Do You Have a Roadmap for EU GDPR Compliance?
Speakers:
David Morris, Thought Leader and Pioneer in Cybersecurity, United States
Ian West, Specialist in GDPR, Data Governance, Data Privacy & Security, United Kingdom
Ulf Mattsson, CTO Security Solutions, Atlantic BT, United States
Khizar A. Sheikh, Chair, Privacy, Cybersecurity, and Data Law, Mandelbaum Salsburg, United States
Impact
Do you control or process personal data about ANY individuals in the EU? (The GDPR protects data subjects who are in the EU, not only EU citizens.)
If so, you have to be GDPR compliant by 25th May 2018, or manage the implications of the fines and the reputational damage of any and every data breach, whether the data concerns customers, employees or suppliers.
© 2017 - The GDPR Institute - All Rights Reserved
The Institute's Purpose
Create a community of Data Privacy, Data Security and Data Governance experts to assist large, medium and small organisations in addressing the challenge and maximising the opportunity created by the General Data Protection Regulation.
GDPR Challenge or GDPR Opportunity?
The Institute's Community
• Corporate Clients
• 61 Million Global Experts
• GDPR Consulting Providers
• GDPR Technology Solutions
• GDPR Audit Services
• GDPR Legal Advisors
• GDPR Training Providers
• GDPR Recruitment Services
Bringing Together to Solve GDPR
Goal: a GDPR Defensible Position, built from:
• GDPR Consulting Providers
• GDPR Technology Solutions
• GDPR Legal Advisors
• GDPR Recruitment Services
• GDPR Training Providers
• GDPR Audit Services
• 61 Million Global Experts
Opportunity or Challenge?
1. Fines
2. Loss of Customers
3. Reputational Damage
versus the COST of Compliance
Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change
GDPR = Enterprisewide Change Management
From the Post Room to the Board Room
People, Process, Technology, Information
Key Questions
1. What personal data do you hold: customer, employee, supplier, contractor, sub-contractor, citizen, patient, etc.?
2. Where is that data located? PC hard drive, remote storage or backup device, on-premise database or content server, or in the cloud?
3. How are you using that data?
4. Do you have a valid legal basis (e.g. consent, or a contract with the data subject) to use the data in the way you are using it? Note that under the GDPR consent must be an unambiguous, affirmative act; implied consent is not sufficient.
Immediate Action Plan
1. Seek legal advice
2. Conduct a Privacy Impact Assessment (the GDPR calls this a Data Protection Impact Assessment, DPIA)
3. Complete a readiness assessment to address the key questions
4. Secure executive sponsorship and a meaningful budget
5. Develop a consent management strategy
6. Build a Data Subject Access Request (DSAR) process before you get swamped
7. Ensure you have all your breach detection technology in place: database, content repositories, network traffic, dark web monitoring
8. Prepare for the worst, and breathe a sigh of relief if it doesn't happen
The GDPR Institute
Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity
A Member-Owned Not-for-Profit Organisation
www.gdpr.institute
General
• The EU General Data Protection Regulation (GDPR) was adopted on April 8, 2016 and applies from May 25, 2018.
• The GDPR replaces the current Data Protection Directive 95/46/EC and is directly applicable in all Member States without the need for implementing national legislation.
• The Article 29 Working Party (WP29) guidelines on data protection officers, identifying a lead supervisory authority (one-stop-shop), and the new right to data portability were first adopted in December 2016 and revised on April 5, 2017.
• More guidelines are expected during 2017.
Expanded Territorial Reach
• The GDPR regulates data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or the monitoring of the behavior of, data subjects in the EU.
• "Offering goods or services" requires more than mere accessibility of a website or email address, but could be triggered by use of a language or currency generally used in one or more Member States combined with the possibility of ordering goods/services there, and/or mentioning customers or users who are in the EU.
• "Monitoring of behavior" will occur, e.g., where individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made or to predict personal preferences.
• This means that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.
Role of Data Processors
• Data processors have direct obligations for the first time. These include an obligation to:
• maintain a written record of processing activities carried out on behalf of each controller;
• designate a data protection officer where required;
• appoint a representative (when not established in the EU) in certain circumstances; and
• notify the controller on becoming aware of a personal data breach without undue delay.
• Provisions on cross border transfers also apply to processors, and Binding Corporate Rules for processors are formally recognized.
• New status of data processors will impact how data protection matters are addressed in supply and other commercial agreements.
Notice /Consent
• Data controllers must continue to provide transparent information to data subjects at the time personal data is obtained.
• Existing forms of fair processing notices and consents will have to be re-examined as GDPR requirements are more detailed.
• Consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give.
• Consent is not freely given if the data subject has no genuine and free choice or is unable to withdraw or refuse consent without detriment.
• Consent must be “explicit” for sensitive data.
• The data controller is required to be able to demonstrate that consent was given.
Notice / Consent Issues
• Contracts:
• Requests for consent should be separate from other terms, and be in clear and plain language.
• Does consent provide a valid legal ground for processing where there is a significant imbalance between the data subject and the data controller?
• Whether consent has been freely given depends on, e.g., whether the performance of a contract is made conditional on consent to processing of data that is not necessary to perform that contract (may affect e-commerce services, among others).
• Employment:
• Member States may provide more specific rules for the use of consent in the employment context.
• Marketing:
• Where personal data is processed for direct marketing, the data subject has a right to object.
• This right must be explicitly brought to their attention.
• Children / Parents:
• A child can consent to information society services from age 16; Member States can lower this age to no lower than 13 (lack of harmonization).
• Data Transformation:
• When is data no longer the data subject's personal information (e.g. after anonymization)?
Penalties
• The GDPR establishes a tiered approach to penalties.
• It enables the DPAs to impose fines for some breaches of up to the greater of 4% of annual worldwide turnover or 20 million euros (e.g., breach of requirements relating to international transfers or of the basic principles for processing, such as the conditions for consent).
• Other specified breaches are subject to a fine of up to the greater of 2% of annual worldwide turnover or 10 million euros.
• A list of considerations to weigh when imposing fines (such as the nature, gravity and duration of the breach) is included.
Which Authority?
• The mechanism is complicated as it distinguishes between cross-border and domestic processing.
• There are complex cooperation and coordination procedures for DPAs.
• To allow organisations to have their cases dealt with locally (the one-stop-shop), the GDPR contains a detailed regime with a Lead Supervisory Authority and Concerned Supervisory Authorities working together.
• The WP29 has provided guidance on how to identify a Lead Supervisory Authority.
• It remains to be seen how it will work in practice and whether it can work without forum shopping.
GDPR Case Studies
Source: EU GDPR Report, Crowd Research Partners, 2017
1. US and Spain – customer data
2. Italy, Germany and more – financial data
3. Germany – outsourcing
4. Sweden – PII data