The document discusses preparations for the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key GDPR requirements such as conducting privacy impact assessments, obtaining explicit consent, data breach notification, and appointing a Data Protection Officer. The presentation recommends organizations undertake a data discovery and gap analysis to assess compliance needs. Penalties for non-compliance under GDPR are also highlighted.
6. www.exponential-e.com
GDPR OVERVIEW
But how can GDPR add value to my business as a VAR?
Your clients have been caught on the hop with GDPR …As have all of us…
The majority of companies are ill-prepared, but now understand the serious ramifications of non-compliance
And they need help…
• Help in preparing for GDPR: Discovery and Remediation plans
• Many are looking to simplify their data structures & IT systems (Transition to Cloud)
• Consultancy & Professional Services – Exponential-e & Newable can help you in these areas
• GDPR is becoming high-profile. It is opening many doors to many opportunities
7. www.exponential-e.com
GDPR OVERVIEW
GDPR Overview
This morning, we will cover off many questions about GDPR Compliance such as:
• Understanding the implications of GDPR
• Understanding the new obligations to achieve compliance.
• Preparing for GDPR: Discovery and Remediation plans
• What exactly is ‘explicit consent’?
• What are the implications for my data stored in my CRM system?
• What is the ‘right to be forgotten’ and what does this mean for my data?
• What does ‘pseudonymisation’ mean for all my encrypted data files?
• Will the auditors sign off my 2018 accounts if we are not GDPR compliant next year?
• Do we ALL now really need a Data Protection Officer?
8. www.exponential-e.com
GDPR OVERVIEW
GDPR Overview
• The General Data Protection Regulation (GDPR) is the European’s view on what the baseline expectations are
for processing personal information of EU citizens as we continue through the digital revolution
• The GDPR introduces a raft of onerous and complex requirements and regulations
• Importantly, for the first time we will have a single set of privacy rules across EU member states, and this
harmonization goes even further as the GDPR has cross-territorial implications
• It comes into force in the UK in May 25th, 2018 – And we all have a lot of work to do!
We have 325 days left to prepare for GDPR
10. www.exponential-e.com
GDPR OVERVIEW – SIMPLE GAME PLAN
2
DO AN
ASSESSMENT
Undertake a broad
Data Protection
Assessment of your
organisation
3
DO A GAP
ANALYSIS
Compliance: Where
you are vs Where you
need to be for GDPR
6
DECIDE IF
A DPO IS
REQUIRED
Become aware
and take action! 1
TAKE ACTION
Roll out training across
your organisation
Create a detailed Compliance
Roadmap with clear timelines
4
TRAIN YOUR
STAFF
5
CREATE A
ROADMAP
If you need to appoint a qualified
Data Protection Officer
12. www.exponential-e.com
GDPR OVERVIEW
THE DRIVE TOWARDS DATA PRIVACY
The interdependence between data sharing and data privacy
• Companies know more about their customers than ever before. In the last 24 hours, your company probably
amassed more information about customers than was conceivable a decade ago
• As consumers, we benefit from this closeness. The fitness apps that tracks our steps, the messaging apps we
use to send pictures from the beach, or the telematics technology in our cars that lowers our insurance
premiums
• When we use our iPads and smart phones there is often an assumed understanding: we’ll give you our
information in exchange for the service or product that makes our lives easier, richer and sometimes cheaper.
This is the trade-off at the heart of the data economy
• But there are limits to this trade-off. People are increasingly aware that companies are collecting, using,
retaining and sharing their information - including buying and selling it! And they are growing uneasy . . .
13. www.exponential-e.com
GDPR OVERVIEW
THE DRIVE TOWARDS DATA PRIVACY
The interdependence between data sharing and data privacy
• But our willingness to share our personal information varies dramatically
according to gender, age, wealth, nationality and education . . .
• More than 50% are willing to share information about gender, ethnicity & education whilst
less than 20% are willing to share their income, location, medical records or address.
