Jack Simons Ltd Digital Archive, Heritage Preservation and Personal Data Protection Advisors
Who are we? • Founded as File Flatners Ltd 2004 • John Munton bought the other partners out Oct 2010 • Mark Povey joined Sept 2013 and began increasing the service offering • John bought Simons House 2014 • File Flatners moved to Simons House Sept 2015 • Re-brand to Jack Simons completed July 2016 • 10th July 2017 JS Data Protection was formed to deliver GDPR services to existing and new clients
Mark Povey, Technical Director • 11 years in the British Army (Royal Signals) • Designed basic document management for the Regiment • Left the army and went into selling EDMS (Egami) • Designed a hybrid book scanning system • GDPR Practitioner trained (IISP accredited) • Working with Queens' College, Cambridge on their GDPR project
• Goals for today • Basic understanding of the GDPR • Identify some of the changes outlined within the GDPR (new terms etc.) • Begin to understand the delegates' internal processes and procedures • Start the work toward compliance with the GDPR • Understand who the regulation applies to (clue: just about every business, charity or professional organisation with one member of staff or more) • Debunk some of the myths around the GDPR (there are many!!)
• General Data Protection Regulation: agenda • When it comes into effect and when you should start preparing • Key tenets of the GDPR and what they mean in real terms • What the penalties could be for a breach, and the myths associated with them • The likelihood of a breach and how breaches happen • Exercise: identify probable breach areas • The key threats to you, the delegates • Roll-out planning • New terms used by the GDPR, with simple definitions
• 25th May 2018 • You should have started last year • Updates are coming out from the ICO regularly • Brexit will change nothing for UK organisations: the regulation is being carried into UK law and the ICO remains the supervisory authority you report breaches to
• Privacy by design: this means you!! • Data minimisation: only process what is essential to you • Anonymisation (or pseudonymisation) of personal data to protect the data subject's identity • Data retention period: only store for as long as is necessary • Right to erasure • The GDPR places the interests of the individual before the interests of the business • Privacy policies must be clear, unambiguous and as easy to understand as a children's book • Opting out should be as easy as opting in • Right to data portability
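The three technical measures on this slide (minimisation, pseudonymisation, retention) and the right to erasure are easy to state and easy to get wrong in a spreadsheet or a customer database. The following is an added worked example, not code from Jack Simons or from the ICO, showing one way to apply all four to a batch of customer records before they are handed to, say, a sales analyst. The customer records, the set of "needed" fields and the 365-day retention rule are all constructed for the example. One caveat a practitioner should keep in mind: a keyed hash (HMAC) is pseudonymisation, not anonymisation. Whoever holds the key can still link the tag back to the person, so the GDPR still treats the output as personal data; only destroying the key (and every copy of the source records) moves it towards genuinely anonymous data.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample records for the example: what a small business might hold.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.org",
     "phone": "07700 900123", "order_total": 42.50, "last_contact": "2016-02-10"},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.org",
     "phone": "07700 900456", "order_total": 99.00, "last_contact": "2017-09-01"},
]

# Data minimisation: the fields the stated purpose (sales analysis) actually needs.
# Name, e-mail and phone are not among them, so they never leave this function.
NEEDED_FIELDS = {"customer_id", "order_total", "last_contact"}

# Hypothetical retention rule, assumed for the example: one year since last contact.
RETENTION = timedelta(days=365)

# Fixed "today" so the example is reproducible (the deck was given in autumn 2017).
DEMO_DATE = date(2017, 9, 30)


def pseudonymise(value, key):
    """Replace an identifier with an HMAC-SHA256 tag under a secret key.

    Same input + same key -> same tag, so the analyst can still group orders
    by customer. Without the key the tag cannot be reversed or recomputed
    (a plain unkeyed hash could be, by hashing every known customer id).
    Truncated to 16 hex chars for readability; keep the full digest in production.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(record, needed):
    """Keep only the fields the purpose requires."""
    return {k: v for k, v in record.items() if k in needed}


def within_retention(record, today, retention):
    """Retention check: has the record been untouched for longer than allowed?"""
    last = date.fromisoformat(record["last_contact"])
    return today - last <= retention


def prepare_for_analysis(records, key, today=DEMO_DATE,
                         needed=NEEDED_FIELDS, retention=RETENTION):
    """Purge out-of-retention records, minimise fields, pseudonymise the id."""
    out = []
    for rec in records:
        if not within_retention(rec, today, retention):
            continue  # past retention: do not process, do not export
        slim = minimise(rec, needed)
        slim["customer_id"] = pseudonymise(slim["customer_id"], key)
        out.append(slim)
    return out


def erase_subject(records, customer_id):
    """Right to erasure applied to the source records (the only place the
    real identifier lives); derived pseudonymised extracts must be
    regenerated from the purged source afterwards."""
    return [r for r in records if r["customer_id"] != customer_id]


if __name__ == "__main__":
    # Key would come from a secrets store in practice; constant here for the demo.
    for row in prepare_for_analysis(SAMPLE_RECORDS, b"demo-secret-key"):
        print(row)
```

Run as written it outputs a single row: Alice's record is dropped because her last contact was more than a year before the demo date, and Bob's record keeps only the three needed fields with the customer id replaced by a tag. Re-running with a different key gives a different tag, which is the point: the linkage lives in the key, not in the data.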
• Failure to comply with the GDPR could mean the following penalties being imposed for personal data breaches: • Under the DPA (Data Protection Act) the highest possible penalty was £500,000 • Until now the largest fine the ICO has imposed was TalkTalk (£400,000) • The new fines are up to €10 million or 2% of global annual turnover (for certain breach types), whichever is higher, or: • up to €20 million or 4% of global annual turnover, whichever is higher • TalkTalk would have been fined £10 million+ under the new regime • Big Corp Inc is not immune: if you trade in Europe, you comply with Europe • The NHS is not exempt from the new regulations: if encrypted data could not be restored, each hospital or trust would face the harshest fines • The ICO has stated that it will not seek to shut down businesses for a breach
• The likelihood of a breach is a given!!! • The GDPR recognises this; breaches will be investigated when reported, with the following mitigating circumstances being considered: • A robust data protection policy is in place and adhered to (regular staff training) • Cyber security is fully up to date and regularly tested • Physical security of paper records is maintained and followed, access controls are in place etc. • Systems are in place to protect digital data (encryption, anonymisation etc.)
• The likelihood of a breach is a given, Pt 2 • The biggest breach area (according to Gartner) is still lost or stolen paper records • Online hacking is a national pastime for certain states • Phishing attacks are still a major issue for most businesses • USB sticks and other removable media are still openly used without adequate precautions, and attacks are injected via this means • Social media accounts are routinely used to discuss "where I work" etc., allowing evil actors to socially engineer attacks • Facebook and Google recently lost ca. $100m to a phishing (fake supplier invoice) attack • Remember a breach can be physical or digital
• Exercise: identify your business' likely areas for a breach • Points to consider: • Who's in charge of your data? • Remote workers? • Training • Policies • Procedures
• The key threats (seen from afar): • Paper-based records stored haphazardly, on-site or off-site • Data retention plan? • No data plan informing responsible staff what, why, where etc. • Records being stored in the clear, paper and digital • Compliance checks? • Temporary staff collecting and processing personal data • Older marketing databases not being kept up to date
• New terms used with the GDPR • Data Subject: a natural person (not an organisation) whose data is being processed, stored or otherwise handled by your organisation • Data Protection Officer (DPO): the individual responsible for the protection of data subjects while ensuring full compliance with the GDPR (must be able to act independently of business priorities) • DSAR: data subject access request (supersedes SAR); must now be free in most cases, with a reasonable fee chargeable only for manifestly unfounded or excessive requests • DPIA: data protection impact assessment; these must be carried out if certain (high-risk) processing activities are being undertaken • PII: personally identifiable information, anything which can be used to identify a data subject (credit card number, CCTV image captured by a school etc.); note the GDPR itself uses the wider term "personal data" • Processing: now encompasses visual/aural review of data as well as entry into databases etc. • EDPB: European Data Protection Board, the EU body that issues guidance on the GDPR and settles disputes between national supervisory authorities
• ICO 12 steps to compliance
1. Awareness: decision makers and key people
2. Information: document what you hold (data map)
3. Communicating privacy information: review and amend privacy notices
4. Individuals' rights: ensure you can deliver against data subject rights
5. Subject access requests: update procedures
6. Legal basis for processing: identify and document
7. Consent: review how you obtain and record consent
8. Children: review consent processes for minors
9. Data breaches: ensure you have processes for detecting and reporting
10. Data protection by design and DPIAs
11. DPOs: appoint one (can be outsourced)
12. International transfers: ensure you have an appropriate legal basis
In summary: your route to compliance • Unless you already have a comprehensive and effective DPA compliance regime in place, GDPR compliance is likely to be a major change programme. • It will need: – Top management attention; – Dedicated planning and implementation resource; – Financial support; – Significant culture change. • Many organisations are only starting to come to grips with the need to address cyber security; • Many more will have Brexit issues to address; • The time period to the GDPR is shortening every day. • Is it actually possible to be fully compliant by 25th May 2018? (The ICO understands the difficulties facing business.)
Jack Simons services • Initial board awareness training, essential for the project to be correctly funded and understood • Cyber security testing and implementation • Web site security and patching • Data map creation and storage advice, digital and physical • Staff GDPR compliance and awareness training • GDPR implementation plan and conformance, including virtual DPO • Compliance review and updates • DPIA when necessary • As of now you have 238 days, or 5,712 hours
Questions?