Welcome
Chris Joberns, Managing Director at Strident

Experts With Practical Answers
• Becky Moran, ReMo, ISO and GDPR guru: Becky will introduce GDPR and highlight areas you need to address
• Darren Davies, ESET: Darren will demonstrate the very latest tools and techniques
• Chris Joberns, Strident: I will conclude by explaining the 9 critical issues your IT company must address
Becky Moran
“It’s a horrific piece of legislation. It was designed for online retailers like Amazon, but it captures us. We have a lot of work to do to become compliant.” Chief Data Officer, Global Investment Bank
25th May 2018
The six principles
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to the data subject
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
5. Retained only as long as necessary
6. Processed in an appropriate way to ensure its security
Why security?
• 2016 Tesco Bank: fraudsters steal thousands, resulting in online accounts being frozen
• 2016 SWIFT banking system hacked 3 times in a single summer, totalling $81M in losses
• 2016 Ukrainian bank hacked: hackers make off with $10M by exploiting the messaging system
• 2016 State Bank of India (SBI.NS) suffered a breach in which 3.2 million debit cards were compromised and customers suffered fraudulent transactions on their accounts

Why security? Cyber security is not your only concern
Bob Quick, Anti-Terror Officer: in 2009 he was forced to resign after this blunder

How do we meet the six principles?
• Privacy by design (risk identification and treatment, setting of security objectives)
• Encryption, anonymisation and pseudonymisation of personal data
• Secure backup and disaster recovery
• Network segregation
• Know your data and its physical location
• Plus MUCH more…
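The slide names pseudonymisation and anonymisation as controls without showing what they look like on a record. The following is an added example, not code from the presenters or from ESET or Strident; it uses only the Python standard library and assumes a constructed sample record, a constructed demo key (DEMO_KEY) and a reference date of 25 May 2018. It pseudonymises the direct identifier with a keyed HMAC (the key is the "additional information" that must be held separately), generalises the quasi-identifiers (date of birth to an age band, IP address to a network prefix, postcode to its outward part), and drops the field with no stated purpose. The difference between the two techniques is visible in the code: the HMAC token can still be linked back by whoever holds the key, while the bucketed fields cannot be reversed at all.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed sample record (not real data); the field types mirror the kinds
# of personal data listed in the slides.
SAMPLE_RECORD = {
    "name": "Alex Example",
    "email": "Alex@Example.org",
    "dob": "1985-04-12",
    "ip": "203.0.113.42",
    "postcode": "SW1A 1AA",
}

# Constructed demo key (assumption for this example). In practice this is the
# "additional information" that GDPR pseudonymisation requires to be kept
# separately from the data set, e.g. in a secrets store or HSM, so that it can
# be rotated or destroyed independently of the records.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Reference date used for age calculation (the GDPR application date).
REFERENCE_DATE = date(2018, 5, 25)


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC-SHA256 token.

    The same input always yields the same token under the same key, so records
    can still be joined or counted. Without the key the token cannot be
    recomputed from a list of likely names or addresses, which an unkeyed hash
    would permit.
    """
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def age_band(dob_iso: str, today: date = REFERENCE_DATE, width: int = 10) -> str:
    """Generalise a date of birth to an age band (anonymisation by bucketing)."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def truncate_ip(ip: str) -> str:
    """Keep only the network prefix (/24 for IPv4, /48 for IPv6) so the value
    no longer points at a single machine."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def outward_postcode(postcode: str) -> str:
    """Reduce a full UK postcode to its outward part (the area and district)."""
    return postcode.strip().upper().split()[0]


def minimise(record: dict, key: bytes = DEMO_KEY, today: date = REFERENCE_DATE) -> dict:
    """Produce the reduced record an analytics team would receive: the direct
    identifier pseudonymised, quasi-identifiers generalised, and the name
    (no stated purpose here) dropped entirely."""
    return {
        "subject_id": pseudonymise(record["email"], key),
        "age_band": age_band(record["dob"], today),
        "ip_prefix": truncate_ip(record["ip"]),
        "area": outward_postcode(record["postcode"]),
    }


if __name__ == "__main__":
    print(minimise(SAMPLE_RECORD))
```

The bucket widths (10-year bands, /24 and /48 prefixes, outward postcode) are choices for this example; the right level of generalisation depends on how many subjects share each bucket in your own data set.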
Personal data - redefined
Personal data definitions have changed…

Personal data - redefined
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” European Commission (EC)

Personal data - redefined
[Slide graphic: three overlapping groups labelled Data, Personal Data, and Special or sensitive personal data. Items shown on the slide: place of work or employer, name, date of birth, criminal record, National Insurance number, school/college, genetic information, race, passport, age, salary, IP address, Twitter handle, clicks, mother’s maiden name, gender, credit and debit card information, biometric data (voice, fingerprints, DNA, retinal scans, handwriting), country of origin, country/postcode/town of residence, banking information, religion, flight number or last destination, browser/web cookie, personal email address, telephone number, political views, driving licence number, home address, medical information, training and education, tax information, profession.]

Special categories of personal data
Processing of the following special personal data is prohibited:
• Political opinions
• Religion
• Race or ethnic origin
• Biometric data
• Trade union membership
• Philosophical views
• Sexual orientation or information about a data subject’s sex life
• Health data
• Genetic data
Consent (legal vs consent, & children)
The following conditions apply for consent:
• In order to process personal data, the controller must have a legal basis for processing or gain consent from the data subjects
• When gaining consent, the subject must be made aware of their rights
• Consent age for Europeans is 16
• Member states can reduce this age, but to no lower than 13
• The controller will make reasonable efforts to verify parental consent

Secure the human - training and awareness for your employees
Human risk = BIGGEST RISK!
• Include security stipulations within employment contracts
• Where you are processing personal information, enter your staff into a Non-Disclosure Agreement (NDA)
• Train your staff to be security aware; ensure the training is ongoing and that it is tested
• Control access to information: the minimum access needed to perform the duties of a role
• Control mobile devices
• Include all types of security threat in the training; cyber isn’t your only concern…

Breaches & reporting
• 72 hour reporting rule (ICO reporting)
• Must have a disaster recovery plan
• Data subjects must be notified if their data is compromised
Penalties October 2016 TalkTalk received a fine of £400K for failing to protect the personal data of over a million customers. They were later fined a further £100K for failing to report the breach. Under GDPR, the fines could have totalled over £32M!
Penalties
The GDPR carries huge penalties:
• €10,000,000 or 2% of global annual turnover for the infringement of requirements (lesser)
• €20,000,000 or 4% of global annual turnover for the infringement of requirements (severe)
• The ICO estimates that small to medium sized businesses could face fines of up to £60,000 under GDPR
Sally Anne Poole, ICO Enforcement Manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you”

UK Data Protection Bill (REVIEW)
• Published on 14th September 2017
• Aligns with the requirements of GDPR, with a few exemptions

Next steps
• Know the GDPR basics
• Understand data subjects’ rights
• Look at your business processes: understand where personal data resides
• Understand the risks posed to the personal data
• Protect it in a way your business can afford
• Document it

Further information
The Information Commissioner’s Office provides a huge amount of information and guidance online for free. This includes help with writing your privacy notice, how to perform PIAs, the 12 steps to compliance plan and much more: https://ico.org.uk/
Free data security training: https://www.gov.uk/government/collections/cyber-security-training-for-business
Darren Davies
Encryption - General
In the 2015 ‘Information Security Breaches Survey Technical Report’:
• 90% of large organisations
• 74% of small to medium enterprises
… have suffered some form of a data breach
Cost of breaches:
• Large organisations = £1.46m to £3.14m
• SMEs = £75k to £311k
Typical breaches:
• Malicious outsider
• Well-meaning insider

New EU data protection reform for 2018
The European Commission plans to unify data protection within the EU with a single law, the General Data Protection Regulation (GDPR).
• One continent, one law
• Non-European companies must comply with EU regulation
• Compulsory data protection officer
• Data breach notifications within 72 hours
• Penalties up to €20,000,000 or 4% of worldwide revenue
• Date: 25 May 2018; member states have had two years to comply

GDPR - General Data Protection Regulation
GDPR states organisations need to secure…
“Any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity”
Companies need to understand…
• What data they hold
• Where it is
• What is potentially under the radar

Ministry of Justice
Fined £180,000 by the Information Commissioner’s Office (ICO)
• The penalty follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire
• The hard drive contained sensitive and confidential information about 2,935 prisoners
• Including details of links to organised crime, health information, history of drug misuse and material about victims and visitors
• The device was not encrypted
Stephen Eckersley, head of enforcement at the ICO, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.” “This is simply not good enough”

NHS Surrey
Fined £200,000 by the Information Commissioner’s Office (ICO)
• More than 3,000 patient records were found on a second-hand computer
• NHS Surrey was alerted to the problem by a member of the public
• Further investigation found confidential sensitive personal data and HR records
• Including patient records relating to approximately 900 adults and 2,000 children on the device
Stephen Eckersley, head of enforcement at the ICO, said: “The facts of this breach are truly shocking” “This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case”