Everyone’s talking about GDPR, but what's it got to do with me?
CIPS Chester and North Wales Branch Event
23rd January 2018
Cathryn MacKinlay MCIPS
Paul Sandiford
WWW.IVANASSOCIATES.COM
CIPS Branch Event 23.1.18
Everyone’s talking about GDPR but what’s it got to do with me?
• GDPR – in brief
• GDPR – why should buyers care? (and isn’t it I.T.’s problem?)
• What should I be doing now? – some practical advice
• Where can I get help?
The GDPR In Brief
What is it?
• EU Regulation effective 25th May 18
• Update for the digital age
• New requirements for controllers and processors
• New rights for data subjects
• Increased powers for supervisory authorities
The GDPR In Brief
Why is it important?
• To you (data subjects)
• To organisations and supply chains
The GDPR In Brief
What do I need to know?
• Key definitions: personal data, processing, controller, processor
• Key principles of processing personal data
• Lawfulness of processing
• The conditions for consent
• Data subjects’ rights
• Data controller and data processor obligations
Why should buyers care? (and isn’t it I.T.’s problem?)
A few reasons...
1. GDPR places new obligations on buyers
2. I.T. won’t do it for you
3. It presents opportunities
Why should buyers care? (and isn’t it I.T.’s problem?)
Reason 1: GDPR places new obligations on buyers
All stages of the sourcing cycle present both risk and opportunity for GDPR compliance and cyber security.
Buyers are the first line of defence against attempts to compromise data security in a supply chain.
Buyers will play a vital role in protecting the rights of data subjects.
Reason 1: GDPR places new obligations on buyers
Contract specification: Data protection by design and by default
Article 25 – Data Protection by Design and by Default
“the controller shall implement appropriate technical and organisational measures...to meet the requirements of the regulation and protect the rights of data subjects”
Leverage the opportunity
• KPIs: measure and monitor
• Standards and assurances
• Vehicle for demonstrating your accountability
Specify recognised techniques in Design and Default
• Minimisation
• Encryption
• Pseudonymisation
• Anonymisation
• Differential privacy
• Authorisation and physical security
Get it right...
• Demonstrate accountability and steps toward compliance – taken into account by the supervisory authority in the event of a breach
• Claw back from your processor to the extent that you can show it was not your fault!
• Processor remains liable in their own right
Get it wrong...
• ICO can levy a fine of up to 20m Euros (4%) on you (controller) and your supplier (processor)
• Compensation claim from data subject against you (controller) and your supplier (processor)
• Additional costs in the supply chain of compliance, liabilities and indemnities
Reduce the risk of breaches occurring
Reduce the scale of the fine in the event of a breach
Eliminate GDPR risk from your supplier relationship
Direct cost savings
Reduced supply chain costs
Reason 1: GDPR places new obligations on buyers
Supplier selection: Sufficient guarantees
Article 28
“you must only use processors that can provide sufficient guarantees that the rights of data subjects will be protected”
Controller has responsibilities and liabilities in choosing a processor
• Consider nature of processing and risk to data subjects
• Competence
• Sufficient guarantees in terms of resources and expertise
How can a buyer achieve this?
• Evaluation models
• Regularly review the threat landscape
• Commission deep-reaching system checks
Get it wrong...
You will be fully liable for:
• Corrective action issues
• Fines (up to 10m Euros or 2%)
• Compensation claims from data subjects
Get it right...
• Robust supplier selection process and due diligence
• Demonstrate you “are not in any way responsible”
• Enable claw-back of any fines or compensation from your processor
Enable claw back
Preserve some credibility and reputation
Maintain trust in the supply chain with regard to data protection and cyber security
Reason 1: GDPR places new obligations on buyers
Prepare contract document: GDPR contract terms
Article 28.3
“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller”
Contract must set out:
• Subject matter and duration of processing
• Nature and purpose of the processing
• Type and categories of personal data
• Obligations and rights of the controller
Minimum terms
• Process on written instruction
• Duty of confidence
• Appropriate security measures
• Using sub-processors
• Data subjects’ rights
• Assisting the controller
• End of contract provisions
• Audits and inspections
Get it wrong...
