  • 93. Questions… GDPR Hub: http://www.brodies.com/GDPR Blog: http://techblog.brodies.com Twitter: @BrodiesTechBlog @lawyer_martin
  • 96. How will GDPR affect the IT Department? November 2018 (strictly private & confidential)
  • 97. Agenda ▪ Risk Management and Compliance ▪ Security ▪ IT Strategy ▪ The Human Perspective: training, awareness, collaboration
  • 98. Risk Management and Compliance
  • 101. • Review existing privacy policies and statements in order to document how they compare with GDPR requirements. • Assess data subject rights to consent, use, access, correct, delete and transfer personal data. • Discover and classify personal data assets and affected systems. • Identify potential access risks. Don’t forget the security requirements: • Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance road maps. • Identify potential vulnerabilities, supporting security, encryption and privacy by design. • Discover and classify personal data assets and affected systems in preparation for designing security controls.
  • 102. Risk Management Process
  • 103. Bad Data Mapping: Option A vs. Option B
  • 107. PII Scope
  • 108. IT Security
  • 112. 1. Securing your data is the new imperative 2. Manage access to critical data 3. Hack yourself to anticipate future attacks 4. Strengthen your weakest link: humans
  • 113. IT Strategy
  • 114. “Set priorities, focus energy and resources, strengthen operations, ensure that employees and other stakeholders are working toward common goals”
  • 116. The Human Perspective
  • 117. Training • Issue a monthly GDPR bitesize comms throughout your organisation • Provide supporting guides for your frameworks covering the basics in 60 seconds • Drop-in surgery • Establish company-wide e-learning to support your goals • Get your IT department to sign up to sites such as: https://www.us-cert.gov/ https://csrc.nist.gov/ https://www.ncsc.gov.uk https://threatpost.com/
  • 118. Awareness
  • 119. Collaboration
  • 122. Javier Ruiz Open Rights Group @javierruiz #gdprscot
  • 123. Beyond Compliance and the Next Privacy Challenges Javier Ruiz, Open Rights Group
  • 124. Privacy and data protection • privacy: autonomy, conscience, enabling other rights and democratic participation • data protection: legal compliance, fairness, transparency and accountability • but it can get complicated
  • 125. Challenges, from the individual to society • identifiability: is this personal data? • complexity: can you explain your machine learning toy? • micro targeting: fairness vs justice and risk pooling • collective impacts: it’s not who you are, but your data class • mass manipulation: data, behavioural science and free will
  • 127. How is GDPR going to fix all this? • GDPR compliance • but also about rights: information, access, rectification, erasure • limited rights: objection, profiling, portability • Data protection is a fundamental right under EU law, which shall be missed after Brexit
  • 128. Impact of GDPR for rights? • Should have some positive impact for individuals, e.g.: • pseudonymous data • know your data accountability principle • More on day to day common problems • Less on difficult collective and social issues
  • 129. Effectiveness of GDPR • enforcement by data protection authorities • individuals know their new rights • stronger powers for consumer groups
  • 130. Who gets the value • Data is not the new oil • Fair compensation • A market of personal information? • Fairness is good, but also justice
  • 131. Privacy only for those who can afford it is not OK
  • 132. Public interest & consent • Data for a better functioning society and economy • Promises may be excessive • but some data can be a force for some good
  • 133. Public interest and consent • Consent is doubly abused • Public interest does not require consent, but it’s very limited for companies • But I'm doing a public good with my traffic app!
  • 134. Privacy by design • Nobody really knows, but not an afterthought • Beyond compliance • Privacy impact assessments • EU funded VIRT-EU project to develop privacy, ethical and social impact assessments
  • 135. Customer centric systems • Control over their data • personal data stores, vendor relationship management and other systems have been around for some time • managing consent, data access, portability, etc. • ICO grant to develop tools, talk to us!
  • 136. Prof. Bill Buchanan OBE The Cyber Academy @billatnapier #gdprscot
  • 137. Panel Discussion Javier Ruiz – Open Rights Group Prof Bill Buchanan – The Cyber Academy Maureen Falconer – ICO Kevin Murphy - ISACA
  • 140. Unstructured Data – Getting Prepared for GDPR Glenn Martin
  • 141. Understanding the Challenge(s). Copyright © 2017 Veritas Technologies. https://cdn-images-1.medium.com/max/2000/1*uYJ5E6JcYwotLKpOZcaf-Q.jpeg
  • 143. The Reality of GDPR: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.” Elizabeth Denham, UK ICO (https://iconewsblog.org.uk/). Keep calm and prepare for GDPR.
  • 144. Getting control of your unstructured data
  • 145. Focus on the BUSINESS CHALLENGES: #1 Get to grips with your Databerg; #2 Data subjects need to be found to be forgotten; #3 What you keep must be protected
  • 146. Veritas GDPR Framework: personal data within unstructured data
  • 147. Uncover personal data and make it visible (Article 30) • Make personal data searchable (Articles 15, 16, 17, 18, 20) • Minimise and place controls around personal data (Articles 5, 17) • Protect personal data from loss, damage or breach (Articles 5, 25, 32, 33, 34, 35) • Ensure continual adherence to GDPR standards (Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44)
  • 148. PII & Personal Data? Personal data is similar to PII but not the same (November 2017)
  • 149. Personally Identifiable Information (PII) • Linked information: full name; home address; email address; Social Security number; passport number; driver’s license number; credit card numbers; date of birth; telephone numbers; log-in details • Linkable information: first or last name; country, state, city, postcode; gender; race; non-specific age; job position; workplace
  • 150. Personal Data • Employment information: current and past employers, position, employee ID • Photographic information: family photos, family videos, student photos, employee photos • Belief information: publicly expressed religion, church directory, political or philosophical beliefs, political donations • Biometric information: fingerprint, retina scan, facial image, DNA • Family information: spouse name, spouse occupation, children’s names, children’s ages • Law enforcement information: driving record, parking tickets, arrests, convictions • Health information: claim forms, health insurance ID, doctor’s notes, medical condition status • Demographic information: date of birth, height, weight, hair colour • Government-issued ID: national ID, driving licence ID, vehicle registration, passport number • Communication information: IP address, URLs visited, comments posted to websites, email contents
  • 151. How dark is your data?
  • 152. Data Genomics Report – real-world statistics: https://www.veritas.com/about/research-exchange
  • 153. Structured data matters, but it’s not the whole picture • Structured data: well managed, well defined, visible, under control • Unstructured data: unmanaged, not defined, invisible, out of control
  • 154. What about de-structured data? (exports from ERP / CRM / HR systems) https://www.forbes.com/sites/forbestechcouncil/2017/06/05/the-big-unstructured-data-problem
  • 155. Not all files are created equal • A 1.6 MB Excel file: 150k rows of who knows what • PSTs: contain who knows what toxic emails • DB dumps: the crown jewels • Log files: ????? • ZIPs: who knows
  • 156. Using the Right Tools • File Analysis Tools Report: https://www.gartner.com/doc/3814167/implement-file-analysis-gdpr-challenges
  • 157. Veritas Information Map
  • 158. What are Backups For? https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/backups/ Welcome Financial Services Limited was served a civil monetary penalty of £150,000 after the loss of more than half a million customers’ details. The organisation was unable to locate two backup tapes which contained the names, addresses and telephone numbers of customers. Data on the backup tapes was not encrypted.
  • 159. Know what you keep… keep what you know
  • 160. Data Mapping & Inventory (the why, who, what, when and where of personal data) • Why do we have this data • What it is used for • What are the categories of personal data • What external entities is it shared/transferred to • Where are they located • What entity controls it • Who’s got access to it • Who are the data subjects • When should it be deleted • Where is the data stored • Where did it come from
  • 161. Understanding the GDPR from both sides
  • 162. Communication of what is required: the IT side vs. the LEGAL side
  • 163. Building an Article 30 Record • Why is personal data processed? Staff admin • About whom? Employees • What is processed? Passport info, bank details, address • When is it processed? When joining / as needed • Where does it come from? Employee • Who do you share it with? Travel supplier / payroll service • Where is it stored? • How is it kept secure? • How long is it kept? • How is it protected?
  • 164. Typical Data Inventory Approach (source: PwC) • Top down: surveys / questionnaires; workshops / interviews; documentation review; privacy program management • Bottom up: data discovery across structured data (field name / schema scan, content analysis) and unstructured data (metadata scan, content analysis) • Delivered through advisory services, consulting and software
  • 165. Privacy Program Management Tools: IAPP Technology Vendor List ✓ Assessment ✓ Readiness ✓ Data Inventory ✓ Record Keeping (Article 30) ✓ Questionnaire Workflow; Unstructured Data Management. https://iapp.org/resources/article/2017-privacy-tech-vendor-report/
  • 166. Our approach to managing our own unstructured data?
  • 167. The Veritas Approach to Unstructured Data • Task 1: Identify personal data in the org (structured data): HR / CRP / ERM • Task 2: Identify the actions to be taken: search terms & tags, retention requirements • Task 3: Find personal data in unstructured repositories: unstructured data search, with data tagged by personal data type, location, risk and age • Task 4: Apply retention policies to unstructured data: implement policies by tags, with actions: leave, delete, monitor, move to…, control permissions, encrypt
  • 168. Identify Personal Data in the Org Structured Datasets Copyright © 2017 Veritas Technologies LLC169 Data Set Type of data in data set Owner / Access Classification Policy name Patterns List Customer Accounts Name Address Account ID Bank Detail Sales Admin Marketing Cust_records Postal MailingAddress Account # format HR System DOB Address NI number Phone Bank Ref HR HR_records Date of Birth Postal MailingAddress U.K. UTR number U.K. (NINO) Bank Account Number Payroll Name Bank Ref Tax Ref Payroll HR Bank_records Bank Account Number Tax reference ID UK NI Classification Definitions Classification Policies
  • 169. Copyright © 2017 Veritas Technologies170 Classification Phase Leveraging Metadata & Content Classification HR Customer Supplier Keep Archive Delete Move Secure Encrypt Action
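A worked example of the classification phase described in Tasks 3 and 4 above (content-scan unstructured files for the pattern types listed on the structured-dataset slide, tag each file by personal data type and risk, then pick an action from the slide's list by tag). This is an added illustration, not Veritas's own tooling; the pattern names, risk weights, retention period and the sample files are all assumptions, and the regexes are format checks only, so a hit is a candidate for review rather than a verified identifier.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Format patterns for the personal-data types named in the slide's "Patterns List"
# (UK NINO, postal address, bank details, date of birth). Format checks only:
# a match is a candidate for review, not a verified identifier.
PATTERNS = {
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}", re.I),
}

# Risk weight per personal-data type (hypothetical values; tune to your own policy).
WEIGHTS = {"uk_nino": 3, "uk_sort_code": 3, "date_of_birth": 2, "uk_postcode": 1}
RISK_LEVELS = {3: "High", 2: "Medium", 1: "Low", 0: "None"}

# Hypothetical retention period after which high-risk records are due for deletion.
RETENTION_DAYS = 6 * 365


@dataclass
class Tagged:
    path: str
    age_days: int
    tags: Dict[str, int]  # personal-data type -> number of hits in the file
    risk: str


def classify(path: str, content: str, age_days: int) -> Tagged:
    """Task 3: content-scan one unstructured file and tag it by data type and risk."""
    hits = {name: len(rx.findall(content)) for name, rx in PATTERNS.items()}
    tags = {name: n for name, n in hits.items() if n}
    score = max((WEIGHTS[t] for t in tags), default=0)
    return Tagged(path, age_days, tags, RISK_LEVELS[score])


def decide_action(item: Tagged) -> str:
    """Task 4: choose an action from the slide's list by the tags on the file."""
    if item.risk == "High" and item.age_days > RETENTION_DAYS:
        return "Delete"               # past retention: minimise (Article 5(1)(e))
    if item.risk == "High":
        return "Encrypt"              # keep it, but protect it at rest
    if item.risk == "Medium":
        return "Control permissions"  # close the open share
    if item.risk == "Low":
        return "Monitor"              # watch who accesses it
    return "Leave"


# Constructed sample repository: path -> (content, age in days). Every value is invented.
SAMPLE_FILES = {
    "shares/hr/new_starter_2010.txt": (
        "New starter form. Name: A. Example. DOB: 04/07/1985. "
        "NI number: AB 12 34 56 C. Address: 1 Sample Street, Edinburgh EH1 2AB.",
        2800,
    ),
    "shares/finance/supplier_payments.csv": (
        "supplier,sort_code,account\nAcme Widgets Ltd,12-34-56,12345678\n",
        30,
    ),
    "shares/hr/birthday_list.txt": ("Team birthdays: DOB 12/03/1990 for the new analyst.", 100),
    "shares/marketing/newsletter_draft.txt": ("Our next event is in Glasgow G2 1AB, doors open 9am.", 10),
    "shares/it/release_notes.txt": ("Build 2.3.1 fixed a crash on startup.", 5),
}


def run_inventory(files):
    """Scan every file and return {path: {"risk", "tags", "action"}} for the inventory."""
    report = {}
    for path, (content, age_days) in files.items():
        item = classify(path, content, age_days)
        report[path] = {"risk": item.risk, "tags": item.tags, "action": decide_action(item)}
    return report


if __name__ == "__main__":
    for path, row in run_inventory(SAMPLE_FILES).items():
        print(f"{path}: risk={row['risk']} tags={row['tags']} action={row['action']}")
```

The report this produces is the raw material for the Article 30 record and the retention policy: each path carries the data types found, the risk level and the action the policy assigns, so an out-of-retention HR form with a NINO lands on "Delete" while a recent payments file with sort codes lands on "Encrypt". Real deployments would add the remaining pattern types from the slide (UTR, account number formats), validate hits against the owning system of record, and log every action taken for accountability.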
• 170. Try Classification for Free… https://riskanalyzer.apps.veritas.com
• 171. The Need to be Accountable
• 172. GDPR Article 5: personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to individuals; (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
• 173. The Need to Look After Your Data: What type of insider threats are you most concerned about? https://haystax.com/blog/ebook/insider-attacks-industry-survey
• 174. Accountability for your Unstructured Data (source of threats, locate at-risk data, identify access patterns, user behaviour) • Open shares • Unauthorized access • Protect sensitive data • Frequency of data access • Determine who is using data • Apply user policies • Lock down sensitive data • Provide as-needed access
• 175. The People Problem
• 176. What about Cloud?
• 177. Data Controller / Data Processor: I use AWS cloud services + AWS cloud is GDPR compliant = Am I GDPR compliant?
• 178. GDPR Articles 24 & 28: “The controller shall implement appropriate measures to ensure that processing is performed in accordance with this Regulation.” “The controller shall use only processors providing sufficient guarantees… to meet the requirements of this Regulation.”
• 179. So, am I GDPR compliant? Not unless you’ve prepared your organisation as a Data Controller. AWS have done their bit but you need to do yours! Veritas Research: 69% of respondents believed that their organisation’s CSP covers data privacy & compliance regulations.
• 180. Putting it into practice: Where’s Glenn? Find Glenn, Protect Glenn
• 181. In Summary (September 2017): www.veritas.com/RiskAnalyzer, www.veritas.com/gdpr, bit.ly/infomaptrial
• 182. Thank you! Glenn Martin, glenn.martin@veritas.com. Copyright © 2017 Veritas Technologies. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks of Veritas Technologies or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
• 183. Veritas Information Map
• 184. Implementation of GDPR in a Professional Services Firm, 21st November 2017
• 185. Douglas Rintoul, Head of IT and Information Security (CITP, CISSP, CISM, PC DP) • Background in IT • Focus on information security • Privacy ties in with information security • Currently DPO
• 188. The Client Journey: Take On Process • Individual or business agrees to become a client • Client created on CRM system • Money laundering checks • DPA • Privacy Information
• 189. The Client Journey: Business Lines (Audit, Business Advisory, Business Solutions, Consulting, Corporate Finance, Employer Solutions, Restructuring, Tax, Wealth) and Provision of Services (Exec Teams, IT, Marketing, Business Development, HR, Learning and Development, Payroll, Health and Safety, Finance)
• 190. The Client Journey: Data Protection Assessments / Privacy Impact Assessments
• 191. The Client Journey: The client moves on
• 192. GDPR Compliance Framework: DPA Risk Register; 3rd Party Processors; Privacy By Design; Subject Access Requests; Incident Management / Data Breach Reporting; Data Subject Rights; Training; Privacy Information; PIA; GDPR Policy; Information Security Policy
• 195. Unstructured Data: Getting Prepared for GDPR. Glenn Martin, www.veritas.com/gdpr
• 196. Understanding the Challenge(s) https://cdn-images-1.medium.com/max/2000/1*uYJ5E6JcYwotLKpOZcaf-Q.jpeg
• 198. The Reality of GDPR: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.” Elizabeth Denham, UK ICO, https://iconewsblog.org.uk/ KEEP CALM AND PREPARE FOR GDPR
• 199. Getting control of your unstructured data
• 200. Focus on the BUSINESS CHALLENGES: #1 Get to grips with your Databerg; #2 Data subjects need to be found to be forgotten; #3 What you keep must be protected
• 201. GDPR & Unstructured Data: FIVE FOCUS AREAS (Personal Data)
• 202. • Uncover Personal Data and make it visible (Article 30) • Make Personal Data searchable (Articles 15, 16, 17, 18, 20) • Minimise and place controls around Personal Data (Articles 5, 17) • Protect Personal Data from loss, damage or breach (Articles 5, 25, 32, 33, 34, 35) • Ensure continual adherence to GDPR standards (Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44)
• 203. How Dark is your data?
• 204. Data Genomics Report: Real-world Statistics https://www.veritas.com/about/research-exchange
• 205. Structured data matters but… it’s not the whole picture. Structured data: well managed, well defined, visible, under control. Unstructured data: unmanaged, not defined, invisible, out of control.
• 206. What about De-structured data? (ERP / CRM / HR) https://www.forbes.com/sites/forbestechcouncil/2017/06/05/the-big-unstructured-data-problem
• 207. Not all files are created equal: a 1.6 MB Excel file… 150k rows of who knows what; PSTs contain who knows what toxic emails; DB dumps = the crown jewels; log files = ?????; ZIPs = who knows
• 212. Personally Identifiable Information (PII) • Linked Information: Full Name, Home Address, Email Address, Social Security number, Passport number, Driver’s license number, Credit Card numbers, Date of birth, Telephone numbers, Log in details • Linkable Information: First or Last name; Country, State, City, Postcode; Gender; Race; Non-specific age; Job position; Workplace
• 213. Personal Data • Employment Information: current and past employers, position, employee ID • Photographic Information: family photos, family videos, student photos, employee photos • Belief Information: publicly expressed religion, church directory, political or philosophical beliefs, political donations • Biometric Information: fingerprint, retina scan, facial image, DNA • Family Information: spouse name, spouse occupation, children’s names, children’s ages • Law Enforcement Information: driving record, parking tickets, arrests, convictions • Health Information: claim forms, health insurance ID, doctor’s notes, medical condition status • Demographic Information: date of birth, height, weight, hair colour • Government Issued ID: national ID, driving license ID, vehicle registration, passport number • Communication Information: IP address, URLs visited, comments posted to websites, email contents
• 221. The Veritas Approach to Unstructured Data • Task 1: Identify Personal Data in the Org (Structured Data): HR / CRP / ERM • Task 2: Define Actions & Tags: set policy for search terms & tags, retention / actions • Task 3: Find Personal Data in Unstructured Repositories: metadata / content classification; data tagged by location, age, personal data type, risk • Task 4: Apply Retention Policies to unstructured data: implement policies by tags; actions: leave, delete, monitor, move to…, control permissions, encrypt
• 237. Marketing under the GDPR. Janine Paterson, Solicitor & Legal Manager, DMA Group
  • 238. A watershed moment to transform your approach to privacy
  • 239. GDPR: an opportunity to progress
  • 240. In the words of the ICO It’s evolution not revolution. And it’s an opportunity. Those organisations which thrive in the changing environment will be the ones that look at the handling of personal information with a mindset that appreciates what citizens and consumers want and expect. That means moving away from looking at data protection as a tick box compliance exercise, to making a commitment to manage data sensitively and ethically. When you commit, compliance will follow. Source: Elizabeth Denham, Information Commissioner at the Institute of Directors Digital Summit, 17th October 2017
  • 241. Privacy by Design • 7 Foundational Principles • Proactive not reactive; preventative not remedial: anticipates and prevents privacy invasive events before they happen • Privacy as the default setting: maximum degree of privacy as standard – individual need not do anything. • Privacy embedded into design: privacy is integral to the system not a bolt on after the fact • Full functionality – positive sum not zero sum: you can have both privacy and security – one does not have to suffer at the hands of the other.
  • 242. Privacy by Design • End to end security – full lifecycle protection: privacy having been there at the birth extends through the whole lifecycle of the data. • Visibility and transparency – keep it open: everything is visible so individuals can see compliance with the rules • Respect for user privacy – keep it user-centric: put the individual first – strong privacy defaults, appropriate notice and empowering user friendly options.
  • 244. Only 20% of UK public have trust and confidence in companies and organisations storing their personal information Source: ICO Survey July 2017
• 245. ICO Survey • UK citizens are more likely to trust public bodies than private companies or organisations • 61% have trust/confidence in the NHS/GP using and storing their data • 53% police • 49% national government departments • 12% social messaging platforms • 8% have a good understanding of how personal data is made available to third parties • Older people are more likely to say they have little trust and confidence.
  • 246. ICO Survey • “As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority. Putting data protection at the centre of digital businesses strategies is the key to improving trust and digital growth. ” • “Changes to data protection legislation, which include the introduction of the GDPR, offer organisations an opportunity to re-engage with their customers about data. The new laws require organisations to be more accountable for data protection and this is a real commitment to putting the consumer at the heart of business.” Steve Wood, Deputy Commissioner
• 247. GDPR Legal grounds • Need a legal ground for processing personal information under GDPR plus compliance with the GDPR principles • GDPR Principles very similar to Data Protection Act Principles • 6 legal grounds available under GDPR • No hierarchy of legal grounds: all are equally valid • Direct marketing activities: the two most likely to be used are consent and legitimate interests • Consent could be problematic • Legitimate interests • Other grounds are 1) performance of a contract, 2) necessary for compliance with a legal obligation, 3) protecting the vital interests of an individual, 4) necessary for a public interest/official authority task
  • 248. Marketing under GDPR: consent or legitimate interests
  • 249. What is GDPR consent? Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. • Pre-ticked boxes will not be valid consent • An end to conditional (tied-in) consent • Must be collected in an ‘intelligible and easily accessible form, using clear and plain language’ • Must be as easy to withdraw as to give consent
  • 250. Why choose consent? Consent? Legitimate Interests?
  • 251. I would rather opt in than opt out. Opting out is a sneaky way of doing business I distrust companies who expect you to opt out, rather than invite their customers to opt in. This may lead to smaller numbers of customers, but they will be much more positive about your company. Too many options to tick. This sort of thing should be kept as simple as possible so people are not confused. They should ask if you want to opt in not out.
  • 252. Opt in boxes are so much more customer friendly Brilliant. Leaves you in total control whether you want further information This positive answer is much better. Clearer and less ambiguous. It feels less like the company is trying to trick you into saying yes!
  • 253. At xxxxx, we have exciting offers and news about our products and services that we hope you’d like to hear about. We will treat your data with respect and you can find the details of our Contact Promise here. I’d like to receive updates by email from xxxx based on my details You can stop receiving our updates at any time and if you prefer that we do not use your information to predict what you might be interested in let us know here.
  • 264. Not a new concept.
• 265. What is it? Article 6(1)(f): Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
• 266. Use for direct marketing? • Direct marketing recognised as a legitimate interest in the text of the Regulation • Cannot use it where fundamental rights and freedoms of individuals override the rights of organisations: need for a balancing test • Provision of unsubscribe/opt-out normally satisfies the test • Cannot use it for processing personal data about children • Processing must be necessary for the purpose of the legitimate interest pursued • Requires a connection between the processing and the interests pursued • Need to consider if other less privacy-intrusive methods are available to achieve the legitimate interests • DPN Legitimate Interests guidance
• 267. Effect on data subjects’ rights
• 268. Examples of legitimate interests (recitals 47–50) • where the data subject is in the service of the controller • where the data subject is a client of the controller • intra-group transfers for internal admin purposes • fraud prevention • network and information security • direct marketing (maybe)
  • 269. Further practical examples • evidential purposes • suppression lists • bona fide service messages to customers • analytics • employee relations
  • 270. Legitimate Interests – in practice Where a Controller wishes to rely on Legitimate Interests as the legal basis for a processing operation, it will need to be able to demonstrate to a Supervisory Authority and/or an individual, when challenged, that Legitimate Interests is an appropriate legal basis for that processing activity and be in a position to defend the reasoning behind its decision to proceed with processing. • There are several factors to consider when making a decision regarding whether an individual’s rights would override a business Legitimate Interest. These include: • the nature of the interests; • the impact of processing; • any safeguards which are or could be put in place.
• 271. Legitimate Interest Assessments (LIAs): whether a Legitimate Interest exists; whether the processing is necessary; balancing test
  • 272. Information rights • Regardless of your ground for processing personal data you do need to provide the enhanced information rights in your privacy policy.
  • 273. Transparency – Information Requirements • Who is the Data Controller? • Their contact details • What are the legal bases and purposes of processing? • Are Legitimate Interests being relied upon by you or third parties? • Who the recipients of the data may be • If the data will be transferred outside the EU and how this is protected • How long will it be stored? • How to exercise rights • The right to withdraw consent • The right to complain to the Supervisory Authority • Whether data is required for contractual purposes and the consequences of refusing • Whether profiling with legal effect exists (also other profiling)
• 274. You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience, for example by developing user-friendly layered information and just-in-time consents. ICO Draft Consent Guidance
  • 275. Example privacy policy wording Privacy policy We process personal information for certain legitimate business purposes, which include some or all of the following: • where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers • to identify and prevent fraud • to enhance the security of our network and information systems • to better understand how people interact with our websites • to provide postal communications which we think will be of interest to you • to determine the effectiveness of promotional campaigns and advertising. Whenever we process data for these purposes we will ensure that we always keep your Personal Data rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so please click here. Please bear in mind that if you object this may affect our ability to carry out tasks above for your benefit.
• 276. Data collection statements: You will need to update your data statements wherever they appear, offline and online, to be clearer and more transparent. Example: We may process your personal information for carefully considered and specific purposes which are in our interests and enable us to enhance the services we provide, but which we believe also benefit our customers. Click here to learn more about these interests and when we may process your information in this way.
• 278. Raising the bar to GDPR standards • Bringing your customer database up to the standard required for whatever legal ground you are using under the GDPR • Updating your privacy policy with the information requirements • Updating data collection notices to be clear and transparent about the use of data
• 279. Bringing data up to GDPR consent • Consent under GDPR is a much higher standard than consent under the Data Protection Act and the Privacy and Electronic Communications Regulations • ICO draft GDPR Consent Guidance published for consultation Spring 2017. Final version will not be published until December 2017 because of European-level work. • Consent must be: unbundled; positive opt-in; granular; named; documented; easy to withdraw; no imbalance in the relationship
• 280. Bringing data up to legitimate interests • Easier task than bringing data up to consent standards • Legitimate interests can be used for all marketing channels which currently operate on an unsubscribe/opt-out basis • Postal mail, live voice call telemarketing, and email and SMS marketing if using the existing customer / soft opt-in exemption • DMA view: cannot use legitimate interests 1) where the law requires you to use subscribe/opt-in consent, such as charities sending email marketing to donors/supporters, or 2) where the organisation is already using subscribe/opt-in.