1.
www.eduserv.org.uk
GDPR Demystified
Making sense of the regulation
James Mulhern

2.
Agenda
• An Introduction
• What it really means
• What you’ve got to do about it
• But first …
• Where are you now?
• What do you already know?

3.
What is GDPR?
• General Data Protection Regulation
• Supersedes current EU Directive enacted in the DPA
• Law since May 2016
• Covers all data on living individuals
• Extends existing obligations
• Stricter requirements
• Substantial consequences
• Requires expert DPO
• Enforcement effective May 2018
Transparency
Compliance
Enforcement

4.
Can it really be demystified?
0
20
40
60
80
100
120
140
160
180
Articles Recitals Pages
How does GDPR compare to the DPA?
DPA GDPR
*Substantial proportion is for “Lead Supervisory Authority”

5.
FUD
It will:
• Not apply to us
because of
Brexit …
• be a damp squib
– “cookie law”
• cost you millions
to implement
and isn’t
financially
viable…
• End up being
GDPR-lite …
Its incompatible
with
• Cloud …
• Marketing …
• with business …
It doesn’t apply
to:
• Using the Cloud
• Marketing
• Data processors
• Corporate
Information
• Universities and
public bodies
You need:
• explicit consent
for everything
…
• to encrypt all
data …
You’re no longer
permitted to
• share or store
data overseas
• Performing
profiling
• Collect, store,
process or
share sensitive
data or data on
children
• Retained data
for more than 12
months
Any breach will
lead to a:
• fine of 20 million
Euros or more…
• prison sentence
….
Compliance is unachievable?

6.
Why it’s relevant post BREXIT
1. Regulation not a directive
2. The regulation is law now, the UK expected to be in EU
for next few years
3. For the UK to trade with EU we need to comply
4. Information Commissioner & DCMS reiterated “GDPR
will be implemented”
5. ~40K EU legal acts – likely to be adopted wholesale and
then reformed subsequently

7.
8 DPA Principles for Data Controllers

8.
What’s driving GDPR
• Harmonising legislation
• Part European Digital Single Market:
– ePrivacy Directive
– NIS Directive
• Promoting free movement of personal
data within EU
• Data Explosion
– Est 5.7TB of data per person to be
collected every year by 2020
• Enhancing and protecting the rights of
EU Citizens
• Strong message to global business.
Headlines
• “Countries continue
moving toward the EU
standard for data
protection”.
• “The GDPR has already
begun to raise the
legislative tide within the
EU and abroad”.
• “Attempts to strengthen
surveillance undermine
data protection laws”.
Forrester’s Data Privacy Heatmap

9.
Enforcement is not working
0
5
10
15
20
25
30
35
Enforcements

10.
How do we know it’s not working?
Courtesy of:
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

11.
GDPR Sanctions
• Supervisory powers to:
• Investigate
• Correct
• Authorise & advise
• Fines
• up to the higher of €20 million or 4% global turnover for major breaches
• up to the higher of €10 million or 2% global turnover for failing to comply
• Individual Right
• to claim compensation for distress (no need to prove harm or loss)
• to judicial remedy in home state
• No need to demonstrate material damage
• Possibility of class action
• Talk of prison sentences for CEOs for wilful, deliberate mass breaches

12.
So
https://www.linkedin.com/pulse/can-you-spot-difference-between-dpa-1998-gdpr-ardi-kolah

13.
First the key players …
Data
subjects
Controllers
Co-Controllers
Processor
Sub-processors
ICO (LSA)
European
Data
Protection
Board
Process on behalf of
Parental Guardian

14.
What is personal information now?
• Any information from which a living person can be identified, directly or indirectly
• a name, an identification number, location data, online identifier or factors specific
to the individual.
• Online identifiers IP address, cookies and so forth are personal data if they can
be linked back to the data subject without undue effort
• no distinction between personal data about private, public or work roles
• Processed wholly or in part by automated means i.e. not incidental data
• Held in a filing system. i.e. structured
Enhanced requirements
• Sensitive personal information relates to protected attributes, race, beliefs, health,
genetics etc.
• Profiling – automated decisions and predictions

15.
Enhanced Subject rights
Wider rights of
access and
information
• Confirmation
whether data
being processed
• Information
equivalent to that
provided on
collection
• Details of the
source of
information
Right to be
forgotten
• Where no longer
necessary
• Where consent
withdrawn
• Where data
unlawfully
processed
Right for
inaccuracies to
be rectified
without delay
Right to
restrict
processing
• Where accuracy
contested or
unlawful
Right to “data
portability”
• Move data to
another controller
Right to object
to
• Processing based
on “legitimate
interest”
• Decision based
upon profiling
• Decision based
on explicit
consent

16.
Subject Requests
• Covering:
• Subject Access Requests
• R2BF
• Rectification
• Legitimate requests MUST now be processed within 1
month
• No longer allowed to charge for requests
• MUST be fully documented
• SHOULD be online

17.
The new principles
Lawful
• processed lawfully, fairly and transparently.
Specific and Legitimate purpose
• collected for specified, explicit and legitimate purposes
and not further processed in a manner that is
incompatible with those purposes
Adequate, relevant and limited
• to what is necessary in relation to the purposes for
which they are processed
Accurate and current
• every reasonable step must be taken to ensure that
personal data that are inaccurate, having regard to the
purposes for which they are processed, are erased or
rectified without delay
Retained for no longer than necessary
• kept in a form which permits identification of data
subjects for no longer than is necessary for the
purposes for which the personal data are processed
Protected
• processed in a manner that ensures appropriate
security to prevent unauthorised or unlawful processing,
accidental loss, destruction or damage, using
appropriate technical or organisational measures.
Demonstrable Compliance
• the controller shall be responsible for, and be able to
demonstrate, compliance with the principles.

18.
What about principle 8 Data overseas?
• Still exists effectively:
• Applies to controllers and processors handling EU
citizen’s data wherever they process the data.
• Non-EU controller must have a representative in EU.
• US/EU privacy shield and EU model clauses still
relevant

19.
What is lawful processing?
Unambiguous
Data Subject consent
e.g. delivery address for receipt of goods
Performance of a contract
with the data subject
(only)
e.g. preventing fraud, ensuring security
Legitimate interest of
controller (or 3rd party)
i.e. where you are otherwise required to collect, store or retain data
Compliance with legal
obligation
e.g protection of life – monitoring epidemics
Protect vital interests of
data subject
e.g. national security, scientific research
Perform task in public
interest or official authority

20.
Transparency: Freely given, specific, informed
(unambiguous Consent)
Data subject can’t be
disadvantaged
• fulfilment can’t be conditional on consent
No consent bundling • Each “processing operation” requires distinct consents
No hiding it away
• clearly distinguishable as consent
• Based on affirmative action (not opt out)
• intelligible and readily accessible
Clear, concise and plain
language explaining:
• What data
• Why it is being collected and processing
• Measures taken to protect data
• How long the data is retained
• With who and how it will shared and used by others
Consent can be withdrawn
at any time
• data subject must be advised upfront how to do this
• as easy to withdraw as to give
Verifiable • Clear records must be retained as evidence

21.
Data Collection: Information you need to provide
The subject is entitled to be informed of the following:
• Controller details – legal entity and contacts
• Purpose and legal basis
• Legitimate interests
• Other recipients
• Cross-border transfers
• Retention duration and reasons
• The Subject’s rights
• Automated decision making (profiling)
• Right to complain to ICO
• Whether it is a contractual or legal requirement to supply the data.

22.
Even if you don’t collect the data directly
• You still need to notify the data subject (as before)
promptly
• also detailing:
• Source of the data
• Categories of data

23.
Breach Notification
• When you have a breach (i.e. accidental or unlawful
destruction, loss, access, alteration or disclosure of
personal data)
• You must:
• Report to ICO within 72 hours
• Notify affected people
• Document impact and remediation

24.
Cyber resilience maturity
• Incidents are inevitable so it’s important that you respond effectively.
• Ask yourselves the following critical questions:
• Are you confident that you have identified all priority business data
assets and their location?
• Who are your adversaries and are you able to defend the
organisation from a motivated adversary?
• Do you have the tools and techniques to respond to a targeted
attack?
• Do you know what your adversary is really after?
• How do these attacks affect your business?
• Do you have the right alignment, structure, team members and
other resources to execute your cybersecurity mission?

