Software: The impact of GDPR
Judgement Day: 25 May 2018
David Clarke FBCS CITP
March 2018
© The Trust Bridge www.thetrustbridge.com penny.heyes@thetrustbridge.com phone (0) 7768 962 480
GDPR: The Rise of the Data Subject.
David Clarke FBCS
CTO, The Trust Bridge
Founder of the LinkedIn GDPR Technology group (12036+ members)
https://www.linkedin.com/groups/1201767
@1davidclarke
• Board Advisor to Regtech Startups and GRC Consultancies.
• Multiple Global ISO27001 certifications for $Billion Dollar Contracts.
• PCI-DSS for a UK Credit Card Transmission Service.
• CPNI Member 10+ years (the Centre for the Protection of National Infrastructure (CPNI) is the United Kingdom government authority which provides protective security advice to businesses).
• Creation of Global Infrastructure for the World's Largest private trading Network, trading $3 Trillion a day.
• Management of Multiple Global Security Operations Centres.
• CERT, Leading Edge Technological deployments and architectures.
• GDPR Technology Forum – Founder of the LinkedIn Forum.
• Recognised as one of the top 10 influencers in Thomson Reuters' list of the top 30 most influential thought-leaders and thinkers on social media in risk management, compliance and regtech in the UK.
“data must be processed fairly and lawfully”
Elizabeth Denham, ICO Commissioner
GDPR High Level Action Plan
What is Expected…
Desired Outcomes
• Minimise Risk
• Reduce the Overhead and fines of an ICO GDPR Audit
• Reduce risk of Data Breach
• Increase ability to do business
• Demonstrate Accountability
Bringing IT to the 21st Century… is it Safe?
• Food
• Cars
• Planes
• Buildings
• Finance
• Healthcare
“We’ve had frustration too, with directors ducking away from fines by putting their company into liquidation. Liquidation isn’t a get out of jail free card – our work with insolvency practitioners saw one director disqualified for six years for trying to take this route – but we believe the public want to see stronger action.”
Denham, ICO Commissioner
“Data Protection is a matter for the boardroom. Farming out aspects of it to the IT department or fundraising arm will not work. You are accountable. You have the power to set the standards for your organisation.”
Denham, ICO Commissioner
GDPR: Controller or Processor
Following rules for alignment… Queensberry Rules
• To be a fair stand-up boxing match in a 24-foot ring, or as near that size as practicable.
• No wrestling or hugging allowed.
• The rounds to be of three minutes' duration, and one minute's time between rounds.
• If either man falls through weakness or otherwise, he must get up unassisted, 10 seconds to be allowed him to do so, the other man meanwhile to return to his corner, and when the fallen man is on his legs the round is to be resumed and continued until the three minutes have expired. If one man fails to come to the scratch in the 10 seconds allowed, it shall be in the power of the referee to give his award in favour of the other man.
• A man hanging on the ropes in a helpless state, with his toes off the ground, shall be considered down.
• No seconds or any other person to be allowed in the ring during the rounds.
• Should the contest be stopped by any unavoidable interference, the referee to name the time and place as soon as possible for finishing the contest; so that the match must be won and lost, unless the backers of both men agree to draw the stakes.
• The gloves to be fair-sized boxing gloves of the best quality and new.
• Should a glove burst, or come off, it must be replaced to the referee's satisfaction.
• A man on one knee is considered down and if struck is entitled to the stakes.
• That no shoes or boots with spikes or springs be allowed.
• The contest in all other respects to be governed by revised London Prize Ring Rules.
“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”
Elizabeth Denham, ICO Commissioner
20 New Risks
• Breach-less Liability
• Data Audit without Breach
• 72 Hour Breach Notification
• 6 New Privacy Rights
• Demonstration of Accountability is required
• Class Action is Easier
• Customer Contact Points can Highlight Non-Compliance
• Charities, Government, Multinationals are easy targets
• Heavy Fines up to 4% of global revenue.
• Appropriate Technical and Organisational Measures.
• Existing Client Data Unusable after May 2018.
• Internal data may be at risk of non-compliance.
• Complex data landscape
• Comprehensive data governance programme required
• Liability beyond data controllers
• Criminalisation, Anonymisation, SARs Tampering.
• Directors and Officers “Neglect” Liabilities.
• Business-to-Business contractual obligations.
