Transition to GDPR compliance

Transcript

1. Transition to GDPR Compliance James Stewart - 30th May 2017

   @jystewart

2. 25th May 2018

3. 25th May 2018 T - 360 days

4. “we will bring forward a new data protection law, fit

   for our new data age, to ensure the very best standards for the safe, flexible and dynamic use of data and enshrining our global leadership in the ethical and proportionate regulation of data” Conservative and Unionist Party Manifesto 2017

5. @jystewart If compliance is our goal we’ll always be playing

   catch-up

6. @jystewart Regulation isn’t aspiration

7. GDS @jystewart

8. GDS

9. GDS @jystewart

10. @jystewart 1. Understand user needs 2. Do ongoing user research

    3. Have a multidisciplinary team 4. Use agile methods 5. Iterate and improve frequently 6. Evaluate tools and systems 7. Understand security and privacy issues 8. Make all new source code open 9. Use open standards and common platforms 10. Test the end-to-end service 11. Make a plan for being offline 12. Make sure users succeed first time 13. Make the user experience consistent with GOV.UK 14. Encourage everyone to use the digital service 15. Collect performance data 16. Identify performance indicators 17. Report performance data on the Performance Platform 18. Test with the minister https://www.gov.uk/service-manual/service-standard

11. 360 days

12. https://www.gov.uk/design-principles / https://www.flickr.com/photos/psd/9120523574/

13. @jystewart The right… 1. To be informed 2. Of access

    3. To rectification 4. To erasure 5. To restrict processing 6. To data portability 7. To object 8. In relation to automated decision making and profiling. The principle of: 1. Lawfulness, fairness and transparency 2. Purpose limitation 3. Data minimisation 4. Accuracy 5. Storage limitation 6. Integrity and confidentiality 7. Accountability

14. @jystewart GDPR puts the focus on users. We should all

    be doing that already.

15. @jystewart Data protection should be a conversation with our users

16. @jystewart Can we explain our purpose in "plain English”?

17. We need to engage with this as a design challenge

    https://newdigitalrights.projectsbyif.com/

18. @jystewart Understand the purpose and goals of our business

19. @jystewart Engage everyone to meet those goals

20. @jystewart This is a chance to build strong feedback loops

21. @jystewart This is an opportunity to build better cultures

22. @jystewart This is an opportunity to build better cultures, focused

    on users

23. @jystewart This is an opportunity to build better cultures, focused

    on users, with strong feedback loops

24. @jystewart This is an opportunity to build better cultures, focused

    on users, with strong feedback loops; to make our organisations more resilient

25. @jystewart This is an opportunity to build better cultures, focused

    on users, with strong feedback loops; to make our organisations more resilient, and to win our users’ trust and loyalty

26. What about security?

27. @jystewart Too many organisations don't know what we have

28. @jystewart Too many organisations don't know what we have, we

    hoard data

29. @jystewart Too many organisations don't know what we have. We

    hoard data and we don’t build a culture of stewardship.

30. @jystewart Data is a volatile asset

31. @jystewart Data is a volatile asset, the most valuable thing

    we have and maybe the riskiest

32. @jystewart “If security doesn't work for people, it doesn't work”

    - Emma W from NCSC https://www.ncsc.gov.uk/blog-post/cyberuk-2017-people-strongest- link

33. @jystewart By engaging the team, we can think about security

    as design, not just compliance

34. @jystewart We need a service- focused culture that helps people

    use data responsibly

35. @jystewart That means great tools and strong feedback loops

36. @jystewart So we know what we have, where it is,

    and how to protect it

37. @jystewart No security measures are ever perfect

38. @jystewart "the controller and the processor shall implement appropriate technical

    and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” - GDPR 32.1d

39. @jystewart Regulation is not aspiration

40. @jystewart If compliance is our goal we’ll always be playing

    catch-up

41. @jystewart Build organisations that understand users and test assumptions

42. @jystewart Clearly express purpose and goals internally and externally

43. @jystewart Build nimble, iterative services and clear feedback loops

44. @jystewart Bring everyone together around the real design challenges

45. 25th May 2018

46. Any questions? James Stewart @jystewart