The GDPR - From Implementation to Opportunity

Upload: caitlin-burns

Post on 20-Mar-2017

TRANSCRIPT

Page 1: The GDPR - From Implementation to Opportunity

GDPR

• EU General Data Protection Regulation
• Effective from 25 May, 2018
• Reinforced with a strict and significant penalty regime
• Affects any organization globally
• Brexit has no effect
• UK Information Commissioner will insist on same standards

What is Personal Data?

• Anything associated with a name or digital footprint
• Health, financial, criminal history, travel history, etc.
• Passport is personal data and is stored for each of your clients
• Photos, documents, videos, scans
• Data stored on your system plus that of data storage providers

Threats and Opportunities

• Financial threats from failure to implement - penalties
• Prevent the endless escalation of data storage
• Implement better search facilities for the business
• Correct implementation adds to corporate credibility
• Your technology can’t support the legislation

Privacy by Design & Default

• By Design
  • All systems should include privacy requirements in design
  • Encryption
  • Pseudonymisation
• By Default
  • All data should automatically be stored securely and privately
• Organizations are now held accountable for both

Eight Key Principles of GDPR

Personal Data shall be processed fairly and lawfully

Personal Data shall be obtained only for specified purposes and not used for other purposes

Personal Data shall be relevant and not excessive

Personal Data shall be accurate and kept up to date

Eight Key Principles of GDPR

Personal Data shall not be kept longer than necessary

Personal Data shall be processed in accordance with rights of data subjects

Appropriate security to prevent loss of data or unlawful access

Personal data cannot be transferred outside the EU without the same level of protection

Controller & Processor

• Controller
  • Business is the controller of client, prospect and employee data
• Processor
  • Organization or person that processes the data

Data Subject Access Rights

• Right to Access
• Right to Erasure
• Right to Portability
• Right to Rectification
• Data Breach Notification
• Right to request all data

Financial Penalties

• Level 1 – Up to 2% of revenues
  • Reputational cost on top of that
  • Not just for a data breach – lack of documentation means you can be fined during an audit
• Level 2 – Up to 4% of revenue or 20,000,000 Euro
  • Only if negligent – as in you did nothing to prepare for GDPR
• Must be signed off by business owner – no longer only an IT issue

Finding and Reporting Dark Data

• You must find ALL documents with an individual’s data
  • This is not just information in your CRM – it’s documents as well
• You must provide these documents with relevant redaction
• How do you find them?
  • Scanned documents? Emails? Faxes?
• How do you provide them?
  • Collate documents, redact, report?

DocsCorp’s Focus

Next Steps

• Raise awareness
• Carry out a GDPR Impact Assessment
• Develop a GDPR Compliance Plan (GCP)
• Assess all Cloud Service Provider Contracts