Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heared from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.

1. GDPR
Conference 2018
WIFI: The Space Password: 5pac3002

2. Welcome
Chris Sargisson
Norfolk Chamber
@Chris_NorfolkCC

3. Agenda
09:30 Welcome
09:40 Alex Saunders, Leathes Prior
Tom Parsley, Selesti
John Gostling, Breakwater IT
10:30 Refreshment Break & Exhibition
Darren Chapman, CyberScale
Panel Q&A
11:45 Host close
12.00 Free networking, light refreshments & speaker drop-in
12.15 Optional workshops
13.00 Event close

4. No fire drills – Exits are marked
Toilets outside this room
Phones on silent
Feel free to tweet
House keeping
@norfolkchamber #NorfolkGDPR
WIFI: The Space Password: 5pac3002

5. www.slido.com
#GDPR

6. Alex Saunders
Leathes Prior
@leathesprior
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

7. GDPR & THE “CONSENT” MYTH
WITH
ALEX SAUNDERS

8. GDPR Overview
 Replaces the existing Data Protection Act 1998
 Due to come into force on 25 May 2018
 Most fundamental change to data protection law in almost 20 years?
 Covers the use of “personal data” – any information that can identify a living individual
 Introduces various key new concepts and expands on existing concepts
 Applies to:
 Organisations operating within EU
 Non-EU organisations offering goods/services within the EU
 Enforced in UK by Information Commissioner’s Office (“ICO”)
 Impact of Brexit?

9. GDPR Why is it important?

10. Principles Continuity
DPA 1998
Fair and lawful processing
Specific purposes
Adequate, relevant and not excessive
Accuracy
Retain only as long as necessary
Respect data subjects’ rights
Security
Transfers outside EEA
GDPR
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
(See lawfulness above)

11. Lawful Processing Basis for processing
CONSENT: you can process personal data where the subject has
given consent to the processing for one or more specified purpose
CONTRACT WITH INDIVIDUAL: you can process personal data,
without consent, where required under a contract with the data
subject
 E.g. employment contract, contract for sale of goods or services
VITAL INTERESTS: you can process personal data, without consent,
if it’s necessary to protect someone’s life

12. Lawful Processing Basis for processing (cont…)
PUBLIC TASK: you can process personal data, without consent, to
carry out your official functions or a task in the public interest – and
where you have a legal basis for the processing under UK law
 If public authority, likely to apply to most of your processing activities
LEGITIMATE INTEREST: you can process personal data, without
consent, if you have a genuine and legitimate reason to do so
 Legitimate interest can be for commercial benefit
 GDPR recitals – direct marketing could be a legitimate interest
 BUT exception if your interests are outweighed by harm to the individual’s
rights and interests

13. Lawful Processing Is “consent” always necessary?
MYTH: Consent is always necessary to process personal data
FACT: Consent is one way to comply with the GDPR, not the only way
 “Consent” is only one of six lawful basis for processing personal data
 Organisations will need to identify on which ground they are processing personal data
Will only be appropriate to use consent where other grounds do not apply

14. Consent under GDPR When is consent appropriate?
Consent may be required if you are…
 Direct marketing
 Using or sharing personal data in a way that is
potentially intrusive or unusual – e.g. selling database
 Transferring personal data outside the EEA
Consent will not be appropriate if…
 You are in a position of power over the individual (employer)
 Consent is a pre-condition of using the service
 You would still process personal data using a different basis
even if consent was withdrawn

15. Consent under GDPR Key changes?
DPA 1998
“any freely given specific and informed
indication of his wishes by which the data
subject signifies his agreement to personal
data relating to him being processed”
GDPR
“any freely given, specific, informed and
unambiguous indication of the data subject's
wishes by which he or she, by a statement or
by a clear affirmative action, signifies
agreement to the processing of personal data
relating to him or her”
Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent”
GDPR sets a higher standard for obtaining consent

16. Consent Practical Changes
DON’T
 Identify basis of processing
Ensure consent is the most appropriate basis for the processing. Any other grounds?
 Clear and plain language
Use language that is easy to understand when obtaining consent. Avoid legal jargon!
 Third parties
Give details of any third parties who will be relying on the consent.
 Keep records
Who gave consent? When and how was consent given? Review consents regularly.
 Withdrawal
Make withdrawal of consent straightforward and simple. Same method as given.
DO

