GDPR Snake Oil – Busting the myths

Gary Hibberd, Managing Director, Agenci
ghibberd@theagenci.com
Link to slides – LINK

No such thing as a ‘GDPR Expert’

Best bet is an "Information security expert that has read the documentation"

No such thing as compliant

You have to ‘evidence your company as in line with GDPR’
Fines already happening
Up to 2% Turnover
For offences related to:
  • Child consent
  • Transparency
  • Data breach reporting
Up to 4% Turnover
For offences related to:
  • Data Processing (Data sovereignty, EU OK)
  • Consent
  • Transfer of data to third party

Prospective

Talk Talk
Fined under the Data Protection Act – £400K
If it had been fined under GDPR, it would have been £73 million!
Read – GDPR article 5
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/principles/

The Data Protection Act had 8 principles; GDPR has only 6.

“Principles relating to processing of personal data”
Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Retained only for as long as necessary
  • Processed in an appropriate manner to maintain security
GDPR – Key is Accountable person (Must have evidence of this happening)

3 V’s of unstructured data

Volume, Variety and Velocity of Data

‘Data on paper is included within the GDPR remit’

Top 10 threats

Top 5 myths

ONE
Controllers don’t need data processing agreements with processors because the GDPR imposes direct obligations
TWO
“I don’t have to ask for permission to use their data”
– CONSENT IS EVERYTHING
THREE
“Encryption is mandatory under GDPR”
– Not mandatory; consider the available options to protect data.
FOUR
“This is an EU law. When BREXIT happens, it won’t apply any longer.”
– The UK will create its own version using the same standard
FIVE
“It doesn’t apply to my business.”
– Applies to everyone, from individuals upwards
– Have to demonstrate evidence that GDPR was considered

7 Step plan

  1. Raise Awareness (Think about privacy by design as default)
  2. Create a Plan
  3. Conduct a Data Protection Audit
  4. Create a Data Inventory
  5. Create a Data Flow Model
  6. Develop a ‘Data Breach Process’
  7. Appoint a DPO*

*The Data Protection Officer's other professional duties must be compatible with the duties of the DPO and must not lead to a conflict of interests.

Conclusion

  • Comes into force immediately on the 25th May 2018
  • Applies to every organisation, irrespective of size or sector
  • Six principles focused on ‘accountability’
  • Penalties of up to 4% of global turnover (or £17m, whichever is the greater)
  • Breaches need to be notified to the ICO within 72 hours
  • Companies will need to assign a Data Protection Officer
  • Data subjects have additional rights which include ‘right to be forgotten’
  • Charges for ‘Subject Access Requests’ (SARs) have been removed
  • ‘Privacy by design and default’ is a core principle
  • ‘Data protection impact assessments’ need to be conducted

Q&A

Right to be forgotten – the person can be asked to pay ‘justifiable costs’ to have their data removed
“Data is the new oil”
