KEMBAR78
GDPR Presentation slides | PPTX
NH
Uploaded byNaomi Holmes
17,345 views

GDPR Presentation slides

The document outlines the details of the GDPR conference held on March 13, 2018, including the agenda, speakers, and topics discussed, such as the importance of GDPR, consent management, personal data breaches, and cyber security. It emphasizes the necessity for organizations to comply with GDPR regulations and implement appropriate measures for data protection. Key takeaways include the clarification that consent is not always required for processing personal data and the need for organizations to have proper procedures in place to record and manage consent.

GDPR Conference 2018 WIFI: The Space Password: 5pac3002
Welcome Chris Sargisson Norfolk Chamber @Chris_NorfolkCC
Agenda 09:30 Welcome 09:40 Alex Saunders, Leathes Prior Tom Parsley, Selesti John Gostling, Breakwater IT 10:30 Refreshment Break & Exhibition Darren Chapman, CyberScale Panel Q&A 11:45 Host close 12.00 Free networking, light refreshments & speaker drop-in 12.15 Optional workshops 13.00 Event close
No fire drills – Exits are marked Toilets outside this room Phones on silent Feel free to tweet House keeping @norfolkchamber #NorfolkGDPR WIFI: The Space Password: 5pac3002
www.slido.com #GDPR
Alex Saunders Leathes Prior @leathesprior @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
GDPR & THE “CONSENT” MYTH WITH ALEX SAUNDERS
GDPR Overview  Replaces the existing Data Protection Act 1998  Due to come into force on 25 May 2018  Most fundamental change to data protection law in almost 20 years?  Covers the use of “personal data” – any information that can identify a living individual  Introduces various key new concepts and expands on existing concepts  Applies to:  Organisations operating within EU  Non-EU organisations offering goods/services within the EU  Enforced in UK by Information Commissioner’s Office (“ICO”)  Impact of Brexit?
GDPR Why is it important?
Principles Continuity DPA 1998 Fair and lawful processing Specific purposes Adequate, relevant and not excessive Accuracy Retain only as long as necessary Respect data subjects’ rights Security Transfers outside EEA GDPR Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality (See lawfulness above)
Lawful Processing Basis for processing CONSENT: you can process personal data where the subject has given consent to the processing for one or more specified purpose CONTRACT WITH INDIVIDUAL: you can process personal data, without consent, where required under a contract with the data subject  E.g. employment contract, contract for sale of goods or services VITAL INTERESTS: you can process personal data, without consent, if it’s necessary to protect someone’s life
Lawful Processing Basis for processing (cont…) PUBLIC TASK: you can process personal data, without consent, to carry out your official functions or a task in the public interest – and where you have a legal basis for the processing under UK law  If public authority, likely to apply to most of your processing activities LEGITIMATE INTEREST: you can process personal data, without consent, if you have a genuine and legitimate reason to do so  Legitimate interest can be for commercial benefit  GDPR recitals – direct marketing could be a legitimate interest  BUT exception if your interests are outweighed by harm to the individual’s rights and interests
Lawful Processing Is “consent” always necessary? MYTH: Consent is always necessary to process personal data FACT: Consent is one way to comply with the GDPR, not the only way  “Consent” is only one of six lawful basis for processing personal data  Organisations will need to identify on which ground they are processing personal data Will only be appropriate to use consent where other grounds do not apply
Consent under GDPR When is consent appropriate? Consent may be required if you are…  Direct marketing  Using or sharing personal data in a way that is potentially intrusive or unusual – e.g. selling database  Transferring personal data outside the EEA Consent will not be appropriate if…  You are in a position of power over the individual (employer)  Consent is a pre-condition of using the service  You would still process personal data using a different basis even if consent was withdrawn
Consent under GDPR Key changes? DPA 1998 “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” GDPR “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent” GDPR sets a higher standard for obtaining consent
Consent Practical Changes DON’T  Identify basis of processing Ensure consent is the most appropriate basis for the processing. Any other grounds?  Clear and plain language Use language that is easy to understand when obtaining consent. Avoid legal jargon!  Third parties Give details of any third parties who will be relying on the consent.  Keep records Who gave consent? When and how was consent given? Review consents regularly.  Withdrawal Make withdrawal of consent straightforward and simple. Same method as given. DO
X Don’t bundle consent Keep separate from other terms. Don’t make it a pre-condition of signing up to a service. X Blanket consent Get separate consent for separate things where possible. Do not rely on a blanket consent X Don’t use pre-ticked boxes It should be an active opt-in. Don’t rely on implied consent. X Penalising withdrawal Do not penalise individuals who withdraw their consent. X Public authorities Take extra care to show consent has been freely given. Avoid over-reliance on consent. Consent Practical Changes DON’T
Action Points What now? Undertake a review of the personal data held by your organisation If not, consider whether consent meets the GDPR standard. Do you need to obtain fresh GDPR-compliant consent? Identify what data is being processed on the basis of consent. Are there any other lawful basis for processing? Ensure that there are proper procedures in place for recording consent and giving customers the right to withdraw