17. X Don’t bundle consent
Keep separate from other terms. Don’t make it a pre-condition of signing up to a service.
X Blanket consent
Get separate consent for separate things where possible. Do not rely on a blanket consent
X Don’t use pre-ticked boxes
It should be an active opt-in. Don’t rely on implied consent.
X Penalising withdrawal
Do not penalise individuals who withdraw their consent.
X Public authorities
Take extra care to show consent has been freely given. Avoid over-reliance on consent.
Consent Practical Changes
DON’T

18. Action Points What now?
Undertake a review of the personal data held by your organisation
If not, consider whether consent meets the GDPR standard. Do you need to obtain
fresh GDPR-compliant consent?
Identify what data is being processed on the basis of consent. Are there any other
lawful basis for processing?
Ensure that there are proper procedures in place for recording consent and giving
customers the right to withdraw

19. THANK YOU
Please feel free to get in touch with any questions:
E: asaunders@leathesprior.co.uk
T: 01603 281141

20. Tom Parsley
Selesti
@Selesti
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

21. GDPR & Marketing: opportunity or threat?
Tom Parsley

24. With change comes new
opportunities

25. STAND
OUT

26. More personalised,
human engagement

28. Improved focus

29. Through consent, you can
gain insight into each
individual’s interests to provide
them with information that they
want to receive.

30. FLYBE
FINED

31. Personalised email
GDPR and PECR apply
Generic marketing
email
Only general marketing consent needed
Dear Amber
Your recommendations

32. Increased trust

33. 93% of online shoppers cite the security of their
personal data as a concern

34. If we can’t easily explain
what we’re doing with
personal data then
we shouldn’t be doing it

35. COPYWRITING
Avoid personal pronouns
Active voice
Write in plain English
Highlight the benefits
Make future opt-outs clear

36. Encourages creativity

38. THANK
YOU
for brands with ambition.
Strategies, Technologies & Campaigns
tom@selesti.com

39. John Gostling
Breakwater IT
@BreakwaterIT
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

40. Personal Data
Breaches
WELCOME
John Gostling
Breakwater IT
13 March 2018

41. INTRODUCTION
About me;
• Worked in IT since 1998
• Nearly 20 years!
• Worked at Breakwater since 2012
• Regularly see different hacks, breaches and attempts at fraud

42. PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data. This includes breaches that are the result of both accidental and deliberate causes. It
also means that a breach is more than just about losing personal data.”

43. PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data. This includes breaches that are the result of both accidental and deliberate causes. It
also means that a breach is more than just about losing personal data.”

44. PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data. This includes breaches that are the result of both accidental and deliberate causes. It
also means that a breach is more than just about losing personal data.”

45. BREACH EXAMPLES
• Carphone Warehouse
• Fined £400,000 in January
• Records for approximately 3,348,869 customers of a number of mobile phone providers
• Records for 389 customers across two other companies
• Historic transaction details for the period March 2010 – April 2010
• Records of approx. 100 employees

46. BREACH EXAMPLES
• What is a vulnerability?
A vulnerability is a weakness which allows an attacker to reduce a system's information
assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or
flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a
vulnerability, an attacker must have at least one applicable tool or technique that can
connect to a system weakness. In this frame, vulnerability is also known as the attack
surface.

47. BREACH EXAMPLES
• Carphone Warehouse – How did they get in?
• Vulnerability?
• Password

48. BREACH EXAMPLES
• Carphone Warehouse – How did they get in?
• Vulnerability?
• Password

49. BREACH EXAMPLES
• Uber
• Details of 2.7 million UK drivers and riders
• Details of 57 million people worldwide
• Email addresses and phone numbers
• US Driver license numbers

50. BREACH EXAMPLES
• Uber - How did they get in?
• Password stored on Github
• What is Github?
• Cover up!
• ICO Response

51. BREACH EXAMPLES
• Uber – ICO Response
“Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK. Uber
has said the breach involved names, mobile phone numbers and email addresses.
On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such
as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the
NCSC.”

