SME walk through of GDPR with a 7 step guide & recommendations for Gap Analysis / Encryption services. Useful links to ICO & NCSC.

1. GDPR Compliance 2018
Gary Dodson
28th February 2018

2. 30 minute GDPR Agenda
• Who are Greenlight Computers? (1 slide)
• GDPR Introduction & Facts (3 slides)
• 7 Steps to Compliance (6 slides)
– Data Architecture
– Data Protection Officer
– Privacy Impact Assessment
• Wider Cyber Security (1 slide)
• Useful tools & links (1 slide)
• Practical Actions (3 slides)

3. Greenlight Services 2018
Greenlight
Computers
Single Point of
Service Desk
Product Supply
Practice
IT Infrastructure
Practice
Cloud Solutions
Practice
Digital Marketing
Practice
Cyber Security
Practice
NEW 2018
Unified
Communications
IT Strategy &
Outsourcing
Consultancy
People &
Resourcing
Centre
Hardware
Software
Networking
Peripherals
Audio Visual
Leasing
Refurbished
Broadband
Networking/WIFI
Cabling
Servers
Virtualisation
User Computing
Storage/Backup
O365
Sharepoint
CRM
Intranet
Extranet
Collaboration
App develop
Backup/DR
Instant Messaging
VOIP Telephony
WIFI
CCTV
Video Conference
Digital Signage
Data Protection
GDPR
Data Recovery
Disaster Recovery
Pen Testing
Security Audit
IT Governance
Policy & Procedure
SEO
Google Manager
Digital Benchmark
Web Development
Hosting
Social Media
Email Marketing
Lead Generation
Locations
Alderley Park
Manchester (HQ)
University of Manchester
Stevenage Bioscience
Catalyst
About Us
Established 2006
18 Staff
200 ish clients
Always learning

4. GDPR Introduction & Facts
On 25 May 2018 most processing of personal data by organisations will
have to comply with the General Data Protection Regulation.
Information Commissioners Office (ICO) website front page statement
• GDPR has been adopted by UK despite BREXIT
• GDPR non-compliance fine 4% of Turnover
• GDPR is not just an IT thing
• If you hold and process personal information about your clients,
employees or suppliers, you are legally obliged to protect that
information.

5. GDPR is not just an IT thing
• HR - will need to check that your terms of employment
comply with GDPR & allow you to access the users
company data
• Finance – will need to ensure personal financial data is
only retained as per internal procedure & GDPR
• Management – will need to ensure your Data Protection
policy is up to date & complies with GDPR
• CCTV – is deemed as potentially sensitive data & if used
should be included in policies
• Paper Data – needs to be protected, not just digital

6. GDPR - controller V processor
• “data controller” means a person who (either alone or jointly)
determines the purposes for which and the manner in which any
personal data are to be processed
• “data processor”, in relation to personal data, means any person (other
than an employee of the data controller) who processes the data on
behalf of the data controller.
• “processing”, in relation to information or data means obtaining,
recording or holding the information or data or carrying out any
operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data
b) retrieval, consultation or use of the information or data
c) disclosure of the information or data by transmission
dissemination or otherwise making available
d) alignment, combination, blocking, erasure or destruction of the
information or data

7. 7 Steps to GDPR Compliance
0. Read the ICO GDPR rules & registration
1. Complete a Data Audit (or have it done for you)
2. Review your Data Architecture
3. Review Responsibilities & Procedures
4. Data Protection Officer & Risk Register
5. Staff Training
6. Privacy Impact Assessments
7. Cyber Security

8. Data Architecture
All 21st century Directors need to be familiar with this term
Firewall
Router
Shared data
Non-sensitive
Sensitive
Selective secure access
Need to know access
All staff access
3rd Party
Supplier/Partner/
Customer/Contractor
Ideally, should not have access
to sensitive data. It makes
protection much harder.
Treat Personal Data as securely as IP Data
Segregated Filing
Don’t hold personal sensitive data
locally. It presents your biggest risk
of a breach.

9. Common Sense?
An easy way to look at Data Protection is your Possessions
Spare Change
Wallet of Cash
Valuable Jewellery
Selective secure access
Lock in a cupboard
All family access
Treat Personal Data as securely as Possessions
In the Safe
Its probably risky to carry your
£10,000 necklace in your handbag!!
So why hold sensitive data on your
laptop??
You wouldn’t send your bank
statement or house deeds as a paper
aeroplane!! But do you send salary
details to payroll unencrypted??
You outsource the responsibility for
your Gold to the experts at the bank.
Get the experts to protect your
sensitive data securely in the Cloud??

