
GDPR Scotland 2018

The conference will contextualise the changing regulatory landscape, considering the business impact of the GDPR and DPA (2018) and how it is changing policy and process in practice.

When GDPR came into force in May it significantly raised the bar of obligation and accountability, ensuring that all organisations who handle personal data adhere to strict regulations around privacy, security and consent. 6 months on from implementation, the conference will consider how data protection procedure has moved on, with insight from frontline practitioners reflecting on how practices within their organisation have changed.
The event will also provide an update from the regulator; exploring regulatory action policy, decision making for fines and penalties, and clarifying some of the most prominent areas of misconception and non-compliance.

Core conference topics include:

• Key legal issues and obligations
• Data security and encryption
• Privacy Impact Assessments
• Databases, data mapping and classification
• Privacy by design
• Practical strategy implementation


GDPR Scotland 2018

  1. Welcome to GDPR Scotland #gdprscot
  2. Mark Stephen, BBC Scotland @bbcscotland #gdprscot
  3. Ray Bugg, DIGIT @digitfyi #gdprscot
  4. Ken Macdonald, ICO @ICOnews #gdprscot
  5. Regulation in the GDPR Era. 5 December 2018. Ken Macdonald, Head of ICO Regions
  6. Why do we regulate?
  7. When do we regulate?
  8. How do we regulate? • Sets out the ICO’s powers for clarity and consistency about when and how we use them; • Ensures fair, proportionate and timely regulatory action to protect individuals’ information rights; • Ensures regulatory action is targeted, proportionate and effective; and • Assists in the delivery of the Information Rights Strategic Plan.
  9. Our Regulatory Activity: • conducting assessments of compliance; • issuing information notices; • issuing assessment notices; • producing codes of practice; • issuing a warning; • issuing a reprimand; • issuing enforcement notices; • administering fines; • administering fixed penalties; and • prosecuting criminal offences before the courts (not in Scotland!)
  10. Our Regulatory Objectives: 1. To respond swiftly and effectively to breaches; 2. To be effective, proportionate, dissuasive and consistent in our application of sanctions; 3. In line with legislative provisions, to promote compliance with the law; 4. To be proactive in identifying and mitigating new or emerging risks; and 5. To work constructively with other regulators and interested parties.
  11. We will consider… • the nature and seriousness of the breach; • the categories of personal data; • the number of individuals affected; • whether the issue raises new or repeated issues; • the gravity and duration of a breach; • whether the organisation or individual involved is representative of a sector or group; • the cost of measures to mitigate any risk; • the public interest in regulatory action being taken; • any other regulator’s action; and • any expressed opinions of the EDPB.
  12. Aggravating factors: • the attitude and conduct of the individual or organisation; • whether relevant advice or warnings have not been followed; • whether the DC failed to follow an approved or statutory code of conduct; • the prior regulatory history; • the vulnerability of the individuals affected; • any protective or preventative measures and technology available, including by design; • the manner in which the breach or issue became known to the ICO; and • any financial (including budgetary) benefits gained or financial losses avoided.
  13. When is a CMP likely? • a number of individuals have been affected; • there has been a degree of damage or harm; • sensitive personal data has been involved; • there has been a failure to comply with an information notice, an assessment notice or an enforcement notice; • there has been a repeated breach of obligations or a failure to rectify a previously identified problem or follow previous recommendations; • wilful action is a feature of the case; • there has been a failure to apply reasonable measures to mitigate any breach; and • there has been a failure to implement the accountability provisions of the GDPR.
  14. Determining the amount: 1. An ‘initial element’ removing any financial gain from the breach. 2. Adding in an element to censure the breach based on its scale and severity. 3. Adding in an element to reflect any aggravating factors. 4. Adding in an amount for deterrent effect to others. 5. Reducing the amount to reflect any mitigating factors, including ability to pay.
  15. Fixed Penalties: Tier 1: £400; Tier 2: £600; Tier 3: £4,000; up to a statutory maximum of £4,350 (DPA 2018 s155).
  16. Civil Monetary Penalties: Tier 1: €10 million or 2% of global turnover; Tier 2: €20 million or 4% of global turnover.
  17. The investigation has become the largest investigation of its type by any Data Protection Authority, involving online social media platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.
  18. Summary of regulatory action. CMPs: • Facebook – £500,000 CMP; • Emma’s Diary – £140,000 CMP; • Eldon Insurance (trading as Go Skippy) – £60,000 NoI (notice of intent); and • Leave.EU – £60,000 & £15,000 NoI. Enforcement Notices: • SCLE Elections; • AiQ; • Eldon Insurance Ltd. Criminal Proceedings: • SCLE Elections Ltd. Other Regulatory Action: • 11 Warning Letters; • 2 Audits; • 6 Assessment Notices; • Referrals to other Regulators / Police.
  19. @iconews. Keep in touch: subscribe to our e-newsletter at www.ico.org.uk. Email: scotland@ico.org.uk
  20. Claire Winn, Wood @WoodPLC #gdprscot
  21. Making the complicated simple. Claire Winn, Programme Manager, Data Privacy / Protection / GDPR
  22. Our Journey: from words to action, for May 18 and beyond. GDPR Strategy
  23. About Us
  24. Framework: 1. Our GDPR readiness state 2. Identified our business strategy 3. Reviewed, improved & shaped the Data Protection and Privacy Compliance Programme 4. Programme implementation 5. Review & transition to BAU
  25. People • Buy-in – we started at the top and had our highest level of management behind us all the way • Reward and promote the right behaviour • Understand what your employees need to know and how you can help guide them through the changes • Awareness – drive the culture change and mind-set around data privacy & data protection • Data Protection Ambassadors
  26. People – Training • Global layered training principle • Different levels for different roles • Entire business base-layer data privacy and data protection training, 2017 & 2018 • Took a central role in Wood’s new Code of Conduct • Targeted training for teams that access and manage high volumes of personal data – Contract teams, HR, Occupational Health, IT, Communications & Marketing, Business Development • Make your people your strongest asset, not the weakest
  27. Policies and procedures – the new challenges • We have reviewed and updated our policies/procedures and in particular focused on Subject Access Requests and our Breach Response procedure • To help ensure that we meet the new timeframes we developed templates/tracking tools that helped respond to SARs and breaches • Training and awareness was key • The OODA loop – Observe, Orientate, Decide and Act
  28. 2019 & GDPR • Wood has one SAR and one data procedure globally • 6 months in, Wood is continually reviewing our programme, aided by guidance from the ICO, other sources and open-source external experiences • We have kept our Sponsors and our Steering Group in place for our programme – we are ensuring that senior management are continually involved • We are now formulating our objectives for 2019 with our DPO
  29. Ivana Bartoletti, Gemserv @ivanabartoletti #gdprscot
  30. Privacy and Ethics in the era of Big Data and AI. Ivana Bartoletti – Head of Privacy & Data Protection
  31. Structure  The increasing importance of Big Data.  Decisions by Autonomous Systems (AI): definitions, law and challenges.  Privacy and ethics by design.  Design for values: where are we with AI?  Deploying algorithms: practical steps for machine–human cooperation. Gemserv 34
  32. The importance of Big Data  Organisations are increasingly looking towards data analytics to make more informed and efficient decisions.  Data analytics allows companies to make sense of data and develop patterns and predictions. Examples: A children’s doll, My Friend Cayla, uses a microphone, location data and information collected via an app to personalise messages and interactions with children. Online advertising systems characterise individuals into social and demographic categories on the basis of tracking their online behavioural interests. Smart homes monitor residents’ and homeowners’ use of appliances at home and behavioural habits, in order to reduce water and energy use. This allows such organisations to reduce costs, improve efficiencies and produce more tailored customer experiences and service offers.
  33. Decisions by Autonomous Systems (AI): Background  Artificial Intelligence (AI) can also play a role where such systems are self-learning, allowing for evolving analysis, predictive functions and even decisions.  Autonomous Systems are increasingly involved in taking decisions that replicate, or even replace, human decision-making. Within this process, an AI System analyses.  AI systems or programs can be particularly concerning from a data security and data protection perspective due to the lack of transparency of their effects on individuals. However….
  34. Big Data and Artificial Intelligence: do we need regulation?
  35. Decisions by Autonomous Systems (AI): Concepts. Definition  Article 13 of the GDPR requires meaningful information about the logic, significance and the envisaged consequences of automated decision-making for the data subject.  Article 22 of the GDPR limits “decision[s] based solely on automated processing” that similarly significantly affect data subjects. Regulation  Several regulatory authorities, including the Information Commissioner’s Office and the Norwegian Data Protection Authority (Datatilsynet), have issued opinions around using algorithms.  Industry bodies such as the Alan Turing Institute, AI Now Institute and the Institute of Electrical and Electronics Engineers (IEEE) have also issued guidance about assessing AI and Big Data systems for their technological and legal compliance, and many organisations are focusing on the ethics of AI.
  36. Decisions by Autonomous Systems (AI): Challenges. The key challenges for data processing and autonomous systems centre around compliance with three principles: Responsibility involves imbuing systems and processes with ethical values and considerations and ensuring that algorithms complement, rather than replace, human decisions. Fairness involves protecting individuals from the adverse effects of automation, and ensuring profiling is carried out in a fair and unbiased way. Transparency involves giving data subjects and, where possible, the public, an explanation of the processes and procedures involved in algorithmic decisions or profiling.
  37. Privacy and Ethics by Design
  38. Privacy and Ethics by Design. Organisations should consider privacy and ethical principles throughout the design of systems: Have you carried out a DPIA and/or Algorithmic Impact Assessment on automated decisions? Has liability been apportioned between third parties? Have decision-makers for the system been selected? Are appropriate access controls in place? Have APIs and user-facing features been designed with privacy and transparency in mind? Do you keep track of requests or complaints received? Do you have a procedure for ascertaining the effects of automated decisions? Are procedures for testing data accuracy in place? Are the uses of data/profiling made clear to data subjects? Are mechanisms for collecting consent in place?
  39. Design for Values: Where are we with AI? Systems need to be embedded with values chosen by the organisation. Training and testing of autonomous systems needs to identify whether any biased results emerge. Algorithmic functions need to be constrained to avoid weighting characteristics that could lead to bias. Developers and deployers need to agree an apportionment of liability if automated decisions go wrong. Example: Self-driving vehicles are an example of how values need to be embedded into automated systems. Different values may present a ‘trolley problem’ where, faced with a potential accident, the car must decide whose life to prioritise.
  40. Deploying Algorithms: Practical Steps  Human intervention may be necessary for GDPR compliance if decisions have legal or similarly significant effects.  Human intervention also may be necessary to allow decisions to be explained to individuals. Other steps can include:  At the design stage, humans should set the values for AI systems.  Humans should have control over system outputs.  Strict roles and responsibilities should constrain which humans can access AI systems.
  41. Any Questions? Ivana Bartoletti ivana.bartoletti@gemserv.com
  42. Questions & Discussion #gdprscot
  43. Refreshments, Exhibition & Networking #gdprscot
  44. www.rgdp.co.uk GDPR Scotland Summit 2018, 5th December 2018. GDPR – after the hype, how is the Data Protection Officer’s role working in practice? Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP. Mark Chynoweth: General Manager, RGDP LLP
  45. OR, based on the experience of RGDP’s DPOs… Some Top Tips for GDPR Compliance
  46. Agenda  Data Protection Principles  Audit of personal data  Reasons and legal bases for processing personal data  Privacy policies and cookies notices  Data protection policies  Controller / processor / data sharing relationships  Record of Processing  Security of the personal data  Direct marketing  Cross-border transfers  Training  DPO or Data Protection lead
  47. Principles  Under the overarching principle of Accountability, you are required to demonstrate compliance with the following data protection principles:  Lawfulness, Fairness and Transparency  Purpose Limitation  Data Minimisation  Accuracy  Storage Limitation  Integrity and Confidentiality
  48. Audit of Personal Data  Conduct this audit as the first step – it will inform much of what is to come  Identify:  where personal data is collected  what personal data is collected  what you use the data for  who it may be shared with  how long you need to keep the data  Document all this information in an asset register  Establish a process for keeping the audit or asset register up to date
  49. Reasons and Legal Bases  Know why you need to hold / process personal data – be sure that you have a valid reason  Identify the legal basis for processing each type of data you hold:  Consent  Contract  Legal Obligation  Vital Interests  Public Interest  Legitimate Interest  If you hold special category data you will also need to identify additional reasons for processing
  50. Privacy Notices  Also known as Fair Processing Notices.  GDPR specifies that information such as the purpose and legal basis for processing must be given to data subjects when you are collecting their personal data.  This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially if you are processing the data of a child or vulnerable person.  Separate and individually bespoke privacy or fair processing notices are required for different categories of data subjects.  Cookies policies on websites.
  51. Policies and Procedures  In addition to Privacy Notices, you should have an overarching data protection policy and policies covering:  Data Protection Impact Assessments  Breach Management procedures (including breach register)  Data Subject Rights (Subject Access Requests)  Retention  Security of Processing  Cross-border data transfers  Training  Other policies, e.g. HR, Social Media, Remote Working etc., should be checked to ensure that they are GDPR compliant – this can be done in slower time during routine policy updates.
  52. Data Sharing  You should establish whether you are a Data Controller or Processor for each category of personal data being processed:  Data Controller  Data Processor  Joint Controller  A Data Controller must carry out due diligence in relation to any Data Processor it employs and monitor compliance.  Contracts between Data Controllers and Processors should be updated with GDPR-compliant data protection clauses.  It is good practice to maintain a register of all contracts with the date when data sharing agreements or data protection clauses are agreed.
  53. Record of Processing  Organisations with over 250 employees.  Organisations with fewer than 250 employees.  The Record of Processing must contain the following information:  name and contact details of the controller, joint controller, controller’s representative and the DPO;  the purposes of the processing;  a description of the categories of data subjects and of the categories of personal data;  the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations;  transfers of personal data to a third country or international organisation;  time limits for erasure of the different categories of data;  a description of the security measures in place to protect the personal data.
  54. Security of Personal Data  GDPR insists on integrity and confidentiality of personal data.  Organisations must have technical and organisational measures in place to prevent unauthorised or unlawful processing and to guard against accidental loss, destruction or damage. Measures include:  Pseudonymisation  Anonymisation  Encryption  Security Standards  Back-ups  Vulnerability Scans and Penetration Testing  Access Controls
  55. Direct Marketing  Direct marketing includes sending out campaign messages and information as well as selling. Rules in relation to direct marketing are contained in the Privacy and Electronic Communications Regulations (PECR):  Post  Phone Calls  Emails and Text Messages  Business to Business (B2B) Marketing  Soft Opt-In  You must always offer an opt-out option.
  56. Cross-Border Transfers  Under GDPR, you cannot transfer personal data to a country outside the EU unless:  the country provides adequate protection, confirmed by an EU Commission “adequacy decision”;  an appropriate safeguard has been put in place between the data exporter and importer;  the data transfer is exempt from the requirements of the GDPR.  Appropriate safeguards  If no “adequacy decision” has been issued and it is not possible to use one of the appropriate safeguards, then as a last resort you may be able to rely on an exemption, e.g. consent, conclusion of a contract, if it is in the data subject’s interest, in the public interest, for legal claims, for vital interest or for legitimate interest.
  57. Other Requirements  Embed a culture of data protection throughout your organisation  Train your staff – induction and annual refresher training  Staff should know:  who to go to for help and advice – DPO or DP Lead  what and where the policies are held  what to do if they become aware of a breach  what to do if they get a data subject request
  58. So, in summary…
  59. Top Tips for GDPR Compliance  Bearing in mind the data protection principles:  Conduct an audit of personal data – know what personal data you hold and where  Understand the reasons why you need to hold / process it  Establish the appropriate legal basis for each type of personal data you process  Get your privacy notices and cookie notices right  Get appropriate data protection policies and procedures in place – ensure staff know about them  Understand your controller / processor / data sharing relationships and actively monitor third parties  Produce a Record of Processing  Ensure the security of the personal data you store / process – electronic and paper  Understand the rules for direct marketing (if relevant)  Understand the rules for cross-border transfers of personal data (if relevant)  Embed the culture – embrace the data protection principles and train your staff  Appoint a DPO or Data Protection lead (consider outsourcing!)
  60. Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP. Mark Chynoweth: General Manager, RGDP LLP. 5th December 2018. QUESTIONS?
  61. GDPR: Staff awareness & education. Creating a human intrusion detection system; Technology: human & augmented intelligence; Individual training plans; Gamified training; Passwords and the dark web
  62. GDPR: Human Intrusion Detection. What do we mean? An individual who is able to identify malicious activity and/or policy violations. Collectively, a group of individuals who are able to identify malicious activity and/or policy violations.
  63. GDPR: Technology, human & augmented intelligence. What do we mean? “Popular visions of artificial intelligence often focus on robots and the dystopian future they will create for humanity, but to understand the true impact of AI, its skeptics and detractors should look at the future of cybersecurity. The reason is simple: If we have any hope of winning the war on cybercrime, we have no choice but to rely on AI to supplement our human skills and experience.” Source: Joanne Chen, Foundation Capital, © Jan. 2017
  64. GDPR: Individual training plans. Use machine learning at mailbox level. Assess each employee’s ability to recognise threats. Each user automatically graded. Personalised training based on this ability. Users progress as knowledge increases.
  65. GDPR: Gamified training. Categorise users into different groups. Deliver interactive, micro-learning methods. Training delivered individually, supported by over 50 gamified videos and 1,000 HTML scenarios. Memorable and fun.
  66. GDPR: Passwords & the dark web. Database of over 500 million breached passwords, growing by around 10,000 each day. How do you know that your credentials are secure?
  67. Summary. Compliance is a journey. There is no silver bullet and everyone is compliant… until they aren’t. Education and awareness takes many forms, but again, is a journey. Technology aids awareness, builds knowledge and mitigates risk. To find out more about how CyberWhite, IronScales and Authlogics can assist, please visit our stand.
  68. Thank you. www.cyberwhite.co.uk CyberWhite Ltd @cyberwhiteltd @CyberWhiteLtd @TheRealDaveHorn
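Slide 66 asks how you would know whether your credentials are in a breached-password corpus. The check below is an added example, not code from CyberWhite, Authlogics or any of the presenters. It shows the k-anonymity range-lookup pattern popularised by Have I Been Pwned’s Pwned Passwords service: hash the password locally, send only the first five hex characters of its SHA-1, and compare the returned suffixes on the client, so the service never sees the password or its full hash. Everything here is an assumption made for the example: the breach corpus and its counts are constructed inline (not real breach data), and `range_lookup` stands in for the remote service.

```python
import hashlib
from typing import Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key format breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus for this example (NOT real breach data):
# SHA-1 digest -> number of times the password was seen. A real corpus
# holds hundreds of millions of entries and lives on the server side.
BREACH_CORPUS: Dict[str, int] = {
    sha1_hex("password"): 3_500_000,
    sha1_hex("123456"): 23_000_000,
    sha1_hex("letmein"): 250_000,
    sha1_hex("Summer2018!"): 1_200,
}


def range_lookup(prefix: str) -> Dict[str, int]:
    """Server side of a k-anonymity range query (stand-in for the remote API).

    The client sends only the first five hex characters of the digest; the
    server returns every suffix sharing that prefix with its count. The server
    never learns the full hash, so it never learns the password.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally.

    Returns how many times the password appears in the corpus (0 = not seen).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def password_acceptable(password: str, min_length: int = 8) -> Tuple[bool, str]:
    """Policy check: reject any password seen in a breach, whatever its complexity."""
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen:,} times in breach data"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "not found in breach data"


if __name__ == "__main__":
    for candidate in ("Summer2018!", "123456", "correct horse battery staple"):
        ok, reason = password_acceptable(candidate)
        print(f"{candidate!r}: {'accept' if ok else 'reject'} ({reason})")
```

The point of the policy function is that "Summer2018!" passes every classic complexity rule (mixed case, digit, symbol) and is still rejected because it appears in the corpus, which is why a breach check belongs in front of a complexity check. Against a real service the only change is replacing `range_lookup` with an HTTPS GET of the five-character prefix; the client-side comparison stays exactly as written.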
  69. GDPR Scotland: Handling DSARs Post GDPR. Helena Brown, Partner & Head of Data, Addleshaw Goddard LLP
  70. Life Post GDPR: Increased public scrutiny; Court cases – class actions; Enforcement notices
  71. Data Protection Law in 2018 – Quick Reminder. General Data Protection Regulation (“GDPR”): provides the general framework for handling personal data in Europe. Data Protection Act 2018: applies the GDPR in the UK and provides exemptions from certain rules, e.g. subject access requests. Should be read in conjunction with the GDPR. Note that the Data Protection (Charges and Information) Regulations 2018 require certain organisations to register with the ICO in the UK (in addition to the Article 30 Register). Privacy & Electronic Communications Regulations: specific legislation for electronic marketing including email, cookies and online behavioural advertising. This is currently undergoing review by the European authorities.
  72. What will we cover? ▶ The DSAR landscape post GDPR ▶ Managing requests ▶ What needs to be disclosed?
  73. The DSAR landscape post GDPR
  74. DSARs – the landscape post GDPR ▶ A disproportionately high volume of complaints to the ICO are about DSARs ▶ Most organisations are experiencing some increase in rights requests ▶ Easier now that requests can be made verbally, but identification is an issue ▶ Increase in requests for erasure ▶ Some requests for rectification … increase in awareness of rights – customers and employees
  75. Identifying a DSAR. Can be made in any format and even verbally (consider identification issues). Keep an eye on social media accounts. Valid if received by ANYONE in your organisation – think about training.
  76. What personal data needs to be disclosed?
  77. Personal data checklist… Individual must be directly identifiable from the data, but can also be data identifiable from other data held. Can include opinions made about an individual by another. Decisions & decision-making process may also be caught. Must “concern” the individual. Electronic records and relevant filing systems.
  78. Some Examples ► Common examples: name, address, date of birth, national insurance number, passport number, salary information, performance information ► Correspondence (emails, IMs) ► Opinions expressed about an individual ► Information from monitoring: phone calls; CCTV footage. Remember: the right is to information, not documents: it is acceptable to extract information provided context is retained.
  79. What needs to be provided? A copy of the personal data requested AND individuals also ‘have the right to obtain’: ▶ confirmation as to whether personal data are processed ▶ a copy of the personal data ▶ purposes of processing ▶ categories of personal data ▶ to whom data has been disclosed (in particular if overseas) ▶ how long data will be stored for ▶ the right to lodge a complaint with the ICO ▶ where the personal data was obtained from ▶ whether any automated decision-making has taken place
  80. Managing the response
  81. DSAR Response Steps. Step 1: Recognise / verify DSAR ▶ Identify the request as a DSAR ▶ Identify the individual ▶ Check what personal data is covered; is there enough information to locate the personal data? Step 2: Locate the relevant data. Use the search parameters given – can include: ▶ all e-mails and documents that relate to that individual; ▶ all hard-copy files that are structured by reference to the individual; ▶ voice recordings, photographs or CCTV images; ▶ information processed by data processors
  82. DSAR Response Steps (cont.) Step 3: Assess what should be disclosed ▶ is it personal data? ▶ does it meet the parameters of the request? (remove anything outside timescale or scope) ▶ consider exemptions. Step 4: Respond ▶ Securely provide the information requested, within 1 calendar month of the request. Step 5: Record ▶ Keep a record of searches done, information returned, and redactions and exemptions applied: you will be asked for these if the ICO investigates
  83. Focusing scope of request
  85. Managing a DSAR response: Exemptions (DPA 2018 and GDPR); Redactions; Remove non-“personal data”; Focus request: subject / timescale
  86. Excessive Requests? ▶ If a request is “manifestly unfounded or excessive”: ▶ a ‘reasonable fee’ to cover administrative costs can be charged, OR ▶ the request can be refused ▶ What is “manifestly unfounded or excessive” will be a high bar… disproportionate-effort cases under the old DPA 1998 may be relevant
  87. Is it actually personal data? ▶ Information must ‘relate to’ the identifiable individual to be personal data. ▶ This means that it does more than simply identify them – it must concern the individual in some way. ▶ To decide whether or not data relates to an individual, you may need to consider: ▶ the content of the data – is it directly about the individual or their activities?; ▶ the purpose you will process the data for; and ▶ the results of or effects on the individual from processing the data
  88. Some recent developments… ▶ Lonsdale v NatWest Bank (Sep 2018) ▶ Suspicious activity report – individual had accounts closed, made a claim and a DSAR ▶ On application to the High Court to strike out the DPA claim, held that personal data included: ▶ business decisions made by the bank; ▶ information relating to suspicious activity reports and reasons for closing accounts; ▶ data used to inform actions / decisions
  89. The Main Exemptions: Third party information; Management planning / forecasting; Legal professional privilege; Negotiations with requestor; References (given and received)
  90. Third Party Information Checklist  Has the individual consented?  Is it reasonable to comply without that consent? Remember you are not obliged to ask for consent.  Factors to consider include:  type of information  duty of confidentiality owed  steps taken to seek consent  capability of giving consent  express refusal of consent
  91. Any questions?
  92. We’d love to hear from you… HELENA BROWN, Partner, Head of Data, +44 (0)131 222 9544, +44 (0)740 773 5118, helena.brown@addleshawgoddard.com. ROSS MCKENZIE, Partner, +44 (0)1224 965 418, +44 (0)791 876 7330, ross.mckenzie@addleshawgoddard.com. JOANNE SNEDDEN, Managing Associate, +44 (0)131 222 9541, +44 (0)7501 463230, joanne.snedden@addleshawgoddard.com
  93. 93. GDPR: Managing 3rd and 4th Party Vendor Risk
  94. 94. Agenda 1 | Introduction 3 | Vendor Risk Management Today 2 | Vendor Risk Under the GDPR 4 | A Better Approach to Vendor Risk Management
  95. 95. Vendor Risk Under the GDPR
  96. 96. Vendor-Related Data Breaches on the Rise in 2018 Regulatory Liability Has Shifted “Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.” 5 million 150 million 92 million Credit & debit cards details exposed Health data records exposed DNA site customer details exposed Breaches and Regulations Make Vendor Risk a Priority
  97. 97. Terminology & Concepts Controller Processor ‘Controller’ means the natural legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Reference: GDPR Article 4(7) Copyright © 2018 OneTrust LLC. All rights reserved. Proprietary & Confidential.
  98. 98. Terminology & Concepts Controller Processor ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Reference: GDPR Article 4(8) Copyright © 2018 OneTrust LLC. All rights reserved. Proprietary & Confidential.
  99. 99. GDPR Context Responsibility of the Controller Article 24 Recitals 74-77, 83 Processor Article 28 Recital 81 Processing under a Controller or Processor Article 29 Transfer Subject to Appropriate Safeguards Chapter V (Articles 44-50), Recitals 101-116 Controllers are responsible for not only their own data protection measures, but also those of their processors. Copyright © 2018 OneTrust LLC. All rights reserved. Proprietary & Confidential.
  100. 100. GDPR Responsibilities of Controllers & Processors Summary • Controllers shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures • Processors shall not engage another processor without prior specific or general written authorisation of the controller. • Processors shall engage other processors only under the same data protection obligations • May not process personal data except on instructions from the controller Articles. 24, 28, 29 Scope All processing of personal data by a processor as instructed by a controller Other Requirements • Take into account nature of processing and risks (likelihood and severity) • Demonstrate compliance • Implementation of data protection policies Copyright © 2018 OneTrust LLC. All rights reserved. Proprietary & Confidential.
101. 101. Transfers Subject to Appropriate Safeguards (Articles 44-50). Scope: transfer of personal data to a third country or international organisation. Summary (controllers): transfers of personal data to third countries may take place only if one of three conditions is met, considered in this order: • an adequacy decision; • appropriate safeguards; • a derogation. Appropriate safeguards include: • a legally binding and enforceable instrument between public authorities or bodies; • binding corporate rules (BCRs); • “model clauses” (standard data protection clauses); • an approved code of conduct; • an approved certification mechanism.
  102. 102. Vendor Risk Management Today
  103. 103. The “Excel Hell”
104. 104. Why vendor risk management is hard today. Disjointed processes: no automation means time-intensive and costly work; outdated spreadsheets and data spread across multiple tools. 3rd, 4th and 5th party risks: limited visibility and limited mitigation; frequent sub-processor changes. Contract agreements: complex cross-team effort; many vendor variations and a lack of accountability; difficult documents to sift through. Global compliance: diverse laws create complexity (cross-border data transfers, breach notification, etc.). No central platform means outdated information and no risk tracking.
105. 105. Are You Able to Ask the Right Questions? Are you assessing vendors on an ongoing basis? Are your vendor data flows keeping your central data map and ROPA evergreen? Are you assessing 4th party vendors? Can you search all vendor contracts to know what data processing agreements are in place? Are you dependent on manual questionnaires, or can you pre-populate or scan data? Do you need to manually review the results of questionnaires? When risks are identified, do you have a central way of assigning ownership and tracking remediation? Can you easily demonstrate compliance and accountability if audited? When a vendor is offboarded, do you have evidence of data destruction and honoured confidentiality? Do you have a central way of detecting, tracking and approving sub-processor changes?
  106. 106. A Better Approach to Vendor Risk Management
107. 107. The Better Approach to Vendor Risk Management: proactive monitoring and detection; automated workflows; pre-defined databases of information; self-service and intelligent assessments.
108. 108. Steps to Better Vendor Risk Management. Onboard vendors: self-service portal; procurement integration; bulk import. Triage & assess risks: automate self-service assessments; utilise pre-built industry or customised templates; automated risk flagging; SIG & SIG Lite. Document & demonstrate: dashboards and reporting; feed into Article 30 records; contract and DPA management. Monitor vendors: automated vendor privacy scanning; 4th party and sub-processor auto-detection; pre-scheduled re-assessments. Offboard: off-boarding checklist; business, legal and vendor confirmations; attach evidence of the steps taken to offboard vendors.
109. 109. Step 1: Onboard. Identify vendors; bulk review; controller vs. processor; checklist and agreements; leverage guidance. Prioritise not just by risk, but by the expected long-term relationship with the vendor.
110. 110. Step 2: Triage & Assess. Build checklists relevant and specific to your business and type of vendors: 1. Get basic information. 2. What data is processed? 3. How is the data processed? 4. Prioritise by risk. 5. Send questionnaires.
111. 111. Step 2: Triage & Assess. SIG & SIG Lite assessment frameworks are available by default within tech solutions; combine and customise them, or create your own assessment from scratch. Automatic risk flagging and rules engine.
112. 112. Step 3: Document & Demonstrate. 1. Risks: what do you do with the risks identified? 2. Agreements: do you centrally store contracts and data processor agreements? 3. Article 30: how do you keep records up to date?
113. 113. Step 4: Monitor Vendors. Sources for sub-processor changes: the vendor’s sub-processor list RSS feed; a website or knowledgebase article; the contract or data processor agreement (DPA). Auto-send risk assessments to new sub-processors.
114. 114. Step 4: Monitor Vendors (diagram: your organisation, its 3rd party vendors, and each of their 4th party vendors). You can be held accountable for the vendors you work with. That includes the vendors your vendors work with. Monitor 4th party vendor changes.
115. 115. Step 5: Offboarding. Management: • Monitor expiration dates. • Ensure vendors are following proper confidentiality agreements. Roles & responsibilities: • Whose job is it to manage offboarding? Privacy team? Vendors? • Make sure this is clear in contracts. Backups: • Ensure backups are properly handled, both vendor backups and internal business backups.
116. 116. Operationalise the Process with Integrations: procurement / contract; GRC; project management; asset inventory / CMDB. Operational impact: IT and consulting resources for scaling vendor risk management.
117. 117. The #1 Most Widely Used Privacy Management Platform. PIA | DPIA | PbD | InfoSec assessment automation. Privacy program management: data protection by design and default (PbD); data inventory, mapping, records of processing; global readiness and accountability tracker. Vendor risk management: 3rd party privacy and security risk assessments; 4th party sub-processor auto-detection; vendor compliance scanning; contract and DPA management. Incident and breach response: privacy and security incident intake; incident risk assessment automation; global data breach law engine; notification and reporting obligations. Marketing consent, preferences and subject rights: cookie consent and website scanning; enterprise preference centre; universal consent management; data subject rights portal.
118. 118. Free GDPR Workshops: 4.5 IAPP CPE credit hours; OneTrust Certification Program in select cities; monthly GDPR webinar series hosted by top tier law firms and consultancies. RSVP today at PrivacyConnect.com. 2018 workshop schedule: Amsterdam, Dublin, Düsseldorf, Warsaw, Vienna, Manchester, Geneva, London, Zürich, Paris, Lisbon, Helsinki, Madrid, Tallinn, Bucharest, Copenhagen, Seattle, Portland, Chicago, Vancouver, Toronto, New York, Atlanta, Houston, Denver, San Francisco, Los Angeles, Rome, Stockholm, Brussels, Berlin, Munich, Oslo, Prague, Barcelona, Budapest, Hamburg, Belfast, Milan, Athens, Boston, Washington, Austin, Charlotte, Phoenix, Sydney, Singapore, Melbourne, Hong Kong, Auckland, Tel Aviv, Dubai, Abu Dhabi, Doha. ”This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.”
  119. 119. Visit Our Booth Product Demos Full Text GDPR Books Free Tools & Templates GDPR Workshops Let’s connect @OneTrust!
  120. 120. Authentication mechanisms and the GDPR Jon Langley Senior Technology Officer (Technology Policy) GDPR Scotland Summit Dynamic Earth, Edinburgh 5 December 2018
  121. 121. What do we mean by authentication?
122. 122. Types of authentication: something you know (password, PIN etc.); something you are (biometrics); something you have (certificate, key, card etc.).
  123. 123. What’s the problem with authentication?
  124. 124. People
  125. 125. Policies and procedures? The password used was the individual’s username with 01 after it. So it met the purely technical standard [that the organisation had in place], but was easily guessable and very definitely not in line with best practice or the advice we give to staff. “ ”
  126. 126. Technical solutions?
  127. 127. What does the GDPR say about authentication?
  128. 128. Nothing?
  129. 129. Article 32 - security ‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
  130. 130. What practical considerations can we make?
  131. 131. Consider the situation What personal data are you protecting? Who is using the system? What are the possible threats to the system?
  132. 132. Plain text and hashing algorithms
133. 133. Some specifics. Password managers: let people use them. Blacklisting: how to stop your users having bad passwords. Credential stuffing: can you defend against it? Regular changes: should we still do this? Admin accounts: consider higher levels of protection. Reset process: make sure it’s secure.
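The two slides above (“Plain text and hashing algorithms” and the blacklisting point) are where the Article 32 “state of the art” test actually bites for passwords. The following is an added example, not code from the ICO presentation or from any ICO guidance: it stores passwords with a salted, slow key derivation (PBKDF2-HMAC-SHA256 is my choice here; the iteration count is illustrative and should be measured on your own hardware), verifies them in constant time, and rejects passwords that pass a bare complexity rule but are still guessable, including the “username followed by 01” case quoted on the earlier slide. The denylist is a small constructed stand-in for a real list of breached and common passwords. An unsalted MD5 hash is included only for contrast with what the slide warns against.

```python
"""Password storage and weak-password checks: an added example, not code
from the ICO presentation. Assumptions (mine, not the slides'): PBKDF2-HMAC-
SHA256 with a per-user random salt, an illustrative iteration count, and a
small constructed denylist standing in for a real breached-password list.
"""
import hashlib
import hmac
import secrets

# Constructed denylist for the example; a real one is a large list of
# breached and common passwords, normalised to lower case.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome01"}

PBKDF2_ITERATIONS = 600_000   # illustrative; measure on your own hardware
SALT_BYTES = 16
MIN_LENGTH = 8


def is_weak(password: str, username: str = "") -> bool:
    """Policy checks that a bare length/complexity rule misses.

    Rejects denylisted passwords and passwords built from the username,
    the pattern behind the 'username followed by 01' case on the earlier
    slide, which met the technical standard but was trivially guessable.
    """
    p = password.lower()
    if len(password) < MIN_LENGTH:
        return True
    if p in DENYLIST:
        return True
    u = username.lower()
    if u and u in p:          # covers jsmith, jsmith01, xjsmithx ...
        return True
    return False


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    Storing the parameters beside the hash lets you raise the iteration
    count later and re-hash users on their next successful login.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False          # malformed record: never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def legacy_md5(password: str) -> str:
    """The 'plain text and hashing algorithms' anti-pattern, for contrast:
    unsalted and fast, so equal passwords collide and a GPU can test
    billions of guesses per second against a stolen table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(is_weak("jsmith01", "jsmith"))                     # True
    record = hash_password("correct-horse-battery")
    print(record)
    print(verify_password("correct-horse-battery", record))  # True
    print(verify_password("jsmith01", record))                # False
    print(legacy_md5("password"))        # identical for every user who picks it
```

Run the username check at registration and in the reset flow, not only at login; the reset path is where the slide’s “make sure it’s secure” point applies, and it is the path an attacker with a stuffed credential list will try second.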
  134. 134. What will authentication look like in the future?
  135. 135. Guidance
  136. 136. Passwords in online services
  137. 137. Other guidance
  138. 138. Summary • Authentication is potentially difficult − People will always take the route of least resistance, we have to allow for this • The GDPR requires you to take account of all the circumstances − Your authentication mechanisms must be tailored to specific circumstances
139. 139. Keep in touch: @iconews, /iconews, /icocomms, /company/information-commissioner’s-office. Subscribe to our e-newsletter at ico.org.uk, or find us on social media. Jonathan.langley@ico.org.uk
  140. 140. Best GDPR practice from the Marketing frontline Dr Simone Kurtzke, Programme Leader, MSc Digital Marketing, Robert Gordon University Jason Stewart, E-Commerce and Digital Manager, Aberdeen International Airport
  141. 141. • Brief history of permission-based marketing • Research: Consumer trust in data security • Compliant and fun: GDPR as opportunity • Case study: AGS Airports - Marketing after GDPR • Priority checklist for SME GDPR marketing What we’ll cover today
  142. 142. Permission-based marketing Permission marketing is an approach to selling goods and services in which a prospect explicitly agrees in advance to receive marketing information. Seth Godin, 1999
143. 143. Consumer consent in UK law • 1998 Data Protection Act covers data stored on computers but doesn’t define ‘consent’ • 2003 Privacy & Electronic Communications Regulations require opt-in consent for marketing messages – illegal to send unsolicited email (subject to the ‘soft opt-in’ for existing customers) • 2012 EU ‘Cookie Law’ – consent required to serve non-essential website cookies (e.g. for advertising and tracking)
144. 144. Permission as Privilege – Consumer research • Data security is the first driver of trust in brands – but 50% of consumers do not want personal data used at all (Kantar TNS 2018) • 72% of consumers think businesses, not government, are best equipped to protect them (PwC Protect Me 2017) • 60% of 16-18 year olds trust a machine over humans (40%) to protect their data / privacy (Edelman Trust Barometer 2018)
  145. 145. Implications for Brands • Provide data security reassurance – be explicit and comply (to reduce worry) • Be transparent – clearly communicate what data is used for (to generate trust) • Use consumer data to provide value / add utility (convenience / customer experience)
  146. 146. GDPR: Opportunity to build trust & be useful • Traditional lead gen activities – prize draws, ‘free’ Wi-Fi with pre-ticked e-newsletter sign-ups no longer possible • Data trust = competitive advantage • ‘Transparency in the intent’ – sceptical, informed consumers trust truthful brands offering tangible benefits • What is the VALUE of my CHOOSING to share my data with you?
  147. 147. GDPR Examples - Repermission
  148. 148. GDPR Examples - Repermission
  149. 149. GDPR Examples - Repermission
  150. 150. SuperOffice free trial sign-up GDPR Examples – Software Trial https://www.superoffice.com/
  151. 151. GDPR Examples – Enews opt-in (compliant) Sainsbury’s online account registration https://www.sainsburys.co.uk/
152. 152. GDPR Examples – Enews opt-in (non-compliant) Sainsbury’s magazine newsletter (date checked: 3/12/18) https://www.sainsburysmagazine.co.uk/newsletter
  153. 153. VisitScotland Enewsletter sign-up https://www.visitscotland.com/newsletter/ GDPR Examples – Enews opt-in (compliant)
  154. 154. Case study: AGS Airports - Marketing after GDPR
155. 155. About AGS Airports • We’re the second biggest airport group in the UK, comprising Aberdeen, Glasgow and Southampton Airports • Combined we look after 15 million passengers every year • The AGS Digital team is a stand-alone team working across the group • Pre-GDPR, we undertook a two-year project to get ready for the legislation changes
156. 156. A big brand, with a big audience: 1.92m collective social media followers for AGS; 10.01m emails sent to AGS customers YTD 2018; 251k customer records held on the collective AGS CRM database.
  157. 157. Using big data to personalise communications • Richer data = more targeted and contextual communications to our customers • The more we know about our customers, the more we can tailor their online experience
158. 158. GDPR – what’s changed for AGS? • Very little! At AGS we aim to exceed legislative requirements for data security • Appointment of a full-time DPO • Data security by design – procurement, IT, DPIAs, data audits, policy reviews etc. • Automated, encrypted and anonymised marketing data/transfers • No sharing of marketing data • More explicit and defined opt-in procedures • Redefined data retention policy • Higher degree of segmentation for marketing communications • “Hard” unsubscribes – opt out from one, opt out from all.
  159. 159. GDPR – what’s changed for AGS? • Established, loyal customer database • Average <0.5% unsubscribes • Open rates exceed 20% • Opt-out opportunities sent pre-GDPR • Links to unsubscribe and refreshed privacy policy • Unsubscribe rate just 1.2% • Key to establish already-engaged customer lists, and only communicate to engaged customers
  160. 160. Marketing data – what’s next for AGS? • Utilising consensually-provided data to personalise and improve the AGS passenger journey • API-driven data collection to CRM database • Real-time user segmentation and omnichannel, personalised communications • Examples: – Ability to provide ancillary products and services based on travel plans – Live real-time communications based on tracked flights – Send communications to people in the airport at this moment – Exclude customer segments from communications they are unlikely to be interested in using real-time data segmentation
  161. 161. Mobile app – launching Q2 2019 • Utilising real-time API customer data • Push notifications based on tracked flight • Ability to easily book and manage airport products such as lounge passes • Geo-fencing within the terminal environs to enable in-terminal push notifications Marketing data – what’s next for AGS?
  162. 162. Post purchase journey Using customer data to serve products and services that are relevant to their destination. Providing a service that is useful and easy to use for passengers. Marketing data – what’s next for AGS?
  163. 163. Making things easier… • Creating a “single-sign-in” across the website and booking systems • Allowing users to save and manage all of their flights, as well as their products booked. • Using PCI DSS compliant services to store and use customer data • Data powers “one click ordering” a world-first for airports. Signed-in user experience Marketing data – what’s next for AGS?
  164. 164. Signed-in user experience
  165. 165. Priority checklist for SME GDPR marketing
  166. 166. GDPR Marketing Priorities for SMEs 1. Review & audit opt-in status of existing database contacts 2. Create process & workflow for current & new data collection activity (incl. website and all marcomms collateral) 3. Gather opt-in consent from valuable existing contacts 4. Train sales team on compliant leads management
  167. 167. 5. Create process to handle data information requests 6. Create process for GDPR breaches (incl. crisis comms) 7. Review external partners / third party suppliers for compliance (incl. digital tools e.g. WordPress plug-ins, scheduling tools) 8. Update your privacy page 9. Create process for ongoing ‘best practice’ database management (for clean, compliant data) GDPR Marketing Priorities for SMEs
  168. 168. GDPR Marketing for SMEs – Key resources • Download and review marketing specific checklists (e.g. BusinessBrew, DMA) • ICO direct marketing checklist & Code of Practice (to be updated, currently in consultation) • ICO data protection self-assessment toolkit (includes direct marketing, data sharing & records management checklists)
  169. 169. Final words – The Benefits of GDPR • Higher quality leads • More accurate data • Better customer experience • Stronger relationships with customers • More effective Marketing
  170. 170. Questions?
  171. 171. Furkan Sharif Legal & General @landg_uk #gdprscot
172. 172. Data Stewardship for Accountability and Ownership. Furkan Sharif LLM (Information Management Consultant), 05/12/2018. Public
173. 173. GDPR as BAU – GDPR challenges • GDPR programme post 25/05 … the work starts NOW! • Change attitudes and behaviours: first-line ownership for PII – it’s not an “IT” problem! • How do we maintain a culture of data protection by design and default? • How can we manage the PII data lifecycle (structured and unstructured)? • How do we accurately maintain the Records of Processing Activities? • Where is the guidance and support within the 1st line, i.e. accessible SME knowledge? • Stay abreast of privacy law as the business evolves • Are GDPR controls stifling business growth, resulting in lost opportunities?
174. 174. GDPR MISSION STATEMENT “Successful implementation of GDPR is not just about new processes, but equally about empowering the business to take a proactive approach to encourage the right behaviours in order to maintain a culture where privacy is a default position”
175. 175. Why Data Stewardship? • Need for a conduit between Legal, the DPO and the shop floor: “speak the language with local knowledge” • 1st line DP SMEs (“human interaction”): first point of call for data protection • Accountable: embed and develop BAU compliance processes – SAR, breach notification process, DPIA and LIA (health checks) • Evidencing and documentation: maintenance of Records of Processing Activities (RPA), privacy notices, DPIAs, LIAs • Escalation: 1st line compliance coordination and escalation path to the 2nd line DPOM • Management information (“process efficiency”): daily / weekly / monthly MI reports to the 2nd line • Issue management: undertaking investigations and taking remediation actions • 1st line attestation with risk management framework evidencing • Communication and awareness: reinforcing key educational and training messages, promoting a proactive culture of data protection and information management
177. 177. Data Steward Accountabilities. SME: understand local business processing and systems; day-to-day application of the data protection framework. Communication: policy compliance – facilitate two-way communication between local business leadership and the 2nd line; security – liaison with IT Security when appropriate (TOM) and data governance activity. Evidencing & accountability: Record of Processing Activities (Art 30); Data Protection Impact Assessment (DPIA); SARs / rights process MI; coordinate the data breach escalation process and investigation. Data governance: provide local support and oversight in the delivery of the data protection framework; support for data classification; data retention and deletion. Management information (KPIs): data governance framework performance reporting; support the DPOM through the provision of needed management information; production and reporting of data-breach-related management information. Training & awareness: provision of training in support of the data governance framework; data classification training for updates and new entrants; GDPR training for updates and new entrants, in line with the dedicated training resource; support local business leadership and the DPOM in GDPR capability development.
179. 179. Data Steward Awareness Campaigns. CLAP campaign (Classify, Label And Print) • Posters and large banners (communications / awareness) • Introduction of Data Stewards to BUs • Posters on notice boards, printing areas, communal areas • Animations (“Tina the Trainer”), brand and characters from the GDPR programme • Newsletters from internal comms • Data Stewards conduct training, presentations, emails
180. 180. Communication
181. 181. Professional development of Data Stewards: Data Steward handbook; training (professional certificate); DPO support and encouragement; weekly stand-ups (forums); share knowledge.
182. 182. Success through the Stewardship Approach • Accountability- and ownership-driven approach • Documented and accurate RPA: transparency and ownership • Evolving processes fully embedded in the 1st line: periodic reviews • Proactive approach and knowledge sharing through the stewardship community • MI up to date, with evidence to support compliance for executive attestation • Business understands privacy risks and is accountable for mitigation actions • 2nd line SME oversight and support for 1st line privacy SMEs
  183. 183. Mark Evans Athene Secure @AtheneSecure #gdprscot
  184. 184. AtheneSecure Mark Evans MBA B.Sc.(Hons) FIP The New Business Opportunity CIPP/E, CIPM, CISM, CISSP Director – Athene Secure Ltd Pragmatic Data Protection. Emphatic Cyber Security.
185. 185. PRAGMATIC DATA PROTECTION The New Business Opportunity
186. 186. Peak Snake Oil: there is no silver bullet.
188. 188. The doctrinaire counter to “Snake Oil”: your own style, your own way, your own business.
190. 190. Pragmatism, built up over the following slides: • Efficiency: wasteful “just in case” is a dangerous luxury. • Engagement: telling the world that you’re taking data protection seriously. • Loyalty: the data subject must be central to business thinking. • Protection: asking your supply chain those ‘awkward’ questions. • Introspection: evaluating and improving. • The Future: your corporate DNA.
199. 199. “A good plan violently executed now is better than a perfect plan executed next week.” George S. Patton
200. 200. Incremental steps to improvement
201. 201. It’s not all about “size”… (of budget)
202. 202. There’s money to be saved!
203. 203. Watch competitors stumble…
204. 204. When ‘bad publicity’ is simply bad publicity…
208. 208. ICO - Interesting Coat Outfitters #interestingcoatoutfitters
209. 209. Watch competitors stumble… There’s money to be made!
210. 210. Put out fires for your competitors’ customers: clean up the mess your competitors have made for their data subjects, who are your new customers.
213. 213. Let your customers know that you love them… and continue to prove it!
214. 214. Make the road as smooth as possible for: • your business • your team • your customers • the regulator - and enjoy the journey.
215. 215. Thank you. Mark Evans MBA B.Sc.(Hons) FIP, CIPP/E, CIPM, CISM, CISSP, Director – Athene Secure Ltd. Pragmatic Data Protection. Emphatic Cyber Security. @markxavierevans mark.evans@athenesecure.com
216. 216. Panel Discussion Dr Simone Kurtzke Claudia Pagliari Furkan Sharif Mark Evans Jonathan Langley #gdprscot
  217. 217. Questions & Discussion #gdprscot
  218. 218. Drinks and Networking #gdprscot