The afternoon session kicked off with a panel discussion on employee rights under GDPR. The panel included Jordan Jones, Sola Consulting, Alison Deighton, TLT Solicitors, Sarah Thompson, McGuire Woods LLP, and Gert Beeckmans, Sdworx.
Some of the key challenges HR professionals include employee Subject Access Requests. Gert Beeckmans stressed that organisations to be prepared for SAR’s as they are likely to increase. If you monitor employees with CCTV, this data must also be included. However, Alison explained that if 3rd party data is disclosed, images should be blurred of other identifiable people if disclosing images or CCTV.
Applications forms are another area that HR professionals must pay attention to; the minimum amount of information needed for the suitability of the person and no more information than needed. For example, other motoring offenses criminal conviction only for specific to the role otherwise you can’t ask, Gert said: “You need to ask why I need the data and what I’m using it for if it is not justified then you must leave off form.
Alison also pointed out that checks on social accounts should also be transparent to employees “You need to be upfront about what you are doing, how you have sourced the information and how you will use it.”
In the Road to Compliance room, Microsoft’s James Hoggett and Andrew Butler touched on the solutions that help organisations comply to GDPR. They stressed that we need to start thinking differently about security. One of the tools that can be used to secure data is privileged identity management.
Next up was Ken Linscott of CSC Global explained that organisations need to become more secure: “Select your vendors wisely”. He explained that “Every brand should expect a DDoS attack, it is just a matter of when.” Domain jacking and phishing are so common that using a username and password is not enough anymore.
We then heard from Mariana from Dark Trace. She spoke about using AI to detect early stage threats before a breach occurs. Earlier this year, ‘the fishtank hack’ showed the vulnerabiliy of IoT devices. Once the hacker got into the fish tank, they were then able to move around into other areas of the network and sent out data. It resulted in 10 GB of data were sent out to a device in Finland. Phishing attacks are becoming increasingly more sophisticated and we need to make an effort to prevent this from happening.
Next was Darine Fayed from Mailjet who discussed how GDPR impacts upon digital marketing “Privacy policies must be revamped.” In addition, all communications must be clear and concise and if you are using automated profiling and tracking you must also make this clear.
The final talk of the early afternoon session was from Jon Allen from Opus, who focused on the deletion of data. Often we find that if that if data is deleted, it’s not actually deleted and this approach will not work anymore. If you can undo a deletion, then you haven’t deleted it properly.
“The last thing you want if you have a data breach is that data was not deleted that you intended to.”
In the final session we’ll hear from speakers from Carbon Black and Trust hub.
The inaugural Data Protection World Forum (DPWF) will be held on November 20th & 21st 2018 at the ExCeL London which will provide a broader focus across the data protection and privacy space amidst the progressive tightening of global data protection laws.
Ahead of the end of year event, DPWF has launched a series of intensive workshops.
Further information on the DPWF and workshop details are available at: https://www.dataprotectionworldforum.com/