Governance and Compliance Learning from the Private Sector. David Coverdale

Similar documents
EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Data Protection and GDPR

General Data Protection Regulation (GDPR)

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Data Warehouse Risk Assessment (GDPR)

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Data Protection Policy

General Data Protection Regulation (GDPR)

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

The Role of the Data Protection Officer

ADMA Briefing Summary March

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Privacy Notice. General Information Protection Regulation ( GDPR )

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

Frequently Asked Questions

Data Protection Policy

Privacy Policy GENERAL

Eco Web Hosting Security and Data Processing Agreement

Version 1/2018. GDPR Processor Security Controls

Introductory guide to data sharing. lewissilkin.com

Data Processing Agreement DPA

GDPR - Are you ready?

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website, , call or write to us.

GDPR: A technical perspective from Arkivum

How WhereScape Data Automation Ensures You Are GDPR Compliant

Data Privacy Notice. Madsen Advisory Limited ("Madsen") is committed to protecting and respecting your privacy.

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Data Protection Policy

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

UWTSD Group Data Protection Policy

Privacy Notice - General Data Protection Regulation ( GDPR )

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

NIS, GDPR and Cyber Security: Convergence of Cyber Security and Compliance Risk

Data Protection Policy

PS Mailing Services Ltd Data Protection Policy May 2018

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

How the GDPR will impact your software delivery processes

This procedure sets out the usage of mobile CCTV units within Arhag.

Breach Notification Form

Data Protection Policy

Islam21c.com Data Protection and Privacy Policy

Motorola Mobility Binding Corporate Rules (BCRs)

GDPR: A QUICK OVERVIEW

Data Breaches and the EU GDPR

UWC International Data Protection Policy

Case Study Vitality Justin Skinner Group Chief Risk Officer

General Data Protection Regulation (GDPR) Key Facts & FAQ s

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Privacy Impact Assessment

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Data Security Standards

The Australian Privacy Act An overview of the Australian Privacy Principles (APPs) Author: Paul Green

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

The isalon GDPR Guide Helping you understand and prepare for the legislation

General Data Protection Regulation

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

DATA PROTECTION POLICY

Prohire Software Systems Limited ("Prohire")

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Requirements for a Managed System

Creative Funding Solutions Limited Data Protection Policy

EU General Data Protection Regulation (GDPR) Achieving compliance

SCHOOL SUPPLIERS. What schools should be asking!

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

BHConsulting. Your trusted cybersecurity partner

UUEAS Privacy policy - Members

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

Jefferies EMEA Privacy Notice

Cyber Security Strategy

Bring Your Own Device (BYOD) Policy

Ambition Training. Privacy Policy

Brasenose College ICT Systems Privacy Notice (v1.2)

Digital Health Cyber Security Centre

Privacy and Data Protection Policy

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

This policy also applies to personal information about you that the Federation collects from any other third party.

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Project Better Energy Limited s registered office is Witan Gate House, Witan Gate West, Milton Keynes, Buckinghamshire, MK9 1SH

Security Awareness Training Courses

1. Introduction and Overview 3

Manchester Metropolitan University Information Security Strategy

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

Cloud Security Standards Supplier Survey. Version 1

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Information Security: the heart of the paperto-digital. 14 th September 2017

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

MBNL Landlord Privacy Notice. This notice sets out how we handle landlord personal data as part of our General Data Protection policies (GDPR).