• Surveys reveal that 43% of people are uneasy about smart meters in their homes
• Many people in all countries are concerned about wi-fi data analytics and
web-browser spying
• In spite of our ‘uneasiness’ in the way corporates are utilizing our data, personal data is
the fuel of the digital future and the enabler of disruptive technologies
14. www.exponential-e.com
The interdependence between data sharing and data privacy
• Hence, GDPR marks a fundamental shift towards the view that PRIVACY must be at the
forefront of organizations’ minds when dealing with our personal data
• It is the most comprehensive attempt to define a coherent regulatory framework for privacy.
Governments around the world are sharpening their focus on the issue and introducing
legislation to offer greater protection to consumers — and far harsher penalties for
violations
• Hence, companies need to consider a new attitude to privacy—and they need to do it
quickly to minimize the risks to their balance sheet and their reputation
• GDPR CATAPULTS PRIVACY towards the top of organizations’ risk radars
GDPR OVERVIEW
THE DRIVE TOWARDS DATA PRIVACY
15. www.exponential-e.com
PREPARING FOR GDPR
ICO CHECKLIST SUMMARY
1. Awareness (Raising awareness throughout the organisation) 7. Explicit consent (Most important implications)
2. Review the information you hold – (Data Discovery) 8. Children (Extra measures if you process child personal data)
3. Review the current privacy notices you send 9. Data breaches (Must be reported within 72 hours)
4. Individual Rights 10. Data Protection by Design – (Promotes Privacy & Data Protection)
Check your procedures to ensure they cover all the rights
individuals have, including how you would delete personal data or provide 11. Data Protection Officer (Do you need one?)
data electronically and in a commonly used format. 12. International – Cross – border trading checks
The main rights for individuals under the GDPR will be:
• subject access
• to have inaccuracies corrected
• to have information erased (The right to be forgotten)
• to prevent direct marketing (Compromises your CRM system)
• to prevent automated decision-making and profiling
• data portability
5. Subject Data Requests (Will be 30 days)
6. Legal basis for processing personal data
* https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
ICO: GDPR Preparation Recommendations – 12 Point Checklist*
16. www.exponential-e.com
GDPR COMPLIANCE
GDPR Compliance
• Although we only have 325 days – DON’T PANIC!
• The burden of compliance may be less onerous if you are ISO 27001/9001 or FCA accredited.
Processes may already exist for data privacy, disclosure, retention and management
• Many companies already employ Data Protection or compliance personnel
• Finally, Exponential-e & Newable can help guide you through the entire GDPR compliance process
starting with your Data Discovery and Remediation plans that Mark Childs will detail later on . . .
20. Before we start
BREXIT
We are not off the GDPR hook. In fact, the UK will have to try extra-hard to prove
Adequacy.
4 July 2017PRIVATE AND CONFIDENTIAL3
21. Timetable
― EU directive formally adopted 25 May 2016
― 2 year implementation period
― Becomes law on the 25th May 2018 – everyone must be compliant by then.
― DCMS is still working on the UK legislation!
PRIVATE AND CONFIDENTIAL4 4 July 2017
22. The ‘New Y2K’
― An immovable deadline
― A technical deliverable
― A skills shortage
― Cue – PANIC in the boardroom
― Beware the snake oil salesmen
PRIVATE AND CONFIDENTIAL5 4 July 2017
23. Beware
― No quick fixes
― If it seems to good to be true…..
― It is not possible to be ‘compliant’ yet – you can at best be ‘ready’
― Over 50 Articles yet to be fully defined
PRIVATE AND CONFIDENTIAL6 4 July 2017
24. But – good news for IT!
― GDPR – the business finally has to accept ownership of its data
― It is no longer “IT’s problem”
PRIVATE AND CONFIDENTIAL7 4 July 2017
25. General Data Protection Regulation
― Establish a single, pan-European law to replace the current inconsistent
patchwork of national laws
― Modernize the principles enshrined in the 1995 Data Protection Directive
― Immature internet
― No “cloud”
― No Facebook, Twitter, etc.
― No smartphones
― But, new principles much the same as the old ones
PRIVATE AND CONFIDENTIAL25 4 July 2017
26. Benefits of the new Regulation
― Benefits for organisations
― One EU market, one law
― One-stop-shop – a single supervisory authority
― Same rules for all organisations
― Even those outside the EU
― Benefits for EU citizens
― Better data security
― Putting people in control
PRIVATE AND CONFIDENTIAL9 4 July 2017
27. Some definitions
― More personal data covered (e.g. IP addresses; URLs)
― 'Pseudonymised data' is personal data
― Sensitive personal data extended (genetic, biometric, sexual orientation)
― Manual records extended (structured or unstructured)
― Main establishment and one stop shop: likely to involve a "concerned
supervisory authority"
― Issues resolved at the European Data
Protection Board
PRIVATE AND CONFIDENTIAL27 4 July 2017
28. Data processing activities
― No requirement to notify ICO
― Data Controllers and Data Processors must keep a record of their processing
activities
― Must make available to the ICO on request
PRIVATE AND CONFIDENTIAL28 4 July 2017
29. Impact assessments
― Requirement to perform privacy impact assessments
― Specifically where the processing of personal data is ‘likely to result in a high risk for the rights
and freedoms of individuals’
― Eg when processing personal data through new technologies or when engaging in people
profiling
PRIVATE AND CONFIDENTIAL29 4 July 2017
30. Impact assessments
― If assessment reveals that processing of personal data would result in a high risk
(eg due to the absence of mitigating controls), data controllers will be required to
consult with the ICO
― If the ICO believes that any processing of personal data would be non-compliant
with the Regulation then:
― Advise data controller on how to proceed
― Require an organisation to undergo a data protection audit
PRIVATE AND CONFIDENTIAL30 4 July 2017
31. Consent
― Consent given by data subjects must be “unambiguous” for all processing of
personal data
― Requires a “clear affirmative action”
― Consent has to be “explicit” for sensitive data
― Silence, pre-ticked boxes or inactivity does not constitute consent
― Must have an audit trail
― List brokers?
PRIVATE AND CONFIDENTIAL31 4 July 2017
32. Liability
― Data controllers and data processors have shared liability
― Even more important to have proper contractual arrangements in place
― Processors as well as controllers must provide a security level “appropriate” to
the processing risks
― Risk assessments for each customer
― Varying standards of data security for different
types of processing
PRIVATE AND CONFIDENTIAL32 4 July 2017
33. Data Protection Officer
― Mandatory appointment of a DPO for
― Public authority or body
― Those who monitor data subjects on a large scale
― Core activities process sensitive personal data
― ICO says so!
― Can be outsourced
― Must be…
― involved in all issues which relate to the protection of
personal data
― provided with necessary resources to perform their
required tasks
PRIVATE AND CONFIDENTIAL33 4 July 2017
34. Data Protection Officer tasks
― To inform and advise the data controller, data processor and their employees of
their regulatory obligations
― To monitor compliance with the Regulation. Including…
― Policies
― Assignment of responsibilities
― Raising awareness and training of staff
― To provide advice, related to data protection
impact assessments and to monitor impact
assessment performance
― To cooperate with the ICO
― To act as the contact point for data subjects and
the ICO
PRIVATE AND CONFIDENTIAL34 4 July 2017
35. Data Protection Officer position
― The Data Protection Officer must not receive any instructions regarding the
exercise of these tasks
― Independent, whether or not an employee
― They shall not be dismissed or penalised for performing
their tasks
― The Data Protection Officer shall directly report to the
highest management level of the controller or
the processor
PRIVATE AND CONFIDENTIAL35 4 July 2017
36. Data breaches
― ICO must be notified within 72 hours of becoming aware of the breach
― Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay
should accompany the notification and information may be provided in phases without undue
further delay
― The notification must at least…
― Describe the nature of the breach
― Communicate the name and contact details
of the Data Protection Officer or other
contact point where more information can
be obtained
PRIVATE AND CONFIDENTIAL36 4 July 2017
37. Data breaches
― Fines for unprotected data breaches will range up to €20 million or 4% of annual
global turnover (whichever is higher!)
― If you suffer a breach and can show that the personal data can't be accessed by
unauthorized people (e.g. it was encrypted):
― The likelihood of being fined should be very greatly reduced
― You won't need to notify affected data subjects of the breach
PRIVATE AND CONFIDENTIAL37 4 July 2017
38. Data portability
― Where processing of personal data is carried out
by automated means, the data subject should be
allowed to receive their personal data in a
structured, commonly used, machine-readable
and interoperable format and transmit it to
another controller.
