Venue: Data Protection People, Leeds
Yorkshire Cyber Security Cluster teamed up with Data Protection People to host a session on GDPR, the new EU Data Protection regulation which will be introduced in May 2018.
Presentation on the myths behind GDPR from Stuart Barker, CEO from The Agenci
Panel Session featuring representatives from The Agenci, Data Protection People and Info Security People
When asked around the room, the vast majority of people were aware of what GDPR was and how it would affect them which allowed for a more indepth discussion into the complexities of the regulation later on in the session.
Stuart Barker, CEO from The Agenci, delivered a presentation aiming the breaking down the misconceptions that people have about GDPR.
The presentation started with Stuart detailing what is GDPR and talking about the big differences between GDPR and Data Protection Act. Within this, Stuart compared the size of the fines that would be issued to the likes of TalkTalk and Tesco Bank. For example, under the Data Protection Act, the ICO (Information Commissioner’s Office) issued a £430,000 fine on TalkTalk after their 2015 data breach. If this was done under GDPR, the telecommunications firm would receive a fine of £73m.
Stuart talked about the changes in consent within GDPR. Gone are the days of using email address you acquire in your marketing list just because they handed you a business card. Now you must receive explicit consent from an individual to use their information in the manner you wish to you it.
This sparked a conversation among attendees regarding consent of information and how this affects exhibitions where information is being shared consistently between delegates and exhibitors.
Stuart then ran down his top 5 GDPR myths.
“Controllers don’t need data processing agreements with processors because the GDPR imposes direct obligations on processors.”
“I don’t have to ask for permission to use their data.”
“Encryption is mandatory under GDPR”
“This is an EU law. When BREXIT happens, it won’t apply any longer.”
“It doesn’t apply to my business.”
All of these myths are nothing more than myth.
Stuart gave delegates some advice that organisations can adopt to be prepared for GDPR before May 2017.
Create a plan
Conduct a Data Protection audit
Create a data flow model
Develop a ‘data breach process’
Following Stuart Barker’s presentation, he was joined by Data Protection People and Info Security People representatives for a panel session where delegates were able to ask questions on GDPR.
The debate on consent was raised again, but the example of Facebook was given with regards to the ability of ‘being forgotten’. Facebook will be able to argue that you do have the right to be forgotten, but there will be clauses in which they can not ‘forget’ all information.
Social Media will be grey area because companies such as Facebook, Twitter and Google will argue what information can be forgotten as it has been placed in the public domain.
This led onto the topic of exhibitions again – it becomes a sticking point and a potential hotbed for GDPR breaches. One suggestion that came about was the possibility of getting delegates to sign a form consenting their data to be used in a certain manner.
Another suggestion raised was that it could come down to the organiser having to gain permission on behalf of all exhibitors that they are able to use their information in a certain manner, prior to the event.
Personal Identifiable Information (PII) was brought up as a discussion point – it was pointed it out the legislation will primarily revolve around PII but it will need to be clearly defined so it is not confused with business data.
As a final discussion point, the awareness of GDPR was brought up with our panel as many believe the general public are deeply unprepared for the changes. There needs to be widespread awareness across the board of the effects that GDPR will have on business, but the general consensus is that it’ll be
too little too late.