THANK YOU Please feel free to get in touch with any questions: E: asaunders@leathesprior.co.uk T: 01603 281141
Tom Parsley Selesti @Selesti @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
GDPR & Marketing: opportunity or threat? Tom Parsley
With change comes new opportunities
STAND OUT
More personalised, human engagement
Improved focus
Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.
FLYBE FINED
Personalised email GDPR and PECR apply Generic marketing email Only general marketing consent needed Dear Amber Your recommendations
Increased trust
93% of online shoppers cite the security of their personal data as a concern
If we can’t easily explain what we’re doing with personal data then we shouldn’t be doing it
COPYWRITING Avoid personal pronouns Active voice Write in plain English Highlight the benefits Make future opt-outs clear
Encourages creativity
THANK YOU for brands with ambition. Strategies, Technologies & Campaigns tom@selesti.com
John Gostling Breakwater IT @BreakwaterIT @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
Personal Data Breaches WELCOME John Gostling Breakwater IT 13 March 2018
INTRODUCTION About me; • Worked in IT since 1998 • Nearly 20 years! • Worked at Breakwater since 2012 • Regularly see different hacks, breaches and attempts at fraud
PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
PERSONAL DATA BREACH • What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
BREACH EXAMPLES • Carphone Warehouse • Fined £400,000 in January • Records for approximately 3,348,869 customers of a number of mobile phone providers • Records for 389 customers across two other companies • Historic transaction details for the period March 2010 – April 2010 • Records of approx. 100 employees
BREACH EXAMPLES • What is a vulnerability? A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
BREACH EXAMPLES • Carphone Warehouse – How did they get in? • Vulnerability? • Password
BREACH EXAMPLES • Carphone Warehouse – How did they get in? • Vulnerability? • Password
BREACH EXAMPLES • Uber • Details of 2.7 million UK drivers and riders • Details of 57 million people worldwide • Email addresses and phone numbers • US Driver license numbers
BREACH EXAMPLES • Uber - How did they get in? • Password stored on Github • What is Github? • Cover up! • ICO Response
BREACH EXAMPLES • Uber – ICO Response “Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.”
BREACH EXAMPLES • Leicester County Council • Email sent to 27 different taxi firms • Accidentally included a large spreadsheet • The spreadsheet contained personal data of thousands of children
PREVENT A BREACH • Vulnerability testing & Penetration testing • Password Management • Risk assess • Two Factor Authentication • Utilise DLP features on key documents • Data Protection training
USEFUL LINKS • Elizabeth Denham Blog - http://bit.ly/2tcP5uA • Carphone Warehouse Monetary Penalty Notice - http://bit.ly/2oR86xs • ICO Statement on Uber Breach - http://bit.ly/2juR7y4 • BBC Article on Leicester City Council - http://bbc.in/2D3V8C9
Refreshment Break See you back in the Auditorium at 11.00 @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
Darren Chapman CyberScale @cyberscaleuk @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
GDPR & Cyber Security GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security
(Why) Does Cyber Security Matter? “Cyber security and data protection are inextricably linked“ CBI Cyber Security Conference, 13 September, 2017
“Processing” Personal Data “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Cyber Security – GDPR Regulations “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” …Article 32, GDPR
Cyber Security – GDPR in practice “A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data” ICO Website – Personal Data Breaches
Cyber Security Fundamentals • For DATA, we use C.I.A. ▫ Confidentiality ▫ Integrity ▫ Availability • Risk based approach ▫ Understand what is critical to your business ▫ Understand the vulnerabilities and threats ▫ Assess the risks and impacts ▫ Apply controls to reduce or mitigate • For reducing risks, we consider ▫ People, Process & Technology
Data - Where is it?
Data – What are the threats? Malware Ransomware Viruses Worms Trojans Phishing Smishing Fire Theft Flood Hardware failure Human error DOS Attack RAT’s Backdoors Corruption Insider threats Zero day attacks Fileless Malware Man in the middle attacks Credential stealing Keyloggers SQL Injection XSS Bluejacking Spear Phishing Whaling “.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” ..Article 32, GDPR
Cyber Security Frameworks
Cyber Security Personal Data Security “.. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” …Article 32, GDPR Cyber Security Personal Data Security (GDPR) CIA CIA Risk Based Approach - DATA Risk based Approach – PERSONAL DATA No formal requirement Demonstrable Incident Response Plan Breach Response Plan
Cyber Security – Where are you at?
Cyber Security is a journey…
Common Gaps Checking backups AV coverage Copies of data Cloud Security Policies Contracts & SLA’s Staff training Password Management Multi Factor Authentication Encryption (All Devices) BYOD Management Individual User Accounts Monitoring & Auditing Updating Applications Least Privilege DOCUMENTATION! Incident Response Plan
If things do go wrong…. Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it
Key Actions & Take-aways
GDPR & Cyber Security GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security Thank You
Speaker Q+A @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
Workshops Workshop A - A Practical Marketing Approach to GDPR Workshop B – Appointing a Data Protection @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
@norfolkchamber #NorfolkGDPR www.slido.com #GDPR Please feel free to complete these cards which can be found in your Delegate folders, and hand them in at Reception.
Thank you #GDPRConf18

