Page 1

Everyone’s talking about GDPR, but what's it got to do with me?

CIPS Chester and North Wales Branch Event
23rd January 2018

Cathryn MacKinlay MCIPS
Paul Sandiford
WWW.IVANASSOCIATES.COM

Page 2

CIPS Branch Event 23.1.18

Page 3

Everyone’s talking about GDPR but what’s it got to do with me?

• GDPR: in brief
• GDPR: why should buyers care? (and isn’t it I.T.’s problem?)
• What should I be doing now? Some practical advice
• Where can I get help?

Page 4

The GDPR In Brief

What is it?

• EU Regulation (2016/679), applying from 25 May 2018
• Update for the digital age
• New requirements for controllers and processors
• New rights for data subjects
• Increased powers for supervisory authorities

Page 5

The GDPR In Brief

Why is it important?

• To you (data subjects)
• To organisations and supply chains

Page 6

The GDPR In Brief

What do I need to know?

• Key definitions: personal data, processing, controller, processor
• Key principles of processing personal data
• Lawfulness of processing
• The conditions for consent
• Data subjects’ rights
• Data controller and data processor obligations

Page 7

Why should buyers care? (and isn’t it I.T.’s problem?)

A few reasons...

1. GDPR places new obligations on buyers
2. I.T. won’t do it for you
3. It presents opportunities

Page 8

Why should buyers care? (and isn’t it I.T.’s problem?)

Reason 1: GDPR places new obligations on buyers

All stages of the sourcing cycle present both risk and opportunity for GDPR compliance and cyber security.

Buyers are the first line of defence against attempts to compromise data security in a supply chain.

Buyers will play a vital role in protecting the rights of data subjects.

Page 9

Reason 1: GDPR places new obligations on buyers

Contract specification: data protection by design and by default

Article 25 – Data protection by design and by default (abridged): “the controller shall implement appropriate technical and organisational measures ... to meet the requirements of the regulation and protect the rights of data subjects”

Page 10

Reason 1: GDPR places new obligations on buyers

Contract specification: data protection by design and by default

Specify recognised techniques for design and default:

• Minimisation
• Encryption
• Pseudonymisation
• Anonymisation
• Differential privacy
• Authorisation and physical security

Leverage the opportunity:

• KPIs: measure and monitor
• Standards and assurances
• A vehicle for demonstrating your accountability

Page 11

Reason 1: GDPR places new obligations on buyers

Contract specification: data protection by design and by default

Get it right...

• Demonstrate accountability and the steps taken toward compliance; the supervisory authority takes these into account in the event of a breach
• Claw back compensation from your processor to the extent that you can show the damage was not your fault (Article 82(5))
• The processor remains liable in its own right

Get it wrong...

• Fines from the ICO of up to €20m or 4% of worldwide annual turnover, whichever is higher, for you (controller) and your supplier (processor) where a breach infringes the basic processing principles (Article 83(5)); infringements of Article 25 itself sit in the €10m / 2% tier (Article 83(4))
• Compensation claims from data subjects against you (controller) and your supplier (processor)
• Additional costs in the supply chain for compliance, liabilities and indemnities

Reduce the risk of breaches occurring
Reduce the scale of the fine in the event of a breach
Reduce GDPR risk in your supplier relationships
Direct cost savings
Reduced supply chain costs

Page 12

Reason 1: GDPR places new obligations on buyers

Supplier selection: sufficient guarantees

Article 28(1), paraphrased: “you must only use processors that can provide sufficient guarantees that the rights of data subjects will be protected”

Page 13

Reason 1: GDPR places new obligations on buyers

Supplier selection: sufficient guarantees

The controller has responsibilities and liabilities in choosing a processor:

• Consider the nature of the processing and the risk to data subjects
• Competence
• Sufficient guarantees in terms of resources and expertise

How can a buyer achieve this?

• Evaluation models
• Regularly review the threat landscape
• Commission in-depth checks of the supplier’s systems

Page 14

Reason 1: GDPR places new obligations on buyers

Supplier selection: sufficient guarantees

Get it wrong...

You will be fully liable for:
• Corrective measures ordered by the supervisory authority
• Fines (up to €10m or 2% of worldwide annual turnover, whichever is higher)
• Compensation claims from data subjects

Get it right...

• Robust supplier selection process and due diligence
• Demonstrate you “are not in any way responsible” for the event giving rise to the damage (Article 82(3))
• Enable claw-back of any fines or compensation from your processor

Enable claw-back
Preserve some credibility and reputation
Maintain trust in the supply chain with regard to data protection and cyber security

Page 15

Reason 1: GDPR places new obligations on buyers

Prepare contract document: GDPR contract terms

Article 28(3): “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller”

Page 16

Reason 1: GDPR places new obligations on buyers

Prepare contract document: GDPR contract terms

The contract must set out:

• Subject matter and duration of the processing
• Nature and purpose of the processing
• Type of personal data and categories of data subjects
• Obligations and rights of the controller

Minimum terms (Article 28(3)(a) to (h)):

• Process only on documented written instructions
• Duty of confidence
• Appropriate security measures
• Using sub-processors (only with the controller’s authorisation)
• Data subjects’ rights
• Assisting the controller
• End-of-contract provisions (delete or return the data)
• Audits and inspections

Page 17

Reason 1: GDPR places new obligations on buyers

Prepare contract document: GDPR contract terms

Get it wrong...

If you fail to have a written contract in place governing the processing:
• Fines (up to €10m or 2% of worldwide annual turnover, whichever is higher)
• Compensation claims from data subjects

Get it right...

• Avoid fines and compensation claims
• Controller and processor understand their obligations, responsibilities and liabilities
• Helps everyone comply
• Provides clarity on the scope of processing
• Controllers can demonstrate their compliance
• Increases trust in the supply chain

Improves compliance
Improves clarity of responsibilities
Minimises your risk

Page 18

Why should buyers care? (and isn’t it I.T.’s problem?)

Reason 2: IT are not going to solve all your problems

• An extended supply chain extends the concept of insider threat, one of the greatest risks to system security
• You are best placed, and have the skills, to manage supply chain risk…

…and IT will not always have your back!

Page 19

Thousands of Healthcare Workers’ Data Stolen in Hack

What happened?

Names, dates of birth, radiation doses, and National Insurance numbers of staff who work with X-rays were copied as hackers accessed Landauer’s system.

Page 20

Thousands of Healthcare Workers’ Data Stolen in Hack

Impact and lessons

Impact:
• The details of over 3,400 NHS staff and over 1,300 non-NHS staff were accessed
• The Welsh cabinet office directly intervened, mandating changes to procurement procedures
• Significant extra costs to deal with the breach
• Would have attracted a significant fine had it occurred after 25 May 2018

Lessons for IT:
• IT at the top of the supply chain (dentists, NHS trusts, vets) was not involved at all
• IT in the middle (Velindre) should challenge buyers as to whether personal data needs to be shared at all

Lessons for the supply chain:
• Consider specifications that avoid the risk entirely through minimisation and/or anonymisation
• “Have contractual controls in place relating to information governance and information security for third party suppliers”
• Ensure the processor is competent
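Added example, written for this page and not taken from the slides or from Ivan Associates: Python showing what the “minimisation” and “pseudonymisation” techniques listed under Article 25 on page 10 look like when applied to records of the shape described in the Landauer case (name, date of birth, National Insurance number, radiation dose). All four staff records, their NI numbers, the field names and the secret key are constructed for the example. It also shows the caveat a buyer should write into a specification: a plain hash of an identifier is not pseudonymisation, because anyone holding a list of candidate identifiers can recompute it and re-identify the records, whereas a keyed HMAC whose key never leaves the controller cannot be recomputed by the processor or by whoever steals the processor’s copy.

```python
"""Minimise and pseudonymise dose-monitoring records before they leave the
controller for a processor. Constructed example: every record below is
fictional, the NI numbers are made up, and the field names are assumptions."""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional staff, fictional NI numbers).
RAW_RECORDS = [
    {"name": "Alice Example", "dob": "1981-03-04", "ni_number": "QQ123456A", "dose_msv": 0.08, "site": "Clinic A"},
    {"name": "Bob Example",   "dob": "1979-11-21", "ni_number": "QQ234567B", "dose_msv": 0.31, "site": "Clinic A"},
    {"name": "Carol Example", "dob": "1990-07-15", "ni_number": "QQ345678C", "dose_msv": 0.02, "site": "Clinic B"},
    {"name": "Dan Example",   "dob": "1985-05-30", "ni_number": "QQ456789D", "dose_msv": 0.47, "site": "Clinic B"},
]

# Minimisation: the only fields the dose-monitoring processor needs to do its
# job (an assumption for this example). Name, DOB and NI number never leave.
PROCESSOR_FIELDS = ("dose_msv", "site")


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 over the identifier under a key held only by the controller.
    Without the key, an attacker cannot test candidate identifiers against
    the pseudonym. Truncated to 64 bits here for readability; keep the full
    digest in real use."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak alternative: a plain hash. Anyone can recompute it, and NI
    numbers have a fixed short format, so candidates are easy to enumerate."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def minimise_and_pseudonymise(records, key):
    """Split each record into the outbound part for the processor and a
    pseudonym -> identity lookup that stays with the controller."""
    outbound, lookup = [], {}
    for rec in records:
        pid = keyed_pseudonym(rec["ni_number"], key)
        outbound.append({"subject_id": pid, **{f: rec[f] for f in PROCESSOR_FIELDS}})
        lookup[pid] = {"name": rec["name"], "ni_number": rec["ni_number"]}
    return outbound, lookup


def reidentify(pseudonyms, candidate_identifiers, pseudonym_fn):
    """Dictionary attack: recompute the pseudonym for every candidate
    identifier (say, NI numbers from an earlier leak) and match it against
    the identifiers found in the stolen processor data."""
    table = {pseudonym_fn(c): c for c in candidate_identifiers}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    key = secrets.token_bytes(32)  # generated and held by the controller only
    outbound, lookup = minimise_and_pseudonymise(RAW_RECORDS, key)
    shared_ids = [rec["subject_id"] for rec in outbound]

    # The attacker's candidate list happens to contain every real NI number.
    candidates = [r["ni_number"] for r in RAW_RECORDS]
    # What the processor's copy would look like had a plain hash been used.
    weak_ids = [unkeyed_pseudonym(c) for c in candidates]

    return {
        "fields_leaving_controller": sorted({f for rec in outbound for f in rec}),
        # Attacker lacks the key, so the best it can do is recompute plain hashes.
        "recovered_from_keyed": reidentify(shared_ids, candidates, unkeyed_pseudonym),
        "recovered_from_unkeyed": reidentify(weak_ids, candidates, unkeyed_pseudonym),
        "controller_can_resolve": all(pid in lookup for pid in shared_ids),
    }


if __name__ == "__main__":
    result = demo()
    print("fields sent to processor:", result["fields_leaving_controller"])
    print("re-identified (keyed HMAC):", len(result["recovered_from_keyed"]))
    print("re-identified (plain hash):", len(result["recovered_from_unkeyed"]))
    print("controller can still resolve pseudonyms:", result["controller_can_resolve"])
```

Running it shows the processor receiving only `subject_id`, `dose_msv` and `site`; the plain-hash variant gives up all four identities to the dictionary attack, the keyed variant gives up none, and the controller can still map every pseudonym back to a person through the lookup it kept. In a specification this translates into two requirements: the processor receives the minimum field set, and any pseudonym is keyed with a secret the processor never holds.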

Page 21

Google and Facebook - $100m Payment Scam

What happened?

A criminal impersonated an Asian component supplier (Quanta Computer) in order to fraudulently obtain $100 million in payments from Google and Facebook.

Page 22

Google and Facebook - $100m Payment Scam

Impact and lessons

Impact:
• $100 million loss (temporarily)
• Many millions remain unrecovered
• Supply chain interruption for months
• Reputational damage
• Supply chain personnel “tainted” with criminal suspicion

Lessons for IT:
• Apply anti-phishing measures (e.g. forged-email detection, signed email)

Lessons for the supply chain:
• Cyber security training for all staff, especially anti-phishing
• Avoid email entirely for trust-critical applications; in particular, verify any change to a supplier’s payment details out of band before paying
• Build supplier relationships: computers can’t emulate a good relationship, yet…
• Consider e-procurement, electronic documents and e-signatures
• Consider blockchain technology to reduce counterparty risk and fraud

Page 23

Why should buyers care? (and isn’t it I.T.’s problem?)

Reason 3: It presents opportunities

• Protect and enhance your reputation
• Protect the trust in supply chains
• Understand supply chain risk and data flows
• Supplier development
• Focus minds on supply chain cyber security
• Be leaders in safeguarding your organisation
• Build cyber security and data protection capability in your procurement team
• Add value and achieve cost savings

Page 24

What should I be doing now? Some practical advice

Review your portfolio against the three tiers below.

No personal data?
• Basic housekeeping
• Data inventory
• Review work processes
• Comply with company policy
• Use common sense
• Be vigilant
• Raise awareness

Some personal data, moderate cyber security risk?
• Talk to your DPO: DPIA needed?
• Review all contracts against GDPR
• Review contract specifications
• Carry out data flow mapping
• Rate key suppliers’ system security
• Supply base risk analysis
• Review 3rd party access to systems

Lots of personal data, significant cyber security risk?
• Carry out DPIAs
• Build cyber security and data protection into sourcing strategies
• Build GDPR and cyber security into your evaluation models and specifications
• Add GDPR and cyber security KPIs onto risk registers
• Leverage technology to reduce the cost of compliance

Page 25

Sources of help and support

Help is at hand:

• Information Commissioner’s Office (ICO): www.ico.org.uk
• National Cyber Security Centre (NCSC): www.ncsc.gov.uk
• Ivan Associates Ltd: www.ivanassociates.com

Contact us (we love talking about supply chain cyber security)

Thank you for listening