52. BREACH EXAMPLES
• Leicester County Council
• Email sent to 27 different taxi firms
• Accidentally included a large spreadsheet
• The spreadsheet contained personal data of thousands of children

53. PREVENT A BREACH
• Vulnerability testing & Penetration testing
• Password Management
• Risk assess
• Two Factor Authentication
• Utilise DLP features on key documents
• Data Protection training

54. USEFUL LINKS
• Elizabeth Denham Blog - http://bit.ly/2tcP5uA
• Carphone Warehouse Monetary Penalty Notice -
http://bit.ly/2oR86xs
• ICO Statement on Uber Breach - http://bit.ly/2juR7y4
• BBC Article on Leicester City Council - http://bbc.in/2D3V8C9

55. Refreshment
Break
See you back in the
Auditorium at 11.00
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

56. Darren Chapman
CyberScale
@cyberscaleuk
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

57. GDPR & Cyber Security
GDPR Conference 13th March, 2018
Darren Chapman
Director & Principal Security Consultant
Pragmatic IT Security

58. (Why) Does Cyber Security Matter?
“Cyber security and data protection are inextricably linked“
CBI Cyber Security Conference, 13 September, 2017

59. “Processing” Personal Data
“Processing” means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, restriction, erasure or
destruction;

60. Cyber Security – GDPR Regulations
“the controller and the processor shall
implement appropriate technical and
organisational measures to ensure a level of
security appropriate to the risk”
…Article 32, GDPR

61. Cyber Security – GDPR in practice
“A personal data breach can be broadly
defined as a security incident that has
affected the confidentiality, integrity or
availability of personal data”
ICO Website – Personal Data Breaches

62. Cyber Security Fundamentals
• For DATA, we use C.I.A.
▫ Confidentiality
▫ Integrity
▫ Availability
• Risk based approach
▫ Understand what is critical to your business
▫ Understand the vulnerabilities and threats
▫ Assess the risks and impacts
▫ Apply controls to reduce or mitigate
• For reducing risks, we consider
▫ People, Process & Technology

63. Data - Where is it?

64. Data – What are the threats?
Malware Ransomware Viruses Worms Trojans Phishing Smishing
Fire Theft Flood
Hardware
failure
Human error DOS Attack RAT’s
Backdoors Corruption Insider threats
Zero day
attacks
Fileless
Malware
Man in the
middle attacks
Credential
stealing
Keyloggers SQL Injection XSS Bluejacking
Spear
Phishing
Whaling
“.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to personal data transmitted, stored or otherwise processed”
..Article 32, GDPR

65. Cyber Security Frameworks

66. Cyber Security Personal Data Security
“.. the ability to ensure the ongoing
confidentiality, integrity, availability and
resilience of processing systems and services”
…Article 32, GDPR
Cyber Security Personal Data Security (GDPR)
CIA CIA
Risk Based Approach - DATA Risk based Approach – PERSONAL DATA
No formal requirement Demonstrable
Incident Response Plan Breach Response Plan

67. Cyber Security – Where are you at?

68. Cyber Security is a journey…

69. Common Gaps
Checking backups AV coverage Copies of data Cloud Security Policies
Contracts & SLA’s Staff training
Password
Management
Multi Factor
Authentication
Encryption (All
Devices)
BYOD Management
Individual User
Accounts
Monitoring &
Auditing
Updating
Applications
Least Privilege
DOCUMENTATION!
Incident Response
Plan

70. If things do go wrong….
Under the GDPR there is a
requirement for organisations to
report a personal data breach that
affects people’s rights and freedoms,
without undue delay and, where
feasible, not later than 72 hours after
having become aware of it

71. Key Actions & Take-aways

72. GDPR & Cyber Security
GDPR Conference 13th March, 2018
Darren Chapman
Director & Principal Security Consultant
Pragmatic IT Security
Thank You

73. Speaker Q+A
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

74. Workshops
Workshop A -
A Practical Marketing Approach
to GDPR
Workshop B – Appointing a
Data Protection
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR

75. @norfolkchamber #NorfolkGDPR
www.slido.com #GDPR
Please feel free to complete these cards which
can be found in your Delegate folders, and hand
them in at Reception.

76. Thank you #GDPRConf18