More Related Content

PPTX
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
PPTX
skillcast-gdpr-training-presentation-q320.pptx
byRahulGarg294918
 
PDF
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
PPTX
Introduction to GDPR
byPriyab Satoshi
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
byCvent
 
PPTX
GDPR Introduction and overview
byJane Lambert
 
PPTX
Presentation on GDPR
byDipanjanDey12
 
PDF
GDPR for Dummies
byCaroline Boscher
 
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
skillcast-gdpr-training-presentation-q320.pptx
byRahulGarg294918
 
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
Introduction to GDPR
byPriyab Satoshi
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
byCvent
 
GDPR Introduction and overview
byJane Lambert
 
Presentation on GDPR
byDipanjanDey12
 
GDPR for Dummies
byCaroline Boscher
 

What's hot

PPTX
General Data Protection Regulation
byBCC - Solutions for IBM Collaboration Software
 
PPTX
Gdpr presentation
bySudarsan Reddy
 
PDF
What about GDPR?
byMartin Hawksey
 
PDF
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
GDPR Demystified
bySPIN Chennai
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PPTX
GDPR
byGopi PD
 
PPT
Data Protection (Download for slideshow)
byAndrew Sharpe
 
PDF
GDPR infographic
byMarketing Team at Crown Worldwide Group
 
PPTX
GDPR training
byASL
 
PPT
Data protection
byLewis Silkin
 
PPTX
EU GDPR (training)
byElizabeth Baker, JD, CRCMP
 
PDF
GDPR Overview
byTrish McGinity, CCSK
 
PDF
Privacy and Data Security
byWilmerHale
 
PPTX
Data protection
byRaviPrashant5
 
PPTX
General Data Protection Regulation (GDPR) | Privacy Law in India |
byBivas Chatterjee
 
PPTX
Training privacy by design
byTommy Vandepitte
 
PPT
Data Protection Presentation
byIBM Business Insight
 
PPTX
An Overview of GDPR
byThe Pathway Group
 
PDF
Gdpr presentation
byIain Wicks MCIPR
 
General Data Protection Regulation
byBCC - Solutions for IBM Collaboration Software
 
Gdpr presentation
bySudarsan Reddy
 
What about GDPR?
byMartin Hawksey
 
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR Demystified
bySPIN Chennai
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
GDPR
byGopi PD
 
Data Protection (Download for slideshow)
byAndrew Sharpe
 
GDPR infographic
byMarketing Team at Crown Worldwide Group
 
GDPR training
byASL
 
Data protection
byLewis Silkin
 
EU GDPR (training)
byElizabeth Baker, JD, CRCMP
 
GDPR Overview
byTrish McGinity, CCSK
 
Privacy and Data Security
byWilmerHale
 
Data protection
byRaviPrashant5
 
General Data Protection Regulation (GDPR) | Privacy Law in India |
byBivas Chatterjee
 
