The six steps for complying with GDPR are:
1. Know your data - Conduct an audit to understand what personal data is collected and where it is stored.
2. Classify the data - Determine if the data is personal, sensitive or confidential.
3. Justify the data - Establish the lawful basis and purpose for collecting and processing the data.
4. Plan how the data will be handled - Outline the full data lifecycle and retention periods.
5. Control access to the data - Implement security measures and restrict access to authorized personnel only.
6. Be prepared for a data breach - Have response plans in place and know when to report breaches to
2. What is the General Data Protection Regulation (GDPR)?
• EU-GDPR established to protect the rights and freedoms of EU citizens (data subjects)
• The Data Protection Act 2018 included all the clauses from the EU-GDPR
• Data Protection, Privacy and Electronic Communication Regulations
• UK-GDPR 2021
• Data Protection, Privacy and Electronic Communication Regulations
• UK-GDPR 2021
3. General Principles of the UK-GDPR
Data shall be:
• Processed lawfully
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited
• Accurate
• Kept in identifiable form for no longer than is necessary
• Processed in a manner so as to ensure security
4. What are the six steps?
• Step 1: Know your data
• Step 2: Classify it
• Step 3: Justify it
• Step 4: Plan it
• Step 5: Control it
• Step 6: Be breach ready
6. Know your data - Discussion
• Whose data do you hold?
• What personal data do you collect?
• Where does your data live?
• How many copies of data sets do you have?
• Which members of the team have their own data?
8. Where is your data currently kept? - Discussion
- Spreadsheets
- Databases
- Server/NAS Drives
- Cloud
- Laptops
- Backups
- Mobile phones
- USB Sticks
- Websites
- CRM Software
- Email marketing contacts
Where should it be kept?
9. What about the data you are sharing?
Do you share data with:
• Subcontractors?
• Suppliers?
• Temp staff?
• Associates?
Data is an asset…
But it can also be a liability!
You don’t want old and out of date information hanging around anymore. Think about old systems you may have previously used. Is there still data on them? If so, consider deleting it!
10. Be aware of data fragmentation
• Naturally, as an organisation with a number of employees, it is easy for data to become fragmented.
• As we utilise more software and devices, that data can become more and more fragmented.
• Complete a bit of an audit to help you understand where your data sits.
11. Is it time to move to a CRM?
To manage customer data all in one place rather than having it fragmented across multiple areas.
- Is it GDPR compliant?
- Can you store all your data?
- Does it integrate with emails, calendars, phone systems, etc.?
- Who needs access? Staff? Volunteers? External orgs? And at what levels?
12. Share don’t attach
To reduce data fragmentation, reduce the number of duplicate documents across the organisation by getting into the habit of sharing documents rather than attaching them to emails.
Microsoft 365, Google Workspace and Google Drive enable us to quickly and easily share access to docs, files and folders.
14. What is personal data?
“Personal data” means any information relating to an identified or identifiable natural person, in particular by reference to:
• A name
• An identification number
• Location data
• An online identifier
• Or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
15. What is personal data?
We also have “Sensitive Personal Data”, which consists of the following:
• Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
• Trade-union membership
• Genetic data, biometric data
• Health related data
• Data concerning a person’s sex life or sexual orientation
16. What is confidential data?
We also have “Confidential” business information, which refers to information whose disclosure may harm the business. Such as:
• Trade secrets
• Sales and marketing plans
• New product plans
• Notes associated with patentable inventions
• Customer and supplier information
• Financial data
• Account information
• Passwords
“Confidential” is not a GDPR classification, but you may want to classify this data yourself.
17. How do we classify data?
Data set        Fields                                            Classification?
Marketing data  Name, Postcode, Email                             ?
Customer data   Name, Address, Email, Bank details                ?
Staff data      Name, Postcode, Email, Religion, Health records   ?
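The classification exercise above, turned into an audit aid. This is an added example, not material from the course: it applies the deck's three categories (personal, sensitive, confidential) to the field names of a data set. The keyword lists are my paraphrase of the definitions on the preceding slides, and substring matching on field names is a first-pass heuristic, not a legal determination.

```python
"""Added example (not from the course slides): classify a data set by its fields.

Assumptions (mine, not the course's): the keyword lists paraphrase the deck's
definitions; fields are matched by case-insensitive substring, which is a
heuristic for a first-pass audit, not a legal determination.
"""
from dataclasses import dataclass, field

# Special-category ("sensitive personal data") indicators.
SENSITIVE_TERMS = ("racial", "ethnic", "political", "religio", "philosoph",
                   "trade union", "trade-union", "genetic", "biometric",
                   "health", "medical", "sex life", "sexual orientation")
# Confidential business information (not a GDPR classification, flagged separately).
CONFIDENTIAL_TERMS = ("bank", "account", "password", "trade secret",
                      "financial", "sales plan", "product plan", "patent")
# Identifiers that make a record personal data.
PERSONAL_TERMS = ("name", "address", "postcode", "email", "phone", "date of birth",
                  "id number", "location", "ip address", "cookie", "username")


@dataclass
class Verdict:
    dataset: str
    classification: str   # "sensitive personal data", "personal data" or "not personal data"
    personal: bool
    sensitive: bool
    confidential: bool    # separate flag: confidential is not a GDPR category
    triggers: dict = field(default_factory=dict)  # field name -> categories hit


def _hits(field_name, terms):
    lowered = field_name.lower()
    return any(t in lowered for t in terms)


def classify_dataset(dataset, field_names):
    """Classify a data set by its most sensitive field: one special-category
    field (e.g. religion or health) makes the whole set sensitive, while bank
    details make it confidential but not sensitive."""
    triggers = {}
    for name in field_names:
        cats = [c for c, terms in (("sensitive", SENSITIVE_TERMS),
                                   ("confidential", CONFIDENTIAL_TERMS),
                                   ("personal", PERSONAL_TERMS)) if _hits(name, terms)]
        if cats:
            triggers[name] = cats
    sensitive = any("sensitive" in c for c in triggers.values())
    confidential = any("confidential" in c for c in triggers.values())
    # Special-category data is personal data by definition.
    personal = sensitive or any("personal" in c for c in triggers.values())
    if sensitive:
        label = "sensitive personal data"
    elif personal:
        label = "personal data"
    else:
        label = "not personal data"
    return Verdict(dataset, label, personal, sensitive, confidential, triggers)


if __name__ == "__main__":
    # Constructed input: the three data sets from the slide's table.
    for ds, cols in (("Marketing data", ["Name", "Postcode", "Email"]),
                     ("Customer data", ["Name", "Address", "Email", "Bank details"]),
                     ("Staff data", ["Name", "Postcode", "Email", "Religion", "Health records"])):
        v = classify_dataset(ds, cols)
        print(f"{ds}: {v.classification}; confidential={v.confidential}; {v.triggers}")
```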
19. What is the purpose of the data? What is the lawful basis for holding it?
There needs to be a lawful basis for collecting the information:
Contract: for example, to be able to supply goods or services that they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
20. Levels of consent
Level 1: Verbal consent
Level 2: Signed* consent
Level 3: Signed* by both parties
*Signed can mean a signature, a checked box or an agree button
21. Best practices for consent
• Active opt-in: a binary choice given equal prominence
• Granular: Give consent separately for different processing
• Named: Name your organisation and any third parties who will be relying on consent
• Easy to withdraw: the right to withdraw their consent at any time
22. Best practices for consent – A consent template
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
• the name of your organisation
• the name of any third-party controllers
• why you want the data
• what you will do with it
• that individuals can withdraw consent at any time
25. What is the process that your data goes through?
• Collection
• Storage
• Processing
• Deletion
26. How long should I keep it for?
Are there any requirements for the retention of any particular data? For example:
• Trade law;
• Tax law;
• EU contracts;
• Employment law;
• Administrative law;
• Regulations regarding certain professions, e.g. medical.
27. How long should I keep it for?
In the absence of any legal requirements, personal data may only be retained if necessary for the purpose of processing and must be deleted when:
• the data subject has withdrawn consent
• a contract has been performed or cannot be performed anymore
• the data is no longer up to date
• the data subject requests the erasure of data
• the retention is no longer necessary
Exceptions may apply for historical, statistical or scientific purposes.
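The retention rules on the last two slides expressed as a decision function, as an added example that is not part of the course material. It assumes (my modelling, not the course's) that each record carries the statutory retention period that applies to it, that "no longer up to date" is a per-data-set maximum age, and that the research exception keeps the record for archiving rather than deleting it.

```python
"""Added example (not from the course slides): a retention check encoding the
deck's rules. Assumptions (mine): a statutory retention period, where one
applies, is a legal obligation and is checked before the deletion triggers;
the historical/statistical/scientific exception results in 'archive'."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


def _add_years(d: date, years: int) -> date:
    """Anniversary of d; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    dataset: str
    collected_on: date
    legal_retention_years: Optional[int] = None  # statutory period, e.g. 7 for accounts (course notes)
    max_age_years: Optional[int] = None          # after this the data counts as out of date
    consent_withdrawn: bool = False
    contract_complete: bool = False              # performed, or can no longer be performed
    erasure_requested: bool = False
    purpose_ended: bool = False                  # retention no longer necessary
    research_exception: bool = False             # historical, statistical or scientific use


def retention_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason); action is 'retain', 'delete' or 'archive'."""
    # A statutory retention period comes first: the deck's deletion triggers
    # apply only in the absence of legal requirements.
    if rec.legal_retention_years is not None:
        keep_until = _add_years(rec.collected_on, rec.legal_retention_years)
        if today < keep_until:
            return "retain", f"legal retention until {keep_until.isoformat()}"
    triggers = []
    if rec.consent_withdrawn:
        triggers.append("consent withdrawn")
    if rec.contract_complete:
        triggers.append("contract performed or no longer performable")
    if rec.erasure_requested:
        triggers.append("erasure requested")
    if rec.purpose_ended:
        triggers.append("retention no longer necessary")
    if rec.max_age_years is not None and today >= _add_years(rec.collected_on, rec.max_age_years):
        triggers.append("data no longer up to date")
    if not triggers:
        return "retain", "still necessary for the purpose of processing"
    if rec.research_exception:
        return "archive", "; ".join(triggers) + " (historical/statistical/scientific exception)"
    return "delete", "; ".join(triggers)


if __name__ == "__main__":
    # Constructed records: accounts under a 7-year rule with an erasure request,
    # and a marketing contact who has withdrawn consent.
    accounts = Record("accounts", date(2020, 1, 15), legal_retention_years=7, erasure_requested=True)
    contact = Record("marketing list", date(2022, 3, 1), consent_withdrawn=True)
    for rec in (accounts, contact):
        print(rec.dataset, retention_decision(rec, date(2024, 6, 1)))
```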
28. Privacy Policies vs Notices
• A full privacy policy is a very detailed document – very often a separate page entirely – and contains all the detail for the whole organisation.
• A privacy notice is an abbreviated version of the policy for the purposes of a sign-up form. This is also where you would have the consent form (checkboxes, etc.)
31. Privacy notices
● Describe all the privacy information that you collect about an individual, make available or provide
● Need to be a blended approach, using a number of techniques to present privacy information
● Demonstrate that you are using personal data fairly and transparently
● Include a ‘request’ for consent
If the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours.
32. Privacy Policy checklist
● Who are we?
● How do we collect information about you?
● How your information is used
● Third party service providers
● Your rights
● Security precautions
● Cookies
● Changes to this Privacy Policy
What does your Privacy Policy look like on the website?
33. Where should notices go?
● Orally - face to face or on the telephone (it’s a good idea to document this)
● In writing - printed media; printed adverts; forms, such as financial applications or job application forms
● Through signage - an information poster in a public area
● Electronically - in text messages, websites, emails and mobile apps.
36. How do we keep data safe?
• Who has access? Do the right people have access?
• How secure is it through its lifecycle?
• Where is it held?
• How do you process individuals’ rights?
• How long is it retained for and how is it deleted?
• Who do you see as Third Parties?
37. Are you ready for Cyber Essentials?
• Cyber Essentials is a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.
• Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.
About Cyber Essentials - NCSC.GOV.UK
39. Phishing emails
• Phishing is a type of email attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email
43. Can you recognise a phishing attempt?
https://www.independentage.org/information/money/scams/scams-quiz#main-content
44. Phishing emails – What must I do?
• Check the email address of the sender
• Hover over and check any links before clicking on them
• Does the email address you directly?
• Look out for spelling and grammar issues
• If in any doubt, then delete it!
• Inform others about suspicious emails, as they may have received the same one
• If you click a link or open a file from an email that seems suspicious, do not try to hide it; make sure to tell someone.
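Two of the checks on this slide, the sender address and the link destination, can be automated as a first filter. This is an added example, not course material: it assumes (my construction) a message given as a From header plus an HTML body, and flags a link whose visible text names a different host from the one the href actually points to, a link that is not https, and a display name that claims a brand from a domain other than the brand's own. All addresses and domains below are constructed.

```python
"""Added example (not from the course slides): automate the slide's
"check the sender" and "hover over links" advice on a constructed message.
Assumptions (mine): From header plus HTML body; the expected brand domain is
known in advance; all sample domains are invented for the example."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Host part of a URL, or of a bare domain written as link text, lower-cased."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def check_sender(from_header, expected_domain):
    """Flag a display name that claims the expected brand from another domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    brand = expected_domain.split(".")[0]
    genuine = domain == expected_domain or domain.endswith("." + expected_domain)
    if brand in name.lower() and not genuine:
        return [f"sender claims '{name}' but address is {addr}"]
    return []


def check_links(html_body):
    """One warning per link whose text and destination disagree, or which is not https."""
    parser = _LinkCollector()
    parser.feed(html_body)
    warnings = []
    for href, text in parser.links:
        target = _host(href)
        looks_like_host = "." in text.strip(".") and " " not in text
        shown = _host(text) if looks_like_host else ""
        if shown and shown != target:
            warnings.append(f"link text '{text}' points to {target}")
        if urlparse(href).scheme != "https":
            warnings.append(f"link to {target} is not https")
    return warnings


# Constructed sample: a lookalike sender and a link whose text hides its real destination.
SAMPLE_FROM = "Examplebank Support <support@examp1ebank-alerts.test>"
SAMPLE_BODY = ('<p>Please <a href="http://login.examp1ebank-alerts.test/verify">'
               'www.examplebank.test</a> now.</p>'
               '<p><a href="https://www.examplebank.test/help">Help</a></p>')

if __name__ == "__main__":
    for w in check_sender(SAMPLE_FROM, "examplebank.test") + check_links(SAMPLE_BODY):
        print("WARNING:", w)
```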
45. Spear phishing / CEO fraud
• Spear phishing is a more targeted attempt to reach a specific and well researched recipient while pretending to be a trusted sender.
• These emails often claim to be from the CEO of your company, or an organisation you do business with, and trick you into handing over sensitive information or money.
• Never believe these emails – always call or double check first.
47. Have I been ‘pwned’?
Have I Been Pwned: Check if your email has been compromised in a data breach
48. Malware: Viruses, Worms & Trojans
• Malware is software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
• Viruses are self-replicating programs that attach themselves to other programs or files
• Worms don’t need another file or program to replicate; they are self-sustaining
• A Trojan horse attack looks legitimate but performs unknown and unwanted activities, like keyboard loggers or a backdoor for hackers to access and control your system
49. Ransomware
Malicious software that sneaks onto your computer, encrypts your data so you can’t access it and demands payment for unlocking the information
• Nearly 50% of organisations have been hit with ransomware
• The average ransom demand is £1020
• Less than half of ransomware victims fully recover their data, even with backup
50. What should I do?
• Pull out the network lead or switch off Wi-Fi and switch off the computer
• DO NOT restart the computer or connect/reconnect to the network
• Pass it over to your IT team, who will delete, reformat and restore the system from an uninfected local, offsite or cloud backup
51. How should we better protect ourselves from breaches?
Update, update, update!
Allow PC and software updates to download as and when they become available. If there are any that pop up that you are unsure of, then make sure to confirm it’s safe with someone else first.
52. Use complex passwords
All passwords must be:
• Unique for each account that you use
• 8+ characters long
• Include upper- and lower-case letters
• Include a number
• Include a special character
Don’t use the same passwords for work and home
Don’t share logins and passwords
Don’t save your passwords into Word or Excel docs
Don’t have documents named “passwords”
Don’t use the word “password” in Emails
55. How secure is your password? How Secure Is My Password?
56. Creating Passwords and Activity
Take three words
Creating a Strong Password in 3 Steps:
1. Choose three random words: phoneglassesbowl
2. Change the first letter of each word to a capital: PhoneGlassesBowl
3. Add some numbers and/or symbols: PhoneGlassesBowl18!
Want to use it for more sites? Add the site as an identifier
• Amazon - AnPhoneGlassesBowl18!
• Ebay - EyPhoneGlassesBowl18!
• Google – GePhoneGlassesBowl18!
If you want to make it more complex
• Use five words
• Add more numbers
• Add a dash-between-each-word
57. Creating Passwords and Activity
• Use the initial letters of a favourite song or phrase, e.g. “Life is like a box of chocolates”: Lilaboc
• Include capital letters and lower case letters: LiLaBoC
• Include a memorable number or date: LiLaBoC19
• Include a symbol: LiLaBoC*19
58. Protect your data
Ensure the organisation’s data is only stored on the organisation’s devices.
● Always lock devices when unattended (Windows + L)
● Encryption - are all laptops encrypted?
● Don’t copy or export data without consent
Mobile device policies
● Protected from unauthorised access by at least a 6-digit PIN or a passphrase;
● Configured to ensure they automatically lock after a period of inactivity;
● Configured in such a way that they can be remotely wiped in the event of loss;
● Data is encrypted at rest;
● Only have trusted applications from reputable sources installed, and antivirus installed if using an Android device;
● Receive automatic software updates from the manufacturer and other 3rd parties; and
● Receive software updates for security patches within a reasonable timeframe.
59. Techniques to secure your data
1. Minimise - Reduce the amount of data you have
i. Delete – big audit
ii. Archive
iii. Build and enforce retention policies
2. Separate – separate personal information from daily tasks
i. Split database tables
ii. Spreadsheets separation
3. Anonymise or pseudonymise wherever possible –
i. in emails, texts, messages
ii. In other data sets
iii. In client reports
4. Access - Check your access rights
i. Who has access? Is it at the right levels?
ii. Password protection
60. Set up two factor or multi factor authentication
If you are using Dropbox, Google Apps, Office 365 or any cloud-based software, set up two factor authentication.
Usually this means you need your mobile phone with you to approve your sign-in. It’s very simple, but it will alert you to any attempts to access your information.
Google two step authentication
61. Look for HTTPS before entering any personal or sensitive info
• When a website is asking you to input any personal or sensitive information then make sure to look out for the ‘S’ at the end of ‘https’
• If it only says ‘http’ do not enter any info.
62. When out and about – be suspicious of public Wi-Fi
● Name that Wi-Fi - be suspicious of wireless networks on your device that show up with names like "Free Wi-Fi" or "Free Hotel Wi-Fi."
● Avoid using passwords - better to avoid activities where you're using passwords to log in to your most sensitive or important accounts.
● Let your computer help out. Windows and Mac OS X (those computers' operating systems) come with security features that can help protect you. Ensure they’re on.
● Look for the "s" for secure. Any time you're on a webpage, look at the address bar (above the web page) and the website's name. If you see "https" right in front, that website is encrypted, which means your data can't be read in transmission.
64. Always report something suspicious or lost
• If you lose something - tell your manager, never try to hide it
• If you click on something – tell your manager, never hide it
• If you see someone else acting suspiciously – report it
65. What is a breach?
A breach is any loss or mismanagement of data
Examples of breaches:
• Hacking of your website
• Sending an email with an attachment to the wrong person (sensitive info)
• Loss or theft of a laptop
• Loss of a mobile device, or selling it with data still on it
• Hacking of your emails
• Deleting a database by accident
66. When do individuals and the ICO have to be notified?
• Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly
• A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority
67. How do I notify a breach?
A notifiable breach has to be reported to the ICO within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows you to provide information in phases.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover.
68. Summary – Six Steps
• Step 1: Know your data
• Step 2: Classify it
• Step 3: Justify it
• Step 4: Plan it
• Step 5: Control it
• Step 6: Be breach ready
69. Thank you
Please complete the feedback form for this course using the QR code or this link.
https://forms.office.com/r/6G0cgGKLA1
Editor’s notes
EU-GDPR May 2018
DPA May 2018
DPPECR Oct 2020
UK-GDPR Jan 2021
https://uk-gdpr.org/chapter-2-article-5/
Highlight the 6 steps for GDPR above
Open up a discussion on the above questions?
Where does your data live? (Prompts)
Microsoft 365, Google Workspace
CRM systems – HubSpot, Capsule, etc.
Locally on devices? Laptops, tablets, smartphones
Accounting software? – Sage, QuickBooks, Xero
Email accounts? – Gmail, Outlook, AOL, Self hosted?
How many copies of data sets do you have?
Excel spreadsheets?
Copied across 365 & CRM? Accounting and Google Workspace?
Multiple revisions of client data?
Which members of staff have access to their own data?
Self employed?
Small org?
Freelancers?
Focusing on where data is kept (from the previous slide).
Open discussion on where it should be kept, i.e. remove multiple copies, use secure cloud systems, no “revisions”. (If using 365 or Google, let version history do this for you.)
Avoid saving on local software if “insecure”
Password protect devices (biometric, passcode, Password)
Password protect docs with sensitive data
If an email is sent to 10 people, use the multiple attachments example.
Refer to photo
Lamplight for charities and non profits
One of the alternatives here
(Google CRM name and GDPR, i.e. “HubSpot GDPR Compliant?”)
General Data Protection Regulation | HubSpot
E.g. a client shares an idea for a project/business. Not personal, not sensitive, but confidential.
Bank details are personal, but not sensitive. Account number, etc.
Which of these is classed as sensitive data? (ONLY STAFF DATA) – Bank details are not classed as sensitive data
Bank details don’t fit into the classification of sensitive, but are highly confidential
Look back at the classification list
Contract – if it’s about the service that you are offering, i.e. a job seeker who comes for advice. That is a contract
Legal – e.g. visitor book for fire safety/H&S, risk assessment
Consent – Consent to market or pass data to third parties.
Data goes through a cycle.
EU Contracts – have to hold data for about 30 years.
Accounts only need to be kept for 7 years
Activity – Check the privacy policy on the Well Grounded website
Have I Been Pwned: Check if your email has been compromised in a data breach
How Secure Is My Password? – ACTIVITY
Go to this website to test password strengths
Tutor to explain how to go about creating a password which will be secure to use.
Give learners 5 mins to come up with their own.
IF ISSUES ARE RAISED BY KEEPING PASSWORDS ON PAPER:
With regards to writing your passwords down on paper, almost all of the major security experts agree this is the safest, most secure way of password management providing that bit (or bits) of paper is kept safely. I would recommend reading this article to put your mind at ease - https://www.vox.com/2014/4/16/5614258/the-best-defense-against-hackers-writer-your-passwords-down-on-paper (one of the people mentioned in this article is Bruce Schneier, who is a hugely respected authority on digital security – his Wikipedia page can be found here: https://en.wikipedia.org/wiki/Bruce_Schneier)
In particular I will point out this paragraph within the above article – you may recall in particular I mentioned that if you go with the paper password method, you should keep a sheet of passwords completely separate to usernames:
“Don't leave the paper somewhere where people can copy it. It shouldn't be a Post-it note on your monitor or even under your keyboard. Store it in your wallet, or in an unmarked folder in your filing cabinet. You might want to consider keeping two different pieces of paper: one at home that has every password, and a second one in your wallet that just has the passwords you need every day. That minimizes the damage if you happen to lose your wallet.”
Information Commissioner’s Office
i.e. a job club for alcoholics. If that database was sent to someone by accident, and they gave it to a journalist who shared it on the news, that would be a breach of rights and freedoms