• Accountability
• Systems not designed for GDPR
The Benefits of GDPR
• Processes and policies need to be reviewed to ensure readiness.
• Under the GDPR data subjects have eight new rights to their data, which help you to improve overall customer satisfaction.
• Data is the heart of the GDPR. The process undertaken to review and clean your data estate and remove out-of-date or unused data will leave the organisation with high-quality data that you can rely on for decision making.
• Greater transparency is going to be the key to success: build trust with both your staff and customers.
“Consumer litigation and class actions will quickly follow once this regulation goes live, as has happened in the US” – Pat Moran
GDPR: Key Rights to data
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure (RTBF)
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
“We’ve had frustration too, with directors ducking away from fines by putting their company into liquidation. Liquidation isn’t a get out of jail free card – our work with insolvency practitioners saw one director disqualified for six years for trying to take this route – but we believe the public want to see stronger action.”
Denham, ICO Commissioner
Benefits 2
• Accelerate your digital transformation programme
• Improve your business processes and productivity:
  • Reduce inaccuracies and minimise errors
  • Empower employees and they’ll deliver an improved customer experience
  • Develop a Single Customer View
• Improve your customer confidence:
  • Access to deep intelligence
  • Respond faster
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead pushes you to build a culture of privacy that pervades your entire organisation. It means taking proper consideration of what your customers expect.”
Elizabeth Denham, ICO Commissioner
The Benefits 3
• Forecasting and risk management will improve:
  • Tighter control over third party contracts and liabilities
  • Improved working relationships with third parties and service providers
  • Improved IT processes and associated security
• Market Advantage as others may not be ready in this industry
• Better Child Protection
• Class/Group Action is possible
“Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.” “In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them.”
Steve Eckersley, ICO Head of Enforcement: “Businesses must understand they can’t break one law to get ready”
What Compliance is Expected…
“If a way can be found to align the incentives, the processes and compliance will take care of themselves.” – Ron Baker
How Do You Stop Sea Captains From Killing Their Passengers? – David Kestenbaum
What is Covered: looking after the Data Subjects' Rights
Where Social Interest Meets Self Interest
Situation Appraisal
Convict Ships to Australia: up to 33% died on the trip.
Force the captains to bring a doctor along. Require them to bring lemons to prevent scurvy. Have inspections. Raise captains’ salaries. None of it worked.
Incentives matter. Instead of paying for every prisoner that walked on the ship in Great Britain, the government only paid for each prisoner that walked off the ship in Australia. In 1793 this was adopted and implemented immediately: the survival rate shot to 99%.
Why is Data Protection so difficult, 20 years after becoming a legal requirement?
Software is not designed for Data Protection.
What do we need from our software systems? Security
– The Ability to manage the 5 Categories of Breach:
  – Access
  – Disclosure
  – Destruction
  – Loss
  – Alteration
– Built-in Encryption Management
– Identity, Access and Privilege Management
Breach Management
ICO Example: A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
What do we need from our software systems? Information Rights Management
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision making and profiling
“You can cling to the belief that we’ve got the law wrong or that it doesn’t apply to your sector or that the regulatory burden is too great. Or you can commit to positive change. Change that, in my view, is not only achievable but will reap its own rewards.”
Denham, ICO Commissioner
Delivery of Data Subject Rights
What do we need from our software systems? GDPR Principles (especially Retention Capability)
GDPR 6 Principles
GDPR: Best Practice
Privacy by Design
– GDPR also states that software which is used to handle Personal Data must follow the principles of Security by Design (SbD) and Privacy by Design (PbD).
– Privacy by Design: the principle of including data protection from the onset of the designing and planning of systems, rather than as a later addition.
Next Steps
– Plan now!
– Audit your data holdings and data management
– Document what you hold, why and for how long
– Create or refresh your Privacy Notices/Policy
– Know what to do if there is a breach
– Review your consent approach in your best interest
– Consider a formal GDPR alignment project
– Build an Action Plan
GDPR: Conclusion and Next Steps
• Awareness
• Data Discovery
• Data Classification
• Data Marking
• Data Ownership
• GDPR Data Governance
• Demonstrate Accountability
• Future Proofing
For up to date information
LinkedIn Group GDPR
http://GetGDPR.at/Linkedin
Daily GDPR News
http://GetGDPR.at/News
Follow me @1davidclarke
57k followers
(access to a library of useful articles and Items)