Training privacy by design
byTommy Vandepitte
 
Data Protection Presentation
byIBM Business Insight
 
An Overview of GDPR
byThe Pathway Group
 
Gdpr presentation
byIain Wicks MCIPR
 

Similar to GDPR Presentation slides

PDF
Gdpr for business full
byFionnuala Hendrick
 
PPTX
GDPR – what does it mean for charities and what you need to consider - Iain P...
bym-hance
 
PDF
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
PPTX
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
PPTX
GDPR Practicalities - The Data Shed
byStewart Norriss
 
PPTX
GDPR in the Healthcare Industry
byEMMAIntl
 
PDF
GDPR Whitepaper
byRichard Goddard
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
byHarrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
PPT
The Countdown is on: Key Things to Know About the GDPR
byCase IQ
 
PDF
UX & GDPR - Building Customer Trust with your Digital Experiences
byStephen Denning
 
PDF
UX & GDPR - Building Customer Trust with your Digital Experiences
byUser Vision
 
PDF
GDPR webinar for business leaders
byDeeson
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
byHarrison Clark Rickerbys
 
PDF
GDPR Is Around the Corner - Don't Panic
byeZ Systems
 
PPT
GDPR webinar presentation | LawBite
byClive Rich
 
PDF
What's Next - General Data Protection Regulation (GDPR) Changes
byOgilvy Consulting
 
PPTX
GDPR General Awarness for employees and personal data types
byAbdullaFatiya3
 
PDF
Public sector breakfast club - October 2017, Exeter
byBrowne Jacobson LLP
 
PDF
GDPR Changing Mindset
byNetworkIQ
 
Gdpr for business full
byFionnuala Hendrick
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
bym-hance
 
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
GDPR Practicalities - The Data Shed
byStewart Norriss
 
GDPR in the Healthcare Industry
byEMMAIntl
 
GDPR Whitepaper
byRichard Goddard
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
byHarrison Clark Rickerbys
 
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
The Countdown is on: Key Things to Know About the GDPR
byCase IQ
 
UX & GDPR - Building Customer Trust with your Digital Experiences
byStephen Denning
 
UX & GDPR - Building Customer Trust with your Digital Experiences
byUser Vision
 
GDPR webinar for business leaders
byDeeson
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
byHarrison Clark Rickerbys
 
GDPR Is Around the Corner - Don't Panic
byeZ Systems
 
GDPR webinar presentation | LawBite
byClive Rich
 
What's Next - General Data Protection Regulation (GDPR) Changes
byOgilvy Consulting
 
GDPR General Awarness for employees and personal data types
byAbdullaFatiya3
 
Public sector breakfast club - October 2017, Exeter
byBrowne Jacobson LLP
 
GDPR Changing Mindset
byNetworkIQ
 

Recently uploaded

PDF
Cole Corey - A Dynamic Professional Journey
byCole Corey
 
PDF
mansionhousecompactprogressupdateoctober2025.pdf
byHenry Tapper
 
PDF
Buy Telegram Account with Crypto A Complete Guide.docx.pdf
byBuy Telegram Accounts
 
PDF
Laura Sergio - A Freelance Data Analyst
byLaura Sergio
 
PDF
Pensions-UK-2030-Ready-Jul-2025.pdf Conference
byHenry Tapper
 
DOCX
Top 33 Site to Buying, Verified Coinbase Accounts A Complete Guide .docx
byTinVejos
 
PDF
_How to Buy Verified PayPal Account and Start Transactions ....pdf
bypvatopservice6
 
PDF
Event Report - Dayforce Discover - New modules, new payroll strategy and a lo...
byHolger Mueller
 
PDF
Everything that you always wanted to know about Linear Regression for a Senio...
byluc faucheux
 
PDF
Quote by Top 8 Best sites to Buy Telegram Accounts (PVA ....docx.pdf
byBuy Telegram Accounts
 
PDF
What to Do When Banks Ask for Collateral You Don’t Have
byJake Thornhill
 
PDF
Obtaining an entrepreneurship, business, and leadership idea
byP&CO
 
PPTX
How Noida Became a Hub for the Rise space
byEtherea Coworks
 
PDF
How to Get a Business Loan for Your Travel Agency (Quick and Easy)
byJake Thornhill
 
PDF
Recepta do kampanii The Swedish Prescription
byagatadrynko
 
PDF
Finish Strong: Plan the Run to Christmas Close out 2025 and Set Up for a Powe...
byChristopherVicGamuya
 
