
GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds - PowerPoint PPT Presentation



  1. GDPR – Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester

  2. What we will look at today
     • Technical and Organisational Security
     • Handling data breaches
     • Case law

  3. Data security?
     Elizabeth Denham (Information Commissioner): "Cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under the law, but because they have a duty to their customers."

  4. Why does data protection matter?
     • Legal obligations
     • Reputation and goodwill
     • Fines and enforcement
     • Other data protection liabilities
     • Compensation
     • Criminal penalties
     • Vicarious liability

  5. Reported Personal Data Breaches in 2018

  6. (slide contains no text)

  7. Types of Cyber Security Breach

  8. Data Security

  9. What do we mean by the term data security?
     • GDPR obligation
     • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
     • Security should be appropriate to the likelihood and severity of risks
     • Failure to keep data secure leads to personal data breaches

  10. The requirement to use technical and organisational measures
     • GDPR requires:
       • Controllers to ensure a level of security appropriate to risk
       • Risk analysis
       • Proportionality test

  11. What is risk?
     • Confidentiality / Integrity / Availability
       • Confidentiality: processed by those authorised to do so (and who act within that authority)
       • Integrity: accurate and complete
       • Availability: accessible and usable

  12. Security Aims (ICO and NCSC)
     • Analyse risk by looking at your security aims:
       • Managing security risk
       • Protecting personal data (against cyber attack)
       • Detecting security events
       • Minimising the impact

  13. Identify Key Risks
     • GDPR encourages a risk-based approach to compliance
     • Need to identify high risks
     • Classify information from a risk perspective
     • Identify and locate sensitive data and mark it
     • Develop and maintain a risk register
     • Describe/rate risks
     • Risk management

  14. Identify Key Risks
     [Risk matrix chart: vertical axis "Impact of risk" (0 to 5), horizontal axis "Likelihood of risk" (0 to 5)]

  15. Rate the risks – HR Team
     • You are aware individuals are conducting work business on private email accounts
     • You have premises with swipe card access but are aware cabinets containing HR records are not locked
     • HR have received only standard GDPR training
     • HR data is stored in a bespoke software system which the IT department maintains itself
     • HR holiday and sickness forms are still manual (i.e. paper based)

  16. Identify Key Risks
     • What are the biggest risks in your organisation?

  17. What are appropriate measures?
     • What does "appropriate" mean?
     • What measures are appropriate?
     • What factors should be taken into account?
     • Record the measures you take

  18. Appropriate measures
     • Appropriate to achieve the intended purpose
     • Appropriateness is linked to effectiveness, i.e. a measure is appropriate if it implements data security effectively
     • Ensure any safeguards operate throughout the project lifecycle

  19. Appropriate measures: Factors to take into account
     • State of the art
     • Cost
     • Nature, scope, context and purposes of processing
     • Likelihood and severity of risks

  20. What do we mean by "organisational security"?

  21. What do we mean by "organisational security"?
     • Governance
     • Contracts and data sharing
     • Training and awareness

  22. What is "Governance"?
     • Management structures
     • Policies, procedures and documentation
     • Compliance and assurance
     • Identify and manage risks
     • Use of data protection impact assessments
     • Data protection by design and default

  23. Management Structures
     • Appointment of senior officer/director
       • Executive level
       • Responsibility for reporting data protection issues to the executive
     • DPO/senior data protection manager
     • Supporting roles
       • IAO/DP Champions etc.
       • Information security/information governance group
     • Accountability
       • Ensure evidence exists of roles and responsibilities

  24. Policies, Procedures and Documentation
     • Art 24 GDPR
     • Obligation to implement appropriate measures to ensure and demonstrate compliance (accountability)
     • Includes implementation of appropriate data protection policies
     • Ensure clear endorsement of policies by the board/executive
     • Policies should indicate how risks are assessed and escalated

  25. Policies and Procedures
     • What policies do you have?

  26. Policies and Procedures
     • What policies do you have?
     • Do you have:
       • A complaint policy?
       • A data security policy?
       • A security breach policy/protocol?
       • A training and awareness policy?
       • An IT use policy/BYOD policy?
       • A physical security policy?
       • A remote working policy?
       • A data retention policy?

  27. Documentation (1)
     • You need to keep a full set of documentation to demonstrate your commitment to accountability
     • Processing record (Article 30)
     • Data breach log (Article 33(5))
     • Fair processing record (Article 5(1)(a) and 5(1)(b))
     • Data protection impact assessments (Article 35)
     • Contracts (Article 28)
     • Record of data sharing agreements
     • Record of consent (Article 7(1))
     • Risk register

  28. Documentation (2)
     • Information required for processing special category or criminal conviction and offence data
     • Policies and procedures
       • General obligation to have a data protection policy (Article 24(2))
       • Data minimisation policy (Article 5(1)(c))
       • Data accuracy policy (Article 5(1)(d))
       • Data retention policy (Article 5(1)(e))
       • Data security policy (Article 5(1)(f))
     • Ability to demonstrate compliance

  29. Compliance and Assurance
     • Data protection audit: mapping, document analysis and risk identification
     • Part of compliance with Art 24, but also:
       • Deal with changes to processing presented by GDPR
       • Ensure the accountability principle is satisfied
       • Reduce the risk of data protection breaches occurring
       • Minimise the consequences of data breaches
       • Reduce the risk of being fined if a breach occurs, and restrict the amount of the fine if one is levied
     • Rate your risks

  30. Organisational security – data protection by design and default
     • Part of the accountability principle
     • General obligation to show you have considered and integrated data protection considerations into processing activities from the start
     • Benefits
       • Identify and address privacy problems at an early stage (save cost)
       • Raise awareness of privacy and data protection
       • More likely to meet and exceed legal obligations / less likely to breach GDPR
       • Actions less likely to be privacy intrusive

  31. Organisational security – Data protection by design
     • Take into account
       • Cost
       • Nature, scope, context and purposes of processing
       • Likelihood and severity of risks arising from processing
     • Implement appropriate technical and organisational measures to implement the data protection principles
     • Integrate safeguards into processing / throughout the project lifecycle
     • Privacy embedded
     • Privacy integral to design without diminished functionality

  32. Organisational security – Data protection by default
     • Implement appropriate technical and organisational measures by default
     • Only process personal data when necessary for a specific purpose
     • Data protection by default is to be considered for:
       • When personal data is collected
       • The extent of processing
       • The period of storage
       • Accessibility

  33. Organisational security – Data protection impact assessments
     • An assessment of processing operations to identify privacy impacts and implications
       • Review processing operations
       • Analyse the purpose of processing
       • Assess risk
       • Find ways to minimise risk
     • Mandatory for high-risk projects that started after 25 May 2018
     • Consult with the ICO/supervisory authority where the DPIA identifies a risk that cannot be managed and remains high