Retirement Investments Insurance Health. Helping you. understand. data governance

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Transcription:

Governance and Compliance Learning from the Private Sector David Coverdale

Governance Challenges The Patient Journey CQC Business Continuity Policy QoF Data GDPR LHA2 GRC Training Risk IG BIA Resilience Standards ISO20000 ISO27000 ISO33000 Evidence Audit Behaviour Learning Security Change Management Technology Funding Integration Digitisation Integration BYOD

Cyber risk ransomware System breaches GDPR failings on Policy Loss of data Data requests Biggest risks

General Data Protection Regulation (GDPR) High Level requirements Only retain the minimum of personal information Only use for purpose intended Deletion of records individual in control Policy, Procedure and Process Not identify the individual Date of birth Address Roles of one or two people National Insurance numbers

IG Requirements Information Governance Management Establishing personal responsibility for ongoing IG compliance by named individuals. Creating and maintaining a coherent, actionable policy for IG management. Ensuring all staff contracts are written to clearly indicate IG responsibilities Ensuring relevant, up-to-date staff training and education for IG requirements. The challenges here are not all that taxing if you routinely invest in training, and already have data governance and intellectual property protections baked into your contracts.

IG Requirements Confidentiality and Data Protection Strict adherence to the Data Protection Act (DPA), particularly in relation to obtaining consent from individuals before using or sharing their data. Ensuring that patient identifiable data continues to be treated under DPA and UK Department of Health rules even if the data is processed outside of the UK. Ensuring all access to confidential data is continuously monitored and audited. Developing and implementing any new processes, services, information systems, or other relevant information assets in a secure and structured manner. Ensuring all data transfers are secure and confidential. Perhaps the biggest challenge for organisations here is ensuring they innovate in line with IG compliance. This necessitates having fit-for-purpose policies in place for the development process to follow from initial scoping all the way to infrastructure management.

IG Requirements Software solutions IG compliant applies to in house. Information Security Maintaining a comprehensive information asset register. Creating and maintaining effective information security policy and procedures governing all ICT networks. Include mobile computing and teleworking provisions. Ensuring physical security measures are in place to guard against unauthorised access to data. Ensuring appropriate access control to operating systems and information assets, with managed access rights for all applicable users. Ensuring plans and procedures for successful business continuity in the event of power failure, system crash or any other disruption. Maintaining documented incident management reporting processes.

May 25 th 2018 20M fines Global implications Will definitely remain post Brexit USA, RoY and Private sector have plans in place GDPR - why it matters

Rationale Individual is at the centre of compliance The centre of data protection Affects staff and patients All supplier products must comply All databases must comply Consider how to achieve this with paper?

Unrequired data Basic identity information such as name, address and ID numbers Web data such as location, IP address, cookie data and RFID tags Health and genetic data Biometric data Racial or ethnic data Political opinions Sexual orientation

What might a program look like? Create awareness, knowledge and know the impacts. Document the personal data held. Check/change privacy notices. Can you manage/delete personal data in all formats? Set up procedures to handle new data access requests. Know the lawful basis for procuring data. Have clear process to seek, record, manage consents. Have a procedure to detect, report, investigate data breach. Understand the ICO code of practice. Implement Article 29. Assign data protection officers a key role. Establish a data risk register know your environment.

Why do this? NMC midwife lost 3 x DVDs 150k fine and personal cost of 850 Criminal record

More reasons May not be covered by Cyber insurance Fines have increase 79 times from ICO in 3 yrs. GOSH 11,000 Flybe 70,000 Pharmacy2U 130,000 GM Police 150,000 Basildon Council 150,000 CPS 200,000 Talk Talk 500,000

Egton program All products checked, updated and versioned. Register of risks to GDPR at board level. Funding allocated to implement mitigations. Bi-weekly report to executive. Individual must give explicit consent. Implied consent unlikely to survive. New granular level of consent in place.

Commercial Learnings Be prepared - invest in knowledge and training. Validate all databases and systems. Validate non-systems based data. Develop an early framework. Consider governance technology platform. Consider mobile device capabilities. Go Digital.

Egton Compliant Solutions Audit Risk Management MELVIS Incidents TheOneView Intradoc247 CQC Wi-Fi solutions Mobile Apps Secure hosting

Summary Identify information and process owners Consider the impact of data breach Develop a framework for compliance Develop a plan to achieve compliance Consider all data and software used Consider platforms to enable monitoring Put the individual at the heart of data

Thank you David Coverdale

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback