Jack Simons Ltd Digital Archive, Heritage Preservation and Personal - - PowerPoint PPT Presentation

SLIDE 1

Jack Simons Ltd

Digital Archive, Heritage Preservation and Personal Data Protection Advisors

SLIDE 2

Who are we?

  • Founded as File Flatners Ltd 2004
  • John Munton bought other partners out Oct 2010
  • Mark Povey joined Sept 2013 and began increasing the service offering
  • John bought Simons House 2014
  • File Flatners moved to Simons House Sept 2015
  • Re-brand to Jack Simons completed July 2016
  • July 10th 2017 JS Data Protection was formed to deliver GDPR services to existing and new clients

SLIDE 3

Mark Povey Technical Director

  • 11 years in the British Army (Royal Signals)
  • Designed basic document management for the Regiment
  • Left the army and went into selling EDMS (Egami)
  • Designed hybrid book scanning system
  • GDPR Practitioner trained (IISP accredited)
  • Working with Queens College Cambridge on their GDPR project

SLIDE 4

Goal for Today

  • Basic understanding of the GDPR
  • Identify some of the changes outlined within GDPR (new terms etc.)
  • Begin to understand the delegates' internal processes and procedures
  • Start the work toward compliance with GDPR
  • Understand who the regulation applies to (clue: just about every business, charity or professional organisation that has 1 member of staff or more)
  • Debunk some of the myths around GDPR (there are many!!)
SLIDE 5

General Data Protection Regulation

Agenda

  • When it comes into effect, when you should start preparing
  • Key tenets of the GDPR and what they mean in real terms
  • What the penalties could be for a breach and the myths associated
  • What is the likelihood of a breach and how
  • Exercise: identify probable breach areas
  • What are the key threats to you, the delegates
  • Roll-out planning
  • New terms used by the GDPR and simple definitions
SLIDE 6

  • 25th May 2018
  • Should have started last year
  • Updates are coming out from the ICO regularly
  • Brexit will change nothing (apart from who breaches will be reported to)

SLIDE 7

  • Privacy by design: this means you!!
  • Data minimisation: only process what is essential to you
  • Anonymisation of personal data (protect the data subject's identity)
  • Data retention period (only store for as long as is necessary)
  • Right to erasure
  • The GDPR places the interests of the individual before the interests of the business
  • Privacy policies must be clear, unambiguous and as easy to understand as a children's book
  • Opt out should be as easy as opt in
  • Right to data portability
SLIDE 8

  • Failure to comply with the GDPR could mean the following penalties being imposed for personal data breaches:
  • Under the DPA (Data Protection Act) the highest possible penalty was £500,000
  • Until now the largest fine the ICO has imposed was TalkTalk (£400,000)
  • The new fines are £10 million or 2% of global revenue (for certain breach types), whichever is higher, or:
  • £20 million or 4% of global revenue, whichever is higher
  • TalkTalk would have been fined £10 million+ under the new regime
  • Big Corp Inc is not immune: trade in Europe, comply with Europe
  • The NHS is not exempt from the new regulations: if data that had been encrypted could not be restored, each hospital or trust would face the harshest fines
  • The ICO has stated that they will not seek to shut down businesses for a breach

SLIDE 9

  • The likelihood of a breach is a given!!!
  • The GDPR recognises this and breaches will be investigated when reported, with the following mitigating circumstances being considered:
  • Robust data protection policy is in place and adhered to (regular staff training)
  • Cyber security fully up to date and regularly tested
  • Physical security of paper records maintained and followed, access controls are in place etc.
  • Systems are in place to protect digital data (encryption, anonymisation etc.)

SLIDE 10

  • The likelihood of a breach is a given, Pt 2
  • The biggest breach area (according to Gartner) is still lost or stolen paper records
  • Online hacking is a national pastime for certain states
  • Phishing attacks are still a major issue for most businesses
  • USB sticks and media are still openly used without adequate precautions; attacks are injected via this means
  • Social media accounts are routinely used to discuss “where I work” etc., allowing evil actors to socially engineer attacks
  • Facebook and Google recently lost ca $100m to a phishing attack
  • Remember a breach can be physical or digital

SLIDE 11

Exercise: Identify your business’ likely areas for a breach

  • Points to consider:
  • Who’s in charge of your data?
  • Remote workers?
  • Training
  • Policies
  • Procedures
SLIDE 12

  • The key threats (seen from afar):
  • Paper-based records stored haphazardly, off-site and on-site
  • Data retention plan?
  • No data plan informing responsible staff of what, why, where etc.
  • Records being stored in the clear, paper and digital
  • Compliance checks?
  • Temporary staff collecting and processing personal data
  • Older marketing databases not being kept up to date

SLIDE 13

  • New terms used with the GDPR
  • Data Subject: a natural person (not an organisation) whose data is being processed, stored or otherwise handled by your organisation
  • Data Protection Officer (DPO): the individual who is responsible for the protection of the data subjects, whilst ensuring full compliance with the GDPR (must be allowed to function free of the business's priorities)
  • DSAR: data subject access request (supersedes SAR); must now be free
  • DPIA: data protection impact assessment; these must be carried out if certain activities are being fulfilled
  • PII: personally identifiable information, anything which can be used to identify a data subject (credit card number, CCTV image captured by a school etc.)
  • Processing: now encompasses visual/aural review of data as well as entry into databases etc.
  • EDPB: European Data Protection Board, the organisation with final authority on all matters relating to the GDPR

SLIDE 14

ICO 12 steps to compliance

  1. Awareness – decision makers and key people
  2. Information – document what you hold (data map)
  3. Communicating privacy information – review and amend privacy notices
  4. Individuals’ rights – ensure you can deliver against data subject rights
  5. Subject access requests – update procedures
  6. Legal basis for processing – identify and document
  7. Consent – review how you obtain and record consent
  8. Children – review consent processes for minors
  9. Data breaches – ensure you have processes for detecting and reporting
  10. DP by design and DPIAs
  11. DPOs – appoint one (can be outsourced)
  12. International transfers – ensure you have an appropriate legal basis
SLIDE 15

In Summary: Your route to compliance

  • Unless you already have a comprehensive and effective DPA compliance regime in place, GDPR compliance is likely to be a major change programme.
  • It will need:
    – Top management attention;
    – Dedicated planning and implementation resource;
    – Financial support;
    – Significant culture change.
  • Many organisations are only starting to come to grips with the need to address cyber security;
  • Many more will have Brexit issues to address;
  • The time period to GDPR is shortening every day.
  • Is it actually possible to be fully compliant by 25th May 2018? (The ICO understands the difficulties facing business)

SLIDE 16

Jack Simons Services

  • Initial board awareness training, essential for the project to be correctly funded and understood
  • Cyber security testing and implementation
  • Web site security and patching
  • Data map creation and storage advice, digital and physical
  • Staff GDPR compliance and awareness training
  • GDPR Implementation plan and conformance including virtual DPO
  • Compliance review and updates
  • DPIA when necessary

As of now you have 238 days or 5,712 hours

SLIDE 17

Questions?