PDF
The United States Healthcare Overhaul_ From Reactive Spending to Preventive C...
byStevenHeizmannCPA
 
PDF
11 Best Sites to Buy LinkedIn Accounts A Step-By-Step Guide.pdf
byweiryitzchok33
 
PDF
Options King - Dr. Paul Infante Monozca
byjoshua708658
 
PPTX
Natalia Renska: Ігри, в які ми граємо на роботі (UA)
byLviv Startup Club
 
Cole Corey - A Dynamic Professional Journey
byCole Corey
 
mansionhousecompactprogressupdateoctober2025.pdf
byHenry Tapper
 
Buy Telegram Account with Crypto A Complete Guide.docx.pdf
byBuy Telegram Accounts
 
Laura Sergio - A Freelance Data Analyst
byLaura Sergio
 
Pensions-UK-2030-Ready-Jul-2025.pdf Conference
byHenry Tapper
 
Top 33 Site to Buying, Verified Coinbase Accounts A Complete Guide .docx
byTinVejos
 
_How to Buy Verified PayPal Account and Start Transactions ....pdf
bypvatopservice6
 
Event Report - Dayforce Discover - New modules, new payroll strategy and a lo...
byHolger Mueller
 
Everything that you always wanted to know about Linear Regression for a Senio...
byluc faucheux
 
Quote by Top 8 Best sites to Buy Telegram Accounts (PVA ....docx.pdf
byBuy Telegram Accounts
 
What to Do When Banks Ask for Collateral You Don’t Have
byJake Thornhill
 
Obtaining an entrepreneurship, business, and leadership idea
byP&CO
 
How Noida Became a Hub for the Rise space
byEtherea Coworks
 
How to Get a Business Loan for Your Travel Agency (Quick and Easy)
byJake Thornhill
 
Recepta do kampanii The Swedish Prescription
byagatadrynko
 
Finish Strong: Plan the Run to Christmas Close out 2025 and Set Up for a Powe...
byChristopherVicGamuya
 
The United States Healthcare Overhaul_ From Reactive Spending to Preventive C...
byStevenHeizmannCPA
 
