MWLUG - 2017
Tim Clark & Stephanie Heit
Tim & Steph explain the basics of GDPR and give some recommendations about what you can do to be ready.
Data sources are in the final slides.
For more information about how BCC can help you get your Domino data ready for GDPR please contact us here.
http://bcchub.com/bcc-domino-protect/
3. MWLUG 2017
Moving Collaboration Forward
Agenda
• BCC, Stephanie & Tim
• What is GDPR
• Who it affects
• What you have to do
• Penalties
• Summary
• Where to find more information
Presenters
• Tim Clark
– Director Services & Support
– IBM Champion 13-17
• Stephanie Heit
– Director, BCC Ltd
– 17 years with Notes & Domino
About BCC
• Founded in 1996
• IBM Business Partner
• Locations: Frankfurt (HQ), London, Boston
• 800+ customers
Cultural Differences
• Europe
– Personal self-determination
– Personal data protection
– Laws, not directives
• USA
– Consumer focused
– Treated fairly
– Not protected
– Directives, not laws
What is GDPR
• General Data Protection Regulation
– Regulation
• (EU) 2016/679 (88 pages)
– Directives
• (EU) 2016/680 (43 pages)
• (EU) 2016/681 (18 pages)
• Now the boring stuff is out of the way…
What is it really about?
• A single set of legislation across Europe that gives individuals better control of their personal data
• Became effective law in 2016
• Two-year grace period to get ready
Why worry about it now?
“The GDPR is causing great concern for businesses, with 50 percent of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate.”
James Walker, UK MD, JAW Consulting UK
https://www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
Must be ready by Friday, May 25th 2018
Legal Glossary
• Personal Data
• Controllers & Processors
• Data Protection Officers
• Profiling
• Breach & Notification
• Data Subject Access Requests
Definition of ‘Personal Data’
“Any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
A Summary of the EU General Data Protection Regulation: Peter Galdies, DataIQ. 14th January 2016.
www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
Controllers & Processors
• Controllers
– Owners of the data
– Responsible for data security
– Make sure Processors are compliant
• Processors
– Work with the data
– Must take responsible actions with the data
• The relationship between Controllers and Processors must be documented
Legal Glossary (cont.)
• Data Protection Officers
– Required for public authorities and for large-scale processing of special types of personal data
– Expert knowledge of DP laws
– Can be made tighter by EU Member States
• Profiling
– Any automated processing of personal data to determine certain criteria about a person.
“In particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Legal Glossary (cont.)
• Breach & Notification
– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
• Data Subject Access Request
– The right of the individual to understand what is stored and how it is used
Brief Summary
• If you collect any personal data of an EU citizen, you need to comply
• Data subjects can ask for their data
• There are penalties for non-compliance
Who it affects
• ANYONE who collects data about any EU citizen that is identifiable to them
• Anywhere in the world
• No boundaries
Privacy Management
• Data protection safeguards are to be ‘built in’ to systems (Data by Design)
• Privacy-friendly – pseudonymisation
• Record keeping has increased emphasis
– Answering auditors
– Data Subject Access Requests
• The right to be forgotten
Consent
• Consent to collect the data has to be given
– Does not have to be explicit
– Purpose for data collection has to be explicit
– Has to be demonstrable, how and when
• Withdrawing consent has to be possible
– Should be as easy as giving consent
Breaches & Notification
• Breach & Notification
– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
• 72 hours to notify the supervisory authority
• May have to notify data subjects too
WARNING!!!
• The next slide may make you sit up sharply in your seat.
• You have been warned.
Penalties
• Greater of €10 million or 2% of the entity’s global gross revenue
– Violation of record keeping, security, breach notifications & privacy impact assessment
• Greater of €20 million or 4% of the entity’s global gross revenue
– Violations of legal justification for processing (consent), data subject rights and cross-border data transfers
Suggested minimum technical steps
• Firewalls
• User access control management functionality in Windows
• Unique passwords of sufficient complexity and regular (but not too frequent) expiry on all devices
• Regular software updates
• Timely decommissioning and secure wiping of old software and hardware
• Real-time protection anti-virus, anti-malware and anti-spyware software
• Encryption of all portable devices, ensuring appropriate protection of the key
• Encryption of personal data in transit by using suitable encryption solutions
• Implement secure configuration on all devices (including mobile phones)
• Put in place intrusion detection and prevention
• Data backup
What can you do now?
1. Make key departments aware
2. Work out what you have
3. Get your minimum technical steps in progress
4. Revise existing privacy notices
5. Review procedures for new rights
6. Plan how to handle requests
7. Document your legal basis for your use of data
8. Review how you get consent and record it
9. Put procedures in place for data breaches and checks
10. Appoint a Data Protection Officer
Sources
• EU General Data Protection Regulation ratified: KPMG, 2016.
assets.kpmg.com/content/dam/kpmg/pdf/2016/05/EU-General-Data-Protection-Regulation-ratified-18-04-2016.pdf
• Guidance: what to expect and when: Information Commissioner’s Office.
ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/
• Overview of the General Data Protection Regulation (GDPR): Information Commissioner’s Office.
ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
• Preparing for the EU GDPR: What You Need To Know: James Walker, SC Media. 4th March 2016.
www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
• A Summary of the EU General Data Protection Regulation: Peter Galdies, DataIQ. 14th January 2016.
www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
• EU Official Journal issue L 119.
eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN
• Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now: Information Commissioner’s Office. 14th March 2016.
ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• IBM – Little Bee books – How it works – GDPR.
http://littlebeelibrary.com/pdfs/GDPR.pdf
So in many cases online identifiers, including IP addresses, cookies and so forth, will now be regarded as personal data if they can be (or are capable of being) linked back to the data subject without undue effort.
To be clear, there is no distinction between personal data about individuals in their private, public or work roles – the person is the person.