SlideShare a Scribd company logo

12th July GDPR event slides

Download as PPTX, PDF
Exponential_e
Exponential_e

The document outlines the GDPR compliance event agenda held at the Hilton hotel, focusing on key topics such as the implications of GDPR, data security, and compliance strategies. It emphasizes the importance of transparency in handling personal data and introduces regulatory changes, including significant penalties for non-compliance. The document also includes a detailed checklist for preparing for GDPR, highlighting the need for awareness, data discovery, and the appointment of Data Protection Officers.

Business
1 of 71
Downloaded 31 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#GDPREXPO WELCOME TO THE HILTON HOTEL ARE YOU READY FOR THE CHALLENGE OF GDPR?
AGENDA 11:30 - 12:00 Arrival & Registrations. 12:00 - 12:20 Welcome & Introduction to Exponential-e: Lee Wade - CEO & Founder, Exponential-e. 12:20 - 13:00 Are you ready for GDPR? Neil May - Director of Technology Risk Management, Newable. 13:00 - 13:15 Break. 13:15 - 13:45 GDPR: Gap Analysis & Remediation Plans: Neil May - Director of Technology Risk Management, Newable. 13:45 - 14:15 GDPR and Data Security: Jeff Finch - Head of Security Services, Exponential-e. 14:15 - 14:40 QA & Panel Discussion. 14:40 - 15:00 Lunch and Networking.
#GDPREXPO ARE YOU READY FOR THE CHALLENGE OF GDPR? LEE WADE CEO & FOUNDER, EXPONENTIAL-E.
www.exponential-e.com GDPR OVERVIEW GDPR Overview • GDPR is a long-overdue upgrade to the existing Data Protection Act 1998 • Fundamentally, businesses need to be more transparent about the personal data they hold; why they captured it and what they intend to do with it • The concept is simple: if I have given you my data, then I should be able to retrieve it or even transfer it to someone else • Companies who do not handle this data in line with the new rules could be faced with a hefty fine of up to 4% of its global annual turnover, or €20,000,000, whichever is more . . . • And that’s not all. Businesses that don’t comply risk legal action from the individuals whose personal data they are using, since GDPR gives EU residents direct rights to obtain court orders and compensation
www.exponential-e.com CONNECTIVITY SERVICES 10GigE Business Internet, SD-WAN, Bandwith Management, Cloud Connect, Superconnected Cities, Software Defined Networking CLOUD SERVICES Cloud for Enterprise, Cloud-Network solutions, Desktop-as-a-Service, DaaS GPU, Workplace Recovery, IaaS (VDC), Server Replication, Online Backup, Enhanced Analytics & Big Data, Object & HDFS Storage VOICE & UNIFIED COMMUNICATIONS Hosted PBX, Smart Audio Conferencing, Inbound Call Management, SIP Trunking, Call Recording. DATA CENTRE SERVICES Enterprise-class Colocation, Managed Colocation, Shared Colocation, Smart Hands SERVICE PORTFOLIO MANAGED IT & PROFESSIONAL SERVICES Professional Services, Managed Services, Digital Transformation, AWS/Azure Management, Network Monitoring, Windows Server 2003 SECURITY SERVICES CyberSecurity & consultancy, PEN Testing, SSL VPN , Firewall design
www.exponential-e.com A SELECTION OF CLIENTS
www.exponential-e.com GDPR OVERVIEW GDPR Overview This morning, we will cover off many questions about GDPR Compliance such as: • Understanding the implications of GDPR • Understanding the new obligations to achieve compliance. • Preparing for GDPR: Discovery and Remediation plans • What exactly is ‘explicit consent’? • What are the implications for my data stored in my CRM system? • What is the ‘right to be forgotten’ and what does this mean for my data? • What does ‘pseudonymisation’ mean for all my encrypted data files? • Will the auditors sign off my 2018 accounts if we are not GDPR compliant next year? • Do we ALL now really need a Data Protection Officer?
www.exponential-e.com GDPR OVERVIEW GDPR Overview • The General Data Protection Regulation (GDPR) is the European’s view on what the baseline expectations are for processing personal information of EU citizens as we continue through the digital revolution • The GDPR introduces a raft of onerous and complex requirements and regulations • Importantly, for the first time we will have a single set of privacy rules across EU member states, and this harmonization goes even further as the GDPR has cross-territorial implications • It comes into force in the UK in May 25th, 2018 – And we all have a lot of work to do! We have 317 days left to prepare for GDPR
www.exponential-e.com GDPR OVERVIEW GDPR transforms a number of existing requirements and introduces a raft of new ones. GDPR Coalition
www.exponential-e.com GDPR OVERVIEW – SIMPLE GAME PLAN 2 DO AN ASSESSMENT Undertake a broad Data Protection Assessment of your organisation 3 DO A GAP ANALYSIS Compliance: Where you are vs Where you need to be for GDPR 6 DECIDE IF A DPO IS REQUIRED Become aware and take action! 1 TAKE ACTION Roll out training across your organisation Create a detailed Compliance Roadmap with clear timelines 4 TRAIN YOUR STAFF 5 CREATE A ROADMAP If you need to appoint a qualified Data Protection Officer
www.exponential-e.com GDPR OVERVIEW COMPREHENSIVE GAME PLAN
www.exponential-e.com GDPR – WHY NOW? GDPR – Why Now? The interdependence between data sharing and data privacy • Companies know more about their customers than ever before. In the last 24 hours, your company probably amassed more information about customers than was conceivable a decade ago • As consumers, we benefit from this closeness. The fitness apps that tracks our steps, the messaging apps we use to send pictures from the beach, or the telematics technology in our cars that lowers our insurance premiums • When we use our iPads and smart phones there is often an assumed understanding: we’ll give you our data/information in exchange for that excellent service or product that makes our lives easier, richer and sometimes cheaper. This is the trade-off at the heart of the digital economy • But there are limits to this trade-off. People are increasingly aware that companies are collecting, using, retaining and sharing their information - including buying and selling it! And they are growing uneasy . . .
www.exponential-e.com GDPR OVERVIEW THE DRIVE TOWARDS DATA PRIVACY The interdependence between data sharing and data privacy • But our willingness to share our personal information varies dramatically according to gender, age, wealth, nationality and education . . . • More than 50% are willing to share information about gender, ethnicity & education whilst less than 20% are willing to share their income, location, medical records or address. • Surveys reveal that 43% of people are uneasy about smart meters in their homes • Many people in all countries are concerned about wi-fi data analytics and web-browser spying • In spite of our ‘uneasiness’ in the way corporates are utilizing our data, personal data is the fuel of the digital future and the enabler of disruptive technologies
www.exponential-e.com The interdependence between data sharing and data privacy • Hence, GDPR marks a fundamental shift towards the view that PRIVACY must be at the forefront of organizations’ minds when dealing with our personal data • It is the most comprehensive attempt to define a coherent regulatory framework for privacy. Governments around the world are sharpening their focus on the issue and introducing legislation to offer greater protection to consumers — and far harsher penalties for violations • Hence, companies need to consider a new attitude to privacy—and they need to do it quickly to minimize the risks to their balance sheet and their reputation • GDPR CATAPULTS PRIVACY towards the top of organizations’ risk radars GDPR OVERVIEW THE DRIVE TOWARDS DATA PRIVACY
www.exponential-e.com PREPARING FOR GDPR ICO CHECKLIST SUMMARY 1. Awareness (Raising awareness throughout the organisation) 7. Explicit consent (Needs your urgent attention now) You should review NOW how you seek, record and manage consent and whether you need to make any changes. 2. Review the information you hold – (Data Discovery) 8. Children (Extra measures if you process child personal data) 3. Review the current privacy notices you send 9. Data breaches (Must be reported within 72 hours) 4. Individual Rights 10. Data Protection by Design – (Promotes Privacy & Data Protection) Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide 11. Data Protection Officer (Do you need one?) data electronically and in a commonly used format. 12. International – Cross – border trading checks The main rights for individuals under the GDPR will be: • the right to be informed; • the right of access; • the right to rectification; • the right to erasure; • the right to restrict processing; • the right to data portability; • the right to object; and • the right not to be subject to automated decision-making including profiling. 5. Subject Data Requests (Will be 30 days) 6. Lawful basis for processing personal data
www.exponential-e.com PREPARING FOR GDPR ICO CHECKLIST SUMMARY ICO: GDPR Preparation Recommendations – 12 Point Checklist Available at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
www.exponential-e.com GDPR COMPLIANCE GDPR Compliance • Although we only have 317 days - DON’T PANIC! • The burden of compliance may be less onerous if you are ISO 27001/9001 or FCA accredited. Processes may already exist for data privacy, disclosure, retention and management • Many companies already employ Data Protection or compliance personnel • Finally, Exponential-e & Newable can help guide you through the entire GDPR compliance process starting with your Data Discovery and Remediation plans that Mark Childs will detail later on . . .
