General Data Protection Regulation

MWLUG 2017
Moving Collaboration Forward
General Data Protection Regulation.
Ignoring this = Paying Fines!
Tim Clark
Stephanie Heit
BCC Ltd.

MWLUG 2017
Our Amazing Sponsors

MWLUG 2017
Agenda
• BCC, Stephanie & Tim
• What is GDPR
• Who it affects
• What you have to do
• Penalties
• Summary
• Where to find more information

MWLUG 2017
Presenters
• Tim Clark
• Director Services &
Support
• IBM Champion 13-17
• Stephanie Heit
• Director, BCC Ltd
• 17 years with Notes &
Domino

MWLUG 2017
About BCC
• Founded in 1996
• IBM Business Partner
• Locations: Frankfurt
(HQ), London, Boston
• 800+ customers

MWLUG 2017
BCC Solutions

MWLUG 2017
• Europe
– Personal self
determination
– Personal Data Protection
– Laws, not directives
• USA
– Consumer focused
– Treated fairly
– Not Protected
– Directives, not laws
Cultural Differences

MWLUG 2017
What is GDPR
• General Data Protection Regulations
– Regulation
• (EU) 2016/679 (88 pages)
– Directives
• (EU) 2016/680 (43pages)
• (EU) 2016/681 (18 pages)
• Now the boring stuff is out of the way…..

MWLUG 2017
What is it really to do with?
• Single set of legislation across Europe that
gives individuals get better control of their
personal data
• Became effective law in 2016
• 2 year grace period to get ready

MWLUG 2017
Why worry about it now?
“The GDPR is causing great concern for
businesses, with 50 percent of global
companies saying they will struggle to
meet the rules set out by Europe unless
they make significant changes to how they
operate.”
James Walker, UK MD, JAW Consulting UK
https://www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
Must be ready by Friday, May 25th 2018

MWLUG 2017
Legal Glossary
• Personal Data
• Controllers & Processors
• Data Protection Officers
• Profiling
• Breach & Notification
• Data Subject Access Requests

MWLUG 2017
Definition of ‘Personal Data’
“Any information relating to an person who can
be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an
identification number, location data, online
identifier or to one or more factors specific to
the physical, physiological, genetic, mental,
economic, cultural or social identity of that
person.”
A Summary of the EU General Data Protection Regulation: Peter Galdies DataIQ. 14th January 2016.
www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation

MWLUG 2017
Controllers & Processors
• Controllers
– Owners of the data
– Responsible for data security
– Make sure Processors are compliant
• Processors
– Work with the data
– Must take responsible actions with the data
• The relationship between Controllers and
Processor must be documented

MWLUG 2017
Legal Glossary (cont.)
• Data Protection Officers
– Public Authorities, Large scale processing of special types
of personal data
– Expert knowledge of DP laws
– Can be made tighter by EU Member States
• Profiling
– Any automated processing of personal data to determine
certain criteria about a person.
“In particular to analyse or predict aspects concerning that
natural person’s performance at work, economic situation,
health, personal preferences, interests, reliability,
behaviour, location or movements”.

MWLUG 2017
Legal Glossary (cont.)
– “a breach of security leading to the accidental or
unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed”
• Data Subject Access Request
– The right of the individual to understand what is
stored and how it is used

MWLUG 2017
Brief Summary
• If you collect any personal data of an EU
citizen, you need to comply
• Data subjects can
– ask for data
• There are Penalties for non-compliance

MWLUG 2017
Who it affects
• ANYONE who collects data about any EU
citizen that is identifiable to them
• Anywhere in the world
• No boundaries

MWLUG 2017
Privacy Management
• Data protection safeguards to be ‘built in’ to
systems. Data by Design
• Privacy-friendly – pseudonymisation
• Record keeping has increased emphasis
– Answering auditors
– Data Subject Access Requests
• The right to be forgotten

MWLUG 2017
Consent
• Consent to collect the data has to be given
– Does not have to be explicit
– Purpose for data collection has to be explicit
– Has to be demonstrable, how and when
• Withdrawing consent has to be possible
– Should be as easy as giving consent

MWLUG 2017
Breaches & Notification
– “a breach of security leading to the accidental or
unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed”
• 72 hours to notify supervisory authority
• May have to notify data subjects too

MWLUG 2017
WARNING!!!
• The next slide may make you sit up sharply in
your seat.
• You have been warned.

MWLUG 2017
Penalties
• Greater of €10 million or 2% of entity’s global
gross revenue
– Violation of record keeping, security, breach
notifications & privacy impact assessment
• Greater of €20 million or 4% of entity’s global
gross revenue
– Violations of legal justification for processing
(consent), data subject rights and cross-border
data transfers

MWLUG 2017
Please be ready

MWLUG 2017
Suggested minimum technical steps
• Firewalls
• User access control management functionality in Windows
• Unique passwords of sufficient complexity and regular (but not too
frequent) expiry on all devices
• Regular software updates
• Timely decommissioning and secure wiping of old software and hardware
• Real-time protection anti-virus, anti-malware and anti-spyware software
• Encryption of all portable devices ensuring appropriate protection of the
key
• Encryption of personal data in transit by using suitable encryption
solutions
• Implement secure configuration on all devices (including mobile phones)
• Put in place intrusion detection and prevention
• Data backup

MWLUG 2017
What can you do now?
1. Make key departments aware
2. Work out what you have
3. Get you minimum technical steps in progress
4. Revise existing privacy notices
5. Review procedures for new rights
6. Plan how to handle requests
7. Document your legal basis for your use of data
8. Review how you get consent and record it
9. Procedures for data breaches and checks
10. Appoint a Data Protection Officer

MWLUG 2017
Sources
• EU General Data Protection Regulation ratified: KPMG 2016
assets.kpmg.com/content/dam/kpmg/pdf/2016/05/EU-General-Data-Protection-Regulation-ratified-18-04-2016.pdf
• Guidance: what to expect and when: Information Commissioner’s Office.
ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/
• Overview of the General Data Protection Regulation (GDPR): Information Commissioner’s Office
ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
• Preparing for the EU GDPR: What You Need To Know: James Walker. SC Media 4th March 2016.
www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
• A Summary of the EU General Data Protection Regulation: Peter Galdies DataIQ. 14th January 2016.
www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
• EU Official Journal issue L 119
eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN
• Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. Information Commissioner’s Office 14th
March 2016.
ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• IBM – Little Bee books - How it works – GDPR
http://littlebeelibrary.com/pdfs/GDPR.pdf

MWLUG 2017
Questions
• Tim Clark
• tim_clark@bcc.biz
• TimsterC (Skype)
• Stephanie Heit
• stephanie_heit@bcc.biz
• Stephanie Heit (Skype)
http://bcchub.com

General Data Protection Regulation

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à General Data Protection Regulation

Similaire à General Data Protection Regulation (20)

Plus de BCC - Solutions for IBM Collaboration Software

Plus de BCC - Solutions for IBM Collaboration Software (20)

Dernier

Dernier (20)

General Data Protection Regulation

Notes de l'éditeur