
Page 1: SCCE Presentation Handout.pptx - Read-Only · 2020-04-29 · Title: Microsoft PowerPoint - SCCE Presentation Handout.pptx - Read-Only Author: Jill.Burke Created Date: 4/29/2020 7:56:27

DeltaNet International Ltd

Slide 1

Workforce Privacy Training and Effective Controls to Prevent Inadvertent Data Breaches

Slide 2

Agenda

• Our panel

• Why should companies worry about Data Protection?

• What are ‘effective controls’?

• The role of training

• What makes ‘effective training’?

Slide 3

• James Castro-Edwards, Partner, Wedlake Bell

• Kate Surala, Partner, The Analyst

• Stacey Taylor, Learning Design Director, DeltaNet International

Slide 4

Why should companies care about data protection?

Legal background

• The use of 'personal data' is regulated in the UK by the General Data Protection Regulation (GDPR), which took effect in May 2018

• In the UK, the GDPR is supplemented by the Data Protection Act 2018

• Direct marketing sent electronically is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR)

• The GDPR, DPA 18 and PECR are enforced by the Information Commissioner's Office (ICO)

• The ICO is an active regulator with around 800 staff

• The GDPR will continue to apply until the end of 2020, when it looks likely to be replaced by a 'UK GDPR'

Slide 5

Why should companies care about data protection?

Requirements

• The GDPR imposes obligations upon organisations that handle personal data

• Essentially, organisations must use information in a way that is fair, lawful and transparent; they must also keep it secure

• The GDPR also confers a number of rights upon individuals, such as the right of access and the right to be forgotten

• Individuals are increasingly aware of their rights, following the publicity that surrounded the GDPR when it took effect

• PECR regulates direct marketing by email, telephone and SMS, essentially requiring consent

• The ICO regularly investigates and fines organisations that fail to comply with the GDPR and PECR

• Individuals may bring a claim for compensation for damage or distress caused by misuse of their personal data

Slide 6

Where things go wrong?

• The ICO is an active and well-resourced regulator; it can and will investigate data breaches and data subjects' complaints, often requiring a detailed response (and will not be 'fobbed off').

• Individuals are increasingly aware of their data protection rights, such as the right of access and the right of erasure (right to be forgotten), and will complain to the ICO if they are not satisfied.

• A right to compensation for damage or distress arising from the misuse of personal data has emerged under common law.

Slide 7

Where things go wrong?

In practice this can lead to a 'double whammy', e.g.:

• British Airways suffered a personal data breach, for which the ICO announced its intention to issue a fine of £183,000,000

• In addition, 'entrepreneurial' lawyers launched a class action on behalf of affected BA customers, seeking to recover £5,000 per person; with allegedly 500,000 people affected, that is a £2.5BN claim.

Slide 8

What are ‘effective controls’?

• Where does data start and finish in your organisation?

• Where might data be lost / vulnerable in your organisation?

• What have you done to prevent a data breach?

Slide 9

Our controls at The Analyst

• Identify the data subject and data controller in all contracts

• Review who has access to different types of data at least on an annual basis

• Use encryption, watermarks, and pseudonymisation where possible

• Make GDPR a critical matter at board level

• Plan for when things go wrong - have your incident response plan ready

• Schedule in mock trials

• Update your data risk assessments frequently

• Clear desks and screens - remote access rather than bring your own device

• Training is key

Slide 10

Effective training is…

• Relatable

• Immersive

• Gamification

• Engaging

• Relevant

• Case study

• Timely

Slide 11

Effective training is…

• Focussed on WHY not HOW

• Business as usual

• Part of the culture

Slide 12

Our training journey at The Analyst

• Onboarding, face-to-face & online training

• Schedule regular follow up training - technology doesn’t stand still

• Include specific examples in your training related to different groups of your organisation

• Have a one-to-one drop-in session after the presentation

Image source: https://www.sessionlab.com/

Slide 13

Our training journey at The Analyst

The most challenging situation for The Analyst?

• COVID-19 work from home transition

• Update your systems and controls document

• Speak to your departments and better understand their requirements

• Summarise the CANs and CAN’Ts and follow up in writing with the team

Image source: https://www.sessionlab.com/

Slide 14

When you get it right…

Staff can't all be data protection experts, but should be able to:

• Spot potential issues (e.g. breaches / requests / complaints / risky activities);

• Escalate to the appropriate channels.

As a result, problems can be spotted and dealt with early, and this is a mitigating factor in the event of a breach.

Slide 15

Thank you for listening. Any questions?