If you fail to have a written contract in place governing the processing:
• Fines (up to 10m Euros or 2%)
• Compensation claims from data subjects
Get it right...
• Avoid fines and compensation claims
• Controller and processor understand their obligations, responsibilities and liabilities
• Helps everyone comply
• Provides clarity on the scope of processing
• Controllers can demonstrate their compliance
• Increases trust in the supply chain
Improves compliance
Improves clarity of responsibilities
Minimises your risk
Why should buyers care? (and isn’t it I.T.’s problem?)
Reason 2: IT are not going to solve all your problems
• An extended supply chain extends the concept of insider threat, the greatest risk to system security
• You are best placed and have the skills to manage supply chain risk…
…and IT will not always have your back!
Thousands of Healthcare Workers’ Data Stolen in Hack
What Happened?
Names, dates of birth, radiation doses, and National Insurance numbers of staff who work with X-rays were copied as hackers accessed Landauer’s system.
Impact and Lessons
Impact:
• The details of over 3,400 NHS staff and over 1,300 non-NHS staff were accessed
• Welsh cabinet office directly intervened, mandating changes to procurement procedures
• Significant extra costs to deal with the breach
• Significant fine post May 2018
Lessons for IT:
• IT at the top of the supply chain (dentists, NHS trusts, vet) not involved at all
• IT in the middle (Velindre) should challenge buyers as to whether personal data should be shared at all
Lessons for Supply Chain:
• Consider specifications that avoid the risk entirely through Minimisation and/or Anonymisation
• “have contractual controls in place relating to information governance and information security for third party suppliers”
• Ensure the processor is competent
Google and Facebook - $100m Payment Scam
What Happened?
Criminal impersonated Asian component supplier (Quanta Computer) in order to fraudulently obtain $100 million payments from Google and Facebook.
Impact and Lessons
Impact:
• $100 million loss (temporarily)
• Many millions remain unrecovered
• Supply chain interruption for months
• Reputational damage
• Supply chain personnel “tainted” with criminal suspicion
Lessons for IT:
• Apply anti-phishing measures (e.g. forged email detection, email signatures)
Lessons for Supply Chain:
• Cyber security training for all staff, especially anti-phishing
• Avoid email entirely for trust-critical applications
• Build supplier relationships - computers can’t emulate a good relationship, yet…
• Consider e-procurement, electronic documents, and e-signatures
• Consider blockchain technology to remove counterparty risk and reduce fraud
Why should buyers care? (and isn’t it I.T.’s problem?)
Reason 3: It presents opportunities
• Protect and enhance your reputation
• Protect the trust in supply chains
• Understand supply chain risk and data flows
• Supplier development
• Focus minds on supply chain cyber security
• Be leaders in safeguarding your organisation
• Build cyber security and data protection capability in your procurement team
• Add value and achieve cost savings
What should I be doing now?
Some practical advice
Review your portfolio:
No personal data?
• Basic housekeeping
• Data inventory
• Review work processes
• Comply with company policy
• Use common sense
• Be vigilant
• Raise awareness
Some personal data? Moderate cyber security risk?
• Talk to your DPO – DPIA needed?
• Review all contracts against GDPR
• Review contract specifications
• Carry out data flow mapping
• Rate key suppliers’ system security
• Supply base risk analysis
• Review 3rd party access to systems
Lots of personal data? Significant cyber security risk?
• Carry out DPIAs
• Build cyber security and data protection into sourcing strategies
• Build GDPR and cyber security into your evaluation models and specifications
• Add GDPR and cyber security KPIs onto risk registers
• Leverage technology to reduce the costs of compliance
Sources of help and support
Help is at hand
• Information Commissioner’s Office (ICO) www.ico.org.uk
• National Cyber Security Centre (NCSC) www.ncsc.gov.uk
• Ivan Associates Ltd www.ivanassociates.com
Contact us (we love talking about supply chain cyber security)
Thank you for listening