GDPR – Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester
What we will look at today
• Technical and Organisational Security
• Handling data breaches
• Case law
Data security?
Elizabeth Denham (Information Commissioner): "cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under the law, but because they have a duty to their customers."
Why does data protection matter?
• Legal obligations
• Reputation and goodwill
• Fines and enforcement
• Other data protection liabilities
• Compensation
• Criminal penalties
• Vicarious liability
Reported Personal Data Breaches in 2018 (chart not reproduced)
Types of Cyber Security Breach (chart not reproduced)
Data Security
What do we mean by the term data security?
• GDPR obligation: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
• Security should be appropriate to the likelihood and severity of the risks
• Failure to keep data secure leads to personal data breaches
The requirement to use technical and organisational measures
• GDPR requires controllers to ensure a level of security appropriate to the risk
  • Risk analysis
  • Proportionality test
What is risk?
• Confidentiality / Integrity / Availability
  • Confidentiality: data is processed only by those authorised to do so (and who act within that authority)
  • Integrity: data is accurate and complete
  • Availability: data is accessible and usable
Security Aims (ICO and NCSC)
• Analyse risk by looking at your security aims:
  • Managing security risk
  • Protecting personal data (against cyber attack)
  • Detecting security events
  • Minimising the impact
Identify Key Risks
• GDPR encourages a risk-based approach to compliance
• Need to identify high risks
• Classify information from a risk perspective
• Identify and locate sensitive data and mark it
• Develop and maintain a risk register
  • Describe/rate risks
  • Risk management
Identify Key Risks (risk matrix: Impact of risk, 0 to 5, plotted against Likelihood of risk, 0 to 5)
Rate the risks – HR Team
• You are aware that individuals are conducting work business on private email accounts
• You have premises with swipe-card access but are aware that cabinets containing HR records are not locked
• HR have received only standard GDPR training
• HR data is stored in a bespoke software system which the IT department maintains itself
• HR holiday and sickness forms are still manual (i.e. paper based)
Identify Key Risks
• What are the biggest risks in your organisation?
What are appropriate measures?
• What does "appropriate" mean?
• What measures are appropriate?
• What factors should be taken into account?
• Record the measures you take
Appropriate measures
• Appropriate to achieve the intended purpose
• Appropriateness is linked to effectiveness, i.e. a measure is appropriate if it implements data security effectively
• Ensure any safeguards operate throughout the project lifecycle
Appropriate measures: factors to take into account
• State of the art
• Cost
• Nature, scope, context and purposes of processing
• Likelihood and severity of risks
What do we mean by "organisational security"?
• Governance
• Contracts and data sharing
• Training and awareness
What is "Governance"?
• Management structures
• Policies, procedures and documentation
• Compliance and assurance
• Identify and manage risks
• Use of data protection impact assessments
• Data protection by design and default
Management Structures
• Appointment of a senior officer/director at executive level, with responsibility for reporting data protection issues to the executive
• DPO/senior data protection manager
• Supporting roles (IAO/DP Champions etc.)
• Information security/information governance group
• Accountability: ensure evidence exists of roles and responsibilities
Policies, Procedures and Documentation
• Art 24 GDPR: obligation to implement appropriate measures to ensure and demonstrate compliance (accountability)
• Includes implementation of appropriate data protection policies
• Ensure clear endorsement of policies by the board/executive
• Policies should indicate how risks are assessed and escalated
Policies and Procedures
• What policies do you have? Do you have:
  • A complaint policy?
  • A data security policy?
  • A security breach policy/protocol?
  • A training and awareness policy?
  • An IT use policy/BYOD policy?
  • A physical security policy?
  • A remote working policy?
  • A data retention policy?
Documentation (1)
• You need to keep a full set of documentation to demonstrate your commitment to accountability:
  • Processing record (Article 30)
  • Data breach log (Article 33(5))
  • Fair processing record (Article 5(1)(a) and 5(1)(b))
  • Data protection impact assessments (Article 35)
  • Contracts (Article 28)
  • Record of data sharing agreements
  • Record of consent (Article 7(1))
  • Risk register
Documentation (2)
• Information required for processing special category or criminal conviction and offence data
• Policies and procedures:
  • General obligation to have a data protection policy (Article 24(2))
  • Data minimisation policy (Article 5(1)(c))
  • Data accuracy policy (Article 5(1)(d))
  • Data retention policy (Article 5(1)(e))
  • Data security policy (Article 5(1)(f))
• Ability to demonstrate compliance
Compliance and Assurance
• Data protection audit: mapping, document analysis and risk identification
• Part of compliance with Art 24, but also:
  • Deal with changes to processing presented by GDPR
  • Ensure the accountability principle is satisfied
  • Reduce the risk of data protection breaches occurring
  • Minimise the consequences of data breaches
  • Reduce the risk of being fined if a breach occurs, and restrict the amount of any fine levied
• Rate your risks
Organisational security – data protection by design and default
• Part of the accountability principle
• General obligation to show you have considered and integrated data protection considerations into processing activities from the start
• Benefits:
  • Identify and address privacy problems at an early stage (saves cost)
  • Raises awareness of privacy and data protection
  • More likely to meet and exceed legal obligations / less likely to breach GDPR
  • Actions less likely to be privacy intrusive
Organisational security – data protection by design
• Take into account:
  • Cost
  • Nature, scope, context and purposes of processing
  • Likelihood and severity of risks arising from processing
• Implement appropriate technical and organisational measures to implement the data protection principles
• Integrate safeguards into processing throughout the project lifecycle
• Privacy embedded: privacy integral to the design without diminished functionality
Organisational security – data protection by default
• Implement appropriate technical and organisational measures by default
• Only personal data necessary for a specific purpose is processed
• Data protection by default is to be considered for:
  • When personal data is collected
  • The extent of processing
  • The period of storage
  • Accessibility
Organisational security – data protection impact assessments
• An assessment of processing operations to identify privacy impacts and implications:
  • Review processing operations
  • Analyse the purpose of processing
  • Assess risk
  • Find ways to minimise risk
• Mandatory for high-risk projects that started after 25 May 2018
• Consult with the ICO/supervisory authority where the DPIA identifies a risk that cannot be managed and remains high