4/29/2020
DeltaNet International Ltd
Workforce Privacy Training and Effective Controls to Prevent Inadvertent Data Breaches
Agenda
• Our panel
• Why should companies worry about Data Protection?
• What are ‘effective controls’?
• The role of training
• What makes ‘effective training’?
Our panel
• James Castro-Edwards, Partner, Wedlake Bell
• Kate Surala, Partner, The Analyst
• Stacey Taylor, Learning Design Director, DeltaNet International
Why should companies care about data protection?
Legal background
• The use of 'personal data' is regulated in the UK by the General Data Protection Regulation (GDPR), which took effect in May 2018
• In the UK, the GDPR is supplemented by the Data Protection Act 2018
• Direct marketing sent electronically is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR)
• The GDPR, DPA 18 and PECR are enforced by the Information Commissioner's Office (ICO)
• The ICO is an active regulator with around 800 staff
• The GDPR will continue to apply until the end of 2020, when it looks likely to be replaced by a 'UK GDPR'
Why should companies care about data protection?
Requirements
• The GDPR imposes obligations upon organisations that handle personal data
• Essentially, organisations must use information in a way that is fair, lawful and transparent; they must also keep it secure
• The GDPR also confers a number of rights upon individuals, such as the right of access and the right to be forgotten
• Individuals are increasingly aware of their rights, following the publicity that surrounded the GDPR when it took effect
• PECR regulates direct marketing by email, telephone and SMS, essentially requiring consent
• The ICO regularly investigates and fines organisations that fail to comply with the GDPR and PECR
• Individuals may bring a claim for compensation for damage or distress caused by misuse of their personal data
Where things go wrong?
• The ICO is an active and well-resourced regulator; it can and will investigate data breaches and data subjects' complaints, often requiring a detailed response (and will not be 'fobbed off').
• Individuals are increasingly aware of their data protection rights, such as the right of access and the right of erasure (right to be forgotten), and will complain to the ICO if they are not satisfied.
• A right to compensation for damage or distress arising from the misuse of personal data has emerged under common law.
Where things go wrong?
In practice this can lead to a 'double whammy', e.g.:
• British Airways suffered a personal data breach, for which the ICO announced its intention to issue a fine of £183,000,000
• In addition, 'entrepreneurial' lawyers launched a class action on behalf of affected BA customers: seeking to recover £5,000 per person, with allegedly 500,000 people affected, a £2.5BN claim.
What are ‘effective controls’?
Where does data start and finish in your organisation?
Where might data be lost / vulnerable in your organisation?
What have you done to prevent a data breach?
Our controls at The Analyst
• Identify the data subject and data controller in all contracts
• Review who has access to different types of data at least on an annual basis
• Use encryption, watermarks, and pseudonymisation where possible
• Make GDPR a critical matter at board level
• Plan for when things go wrong - have your incident response plan ready
• Schedule in mock trials
• Update your data risk assessments frequently
• Clear desks and screens - remote access rather than bring your own device
• Training is key
Effective training is…
• Relatable
• Immersive
• Gamification
• Engaging
• Relevant
• Case study
• Timely
Effective training is…
• Focused on WHY not HOW
• Business as usual
• Part of the culture
Our training journey at The Analyst
• Onboarding, face-to-face & online training
• Schedule regular follow-up training - technology doesn’t stand still
• Include specific examples in your training related to different groups of your organisation
• Have a one-to-one drop-in session after the presentation
Image source: https://www.sessionlab.com/
Our training journey at The Analyst
The most challenging situation for The Analyst?
• COVID-19 work from home transition
• Update your systems and controls document
• Speak to your departments and better understand their requirements
• Summarise the CANs and CAN’Ts and follow up in writing with the team
When you get it right…
Staff can't all be data protection experts, but should be able to:
• Spot potential issues (e.g. breaches / requests / complaints / risky activities);
• Escalate to the appropriate channels.
As a result:
• Problems can be spotted and dealt with early;
• Training is a mitigating factor in the event of a breach.
Thank you for listening. Any questions?