View
207
Download
3
Embed Size (px)
Citation preview
MWLUG 2017Moving Collaboration Forward
General Data Protection Regulation.Ignoring this = Paying Fines!
Tim Clark
Stephanie Heit
BCC Ltd.
MWLUG 2017Moving Collaboration Forward
Our Amazing Sponsors
MWLUG 2017Moving Collaboration Forward
Agenda
• BCC, Stephanie & Tim
• What is GDPR
• Who it affects
• What you have to do
• Penalties
• Summary
• Where to find more information
MWLUG 2017Moving Collaboration Forward
Presenters
• Tim Clark
• Director Services & Support
• IBM Champion 13-17
• Stephanie Heit
• Director, BCC Ltd
• 17 years with Notes & Domino
MWLUG 2017Moving Collaboration Forward
About BCC
• Founded in 1996
• IBM Business Partner
• Locations: Frankfurt
(HQ), London, Boston
• 800+ customers
MWLUG 2017Moving Collaboration Forward
BCC Solutions
MWLUG 2017Moving Collaboration Forward
• Europe
– Personal self determination
– Personal Data Protection
– Laws, not directives
• USA
– Consumer focused
– Treated fairly
– Not Protected
– Directives, not laws
Cultural Differences
MWLUG 2017Moving Collaboration Forward
What is GDPR
• General Data Protection Regulations
– Regulation
• (EU) 2016/679 (88 pages)
– Directives
• (EU) 2016/680 (43pages)
• (EU) 2016/681 (18 pages)
• Now the boring stuff is out of the way…..
MWLUG 2017Moving Collaboration Forward
What is it really to do with?
• Single set of legislation across Europe that gives individuals get better control of their personal data
• Became effective law in 2016
• 2 year grace period to get ready
MWLUG 2017Moving Collaboration Forward
Why worry about it now?
“The GDPR is causing great concern for businesses, with 50 percent of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate.”James Walker, UK MD, JAW Consulting UKhttps://www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
Must be ready by Friday, May 25th 2018
MWLUG 2017Moving Collaboration Forward
Legal Glossary
• Personal Data
• Controllers & Processors
• Data Protection Officers
• Profiling
• Breach & Notification
• Data Subject Access Requests
MWLUG 2017Moving Collaboration Forward
Definition of ‘Personal Data’
“Any information relating to an person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”A Summary of the EU General Data Protection Regulation: Peter Galdies DataIQ. 14th January 2016.www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
MWLUG 2017Moving Collaboration Forward
Controllers & Processors
• Controllers– Owners of the data– Responsible for data security– Make sure Processors are compliant
• Processors– Work with the data– Must take responsible actions with the data
• The relationship between Controllers and Processor must be documented
MWLUG 2017Moving Collaboration Forward
Legal Glossary (cont.)
• Data Protection Officers– Public Authorities, Large scale processing of special types
of personal data– Expert knowledge of DP laws– Can be made tighter by EU Member States
• Profiling– Any automated processing of personal data to determine
certain criteria about a person.“In particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
MWLUG 2017Moving Collaboration Forward
Legal Glossary (cont.)
• Breach & Notification
– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
• Data Subject Access Request
– The right of the individual to understand what is stored and how it is used
MWLUG 2017Moving Collaboration Forward
Brief Summary
• If you collect any personal data of an EU citizen, you need to comply
• Data subjects can
– ask for data
• There are Penalties for non-compliance
MWLUG 2017Moving Collaboration Forward
Who it affects
• ANYONE who collects data about any EU citizen that is identifiable to them
• Anywhere in the world
• No boundaries
MWLUG 2017Moving Collaboration Forward
Privacy Management
• Data protection safeguards to be ‘built in’ to systems. Data by Design
• Privacy-friendly – pseudonymisation
• Record keeping has increased emphasis
– Answering auditors
– Data Subject Access Requests
• The right to be forgotten
MWLUG 2017Moving Collaboration Forward
Consent
• Consent to collect the data has to be given
– Does not have to be explicit
– Purpose for data collection has to be explicit
– Has to be demonstrable, how and when
• Withdrawing consent has to be possible
– Should be as easy as giving consent
MWLUG 2017Moving Collaboration Forward
Breaches & Notification
• Breach & Notification
– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
• 72 hours to notify supervisory authority
• May have to notify data subjects too
MWLUG 2017Moving Collaboration Forward
WARNING!!!
• The next slide may make you sit up sharply in your seat.
• You have been warned.
MWLUG 2017Moving Collaboration Forward
Penalties
• Greater of €10 million or 2% of entity’s global gross revenue
– Violation of record keeping, security, breach notifications & privacy impact assessment
• Greater of €20 million or 4% of entity’s global gross revenue
– Violations of legal justification for processing (consent), data subject rights and cross-border data transfers
MWLUG 2017Moving Collaboration Forward
Please be ready
MWLUG 2017Moving Collaboration Forward
Suggested minimum technical steps
• Firewalls• User access control management functionality in Windows• Unique passwords of sufficient complexity and regular (but not too
frequent) expiry on all devices• Regular software updates• Timely decommissioning and secure wiping of old software and hardware• Real-time protection anti-virus, anti-malware and anti-spyware software• Encryption of all portable devices ensuring appropriate protection of the
key• Encryption of personal data in transit by using suitable encryption
solutions• Implement secure configuration on all devices (including mobile phones)• Put in place intrusion detection and prevention• Data backup
MWLUG 2017Moving Collaboration Forward
What can you do now?
1. Make key departments aware2. Work out what you have3. Get you minimum technical steps in progress4. Revise existing privacy notices5. Review procedures for new rights6. Plan how to handle requests7. Document your legal basis for your use of data8. Review how you get consent and record it9. Procedures for data breaches and checks10. Appoint a Data Protection Officer
MWLUG 2017Moving Collaboration Forward
Sources
• EU General Data Protection Regulation ratified: KPMG 2016assets.kpmg.com/content/dam/kpmg/pdf/2016/05/EU-General-Data-Protection-Regulation-ratified-18-04-2016.pdf
• Guidance: what to expect and when: Information Commissioner’s Office.ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/
• Overview of the General Data Protection Regulation (GDPR): Information Commissioner’s Officeico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
• Preparing for the EU GDPR: What You Need To Know: James Walker. SC Media 4th March 2016.www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
• A Summary of the EU General Data Protection Regulation: Peter Galdies DataIQ. 14th January 2016.www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
• EU Official Journal issue L 119eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN
• Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. Information Commissioner’s Office 14th March 2016.ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• IBM – Little Bee books - How it works – GDPRhttp://littlebeelibrary.com/pdfs/GDPR.pdf
MWLUG 2017Moving Collaboration Forward
Our Amazing Sponsors
MWLUG 2017Moving Collaboration Forward
Questions
• Tim Clark
• TimsterC (Skype)
• Stephanie Heit
• Stephanie Heit (Skype)
http://bcchub.com