#GDPREXPO ARE YOU READY FOR GDPR? NEIL MAY DIRECTOR OF TECHNOLOGY RISK MANAGEMENT, NEWABLE.
Building business confidence
Are You Ready For GDPR? Neil May – Director of Technology Risk Management 12 July 2017
Before we start BREXIT We are not off the GDPR hook. In fact, the UK will have to try extra-hard to prove Adequacy. 4 July 2017PRIVATE AND CONFIDENTIAL3
Timetable ― EU directive formally adopted 25 May 2016 ― 2 year implementation period ― Becomes law on the 25th May 2018 – everyone must be compliant by then. ― DCMS is still working on the UK legislation! PRIVATE AND CONFIDENTIAL4 4 July 2017
The ‘New Y2K’ ― An immovable deadline ― A technical deliverable ― A skills shortage ― Cue – PANIC in the boardroom ― Beware the snake oil salesmen PRIVATE AND CONFIDENTIAL5 4 July 2017
Beware ― No quick fixes ― If it seems to good to be true….. ― It is not possible to be ‘compliant’ yet – you can at best be ‘ready’ ― Over 50 Articles yet to be fully defined PRIVATE AND CONFIDENTIAL6 4 July 2017
But – good news for IT! ― GDPR – the business finally has to accept ownership of its data ― It is no longer “IT’s problem” PRIVATE AND CONFIDENTIAL7 4 July 2017
General Data Protection Regulation ― Establish a single, pan-European law to replace the current inconsistent patchwork of national laws ― Modernize the principles enshrined in the 1995 Data Protection Directive ― Immature internet ― No “cloud” ― No Facebook, Twitter, etc. ― No smartphones ― But, new principles much the same as the old ones PRIVATE AND CONFIDENTIAL26 4 July 2017
Benefits of the new Regulation ― Benefits for organisations ― One EU market, one law ― One-stop-shop – a single supervisory authority ― Same rules for all organisations ― Even those outside the EU ― Benefits for EU citizens ― Better data security ― Putting people in control PRIVATE AND CONFIDENTIAL9 4 July 2017
Some definitions ― More personal data covered (e.g. IP addresses; URLs) ― 'Pseudonymised data' is personal data ― Sensitive personal data extended (genetic, biometric, sexual orientation) ― Manual records extended (structured or unstructured) ― Main establishment and one stop shop: likely to involve a "concerned supervisory authority" ― Issues resolved at the European Data Protection Board PRIVATE AND CONFIDENTIAL28 4 July 2017
Data processing activities ― No requirement to notify ICO ― Data Controllers and Data Processors must keep a record of their processing activities ― Must make available to the ICO on request PRIVATE AND CONFIDENTIAL29 4 July 2017
Impact assessments ― Requirement to perform privacy impact assessments ― Specifically where the processing of personal data is ‘likely to result in a high risk for the rights and freedoms of individuals’ ― Eg when processing personal data through new technologies or when engaging in people profiling PRIVATE AND CONFIDENTIAL30 4 July 2017
Impact assessments ― If assessment reveals that processing of personal data would result in a high risk (eg due to the absence of mitigating controls), data controllers will be required to consult with the ICO ― If the ICO believes that any processing of personal data would be non-compliant with the Regulation then: ― Advise data controller on how to proceed ― Require an organisation to undergo a data protection audit PRIVATE AND CONFIDENTIAL31 4 July 2017
Consent ― Consent given by data subjects must be “unambiguous” for all processing of personal data ― Requires a “clear affirmative action” ― Consent has to be “explicit” for sensitive data ― Silence, pre-ticked boxes or inactivity does not constitute consent ― Must have an audit trail ― List brokers? PRIVATE AND CONFIDENTIAL32 4 July 2017
Right to be forgotten ― Data subject has the right to have his or her personal data erased where the retention of data breaches the regulation ― The right to erasure does not provide an absolute right to be forgotten ― Data Controller and Processors have an obligation to ensure that any third party with whom data is shared also erase the personal data unless it is impossible or involves disproportionate effort to do so 13 July 2017PRIVATE AND CONFIDENTIAL33 Data Subject
Liability ― Data controllers and data processors have shared liability ― Even more important to have proper contractual arrangements in place ― Processors as well as controllers must provide a security level “appropriate” to the processing risks ― Risk assessments for each customer ― Varying standards of data security for different types of processing PRIVATE AND CONFIDENTIAL34 4 July 2017
Data Protection Officer ― Mandatory appointment of a DPO for ― Public authority or body ― Those who monitor data subjects on a large scale ― Core activities process sensitive personal data ― ICO says so! ― Can be outsourced ― Must be… ― involved in all issues which relate to the protection of personal data ― provided with necessary resources to perform their required tasks PRIVATE AND CONFIDENTIAL35 4 July 2017
Data Protection Officer tasks ― To inform and advise the data controller, data processor and their employees of their regulatory obligations ― To monitor compliance with the Regulation. Including… ― Policies ― Assignment of responsibilities ― Raising awareness and training of staff ― To provide advice, related to data protection impact assessments and to monitor impact assessment performance ― To cooperate with the ICO ― To act as the contact point for data subjects and the ICO PRIVATE AND CONFIDENTIAL36 4 July 2017
Data Protection Officer position ― The Data Protection Officer must not receive any instructions regarding the exercise of these tasks ― Independent, whether or not an employee ― They shall not be dismissed or penalised for performing their tasks ― The Data Protection Officer shall directly report to the highest management level of the controller or the processor PRIVATE AND CONFIDENTIAL37 4 July 2017
Data breaches ― ICO must be notified within 72 hours of becoming aware of the breach ― Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay ― The notification must at least… ― Describe the nature of the breach ― Communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained PRIVATE AND CONFIDENTIAL38 4 July 2017
Data breaches ― Fines for unprotected data breaches will range up to €20 million or 4% of annual global turnover (whichever is higher!) ― If you suffer a breach and can show that the personal data can't be accessed by unauthorized people (e.g. it was encrypted): ― The likelihood of being fined should be very greatly reduced ― You won't need to notify affected data subjects of the breach PRIVATE AND CONFIDENTIAL39 4 July 2017
Data portability ― Where processing of personal data is carried out by automated means, the data subject should be allowed to receive their personal data in a structured, commonly used, machine-readable and interoperable format and transmit it to another controller. ― The data subject has the right to request that the data is transmitted directly from controller to controller where technically feasible. PRIVATE AND CONFIDENTIAL40 4 July 2017
Contacts Data protection by design ― Data protection must not be treated as an afterthought or ignored altogether ― Consider when… ― Building new IT systems for storing or accessing personal data ― Developing policy or strategies that have privacy implications ― Embarking on a data sharing initiative ― Using data for new purposes PRIVATE AND CONFIDENTIAL41 Portfolio Service 4 July 2017
Contacts Data protection by design ― Potential problems are identified at an early stage, when addressing them will often be simpler and less costly ― Increased awareness of privacy and data protection across an organisation ― Organisations are more likely to meet their legal obligations ― Actions are less likely to be privacy intrusive and have a negative impact on individuals PRIVATE AND CONFIDENTIAL42 Portfolio Service 4 July 2017
Codes of practice ― Codes of practice (or "codes of conduct" to use the correct Regulation-speak) become more important ― If one DP authority produces a code of practice it can be more or less adopted in other countries ― European Data Protection Board has a role PRIVATE AND CONFIDENTIAL43 4 July 2017
Codes of practice ― In the UK there are already Codes of Practice in areas such as Marketing, CCTV, Human Resources, Direct Marketing, Subject Access, Privacy Impact Assessments, Personal Information Online and Data Sharing ― Aligning data protection procedures now with the content of ICO Codes of Practice should get you ahead of the field PRIVATE AND CONFIDENTIAL44 4 July 2017
Suggested Codes of Conduct ― Processing in the data controller's legitimate interests ― Consumer rights & dispute resolution procedures ― Fair data collection and transparency re data processing ― Pseudonymisation of personal data ― Exercise of their rights of data subjects ― Protection of children ― Security of processing and data loss ― Transfers of data to other countries PRIVATE AND CONFIDENTIAL45 4 July 2017
What to do now? ― Be compliant with the DPA 1998! ― Know what personal data you process ― Data permeation maps ― Where does the data come from? ― What do we do with it? ― Where does it go? ― Information asset inventory PRIVATE AND CONFIDENTIAL46 4 July 2017
What to do now? ― Ensure policies and procedures are up to date and relevant ― Review information security arrangements ― In processing personal data, be ― Fair ― Transparent ― Understand your basis of data processing! PRIVATE AND CONFIDENTIAL47 4 July 2017