― The data subject has the right to request that the
data is transmitted directly from controller to
controller where technically
feasible.
PRIVATE AND CONFIDENTIAL38 4 July 2017
39. Contacts
Data protection by design
― Data protection must not be treated
as an afterthought or ignored
altogether
― Consider when…
― Building new IT systems for storing or
accessing personal data
― Developing policy or strategies that
have privacy implications
― Embarking on a
data sharing initiative
― Using data for new
purposes
PRIVATE AND CONFIDENTIAL39
Portfolio
Service
4 July 2017
40. Contacts
Data protection by design
― Potential problems are identified at
an early stage, when addressing
them will often be simpler and less
costly
― Increased awareness of privacy and
data protection across an
organisation
― Organisations are more likely to meet
their legal obligations
― Actions are less likely to be privacy
intrusive and have a
negative impact on
individuals
PRIVATE AND CONFIDENTIAL40
Portfolio
Service
4 July 2017
41. Codes of practice
― Codes of practice (or "codes of conduct" to use the correct Regulation-speak)
become more important
― If one DP authority produces a code of practice it can be more or less adopted in
other countries
― European Data Protection Board has a role
PRIVATE AND CONFIDENTIAL41 4 July 2017
42. Codes of practice
― In the UK there are already Codes of Practice in areas such as Marketing, CCTV,
Human Resources, Direct Marketing, Subject Access, Privacy Impact
Assessments, Personal Information Online and Data Sharing
― Aligning data protection procedures now with the content of ICO Codes of
Practice should get you ahead of the field
PRIVATE AND CONFIDENTIAL42 4 July 2017
43. Suggested Codes of Conduct
― Processing in the data controller's legitimate interests
― Consumer rights & dispute resolution procedures
― Fair data collection and transparency re data processing
― Pseudonymisation of personal data
― Exercise of their rights of data subjects
― Protection of children
― Security of processing and data loss
― Transfers of data to other countries
PRIVATE AND CONFIDENTIAL43 4 July 2017
44. What to do now?
― Be compliant with the DPA 1998!
― Know what personal data you process
― Data permeation maps
― Where does the data come from?
― What do we do with it?
― Where does it go?
― Information asset inventory
PRIVATE AND CONFIDENTIAL44 4 July 2017
45. What to do now?
― Ensure policies and procedures are up to date and relevant
― Review information security arrangements
― In processing personal data, be
― Fair
― Transparent
― Understand your basis of data processing!
PRIVATE AND CONFIDENTIAL45 4 July 2017
50. Why do you need a Gap Analysis
― The GDPR contains 99 articles
― Article “a separate clause or paragraph of a legal document or agreement, typically one outlining
a single rule or regulation”
― The GDPR contains 173 recitals
― Recital “the part of a legal document that explains its purpose and gives other factual information”
― Do you think you have the capability to successfully
interpret all of these on your own?
4 July 2017PRIVATE AND CONFIDENTIAL50
51. There is a lot of rubbish talked about GDPR!
― If somebody tells you they can make you GDPR compliant they simply aren’t
credible!!
― The GDPR will be enforced from May 2018 and is now well into the implementation period
― EU member states are able to vary aspects of the GDPR even though it is a Regulation, designed
to harmonise data protection law. These parts that can be varied are known as derogations
― The Department of Culture, Media and Sport (DCMS) who run the consultation said: “The UK
pressed hard throughout negotiations to ensure that the GDPR does not place unnecessary
burdens on business. There are also derogations (exemptions) within the GDPR where the UK
can exercise discretion over how certain provisions will apply.”
― An example of a derogation in the GDPR is the age of consent for children, which can be set
between 13-16 years old. It is up to a member state to decide and this consultation will address
these questions
PRIVATE AND CONFIDENTIAL51 4 July 2017
52. NO YOU WON’T!!!!!
So where does that leave us?
― There are still 50 articles that the DCMS needs to ratify.
― Well on the basis I’ll wait then…..
