UK GDPR readiness survey - International Data Corporation (IDC), April 2017
[Bar chart: percentage of respondents in each category - believe they already comply; don't know where to start; awaiting guidance; have a solid plan; planning to start the journey. Axis 0-40%. Individual values not recoverable from the extracted text.]
GDPR Headlines

Elizabeth Denham (Head of UK ICO) said in a recent talk:
"The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It's about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation."

• New regulations concerning Personal Data - May 2018
• Any identifiable personal data - cookies, telematic data, IP address, biometric data, CCTV
• Fines of up to 4% of gross annual turnover or €20m, whichever is greater
• Additional fines of 2% or €10m for failure to report data breaches within 72 hours
More than 200 prosecutions – under the existing Data Protection Act

• A4E – Theft of unencrypted laptop containing personal data
• Hertfordshire County Council – Fax error leading to disclosure of personal data
• London Borough of Ealing – Theft of unencrypted laptop containing personal data
• London Borough of Hounslow – Theft of unencrypted laptop containing personal data
• Andrew Jonathan Crossley (ACS Law) – Personal data exposed following inadequate web-hosting
• London Borough of Croydon – Personal data stolen from a public house
• Cheshire East Council – Disclosure of personal data via email to unintended recipients
• Brighton & Sussex Hospitals NHS Trust – Insecure disposal of hard drives containing personal data
• Prudential – Inaccuracy of customer records
• Sony – Infiltration of online network
• Nursing and Midwifery Council – DVDs containing personal data lost
• DM Design Bedrooms Ltd – Making unsolicited marketing calls
• Nationwide Energy Services Ltd – Making unsolicited marketing calls
• Bank of Scotland – Multiple faxes containing personal data sent to incorrect recipient
• Jala Transport – Theft of unencrypted portable hard drive
• First Financial (UK) Limited – Sending unsolicited direct marketing texts
• British Pregnancy Advice Service – Hacker threatened to publish thousands of names of people
• Think W3 Limited – Hacker obtained large number of credit & debit card details
• Direct Assist Ltd – Making direct marketing calls to people without their consent
• The Money Shop – The theft and loss of servers containing customer data
• Pharmacy 2U Limited – Sold details of more than 20,000 customers
• TalkTalk Telecom Group PLC – SQL injection attack
• Royal & Sun Alliance Insurance PLC – The theft of a hard drive containing customer data
The broad terms of reference (GDPR principles)

• Consent to collect and use of data - auditability and traceability
• Right of Access to the data
• Electronic data portability between Data Controllers
• Right to be Forgotten – retention and deletion
• Right to Rectification – amendment/correction

• Demonstrable control, security and processes showing evidence of governance and compliance
• Data transferability restrictions between organisations and external Data Processors
• Obfuscation of non-operational data (non-production/analytical environments)
GDPR is just the spotlight to address a series of interconnected problems

[Diagram: six linked areas - Security & Control, Trust & Integrity, Access, Auditability, Retention, Risk & Liabilities]

• Security & Control: Insecure and undefined access is by itself a time bomb ticking away within your organisation…
• Trust & Integrity: No organisation wants to collect personalised data that has been derived without the consent of the individual.
• Access: The proliferation of personal data across your organisation has major implications for your IT department.
• Auditability: 90% of data breaches occur in the "shadow data" environment.
• Retention: Collecting, managing and analysing erroneous, outdated personal data has major implications.
• Risk & Liabilities: Where the data is held, by whom and by what, in addition to the jurisdiction and possible remedial action. 20 million pending civil cases in the Indian judicial system.
3 distinct phases of activity

Interpretation - of the Regulations
• This will be dictated by your appetite for risk & desire to mitigate that risk
• The complexity of your organisation
• The type of data you hold & how you hold it

Creation - of Policy and Process
• Privacy Notices & Consent
• Subject Access Requests
• Breach Notification
• Commercial and 3rd Party interests
• Big Data & Analytics
• ISO27001 - Cyber Essentials/Encryption
• Legitimate Interest & Direct marketing
• Data Retention/Erasure

Execution - applying policy and process
• DPIA - Impact Assessment
• Creation & maintenance of your Information Asset Register - MDM
• Erasure & Purging/Obfuscation
• Lawful Processing
GDPR: What's your next step?
In Discovery – we will begin to baseline your 'as-is' across the 6 dimensions of GDPR compliance

We will isolate the key elements - policies, processes, technology, roles, responsibilities and, more importantly, the context: the complexity of what data you have, why you hold that personal data and what use you make of it.

[Radar chart, scale 0-4, across the six dimensions: Governance & Policy, Process & Procedure, People & Culture, Data, Technology, Security]
In Analysis - we will work with you to conduct a systematic and thorough review of personal information processing and storage, within your organisation and operations

Leveraging the Capita GDPR intellectual property, we will review your governance, policy and procedures that are associated with GDPR compliance:
• GDPR Information & Security Policy
• Information & Data Asset Register
• Products / Services Assessment
• Privacy Notices
• Subject Access Requests
• Breach Notification & Incident Management
• Data Retention & Erasure
• Commercial (3rd parties)
In Recommendations we will:
• Produce a baseline of the current state, any known changes and identification of any discovered gaps, assisting you in achieving compliance
• Highlight areas of concern from the Analysis phase
• Create a roadmap for your compliance journey
• Develop, document and populate your compliance/risk management environment using our GDPR Management Compliance Portal

Example GDPR implementation plan
[Timeline from JAN 2017 to APR 2018 (deadline), with milestones: Build consensus & assess readiness; Gap assessment; Data inventory; Identify DPIA & DPO; Awareness training; Build a consent mechanism; Build a SAR plan; Storage limitation; Right to be forgotten & data portability; Security data breach plan; Define a data flow mapping plan; Address data transfer & sub-contracting. The month assigned to each milestone is not recoverable from the extracted text.]
In summary we can accelerate your GDPR compliance programme

• 'GDPR ready' – Discovery, Analysis & Recommendations
• Support and Consultancy to help prepare for and maintain compliance to GDPR
• GDPR Compliance Portal to manage your GDPR risk and assessment data
• Policy Templates and Consultancy to better manage your Data Assets and improve Management
• ISO27001 and light-weight ProSec2 Cyber-Security and Risk framework
• Technology Solutions to fill IT capability gaps and systems issues
CONTACT
Graham Clarke
Sales Director, Data and Delivery
+44 (0) 7860 814949
graham.clarke@capita.co.uk