Welcome to
GDPR Scotland
#gdprscot
Mark Stephen
BBC Scotland
@bbcscotland
Ray Bugg
DIGIT
@digitfyi
Ken Macdonald
ICO
@ICOnews
Regulation in the GDPR Era
5 December 2018
Ken Macdonald
Head of ICO Regions
Why do we regulate?
When do we regulate?
How do we regulate?
• Sets out the ICO’s powers for clarity and consistency about when and how we use them;
• Ensures fair, proportionate and timely regulatory action to protect individuals’ information rights;
• Ensures regulatory action is targeted, proportionate and effective; and
• Assists in the delivery of the Information Rights Strategic Plan.
Our Regulatory Activity
• conducting assessments of compliance;
• issuing information notices;
• issuing assessment notices;
• producing codes of practice;
• issuing a warning;
• issuing a reprimand;
• issuing enforcement notices;
• administering fines;
• administering fixed penalties; and
• prosecuting criminal offences before the courts (not in Scotland!)
Our Regulatory Objectives
1. To respond swiftly and effectively to breaches;
2. To be effective, proportionate, dissuasive and consistent in our application of sanctions;
3. In line with legislative provisions, promote compliance with the law;
4. To be proactive in identifying and mitigating new or emerging risks; and
5. To work with other regulators and interested parties constructively.
We will consider…
• the nature and seriousness of the breach;
• the categories of personal data;
• the number of individuals affected;
• whether the issue raises new or repeated issues;
• the gravity and duration of a breach;
• whether the organisation or individual involved is representative of a sector or group;
• the cost of measures to mitigate any risk;
• the public interest in regulatory action being taken;
• any other regulator’s action; and
• any expressed opinions of the EDPB.
Aggravating factors:
• the attitude and conduct of the individual or organisation;
• whether relevant advice or warnings have not been followed;
• whether the DC (data controller) failed to follow an approved or statutory code of conduct;
• the prior regulatory history;
• the vulnerability of the individuals affected;
• any protective or preventative measures and technology available, including by design;
• the manner in which the breach or issue became known to the ICO; and
• any financial (including budgetary) benefits gained or financial losses avoided.
When is a CMP likely?
• a number of individuals have been affected;
• there has been a degree of damage or harm;
• sensitive personal data has been involved;
• there has been a failure to comply with an information notice, an assessment notice or an enforcement notice;
• there has been a repeated breach of obligations or a failure to rectify a previously identified problem or follow previous recommendations;
• wilful action is a feature of the case;
• there has been a failure to apply reasonable measures to mitigate any breach; and
• there has been a failure to implement the accountability provisions of the GDPR.
Determining the amount:
1. An ‘initial element’ removing any financial gain from the breach.
2. Adding in an element to censure the breach based on its scale and severity.
3. Adding in an element to reflect any aggravating factors.
4. Adding in an amount for deterrent effect to others.
5. Reducing the amount to reflect any mitigating factors, including ability to pay.
Fixed Penalties:
Tier 1: £400;
Tier 2: £600;
Tier 3: £4,000;
up to a statutory maximum of £4,350.
DPA 2018 s155
Civil Monetary Penalties:
Tier 1: €10 million/2% global turnover;
Tier 2: €20 million/4% global turnover.
The investigation has become the largest investigation of its type by any Data Protection Authority - involving online social media platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.
Summary of regulatory action
CMPs:
• Facebook - £500,000 CMP;
• Emma’s Diary - £140,000 CMP;
• Eldon Insurance (trading as Go Skippy) – £60,000 NoI; and
• Leave.EU - £60,000 & £15,000 NoI.
Enforcement Notices:
• SCLE Elections
• AiQ
• Eldon Insurance Ltd
Criminal Proceedings:
• SCLE Elections Ltd
Other Regulatory Action:
• 11 Warning Letters
• 2 Audits
• 6 Assessment Notices
• Referrals to other Regulators/ Police
@iconews
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk
Email: scotland@ico.org.uk
Claire Winn
Wood
@WoodPLC
Making the complicated simple
Claire Winn
Programme Manager Data Privacy/ protection / GDPR
Our Journey: from words to action for May 18 and beyond
GDPR Strategy
About Us
Framework
1. Our GDPR Readiness state
2. Identified our Business Strategy
3. Reviewed, Improved & Shaped Data Protection and Privacy Compliance Programme
4. Programme Implementation
5. Review & Transition to BAU
People
• Buy in - we started at the top and had our highest level of management behind us all the way
• Reward and promote the right behaviour
• Understand what your employees need to know and how you can help guide them through the changes
• Awareness - Drive the culture change and mind-set around Data privacy & Data protection
• Data Protection Ambassadors
People - Training
• Global layered training principle
• Different levels for different roles
• Entire business base layer data privacy and data protection training 2017 & 2018
• Took a central role in Wood’s new Code of Conduct
• Targeted training for teams that have access to and manage high volumes of personal data – Contract teams, HR, Occupational Health, IT, Communications & Marketing, Business Dev
• Make your people your strongest asset not the weakest
Policies and procedures – the new challenges
• We have reviewed and updated our policies/procedures and in particular focused on Subject Access Requests and our Breach Response procedure
• To help ensure that we meet the new timeframes we developed templates/tracking tools that helped respond to SARs and Breaches
• Training and awareness was key
• The OODA loop - Observe, Orientate, Decide and Act
2019 & GDPR
• Wood has one SAR and one data procedure globally
• 6 months in and Wood is continually reviewing our programme, which is aided with the guidance from the ICO, other sources and open source external experiences
• We have kept our Sponsors and our Steering Group in place for our programme – we are ensuring that senior management are continually involved
• We are now formulating our objectives for 2019 with our DPO
Ivana Bartoletti
Gemserv
@ivanabartoletti
Privacy and Ethics in the era of Big Data and AI
Ivana Bartoletti – Head of Privacy & Data Protection
Structure
• The increasing importance of Big Data.
• Decisions by Autonomous Systems (AI): definitions, law and challenges.
• Privacy and ethics by design.
• Design for values: where are we with AI?
• Deploying algorithms: practical steps for machine – human cooperation.
The importance of Big Data
• Organisations are increasingly looking towards data analytics to make more informed and efficient decisions.
• Data analytics allows companies to make sense of data and develop patterns and predictions.
Examples
A children’s doll, My Friend Cayla, uses a microphone, location data and information collected via an App to personalise messages and interactions with children.
Online Advertising Systems characterise individuals into social and demographic categories on the basis of tracking their online behavioural interests.
Smart Homes monitor residents’ and homeowners’ use of appliances at home and behavioural habits, in order to reduce water and energy use.
This allows such organisations to reduce costs, improve efficiencies and produce more tailored customer experiences and service offers.
Decisions by Autonomous Systems (AI): Background
• Artificial Intelligence (AI) can also play a role where such systems are self-learning, allowing for evolving analysis, predictive functions and even decisions.
• Autonomous Systems are increasingly involved in taking decisions that replicate, or even replace, human decision-making. Within this process, an AI System analyses.
• AI systems or programs can be particularly concerning from a data security and data protection perspective due to the lack of transparency of their effects on individuals.
However….
Big Data and Artificial Intelligence
Do we need regulation?
Decisions by Autonomous Systems (AI): Concepts
Definition
• Article 13 of the GDPR requires meaningful information about the logic, significance and the envisaged consequences of automated decision-making for the data subject.
• Article 22 of the GDPR limits “decision[s] based solely on automated processing” that similarly significantly affect data subjects.
Regulation
• Several regulatory authorities, including the Information Commissioner’s Office and Norwegian Data Protection Authority (Datatilsynet), have issued opinions around using algorithms.
• Industry bodies such as the Alan Turing Institute, AI Now Institute and Institute of Electrical and Electronics Engineers (IEEE) have also issued guidance about assessing AI and Big Data systems for their technological and legal compliance, and many organisations are focusing on the ethics of AI.
Decisions by Autonomous Systems (AI): Challenges
The key challenges for data processing and autonomous systems centre around compliance with three principles:
Responsibility involves imbuing systems and processes with ethical values and considerations and ensuring that algorithms complete, rather than replace, human decisions.
Fairness involves protecting individuals from the adverse effects of automation, and ensuring profiling is carried out in a fair and non-biased way.
Transparency involves giving data subjects and, where possible, the public, an explanation of processes and procedures involved in algorithmic decisions or profiling.
Privacy and Ethics by Design
• Are procedures for testing data accuracy in place?
• Are the uses of data/profiling made clear to data subjects?
• Are mechanisms for collecting consent in place?
Privacy and Ethics by Design
Organisations should consider privacy and ethical principles throughout the design of systems:
• Have you carried out a DPIA and/or Algorithmic Impact Assessment on automated decisions?
• Have you apportioned liability between third parties?
• Have decision-makers for the system been selected?
• Are appropriate access controls in place?
• Have APIs and user-facing features been designed with privacy and transparency in mind?
• Do you keep track of requests or complaints received?
• Do you have a procedure for ascertaining effects of automated decisions?
Design for Values: Where are we with AI?
Systems need to be embedded with values chosen by the organisation.
Training and testing of autonomous systems needs to identify if any biased results emerge.
Algorithmic functions need to be constrained to avoid weighting characteristics that could lead to bias.
Developers and deployers need to agree an apportionment of liability if automated decisions go wrong.
Example
Self-driving vehicles are an example of how values needed to be embedded into automated systems. Different values may present a ‘trolley problem’ where, faced with a potential accident, the car must decide whose life to prioritise.
Deploying Algorithms: Practical Steps
• Human intervention may be necessary for GDPR compliance if decisions have legal or similarly significant effects.
• Human intervention also may be necessary to allow decisions to be explained to individuals.
Other steps can include:
• At the design stage, humans should set the values for AI systems.
• Humans should have control over system outputs.
• Strict roles and responsibilities should constrain which humans can access AI systems.
Any Questions?
Ivana Bartoletti
ivana.bartoletti@gemserv.com
Questions & Discussion
Refreshments, Exhibition & Networking
www.rgdp.co.uk
Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP
Mark Chynoweth: General Manager, RGDP LLP
5th December 2018
GDPR Scotland Summit 2018
GDPR – after the hype, how is the Data Protection Officer’s role working in practice?
OR
Based on the experience of RGDP’s DPOs…
Some Top Tips for GDPR Compliance
Agenda
• Data Protection Principles
• Audit of personal data
• Reasons and Legal bases for processing personal data
• Privacy policies and Cookies notices
• Data protection policies
• Controller / processor / data sharing relationships
• Record of Processing
• Security of the personal data
• Direct marketing
• Cross border transfers
• Training
• DPO or Data Protection lead
Principles
• Under the overarching principle of Accountability, you are required to demonstrate compliance with the following data protection principles:
  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
Audit of Personal Data
• Conduct this audit as the first step – it will inform much of what is to come
• Identify:
  • where personal data is collected
  • what personal data is collected
  • what you use the data for
  • who it may be shared with
  • how long you need to keep the data
• Document all this information in an asset register
• Establish a process for keeping the audit or asset register up to date
Reasons and Legal Bases
• Know why you need to hold / process personal data – be sure that you have a valid reason
• Identify the legal basis for processing each type of data you hold:
  • Consent
  • Contract
  • Legal Obligation
  • Vital Interests
  • Public Interest
  • Legitimate Interest
• If you hold special category data you will also need to identify additional reasons for processing
Privacy Notices
• Also known as Fair Processing Notices.
• GDPR specifies that information such as the purpose and legal basis for processing must be given to data subjects when you are collecting their personal data.
• This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially if you are processing the data of a child or vulnerable person.
• Separate and individually bespoke privacy or fair processing notices are required for different categories of data subjects.
• Cookies policies on websites.
Policies and Procedures
• In addition to Privacy Notices, you should have an overarching data protection policy and policies covering:
  • Data Protection Impact Assessments
  • Breach Management procedures (including breach register)
  • Data Subject Rights (Subject Access Requests)
  • Retention
  • Security of Processing
  • Cross border data transfers
  • Training
• Other policies, e.g. HR, Social Media, Remote Working etc. should be checked to ensure that they are GDPR compliant – this can be done in slower time during routine policy updates.
Data Sharing
• You should establish whether you are a Data Controller or Processor for each category of personal data being processed:
  • Data Controller
  • Data Processor
  • Joint Controller
• A Data Controller must carry out due diligence in relation to any Data Processor it employs and monitor compliance.
• Contracts between Data Controllers and Processors should be updated with GDPR compliant Data Protection clauses.
• It is good practice to maintain a register of all contracts with the date when data sharing agreements or data protection clauses are agreed.
Record of Processing
• Organisations with over 250 employees.
• Organisations with fewer than 250 employees.
• The Record of Processing must contain the following information:
  • name and contact details of the controller, joint controller, controller’s representative and the DPO;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations;
  • transfers of personal data to a third country or international organisation;
  • time limits for erasure of the different categories of data;
  • a description of the security measures in place to protect the personal data.
Security of Personal Data
• GDPR insists on integrity and confidentiality of personal data.
• Organisations must have technical and organisational measures in place to prevent unauthorised or unlawful processing and to guard against accidental loss, destruction or damage. Measures include:
  • Pseudonymisation
  • Anonymisation
  • Encryption
  • Security Standards
  • Back-ups
  • Vulnerability Scans and Penetration Testing
  • Access Controls
Direct Marketing
• Direct marketing includes sending out campaign messages and information as well as selling. Rules in relation to direct marketing are contained in the Privacy and Electronic Communications Regulations (PECR):
  • Post
  • Phone Calls
  • Emails and Text Messages
  • Business to Business (B2B) Marketing
  • Soft Opt-In
• You must always offer an opt-out option.
Cross Border Transfers
• Under GDPR, you cannot transfer personal data to a country outside the EU unless:
  • The country provides adequate protection confirmed by an EU Commission “adequacy decision”
  • An appropriate safeguard has been put in place between the data exporter and importer
  • The data transfer is exempt from the requirements of the GDPR.
• Appropriate safeguards
• If no “adequacy decision” has been issued and it is not possible to use one of the appropriate safeguards then as a last resort you may be able to rely on an exemption, e.g. consent, conclusion of a contract, if it is in the data subject’s interest, in the public interest, for legal claims, for vital interest or for legitimate interest.
Other Requirements
• Embed a culture of data protection throughout your organisation
• Train your staff - induction and annual refresher training
• Staff should know:
  • Who to go to for help and advice - DPO or DP Lead
  • What and where the policies are held
  • What to do if they become aware of a breach
  • What to do if they get a data subject request
So, in summary…
Top Tips for GDPR Compliance
• Bearing in mind the data protection principles:
  • Conduct an audit of personal data – know what personal data you hold and where
  • Understand the reasons why you need to hold / process it
  • Establish the appropriate legal basis for each type of personal data you process
  • Get your privacy notices and cookie notices right
  • Get appropriate data protection policies and procedures in place – ensure staff know about them
  • Understand your controller / processor / data sharing relationships and actively monitor third parties
  • Produce a Record of Processing
  • Ensure the security of the personal data you store / process – electronic and paper
  • Understand the rules for direct marketing (if relevant)
  • Understand the rules for cross border transfers of personal data (if relevant)
  • Embed the culture – embrace the data protection principles and train your staff
  • Appoint a DPO or Data Protection lead (consider outsourcing!)
QUESTIONS?
GDPR: Staff awareness & education
Creating a human intrusion detection system
Technology: Human & Augmented intelligence
Individual training plans
Gamified training
Passwords and the dark web
GDPR: Human Intrusion Detection
What do we mean?
An individual who is able to identify malicious activity and/or policy violations.
Collectively, a group of individuals who are able to identify malicious activity and/or policy violations.
GDPR: Technology, human & augmented intelligence
What do we mean?
“Popular visions of artificial intelligence often focus on robots and the dystopian future they will create for humanity, but to understand the true impact of AI, its skeptics and detractors should look at the future of cybersecurity. The reason is simple: If we have any hope of winning the war on cybercrime, we have no choice but to rely on AI to supplement our human skills and experience.”
Source: Joanne Chen, Foundation Capital. © Jan. 2017
GDPR: Individual training plans
Use machine learning at mailbox level
Assess each employee’s ability to recognise threats
Each user automatically graded
Personalised training based on this ability
Users progress as knowledge increases
GDPR: Gamified training
Categorise users into different groups
Deliver interactive, micro learning methods
Training delivered individually, supported by over 50 gamified videos and 1,000 HTML scenarios
Memorable and fun
GDPR: Passwords & the dark web
Database of over 500 million breached passwords, growing by circa 10,000 each day
How do you know that your credentials are secure?
Summary
Compliance is a journey. There is no silver bullet and everyone is compliant… until they aren’t.
Education and awareness takes many forms, but again, is a journey.
Technology aids awareness, builds knowledge and mitigates risk.
To find out more about how CyberWhite, IronScales and Authlogics can assist, please visit our stand.
Thank you
www.cyberwhite.co.uk
CyberWhite Ltd
@CyberWhiteLtd
@TheRealDaveHorn
GDPR Scotland
Handling DSARs Post GDPR
Helena Brown, Partner & Head of Data, Addleshaw Goddard LLP
Life Post GDPR
Increased Public Scrutiny
Court Cases – Class Actions
Enforcement Notices
Data Protection Law in 2018 – Quick Reminder
General Data Protection Regulation (“GDPR”)
Provides the general framework for handling personal data in Europe.
Data Protection Act 2018
Applies the GDPR in the UK and provides exemptions from certain rules e.g. subject access requests.
Should be read in conjunction with the GDPR.
Note that the Data Protection (Charges and Information) Regulations 2018 require certain organisations to register with the ICO in the UK (in addition to the Article 30 Register).
Privacy & Electronic Communications Regulations
Specific legislation for electronic marketing including email, cookies and online behavioural advertising.
This is undergoing review currently by the European authorities.
What will we cover?
▶ The DSAR landscape post GDPR
▶ Managing Requests
▶ What needs to be disclosed?
The DSAR landscape post GDPR
DSARS – the landscape post GDPR
▶ Disproportionately high volume of complaints to the ICO are about DSARs
▶ Most organisations are experiencing some increase in rights requests
▶ Easier now that requests can be made verbally but identification is an issue
▶ Increase in requests for erasure
▶ Some requests for rectification
…increase in awareness of rights – customers and employees
Identifying a DSAR
Can be made in any format and even verbally (consider identification issues.)
Keep an eye on social media accounts.
Valid if received by ANYONE in your organisation – think about training.
What personal data needs to be disclosed?
Personal data checklist:
▶ Individual must be directly identifiable from the data
▶ But can also be data identifiable from other data held
▶ Can include opinions made about an individual by another
▶ Decisions & decision making process may also be caught
▶ Must “concern” the individual
▶ Electronic records and relevant filing systems
Some Examples
► Common Examples: Name, address, date of birth, national insurance number, passport number, salary information, performance information
► Correspondence (emails, IMs)
► Opinions expressed about an individual
► Information from monitoring: Phone calls; CCTV footage
Remember: the right is to information, not documents: it is acceptable to extract information provided context is retained
What needs to be provided?
A copy of the personal data requested AND individuals also ‘have the right to obtain’:
▶ confirmation as to whether personal data are processed
▶ a copy of the personal data
▶ purposes of processing
▶ categories of personal data
▶ to whom data has been disclosed (in particular if overseas)
▶ how long data will be stored for
▶ the right to lodge a complaint with the ICO
▶ where the personal data was obtained from
▶ whether any automated decision making has taken place
Managing the response
DSAR Response Steps
Step 1: Recognise / Verify DSAR
▶ Identify the request as a DSAR
▶ Identify the individual
▶ Check what Personal Data is covered; is there enough information to locate the personal data?
Step 2: Locate the relevant data
Use the search parameters given – can include:
▶ all e-mails and documents that relate to that individual;
▶ all hard-copy files that are structured by reference to the individual;
▶ voice recordings, photographs or CCTV images;
▶ information processed by data processors
DSAR Response Steps (cont.)
Step 3: Assess what should be disclosed
▶ is it personal data?
▶ does it meet the parameters of the request (remove anything outside timescale or scope)?
▶ consider exemptions
Step 4: Respond
▶ Securely provide the information requested, within 1 calendar month of request
Step 5: Record
▶ Keep a record of searches done, information returned and redactions and exemptions applied: you will be asked for these if the ICO investigates
Focusing scope of request
THE STARTING POINT IS THAT WE MUST PROVIDE ALL PERSONAL DATA….
Managing a DSAR response:
▶ Exemptions (DPA 2018 and GDPR)
▶ Redactions
▶ Remove non “personal data”
▶ Focus request: subject / timescale
Excessive Requests?
▶ If request is “manifestly unfounded or excessive”:
  ▶ A ‘reasonable fee’ to cover administrative costs can be charged OR
  ▶ The request can be refused
▶ What is “manifestly unfounded or excessive” will be a high bar....disproportionate effort cases under old DPA 1998 may be relevant
Is it actually personal data?
▶ Information must ‘relate to’ the identifiable individual to be personal data.
▶ This means that it does more than simply identifying them – it must concern the individual in some way.
▶ To decide whether or not data relates to an individual, you may need to consider:
  ▶ the content of the data – is it directly about the individual or their activities?;
  ▶ the purpose you will process the data for; and
  ▶ the results of or effects on the individual from processing the data
Some recent developments…
▶ Lonsdale v NatWest Bank (Sep 2018)
  ▶ Suspicious activity report – individual had accounts closed, made a claim and a DSAR
  ▶ On application to High Court to strike out DPA claim, held that personal data included:
    ▶ Business decisions made by the bank;
    ▶ Information relating to suspicious activity reports and reasons for closing accounts;
    ▶ Data used to inform actions / decisions
The Main Exemptions
▶ Third party information
▶ Management Planning / Forecasting
▶ Legal Professional Privilege
▶ Negotiations with Requestor
▶ References (given and received)
Third Party Information Checklist
• Has the individual consented?
• Is it reasonable to comply without that consent? Remember you are not obliged to ask for consent.
• Factors to consider include:
  • type of information
  • duty of confidentiality owed
  • steps taken to seek consent
  • capability of giving consent
  • express refusal of consent
Any questions?
We’d love to hear from you…
HELENA BROWN
Partner, Head of Data
+44 (0)131 222 9544
+44 (0)740 773 5118
helena.brown@addleshawgoddard.com
ROSS MCKENZIE
Partner
+44 (0)1224 965 418
+44 (0)791 876 7330
ross.mckenzie@addleshawgoddard.com
JOANNE SNEDDEN
Managing Associate
+44 (0)131 222 9541
+44 (0)7501 463230
joanne.snedden@addleshawgoddard.com
GDPR: Managing 3rd and 4th Party Vendor Risk
Agenda
1 | Introduction
2 | Vendor Risk Under the GDPR
3 | Vendor Risk Management Today
4 | A Better Approach to Vendor Risk Management
Vendor Risk Under the GDPR
Vendor-Related Data Breaches on the Rise in 2018
Regulatory Liability Has Shifted
“Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.”
• 5 million credit & debit card details exposed
• 150 million health data records exposed
• 92 million DNA site customer details exposed
Breaches and Regulations Make Vendor Risk a Priority
Terminology & Concepts
Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Reference: GDPR Article 4(7)
Copyright © 2018 OneTrust LLC. All rights reserved. Proprietary & Confidential.
Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Reference: GDPR Article 4(8)
GDPR Context
• Responsibility of the Controller: Article 24; Recitals 74-77, 83
• Processor: Article 28; Recital 81
• Processing under a Controller or Processor: Article 29
• Transfer Subject to Appropriate Safeguards: Chapter V (Articles 44-50), Recitals 101-116
Controllers are responsible for not only their own data protection measures, but also those of their processors.
GDPR Responsibilities of Controllers & Processors
Summary
• Controllers shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures
• Processors shall not engage another processor without prior specific or general written authorisation of the controller
• Processors shall engage other processors only under the same data protection obligations
• May not process personal data except on instructions from the controller
Articles 24, 28, 29
Scope
All processing of personal data by a processor as instructed by a controller
Other Requirements
• Take into account nature of processing and risks (likelihood and severity)
• Demonstrate compliance
• Implementation of data protection policies
Transfers Subject to Appropriate Safeguards
Summary
• Controllers
• Transfers of personal data to third countries may take place only if one of three conditions is met (in order):
  • Adequacy decision
  • Appropriate safeguards
  • Derogation
Articles 44-50
Scope
Transfer of data to third country or international organisation
Other Requirements
• Appropriate safeguards:
  • Legally binding and enforceable instrument between public authorities/bodies
  • BCRs
  • “Model clauses”
  • Approved code of conduct
  • Approved certification mechanism
Vendor Risk Management Today
The “Excel Hell”
Problem areas: Disjointed Processes; 3rd, 4th, 5th Party Risks; Contract Agreements; Global Compliance
• No Automation = Time-Intensive & Costly Work
• Outdated Spreadsheets, Data In Multiple Tools
• Limited Visibility, Limited Mitigation
• Frequent Subprocessor Changes
• Complex Cross-Team Effort
• Many Vendor Variations, Lack of Accountability
• Difficult Documents to Sift Through
• Diverse Laws Create Complexity
• Cross-Border Data Transfers, Breach Notification, etc.
• No Central Platform = Outdated Information & Lack of Risk Tracking
Are You Able to Ask the Right Questions?
• Are you assessing vendors on an ongoing basis?
• Are your vendor data flows keeping your central data map & ROPA evergreen?
• Are you assessing 4th party vendors?
• Can you search all vendor contracts to know what data processing agreements are in place?
• Are you dependent on manual questionnaires or can you pre-populate or scan data?
• Do you need to manually review the results of questionnaires?
• When risks are identified, do you have a central way of assigning ownership and tracking remediation?
• Can you easily demonstrate compliance and accountability if audited?
• When a vendor is offboarded do you have evidence of data destruction and honored confidentiality?
• Do you have a central way of detecting, tracking, approving sub-processor changes?
A Better Approach to Vendor Risk Management
• Proactive monitoring and detection
• Automated workflows
• Pre-defined databases of information
• Self-service & intelligent assessments
Steps to Better Vendor Risk Management
1. Onboard Vendors: self-service portal; procurement integration; bulk import
2. Triage & Assess Risks: automate self-service assessments; utilize pre-built industry or customized templates; automated risk flagging; SIG & Lite SIG
3. Document & Demonstrate: dashboards & reporting; feed into Article 30 records; contract & DPA management
4. Monitor Vendors: automated vendor privacy scanning; 4th party & sub-processor auto detection; pre-scheduled re-assessments
5. Offboard: off-boarding checklist; business, legal and vendor confirmations; attach evidence on steps taken to offboard vendors
Step 1: Onboard
• Identify vendors
• Bulk review
• Controller vs. processor
• Checklist & agreements
• Leverage guidance
Prioritise not just risk, but the expected long-term relationship with the vendor
Build checklists relevant and specific to your business/type of vendors
1. Get basic information
2. What data is processed?
3. How is data processed?
4. Prioritise by risk
5. Send questionnaires
Step 2: Triage & Assess
• SIG & Lite SIG
• Assessment frameworks available by default within tech solutions
• Combine & customize, or create your own assessment from scratch
• Automatic risk flagging and rules engine
Step 3: Document & Demonstrate
1. RISKS: What do you do with the risks identified?
2. AGREEMENTS: Do you centrally store contract/data processor agreements?
3. ARTICLE 30: How do you keep records up to date?
Step 4: Monitor Vendors
• Sub-processor list RSS feed
• Website or knowledgebase article
• Contract or Data Processor Agreement (DPA)
• Auto-send risk assessments to sub-processors
Your Organization → 3rd Party Vendors → 4th Party Vendors
You can be held accountable for the vendors you work with. That includes the vendors your vendors work with.
Monitor 4th party vendor changes
Step 5: Offboarding
Management
• Monitor expiration dates
• Ensure vendors are following proper confidentiality agreements
Roles & Responsibilities
• Whose job is it to manage offboarding? Privacy team? Vendors?
• Make sure this is clear in contracts
Backups
• Ensure backups are properly handled
• Vendor backups
• Internal business backups
Operationalize Process with Integrations
Operational Impact: IT/Consulting Resources for scaling Vendor Risk Management
Integrations: Asset Inventory/CMDB, Project Management, GRC, Procurement / Contract
The #1 Most Widely Used Privacy Management Platform
• PIA | DPIA | PbD | InfoSec Assessment Automation: Data Protection by Design and Default (PbD)
• Privacy Program Management: Data Inventory, Mapping, Records of Processing; Global Readiness and Accountability Tracker
• Incident and Breach Response: Privacy and Security Incident Intake; Incident Risk Assessment Automation; Global Data Breach Law Engine; Notification and Reporting Obligations
• Vendor Risk Management: 3rd Party Privacy & Security Risk Assessments; 4th Party Sub-Processor Auto-Detection; Vendor Compliance Scanning; Contract & DPA Management
• Marketing Consent, Preferences, & Subject Rights: Cookie Consent and Website Scanning; Enterprise Preference Center; Universal Consent Management; Data Subject Rights Portal
Free GDPR Workshops
4.5 IAPP CPE Credit Hours
OneTrust Certification Program in Select Cities
Monthly GDPR Webinar Series hosted by Top Tier Law Firms & Consultancies
RSVP TODAY: PrivacyConnect.com
2018 WORKSHOP SCHEDULE: Amsterdam, Dublin, Düsseldorf, Warsaw, Vienna, Manchester, Geneva, London, Zürich, Paris, Lisbon, Helsinki, Madrid, Tallinn, Bucharest, Copenhagen, Seattle, Portland, Chicago, Vancouver, Toronto, New York, Atlanta, Houston, Denver, San Francisco, Los Angeles, Rome, Stockholm, Brussels, Berlin, Munich, Oslo, Prague, Barcelona, Budapest, Hamburg, Belfast, Milan, Athens, Boston, Washington, Austin, Charlotte, Phoenix, Sydney, Singapore, Melbourne, Hong Kong, Auckland, Tel Aviv, Dubai, Abu Dhabi, Doha
“This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.”
Visit Our Booth: Product Demos, Full Text GDPR Books, Free Tools & Templates, GDPR Workshops
Let’s connect @OneTrust!
Authentication mechanisms
and the GDPR
Jon Langley
Senior Technology Officer (Technology Policy)
GDPR Scotland Summit
Dynamic Earth, Edinburgh
5 December 2018
What do we mean by authentication?
Types of authentication
• Something you know: password, PIN etc
• Something you are: biometrics
• Something you have: certificate, key, card etc
What’s the problem with authentication?
People
Policies and procedures?
“The password used was the individual’s username with 01 after it. So it met the purely technical standard [that the organisation had in place], but was easily guessable and very definitely not in line with best practice or the advice we give to staff.”
Technical solutions?
What does the GDPR say about
authentication?
Nothing?
Article 32 - security
‘Taking into account the state of the art,
the costs of implementation and the
nature, scope, context and purposes of
processing as well as the risk of varying
likelihood and severity for the rights and
freedoms of natural persons, the controller
and the processor shall implement
appropriate technical and organisational
measures to ensure a level of security
appropriate to the risk’
What practical considerations can we
make?
Consider the situation
What personal data are you
protecting?
Who is using the system?
What are the possible threats to the
system?
Plain text and hashing algorithms
Some specifics
• Password managers: let people use them
• Blacklisting: how to stop your users having bad passwords
• Credential stuffing: can you defend against it?
• Regular changes: should we still do this?
• Admin accounts: consider higher levels of protection
• Reset process: make sure it’s secure
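The slides above name the controls (plain text vs. hashing, blacklisting, the “username01” password from the ICO quote) without showing them. The following Python is an added example, not code from the ICO talk or from any deck on this page: a candidate-password check that rejects blacklisted passwords, blacklisted words with a digit or symbol suffix, and passwords derived from the username, alongside salted PBKDF2-HMAC-SHA256 storage with constant-time verification, contrasted with the unsalted-hash anti-pattern. The blacklist, minimum length and iteration count are assumptions chosen for illustration; a real service would load a large breached-password corpus and set the work factor from current published guidance.

```python
"""Password-handling checks for an online service.

Added example: not code from the ICO talk or any deck on this page.
Assumptions are marked inline.
"""
import hashlib
import hmac
import os
import re

# Assumption: a tiny stand-in for a breached/common-password corpus. A real
# service would load a large list rather than this handful of entries.
BLACKLIST = {"password", "qwerty", "123456", "letmein", "welcome", "football"}

MIN_LENGTH = 8               # assumption: policy minimum for this example
PBKDF2_ITERATIONS = 600_000  # assumption: work factor; tune to guidance and hardware

# Trailing digits/symbols users bolt onto a blacklisted word ("Welcome1!").
_SUFFIX = re.compile(r"[\d!@#$%^&*.?]+$")


def password_problems(username: str, password: str, blacklist=BLACKLIST) -> list:
    """Return the reasons a candidate password should be rejected (empty = accepted).

    Checks, in order: length, exact blacklist hit, blacklisted word plus a
    suffix, and the ICO case quoted above: a password derived from the
    username ("jsmith01" meets a length rule yet is trivially guessable).
    """
    problems = []
    lowered = password.lower()
    user = username.lower()

    if len(password) < MIN_LENGTH:
        problems.append("too short")

    if lowered in blacklist:
        problems.append("on the blacklist")
    elif _SUFFIX.sub("", lowered) in blacklist:
        problems.append("a blacklisted word with a suffix")

    if user and user in lowered:
        problems.append("derived from the username")

    return problems


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: a bare hash. Identical passwords give identical hashes,
    so one cracked hash (or one precomputed-table lookup) exposes every user
    who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing string
    so the work factor can be raised later without breaking existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample sign-ups, including the "username01" pattern from the quote.
    samples = [("jsmith", "jsmith01"), ("alice", "Welcome1!"),
               ("carol", "correct horse battery staple")]
    for user, pw in samples:
        print(f"{user!r} / {pw!r}: {password_problems(user, pw) or 'accepted'}")

    record = hash_password("correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery stapler", record))
    print("unsalted hashes collide:", unsalted_sha256("Welcome1!") == unsalted_sha256("Welcome1!"))
    print("salted hashes collide:  ", hash_password("Welcome1!", 1000) == hash_password("Welcome1!", 1000))
```

The stored record carries its own algorithm name, iteration count and salt, so the “regular changes” question on the slide can be answered for the work factor rather than the users: when hardware gets faster, raise the iteration count for new records and re-hash existing ones at next successful login, with no forced password rotation.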
What will authentication look
like in the future?
Guidance
Passwords in online services
Other guidance
Summary
• Authentication is
potentially difficult
− People will always take
the route of least
resistance, we have to
allow for this
• The GDPR requires you to
take account of all the
circumstances
− Your authentication
mechanisms must be
tailored to specific
circumstances
Keep in touch
@iconews | /iconews | /icocomms | /company/information-commissioner’s-office
Subscribe to our e-newsletter at ico.org.uk, or find us on…
Jonathan.langley@ico.org.uk
Best GDPR practice from the
Marketing frontline
Dr Simone Kurtzke, Programme Leader, MSc Digital Marketing, Robert Gordon University
Jason Stewart, E-Commerce and Digital Manager, Aberdeen International Airport
What we’ll cover today
• Brief history of permission-based marketing
• Research: Consumer trust in data security
• Compliant and fun: GDPR as opportunity
• Case study: AGS Airports - Marketing after GDPR
• Priority checklist for SME GDPR marketing
Permission-based marketing
Permission marketing is an
approach to selling goods and
services in which a prospect
explicitly agrees in advance to
receive marketing information.
Seth Godin, 1999
Consumer consent in UK law
• 1998 Data Protection Act covers data stored on computers but doesn’t define ‘consent’
• 2003 Privacy & Electronic Communications Regulations require opt-in consent for marketing messages – illegal to send unsolicited email
• 2012 EU ‘Cookie Law’ – consent required to
serve non-essential website cookies (e.g. for
advertising and tracking)
Permission as Privilege – Consumer research
• Data security is first driver of trust in brands – but 50% of
consumers do not want personal data used at all
(Kantar TNS 2018)
• 72% of consumers think businesses, not government, are best equipped to protect them (PwC Protect Me 2017)
• 60% of 16-18 year olds trust a machine over humans
(40%) to protect their data / privacy
(Edelman Trust Barometer 2018)
Implications for Brands
• Provide data security reassurance –
be explicit and comply (to reduce worry)
• Be transparent – clearly communicate what
data is used for (to generate trust)
• Use consumer data to provide value / add
utility (convenience / customer experience)
GDPR: Opportunity to build trust & be useful
• Traditional lead gen activities – prize draws, ‘free’ Wi-Fi
with pre-ticked e-newsletter sign-ups no longer possible
• Data trust = competitive advantage
• ‘Transparency in the intent’ – sceptical, informed
consumers trust truthful brands offering tangible benefits
• What is the VALUE of my CHOOSING to share my data with
you?
GDPR Examples – Repermission
GDPR Examples – Software Trial: SuperOffice free trial sign-up, https://www.superoffice.com/
GDPR Examples – Enews opt-in (compliant): Sainsbury’s online account registration, https://www.sainsburys.co.uk/
GDPR Examples – Enews opt-in (non-compliant): Sainsbury’s magazine newsletter (date checked: 3/12/18), https://www.sainsburysmagazine.co.uk/newsletter
GDPR Examples – Enews opt-in (compliant): VisitScotland Enewsletter sign-up, https://www.visitscotland.com/newsletter/
Case study: AGS Airports
- Marketing after GDPR
About AGS Airports
• We’re the second biggest airport group in the UK, comprising Aberdeen, Glasgow and Southampton Airports
• Combined we look after 15 million passengers every year
• The AGS Digital team is a stand-alone team working across the group
• Pre-GDPR, we undertook a 2 year project to get ready for the legislation changes
A big brand, with a big audience
• 1.92m / 10.01m / 251k
• Collective number of social media followers for AGS; emails sent to AGS customers YTD 2018; the number of customer records held on the collective AGS customer CRM database
Using big data to personalise communications
• Richer data = more targeted and contextual communications to our customers
• The more we know about our customers, the more we can tailor their online experience
GDPR – what’s changed for AGS?
• Very little! At AGS we aim to exceed legislative requirements for data security
• Appointment of full time DPO
• Data security by design – procurement, IT, DPIAs, data audits, policy reviews etc.
• Automated, encrypted and anonymized marketing data/transfers
• No sharing of marketing data
• More explicit and defined opt-in procedures
• Redefined data retention policy
• Higher degree of segmentation for marketing communications
• “Hard” unsubscribes – opt-out from one, opt-out from all.
• Established, loyal customer database
• Average <0.5% unsubscribes
• Open rates exceed 20%
• Opt-out opportunities sent pre-GDPR
• Links to unsubscribe and refreshed privacy
policy
• Unsubscribe rate just 1.2%
• Key to establish already-engaged customer
lists, and only communicate to engaged
customers
Marketing data – what’s next for AGS?
• Utilising consensually-provided data to personalise and improve the AGS passenger journey
• API-driven data collection to CRM database
• Real-time user segmentation and omnichannel, personalised communications
• Examples:
– Ability to provide ancillary products and services based on travel plans
– Live real-time communications based on tracked flights
– Send communications to people in the airport at this moment
– Exclude customer segments from communications they are unlikely to be interested in
using real-time data segmentation
Mobile app – launching Q2 2019
• Utilising real-time API customer data
• Push notifications based on tracked flight
• Ability to easily book and manage airport products such as lounge passes
• Geo-fencing within the terminal environs to enable in-terminal push notifications
Post purchase journey
• Using customer data to serve products and services that are relevant to their destination.
• Providing a service that is useful and easy to use for passengers.
Signed-in user experience: making things easier…
• Creating a “single-sign-in” across the website and booking systems
• Allowing users to save and manage all of their flights, as well as their products booked.
• Using PCI DSS compliant services to store and use customer data
• Data powers “one click ordering”, a world-first for airports.
Priority checklist for
SME GDPR marketing
GDPR Marketing Priorities for SMEs
1. Review & audit opt-in status of existing database
contacts
2. Create process & workflow for current & new data
collection activity (incl. website and all marcomms
collateral)
3. Gather opt-in consent from valuable existing
contacts
4. Train sales team on compliant leads management
5. Create process to handle data information requests
6. Create process for GDPR breaches (incl. crisis comms)
7. Review external partners / third party suppliers for
compliance (incl. digital tools e.g. WordPress plug-ins,
scheduling tools)
8. Update your privacy page
9. Create process for ongoing ‘best practice’ database
management (for clean, compliant data)
GDPR Marketing for SMEs – Key resources
• Download and review marketing specific checklists
(e.g. BusinessBrew, DMA)
• ICO direct marketing checklist & Code of Practice (to
be updated, currently in consultation)
• ICO data protection self-assessment toolkit (includes
direct marketing, data sharing & records management
checklists)
Final words – The Benefits of GDPR
• Higher quality leads
• More accurate data
• Better customer experience
• Stronger relationships with
customers
• More effective Marketing
Questions?
Furkan Sharif
Legal & General
@landg_uk
#gdprscot
Data Stewardship for
Accountability and Ownership
Furkan Sharif LLM
(Information Management Consultant)
05/12/2018
Public
GDPR BAU: GDPR Challenges
• GDPR Programme post 25/05 … the work starts NOW!
• Change attitudes & behaviours: first-line ownership for PII… it’s not an “IT” problem!
• Maintain a culture of Data Protection by Design and Default?
• How can we manage the PII data lifecycle (structured & unstructured)?
• How do we accurately maintain the Records of Processing Activities?
• Where is the guidance and support within the 1st line, i.e. accessible SME knowledge?
• Stay abreast of privacy law as the business evolves!
• Are GDPR controls stifling business growth, resulting in lost opportunities?
GDPR MISSION STATEMENT
“Successful implementation of GDPR is not just
about new processes, but equally about
empowering the business to take a
proactive approach to encourage the right
behaviours in order to maintain a culture where
privacy is a default position”
Why Data Stewardship?
• Need for a conduit between Legal, DPO and the shop floor: “speak the language with local knowledge”
• 1st line DP SMEs, “human interaction”: first point of call for data protection
• Accountable: embed and develop BAU compliance processes: SAR, Breach Notification Process, DPIA & LIA (healthchecks)
• Evidencing and documentation: “maintenance” of Records of Processing Activities (RPA), Privacy Notices, DPIAs, LIAs
• Escalation: 1st line compliance coordination and escalation path to 2nd line DPOM
• Management Information: “process efficiency” monitoring MI: daily / weekly / monthly MI reports to 2nd Line
• Issue management: undertaking investigations and taking remediation actions
• 1st line attestation with risk management framework evidencing
• Communication and awareness: reinforcing key educational and training messages, promoting a proactive culture of data protection and information management
Data Steward Accountabilities
• SME: understand local business processing and systems
• Day to day: application of the Data Protection framework
• Communication: policy compliance; local business leadership vs 2nd Line - facilitate two-way communication
• Security: liaison with IT Security when appropriate (TOM) and data governance activity
• Evidencing & Accountability: Record of Processing Activities (Art 30); Data Privacy Impact Assessment (DPIA); SARs / rights process MI and coordination; data breach escalation process / investigation
• Data Governance: provide local support and oversight in the delivery of the Data Protection Framework; support for data classification, data retention & deletion
• Management Information (KPIs): Data Governance Framework performance reporting; support of DPOM through the provision of needed management information; production and reporting of data-breach-related management information
• Training & Awareness: provision of training in support of the Data Governance Framework; data classification training for updates and new entrants; GDPR training for updates and new entrants, in line with dedicated Training Resource; support local business leadership and the DPOM in GDPR capability development
Data Steward Awareness Campaigns
CLAP Campaign Classify, Label And Print
• Posters & Large Banners (Communications /
awareness)
• Introduction of Data Stewards to BU
• Posters notice boards, printing areas, communal areas
• Animations “Tina the Trainer”, brand, and characters
from GDPR programme
• News letters from internal comms-
• Data Stewards conduct training, presentation, emails,
Communication
Professional development of Data Stewards?
• Data Steward Handbook
• Training (professional certificate)
• DPO support & encouragement
• Weekly stand-ups (forums)
• Share knowledge
Success through the Stewardship Approach
• Accountability and ownership driven approach
• Documented and accurate RPA: transparency and ownership
• Evolving processes fully embedded in 1st line: periodic reviews
• Proactive approach and knowledge sharing through the stewardship community
• MI up-to-date, with evidence to support compliance for executive attestation
• Business understands privacy risks and is accountable for mitigation actions
• 2nd line SME oversight and support for 1st line Privacy SMEs
Mark Evans
Athene Secure
@AtheneSecure
#gdprscot
AtheneSecure
Pragmatic Data Protection: The New Business Opportunity
Mark Evans MBA B.Sc.(Hons) FIP, CIPP/E, CIPM, CISM, CISSP
Director – Athene Secure Ltd
Pragmatic Data Protection. Emphatic Cyber Security.
Peak Snake Oil: there is no silver bullet
The Doctrinaire counter to “Snake Oil”: your own style, your own way, your own business
Pragmatism
• Efficiency: wasteful “just in case” is a dangerous luxury
• Engagement: telling the world that you’re taking data protection seriously.
• Loyalty: the Data Subject must be central to business thinking.
• Protection: asking your supply chain those ‘awkward’ questions
• Introspection: evaluating and improving
• The Future
Your corporate DNA
“A good plan violently executed now is better than a perfect plan executed next week.” George S. Patton
Incremental steps to improvement
It’s not all about “size”… (of budget)
There’s money to be saved!
Watch competitors stumble…
When ‘bad publicity’ is simply bad publicity…
ICO - Interesting Coat Outfitters #interestingcoatoutfitters
Watch competitors stumble… There’s money to be made!
Put out fires for your competitors’ customers
Clean up the mess your competitors have made for their data subjects
Clean up the mess your competitors have made for your new customers
Let your customers know that you love them. …and continue to prove it!
Make the road as smooth as possible for:
• your business
• your team
• your customers
• the regulator
- and enjoy the journey.
Thank you
Mark Evans MBA B.Sc.(Hons) FIP, CIPP/E, CIPM, CISM, CISSP
Director – Athene Secure Ltd
@markxavierevans
mark.evans@athenesecure.com
Panel Discussion
Dr Simone Kurtzke
Claudia Pagliari
Furkan Sharif
Mark Evans
Jonathan Langley
#gdprscot
Questions &
Discussion
#gdprscot
Drinks and
Networking
#gdprscot
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
 
Digital Ethical Risk Assessment
Digital Ethical Risk AssessmentDigital Ethical Risk Assessment
Digital Ethical Risk AssessmentMarc St-Pierre
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 

Similar a Here are some key points about privacy and ethics by design for big data and AI systems:- Privacy and data protection should be built into systems from the initial design stage, not bolted on as an afterthought. This is known as "privacy by design". - Systems should be designed to only collect and retain personal data that is actually necessary for the specific purpose. No excessive data collection.- Default settings should be set to the most privacy-friendly levels. For example, collecting the minimum amount of personal data by default.- Systems should have transparency and explainability baked in. For example, individuals should be able to easily understand the logic and criteria behind algorithmic decisions or profiles about them (20)

Tim Willoughby - Presentation to Innovation Masters 2016
Tim Willoughby - Presentation to Innovation Masters 2016Tim Willoughby - Presentation to Innovation Masters 2016
Tim Willoughby - Presentation to Innovation Masters 2016
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar Slides
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC Framework
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
 
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) planCWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure compliance
 
Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdpr
 
Jisc GDPR conference
Jisc GDPR conferenceJisc GDPR conference
Jisc GDPR conference
 
Ipswitch and cordery on the road " All you need to know about GDPR but are t...
Ipswitch and cordery on the road  " All you need to know about GDPR but are t...Ipswitch and cordery on the road  " All you need to know about GDPR but are t...
Ipswitch and cordery on the road " All you need to know about GDPR but are t...
 
Ready for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital EconomyReady for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital Economy
 
Implementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy ProgramImplementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy Program
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Digital Ethical Risk Assessment
Digital Ethical Risk AssessmentDigital Ethical Risk Assessment
Digital Ethical Risk Assessment
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 

Más de Ray Bugg

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023 Ray Bugg
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022Ray Bugg
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021Ray Bugg
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019Ray Bugg
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Ray Bugg
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018Ray Bugg
 
Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Ray Bugg
 
Scot Secure 2018
Scot Secure 2018Scot Secure 2018
Scot Secure 2018Ray Bugg
 
Digital Transformation 2018 - Edinburgh
Digital Transformation 2018 - EdinburghDigital Transformation 2018 - Edinburgh
Digital Transformation 2018 - EdinburghRay Bugg
 
Big Data Scotland 2017
Big Data Scotland 2017Big Data Scotland 2017
Big Data Scotland 2017Ray Bugg
 
IT In The Park 2017
IT In The Park 2017IT In The Park 2017
IT In The Park 2017Ray Bugg
 
GDPR Scotland 2017
GDPR Scotland 2017GDPR Scotland 2017
GDPR Scotland 2017Ray Bugg
 
Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)Ray Bugg
 
Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)Ray Bugg
 
Scot Cloud 2017
Scot Cloud 2017Scot Cloud 2017
Scot Cloud 2017Ray Bugg
 
DIGIT Leader Summit 2017
DIGIT Leader Summit 2017DIGIT Leader Summit 2017
DIGIT Leader Summit 2017Ray Bugg
 
Oil & Gas ICT Leader 2017 - Day 2 April 20th
Oil & Gas ICT Leader 2017 - Day 2 April 20thOil & Gas ICT Leader 2017 - Day 2 April 20th
Oil & Gas ICT Leader 2017 - Day 2 April 20thRay Bugg
 

Más de Ray Bugg (20)

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018
 
Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Digital Energy 2018 Day 2
Digital Energy 2018 Day 2
 
Scot Secure 2018
Scot Secure 2018Scot Secure 2018
Scot Secure 2018
 
Digital Transformation 2018 - Edinburgh
Digital Transformation 2018 - EdinburghDigital Transformation 2018 - Edinburgh
Digital Transformation 2018 - Edinburgh
 
Big Data Scotland 2017
Big Data Scotland 2017Big Data Scotland 2017
Big Data Scotland 2017
 
IT In The Park 2017
IT In The Park 2017IT In The Park 2017
IT In The Park 2017
 
GDPR Scotland 2017
GDPR Scotland 2017GDPR Scotland 2017
GDPR Scotland 2017
 
Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)
 
Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)
 
Scot Cloud 2017
Scot Cloud 2017Scot Cloud 2017
Scot Cloud 2017
 
DIGIT Leader Summit 2017
DIGIT Leader Summit 2017DIGIT Leader Summit 2017
DIGIT Leader Summit 2017
 
Oil & Gas ICT Leader 2017 - Day 2 April 20th
Oil & Gas ICT Leader 2017 - Day 2 April 20thOil & Gas ICT Leader 2017 - Day 2 April 20th
Oil & Gas ICT Leader 2017 - Day 2 April 20th
 

Último

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Último (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Here are some key points about privacy and ethics by design for big data and AI systems:

• Privacy and data protection should be built into systems from the initial design stage, not bolted on as an afterthought. This is known as "privacy by design".
• Systems should be designed to only collect and retain personal data that is actually necessary for the specific purpose. No excessive data collection.
• Default settings should be set to the most privacy-friendly levels. For example, collecting the minimum amount of personal data by default.
• Systems should have transparency and explainability baked in. For example, individuals should be able to easily understand the logic and criteria behind algorithmic decisions or profiles about them.

6. Regulation in the GDPR Era
5 December 2018
Ken Macdonald, Head of ICO Regions

7. Why do we regulate?

8. When do we regulate?

9. How do we regulate?
• Sets out the ICO’s powers for clarity and consistency about when and how we use them;
• Ensures fair, proportionate and timely regulatory action to protect individuals’ information rights;
• Ensures regulatory action is targeted, proportionate and effective; and
• Assists in the delivery of the Information Rights Strategic Plan.

10. Our Regulatory Activity
• conducting assessments of compliance;
• issuing information notices;
• issuing assessment notices;
• producing codes of practice;
• issuing a warning;
• issuing a reprimand;
• issuing enforcement notices;
• administering fines;
• administering fixed penalties; and
• prosecuting criminal offences before the courts (not in Scotland!)

11. Our Regulatory Objectives
1. To respond swiftly and effectively to breaches;
2. To be effective, proportionate, dissuasive and consistent in our application of sanctions;
3. In line with legislative provisions, promote compliance with the law;
4. To be proactive in identifying and mitigating new or emerging risks; and
5. To work with other regulators and interested parties constructively.

12. We will consider…
• the nature and seriousness of the breach;
• the categories of personal data;
• the number of individuals affected;
• whether the issue raises new or repeated issues;
• the gravity and duration of a breach;
• whether the organisation or individual involved is representative of a sector or group;
• the cost of measures to mitigate any risk;
• the public interest in regulatory action being taken;
• any other regulator’s action; and
• any expressed opinions of the EDPB.

13. Aggravating factors:
• the attitude and conduct of the individual or organisation;
• whether relevant advice or warnings have not been followed;
• whether the DC failed to follow an approved or statutory code of conduct;
• the prior regulatory history;
• the vulnerability of the individuals affected;
• any protective or preventative measures and technology available, including by design;
• the manner in which the breach or issue became known to the ICO; and
• any financial (including budgetary) benefits gained or financial losses avoided.

14. When is a CMP likely?
• a number of individuals have been affected;
• there has been a degree of damage or harm;
• sensitive personal data has been involved;
• there has been a failure to comply with an information notice, an assessment notice or an enforcement notice;
• there has been a repeated breach of obligations or a failure to rectify a previously identified problem or follow previous recommendations;
• wilful action is a feature of the case;
• there has been a failure to apply reasonable measures to mitigate any breach; and
• there has been a failure to implement the accountability provisions of the GDPR.

15. Determining the amount:
1. An ‘initial element’ removing any financial gain from the breach.
2. Adding in an element to censure the breach based on its scale and severity.
3. Adding in an element to reflect any aggravating factors.
4. Adding in an amount for deterrent effect to others.
5. Reducing the amount to reflect any mitigating factors, including ability to pay.

16. Fixed Penalties (DPA 2018 s155):
• Tier 1: £400;
• Tier 2: £600;
• Tier 3: £4,000;
• up to a statutory maximum of £4,350.

18. Civil Monetary Penalties:
• Tier 1: €10 million / 2% of global turnover;
• Tier 2: €20 million / 4% of global turnover.

20. The investigation has become the largest investigation of its type by any Data Protection Authority, involving online social media platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.

21. Summary of regulatory action
CMPs:
• Facebook – £500,000 CMP;
• Emma’s Diary – £140,000 CMP;
• Eldon Insurance (trading as Go Skippy) – £60,000 NoI; and
• Leave.EU – £60,000 & £15,000 NoI.
Enforcement Notices:
• SCLE Elections
• AiQ
• Eldon Insurance Ltd
Criminal Proceedings:
• SCLE Elections Ltd
Other Regulatory Action:
• 11 Warning Letters
• 2 Audits
• 6 Assessment Notices
• Referrals to other Regulators / Police

22. Keep in touch
@iconews
Subscribe to our e-newsletter at www.ico.org.uk
Email: scotland@ico.org.uk
24. Making the complicated simple
Claire Winn, Programme Manager, Data Privacy / Protection / GDPR

25. Our Journey: from words (GDPR Strategy) to action for May 18 and beyond

27. Framework
1. Our GDPR Readiness state
2. Identified our Business Strategy
3. Reviewed, Improved & Shaped Data Protection and Privacy Compliance Programme
4. Programme Implementation
5. Review & Transition to BAU

28. People
• Buy in – we started at the top and had our highest level of management behind us all the way
• Reward and promote the right behaviour
• Understand what your employees need to know and how you can help guide them through the changes
• Awareness – drive the culture change and mind-set around data privacy & data protection
• Data Protection Ambassadors

29. People – Training
• Global layered training principle
• Different levels for different roles
• Entire business base layer data privacy and data protection training 2017 & 2018
• Took a central role in Wood’s new Code of Conduct
• Targeted training for teams that have access to and manage high volumes of personal data – Contract teams, HR, Occupational Health, IT, Communications & Marketing, Business Dev
• Make your people your strongest asset, not the weakest

30. Policies and procedures – the new challenges
• We have reviewed and updated our policies/procedures and in particular focused on Subject Access Requests and our Breach Response procedure
• To help ensure that we meet the new timeframes we developed templates/tracking tools that helped respond to SARs and Breaches
• Training and awareness was key
• The OODA loop – Observe, Orientate, Decide and Act

31. 2019 & GDPR
• Wood has one SAR and one data procedure globally
• 6 months in and Wood is continually reviewing our programme, which is aided with the guidance from the ICO, other sources and open source external experiences
• We have kept our Sponsors and our Steering Group in place for our programme – we are ensuring that senior management are continually involved
• We are now formulating our objectives for 2019 with our DPO
  • 33. Privacy and Ethics in the era of Big Data and AI Ivana Bartoletti – Head of Privacy & Data Protection
  • 34. Structure  The increasing importance of Big Data.  Decisions by Autonomous Systems (AI): definitions, law and challenges.  Privacy and ethics by design.  Design for values: where are we with AI?  Deploying algorithms: practical steps for machine – human cooperation. Gemserv 34
  • 35. The importance of Big Data  Organisations are increasingly looking towards data analytics to make more informed and efficient decisions.  Data analytics allows companies to make sense of data and develop patterns and predictions. Gemserv 35 Examples A children’s doll, My Friend Cayla, uses a microphone, location data and information collected via an App to personalise messages and interactions with children. Online Advertising Systems characterise individuals into social and demographic categories on the basis of tracking their online behavioural interests. Smart Homes monitor residents’ and homeowners’ use of appliances at home and behavioural habits, in order to reduce water and energy use. This allows such organisations to reduce costs, improve efficiencies and produce more tailored customer experiences and service offers.
  • 36. Decisions by Autonomous Systems (AI): Background  Artificial Intelligence (AI) can also play a role where such systems are self-learning, allowing for evolving analysis, predictive functions and even decisions.  Autonomous Systems are increasingly involved in taking decisions that replicate, or even replace, human decision- making. Within this process, an AI System analyses.  AI systems or programs can be particularly concerning from a data security and data protection perspective due to the lack of transparency of their effects on individuals. Gemserv 36 However….
  • 37. Big Data and Artificial Intelligence Do we need regulation?
  • 38. Decisions by Autonomous Systems (AI): Concepts Definition  Article 13 of the GDPR requires meaningful information about the logic, significance and the envisaged consequences of automated decision-making for the data subject.  Article 22 of the GDPR limits “decision[s] based solely on automated processing” that similarly significantly affect data subjects. Regulation  Several regulatory authorities, including the Information Commissioner’s Office and Norwegian Data Protection Authority (Datatilsynet), have issued opinions around using algorithms.  Industries bodies such as the Alan Turing Institute, AI Now Institute and Institute of Electrical and Electronics Engineers (IEEE) have also issued guidance about assessing AI and Big Data systems for their technological and legal compliance, and many organisations are focusing on the ethics of AI. Gemserv 38
  • 39. Decisions by Autonomous Systems (AI): Challenges. The key challenges for data processing and autonomous systems centre around compliance with three principles: Responsibility involves imbuing systems and processes with ethical values and considerations and ensuring that algorithms complement, rather than replace, human decisions. Fairness involves protecting individuals from the adverse effects of automation, and ensuring profiling is carried out in a fair and non-biased way. Transparency involves giving data subjects and, where possible, the public, an explanation of the processes and procedures involved in algorithmic decisions or profiling.
  • 40. Privacy and Ethics by Design
  • 41. Privacy and Ethics by Design. Organisations should consider privacy and ethical principles throughout the design of systems: Have you carried out a DPIA and/or Algorithmic Impact Assessment on automated decisions? Have you agreed an apportionment of liability between third parties? Have decision-makers for the system been selected? Are appropriate access controls in place? Have APIs and user-facing features been designed with privacy and transparency in mind? Are procedures for testing data accuracy in place? Are the uses of data/profiling made clear to data subjects? Are mechanisms for collecting consent in place? Do you keep track of requests or complaints received? Do you have a procedure for ascertaining the effects of automated decisions?
  • 42. Design for Values: Where are we with AI? Systems need to be embedded with values chosen by the organisation. Training and testing of autonomous systems needs to identify if any biased results emerge. Algorithmic functions need to be constrained to avoid weighting characteristics that could lead to bias. Developers and deployers need to agree an apportionment of liability if automated decisions go wrong. Example: Self-driving vehicles are an example of how values need to be embedded into automated systems. Different values may present a 'trolley problem' where, faced with a potential accident, the car must decide whose life to prioritise.
  • 43. Deploying Algorithms: Practical Steps. Human intervention may be necessary for GDPR compliance if decisions have legal or similarly significant effects. Human intervention may also be necessary to allow decisions to be explained to individuals. Other steps can include: At the design stage, humans should set the values for AI systems. Humans should have control over system outputs. Strict roles and responsibilities should constrain which humans can access AI systems.
  • 47. www.rgdp.co.uk Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP Mark Chynoweth: General Manager, RGDP LLP 5th December 2018 GDPR Scotland Summit 2018 GDPR – after the hype, how is the Data Protection Officer’s role working in practice?
  • 48. OR: Based on the experience of RGDP's DPOs… Some Top Tips for GDPR Compliance
  • 49. Agenda: Data Protection Principles; Audit of personal data; Reasons and legal bases for processing personal data; Privacy policies and cookies notices; Data protection policies; Controller / processor / data sharing relationships; Record of Processing; Security of the personal data; Direct marketing; Cross border transfers; Training; DPO or Data Protection lead.
  • 50. Principles. Under the overarching principle of Accountability, you are required to demonstrate compliance with the following data protection principles: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality.
  • 51. Audit of Personal Data. Conduct this audit as the first step; it will inform much of what is to come. Identify: where personal data is collected; what personal data is collected; what you use the data for; who it may be shared with; how long you need to keep the data. Document all this information in an asset register. Establish a process for keeping the audit or asset register up to date.
  • 52. Reasons and Legal Bases. Know why you need to hold / process personal data; be sure that you have a valid reason. Identify the legal basis for processing each type of data you hold: Consent; Contract; Legal Obligation; Vital Interests; Public Interest; Legitimate Interest. If you hold special category data you will also need to identify additional reasons for processing.
  • 53. Privacy Notices. Also known as Fair Processing Notices. GDPR specifies that information such as the purpose and legal basis for processing must be given to data subjects when you are collecting their personal data. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially if you are processing the data of a child or vulnerable person. Separate and individually bespoke privacy or fair processing notices are required for different categories of data subjects. Cookies policies on websites.
  • 54. Policies and Procedures. In addition to Privacy Notices, you should have an overarching data protection policy and policies covering: Data Protection Impact Assessments; Breach Management procedures (including breach register); Data Subject Rights (Subject Access Requests); Retention; Security of Processing; Cross border data transfers; Training. Other policies, e.g. HR, Social Media, Remote Working etc., should be checked to ensure that they are GDPR compliant; this can be done in slower time during routine policy updates.
  • 55. Data Sharing. You should establish whether you are a Data Controller or Processor for each category of personal data being processed: Data Controller; Data Processor; Joint Controller. A Data Controller must carry out due diligence in relation to any Data Processor it employs and monitor compliance. Contracts between Data Controllers and Processors should be updated with GDPR compliant Data Protection clauses. It is good practice to maintain a register of all contracts with the date when data sharing agreements or data protection clauses are agreed.
  • 56. Record of Processing. Organisations with over 250 employees. Organisations with fewer than 250 employees. The Record of Processing must contain the following information: name and contact details of the controller, joint controller, controller's representative and the DPO; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations; transfers of personal data to a third country or international organisation; time limits for erasure of the different categories of data; a description of the security measures in place to protect the personal data.
  • 57. Security of Personal Data. GDPR insists on integrity and confidentiality of personal data. Organisations must have technical and organisational measures in place to prevent unauthorised or unlawful processing and to guard against accidental loss, destruction or damage. Measures include: Pseudonymisation; Anonymisation; Encryption; Security Standards; Back-ups; Vulnerability Scans and Penetration Testing; Access Controls.
  • 58. Direct Marketing. Direct marketing includes sending out campaign messages and information as well as selling. Rules in relation to direct marketing are contained in the Privacy and Electronic Communications Regulations (PECR): Post; Phone Calls; Emails and Text Messages; Business to Business (B2B) Marketing; Soft Opt-In. You must always offer an opt-out option.
  • 59. Cross Border Transfers. Under GDPR, you cannot transfer personal data to a country outside the EU unless: the country provides adequate protection confirmed by an EU Commission "adequacy decision"; an appropriate safeguard has been put in place between the data exporter and importer; or the data transfer is exempt from the requirements of the GDPR. Appropriate safeguards. If no "adequacy decision" has been issued and it is not possible to use one of the appropriate safeguards, then as a last resort you may be able to rely on an exemption, e.g. consent, conclusion of a contract, if it is in the data subject's interest, in the public interest, for legal claims, for vital interest or for legitimate interest.
  • 60. Other Requirements. Embed a culture of data protection throughout your organisation. Train your staff: induction and annual refresher training. Staff should know: who to go to for help and advice (DPO or DP Lead); what the policies are and where they are held; what to do if they become aware of a breach; what to do if they get a data subject request.
  • 62. Top Tips for GDPR Compliance. Bearing in mind the data protection principles: Conduct an audit of personal data; know what personal data you hold and where. Understand the reasons why you need to hold / process it. Establish the appropriate legal basis for each type of personal data you process. Get your privacy notices and cookie notices right. Get appropriate data protection policies and procedures in place; ensure staff know about them. Understand your controller / processor / data sharing relationships and actively monitor third parties. Produce a Record of Processing. Ensure the security of the personal data you store / process, electronic and paper. Understand the rules for direct marketing (if relevant). Understand the rules for cross border transfers of personal data (if relevant). Embed the culture: embrace the data protection principles and train your staff. Appoint a DPO or Data Protection lead (consider outsourcing!).
  • 63. Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP. Mark Chynoweth: General Manager, RGDP LLP. 5th December 2018. QUESTIONS?
  • 64. GDPR: Staff awareness & education. Creating a human intrusion detection system. Technology: human & augmented intelligence. Individual training plans. Gamified training. Passwords and the dark web.
  • 65. GDPR: Human Intrusion Detection. What do we mean? An individual who is able to identify malicious activity and/or policy violations. Collectively, a group of individuals who are able to identify malicious activity and/or policy violations.
  • 66. GDPR: Technology, human & augmented intelligence. What do we mean? "Popular visions of artificial intelligence often focus on robots and the dystopian future they will create for humanity, but to understand the true impact of AI, its skeptics and detractors should look at the future of cybersecurity. The reason is simple: If we have any hope of winning the war on cybercrime, we have no choice but to rely on AI to supplement our human skills and experience." Source: Joanne Chen, Foundation Capital. © Jan. 2017
  • 67. GDPR: Individual training plans. Use machine learning at mailbox level. Assess each employee's ability to recognise threats. Each user is automatically graded. Personalised training based on this ability. Users progress as knowledge increases.
  • 68. GDPR: Gamified training. Categorise users into different groups. Deliver interactive, micro-learning methods. Training delivered individually, supported by over 50 gamified videos and 1,000 HTML scenarios. Memorable and fun.
  • 69. GDPR: Passwords & the dark web. Database of over 500 million breached passwords, adding to it at circa 10,000 each day. How do you know that your credentials are secure?
  • 70. Summary. Compliance is a journey. There is no silver bullet and everyone is compliant… until they aren't. Education and awareness takes many forms, but again, is a journey. Technology aids awareness, builds knowledge and mitigates risk. To find out more about how CyberWhite, IronScales and Authlogics can assist, please visit our stand.
  • 72. GDPR Scotland Handling DSARs Post GDPR Helena Brown, Partner & Head of Data, Addleshaw Goddard LLP
  • 73. Life Post GDPR: Increased Public Scrutiny; Court Cases – Class Actions; Enforcement Notices.
  • 74. Data Protection Law in 2018 – Quick Reminder. General Data Protection Regulation ("GDPR"): Provides the general framework for handling personal data in Europe. Data Protection Act 2018: Applies the GDPR in the UK and provides exemptions from certain rules, e.g. subject access requests. Should be read in conjunction with the GDPR. Note that the Data Protection (Charges and Information) Regulations 2018 require certain organisations to register with the ICO in the UK (in addition to the Article 30 Register). Privacy & Electronic Communications Regulations: Specific legislation for electronic marketing including email, cookies and online behavioural advertising. This is currently undergoing review by the European authorities.
  • 75. What will we cover? ▶ The DSAR landscape post GDPR ▶ Managing Requests ▶ What needs to be disclosed?
  • 76. The DSAR landscape post GDPR
  • 77. DSARs – the landscape post GDPR ▶ Disproportionately high volume of complaints to the ICO are about DSARs ▶ Most organisations are experiencing some increase in rights requests ▶ Easier now that requests can be made verbally, but identification is an issue ▶ Increase in requests for erasure ▶ Some requests for rectification … increase in awareness of rights – customers and employees
  • 78. Identifying a DSAR. Can be made in any format and even verbally (consider identification issues). Keep an eye on social media accounts. Valid if received by ANYONE in your organisation – think about training.
  • 79. What personal data needs to be disclosed?
  • 80. Personal data checklist… Individual must be directly identifiable from the data, but can also be data identifiable from other data held. Can include opinions made about an individual by another. Decisions and the decision-making process may also be caught. Must "concern" the individual. Electronic records and relevant filing systems.
  • 81. Some Examples ► Common examples: name, address, date of birth, national insurance number, passport number, salary information, performance information ► Correspondence (emails, IMs) ► Opinions expressed about an individual ► Information from monitoring: phone calls; CCTV footage. Remember: the right is to information, not documents: it is acceptable to extract information provided context is retained.
  • 82. What needs to be provided? A copy of the personal data requested AND individuals also ‘have the right to obtain’: ▶confirmation as to whether personal data are processed ▶a copy of the personal data ▶purposes of processing ▶categories of personal data ▶to whom data has been disclosed (in particular if overseas) ▶how long data will be stored for ▶the right to lodge a complaint with the ICO ▶where the personal data was obtained from ▶whether any automated decision making has taken place
  • 84. DSAR Response Steps. Step 1: Recognise / Verify DSAR ▶ Identify the request as a DSAR ▶ Identify the individual ▶ Check what personal data is covered; is there enough information to locate the personal data? Step 2: Locate the relevant data. Use the search parameters given – can include: ▶ all e-mails and documents that relate to that individual; ▶ all hard-copy files that are structured by reference to the individual; ▶ voice recordings, photographs or CCTV images; ▶ information processed by data processors.
  • 85. DSAR Response Steps (cont.) Step 3: Assess what should be disclosed ▶ is it personal data? ▶ does it meet the parameters of the request (remove anything outside timescale or scope) ▶ consider exemptions Step 4: Respond ▶ Securely provide the information requested, within 1 calendar month of request Step 5: Record ▶ Keep a record of searches done, information returned and redactions and exemptions applied: you will be asked for these if the ICO investigates
  • 86. Focusing scope of request
  • 87. THE STARTING POINT IS THAT WE MUST PROVIDE ALL PERSONAL DATA….
  • 88. Managing a DSAR response Exemptions (DPA 2018 and GDPR) Redactions Remove non “personal data” Focus request: subject / timescale
  • 89. Excessive Requests? ▶ If a request is "manifestly unfounded or excessive": ▶ A 'reasonable fee' to cover administrative costs can be charged, OR ▶ The request can be refused ▶ What is "manifestly unfounded or excessive" will be a high bar… disproportionate effort cases under the old DPA 1998 may be relevant.
  • 90. Is it actually personal data? ▶ Information must 'relate to' the identifiable individual to be personal data. ▶ This means that it does more than simply identify them – it must concern the individual in some way. ▶ To decide whether or not data relates to an individual, you may need to consider: ▶ the content of the data – is it directly about the individual or their activities?; ▶ the purpose you will process the data for; and ▶ the results of or effects on the individual from processing the data.
  • 91. Some recent developments… ▶ Lonsdale v NatWest Bank (Sep 2018) ▶ Suspicious activity report – individual had accounts closed, made a claim and a DSAR ▶ On application to the High Court to strike out the DPA claim, held that personal data included: ▶ business decisions made by the bank; ▶ information relating to suspicious activity reports and reasons for closing accounts; ▶ data used to inform actions / decisions.
  • 92. The Main Exemptions: Third party information; Management planning / forecasting; Legal professional privilege; Negotiations with requestor; References (given and received).
  • 93. Third Party Information Checklist. Has the individual consented? Is it reasonable to comply without that consent? Remember you are not obliged to ask for consent. Factors to consider include: type of information; duty of confidentiality owed; steps taken to seek consent; capability of giving consent; express refusal of consent.
  • 95. We’d love to hear from you… HELENA BROWN Partner, Head of Data +44 (0)131 222 9544 +44 (0)740 773 5118 helena.brown@addleshawgoddard.com ROSS MCKENZIE Partner +44 (0)1224 965 418 +44 (0)791 876 7330 ross.mckenzie@addleshawgoddard.com JOANNE SNEDDEN Managing Associate +44 (0)131 222 9541 +44 (0)7501 463230 joanne.snedden@addleshawgoddard.com
  • 96. GDPR: Managing 3rd and 4th Party Vendor Risk
  • 97. Agenda 1 | Introduction 3 | Vendor Risk Management Today 2 | Vendor Risk Under the GDPR 4 | A Better Approach to Vendor Risk Management
  • 101. Vendor Risk Under the GDPR
  • 102. Breaches and Regulations Make Vendor Risk a Priority. Vendor-related data breaches on the rise in 2018: 5 million credit and debit card details exposed; 150 million health data records exposed; 92 million DNA site customer details exposed. Regulatory liability has shifted: "Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide 'sufficient guarantees' that the requirements of the GDPR will be met and the rights of data subjects protected."
  • 103. Terminology & Concepts: Controller. 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Reference: GDPR Article 4(7). Copyright © 2018 OneTrust LLC. All rights reserved. Proprietary & Confidential.
  • 104. Terminology & Concepts: Processor. 'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Reference: GDPR Article 4(8).
  • 105. GDPR Context. Responsibility of the Controller: Article 24, Recitals 74-77, 83. Processor: Article 28, Recital 81. Processing under a Controller or Processor: Article 29. Transfer Subject to Appropriate Safeguards: Chapter V (Articles 44-50), Recitals 101-116. Controllers are responsible for not only their own data protection measures, but also those of their processors.
  • 106. GDPR Responsibilities of Controllers & Processors (Articles 24, 28, 29). Summary: • Controllers shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures • Processors shall not engage another processor without prior specific or general written authorisation of the controller • Processors shall engage other processors only under the same data protection obligations • May not process personal data except on instructions from the controller. Scope: All processing of personal data by a processor as instructed by a controller. Other requirements: • Take into account nature of processing and risks (likelihood and severity) • Demonstrate compliance • Implementation of data protection policies.
  • 107. Transfers Subject to Appropriate Safeguards (Articles 44-50). Summary: • Controllers • Transfers of personal data to third countries may take place only if one of three conditions is met (in order): • Adequacy decision • Appropriate safeguards • Derogation. Scope: Transfer of data to a third country or international organisation. Other requirements: • Appropriate safeguards: • Legally binding and enforceable instrument between public authorities/bodies • BCRs • "Model clauses" • Approved code of conduct • Approved certification mechanism.
  • 110. Disjointed Processes; 3rd, 4th, 5th Party Risks; Contract Agreements; Global Compliance. No Automation = Time-Intensive & Costly Work. Outdated Spreadsheets, Data In Multiple Tools. Limited Visibility, Limited Mitigation. Frequent Subprocessor Changes. Complex Cross-Team Effort. Many Vendor Variations, Lack of Accountability. Difficult Documents to Sift Through. Diverse Laws Create Complexity. Cross-Border Data Transfers, Breach Notification, etc. No Central Platform = Outdated Information & Lack of Risk Tracking.
  • 111. Are You Able to Ask the Right Questions? Are you assessing vendors on an ongoing basis? Are your vendor data flows keeping your central data map & ROPA evergreen? Are you assessing 4th party vendors? Can you search all vendor contracts to know what data processing agreements are in place? Are you dependent on manual questionnaires or can you pre-populate or scan data? Do you need to manually review the results of questionnaires? When risks are identified, do you have a central way of assigning ownership and tracking remediation? Can you easily demonstrate compliance and accountability if audited? When a vendor is offboarded do you have evidence of data destruction and honored confidentiality? Do you have central way of detecting, tracking, approving sub-processor changes?
  • 112. A Better Approach to Vendor Risk Management
  • 113. The Better Approach to Vendor Risk Management: Proactive Monitoring, Detection; Automated Workflows; Pre-Defined Databases of Information; Self-Service & Intelligent Assessments.
  • 114. Steps to Better Vendor Risk Management. Onboard Vendors: Self Service Portal; Procurement Integration; Bulk Import. Triage & Assess Risks: Automate Self-Service Assessments; Utilize pre-built industry or customized templates; Automated Risk Flagging; SIG & Lite SIG. Document & Demonstrate: Dashboards & Reporting; Feed Into Article 30 Records; Contract & DPA Management. Monitor Vendors: Automated Vendor Privacy Scanning; 4th Party & Sub-Processor Auto Detection; Pre-Scheduled Re-Assessments. Offboard: Off-boarding Checklist; Business, Legal and Vendor Confirmations; Attach Evidence on Steps Taken to Offboard Vendors.
  • 115. Step 1: Onboard. Identify vendors; bulk review; controller vs. processor; checklist & agreements; leverage guidance. Prioritise not just risk, but the expected long-term relationship with the vendor.
  • 116. Step 2: Triage & Assess. Build checklists relevant and specific to your business/type of vendors: 1. Get basic information; 2. What data is processed?; 3. How is data processed?; 4. Prioritise by risk; 5. Send questionnaires.
  • 117. Step 2: Triage & Assess. SIG & Lite SIG assessment frameworks available by default within tech solutions. Combine & customize, or create your own assessment from scratch. Automatic risk flagging and rules engine.
  • 118. Step 3: Document & Demonstrate. 1. RISKS: What do you do with the risks identified? 2. AGREEMENTS: Do you centrally store contract/data processor agreements? 3. ARTICLE 30: How do you keep records up to date?
  • 119. Step 4: Monitor Vendors. Sub-processor list sources: RSS feed; website or knowledgebase article; contract or Data Processor Agreement (DPA). Auto-send risk assessments to sub-processors.
  • 120. Step 4: Monitor Vendors. Monitor 4th Party Vendor Changes. (Diagram: your organisation linked to three 3rd party vendors, each of which has its own 4th party vendors.) You can be held accountable for the vendors you work with. That includes the vendors your vendors work with.
  • 121. Step 5: Offboarding Management • Monitor expiration dates • Ensure vendors are following proper confidentiality agreements Roles & Responsibilities • Whose job is it to manage offboarding? Privacy team? Vendors? • Make sure this is clear in contracts Backups • Ensure backups are properly handled • Vendor backups • Internal business backups
  • 122. Operationalize Process with Integrations. Operational Impact: IT/Consulting resources for scaling Vendor Risk Management. Integrations: Asset Inventory/CMDB; Project Management; GRC; Procurement / Contract.
  • 123. The #1 Most Widely Used Privacy Management Platform. Assessment Automation: PIA | DPIA | PbD | InfoSec. Privacy Program Management: Data Protection by Design and Default (PbD); Data Inventory, Mapping, Records of Processing; Global Readiness and Accountability Tracker. Incident and Breach Response: Privacy and Security Incident Intake; Incident Risk Assessment Automation; Global Data Breach Law Engine; Notification and Reporting Obligations. Vendor Risk Management: 3rd Party Privacy & Security Risk Assessments; 4th Party Sub-Processor Auto-Detection; Vendor Compliance Scanning; Contract & DPA Management. Marketing Consent, Preferences, & Subject Rights: Cookie Consent and Website Scanning; Enterprise Preference Center; Universal Consent Management; Data Subject Rights Portal.
  • 124. Free GDPR Workshops 4.5 IAPP CPE Credit Hours OneTrust Certification Program in Select Cities Monthly GDPR Webinar Series Hosted by Top Tier Law Firms & Consultancies RSVP TODAY PrivacyConnect.com 2018 WORKSHOP SCHEDULE Amsterdam Dublin Düsseldorf Warsaw Vienna Manchester Geneva London Zürich Paris Lisbon Helsinki Madrid Tallinn Bucharest Copenhagen Seattle Portland Chicago Vancouver Toronto New York Atlanta Houston Denver San Francisco Los Angeles Rome Stockholm Brussels Berlin Munich Oslo Prague Barcelona Budapest Hamburg Belfast Milan Athens ”This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.” Boston Washington Austin Charlotte Phoenix Sydney Singapore Melbourne Hong Kong Auckland Tel Aviv Dubai Abu Dhabi Doha
  • 125. Visit Our Booth Product Demos Full Text GDPR Books Free Tools & Templates GDPR Workshops Let’s connect @OneTrust!
  • 126. Authentication mechanisms and the GDPR Jon Langley Senior Technology Officer (Technology Policy) GDPR Scotland Summit Dynamic Earth, Edinburgh 5 December 2018
  • 127. What do we mean by authentication?
  • 128. Types of authentication Something you know Something you are Something you have Password, PIN etc Biometrics Certificate, key, card etc
  • 129. What’s the problem with authentication?
  • 130. People
  • 131. Policies and procedures? "The password used was the individual's username with 01 after it. So it met the purely technical standard [that the organisation had in place], but was easily guessable and very definitely not in line with best practice or the advice we give to staff."
  • 133. What does the GDPR say about authentication?
  • 135. Article 32 - security ‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
  • 137. Consider the situation What personal data are you protecting? Who is using the system? What are the possible threats to the system?
  • 138. Plain text and hashing algorithms
  • 139. Some specifics. Password managers: let people use them. Blacklisting: how to stop your users having bad passwords. Credential stuffing: can you defend against it? Regular changes: should we still do this? Admin accounts: consider higher levels of protection. Reset process: make sure it's secure.
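An added example, not part of the ICO presentation, that turns the points on slides 138 and 139 into a registration check: the candidate password is refused if it appears in a breached-password denylist or is derived from the username (the "username followed by 01" case quoted on slide 131), and what is stored is a salted PBKDF2 hash rather than plain text. The denylist entries, MIN_LENGTH and iteration count are constructed sample values, and PBKDF2 from the standard library stands in for whatever KDF a deployment uses.

```python
import hashlib
import hmac
import os
import re

# Constructed denylist standing in for a breached-password corpus such as the
# 500-million-entry database mentioned earlier in the deck (sample values only).
BREACHED_PASSWORDS = frozenset({
    "password", "password1", "qwerty123", "letmein", "welcome01",
})

MIN_LENGTH = 10              # assumed policy value, not taken from the slides
PBKDF2_ITERATIONS = 200_000  # assumed work factor, kept modest so the demo is quick


def _core(value: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols, so that
    'jsmith01' and 'JSmith!' both reduce to 'jsmith'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", value.lower())


def derived_from_username(password: str, username: str) -> bool:
    """True when the password is the username with decoration such as '01'
    added (the pattern in the quoted incident) or contains the username
    outright. For e-mail style usernames only the local part is used."""
    user = _core(username.split("@", 1)[0])
    if len(user) < 3:  # too short to be a meaningful signal
        return False
    return _core(password) == user or user in password.lower()


def check_password(password: str, username: str,
                   denylist=BREACHED_PASSWORDS) -> list:
    """Return the list of reasons a candidate password is rejected.
    An empty list means the password passes every check."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in denylist:
        reasons.append("appears in breached-password list")
    if derived_from_username(password, username):
        reasons.append("derived from username")
    return reasons


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 from the standard library (bcrypt, scrypt or
    Argon2 are the usual production choices). The result is self-describing
    so the work factor can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time; malformed records never verify."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(username: str, password: str) -> str:
    """Apply the policy checks and return the record to store, or raise
    ValueError listing why the password was rejected."""
    reasons = check_password(password, username)
    if reasons:
        raise ValueError("password rejected: " + ", ".join(reasons))
    return hash_password(password)


if __name__ == "__main__":
    # The username-plus-01 password from the quoted incident fails the policy
    # even though it met a purely technical complexity rule.
    print(check_password("jsmith01", "jsmith"))
    record = register("alice", "correct horse battery staple")
    print(record[:32] + "...", verify_password("correct horse battery staple", record))
```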
  • 140. What will authentication look like in the future?
  • 142. Passwords in online services
  • 144. Summary • Authentication is potentially difficult − People will always take the route of least resistance, we have to allow for this • The GDPR requires you to take account of all the circumstances − Your authentication mechanisms must be tailored to specific circumstances
  • 145. Keep in touch. Subscribe to our e-newsletter at ico.org.uk, or find us on… @iconews /iconews /icocomms /company/information-commissioner's-office. Jonathan.langley@ico.org.uk
  • 146. Best GDPR practice from the Marketing frontline Dr Simone Kurtzke, Programme Leader, MSc Digital Marketing, Robert Gordon University Jason Stewart, E-Commerce and Digital Manager, Aberdeen International Airport
  • 147. • Brief history of permission-based marketing • Research: Consumer trust in data security • Compliant and fun: GDPR as opportunity • Case study: AGS Airports - Marketing after GDPR • Priority checklist for SME GDPR marketing What we’ll cover today
  • 148. Permission-based marketing Permission marketing is an approach to selling goods and services in which a prospect explicitly agrees in advance to receive marketing information. Seth Godin, 1999
  • 149. Consumer consent in UK law • 1998 Data Protection covers data stored on computers but doesn’t define ‘consent’ • 2003 Privacy & Electronic Communications Regulations requires opt-in consent for marketing messages – illegal to send unsolicited email • 2012 EU ‘Cookie Law’ – consent required to serve non-essential website cookies (e.g. for advertising and tracking)
  • 150. Permission as Privilege – Consumer research • Data security is the first driver of trust in brands – but 50% of consumers do not want personal data used at all (Kantar TNS 2018) • 72% of consumers think businesses, not government, are best equipped to protect them (PwC Protect Me 2017) • 60% of 16-18 year olds trust a machine over humans (40%) to protect their data / privacy (Edelman Trust Barometer 2018)
  • 151. Implications for Brands • Provide data security reassurance – be explicit and comply (to reduce worry) • Be transparent – clearly communicate what data is used for (to generate trust) • Use consumer data to provide value / add utility (convenience / customer experience)
  • 152. GDPR: Opportunity to build trust & be useful • Traditional lead-gen activities (prize draws, ‘free’ Wi-Fi with pre-ticked e-newsletter sign-ups) are no longer possible • Data trust = competitive advantage • ‘Transparency in the intent’ – sceptical, informed consumers trust truthful brands offering tangible benefits • What is the VALUE of my CHOOSING to share my data with you?
  • 153. GDPR Examples - Repermission
  • 156. GDPR Examples – Software Trial: SuperOffice free trial sign-up https://www.superoffice.com/
  • 157. GDPR Examples – Enews opt-in (compliant): Sainsbury’s online account registration https://www.sainsburys.co.uk/
  • 158. GDPR Examples – Enews opt-in (non-compliant): Sainsbury’s magazine newsletter (date checked: 3/12/18) https://www.sainsburysmagazine.co.uk/newsletter
  • 160. Case study: AGS Airports - Marketing after GDPR
  • 161. About AGS Airports • We’re the second biggest airport group in the UK, comprising Aberdeen, Glasgow and Southampton Airports • Combined, we look after 15 million passengers every year • The AGS Digital team is a stand-alone team working across the group • Pre-GDPR, we undertook a two-year project to get ready for the legislation changes
  • 164. A big brand, with a big audience • 1.92m – collective number of social media followers for AGS • 10.01m – emails sent to AGS customers YTD 2018 • 251k – the number of customer records held on the collective AGS customer CRM database
  • 165. Using big data to personalise communications • Richer data = more targeted and contextual communications to our customers • The more we know about our customers, the more we can tailor their online experience
  • 166. GDPR – what’s changed for AGS? • Very little! At AGS we aim to exceed legislative requirements for data security • Appointment of full-time DPO • Data security by design – procurement, IT, DPIAs, data audits, policy reviews etc. • Automated, encrypted and anonymized marketing data/transfers • No sharing of marketing data • More explicit and defined opt-in procedures • Redefined data retention policy • Higher degree of segmentation for marketing communications • “Hard” unsubscribes – opt out from one, opt out from all.
  • 167. GDPR – what’s changed for AGS? • Established, loyal customer database • Average <0.5% unsubscribes • Open rates exceed 20% • Opt-out opportunities sent pre-GDPR • Links to unsubscribe and refreshed privacy policy • Unsubscribe rate just 1.2% • Key to establish already-engaged customer lists, and only communicate to engaged customers
  • 168. Marketing data – what’s next for AGS? • Utilising consensually-provided data to personalise and improve the AGS passenger journey • API-driven data collection to CRM database • Real-time user segmentation and omnichannel, personalised communications • Examples: – Ability to provide ancillary products and services based on travel plans – Live real-time communications based on tracked flights – Send communications to people in the airport at this moment – Exclude customer segments from communications they are unlikely to be interested in using real-time data segmentation
  • 169. Marketing data – what’s next for AGS? Mobile app – launching Q2 2019 • Utilising real-time API customer data • Push notifications based on tracked flight • Ability to easily book and manage airport products such as lounge passes • Geo-fencing within the terminal environs to enable in-terminal push notifications
  • 170. Marketing data – what’s next for AGS? Post-purchase journey: using customer data to serve products and services that are relevant to their destination; providing a service that is useful and easy to use for passengers.
  • 171. Marketing data – what’s next for AGS? Signed-in user experience – making things easier… • Creating a “single sign-in” across the website and booking systems • Allowing users to save and manage all of their flights, as well as the products they have booked • Using PCI DSS compliant services to store and use customer data • Data powers “one click ordering”, a world first for airports.
  • 173. Priority checklist for SME GDPR marketing
  • 174. GDPR Marketing Priorities for SMEs 1. Review & audit opt-in status of existing database contacts 2. Create process & workflow for current & new data collection activity (incl. website and all marcomms collateral) 3. Gather opt-in consent from valuable existing contacts 4. Train sales team on compliant leads management
  • 175. GDPR Marketing Priorities for SMEs 5. Create process to handle data information requests 6. Create process for GDPR breaches (incl. crisis comms) 7. Review external partners / third party suppliers for compliance (incl. digital tools e.g. WordPress plug-ins, scheduling tools) 8. Update your privacy page 9. Create process for ongoing ‘best practice’ database management (for clean, compliant data)
  • 176. GDPR Marketing for SMEs – Key resources • Download and review marketing specific checklists (e.g. BusinessBrew, DMA) • ICO direct marketing checklist & Code of Practice (to be updated, currently in consultation) • ICO data protection self-assessment toolkit (includes direct marketing, data sharing & records management checklists)
  • 177. Final words – The Benefits of GDPR • Higher quality leads • More accurate data • Better customer experience • Stronger relationships with customers • More effective Marketing
  • 179. Furkan Sharif Legal & General @landg_uk #gdprscot
  • 180. Data Stewardship for Accountability and Ownership Furkan Sharif LLM (Information Management Consultant) 05/12/2018 Public
  • 181. GDPR BAU – GDPR Challenges • GDPR programme post 25/05 … the work starts NOW!!! • Change attitudes & behaviours: first-line ownership for PII… it’s not an “IT” problem!! • Maintain a culture of Data Protection by Design and Default? • How can we manage the PII data lifecycle (structured & unstructured)? • How do we accurately maintain the Records of Processing Activities? • Where is the guidance and support within 1st line, i.e. accessible SME knowledge? • Stay abreast of privacy law as the business evolves!! • Are GDPR controls stifling business growth, resulting in lost opportunities?
  • 182. GDPR MISSION STATEMENT “Successful implementation of GDPR is not just about new processes, but equally about empowering the business to take a proactive approach to encourage the right behaviours in order to maintain a culture where privacy is a default position”
  • 183. Why Data Stewardship? • Need for a conduit between Legal, the DPO and the shop floor!! “Speak the language with local knowledge” • 1st line DP SMEs, “human interaction”: first point of call for data protection • Accountable: embed and develop BAU compliance processes – SAR, breach notification process, DPIA & LIA (HEALTHCHECKS) • Evidencing and documentation: “maintenance” of Records of Processing Activities (RPA), privacy notices, DPIAs, LIAs • Escalation: 1st line compliance coordination and escalation path to 2nd line DPOM • Management Information: “process efficiency” monitoring MI – daily / weekly / monthly MI reports to 2nd line • Issue management: undertaking investigations and taking remediation actions • 1st line attestation with risk management framework evidencing • Communication and awareness: reinforcing key educational and training messages, promoting a proactive culture of data protection and information management
  • 185. Data Steward Accountabilities • SME: understand local business processing and systems; day-to-day application of the Data Protection framework • Communication: policy compliance – local business leadership vs 2nd line, facilitate two-way communication; security – liaison with IT Security when appropriate (TOM) and data governance activity • Evidencing & Accountability: Record of Processing Activities (Art 30); Data Privacy Impact Assessment (DPIA); SARs / rights process MI; coordinate data breach escalation process / investigation • Data Governance: provide local support and oversight in the delivery of the Data Protection Framework; support for data classification; data retention & deletion • Management Information (KPIs): Data Governance Framework performance reporting – support of DPOM through the provision of needed management information; production and reporting of data-breach-related management information • Training & Awareness: provision of training in support of the Data Governance Framework; data classification training for updates and new entrants; GDPR training for updates and new entrants, in line with dedicated Training Resource; support local business leadership and the DPOM in GDPR capability development
  • 187. Data Steward Awareness Campaigns – CLAP Campaign: Classify, Label And Print • Posters & large banners (communications / awareness) • Introduction of Data Stewards to BU • Posters on notice boards, in printing areas and communal areas • Animations: “Tina the Trainer”, brand, and characters from the GDPR programme • Newsletters from internal comms • Data Stewards conduct training, presentations, emails
  • 189. Professional development of Data Stewards? • Data Steward Handbook • Training (professional certificate) • DPO support & encouragement • Weekly stand-ups (forums) • Share knowledge
  • 190. Success through the Stewardship Approach • Accountability- and ownership-driven approach • Documented and accurate RPA – transparency and ownership • Evolving processes fully embedded in 1st line: periodic reviews • Proactive approach and knowledge sharing through the stewardship community • MI up-to-date with evidence to support compliance for executive attestation • Business understands privacy risks and is accountable for mitigation actions • 2nd line SME oversight and support for 1st line privacy SMEs
  • 192. AtheneSecure – The New Business Opportunity. Mark Evans MBA B.Sc.(Hons) FIP, CIPP/E, CIPM, CISM, CISSP, Director – Athene Secure Ltd. Pragmatic Data Protection. Emphatic Cyber Security.
  • 195. Peak Snake Oil – There is no silver bullet
  • 197. The Doctrinaire counter to “Snake Oil” – Your own style, your own way, your own business
  • 201. Pragmatism, Efficiency, Engagement – Telling the world that you’re taking data protection seriously.
  • 207. “A good plan violently executed now is better than a perfect plan executed next week.” George S. Patton
  • 209. It’s not all about “size”… (of budget)
  • 213. When ‘bad publicity’ is simply bad publicity…
  • 216. ICO – Interesting Coat Outfitters #interestingcoatoutfitters
  • 218. Put out fires for your competitors’ customers
  • 219. Clean up the mess your competitors have made for their data subjects
  • 220. Clean up the mess your competitors have made for your new customers
  • 221. Let your customers know that you love them… and continue to prove it!
  • 222. Make the road as smooth as possible for: • your business • your team • your customers • the regulator – and enjoy the journey.
  • 223. Thank you – Mark Evans MBA B.Sc.(Hons) FIP, CIPP/E, CIPM, CISM, CISSP, Director – Athene Secure Ltd. Pragmatic Data Protection. Emphatic Cyber Security. @markxavierevans mark.evans@athenesecure.com
  • 224. Panel Discussion: Dr Simone Kurtzke, Claudia Pagliari, Furkan Sharif, Mark Evans, Jonathan Langley #gdprscot