PRIVATE AND CONFIDENTIAL52 4 July 2017
53. The Act comes into force May 2018!!
― All countries in the EEA will need to be fully complaint with all of the requirements
at this time
― Failure to do so and you are risking considerable fines and reputational damage
to your business
― The current fines regime is set at €20 million or 4% of your annual global turnover, whichever is
the higher
― Countries who process European Subjects data are not exempt
― For example, if you have offices in the Middle
East and process European Subject Data you
are “in-scope”. Furthermore, you will require
an established business presence in the EEA
PRIVATE AND CONFIDENTIAL53 4 July 2017
54. So what does a Gap Analysis look like?
― There is no such thing as a “typical gap analysis”
― All organisations are different so the duration required to preform one ranges from
days to weeks to months depending on size, complexity etc.
― So where do you start?
― Do you understand your “Data Estate”?
― Are you able to evidence this?
― Do you have an Information Asset Inventory?
― Are you able to evidence this?
― Do you have a record of all of your 3rd Parties who process
personal data on your behalf?
― Are you able to evidence this?
PRIVATE AND CONFIDENTIAL54 4 July 2017
55. So what does a Gap Analysis look like?
― So where do you start?
― Have all of your staff including contractors, part-time, volunteers etc. received Data Protection
Awareness Training and do they receive this on a regular basis?
― Are you able to evidence this?
― Have you received unambiguous Positive Consent from all of your Staff, Clients etc.as to how
you intend to process their data?
― Are you able to evidence this?
― Have you received unambiguous Positive Consent from all
of your clients held on your current CRM system(s) as
to how you intend to process their data?
― Are you able to evidence this?
PRIVATE AND CONFIDENTIAL55 4 July 2017
56. Should I be concerned?
― If you aren’t then you should be!!
― GDPR is probably the single most ground breaking piece of legislation that has
come into force in the past 20yrs
― The Gap Analysis is just the start of it. This will:
― Identify as to where you are and aren’t complaint with the proposed GDPR
― It will provide you with a set of Data Permeation Maps,
which map your respective personal data flows in the
business; this will include both Logical and Physical
data namely your Data Estate
― It will provide you with an indication of the effort
required to bring yourself to being GDPR ready
― So what's next?
PRIVATE AND CONFIDENTIAL56 4 July 2017
57. Remediation plans
― Please don’t underestimate the time you will require for remediation
― GDPR came into force in May 2016 and you have until May 2018 to be compliant
― 2 years is probably a reasonable estimate as to how long it would take the
average business to perform a gap analysis and put in place controls and
measures, to demonstrate that they were GDPR ready
― No matter what the size or complexity of your organisation GDPR will have an
impact on how you do business
― Unfortunately most businesses have significantly underestimated the impact of
GDPR or are simply in denial!
PRIVATE AND CONFIDENTIAL57 4 July 2017
58. Remediation plans
― Lets start with some good advice. As a minimum you will need to consider:
― Data Permeation Maps
― Data Inventory
― Data Protection Officer
― Data Protection Training and Awareness
― Data Protection Policies and Procedures
― Third Party Assurance Programme
― Third Party Contracts
― Penetration Testing and Vulnerability Analysis
PRIVATE AND CONFIDENTIAL58 4 July 2017
59. Remediation plans
― Lets start with some good advice. As a minimum you will need to consider:
― The Right To Be Forgotten
― Subject Access Requests
― Privacy by Design
― Privacy Impact Assessments
― Positive Consent
― CRM Systems
― CCTV
― Data Portability
― Cross Border Transfers
PRIVATE AND CONFIDENTIAL59 4 July 2017
60. What to do now?
― There is no time like the present:
― Get yourself a copy of the GDPR
― Perform a Gap Analysis
― Produce a Remediation Plan - You have exactly 1 year to get yourself GDPR ready
― Do not underestimate the time and effort required - YES it is going to cost ££s so budget for it.
― Ignore it at your peril!!!
