[Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Information Is Your Most Important Asset. Learn the Skills to Manage It. Think Brexit Saves You from EU Data Regulations? Think Again! 6 Steps to Prepare for the Data Protection Revolution. An AIIM Webinar Presented 22nd September, 2016

Upload: aiim

Post on 16-Apr-2017


TRANSCRIPT

Page 1: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Underwritten by:

#AIIM Information Is Your Most Important Asset. Learn the Skills to Manage It

Think Brexit Saves You from EU Data Regulations? Think Again!

6 Steps to Prepare for the Data Protection Revolution

An AIIM Webinar Presented 22nd September, 2016

Page 2: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Today’s Speakers

•  Scott Sammons, CIPP/E, AMIRMS, @PrivacyMinion

•  Dominic Johnstone, Head of Information Management Services, Crown Records Management

•  Host: Theresa Resek, Director, AIIM

Page 3: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Content

•  Brexit and the General Data Protection Regulation (GDPR)

•  What the GDPR says

•  Immediate areas of focus & making the business case

•  How information & records management can help you, including:

   •  Information Audits

   •  IG Frameworks

Page 4: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Brexit and the GDPR

•  Approved by MEPs (Parliament) and Member States (Council) after 4 years of negotiation

•  Brexit doesn’t affect it

•  UK has a new Information Commissioner who took office in July 2016

•  Current ICO guidance is to focus on 12 main areas, further guidance to come

Will become enforceable law in the UK & Ireland (and member states) on the 24th May 2018

Page 5: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

What the GDPR says

Page 6: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

The new principles

The new principles are that information is:

01  Processed fairly, lawfully & in a transparent manner

02  Collected for specific, explicit and legitimate purposes

03  Adequate, relevant and limited to what is necessary to meet the purpose

04  Accurate and up to date

05  Must not be kept for longer than is necessary

06  Kept secure to maintain integrity and confidentiality

07  Processed by controllers and processors able to demonstrate compliance

Page 7: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Demonstrate compliance

Each controller must maintain a record of processing activities. That record must contain the following information:

•  Name and contact details

•  Purposes of processes

•  Categories: data subjects, personal data

•  To whom personal data was disclosed

•  Transfers of personal data

•  The envisaged time limits for erasure of data

•  Technical and organisational security measures

Page 8: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

GDPR Requirements

•  Governance & policy

•  Data inventory

•  Third party mgmt.

•  Information security

•  Risk mgmt.

•  Incident & breach management

•  Procedures & controls
   - Marketing & Data collection (incl. Consent management)
   - Complaints & Data Subject’s Rights
   - Automated decision making & Risk profiling
   - Employment processing

•  Assurance

Page 9: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Data Subject’s Rights

Page 10: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Fines

Each supervisory authority shall have the power to issue administrative fines of up to 10 million euros for breaches of:

•  Inadequate processing of child data

•  Processing which does not require identification

•  Inadequate Data Protection by Design

•  Inadequate controller & processor management

•  Inadequate security controls

•  Non notification of breaches

•  Inadequate Data Protection Officer appointment

•  Breaches of Codes of Conduct and/or Certifications

Page 11: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Fines

Each supervisory authority shall have the power to issue administrative fines of up to 20 million euros for breaches of:

•  Breaches of the basic principles for processing including conditions for consent

•  Inadequate compliance with Data Subject rights

•  Inappropriate transfers outside of the EEA

•  Breaches of relevant member state law

•  Non-compliance with an order from the Supervisory Authority

Page 12: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Good IRM could save your skin!

It assists with compliance requirements, making some elements of the GDPR less burdensome (and can even add additional efficiency benefits to the organisation)

By keeping accurate and robust records on your processing activities and controls you can defend your position better with a regulator or a data subject

It makes it easier to risk manage your estate & infrastructure & investigate incidents faster

Page 13: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Immediate areas of focus

Ultimately you need to know:

•  What you have

•  Where it is

•  Where you are sending it to

•  Why you have it

•  What form it is in

•  How long you need to keep it

Page 14: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

How can you achieve this?

Page 15: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Begin with an information audit

Understand what information you have and what you need:

•  Information lifecycle

•  Information management platform

•  Policies and procedures

Page 16: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

We will create a score card to identify high risk areas

RAG Status

| Asset | Policy Governance | Process Efficiency | Business Criticality | Issue Summary |
|---|---|---|---|---|
| C1 – Electronic documents | 3 | 3 | 3 | Document creation outside of the controlled document management system environment increases the risk of the development of large silos of unstructured data |
| C2 – Paper | 3 | 2 | 3 | The information audit has identified inefficient processes relating to both email and electronic documents that are increasing levels of paper creation. These processes are directly linked to the firm-wide practice of maintaining a paper matter file as the primary source of information |
| C3 – Incoming Email | 4 | 1 | 2 | The current process of printing emails to paper is costly and inefficient, whilst also eradicating the search and retrieval advantages that electronic information supports. Email folders are being used to store some electronic documents received by email |

Page 17: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Create a remediation programme to deliver compliance with GDPR

Page 18: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

For more information about GDPR please visit www.crownrms.com/gdpr

Contact

+44 (0)20 8443 6016 [email protected]

Page 19: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

Take your skills to the next level by learning how to create an information accountability framework that reduces costs, manages risk, and optimizes value with AIIM’s Information Governance training course.

Visit: AIIM.org/InfoGovTraining

Page 20: [Webinar Slides] Think Brexit Saves You From EU Data Regulations? Think Again!

AIIM is the Community for Information Professionals

AIIM believes that information is your most important asset. Learn the skills to manage it.

Our mission is to improve organizational performance by empowering a community of leaders committed to information-driven innovation.

Learn more at www.aiim.org