11 Best Sites to Buy LinkedIn Accounts A Step-By-Step Guide.pdf
byweiryitzchok33
 
Options King - Dr. Paul Infante Monozca
byjoshua708658
 
Natalia Renska: Ігри, в які ми граємо на роботі (UA)
byLviv Startup Club
 

GDPR Presentation slides

  • 1.
    GDPR Conference 2018 WIFI: TheSpace Password: 5pac3002
  • 2.
  • 3.
    Agenda 09:30 Welcome 09:40 AlexSaunders, Leathes Prior Tom Parsley, Selesti John Gostling, Breakwater IT 10:30 Refreshment Break & Exhibition Darren Chapman, CyberScale Panel Q&A 11:45 Host close 12.00 Free networking, light refreshments & speaker drop-in 12.15 Optional workshops 13.00 Event close
  • 4.
    No fire drills– Exits are marked Toilets outside this room Phones on silent Feel free to tweet House keeping @norfolkchamber #NorfolkGDPR WIFI: The Space Password: 5pac3002
  • 5.
  • 6.
  • 7.
    GDPR & THE“CONSENT” MYTH WITH ALEX SAUNDERS
  • 8.
    GDPR Overview  Replacesthe existing Data Protection Act 1998  Due to come into force on 25 May 2018  Most fundamental change to data protection law in almost 20 years?  Covers the use of “personal data” – any information that can identify a living individual  Introduces various key new concepts and expands on existing concepts  Applies to:  Organisations operating within EU  Non-EU organisations offering goods/services within the EU  Enforced in UK by Information Commissioner’s Office (“ICO”)  Impact of Brexit?
  • 9.
    GDPR Why isit important?
  • 10.
    Principles Continuity DPA 1998 Fairand lawful processing Specific purposes Adequate, relevant and not excessive Accuracy Retain only as long as necessary Respect data subjects’ rights Security Transfers outside EEA GDPR Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality (See lawfulness above)
  • 11.
    Lawful Processing Basisfor processing CONSENT: you can process personal data where the subject has given consent to the processing for one or more specified purpose CONTRACT WITH INDIVIDUAL: you can process personal data, without consent, where required under a contract with the data subject  E.g. employment contract, contract for sale of goods or services VITAL INTERESTS: you can process personal data, without consent, if it’s necessary to protect someone’s life
  • 12.
    Lawful Processing Basisfor processing (cont…) PUBLIC TASK: you can process personal data, without consent, to carry out your official functions or a task in the public interest – and where you have a legal basis for the processing under UK law  If public authority, likely to apply to most of your processing activities LEGITIMATE INTEREST: you can process personal data, without consent, if you have a genuine and legitimate reason to do so  Legitimate interest can be for commercial benefit  GDPR recitals – direct marketing could be a legitimate interest  BUT exception if your interests are outweighed by harm to the individual’s rights and interests
  • 13.
    Lawful Processing Is“consent” always necessary? MYTH: Consent is always necessary to process personal data FACT: Consent is one way to comply with the GDPR, not the only way  “Consent” is only one of six lawful basis for processing personal data  Organisations will need to identify on which ground they are processing personal data Will only be appropriate to use consent where other grounds do not apply
  • 14.
    Consent under GDPRWhen is consent appropriate? Consent may be required if you are…  Direct marketing  Using or sharing personal data in a way that is potentially intrusive or unusual – e.g. selling database  Transferring personal data outside the EEA Consent will not be appropriate if…  You are in a position of power over the individual (employer)  Consent is a pre-condition of using the service  You would still process personal data using a different basis even if consent was withdrawn
  • 15.
    Consent under GDPRKey changes? DPA 1998 “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” GDPR “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent” GDPR sets a higher standard for obtaining consent
  • 16.
    Consent Practical Changes DON’T Identify basis of processing Ensure consent is the most appropriate basis for the processing. Any other grounds?  Clear and plain language Use language that is easy to understand when obtaining consent. Avoid legal jargon!  Third parties Give details of any third parties who will be relying on the consent.  Keep records Who gave consent? When and how was consent given? Review consents regularly.  Withdrawal Make withdrawal of consent straightforward and simple. Same method as given. DO
  • 17.
    X Don’t bundleconsent Keep separate from other terms. Don’t make it a pre-condition of signing up to a service. X Blanket consent Get separate consent for separate things where possible. Do not rely on a blanket consent X Don’t use pre-ticked boxes It should be an active opt-in. Don’t rely on implied consent. X Penalising withdrawal Do not penalise individuals who withdraw their consent. X Public authorities Take extra care to show consent has been freely given. Avoid over-reliance on consent. Consent Practical Changes DON’T
  • 18.
    Action Points Whatnow? Undertake a review of the personal data held by your organisation If not, consider whether consent meets the GDPR standard. Do you need to obtain fresh GDPR-compliant consent? Identify what data is being processed on the basis of consent. Are there any other lawful basis for processing? Ensure that there are proper procedures in place for recording consent and giving customers the right to withdraw
  • 19.
    THANK YOU Please feelfree to get in touch with any questions: E: asaunders@leathesprior.co.uk T: 01603 281141
  • 20.
  • 21.
    GDPR & Marketing:opportunity or threat? Tom Parsley
  • 24.
    With change comesnew opportunities
  • 25.
  • 26.
  • 28.
  • 29.