25.
Ensuring your processing is compliant
GRC Regime: Appropriate
technical and organisational
measures to demonstrate
compliance
• Policies
• Audits and Reviews
• Monitoring
• DPO needs to be independent and
unfettered
Privacy and Security by design
• Require systematic, proportionate
Privacy Impact Assessments & Risk
Assessments
• Sets privacy and security requirements
• GDPR makes specific reference to
“pseudonymisation” and encryption
• Expectation of measures to ensure CIA
• Expectation of timely recovery
• Expectation of regular security testing
• Restricted only to the data and the
individuals required (views & access
control)
Record keeping (both controller
& processor)
• Processing activities (purposes,
recipients, transfers, retention periods,
controls in place)
• By you and 3rd parties
• Available for ICO upon request

26.
Controllers and Processors
Both can be liable so greater regulation
Controller SHOULD
• Perform supplier due diligence
• Binding contracts setting out
• Nature of data
• Purpose of processing
• Obligations on each other
• Provide precise instructions
• Monitor processor on ongoing basis
Processors MUST
• Follow provided processing
instructions
• but notify if instructions are unlawful
• Impose confidentiality and ensure
security
• Request consent to subcontract
• Assist with requests and consultations
• Provide evidence of compliance

27.
What’s involved in becoming compliant?
• Time is of the essence – you have 18 months.
• If you’re truly compliant with the DPA then it’s an
upgrade: Strengthen policies, processes, functions and
contracts in readiness
• If you don’t and you’re starting from scratch and don’t
manage your data then it’s a much bigger undertaking.
• You should manage it as a project
(or programme if appropriate).

28.
Breaking it down
Discovery
Gap
Analysis
Define Implement Assess

29.
Practices to adopt
• Adopt a risk based approach prioritising:
• most obvious,
• most sensitive,
• most substantial personal data
• Align data processing closely to your business
processes
• Incorporate Privacy Impact Assessment and Security
Requirements to all significant initiatives.
• Refresh consent on a rolling 12 months basis.

30.
What’s critical to success?
• Getting board level commitment
• Empowering Data Owners to be responsible
• Plan for ongoing compliance not just May 2018
• Review carefully whether there is a justifiable business
need
• Employing a strategy of Reduce, Consolidate, Record
and Protect
• Building a register of Data sources, linked to business
processes and owners
• Engage a 3rd party to assist and validate

31.
Issues to be wary of
• Getting caught in the weeds
• Focussing on edge cases
• Shadow IT
• Data retention because it “might be useful one day”.
• Data inaccuracy

32.
Using a Cloud Service you should
1. Know the location of where the service is processing and or
storing data.
2. Consider additional steps to protect data from loss, alteration,
or unauthorised processing.
3. Set out a data processing agreement and monitor
4. Don’t allow the service to use personal data for other
purposes.
5. Ensure that you can erase the data when you stop using the
service.

33.
Further guidance on the Cloud?
• Advises on risks and
procurement
• Poses security
questions for
prospective providers
ENISA Cloud
security guide for
SMEs
• A code of practice that
focuses on protection
of personal data in the
cloud builds on
ISO27002
ISO 27018
• Emerging framework
• Prohibits the reuse of
customers’ data
• Ensures processing
and storage exclusively
in the EU
The CISPE Code
of Conduct

34.
Where’s Public Cloud now?
• Employ a “Shared Responsibility Model”
• Both Amazon and Microsoft adopted the Model Clauses and
are registered with Privacy Shield
• Both AWS and Azure have EU regions
• Azure has already has a UK region and AWS UK region launch
is imminent.
• Both have comprehensive material in their compliance portals
• Both emphasize SOC2/3 regimes
• Both comply with ISO27018

35.
What does the future hold …
• ICO income from registration will dry up
• Gov’t will look for ICO to be self funding from enforcement
• Supply chains will look to limit their liability
• Cloud Providers will be more interested in your data and making you attest
• Likely certification schemes and badges will be developed
• ICO likely to target gross offenders when it comes to breaches
• Bodies of good practice will be adopted e.g. ISO27018, CISPE.cloud
• SOC2 and SOC3 will continue to be pushed by US firms
• Likely there will be some “ambulance chaser” industry
• Prospect of custodial sentences either through the regulation itself or
associated regulation

36.
Useful resources
Available now
• ICO’s GDPR Overview
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
• ICO’s Preparing for GDPR:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• Lots of material online from vendors, legal firms, suppliers.
What’s coming soon
• Article 29 Working Party https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Art29
• First regulatory guidance expected before end of 2016 addressing :
• the role of the Data Protection Officer,
• the new right to data portability
• Also developing guidance for publication in February 2017:
• regarding the concept of risk under the GDPR
• and carrying out Data Privacy Impact Assessments
• And working on guidance regarding certifications under the GDPR
• ICO https://ico.org.uk
• Revised guidance on Big Data expected by the end of 2016
• Also guidance on consent and profiling expected by the end of January 2017.