#GDPREXPO GDPR: GAP ANALYSIS & REMEDIATION PLANS: NEIL MAY DIRECTOR OF TECHNOLOGY RISK MANAGEMENT, NEWABLE.
Building business confidence
Gap Analysis and Remediation Plans Neil May – Director of Technology Risk Management 12 July 2017
Why do you need a Gap Analysis ― The GDPR contains 99 articles ― Article “a separate clause or paragraph of a legal document or agreement, typically one outlining a single rule or regulation” ― The GDPR contains 173 recitals ― Recital “the part of a legal document that explains its purpose and gives other factual information” ― Do you think you have the capability to successfully interpret all of these on your own? 4 July 2017PRIVATE AND CONFIDENTIAL51
There is a lot of rubbish talked about GDPR! ― If somebody tells you they can make you GDPR compliant they simply aren’t credible!! ― The GDPR will be enforced from May 2018 and is now well into the implementation period ― EU member states are able to vary aspects of the GDPR even though it is a Regulation, designed to harmonise data protection law. These parts that can be varied are known as derogations ― The Department of Culture, Media and Sport (DCMS) who run the consultation said: “The UK pressed hard throughout negotiations to ensure that the GDPR does not place unnecessary burdens on business. There are also derogations (exemptions) within the GDPR where the UK can exercise discretion over how certain provisions will apply.” ― An example of a derogation in the GDPR is the age of consent for children, which can be set between 13-16 years old. It is up to a member state to decide and this consultation will address these questions PRIVATE AND CONFIDENTIAL52 4 July 2017
NO YOU WON’T!!!!! So where does that leave us? ― There are still 50 articles that the DCMS needs to ratify. ― Well on the basis I’ll wait then….. PRIVATE AND CONFIDENTIAL53 4 July 2017
The Act comes into force May 2018!! ― All countries in the EEA will need to be fully complaint with all of the requirements at this time ― Failure to do so and you are risking considerable fines and reputational damage to your business ― The current fines regime is set at €20 million or 4% of your annual global turnover, whichever is the higher ― Countries who process European Subjects data are not exempt ― For example, if you have offices in the Middle East and process European Subject Data you are “in-scope” PRIVATE AND CONFIDENTIAL54 4 July 2017
So what does a Gap Analysis look like? ― There is no such thing as a “typical gap analysis” ― All organisations are different so the duration required to perform one ranges from days to weeks to months depending on size, complexity etc. ― So where do you start? ― Do you understand your “Data Estate”? ― Are you able to evidence this? ― Do you have an Information Asset Inventory? ― Are you able to evidence this? ― Do you have a record of all of your 3rd Parties who process personal data on your behalf? ― Are you able to evidence this? PRIVATE AND CONFIDENTIAL55 4 July 2017
So what does a Gap Analysis look like? ― So where do you start? ― Have all of your staff including contractors, part-time, volunteers etc. received Data Protection Awareness Training and do they receive this on a regular basis? ― Are you able to evidence this? ― Have you received unambiguous Positive Consent from all of your Staff, Clients etc.as to how you intend to process their data? ― Are you able to evidence this? ― Have you received unambiguous Positive Consent from all of your clients held on your current CRM system(s) as to how you intend to process their data? ― Are you able to evidence this? PRIVATE AND CONFIDENTIAL56 4 July 2017
Should I be concerned? ― If you aren’t then you should be!! ― GDPR is probably the single most ground breaking piece of legislation that has come into force in the past 20yrs ― The Gap Analysis is just the start of it. This will: ― Identify as to where you are and aren’t complaint with the proposed GDPR ― It will provide you with a set of Data Permeation Maps, which map your respective personal data flows in the business; this will include both Logical and Physical data namely your Data Estate ― It will provide you with an indication of the effort required to bring yourself to being GDPR ready ― So what's next? PRIVATE AND CONFIDENTIAL57 4 July 2017
Remediation plans ― Please don’t underestimate the time you will require for remediation ― GDPR came into force in May 2016 and you have until May 2018 to be compliant ― 2 years is probably a reasonable estimate as to how long it would take the average business to perform a gap analysis and put in place controls and measures, to demonstrate that they were GDPR ready ― No matter what the size or complexity of your organisation GDPR will have an impact on how you do business ― Unfortunately most businesses have significantly underestimated the impact of GDPR or are simply in denial! PRIVATE AND CONFIDENTIAL58 4 July 2017
Remediation plans ― Lets start with some good advice. As a minimum you will need to consider: ― Data Permeation Maps ― Data Inventory ― Data Protection Officer ― Data Protection Training and Awareness ― Data Protection Policies and Procedures ― Third Party Assurance Programme ― Third Party Contracts ― Penetration Testing and Vulnerability Analysis PRIVATE AND CONFIDENTIAL59 4 July 2017
Remediation plans ― Lets start with some good advice. As a minimum you will need to consider: ― The Right To Be Forgotten ― Subject Access Requests ― Privacy by Design ― Privacy Impact Assessments ― Positive Consent ― CRM Systems ― CCTV ― Data Portability ― Cross Border Transfers PRIVATE AND CONFIDENTIAL60 4 July 2017
What to do now? ― There is no time like the present: ― Get yourself a copy of the GDPR ― Perform a Gap Analysis ― Produce a Remediation Plan - You have less than a year to get yourself GDPR ready ― Do not underestimate the time and effort required - YES it is going to cost ££s so budget for it. ― Ignore it at your peril!!! Compliance is not an option – this is the law! PRIVATE AND CONFIDENTIAL61 4 July 2017
#GDPREXPO GDPR & CYBER SECURITY JEFF FINCH HEAD OF SECURITY SERVICES
www.exponential-e.com #GDPREXPO CYBER SECURITY BY DESIGN • GDPR, Articles 25, 32, 33,34, and 35 contain details on securing data • The Top Five • Discover the weaknesses • Privacy by Design = Security By Design • Security Appropriate to Risk • The Principle of Least Privilege • Better Control of Customer Data • How can we support you?
www.exponential-e.com #GDPREXPO DISCOVER THE WEAKNESSES • The world of self denial! • Your own audit will not find it! • Independent assessment of where you are. • Exponential-e provide access to trusted renowned partners in this field. • Pen Test Partners LLP. • We facilitate! Its the customers report! • And they are accredited.
www.exponential-e.com #GDPREXPO PRIVACY BY DESIGN SECURITY BY DESIGN We take Security Seriously: • All our Solutions Engineers are trained to High Standards. • Platinum Partner with Fortinet. • MSP Partner Palo Alto. • Gold Partner for Gemalto / Safenet. • Senior Partner for Foresite. • Only MSP Partner for Sentinel One. • We design based on the solution you need. • Our Partners ensure we are well trained.
www.exponential-e.com #GDPREXPO SECURITY APPROPRIATE TO RISK. THE PRINCIPLE OF LEAST PRIVILEGE. • How do you judge these two? • Evaluate the risk and impose the security! • How often do you review users privileges? • Advanced Security Monitoring • Log collection and correlation from any device under one pane of glass! • Generates reports • Has 24 x 7 Analyst support • Alerts and advice on remediation
www.exponential-e.com #GDPREXPO BETTER CONTROL OF CUSTOMER DATA Where’s The Cloud for Exponential-e ? • Cloud Storage is located within UK Borders. • We Provide encryption. • Structured Storage offering dedicated arrays. • Which means that customers can store in a structured, searchable, encrypted platform their essential data which is already GDPR ready! What does The Exponential-e Cloud provide to our Customers ? • Information Governance. • Configurable to meet regulatory and compliance standards. • Provides a Data classification application • On Structured and unstructured data • Regardless of where data resides (premises or Cloud). • Data ownership, Data retention periods, Data Sensitivity.
www.exponential-e.com #GDPREXPO A Unified Platform Use a single platform for data governance and policy management, and extend data governance and control to cloud-based data.
www.exponential-e.com #GDPREXPO A UNIFIED PLATFORM • By knowing exactly where personal data lives across your organization, you can: o Identify the presence of personal data in all data locations. o Automate special handling of information with standard data policies (i.e., access control, security, encryption, retention). o Support the export and erasure of personal data from all data sources. o Detect and delete unneeded copies of personal data. o Maintain an auditable chain of custody on an individual's personal data. o Understand data leakage risk and speed up data breach analysis.
#EXPO-GDPR THE SECURITY PRODUCT PORTFOLIO Customer Applications Internet Customer Perimeter Customer VPN / Network Ransomware Protection Email & Content Filter Next Gen UTM Pen Test & IT Health Check DDoS Mitigation GRC Consultancy Advanced Firewall Monitoring Multi Factor Authentication Next Gen Firewall Web & URL
#EXPO-GDPR QUESTIONS?

