Do You Have a Roadmap for EU GDPR Compliance?

David Morris, Thought Leader and Pioneer in Cybersecurity, United States
Ian West, Specialist in GDPR, Data Governance, Data Privacy & Security, United Kingdom
Ulf Mattsson, CTO Security Solutions, Atlantic BT, United States
Khizar A. Sheikh, Chair, Privacy, Cybersecurity, and Data Law, Mandelbaum Salsburg, United States

GDPR Action Plan

A Member-Owned Not-for-Profit Organisation

GDPR = Trust

ENTERPRISE wide Trust

© 2017 - The GDPR Institute - All Rights Reserved

Impact

Do you control or process personal data about ANY individuals in the EU? (The GDPR protects data subjects who are in the EU, regardless of their citizenship.)

If so, you have to be GDPR compliant by 25th May 2018, or manage the implications of the fines and the reputational damage of any and every data breach – including breaches of customer, employee and supplier data.


The Institute's Purpose

Create a community of Data Privacy, Data Security and Data Governance experts to assist large, medium and small organisations to address the challenge, and maximise the opportunity, created by the General Data Protection Regulation.

GDPR Challenge or GDPR Opportunity?

The Institute's Community

Corporate Clients, 61 Million Global Experts, GDPR Consulting Providers, GDPR Technology Solutions, GDPR Audit Services, GDPR Legal Advisors, GDPR Training Providers, GDPR Recruitment Services


Bringing Together to Solve GDPR

Working towards a GDPR Defensible Position: GDPR Consulting Providers, GDPR Technology Solutions, GDPR Legal Advisors, GDPR Recruitment Services, GDPR Training Providers, GDPR Audit Services, 61 Million Global Experts


Opportunity or Challenge?

Weighed against the COST of Compliance:

1. Fines
2. Loss of Customers
3. Reputational Damage


Change

GDPR = Enterprise-wide Change Management, from the Post Room to the Board Room, across People, Process, Technology and Information


Key Questions

1. What Personal Data do you hold – Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Patient, etc.?

2. Where is that Data located? PC hard drive, remote storage or backup device, on-premise database or content server, or in the Cloud?

3. How are you using that Data?

4. Do you have explicit or implied permission to use the data in the way you are using it?


Immediate Action Plan

1. Seek Legal Advice

2. Conduct a Privacy Impact Assessment (the GDPR's term is a Data Protection Impact Assessment, or DPIA, which is mandatory where processing is likely to result in a high risk to individuals)

3. Complete a Readiness Assessment to address the key questions

4. Secure Executive Sponsorship and a meaningful budget

5. Develop a Consent Management Strategy

6. Build a Data Subject Access Request process before you get swamped

7. Ensure you have all your Breach Detection technology in place – Database, Content Repositories, Network Traffic, Dark Web

8. Prepare for the worst, and breathe a sigh of relief if it doesn't happen


The GDPR Institute

Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity

A Member-Owned Not-for-Profit Organisation

www.gdpr.institute

General

• The EU General Data Protection Regulation (GDPR) was adopted on April 8, 2016 and applies from May 25, 2018.

• The GDPR replaces the current Data Protection Directive 95/46/EC and is directly applicable in all Member States without the need for implementing national legislation.

• The Article 29 Working Party (WP29) guidelines on data protection officers, on identifying the lead supervisory authority (the one-stop-shop), and on the new right to data portability were first adopted on December 13, 2016 and revised on April 5, 2017.

• More guidelines are expected for 2017.

Expanded Territorial Reach

• The GDPR regulates data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behavior of, data subjects in the EU.

• “Offering goods or services” is more than mere access to a website or email address, but could be triggered by use of language or currency generally used in one or more Member States with the possibility of ordering goods/services there and/or mentioning customers or users who are in EU.

• “Monitoring of behavior” will occur, e.g., where individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made/predict personal preferences, etc.

• This means that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.

Role of Data Processors

• Data processors have direct obligations for the first time. These include an obligation to:

• maintain a written record of processing activities carried out on behalf of each controller;

• designate a data protection officer where required;

• appoint a representative (when not established in the EU) in certain circumstances; and

• notify the controller on becoming aware of a personal data breach without undue delay.

• Provisions on cross border transfers also apply to processors, and Binding Corporate Rules for processors are formally recognized.

• New status of data processors will impact how data protection matters are addressed in supply and other commercial agreements.

Notice /Consent

• Data controllers must continue to provide transparent information to data subjects at the time personal data is obtained.

• Existing forms of fair processing notices and consents will have to be re-examined as GDPR requirements are more detailed.

• Consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give.

• Consent is not freely given if the data subject has no genuine and free choice or is unable to withdraw or refuse consent without detriment.

• Consent must be “explicit” for sensitive data.

• The data controller is required to be able to demonstrate that consent was given.

Notice / Consent Issues

• Contracts:

• Requests for consent should be separate from other terms, and be in clear and plain language.

• Consent is unlikely to provide a valid legal ground for processing where there is a significant imbalance between the data subject and the data controller (Recital 43).

• Whether consent has been freely given depends on, e.g., whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract (may affect e-commerce services, among others).

• Employment:

• Member States may provide more specific rules for use of consent in employment context.

• Marketing:

• Where personal data is processed for direct marketing the data subject will have a right to object.

• This right must be explicitly brought to their attention.

• Children / Parents:

• Member States can lower the age at which a child can give their own consent to online (information society) services from 16 to as low as 13 (lack of harmonisation).

• Data Transformation:

• When is data no longer the data subject's personal data? Under the GDPR, pseudonymised data that can still be re-linked to an individual remains personal data; only truly anonymised data falls outside the Regulation.

Penalties

• The GDPR establishes a tiered approach to penalties.

• Enables the DPAs to impose fines of up to the greater of 4% of annual worldwide turnover or 20 million euros for some breaches (e.g., breach of the requirements relating to international transfers or of the basic principles for processing, such as the conditions for consent).

• Other specified breaches are subject to a fine of up to the greater of 2% of annual worldwide turnover or 10 million euros.

• A list of considerations when imposing fines (such as the nature, gravity and duration of the breach) is included.

Which Authority?

• The mechanism is complicated as it distinguishes between cross-border and domestic processing.

• There are complex cooperation and coordination procedures for DPAs.

• So that organisations carrying out cross-border processing can deal with a single authority (the one-stop-shop), the GDPR contains a detailed regime in which a Lead Supervisory Authority and the Concerned Supervisory Authorities work together.

• The WP29 has provided guidance on how to identify a Lead Supervisory Authority.

• It remains to be seen how it will work in practice and whether it can work without forum shopping.

GDPR Already a Reality

Source: Cordery Legal Compliance, UK, 2017

GDPR Rules Require Data Protection Technology

Source: Imperva, 2017

GDPR Case Studies

Source: EU GDPR Report, Crowd Research Partners, 2017

1. US and Spain – customer data
2. Italy, Germany and more – financial data
3. Germany – outsourcing
4. Sweden – PII data

Preparing for GDPR