PRIVATE AND CONFIDENTIAL60 4 July 2017
63. www.exponential-e.com
CYBER SECURITY BY DESIGN
• GDPR, Articles 25, 32, 33,34, and 35 contain details on securing data
• The Top Five
• Discover the weaknesses
• Privacy by Design = Security By Design
• Security Appropriate to Risk
• The Principle of Least Privilege
• Better Control of Customer Data
• How can we support you?
64. www.exponential-e.com
DISCOVER THE WEAKNESSES
• The world of self denial!
• Your own audit will not find it!
• Independent assessment of where you are.
• Exponential-e provide access to trusted renowned partners in this field.
• Pen Test Partners LLP.
• We facilitate! Its the customers report!
• And they are accredited.
65. www.exponential-e.com
PRIVACY BY DESIGN
SECURITY BY DESIGN
We take Security Seriously:
• All our Solutions Engineers are trained to High Standards.
• Platinum Partner with Fortinet.
• MSP Partner Palo Alto.
• Gold Partner for Gemalto / Safenet.
• Senior Partner for Foresite.
• Only MSP Partner for Sentinel One.
• We design based on the solution you need.
• Our Partners ensure we are well trained.
66. www.exponential-e.com
SECURITY APPROPRIATE TO RISK.
THE PRINCIPLE OF LEAST PRIVILEGE.
• How do you judge these two?
• Evaluate the risk and impose the security!
• How often do you review users privileges?
• Advanced Security Monitoring
• Log collection and correlation from any device under one pane of glass!
• Generates reports
• Has 24 x 7 Analyst support
• Alerts and advice on remediation
67. www.exponential-e.com
BETTER CONTROL OF CUSTOMER DATA
Where’s The Cloud for Exponential-e ?
• Cloud Storage is located within UK Borders.
• We Provide encryption.
• Structured Storage offering dedicated arrays.
• Which means that customers can store in a
structured, searchable, encrypted platform their
essential data which is already GDPR ready!
What does The Exponential-e Cloud provide to our
Customers ?
• Information Governance.
• Configurable to meet regulatory and compliance
standards.
• Provides a Data classification application
• On Structured and unstructured data
• Regardless of where data resides (premises or
Cloud).
• Data ownership, Data retention periods, Data
Sensitivity.
69. www.exponential-e.com
A UNIFIED PLATFORM
• By knowing exactly where personal data lives across your organization, you can:
o Identify the presence of personal data in all data locations.
o Automate special handling of information with standard data policies (i.e., access control, security,
encryption, retention).
o Support the export and erasure of personal data from all data sources.
o Detect and delete unneeded copies of personal data.
o Maintain an auditable chain of custody on an individual's personal data.
o Understand data leakage risk and speed up data breach analysis.
70. THE
SECURITY PRODUCT
PORTFOLIO
Customer Applications
Internet
Customer Perimeter
Customer VPN / Network
Ransomware Protection
Email & Content Filter
Next Gen UTM
Pen Test & IT Health Check
DDoS Mitigation
GRC Consultancy
Advanced Firewall Monitoring
Multi Factor Authentication
Next Gen Firewall
Web & URL
HAVE REQUESTED FROM DAVID - PRODUCT
Portfolio areas broken down in to 6 key areas (AS ABOVE) – Note underpinned by our security offering – From our infrastructure/VPLS technology, our multiple services and other security services
Portfolio has been developed alongside our customers based on Innovation and bringing new services to market
Our drive is to develop a portfolio and roadmap that meets all the needs of our customers
Services and delivered in-house and as part of the Exponential-e team and delivered and supported by higher qualified, accredited and experienced team
Our services come with industry leading SLA’s – end to end sla’s covering all services
Our services are delivered on best of breed infrastructure – Cloud, UCC and state of the ART VPLS network
Your xxx is only as good as your network
GDPR is the strait-jacket of privacy being fitted to the good, the anarchic and the ugly exploiters of our personal assets
200,000 of these €500 notes!
By eliminating the need for multiple point products to manage your data, Commvault software does more than just lay a foundation for GDPR compliance — it also helps you improve operational efficiency, gain business advantage and boost employee productivity.
By eliminating the need for multiple point products to manage your data, Commvault software does more than just lay a foundation for GDPR compliance — it also helps you improve operational efficiency, gain business advantage and boost employee productivity.