More Related Content

What's hot (20)

PDF
GDPR Scotland 2017
Ray Bugg
 
PDF
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
PPTX
GDPR From the Trenches - Real-world examples of how companies are approaching...
Ardoq
 
PDF
Splunk: How Machine Data Supports GDPR Compliance
MarketingArrowECS_CZ
 
PPTX
Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson
 
PPTX
Gdpr action plan
Ulf Mattsson
 
PPTX
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
PPTX
Ensuring GDPR Compliance - A Zymplify Guide
Zymplify
 
PDF
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
DATUM LLC
 
PDF
What about GDPR?
Martin Hawksey
 
PDF
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
PPTX
The Practical Impact of the General Data Protection Regulation
Ghostery, Inc.
 
PPTX
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
Ardoq
 
PPTX
Data Privacy: What you need to know about privacy, from compliance to ethics
AT Internet
 
PPTX
EU GDPR - 12 Steps To Compliance
Tom Haynes
 
PDF
Privacy by design
Michelangelo van Dam
 
PPTX
Jisc GDPR conference
Jisc
 
PDF
GDPR for Dummies
Caroline Boscher
 
PPTX
Privacy issues in data analytics
shekharkanodia
 
PDF
GDPR (En) JM Tyszka
Jean-Michel Tyszka
 
GDPR Scotland 2017
Ray Bugg
 
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
GDPR From the Trenches - Real-world examples of how companies are approaching...
Ardoq
 
Splunk: How Machine Data Supports GDPR Compliance
MarketingArrowECS_CZ
 
Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson
 
Gdpr action plan
Ulf Mattsson
 
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Ensuring GDPR Compliance - A Zymplify Guide
Zymplify
 
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
DATUM LLC
 
What about GDPR?
Martin Hawksey
 
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
The Practical Impact of the General Data Protection Regulation
Ghostery, Inc.
 
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
Ardoq
 
Data Privacy: What you need to know about privacy, from compliance to ethics
AT Internet
 
EU GDPR - 12 Steps To Compliance
Tom Haynes
 
Privacy by design
Michelangelo van Dam
 
Jisc GDPR conference
Jisc
 
GDPR for Dummies
Caroline Boscher
 
Privacy issues in data analytics
shekharkanodia
 
GDPR (En) JM Tyszka
Jean-Michel Tyszka
 

Similar to 12th July GDPR event slides (20)

PDF
#HR and #GDPR: Preparing for 2018 Compliance
Dovetail Software
 
PPTX
GDPR: Are you Ready?
EngageHub
 
PPTX
GDPR in the Healthcare Industry
EMMAIntl
 
PDF
GDPR- The Buck Stops Here
Kellyn Pot'Vin-Gorman
 
PPTX
GDPR How to get started?
Peter Witsenburg
 
PPTX
CRMCS GDPR - Why it matters and how to make it Easy
Paul McQuillan
 
PPTX
GDPR - Why it matters and how to make it Easy
Paul McQuillan
 
PPT
GDPR webinar presentation | LawBite
Clive Rich
 
PDF
The Countdown to the GDPR Regulations
Elliot Reeman
 
PDF
Gdpr for business full
Fionnuala Hendrick
 
PPTX
Associates quick guide to gdpr v 1.0
Aaron Banham
 
PPTX
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 
PPTX
DevOps vs GDPR: How to Comply and Stay Agile
Ben Saunders
 
PPTX
GDPR Workshop
Curt Lewis
 
PDF
GDPR - Sink or Swim
Guy Griffiths
 
PPTX
General Data Protection Regulation
Pete S
 
PPTX
GDPR How ready are you? The What, Why and How.
James Seville
 
PPTX
Taking the Fear Out of GDPR
Nate Stockard
 
PPTX
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
CIO Edge
 
PPTX
GDPR Privacy Introduction
NiclasGranqvist
 
#HR and #GDPR: Preparing for 2018 Compliance
Dovetail Software
 
GDPR: Are you Ready?
EngageHub
 
GDPR in the Healthcare Industry
EMMAIntl
 
GDPR- The Buck Stops Here
Kellyn Pot'Vin-Gorman
 
GDPR How to get started?
Peter Witsenburg
 
CRMCS GDPR - Why it matters and how to make it Easy
Paul McQuillan
 
GDPR - Why it matters and how to make it Easy
Paul McQuillan
 
GDPR webinar presentation | LawBite
Clive Rich
 
The Countdown to the GDPR Regulations
Elliot Reeman
 
Gdpr for business full
Fionnuala Hendrick
 
Associates quick guide to gdpr v 1.0
Aaron Banham
 
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 
DevOps vs GDPR: How to Comply and Stay Agile
Ben Saunders
 
GDPR Workshop
Curt Lewis
 
GDPR - Sink or Swim
Guy Griffiths
 
General Data Protection Regulation
Pete S
 
GDPR How ready are you? The What, Why and How.
James Seville
 
Taking the Fear Out of GDPR
Nate Stockard
 
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
CIO Edge
 
GDPR Privacy Introduction
NiclasGranqvist
 
Ad

More from Exponential_e (14)

PPTX
The Secure Business in the Digital Age - 27th September 2017
Exponential_e
 
PPTX
Becoming your customer's security partner in the digital age
Exponential_e
 
PPSX
Exponential e-unified-communications-presentations
Exponential_e
 
PPTX
Unified Communications - Collaborative services that deliver greater busines...
Exponential_e
 
PPTX
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
Exponential_e
 
PPTX
Emc - Journey to the Cloud - Business Agility Seminar
Exponential_e
 
PPTX
Emc expoesymposium
Exponential_e
 
PPTX
Private Clouds - Business Agility Seminar
Exponential_e
 
PPTX
Cloud Connectivity Network Virtualisation - Business Agility Seminar
Exponential_e
 
PPTX
The mobile workforce – A real IT challenge
Exponential_e
 
PPTX
Building the silver lining seminar slides
Exponential_e
 
PPTX
Cloud Aggregation: Smart Access to a Smarter Cloud
Exponential_e
 
PPTX
Convered Voice and Data (tIPicall and Exponential-e)
Exponential_e
 
PPTX
Cloud Connectivity and Amazon Direct Connect
Exponential_e
 
The Secure Business in the Digital Age - 27th September 2017
Exponential_e
 
Becoming your customer's security partner in the digital age
Exponential_e
 
Exponential e-unified-communications-presentations
Exponential_e
 
Unified Communications - Collaborative services that deliver greater busines...
Exponential_e
 
