GDPR and security go hand in hand, but remember that GDPR is not a one-off: it is a living process. This top-level brief has been used to secure GDPR training sessions.
2. HOW MUCH IS YOUR BUSINESS WORTH?
Your data is at risk
Keep your WITS about you 2
3. CYBER ESSENTIALS
Protecting your Data
The badges are not the answers; they just come with the results.
4. GDPR
General Data Protection Regulation
5. Principles (Article 5)
• Lawful, fair and transparent (Article 5(1)(a))
• Expected by the person whose data it is (Article 5(1)(b))
• Just enough data to do what you’re doing (Article 5(1)(c))
• Accurate (Article 5(1)(d))
• Only kept as long as necessary (Article 5(1)(e))
• “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” (Article 5(1)(f))
• “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)” (Article 5(2))
6. Under GDPR, Data Subjects have the right to…
• …know what’s going to be done with the data (Article 13)
• …copies of all the data being processed (Article 15)
• …have incorrect data corrected (Article 16)
• …have the data erased (Article 17)
• …restrict processing (Article 18)
• …data portability (Article 20)
• …object to the data being processed (Article 21)
• …not be subject to automated processing (Article 22)
At no charge, within 1 month (Article 12)
7. Data Controllers must…
• …be accountable, demonstrate compliance (Article 24)
• …adopt privacy by design (Article 25)
• …if not in the EU, appoint a representative (Article 27)
• …take care when using third parties (Processors) (Article 28)
• …keep records of processing (Article 30)
• …do security well (Article 32)
• …tell the regulator if they have a breach (72 hours) (Article 33)
• …tell Data Subjects about some breaches (Article 34)
• …do privacy impact assessments (Articles 35, 36)
• …appoint a Data Protection Officer where specified (Articles 37, 38, 39)
8. ARTICLE 32
SECURITY
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
9. CREATE RECORDS OF PROCESSING
• GDPR is a living process
• New Records
• Changes to records
• Deletion of records
• Process Requests
10. PENALTIES
WATCHMAN IT SECURITY
Security Training, GDPR Consultancy, Documentation, Support
• Monetary penalty notices: fines of up to £500,000 for serious breaches of the DPA.
• Increased penalties under the GDPR.
• When the EU General Data Protection Regulation (GDPR) is enforced from 25 May 2018, breached organisations will find the fines they face increasing dramatically.
• From a theoretical maximum of £500,000 from the ICO, penalties will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher.
• For many businesses, the threat of insolvency or even closure as a result of GDPR penalties will soon be very real.