GDPR Regulation

2. GDPR Regulation
• Comes in to force - 25th May 2018
• Legislation is now European law
• Breech's can see fines of up to 4% gross
turnover or €20m
• There are 6 data processing principles which
should followed.

3. The GDPR Lingo!
− Personal Data - information relating to an identified or identifiable natural person (‘Data Subject’);
− Process, Processed, Processing - collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction;
− Data Processors - processes personal data on behalf of the controller;
− Controller - alone or jointly with others, determines the purposes and means of the processing of
personal data;
− Consent - signifies agreement to the processing of personal data relating to him or her;
− Third Party – Some body other than the data subject, controller, processor and persons who, under
the direct authority of the controller or processor, are authorised to process personal data.
− Special Categories or Sensitive Data

4. Personal Data – What is it?

5. Company details
Address without a name
A generic email address
such as info@company
Corporate accounts with
summary payroll data
Sensitive DataPersonal DataJust Data!
Name and address of a data
subject
Email address with
firstname.surname@company
Pay records with gender, age,
job title (even without a
name)
A web cookie
Racial or ethnic origin
Political Opinions
Religious beliefs
Sexual preferences
Biometric information

6. Objective, Subjective or Sensitive
Any information relating to an individual
can be classed as personal data when it
can identify the data subject!

7. Personal Data held by the company in
electronic format and manual records
which form part of a relevant filing system.

8. Examples of personal data?

9. − All employee/company data
−HR data
−Payroll
−IT data – IP, Cookie
−CCTV
−Mobile data
−Financial data
−Proof of Identification
−Pension
−Performance reviews
− Customer data
−Contact details
−Mobile data
−Pictures – (TT)
−Financial data (individual
contracts)
−Contracts (Consent)
−Call recordings

10. Business Business
You can rely on legitimate
interests if you can show the way
you use people’s data is
proportionate, has a minimal
privacy impact, and people would
not be surprised or likely to
object to what you are doing.
Note: You still need to be
compliant to Privacy and
Electronic Communications
Regulations (PECR).
Always include an Opt out – The
Right to object!
Who can/can't I contact - Marketing!
Be Mindful of B > C, Sole Traders and Partnerships
Existing Products
New Products
Events
Company Information

11. Business Consumer
• Consent must be freely given
• Consent should be obvious and
require a positive action to opt in.
Consent requests must be
prominent, unbundled from other
terms and conditions, concise and
easy to understand, and user-
friendly.
• Consent must specifically cover
the controller’s name, the
purposes of the processing and
the types of processing activity.
• You must make it easy for people
to withdraw consent at any time
they choose.
Who can/can't I contact - Marketing!
Can include Sole Traders and Partnerships
Consent

12. Consent doesn't always have to be written as long as it can be
evidenced

13. Who can/can’t I contact - Sales!
Business Business
Business Consumer

14. Who can/can’t I contact - Sales!
Business Business
Business Consumer
IMPORTANT!
If you asked to
stop then you
stop it!

15. What would
be a Data
Breach?

16. A Data Breach is a confirmed
incident in which sensitive,
confidential or otherwise
protected data has been
accessed and/or disclosed in
an unauthorized fashion.

17. All data breeches must be reported to
your companies DPO ASAP.

18. Prevention
Information Security

19. Everybody has a responsibility
towards protecting the
company's information.
It is essential for everyone to
follow Acceptable use
guidance's.
Hardware Software Paper Physical Security

20. Hardware &
Software
• Only hardware and software
authorised by your company
should be used in any
connection with the company
network.
• The business may be unable
to support any unauthorised
hardware or software.
• Use of unauthorised hardware
or software, which may expose
the business to the risk of
unauthorised access or virus
infection.

21. Company Owned Computers
• Use network/cloud
drives to create and
store documents.
• Passwords – Only
effective if kept secret !
• Think about what’s on
your screen and where
you are.
• Anti Virus is there for a
reason!

22. Mobile Phones
• Passwords
• Ability to wipe phones
• Data protection includes
mobiles! Think about what and
who you are messaging.

23. Email / Internet
• THINK - Who are you sending too? - What are you
sending ?
• Secure ISDX transfer
• Look at for attachments or requests from known &
unknown sources. – virus or malware
• Never use you personal email for work
• May monitor or block email traffic in certain
circumstances.
• Out of offices – Think before you type!

24. Paper
• Its not just our data
• Shred documents
• Clear desk policy
• Locked cabinets
• Templates have
disclaimers

25. Physical
security
• Secure buildings
• Report anomalies
• Don’t be afraid to
challenge
• Laptops should be
kept safe – travel,
person, home

26. Thank You for your time
For more information visit
www.intercity.technology/gpdr