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
Exponential_e
 
Emc - Journey to the Cloud - Business Agility Seminar
Exponential_e
 
Emc expoesymposium
Exponential_e
 
Private Clouds - Business Agility Seminar
Exponential_e
 
Cloud Connectivity Network Virtualisation - Business Agility Seminar
Exponential_e
 
The mobile workforce – A real IT challenge
Exponential_e
 
Building the silver lining seminar slides
Exponential_e
 
Cloud Aggregation: Smart Access to a Smarter Cloud
Exponential_e
 
Convered Voice and Data (tIPicall and Exponential-e)
Exponential_e
 
Cloud Connectivity and Amazon Direct Connect
Exponential_e
 
Ad

Recently uploaded (20)

PDF
How do we fix the Messed Up Corporation’s System diagram?
YukoSoma
 
PDF
Step-by-Step: Buying a Verified Cash App Accounts| PDF | Payments Service
https://pvabulkpro.com/
 
DOCX
TCP Communication Flag Txzczczxcxzzxypes.docx
esso24
 
PDF
Agriculture Machinery PartsAgriculture Machinery Parts
mizhanw168
 
PPTX
Top Oil and Gas Companies in India Fuelling the Nation’s Growth.pptx
Essar Group
 
PDF
Top Trends Redefining B2B Apparel Exporting in 2025
ananyaa2255
 
PPTX
Asia Pacific Tropical Fruit Puree Market Overview & Growth
chanderdeepseoexpert
 
PPTX
SYMCA LGP - Social Enterprise Exchange.pptx
Social Enterprise Exchange
 
PDF
2018 - Building a Culture By Design PPTX
Cheryl M
 
PDF
NewBase 03 July 2025 Energy News issue - 1799 by Khaled Al Awadi_compressed.pdf
Khaled Al Awadi
 
PDF
Buy Facebook Accounts Buy Facebook Accounts
darlaknowles49
 
DOCX
How to Build Digital Income From Scratch Without Tech Skills or Experience
legendarybook73
 
PPTX
Oil and Gas EPC Market Size & Share | Growth - 2034
Aman Bansal
 
PDF
Flexible Metal Hose & Custom Hose Assemblies
McGill Hose & Coupling Inc
 
PPTX
World First Cardiovascular & Thoracic CT Scanner
arineta37
 
PPTX
Technical Analysis of 1st Generation Biofuel Feedstocks - 25th June 2025
TOFPIK
 
PPTX
25 Future Mega Trends Reshaping the World in 2025 and Beyond
presentifyai
 
PDF
Pencil Box with Charmbox Gift Shop - CharmboxGift
Charm Box
 
PDF
"Complete Guide to the Partner Visa 2025
Zealand Immigration
 
PDF
_How Freshers Can Find the Best IT Companies in Jaipur with Salarite.pdf
SALARITE
 
How do we fix the Messed Up Corporation’s System diagram?
YukoSoma
 
Step-by-Step: Buying a Verified Cash App Accounts| PDF | Payments Service
https://pvabulkpro.com/
 
TCP Communication Flag Txzczczxcxzzxypes.docx
esso24
 
Agriculture Machinery PartsAgriculture Machinery Parts
mizhanw168
 
Top Oil and Gas Companies in India Fuelling the Nation’s Growth.pptx
Essar Group
 
Top Trends Redefining B2B Apparel Exporting in 2025
ananyaa2255
 
Asia Pacific Tropical Fruit Puree Market Overview & Growth
chanderdeepseoexpert
 
SYMCA LGP - Social Enterprise Exchange.pptx
Social Enterprise Exchange
 
2018 - Building a Culture By Design PPTX
Cheryl M
 
NewBase 03 July 2025 Energy News issue - 1799 by Khaled Al Awadi_compressed.pdf
Khaled Al Awadi
 
Buy Facebook Accounts Buy Facebook Accounts
darlaknowles49
 
How to Build Digital Income From Scratch Without Tech Skills or Experience
legendarybook73
 
Oil and Gas EPC Market Size & Share | Growth - 2034
Aman Bansal
 
Flexible Metal Hose & Custom Hose Assemblies
McGill Hose & Coupling Inc
 
World First Cardiovascular & Thoracic CT Scanner
arineta37
 
Technical Analysis of 1st Generation Biofuel Feedstocks - 25th June 2025
TOFPIK
 
25 Future Mega Trends Reshaping the World in 2025 and Beyond
presentifyai
 
Pencil Box with Charmbox Gift Shop - CharmboxGift
Charm Box
 
"Complete Guide to the Partner Visa 2025
Zealand Immigration
 
_How Freshers Can Find the Best IT Companies in Jaipur with Salarite.pdf
SALARITE
 