10. Data Protection Officer (DPO)
The GDPR makes it a requirement that organisations appoint a data
protection officer (DPO) in some circumstances.
Under the GDPR, you must appoint a DPO if you:
• are a public authority (except for courts acting in their judicial capacity);
• carry out large scale systematic monitoring of individuals (for example, online
behaviour tracking); or
• carry out large scale processing of special categories of data or data relating to criminal
convictions and offences.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR
obliges you to appoint a DPO, you must ensure that your organisation has
sufficient staff and skills to discharge your obligations under the GDPR.
Greenlight recommends our clients appoint a DPO.

11. Privacy Impact Assessments (PIA’s)
ICO definition
A PIA is a process which helps an organisation to identify and reduce the privacy risks of a
project. An effective PIA will be used throughout the development and implementation of
a project, using existing project management processes. A PIA enables an organisation to
systematically and thoroughly analyse how a particular project or system will affect the
privacy of the individuals involved.
In essence this means you need to look at worst case scenarios & then
plan to mitigate against them or stop the practice:
e.g. CEO retains staff personal records on laptop & loses laptop
e.g. 3rd party consultant is given access to your server but has no Anti-
virus and a virus penetrates your server
e.g. Disgruntled ex-employee asks to see their records & you find they
are spread around the business

12. GDPR – ICO Summary

13. Cyber Security
• GDPR compliance relies on Cyber Security discipline
• Cyber Security is about minimising risk
5 Key questions
• Do you have a Cyber Security Plan?
• Do you budget for an annual Cyber Security audit & actions
required?
• When was your last audit/spot check?
• Do you maintain a Cyber Security/GDPR risk register?
• Do you educate your team on staying Cyber Safe?
Your security is only as good as the weakest link
A topic for next time?

14. Useful links & tools
ICO key page for SME’s on GDPR
https://ico.org.uk/for-organisations/business/
National Cyber Security Centre
https://www.ncsc.gov.uk/guidance/10-steps-cyber-security
ISO27001 in user speak
https://www.itgovernance.co.uk/iso27001
BSI train & accredit Auditors for ISO27001/9001 etc
https://www.bsigroup.com/en-GB/Cyber-Security/
For a longer discussion or simple English
garydodson@greenlightcomputers.co.uk 0792 630 8824
kris@greenlightcomputers.co.uk 0161 883 1685

15. 1. GDPR Gap Analysis
GDPR Gap Analysis Audit
Start your GDPR compliance with benchmarking where you are now & what needs to change.
This is GDPR gap analysis process flow and areas that we would focus on during assessment
• GDPR scope, project resourcing and current DPA evaluation
• Data Protection Governance and Awareness
• Data Protection by Design
• Document Review – policies, procedures and practices
• Consent and Privacy Notice evaluation and compliance
• Critical asset identification and evaluation
• Personal Data identification and classification
• Lawful basis for processing Personal Data
• Information Management System and Personal Data flow
• Information Security Roles and Responsibilities
• Risk identifications, management and review
• Individual Rights and Data subjects request
• Data breach escalation and checklist
• Information Technology Security
• Information Communication Security - Network Security
• Physical Security
SME Audit packages start from £1500 for a GDPR Assessment Report, Risk Register & Action Recommendation
Led by Greenlight Computers Cyber Security / ISO Lead Auditor - Kris Bednarczyk

16. 2. GDPR User Risk View
Risk View (NEW TECHNOLOGY)
Audit tool to analyse data on your user devices
& report risks of GDPR/IP/PCI leakages
Using an agent on each device this tool:
• Analyses data of all types on the user computer
• Grades each item of data for non-compliance
• Identifies data breach risks on the device
• Creates a series of reports for the device
• Creates an aggregated report for all devices
• Provides a Risk dashboard
Potentially really useful in a BYOD environment
http://www.ddc-as.com/risk-view

17. 3. ESET Endpoint Encryption
ESET Endpoint Encryption
De-risk a data breach by adopting encryption across the business
https://www.eset.com/uk/business/endpoint-security/encryption/
Welcome Rob Fearnley from ESET, a Greenlight partner that spends all day
protecting SME’s against Cyber Crime