This document provides an overview of the EU General Data Protection Regulation (GDPR) which takes effect on May 25, 2018. It discusses the issues with how organizations currently manage data and how GDPR aims to better protect consumer data. Key points include expanded definitions of personal data, increased rights for data subjects, higher fines for non-compliance, and new requirements for consent, transparency, accountability, and breach notification. It outlines four steps businesses need to take, including reviewing policies, establishing a legal basis for processing, demonstrating compliance, and considering appointing a data protection officer.

1. Why GDPR?
 The issues with how organisations manage data at
present
 What is GDPR and how will help protect
consumers?
 What do businesses need to know?
 4 steps to be GDPR compliant
Preparing for 25th May 2018

2. THE WORLD HAS CHANGED
Over 3 million
data records are lost or stolen
every day
Existing EU Directives are not enough to protect European Citizens

3. Data
Risks
Cloud-apps
Prospect
Data
Customer
Data
Marketing
Automation
Internal /
Employee
Records
Increased
Visibility /
Accessibility
Mobile
Workforce
Hackers
IoT
Suppliers
NEW RISKS
In 63% of all data breaches, third parties were implicated
 DropBox, SharePoint or Google Docs? -
 98% of cloud apps aren’t GDPR-ready
 IoT only complicates GDPR further
Source: http://www.jdsupra.com/legalnews/third-party-data-breaches-weakest-link-98330/

4. OVERVIEW OF EU GENERAL DATA PROTECTION
REGULATION
 General Data Protection Regulation – enforced by EU
 Expands on some parts of DPA/existing Directive;
creates other new requirements
 Determines how personal data should be processed
and used
 Comes into effect on 25 May 2018, regardless of
Brexit
What is GDPR?

5. SO WHAT?
 Impacts every data controller and processor dealing
with data on subjects in Europe
 79 times higher than previous fines
Potential fines of up to 4% of your organisation’s annual turnover or €20,000,000 – Whichever
is higher
Who? Means:
Data subject Any EU citizen who has entrusted a controller with
their personal data.
Customers, service users, employees
Data
controller
Who the data subject entrusts with their data.
Responsible for deciding how the data is handled.
Data
processor
Any entity that handles personal data on the data
controller's behalf.

6. What do businesses need to know?

7. What’s new?
 Expanded definition of “personal data”
 Transparency and consent
 Enhanced rights for data subjects
 Accountability
 Data protection by design
 Notifying subjects of data breaches
New rights you need to know
Rights
to
Be informed
Access
Rectification
Erasure
Restrict
Processsing
Data
Portability
Object

8. Personal data
Any form of automated data processing to analyse or predict:
 Performance at work
 Economic situation
 Health
 Personal preferences
 Reliability
 Behaviour
 Location
 Movements
Are you keeping, or planning to keep:
Personal or sensitive data such as
cookies, IP addresses, biometric data,
genetic data?

9. 4 Requirements for Your Data Protection Policy
1) Legal basis for processing
2) Legitimate interests (if any)
3) Right to lodge complaint
4) How long data will be retained
Clear, concise and accessible

10. Consent
 Freely given, specific, informed and unambiguous
 Clear affirmative action
 Provided separately from other written agreements
 Verifiable
 As easily withdrawn as given
Hint!
Large and complex structured
organisations benefit from an
EQMS to manage policies and
procedures, approval workflows
and monitor compliance
activity.
Make employees accountable:
http://quality.eqms.co.uk/eqms
-datasheets-download
Get your policies and processes in order

11. Poor Passwords
Weak remote access
Unpatched flaws
Misconfigurations
Malicious Insider
http://www.computerworlduk.com/security/most-data-breaches-still-discovered-by-third-parties-3615783/
The average time between breach
and discovery is
188 DAYS
DATA BREACHES ARE USUALLY PREVENTABLE
Protect your reputation with proactive policies, employee training & robust systems

12. Notification of data breaches
Destroyed, lost, altered, disclosed to or accessed by
unauthorised people
Reported to:
 Supervisory authority
 Discrimination, reputational damage, financial loss,
confidentiality
 Individual(s) affected
 Same, but high risk
Report within 72 hours of breach
Accountability is key
Hint!
EQMS Workflow Manager
assigns responsibility and
manages incidents such as a
data breach through to
completion. Everyone knows
what they are doing, when.
Make employees accountable:
http://quality.eqms.co.uk/eqms
-software-demonstration

13. Accountability – Data protection by design
Must demonstrate compliance with GDPR - How?
 Policies and procedures (audits, HR policies)
 Staff training
 Pseudonymisation
 Data protection impact assessments
 Appointing data protection officer
Robust systems to protect employees and customers
Hint!
EQMS provides a robust
framework for managing
business processes. Manage
policies, assign responsibility
and use the audit trail function
to demonstrate compliance
activity.
Read more:
http://quality.eqms.co.uk/eqms
-software-demonstration

14. Enhanced rights for data subjects
Right to:
 Confirmation that data is being processed
 Receive data
 Rectify any inaccurate or incomplete data
 ‘Be forgotten’
 Restrict processing of data
 Obtain and re-use data for own purposes
Accountability is key

15. Example Timeline for GDPR Compliance Training
 Workshop with high interest / high power stakeholders:
 What data do we have?
 What data are we planning to have?
 How can we minimise risk? E.g. pseudonymisation.
 Make department managers accountable for the data they capture:
 Has each department manager completed a data protection impact assessment? (Use EQMS Audit
Manager & assign audit to be completed by each department manager.)
 Are the policies sufficient?
 Are controls in place to demonstrate opt-in?
 Do we need to get permission to continue using this data?
 Do we need a Data Protection Officer?
 Roll out training Train employees on the new GDPR requirements - EQMS Training Record Manager
 Employees aware & engaged with their GDPR requirements. (Use EQMS Training Manager training
matrix to easily manage which employees have outstanding training requriements)
Steps to getting GDPR-ready

16. ISO 27001 PROVIDES A FRAMEWORK FOR
GDPR COMPLIANCE

17. What might your business need to do?

18. Steps to compliance
 Review data protection policies
 Establish legal basis for processing
 Identify how to demonstrate compliance
 Consider whether to appoint DPO

19. 1) Review policies
 Individuals told about right to object, at first communication
 Understanding of what constitutes “data breach” – more than loss of data
 Procedures for detecting, investigating and reporting breaches
 Insurance coverage in case of breach

20. 2) Establish legal basis for processing
Be clear on grounds for lawful processing
If consent:
 Obtained correctly, as mentioned earlier
 Subjects informed of right to withdraw at any time, and given
simple methods to do so

21. 3) Demonstrate compliance
New policies – data protection by design
Regular audits
Staff training
Pseudonymisation
Review and update existing information notices

22. 4) Consider a data protection officer
Informs and advises on obligations
Monitors compliance – manages internal activities and audits, trains staff
First point of contact for supervisory authorities and data subjects
Compulsory that DPO:
 Reports to board/directors
 Independent, and not penalised for performing job
 Has resources to meet obligations
Can be existing employee as long as compatible and no conflict of interest
No qualifications, but should have professional experience and knowledge of law

23. 25 May 2018

24. DOWNLOAD GDPR TOOLKIT
Q U A L I T Y . E Q M S . C O . U K / G D P R - G E N E R A L - D A T A - P R O T E C T I O N - R E G U L A T I O N - E U - T O O L K I T