12th July GDPR event slides

  • 1. #GDPREXPO WELCOME TO THE HILTON HOTEL ARE YOU READY FOR THE CHALLENGE OF GDPR?
  • 2. AGENDA 11:30 - 12:00 Arrival & Registrations. 12:00 - 12:20 Welcome & Introduction to Exponential-e: Lee Wade - CEO & Founder, Exponential-e. 12:20 - 13:00 Are you ready for GDPR? Neil May - Director of Technology Risk Management, Newable. 13:00 - 13:15 Break. 13:15 - 13:45 GDPR: Gap Analysis & Remediation Plans: Neil May - Director of Technology Risk Management, Newable. 13:45 - 14:15 GDPR and Data Security: Jeff Finch - Head of Security Services, Exponential-e. 14:15 - 14:40 QA & Panel Discussion. 14:40 - 15:00 Lunch and Networking.
  • 3. #GDPREXPO ARE YOU READY FOR THE CHALLENGE OF GDPR? LEE WADE CEO & FOUNDER, EXPONENTIAL-E.
  • 4. www.exponential-e.com GDPR OVERVIEW GDPR Overview • GDPR is a long-overdue upgrade to the existing Data Protection Act 1998 • Fundamentally, businesses need to be more transparent about the personal data they hold; why they captured it and what they intend to do with it • The concept is simple: if I have given you my data, then I should be able to retrieve it or even transfer it to someone else • Companies who do not handle this data in line with the new rules could be faced with a hefty fine of up to 4% of its global annual turnover, or €20,000,000, whichever is more . . . • And that’s not all. Businesses that don’t comply risk legal action from the individuals whose personal data they are using, since GDPR gives EU residents direct rights to obtain court orders and compensation
  • 5. www.exponential-e.com CONNECTIVITY SERVICES 10GigE Business Internet, SD-WAN, Bandwith Management, Cloud Connect, Superconnected Cities, Software Defined Networking CLOUD SERVICES Cloud for Enterprise, Cloud-Network solutions, Desktop-as-a-Service, DaaS GPU, Workplace Recovery, IaaS (VDC), Server Replication, Online Backup, Enhanced Analytics & Big Data, Object & HDFS Storage VOICE & UNIFIED COMMUNICATIONS Hosted PBX, Smart Audio Conferencing, Inbound Call Management, SIP Trunking, Call Recording. DATA CENTRE SERVICES Enterprise-class Colocation, Managed Colocation, Shared Colocation, Smart Hands SERVICE PORTFOLIO MANAGED IT & PROFESSIONAL SERVICES Professional Services, Managed Services, Digital Transformation, AWS/Azure Management, Network Monitoring, Windows Server 2003 SECURITY SERVICES CyberSecurity & consultancy, PEN Testing, SSL VPN , Firewall design
  • 7. www.exponential-e.com GDPR OVERVIEW GDPR Overview This morning, we will cover off many questions about GDPR Compliance such as: • Understanding the implications of GDPR • Understanding the new obligations to achieve compliance. • Preparing for GDPR: Discovery and Remediation plans • What exactly is ‘explicit consent’? • What are the implications for my data stored in my CRM system? • What is the ‘right to be forgotten’ and what does this mean for my data? • What does ‘pseudonymisation’ mean for all my encrypted data files? • Will the auditors sign off my 2018 accounts if we are not GDPR compliant next year? • Do we ALL now really need a Data Protection Officer?
  • 8. www.exponential-e.com GDPR OVERVIEW GDPR Overview • The General Data Protection Regulation (GDPR) is the European’s view on what the baseline expectations are for processing personal information of EU citizens as we continue through the digital revolution • The GDPR introduces a raft of onerous and complex requirements and regulations • Importantly, for the first time we will have a single set of privacy rules across EU member states, and this harmonization goes even further as the GDPR has cross-territorial implications • It comes into force in the UK in May 25th, 2018 – And we all have a lot of work to do! We have 317 days left to prepare for GDPR
  • 9. www.exponential-e.com GDPR OVERVIEW GDPR transforms a number of existing requirements and introduces a raft of new ones. GDPR Coalition
  • 10. www.exponential-e.com GDPR OVERVIEW – SIMPLE GAME PLAN 2 DO AN ASSESSMENT Undertake a broad Data Protection Assessment of your organisation 3 DO A GAP ANALYSIS Compliance: Where you are vs Where you need to be for GDPR 6 DECIDE IF A DPO IS REQUIRED Become aware and take action! 1 TAKE ACTION Roll out training across your organisation Create a detailed Compliance Roadmap with clear timelines 4 TRAIN YOUR STAFF 5 CREATE A ROADMAP If you need to appoint a qualified Data Protection Officer
  • 12. www.exponential-e.com GDPR – WHY NOW? GDPR – Why Now? The interdependence between data sharing and data privacy • Companies know more about their customers than ever before. In the last 24 hours, your company probably amassed more information about customers than was conceivable a decade ago • As consumers, we benefit from this closeness. The fitness apps that tracks our steps, the messaging apps we use to send pictures from the beach, or the telematics technology in our cars that lowers our insurance premiums • When we use our iPads and smart phones there is often an assumed understanding: we’ll give you our data/information in exchange for that excellent service or product that makes our lives easier, richer and sometimes cheaper. This is the trade-off at the heart of the digital economy • But there are limits to this trade-off. People are increasingly aware that companies are collecting, using, retaining and sharing their information - including buying and selling it! And they are growing uneasy . . .
  • 13. www.exponential-e.com GDPR OVERVIEW THE DRIVE TOWARDS DATA PRIVACY The interdependence between data sharing and data privacy • But our willingness to share our personal information varies dramatically according to gender, age, wealth, nationality and education . . . • More than 50% are willing to share information about gender, ethnicity & education whilst less than 20% are willing to share their income, location, medical records or address. • Surveys reveal that 43% of people are uneasy about smart meters in their homes • Many people in all countries are concerned about wi-fi data analytics and web-browser spying • In spite of our ‘uneasiness’ in the way corporates are utilizing our data, personal data is the fuel of the digital future and the enabler of disruptive technologies
  • 14. www.exponential-e.com The interdependence between data sharing and data privacy • Hence, GDPR marks a fundamental shift towards the view that PRIVACY must be at the forefront of organizations’ minds when dealing with our personal data • It is the most comprehensive attempt to define a coherent regulatory framework for privacy. Governments around the world are sharpening their focus on the issue and introducing legislation to offer greater protection to consumers — and far harsher penalties for violations • Hence, companies need to consider a new attitude to privacy—and they need to do it quickly to minimize the risks to their balance sheet and their reputation • GDPR CATAPULTS PRIVACY towards the top of organizations’ risk radars GDPR OVERVIEW THE DRIVE TOWARDS DATA PRIVACY
  • 15. www.exponential-e.com PREPARING FOR GDPR ICO CHECKLIST SUMMARY 1. Awareness (Raising awareness throughout the organisation) 7. Explicit consent (Needs your urgent attention now) You should review NOW how you seek, record and manage consent and whether you need to make any changes. 2. Review the information you hold – (Data Discovery) 8. Children (Extra measures if you process child personal data) 3. Review the current privacy notices you send 9. Data breaches (Must be reported within 72 hours) 4. Individual Rights 10. Data Protection by Design – (Promotes Privacy & Data Protection) Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide 11. Data Protection Officer (Do you need one?) data electronically and in a commonly used format. 12. International – Cross – border trading checks The main rights for individuals under the GDPR will be: • the right to be informed; • the right of access; • the right to rectification; • the right to erasure; • the right to restrict processing; • the right to data portability; • the right to object; and • the right not to be subject to automated decision-making including profiling. 5. Subject Data Requests (Will be 30 days) 6. Lawful basis for processing personal data
  • 16. www.exponential-e.com PREPARING FOR GDPR ICO CHECKLIST SUMMARY ICO: GDPR Preparation Recommendations – 12 Point Checklist Available at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
  • 17. www.exponential-e.com GDPR COMPLIANCE GDPR Compliance • Although we only have 317 days - DON’T PANIC! • The burden of compliance may be less onerous if you are ISO 27001/9001 or FCA accredited. Processes may already exist for data privacy, disclosure, retention and management • Many companies already employ Data Protection or compliance personnel • Finally, Exponential-e & Newable can help guide you through the entire GDPR compliance process starting with your Data Discovery and Remediation plans that Mark Childs will detail later on . . .
  • 18. #GDPREXPO ARE YOU READY FOR GDPR? NEIL MAY DIRECTOR OF TECHNOLOGY RISK MANAGEMENT, NEWABLE.
  • 20. Are You Ready For GDPR? Neil May – Director of Technology Risk Management 12 July 2017
  • 21. Before we start BREXIT We are not off the GDPR hook. In fact, the UK will have to try extra-hard to prove Adequacy. 4 July 2017PRIVATE AND CONFIDENTIAL3
  • 22. Timetable ― EU directive formally adopted 25 May 2016 ― 2 year implementation period ― Becomes law on the 25th May 2018 – everyone must be compliant by then. ― DCMS is still working on the UK legislation! PRIVATE AND CONFIDENTIAL4 4 July 2017
  • 23. The ‘New Y2K’ ― An immovable deadline ― A technical deliverable ― A skills shortage ― Cue – PANIC in the boardroom ― Beware the snake oil salesmen PRIVATE AND CONFIDENTIAL5 4 July 2017
  • 24. Beware ― No quick fixes ― If it seems to good to be true….. ― It is not possible to be ‘compliant’ yet – you can at best be ‘ready’ ― Over 50 Articles yet to be fully defined PRIVATE AND CONFIDENTIAL6 4 July 2017
