Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heard from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.
3. Agenda
09:30 Welcome
09:40 Alex Saunders, Leathes Prior
Tom Parsley, Selesti
John Gostling, Breakwater IT
10:30 Refreshment Break & Exhibition
Darren Chapman, CyberScale
Panel Q&A
11:45 Host close
12.00 Free networking, light refreshments & speaker drop-in
12.15 Optional workshops
13.00 Event close
4. Housekeeping
No fire drills – Exits are marked
Toilets outside this room
Phones on silent
Feel free to tweet: @norfolkchamber #NorfolkGDPR
WIFI: The Space Password: 5pac3002
8. GDPR Overview
Replaces the existing Data Protection Act 1998
Due to come into force on 25 May 2018
Most fundamental change to data protection law in almost 20 years?
Covers the use of “personal data” – any information that can identify a living individual
Introduces various key new concepts and expands on existing concepts
Applies to:
Organisations operating within EU
Non-EU organisations offering goods/services within the EU
Enforced in UK by Information Commissioner’s Office (“ICO”)
Impact of Brexit?
10. Principles Continuity
DPA 1998:
Fair and lawful processing
Specific purposes
Adequate, relevant and not excessive
Accuracy
Retain only as long as necessary
Respect data subjects’ rights
Security
Transfers outside EEA
GDPR:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
(See lawfulness above)
11. Lawful Processing: Basis for processing
CONSENT: you can process personal data where the subject has given consent to the processing for one or more specified purposes
CONTRACT WITH INDIVIDUAL: you can process personal data, without consent, where required under a contract with the data subject
E.g. employment contract, contract for sale of goods or services
VITAL INTERESTS: you can process personal data, without consent, if it’s necessary to protect someone’s life
12. Lawful Processing: Basis for processing (cont…)
PUBLIC TASK: you can process personal data, without consent, to carry out your official functions or a task in the public interest – and where you have a legal basis for the processing under UK law
If public authority, likely to apply to most of your processing activities
LEGITIMATE INTEREST: you can process personal data, without consent, if you have a genuine and legitimate reason to do so
Legitimate interest can be for commercial benefit
GDPR recitals – direct marketing could be a legitimate interest
BUT exception if your interests are outweighed by harm to the individual’s rights and interests
13. Lawful Processing: Is “consent” always necessary?
MYTH: Consent is always necessary to process personal data
FACT: Consent is one way to comply with the GDPR, not the only way
“Consent” is only one of six lawful bases for processing personal data
Organisations will need to identify on which ground they are processing personal data
Will only be appropriate to use consent where other grounds do not apply
14. Consent under GDPR: When is consent appropriate?
Consent may be required if you are…
Direct marketing
Using or sharing personal data in a way that is potentially intrusive or unusual – e.g. selling database
Transferring personal data outside the EEA
Consent will not be appropriate if…
You are in a position of power over the individual (employer)
Consent is a pre-condition of using the service
You would still process personal data using a different basis even if consent was withdrawn
15. Consent under GDPR: Key changes?
DPA 1998: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Guidance: “Silence, pre-ticked boxes or inactivity should therefore not constitute consent”
GDPR sets a higher standard for obtaining consent
16. Consent: Practical Changes – DO
Identify basis of processing
Ensure consent is the most appropriate basis for the processing. Any other grounds?
Clear and plain language
Use language that is easy to understand when obtaining consent. Avoid legal jargon!
Third parties
Give details of any third parties who will be relying on the consent.
Keep records
Who gave consent? When and how was consent given? Review consents regularly.
Withdrawal
Make withdrawal of consent straightforward and simple. Same method as given.
17. Consent: Practical Changes – DON’T
X Don’t bundle consent
Keep separate from other terms. Don’t make it a pre-condition of signing up to a service.
X Blanket consent
Get separate consent for separate things where possible. Do not rely on a blanket consent.
X Don’t use pre-ticked boxes
It should be an active opt-in. Don’t rely on implied consent.
X Penalising withdrawal
Do not penalise individuals who withdraw their consent.
X Public authorities
Take extra care to show consent has been freely given. Avoid over-reliance on consent.
18. Action Points: What now?
Undertake a review of the personal data held by your organisation
Identify what data is being processed on the basis of consent. Are there any other lawful bases for processing?
If not, consider whether consent meets the GDPR standard. Do you need to obtain fresh GDPR-compliant consent?
Ensure that there are proper procedures in place for recording consent and giving customers the right to withdraw
19. THANK YOU
Please feel free to get in touch with any questions:
E: asaunders@leathesprior.co.uk
T: 01603 281141
41. INTRODUCTION
About me:
• Worked in IT since 1998
• Nearly 20 years!
• Worked at Breakwater since 2012
• Regularly see different hacks, breaches and attempts at fraud
42. PERSONAL DATA BREACH
• What is a breach?
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
45. BREACH EXAMPLES
• Carphone Warehouse
• Fined £400,000 in January
• Records for approximately 3,348,869 customers of a number of mobile phone providers
• Records for 389 customers across two other companies
• Historic transaction details for the period March 2010 – April 2010
• Records of approx. 100 employees
46. BREACH EXAMPLES
• What is a vulnerability?
A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
49. BREACH EXAMPLES
• Uber
• Details of 2.7 million UK drivers and riders
• Details of 57 million people worldwide
• Email addresses and phone numbers
• US Driver license numbers
50. BREACH EXAMPLES
• Uber - How did they get in?
• Password stored on GitHub
• What is GitHub?
• Cover up!
• ICO Response
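The slide above names the root cause of the Uber breach as a password committed to GitHub. The defensive control for that failure mode is a credential scan run before code leaves a developer's machine (a pre-commit hook or a CI gate). The following is an added example written for this page, not code from the speakers or from any named tool: it scans a set of staged files for an AWS access key ID (the documented "AKIA" prefix format), for password/secret/token assignments with a literal value, and for long high-entropy strings, while letting placeholders and "${VAR}" references through. The file contents, the key value (AWS's own published example key) and the hypothetical paths are constructed for the demonstration.

```python
"""Pre-commit style scan for credential-looking strings in files about to be committed."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# "AKIA" + 16 upper-case alphanumerics is the documented format of an AWS access key ID.
# The assignment pattern is a generic heuristic of this example (an assumption, not a standard).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{32,}")

# Values that are clearly placeholders, not real secrets.
PLACEHOLDER_VALUES = {"changeme", "example", "placeholder", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the raw value; the scanner must not leak what it finds


def shannon_entropy(s: str) -> float:
    """Bits per character; random API tokens score well above ordinary identifiers."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:3] + "*" * (len(value) - 3) if len(value) > 3 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
            hit = True
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # "${VAR}" references and known placeholders are the safe pattern, not a leak
            if value.lower() in PLACEHOLDER_VALUES or value.startswith("${"):
                continue
            findings.append(Finding(path, line_no, "credential_assignment", redact(value)))
            hit = True
        if not hit:
            # fall back to an entropy check for tokens the keyword patterns do not name
            for tok in LONG_TOKEN.findall(line):
                if shannon_entropy(tok) > 4.0:
                    findings.append(Finding(path, line_no, "high_entropy_string", redact(tok)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files: Dict[str, str]) -> bool:
    """CI / pre-commit gate: block the commit if anything credential-like was found."""
    return not scan_files(files)


# Constructed sample "staged files" for the demonstration (hypothetical paths, not real credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "hunter2hunter2"\n'
        "DEBUG = False\n"
        'SIGNING_KEY = "Qm7xL2pZ9aRt4VwK8bNc3FyH6dJs1GeU5oMi0TvA"\n'
    ),
    "deploy/env.example": 'password = "changeme"\nAPI_KEY = "${API_KEY}"\n',
    "scripts/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set the password through the secrets vault; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Two design points matter in practice: the scanner reports a redacted value so that its own output (CI logs, hook messages) does not become a second place the secret is exposed, and the placeholder/reference allowlist keeps the check from blocking the very pattern you want developers to adopt, namely loading secrets from the environment or a vault rather than from source.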
51. BREACH EXAMPLES
• Uber – ICO Response
“Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses.
On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.”
52. BREACH EXAMPLES
• Leicester County Council
• Email sent to 27 different taxi firms
• Accidentally included a large spreadsheet
• The spreadsheet contained personal data of thousands of children
53. PREVENT A BREACH
• Vulnerability testing & Penetration testing
• Password Management
• Risk assess
• Two Factor Authentication
• Utilise DLP features on key documents
• Data Protection training
54. USEFUL LINKS
• Elizabeth Denham Blog - http://bit.ly/2tcP5uA
• Carphone Warehouse Monetary Penalty Notice -
http://bit.ly/2oR86xs
• ICO Statement on Uber Breach - http://bit.ly/2juR7y4
• BBC Article on Leicester City Council - http://bbc.in/2D3V8C9
57. GDPR & Cyber Security
GDPR Conference 13th March, 2018
Darren Chapman
Director & Principal Security Consultant
Pragmatic IT Security
58. (Why) Does Cyber Security Matter?
“Cyber security and data protection are inextricably linked”
CBI Cyber Security Conference, 13 September, 2017
59. “Processing” Personal Data
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
60. Cyber Security – GDPR Regulations
“the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”
…Article 32, GDPR
61. Cyber Security – GDPR in practice
“A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data”
ICO Website – Personal Data Breaches
62. Cyber Security Fundamentals
• For DATA, we use C.I.A.
▫ Confidentiality
▫ Integrity
▫ Availability
• Risk based approach
▫ Understand what is critical to your business
▫ Understand the vulnerabilities and threats
▫ Assess the risks and impacts
▫ Apply controls to reduce or mitigate
• For reducing risks, we consider
▫ People, Process & Technology
64. Data – What are the threats?
Malware, Ransomware, Viruses, Worms, Trojans, Phishing, Smishing, Fire, Theft, Flood, Hardware failure, Human error, DoS attack, RATs, Backdoors, Corruption, Insider threats, Zero-day attacks, Fileless malware, Man-in-the-middle attacks, Credential stealing, Keyloggers, SQL injection, XSS, Bluejacking, Spear phishing, Whaling
“.. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”
..Article 32, GDPR
66. Cyber Security – Personal Data Security
“.. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”
…Article 32, GDPR
Cyber Security / Personal Data Security (GDPR):
CIA / CIA
Risk based approach (DATA) / Risk based approach (PERSONAL DATA)
No formal requirement / Demonstrable
Incident Response Plan / Breach Response Plan
69. Common Gaps
• Checking backups
• AV coverage
• Copies of data
• Cloud Security Policies
• Contracts & SLAs
• Staff training
• Password Management
• Multi Factor Authentication
• Encryption (All Devices)
• BYOD Management
• Individual User Accounts
• Monitoring & Auditing
• Updating Applications
• Least Privilege
• DOCUMENTATION!
• Incident Response Plan
70. If things do go wrong….
Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it
74. Workshops
Workshop A: A Practical Marketing Approach to GDPR
Workshop B: Appointing a Data Protection
@norfolkchamber #NorfolkGDPR
www.slido.com #GDPR