    Through consent, youcan gain insight into each individual’s interests to provide them with information that they want to receive.
  • 30.
  • 31.
    Personalised email GDPR andPECR apply Generic marketing email Only general marketing consent needed Dear Amber Your recommendations
  • 32.
  • 33.
    93% of onlineshoppers cite the security of their personal data as a concern
  • 34.
    If we can’teasily explain what we’re doing with personal data then we shouldn’t be doing it
  • 35.
    COPYWRITING Avoid personal pronouns Activevoice Write in plain English Highlight the benefits Make future opt-outs clear
  • 36.
  • 38.
    THANK YOU for brands withambition. Strategies, Technologies & Campaigns tom@selesti.com
  • 39.
  • 40.
  • 41.
    INTRODUCTION About me; • Workedin IT since 1998 • Nearly 20 years! • Worked at Breakwater since 2012 • Regularly see different hacks, breaches and attempts at fraud
  • 42.
    PERSONAL DATA BREACH •What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  • 43.
    PERSONAL DATA BREACH •What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  • 44.
    PERSONAL DATA BREACH •What is a breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
  • 45.
    BREACH EXAMPLES • CarphoneWarehouse • Fined £400,000 in January • Records for approximately 3,348,869 customers of a number of mobile phone providers • Records for 389 customers across two other companies • Historic transaction details for the period March 2010 – April 2010 • Records of approx. 100 employees
  • 46.
    BREACH EXAMPLES • Whatis a vulnerability? A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
  • 47.
    BREACH EXAMPLES • CarphoneWarehouse – How did they get in? • Vulnerability? • Password
  • 48.
    BREACH EXAMPLES • CarphoneWarehouse – How did they get in? • Vulnerability? • Password
  • 49.
    BREACH EXAMPLES • Uber •Details of 2.7 million UK drivers and riders • Details of 57 million people worldwide • Email addresses and phone numbers • US Driver license numbers
  • 50.
    BREACH EXAMPLES • Uber- How did they get in? • Password stored on Github • What is Github? • Cover up! • ICO Response
  • 51.
    BREACH EXAMPLES • Uber– ICO Response “Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.”
  • 52.
    BREACH EXAMPLES • LeicesterCounty Council • Email sent to 27 different taxi firms • Accidentally included a large spreadsheet • The spreadsheet contained personal data of thousands of children
  • 53.
    PREVENT A BREACH •Vulnerability testing & Penetration testing • Password Management • Risk assess • Two Factor Authentication • Utilise DLP features on key documents • Data Protection training
  • 54.
    USEFUL LINKS • ElizabethDenham Blog - http://bit.ly/2tcP5uA • Carphone Warehouse Monetary Penalty Notice - http://bit.ly/2oR86xs • ICO Statement on Uber Breach - http://bit.ly/2juR7y4 • BBC Article on Leicester City Council - http://bbc.in/2D3V8C9
  • 55.
    Refreshment Break See you backin the Auditorium at 11.00 @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  • 56.
  • 57.
    GDPR & CyberSecurity GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security
  • 58.
    (Why) Does CyberSecurity Matter? “Cyber security and data protection are inextricably linked“ CBI Cyber Security Conference, 13 September, 2017
  • 59.
    “Processing” Personal Data “Processing”means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • 60.
    Cyber Security –GDPR Regulations “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” …Article 32, GDPR
  • 61.
    Cyber Security –GDPR in practice “A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data” ICO Website – Personal Data Breaches
  • 62.
    Cyber Security Fundamentals •For DATA, we use C.I.A. ▫ Confidentiality ▫ Integrity ▫ Availability • Risk based approach ▫ Understand what is critical to your business ▫ Understand the vulnerabilities and threats ▫ Assess the risks and impacts ▫ Apply controls to reduce or mitigate • For reducing risks, we consider ▫ People, Process & Technology
  • 63.
  • 64.
    Data – Whatare the threats? Malware Ransomware Viruses Worms Trojans Phishing Smishing Fire Theft Flood Hardware failure Human error DOS Attack RAT’s Backdoors Corruption Insider threats Zero day attacks Fileless Malware Man in the middle attacks Credential stealing Keyloggers SQL Injection XSS Bluejacking Spear Phishing Whaling “.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” ..Article 32, GDPR
  • 65.
  • 66.
    Cyber Security PersonalData Security “.. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” …Article 32, GDPR Cyber Security Personal Data Security (GDPR) CIA CIA Risk Based Approach - DATA Risk based Approach – PERSONAL DATA No formal requirement Demonstrable Incident Response Plan Breach Response Plan
  • 67.
    Cyber Security –Where are you at?
  • 68.
    Cyber Security isa journey…
  • 69.
    Common Gaps Checking backupsAV coverage Copies of data Cloud Security Policies Contracts & SLA’s Staff training Password Management Multi Factor Authentication Encryption (All Devices) BYOD Management Individual User Accounts Monitoring & Auditing Updating Applications Least Privilege DOCUMENTATION! Incident Response Plan
  • 70.
    If things dogo wrong…. Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it
  • 71.
    Key Actions &Take-aways
  • 72.
    GDPR & CyberSecurity GDPR Conference 13th March, 2018 Darren Chapman Director & Principal Security Consultant Pragmatic IT Security Thank You
  • 73.
  • 74.
    Workshops Workshop A - APractical Marketing Approach to GDPR Workshop B – Appointing a Data Protection @norfolkchamber #NorfolkGDPR www.slido.com #GDPR
  • 75.
    @norfolkchamber #NorfolkGDPR www.slido.com #GDPR Pleasefeel free to complete these cards which can be found in your Delegate folders, and hand them in at Reception.
  • 76.