  • 25. But – good news for IT! ― GDPR – the business finally has to accept ownership of its data ― It is no longer “IT’s problem” PRIVATE AND CONFIDENTIAL7 4 July 2017
  • 26. General Data Protection Regulation ― Establish a single, pan-European law to replace the current inconsistent patchwork of national laws ― Modernize the principles enshrined in the 1995 Data Protection Directive ― Immature internet ― No “cloud” ― No Facebook, Twitter, etc. ― No smartphones ― But, new principles much the same as the old ones PRIVATE AND CONFIDENTIAL26 4 July 2017
  • 27. Benefits of the new Regulation ― Benefits for organisations ― One EU market, one law ― One-stop-shop – a single supervisory authority ― Same rules for all organisations ― Even those outside the EU ― Benefits for EU citizens ― Better data security ― Putting people in control PRIVATE AND CONFIDENTIAL9 4 July 2017
  • 28. Some definitions ― More personal data covered (e.g. IP addresses; URLs) ― 'Pseudonymised data' is personal data ― Sensitive personal data extended (genetic, biometric, sexual orientation) ― Manual records extended (structured or unstructured) ― Main establishment and one stop shop: likely to involve a "concerned supervisory authority" ― Issues resolved at the European Data Protection Board PRIVATE AND CONFIDENTIAL28 4 July 2017
  • 29. Data processing activities ― No requirement to notify ICO ― Data Controllers and Data Processors must keep a record of their processing activities ― Must make available to the ICO on request PRIVATE AND CONFIDENTIAL29 4 July 2017
  • 30. Impact assessments ― Requirement to perform privacy impact assessments ― Specifically where the processing of personal data is ‘likely to result in a high risk for the rights and freedoms of individuals’ ― Eg when processing personal data through new technologies or when engaging in people profiling PRIVATE AND CONFIDENTIAL30 4 July 2017
  • 31. Impact assessments ― If assessment reveals that processing of personal data would result in a high risk (eg due to the absence of mitigating controls), data controllers will be required to consult with the ICO ― If the ICO believes that any processing of personal data would be non-compliant with the Regulation then: ― Advise data controller on how to proceed ― Require an organisation to undergo a data protection audit PRIVATE AND CONFIDENTIAL31 4 July 2017
  • 32. Consent ― Consent given by data subjects must be “unambiguous” for all processing of personal data ― Requires a “clear affirmative action” ― Consent has to be “explicit” for sensitive data ― Silence, pre-ticked boxes or inactivity does not constitute consent ― Must have an audit trail ― List brokers? PRIVATE AND CONFIDENTIAL32 4 July 2017
  • 33. Right to be forgotten ― Data subject has the right to have his or her personal data erased where the retention of data breaches the regulation ― The right to erasure does not provide an absolute right to be forgotten ― Data Controller and Processors have an obligation to ensure that any third party with whom data is shared also erase the personal data unless it is impossible or involves disproportionate effort to do so 13 July 2017PRIVATE AND CONFIDENTIAL33 Data Subject
  • 34. Liability ― Data controllers and data processors have shared liability ― Even more important to have proper contractual arrangements in place ― Processors as well as controllers must provide a security level “appropriate” to the processing risks ― Risk assessments for each customer ― Varying standards of data security for different types of processing PRIVATE AND CONFIDENTIAL34 4 July 2017
  • 35. Data Protection Officer ― Mandatory appointment of a DPO for ― Public authority or body ― Those who monitor data subjects on a large scale ― Core activities process sensitive personal data ― ICO says so! ― Can be outsourced ― Must be… ― involved in all issues which relate to the protection of personal data ― provided with necessary resources to perform their required tasks PRIVATE AND CONFIDENTIAL35 4 July 2017
  • 36. Data Protection Officer tasks ― To inform and advise the data controller, data processor and their employees of their regulatory obligations ― To monitor compliance with the Regulation. Including… ― Policies ― Assignment of responsibilities ― Raising awareness and training of staff ― To provide advice, related to data protection impact assessments and to monitor impact assessment performance ― To cooperate with the ICO ― To act as the contact point for data subjects and the ICO PRIVATE AND CONFIDENTIAL36 4 July 2017
  • 37. Data Protection Officer position ― The Data Protection Officer must not receive any instructions regarding the exercise of these tasks ― Independent, whether or not an employee ― They shall not be dismissed or penalised for performing their tasks ― The Data Protection Officer shall directly report to the highest management level of the controller or the processor PRIVATE AND CONFIDENTIAL37 4 July 2017
  • 38. Data breaches ― ICO must be notified within 72 hours of becoming aware of the breach ― Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay ― The notification must at least… ― Describe the nature of the breach ― Communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained PRIVATE AND CONFIDENTIAL38 4 July 2017
  • 39. Data breaches ― Fines for unprotected data breaches will range up to €20 million or 4% of annual global turnover (whichever is higher!) ― If you suffer a breach and can show that the personal data can't be accessed by unauthorized people (e.g. it was encrypted): ― The likelihood of being fined should be very greatly reduced ― You won't need to notify affected data subjects of the breach PRIVATE AND CONFIDENTIAL39 4 July 2017
  • 40. Data portability ― Where processing of personal data is carried out by automated means, the data subject should be allowed to receive their personal data in a structured, commonly used, machine-readable and interoperable format and transmit it to another controller. ― The data subject has the right to request that the data is transmitted directly from controller to controller where technically feasible. PRIVATE AND CONFIDENTIAL40 4 July 2017
  • 41. Contacts Data protection by design ― Data protection must not be treated as an afterthought or ignored altogether ― Consider when… ― Building new IT systems for storing or accessing personal data ― Developing policy or strategies that have privacy implications ― Embarking on a data sharing initiative ― Using data for new purposes PRIVATE AND CONFIDENTIAL41 Portfolio Service 4 July 2017
  • 42. Contacts Data protection by design ― Potential problems are identified at an early stage, when addressing them will often be simpler and less costly ― Increased awareness of privacy and data protection across an organisation ― Organisations are more likely to meet their legal obligations ― Actions are less likely to be privacy intrusive and have a negative impact on individuals PRIVATE AND CONFIDENTIAL42 Portfolio Service 4 July 2017
  • 43. Codes of practice ― Codes of practice (or "codes of conduct" to use the correct Regulation-speak) become more important ― If one DP authority produces a code of practice it can be more or less adopted in other countries ― European Data Protection Board has a role PRIVATE AND CONFIDENTIAL43 4 July 2017
  • 44. Codes of practice ― In the UK there are already Codes of Practice in areas such as Marketing, CCTV, Human Resources, Direct Marketing, Subject Access, Privacy Impact Assessments, Personal Information Online and Data Sharing ― Aligning data protection procedures now with the content of ICO Codes of Practice should get you ahead of the field PRIVATE AND CONFIDENTIAL44 4 July 2017
  • 45. Suggested Codes of Conduct ― Processing in the data controller's legitimate interests ― Consumer rights & dispute resolution procedures ― Fair data collection and transparency re data processing ― Pseudonymisation of personal data ― Exercise of their rights of data subjects ― Protection of children ― Security of processing and data loss ― Transfers of data to other countries PRIVATE AND CONFIDENTIAL45 4 July 2017
  • 46. What to do now? ― Be compliant with the DPA 1998! ― Know what personal data you process ― Data permeation maps ― Where does the data come from? ― What do we do with it? ― Where does it go? ― Information asset inventory PRIVATE AND CONFIDENTIAL46 4 July 2017
  • 47. What to do now? ― Ensure policies and procedures are up to date and relevant ― Review information security arrangements ― In processing personal data, be ― Fair ― Transparent ― Understand your basis of data processing! PRIVATE AND CONFIDENTIAL47 4 July 2017
  • 48. #GDPREXPO GDPR: GAP ANALYSIS & REMEDIATION PLANS: NEIL MAY DIRECTOR OF TECHNOLOGY RISK MANAGEMENT, NEWABLE.
  • 50. Gap Analysis and Remediation Plans Neil May – Director of Technology Risk Management 12 July 2017
  • 51. Why do you need a Gap Analysis ― The GDPR contains 99 articles ― Article “a separate clause or paragraph of a legal document or agreement, typically one outlining a single rule or regulation” ― The GDPR contains 173 recitals ― Recital “the part of a legal document that explains its purpose and gives other factual information” ― Do you think you have the capability to successfully interpret all of these on your own? 4 July 2017PRIVATE AND CONFIDENTIAL51
