Data Protection and Confidentiality Directory of Social Change 06 June 2019


Page 1: Data Protection and Confidentiality · 1995 EU Directive In the UK the GDPR replaced the Data Protection Act 1998 –after Brexit the Data Protection Act 2018 will replace the GDPR

Data Protection and Confidentiality
Directory of Social Change

06 June 2019

Page 2

2 COMMERCIAL IN CONFIDENCE

AGENDA

Introduction to Data Protection Law
- History of Data Protection and Cyber Crime

The Industry Regulator
- Key requirements for businesses
- The Information Commissioner's Office
- Data protection and Brexit

Data Sharing Across Borders
- Legal frameworks

Data Processing Relationships
- Review of your personal data processing

BREAK

Terminology Explained
- Principles and rights under GDPR
- Definitions

What this means in practice
- Mapping Processes
- Lawful bases for processing

LUNCH

Risk Assessment
- Legitimate Interests Assessments
- Data Protection Impact Assessments (DPIAs)
- Checklists

Cyber Security
- Data Breach Statistics
- The price of 'human error'

BREAK

Data Breach Reporting
- How to keep breach registers
- Data breach response plan

Data Subject Access Requests (DSARs)
- Data Subject Rights and DSAR procedures
- DSAR response plan

Steps to GDPR Compliance

Questions & Answers

SESSION CLOSE

Page 3

INTRODUCTION TO DATA PROTECTION LAW

Page 4

1995 EU Directive -> 2016 EU Regulation -> General Data Protection Regulation -> Data Protection Act 2018

New data protection legislation: On 25th May 2018 the General Data Protection Regulation (GDPR) (EU) 2016/679 replaced various data protection laws in place across the European Union. The new legislation applies to all 28 Member States in the EU, and was enforced on the same date. Limited local derogations apply.

In the UK the GDPR replaced the Data Protection Act 1998 – after Brexit the Data Protection Act 2018 will replace the GDPR (aka UK GDPR)

Page 5

1970s

Limited personal data sharing, mainly processed by various Government depts

1970: first data protection law passed in Hessen

1971: world’s first ever ‘email’ is sent

1975: first mass produced digital watches

1977: Voyagers 1 & 2 launch

Mainframe

1980s

1980: OECD Council releases guidelines on privacy protection for transborder flows of personal data

1983: German court issues first verdict ‘Right of Information Self-Determination’

Ability to record and share personal data increases with new tech in leisure and consumer markets

PC

1990s

1995: EU Parliament introduces Data Protection Directive for Member States

First macro virus (Concept) designed to attack MS Word

Many US big tech co’s launch in a dot com boom

Google relaunches twice in the same decade, as Y2K fever hits companies worldwide

Market evolves for personal & consumer users of new tech especially via online platforms

www

2000 - 2010

Blogging becomes popular

2000: The US Safe Harbour framework is introduced

2001: Sept 11th attacks

2001: Wonderland Club arrests, first reports of large scale internet crimes

2005-2009: series of high profile personal data breaches

2009: UK tightens national data protection laws in response to high profile data abuse cases

2011 - 2018

Global and regional hacking and data breaches reach new heights

2010: Apple suffers A-list email data breaches on new 3G iPad

2011: NotW closes due to phone hacking, Disney given $3m COPPA fine

2012: EC begins drafting the GDPR, 'smart' TVs and home appliances arrive

2013: Snowden leaks top secret docs on US Govm't mass global surveillance, Yahoo breach loses 1bn user profiles

2014: Amazon launches Alexa, and Morrison's breach sees an internal auditor attempt to sell staff salary data

2015: EU declares US Safe Harbour programme invalid, major breaches at Pentagon and Kaspersky, Russia is proven to have hacked Obama's emails

27th April 2016: EC approves final version of GDPR, with a 2 year period to enforcement date of 25th May 2018

2018: Carphone Warehouse fined £400k for 2015 attack, Cambridge Analytica's data breach wipes £120bn off Facebook's market value – both co's investigated and fined. Cyber crime now a major undertaking & state sponsored

Page 6

THE INDUSTRY REGULATOR

Page 7

KEY REQUIREMENTS

Register with the ICO

Understand how the law applies to your business operations

This includes internal data processing

Record of processing activities (ROPA)

Identify lawful bases for processing

Data controller or data processor?

Due diligence on data sharing relationships

Review data security

Transparent user-friendly privacy notices

Keep data breach registers and report serious breaches

Allow individuals to exercise rights

Obey e-marketing rules

Page 8

THE ICO

UK Data Protection Act 2018

28 Lead Data Protection Supervisory Authorities

Up to c.700 staff (>500 now, across Wilmslow, Belfast, Edinburgh and Cardiff)

Increased powers to investigate independently and impose sanctions and penalties

GDPR fines here to stay

Will continue to liaise with the European Data Protection Supervisory Authorities regarding breach investigations post-Brexit

Page 9

Latest news

Nuisance call reporting

Public information

How to contact companies

Report issues

Register of data controllers

Tools, checklists and guidelines

Page 10

CHANGES TO ICO REGISTRATION

It costs £40 per year for micro businesses (£35 if paid by direct debit):
- Defined by no more than 10 staff, OR
- By max annual turnover £632,000

It will cost £60 per year for SMEs:
- Defined by no more than 250 employees, OR
- By max annual turnover of £36m

For large organisations it will cost £2,900 per year

Page 11

NOT-FOR-PROFIT EXEMPTIONS

Organisation established for non-profit making purposes - any profits are for the organisation’s own purposes and do not enrich others

You only process information necessary to establish or maintain membership or support

You only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it

You only hold information about individuals whose data you need to process for the exempt purpose

The personal data you process is restricted to personal information that is necessary for the exempt purpose

Page 12

PECR HIGHLIGHTS

Electronic Marketing:

Any communication not specifically requested

Solicited marketing still requires full disclosure

Opting in to future marketing doesn’t mean ‘solicited’

Contracted 3rd parties equally responsible

Opting in requires clear, informed and active consent

Beware of indirect or 3rd party consent!

Check local country rules for international campaigns

Any advertising or promotional material

Includes aims, ideals, charitable or political activities

Phone, fax, email, text, SMS, or other electronic means

Stricter rules for targeting individuals than companies

Different rules for different methods - check TPS:

E.g. live vs automated calls, or electronic text vs email

Non-essential cookies or tracking technologies require fully informed consent, even for anonymous data:

Covert tracking and surveillance is against the law

Implied consent insufficient for sensitive personal data

Apps that gain access to user content or mobile device info also require informed user consent before installation

Mailshots via post fall under direct marketing rules for MPS

Service Communications:

Anything devoid of promotional, advertising or marketing approaches

Branding or logos for identification are fine

Genuine market research, including polls and surveys

Provided not accompanied by promotional material

Routine customer service or account information

Updates to software, services, elements of a contract or to overall Terms & Conditions

Alerts or advisory notices falling under legal or contractual requirement

Essential cookies for providing essential online content:

E.g. for login security, retaining shopping carts, etc., but full disclosure still required

Page 13

PERSONAL & SPECIAL CATEGORY DATA EXERCISE

Example 1:

A charity buys in a marketing list from a commercial data company, consisting of names, titles, companies, phone numbers and email addresses. They intend to send marketing emails to the entire list.

Would the people's details on the list be considered personal data?

Does the new legislation apply to B2B (business-to-business) information?

Should the charity check to ensure the data company verified consent for this list before they start marketing to the people on the list?

Yes / No

Personal Data / Special Category

Example 2:

A local church group has a historical list of church members, collated over the years for volunteers, keyholders, event organisers and fundraising activities. The list includes a mix of home and mobile phone numbers, addresses and email addresses. It is kept on the Secretary's home PC, and is printed out for display on the noticeboard of the local church hall.

Would the contents of this list be classed as personal data?

Should the secretary review the security of the spreadsheet on their PC?

Is the display of this list in the church hall a security risk for those people on it?

Yes / No

Page 14

DATA SHARING ACROSS BORDERS

Page 15

Binding Corporate Rules
- Intra-organisational rules
- Avoids need for EC approval
- Personal data to 3rd countries
- Protect rights and freedoms
- Legally enforceable, applies to all
- Alliances, franchises, partners

Standard Contract (Model) Clauses
- Cross-border data transfers between EU and 3rd countries
- Must clarify each party's controller / processor status
- File with relevant Supervisory Authority for approval
- Cannot be amended once approved

EU-U.S. Privacy Shield
- Protects fundamental rights
- EU data transferred to US
- Obligations on US recipients
- Safeguards against US Gov access
- Effective protection and redress
- Annual joint EU and US review
- Companies can choose to subscribe or not
- Subscribers self-certify to own definitions
- No US-side overview or scrutiny unless claims brought

Page 16

[Diagram: cross-border data flow map. Labels recovered from the figure:]

EU DATA BORDER: Head Office (28 EU Member States); Local server backup

EEA DATA BORDER: EEA, or Country / Territories that meet EU adequacy rules on safeguarding personal data: Norway, Iceland, Liechtenstein; Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Uruguay; Switzerland (EU-Swiss Privacy Shield); USA (EU-U.S. Privacy Shield)

Third Countries (151 others): HRiS (SaaS supplier overseas) and HRiS Backup; Payroll Services (SaaS supplier overseas) and Payroll Service Backup

Transfer mechanism label: Model Clauses or Binding Corporate Rules

Page 17

https://ico.org.uk/for-organisations/data-protection-and-brexit/

https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal

Page 18

DATA PROCESSING RELATIONSHIPS

Page 19

Data Subject: The individual to whom the personal data or information relates

Data Controller: The "person"* that decides (alone, jointly, or in common) the purpose(s) and manner in which data is to be processed

Data Processor: Any "person"* (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller

*A "person" recognised in law as: an individual, an organisation, or other corporate or unincorporated bodies

It is possible to have joint or common controllers and sub-processors.

The key lies in the decisions regarding purpose of collecting and processing the data.

Under GDPR the Data Controller and Data Processor share joint responsibility and liability for data processing compliance

Page 20

Do you have a Data Sharing Agreement in place for this processing?

Yes No

Have you conducted any GDPR due diligence on this Data Sharing arrangement?

Yes No

Give an example of Personal Data sharing in your own department / business:

Identify the following parties: Data Subject(s): _________________________________________________________

Data Controller(s): ________________________________________________________

Data Processor(s): ________________________________________________________

Do you know the Categories of personal Data being shared? (e.g. Personal / Sensitive)

To your knowledge, is any of this personal data shared outside the EEA? (consider everyday systems and suppliers you use for email or accounting, where data is backed up / stored etc..)

What level of risk do you think there may be to the Data Subjects’ rights and freedoms in this data sharing arrangement?

Perceived Risk Level: Low / Medium / High

External data sharing relationships:

Suppliers Affiliates Partners Government Agencies Funding Partners Other 3rd parties

Data Subject: The individual to whom the personal data, or information, relates

Data Controller: The "person" that decides (alone, jointly, or in common) the purpose(s) and manner in which data is to be processed

Data Processor: Any "person" (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller

Page 21

PRIVACY NOTICES – KEY POINTS

What personal data do we process?

Why do we process it?

What are our lawful bases for processing?

Who do we share personal data with?

Are there any risks to the data subjects?

Is there a more secure way to do it?

Page 22

TIME FOR A QUICK BREAK…

Page 23

TERMINOLOGY EXPLAINED

Page 24

GDPR Principles

1. Fair, lawful and transparent processing of personal data
2. Specified, explicit and informed legitimate purpose
3. Adequate, relevant and limited to necessary purpose
4. Take all reasonable steps to keep data accurate and updated
5. Data not kept in identifying format beyond necessary use
6. Take all organisational or technical measures to comply with the law
7. Accountability

GDPR Rights

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Extra rights re: automated processing and profiling that produce legal effects on data subjects

Extension of access right:
- Personal data gathered directly from data subject
- Automated processing
- Consent or contract
- Structured machine-readable format
- No adverse effect on others

Erasure:
- Erased / no longer processed
- Consent withdrawn, if applicable
- Objection to Leg. Int. processing
- Consent based ISS services to children
- Unlawful processing
- For legal compliance

Forgotten:
- Delete public data
- Inc. data made public by Controller
- Reasonable steps taken by Controller to inform other controllers & 3rd parties

Temporary or Permanent:
- Alternative to erasure
- Put data on hold, mark as limited, move to separate system or remove from website
- Store only
- Use only for legal requirements, protect others' rights or in public interest
- Whilst processing objection is assessed

Objection:
- Direct marketing
- Public or legitimate interest
- Research or statistical purposes

Page 25

PERSONAL DATA DEFINITION

Any information…
- Collected or meant to be collected

relating to…
- Relationship by content (e.g. name, job title, address)
- Purpose
- Impact on someone's privacy rights

an identified…
- Name or singling out
- Specific characteristics

or identifiable…
- Indirect
- Taking into account all means reasonably likely to be used

natural person
- Someone alive (birth through to death)

This includes business information, such as job titles, work contact details etc.

Page 26

TYPES OF PERSONAL DATA

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier:
- a name
- an identification number
- location data
- an online identifier
- a person's age

also, by reference to one or more of the following factors specific to the individual:
- physical
- physiological
- genetic
- mental
- economic
- cultural identity
- social identity

Page 27

SPECIAL CATEGORY DATA

Special category (also known as sensitive personal data) reveals the following about, or can be used to uniquely identify, a natural person, either directly or indirectly:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- a person's age (where a protected characteristic)
- data concerning health
- information relating to family life or circumstances
- data concerning a natural person's sex life or sexual orientation

Core business function = mandatory appointment of a DPO (Data Protection Officer)

Page 28

DATA PROCESSING DEFINITION

Processing, in relation to information or data, means obtaining, recording or simply holding it. It includes any operation(s) performed:
- organising the data into any formal or semi-formal filing or reference system
- adapting or altering the information, e.g. pseudonymisation or encryption
- retrieving, accessing, performing searches on, or looking up the data
- disclosing the data in any way to other parties, either internal or external: printing, copying, emailing, sharing snapshots and images of it etc.
- repurposing, aligning or combining the information with other information or existing data
- blocking, minimising, storing, archiving, deleting or destroying the information

Page 29

ARTICLE 30: RECORDS OF PROCESSING ACTIVITIES

Each Data Controller / Data Processor (including Joint Controllers and Sub-Processors) and their Representatives must maintain a written / electronic record of the data processing under their responsibility, to include:
- Name and contact details of Data Controllers, Joint Controllers and Representatives (Data Processors and Sub-Processors must outline the full chain of Data Controllers)
- Contact details for the Data Protection Officer (DPO) as applicable
- Purposes of the processing being carried out
- Types and categories of data subjects and their personal data
- Categories of recipients of the data, including international organisations and those in third countries
- Retention and deletion schedules for the data
- Where possible, a description of the technical and organisational security measures in place

Details to be submitted to a relevant Supervisory Authority on request

Organisations <250 persons are exempt from the ROPA requirements, unless:
- The processing carried out is likely to affect the rights and freedoms of the data subjects
- The processing cannot be described as occasional
- The processing includes special categories of data (per Article 9)
- The processing relates to criminal convictions and offences (per Article 10)

Page 30

WHAT THIS MEANS IN PRACTICE

Page 31

To meet your transparency of processing obligations (the 1st GDPR Principle) and articulate your processing effectively in a Privacy Notice, you'll need to first map what data you have in your business, where, why, who has access etc...

Boiling an egg, simple version: Egg in pan of water -> Bring to the boil -> Lid on, heat off -> Leave for 6 minutes -> Egg out of pan -> Eat and enjoy

Boiling an egg, detailed version (flowchart): Eggs for Breakfast -> Fill pan with water -> Go to fridge -> 2 Eggs? -> No: Go to the shop -> Buy eggs -> Back to kitchen; Yes: Put 2 eggs in pan -> Put pan on the cooker -> Turn on heat -> Wait for water to boil -> Turn off heat -> Put lid on pan -> Leave eggs for 6 mins -> Remove eggs from pan -> 2 pieces of bread in toaster -> Toast bread -> Butter toast -> Serve eggs and toast -> Eat and enjoy!

…don't assume you know this without first trying to map it all out. You may be surprised at how complex some of the simplest processes in your business really are!

Page 32

MAPPING YOUR DATA PROCESSING

Page 33

LAWFUL BASES FOR PROCESSING

Page 34

Internal External

Page 35

LAWFUL BASES FOR PROCESSING

Personal Data Processing – Article 6:
- Consent through clear, informed affirmative action (this relates to the individual's right to object)
- Performance of a contract, or to take steps to enter into a contract
- Compliance with a legal obligation
- Protect vital interests
- Performance of public interest task, or exercising official controller authority
- Legitimate interests of controller or 3rd party (can't override rights)

Special Category Data Processing – Article 9:
- Clear, informed and EXPLICIT affirmative action (unless reliance on consent is against the law)
- Employment, social security, social protection or collective agreement
- Protect vital interests (physically or legally incapable of giving consent)
- Non-profit body: political, trade union, religious, philosophical
- Data manifestly made public
- Establish, exercise or defend legal claims or court proceedings
- Substantial public interest
- For preventative or occupational medical reasons, or assessing fit to work
- Public health interest
- Public interest for archiving, historic, scientific or statistical research

Special category data processing must include one lawful basis from each list (Article 6) and (Article 9)
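The Article 30 slide (who must keep a record of processing activities, and what it must contain) and the lawful bases slide above (one Article 6 basis for personal data, plus one Article 9 condition for special category data) are both decision rules that a ROPA can be checked against. The following is an added example, not code from the Directory of Social Change deck: it models one ROPA entry and applies the <250 persons exemption with its four exceptions, the "one from each list" rule, and a check for empty mandatory items. The field names, basis keywords and the sample charity activities are this example's own constructed shorthand, not ICO or GDPR identifiers.

```python
"""Added example (not part of the deck): checks a candidate ROPA entry against
the deck's Article 30 exemption rule and its Article 6 / Article 9 lawful basis rule.
Keywords and sample data are constructed shorthand, not official identifiers."""
from dataclasses import dataclass, field
from typing import List, Optional

# Article 6 lawful bases for personal data (shorthand keywords are assumptions)
ARTICLE_6_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Article 9 conditions for special category data, as listed on the slide
ARTICLE_9_CONDITIONS = {
    "explicit_consent", "employment_social_security", "vital_interests_incapable",
    "non_profit_body", "manifestly_public", "legal_claims",
    "substantial_public_interest", "medical", "public_health", "archiving_research",
}

# Article 30 items the slide treats as mandatory (DPO and security measures are
# "as applicable" / "where possible", so they are not checked here)
MANDATORY_ITEMS = [
    "controller_name", "purposes", "data_subject_categories",
    "personal_data_categories", "recipient_categories", "retention_schedule",
]


@dataclass
class ProcessingActivity:
    name: str
    controller_name: str = ""
    purposes: List[str] = field(default_factory=list)
    data_subject_categories: List[str] = field(default_factory=list)
    personal_data_categories: List[str] = field(default_factory=list)
    recipient_categories: List[str] = field(default_factory=list)
    retention_schedule: str = ""
    special_category: bool = False        # Article 9 data involved?
    criminal_offence_data: bool = False   # Article 10 data involved?
    occasional: bool = False              # one-off processing?
    likely_to_affect_rights: bool = False
    article_6_basis: Optional[str] = None
    article_9_condition: Optional[str] = None


def ropa_required(activity: ProcessingActivity, headcount: int) -> bool:
    """Organisations under 250 persons are exempt unless one of the four exceptions applies."""
    if headcount >= 250:
        return True
    return bool(activity.likely_to_affect_rights or not activity.occasional
                or activity.special_category or activity.criminal_offence_data)


def lawful_basis_issues(activity: ProcessingActivity) -> List[str]:
    """Personal data needs an Article 6 basis; special category data needs an Article 9 condition too."""
    issues = []
    if activity.article_6_basis not in ARTICLE_6_BASES:
        issues.append(f"no valid Article 6 basis (got {activity.article_6_basis!r})")
    if activity.special_category and activity.article_9_condition not in ARTICLE_9_CONDITIONS:
        issues.append("special category data but no valid Article 9 condition")
    if not activity.special_category and activity.article_9_condition is not None:
        issues.append("Article 9 condition recorded for non-special-category data")
    return issues


def record_issues(activity: ProcessingActivity) -> List[str]:
    """Report mandatory Article 30 items that are still empty."""
    return [f"missing: {item}" for item in MANDATORY_ITEMS if not getattr(activity, item)]


def review(activity: ProcessingActivity, headcount: int) -> dict:
    """Combine the checks for an organisation of the given size."""
    required = ropa_required(activity, headcount)
    issues = lawful_basis_issues(activity)
    if required:
        issues += record_issues(activity)
    return {"activity": activity.name, "ropa_required": required, "issues": issues}


# Constructed sample activities for a hypothetical 45-person charity
DONOR_MAILING = ProcessingActivity(
    name="donor newsletter", controller_name="Example Charity (constructed)",
    purposes=["fundraising updates"], data_subject_categories=["donors"],
    personal_data_categories=["name", "email address"],
    recipient_categories=["email service provider (SaaS, overseas)"],
    retention_schedule="until opt-out, then 12 months",
    occasional=False, article_6_basis="legitimate_interests",
)
VOLUNTEER_HEALTH = ProcessingActivity(
    name="volunteer medical needs", controller_name="Example Charity (constructed)",
    purposes=["event safety"], data_subject_categories=["volunteers"],
    personal_data_categories=["name", "health conditions"],
    recipient_categories=["event first-aiders"], retention_schedule="deleted after each event",
    special_category=True, occasional=True,
    article_6_basis="legitimate_interests",   # Article 9 condition never recorded
)
ONE_OFF_POLL = ProcessingActivity(
    name="one-off staff venue poll", controller_name="Example Charity (constructed)",
    purposes=["choose next meeting venue"], occasional=True, article_6_basis="consent",
)

if __name__ == "__main__":
    for activity in (DONOR_MAILING, VOLUNTEER_HEALTH, ONE_OFF_POLL):
        print(review(activity, headcount=45))
```

Running the module shows the three outcomes the slides describe: the regular donor mailing is not occasional, so the 45-person charity must record it, and its entry is complete; the volunteer health data forces a record because it is special category, and fails the "one from each list" rule; the one-off poll is exempt at 45 persons but would need a (currently incomplete) record at 250 or more.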

Page 36

A WORD ON 'CONSENT'

The GDPR places a high bar on businesses considering consent as a basis for processing:

Genuine choice and control

Positive, affirmative and unambiguous action to indicate consent
- No pre-ticked boxes
- No assumed consent
- No blanket consent
- No open-ended consent

Clearly and specifically informed on all separate purposes

Split out different areas of processing consent

As easy to withdraw consent as it was to give it

Not a precondition of a service

No imbalance of power over the individual data subject

Consent must be separate to ordinary Terms & Conditions

Principles of transparency and accountability – keep records / audit trail

Don't ask for consent if you don't need it

If "consent" is difficult to justify, then look at another lawful or legitimate basis for the data processing

Consent is not a valid 'umbrella' basis for your HR-related data processing

Page 37

HOW LAWFUL BASES IMPACT RIGHTS

[Table: columns Lawful Basis | Right to erasure | Right to data portability | Right to object | Additional information. The entries in the three rights columns did not survive extraction; the lawful bases and their additional information are listed below.]

Legal Obligation

Contract: Legal effect of objecting to contractual processing means clause discussions or even contract void

Legitimate Interests: Reliance on legitimate interests means you'll need more detail in your privacy notice to comply with the right to be informed

Vital Interests

Public Task

Consent: No right to object, but has the right to withdraw consent

Individuals have the right to object to direct marketing no matter what lawful basis applies.

The right to be informed is a fundamental right, and ties in with the 1st Principle of transparency.

Other rights aren't absolute and need to be looked at carefully in context and against requirements.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Page 38

[Diagram: data sharing map annotated with lawful bases. Labels recovered from the figure:]

Personal Data: Contract; Legitimate Interests; Legal Obligation; Contract, Employ/Soc.Sec

Special Category: Employment / Social Security; Legal Obligation, Employ/Soc.Sec; Legitimate Interests; Vital Interests, Employ/Soc.Sec

Vital Interests

Page 39

DATA SHARING – CHARITY SECTOR

[Diagram: charity data-sharing map with arrows labelled DATA SHARING. Labels recovered from the figure:]

Public; Shops; Dept's; Executive

Board of Trustees; Directors; Regional Managers; Retail Managers; Retail Teams; Volunteers

Fundraising; Fundraising Teams; Volunteers

Individual Data Subjects: Beneficiaries; Benefactors; Customers; Donors (regular / one-off)

Suppliers; Service Providers; Partners; Affiliates; Third Parties

Page 40

ICO ACTION AGAINST VOLUNTARY & CHARITY ORGANISATIONS

In each example the breaches were a direct result of human errors:
- poor decision making by management
- poor organisational behaviour
- poor IT policies and practices

The ICO ruled that in each example the breaches were entirely avoidable and preventable.

Page 41

TIME FOR LUNCH…

Page 42

RISK ASSESSMENT

Page 43

LEGITIMATE INTERESTS ASSESSMENT: Identify Legitimate Interests / Necessity Test / Balancing Test

Identify Legitimate Interests:
  Why do you want to process the data?
  Who benefits from it?
  Any wider / public benefits? Important?
  Impact of not being able to proceed?
  Unethical or unlawful?

Necessity Test (is the processing NECESSARY?):
  Will processing help achieve aims?
  Is it reasonable?
  Any alternatives to achieve results?

Balancing Test:
  Relationship with data subject(s)?
  Sensitive or private data?
  Children or vulnerable people?
  Would people expect it?
  Are you happy to explain it?
  Some likely to object? Intrusive?
  Impact on data subject(s)? Big?
  Any safeguards you can adopt?
  Can you offer an opt-out?

Document your LIAs, to include all considerations.

Page 44

PRIVACY BY DESIGN

Data Protection Impact Assessments (DPIAs) are a key aspect of Privacy By Design. As a tool they help businesses to:
  Identify and fix problems / issues early on, saving money
  Demonstrate attempts to meet compliance obligations
  Help meet processing transparency (GDPR 1st Principle)
  Build trust with data subjects around data privacy
  Reduce risk of breaches, complaints and penalties

Source: www.termsfeed.com

Page 45

DATA PROTECTION IMPACT ASSESSMENTS

Not all processing actions require a DPIA. A DPIA is needed for:
  Those that are likely to result in a high risk to individuals’ rights and freedoms
  Potential gaps in procedures that could lead to breaches

A group of linked processing activities can be reviewed under one overall DPIA.

It is important that you determine the company’s risk criteria BEFORE you begin your DPIAs.

Typical triggers for a DPIA:
  New databases or IT / software systems used to store, access or consolidate personal data
  A data sharing or data pooling exercise, especially with other organisations
  Any new proposals to collect or process data about demographics or particular groups
  Installing or using new or upgraded surveillance or monitoring technology in your business
  Deciding to use existing data for new, unexpected or potentially intrusive purposes

Document your DPIAs, to include all considerations.

Page 46

ASSESSING RISK

This handy image explains what we mean by PROBABILITY and IMPACT.

You will need to be able to easily assess the likelihood, or probability, of risk to the data subjects and also the level, or impact, of risk posed.

Page 47

RISK PROBABILITY / IMPACT MATRIX

Probability and Impact Matrix (each cell is probability score x severity score):

  Probability   3 |   0    3    6    9
  of breach     2 |   0    2    4    6
  (Low 0 ..     1 |   0    1    2    3
   3 High)      0 +--------------------
                      0    1    2    3
                    Low  Severity of impact  High

Probability and Impact Table:

  Risk Level | From | To | Risk Assessment   | Description of Risk Level
  High       |  6   | 9  | High risk         | Risk exceeds the business’ risk appetite
  Medium     |  3   | 5  | Unacceptable risk | Could exceed risk appetite in some instances
  Low        |  1   | 2  | Acceptable risk   | The risk is within acceptable boundaries
  None       |  0   | 0  | No risk           | No apparent risk

DPIA risk assessments must be approached from the perspective of the data subject, not from the perspective of the business.

Page 48

A hospice organisation wants to create a new marketing database, combining two separate lists: Gift Aid donors, and current newsletter recipients. The company privacy notice doesn’t detail how marketing lists are compiled. Complete the LIA checklist to practise considering the impact from a data subject’s perspective, and then decide if you feel a Data Protection Impact Assessment (DPIA) may also be needed.

First Section: LIA Checklist

Questions to Consider (Y / N):
  1. Does the activity involve collecting new information about people that you don’t already have?
  2. Might it compel people to give information to you about themselves?
  3. Will this info be shared with organisations or people who have not previously had routine access to the information?
  4. Will the personal information be used for new purposes, or in a way it is not currently being used?
  5. Does the activity involve using new technology which might be perceived as being privacy intrusive?
  6. Will the activity result in making decisions or taking action against individuals in ways which can have a significant impact on them?
  7. Is the personal information of a kind particularly likely to raise concerns or expectations about people’s privacy?
  8. Will the activity involve contact with people in ways which they may find intrusive?

Identify Legitimate Interests:
  Why do you want to process this data?
  Who benefits?
  Are there wider or public benefits? If so, how important are they?
  What’s the impact of not being able to proceed?
  Is there anything unfair, unlawful or unethical about what you want to do?

Necessity Test:
  Will this processing help you achieve your aims?
  Is it reasonable?
  Are there any alternative ways to achieve results without doing it?

Legitimate Interests Balancing Test:
  What’s your relationship with the data subject(s)?
  Is the data sensitive or particularly private?
  Does the data belong to children or vulnerable people?
  Would people reasonably expect this processing of their data?
  Are you happy to explain it (transparency principle)?
  Are any data subjects likely to object or find it intrusive?
  Is the processing likely to have an impact on them? If so, how big?
  Are there any safeguards that you can, or must, put in place?
  Are you able to offer the ability to opt into this processing (and therefore opt out)?

Second Section: DPIA Checklist

Page 49

CYBERSECURITY, MARKETING & LIABILITIES

Page 50

Cyber security statistics infographic (each figure paired with the statement it follows on the slide):
  6 out of 10 people are fed up with passwords using a mix of numbers, symbols and capital letters
  39% of firms had formal policies covering cyber security risks in 2017
  14% had formal cyber security incident management processes in 2017
  25% gave their staff cyber security training in 2017
  (percentage missing) of businesses have been affected by fraudulent emails
  (percentage missing) of cyber security policies are related to remote or mobile working
  (percentage missing) of organisations who suffered a breach have taken no action to prevent another attack
  120: the average number of days for a business to discover a data breach
  60% don’t know the source of the most disruptive cyber security breach or attack in the last 12 months
  (percentage missing) of businesses experienced cyber security breaches in 2017
  99% of computers and mobile devices are vulnerable to exploit kits
  £30bn approx.: the cost to UK businesses who experienced cyber security breaches in 2016

Page 51

“HUMAN ERROR”

The statistics on human error contributing to data breaches are quite concerning…

Sources:
  https://ico.org.uk/action-weve-taken/data-security-incident-trends/
  https://iapp.org/news/a/data-indicates-human-error-prevailing-cause-of-breaches-incidents/

Page 52

THE PRICE OF ‘HUMAN ERROR’?

Page 53

TIME FOR A QUICK BREAK…

Page 54

DATA BREACH REPORTING

Page 55

DATA BREACH REPORTING

  Records must be kept for all breaches, including minor and unreported ones
  Report breaches to the ICO within 72 hours after discovery, unless the risk is low impact / unlikely to impact rights; document your rationale for not reporting
  Advise data subjects without delay exactly what has happened

The notification should cover:
  What categories / types of data were involved, and how many people / records were affected
  Likely consequences / impact of the breach for the data subjects
  Measures taken / proposed to address or mitigate the breach impact
  Contact details for your DPO, or other contact point in the business

Page 56

WHY REPORT BREACHES?

Compare data protection breach recording and reporting with Health & Safety incident recording and reporting (RIDDOR 2013).

Why do we keep these records?

Penalties for non-compliance (RIDDOR 2013):
  Criminal offence
  £20,000 fine (Magistrates Court)
  Unlimited fine (Crown Court)
  Up to 2 years’ prison sentence

Page 57

BREACH REGISTER EXAMPLE

Register columns: Details of the Breach | Assess Impact on Data Subjects | Remedy and Lessons Learned

Keep details of breaches and any decisions made to report them to the ICO (or not), plus what you’ll do to prevent repeat occurrences.

Regular reviews will help spot areas in need of training or intervention.

Penalties for non-compliance: up to 4% of global turnover or €20 million (whichever is the higher figure).

Page 58

What should happen in each of the following types of breaches? Who should be involved in the investigation?
  Sending emails containing personal data to wrong / unauthorised recipient(s) (e.g. ‘Reply All’, ‘CC’, ‘BCC’)
  A data breach occurring from a virus or hack in the company computer or email system
  The loss of a company mobile device or hard copy files / folders containing personal data
  A worker taking personal data from the company home (via personal email or mobile device)

Do you understand what might constitute a ‘personal data breach’? Give some details:

Do you think your team members know how to recognise a personal data breach? Yes / No

Do you have a response plan and an allocated person to deal with breaches? Yes / No

Page 59

DATA SUBJECT ACCESS REQUESTS

Page 60

SUBJECT ACCESS REQUEST PROCEDURE

  Acknowledge the request promptly and verify identity
  Outline their rights and how they can exercise them
  What categories of personal data you process
  The source of this data, especially if not from them
  Explain why you process their data
  Outline your lawful bases for processing
  Who you share their personal data with and why
  Safeguards in place for overseas transfers
  Details of any automated decision making
  How long you keep it, and your criteria for this

Page 61

  DPA 1998                          | GDPR / DPA 2018
  Up to 40 days to respond          | One calendar month to respond
  Able to charge a small fee        | Standard SARs are free
  Could provide in various formats  | Provided in common electronic format
  Requests made in writing          | Requests in various formats

Page 62

Do you think that you or your staff know how to recognise and respond to a written or verbal DSAR? Yes / No

What process or procedure would you follow in order to respond to a DSAR within the 30 day period?

If faced with multiple DSARs, do you have the procedures, template forms, resources and staff to cope? Yes / No

Are you sure you’ll be able to ‘find’ all the relevant data? Did your mapping consider all locations for unstructured data (paper files, archives, digital storage, where details have been shared, email inboxes and folders)? Yes / No

Whom else would you need to liaise with (internally / externally) to source it?

Page 63

STEPS TO COMPLIANCE

Page 64

Snake Oil

“This Document Certifies that you are now GDPR Compliant”

Page 65

The right advice

The right plan

The right team

Page 66

1. Map your business process flows
2. List and categorise personal data in the flow mapping
3. Data controller or data processor?
4. Decide on your basis for processing
5. Review your 3rd party processors
6. Conduct data protection impact assessments
7. Define subject access request procedures
8. Review security and training gaps
9. Implement staff awareness training
10. Publish updated privacy policies and notices

Compliance is not a one-off activity; it requires ongoing maintenance and review.

  What data do you have?
  What data do you need?
  What data must you keep and what can you delete?
  How long must you keep it?
  Who has access to the data?
  Do you test your security?
  Who do you share it with?
  How secure is the data?
  How will you handle a complaint or breach?
  Where is your data stored?
  Do your staff know the law?
  Are your processes transparent?
  What’s your ongoing maintenance plan?
  Do you need to appoint a DPO?

Page 67

Q&A

Page 68

01727 375 078
www.spherehr.co.uk
www.spheredataprotection.com

Document Toolkits · Bespoke Training · Consultancy · Seminars