  • 52. There is a lot of rubbish talked about GDPR! ― If somebody tells you they can make you GDPR compliant they simply aren’t credible!! ― The GDPR will be enforced from May 2018 and is now well into the implementation period ― EU member states are able to vary aspects of the GDPR even though it is a Regulation, designed to harmonise data protection law. These parts that can be varied are known as derogations ― The Department of Culture, Media and Sport (DCMS) who run the consultation said: “The UK pressed hard throughout negotiations to ensure that the GDPR does not place unnecessary burdens on business. There are also derogations (exemptions) within the GDPR where the UK can exercise discretion over how certain provisions will apply.” ― An example of a derogation in the GDPR is the age of consent for children, which can be set between 13-16 years old. It is up to a member state to decide and this consultation will address these questions PRIVATE AND CONFIDENTIAL52 4 July 2017
  • 53. NO YOU WON’T!!!!! So where does that leave us? ― There are still 50 articles that the DCMS needs to ratify. ― Well on the basis I’ll wait then….. PRIVATE AND CONFIDENTIAL53 4 July 2017
  • 54. The Act comes into force May 2018!! ― All countries in the EEA will need to be fully complaint with all of the requirements at this time ― Failure to do so and you are risking considerable fines and reputational damage to your business ― The current fines regime is set at €20 million or 4% of your annual global turnover, whichever is the higher ― Countries who process European Subjects data are not exempt ― For example, if you have offices in the Middle East and process European Subject Data you are “in-scope” PRIVATE AND CONFIDENTIAL54 4 July 2017
  • 55. So what does a Gap Analysis look like? ― There is no such thing as a “typical gap analysis” ― All organisations are different so the duration required to perform one ranges from days to weeks to months depending on size, complexity etc. ― So where do you start? ― Do you understand your “Data Estate”? ― Are you able to evidence this? ― Do you have an Information Asset Inventory? ― Are you able to evidence this? ― Do you have a record of all of your 3rd Parties who process personal data on your behalf? ― Are you able to evidence this? PRIVATE AND CONFIDENTIAL55 4 July 2017
  • 56. So what does a Gap Analysis look like? ― So where do you start? ― Have all of your staff including contractors, part-time, volunteers etc. received Data Protection Awareness Training and do they receive this on a regular basis? ― Are you able to evidence this? ― Have you received unambiguous Positive Consent from all of your Staff, Clients etc.as to how you intend to process their data? ― Are you able to evidence this? ― Have you received unambiguous Positive Consent from all of your clients held on your current CRM system(s) as to how you intend to process their data? ― Are you able to evidence this? PRIVATE AND CONFIDENTIAL56 4 July 2017
  • 57. Should I be concerned? ― If you aren’t then you should be!! ― GDPR is probably the single most ground breaking piece of legislation that has come into force in the past 20yrs ― The Gap Analysis is just the start of it. This will: ― Identify as to where you are and aren’t complaint with the proposed GDPR ― It will provide you with a set of Data Permeation Maps, which map your respective personal data flows in the business; this will include both Logical and Physical data namely your Data Estate ― It will provide you with an indication of the effort required to bring yourself to being GDPR ready ― So what's next? PRIVATE AND CONFIDENTIAL57 4 July 2017
  • 58. Remediation plans ― Please don’t underestimate the time you will require for remediation ― GDPR came into force in May 2016 and you have until May 2018 to be compliant ― 2 years is probably a reasonable estimate as to how long it would take the average business to perform a gap analysis and put in place controls and measures, to demonstrate that they were GDPR ready ― No matter what the size or complexity of your organisation GDPR will have an impact on how you do business ― Unfortunately most businesses have significantly underestimated the impact of GDPR or are simply in denial! PRIVATE AND CONFIDENTIAL58 4 July 2017
  • 59. Remediation plans ― Lets start with some good advice. As a minimum you will need to consider: ― Data Permeation Maps ― Data Inventory ― Data Protection Officer ― Data Protection Training and Awareness ― Data Protection Policies and Procedures ― Third Party Assurance Programme ― Third Party Contracts ― Penetration Testing and Vulnerability Analysis PRIVATE AND CONFIDENTIAL59 4 July 2017
  • 60. Remediation plans ― Lets start with some good advice. As a minimum you will need to consider: ― The Right To Be Forgotten ― Subject Access Requests ― Privacy by Design ― Privacy Impact Assessments ― Positive Consent ― CRM Systems ― CCTV ― Data Portability ― Cross Border Transfers PRIVATE AND CONFIDENTIAL60 4 July 2017
  • 61. What to do now? ― There is no time like the present: ― Get yourself a copy of the GDPR ― Perform a Gap Analysis ― Produce a Remediation Plan - You have less than a year to get yourself GDPR ready ― Do not underestimate the time and effort required - YES it is going to cost ££s so budget for it. ― Ignore it at your peril!!! Compliance is not an option – this is the law! PRIVATE AND CONFIDENTIAL61 4 July 2017
  • 62. #GDPREXPO GDPR & CYBER SECURITY JEFF FINCH HEAD OF SECURITY SERVICES
  • 63. www.exponential-e.com #GDPREXPO CYBER SECURITY BY DESIGN • GDPR, Articles 25, 32, 33,34, and 35 contain details on securing data • The Top Five • Discover the weaknesses • Privacy by Design = Security By Design • Security Appropriate to Risk • The Principle of Least Privilege • Better Control of Customer Data • How can we support you?
  • 64. www.exponential-e.com #GDPREXPO DISCOVER THE WEAKNESSES • The world of self denial! • Your own audit will not find it! • Independent assessment of where you are. • Exponential-e provide access to trusted renowned partners in this field. • Pen Test Partners LLP. • We facilitate! Its the customers report! • And they are accredited.
  • 65. www.exponential-e.com #GDPREXPO PRIVACY BY DESIGN SECURITY BY DESIGN We take Security Seriously: • All our Solutions Engineers are trained to High Standards. • Platinum Partner with Fortinet. • MSP Partner Palo Alto. • Gold Partner for Gemalto / Safenet. • Senior Partner for Foresite. • Only MSP Partner for Sentinel One. • We design based on the solution you need. • Our Partners ensure we are well trained.
  • 66. www.exponential-e.com #GDPREXPO SECURITY APPROPRIATE TO RISK. THE PRINCIPLE OF LEAST PRIVILEGE. • How do you judge these two? • Evaluate the risk and impose the security! • How often do you review users privileges? • Advanced Security Monitoring • Log collection and correlation from any device under one pane of glass! • Generates reports • Has 24 x 7 Analyst support • Alerts and advice on remediation
  • 67. www.exponential-e.com #GDPREXPO BETTER CONTROL OF CUSTOMER DATA Where’s The Cloud for Exponential-e ? • Cloud Storage is located within UK Borders. • We Provide encryption. • Structured Storage offering dedicated arrays. • Which means that customers can store in a structured, searchable, encrypted platform their essential data which is already GDPR ready! What does The Exponential-e Cloud provide to our Customers ? • Information Governance. • Configurable to meet regulatory and compliance standards. • Provides a Data classification application • On Structured and unstructured data • Regardless of where data resides (premises or Cloud). • Data ownership, Data retention periods, Data Sensitivity.
  • 68. www.exponential-e.com #GDPREXPO A Unified Platform Use a single platform for data governance and policy management, and extend data governance and control to cloud-based data.
  • 69. www.exponential-e.com #GDPREXPO A UNIFIED PLATFORM • By knowing exactly where personal data lives across your organization, you can: o Identify the presence of personal data in all data locations. o Automate special handling of information with standard data policies (i.e., access control, security, encryption, retention). o Support the export and erasure of personal data from all data sources. o Detect and delete unneeded copies of personal data. o Maintain an auditable chain of custody on an individual's personal data. o Understand data leakage risk and speed up data breach analysis.
  • 70. #EXPO-GDPR THE SECURITY PRODUCT PORTFOLIO Customer Applications Internet Customer Perimeter Customer VPN / Network Ransomware Protection Email & Content Filter Next Gen UTM Pen Test & IT Health Check DDoS Mitigation GRC Consultancy Advanced Firewall Monitoring Multi Factor Authentication Next Gen Firewall Web & URL

Editor's Notes

  • #6: HAVE REQUESTED FROM DAVID - PRODUCT Portfolio areas broken down in to 6 key areas (AS ABOVE) – Note underpinned by our security offering – From our infrastructure/VPLS technology, our multiple services and other security services Portfolio has been developed alongside our customers based on Innovation and bringing new services to market Our drive is to develop a portfolio and roadmap that meets all the needs of our customers Services and delivered in-house and as part of the Exponential-e team and delivered and supported by higher qualified, accredited and experienced team Our services come with industry leading SLA’s – end to end sla’s covering all services Our services are delivered on best of breed infrastructure – Cloud, UCC and state of the ART VPLS network Your xxx is only as good as your network
  • #15: GDPR is the strait-jacket of privacy being fitted to the good, the anarchic and the ugly exploiters of our personal assets
  • #40: 200,000 of these €500 notes!
  • #69: By eliminating the need for multiple point products to manage your data, Commvault software does more than just lay a foundation for GDPR compliance — it also helps you improve operational efficiency, gain business advantage and boost employee productivity.
  • #70: By eliminating the need for multiple point products to manage your data, Commvault software does more than just lay a foundation for GDPR compliance — it also helps you improve operational efficiency, gain business advantage and boost employee productivity.