MWLUG 2017, Moving Collaboration Forward: General Data Protection Regulation. Ignoring this = Paying Fines! Tim Clark, Stephanie Heit, BCC Ltd.


Page 1: General Data Protection Regulation

MWLUG 2017 Moving Collaboration Forward

General Data Protection Regulation. Ignoring this = Paying Fines!

Tim Clark

Stephanie Heit

BCC Ltd.

Page 2: General Data Protection Regulation

Our Amazing Sponsors

Page 3: General Data Protection Regulation

Agenda

• BCC, Stephanie & Tim

• What is GDPR

• Who it affects

• What you have to do

• Penalties

• Summary

• Where to find more information

Page 4: General Data Protection Regulation

Presenters

• Tim Clark

• Director Services & Support

• IBM Champion 13-17

• Stephanie Heit

• Director, BCC Ltd

• 17 years with Notes & Domino

Page 5: General Data Protection Regulation

About BCC

• Founded in 1996

• IBM Business Partner

• Locations: Frankfurt (HQ), London, Boston

• 800+ customers

Page 6: General Data Protection Regulation

BCC Solutions

Page 7: General Data Protection Regulation

Cultural Differences

• Europe

– Personal self-determination

– Personal data protection

– Laws, not directives

• USA

– Consumer focused

– Treated fairly

– Not protected

– Directives, not laws

Page 8: General Data Protection Regulation

What is GDPR

• General Data Protection Regulations

– Regulation

• (EU) 2016/679 (88 pages)

– Directives

• (EU) 2016/680 (43 pages)

• (EU) 2016/681 (18 pages)

• Now the boring stuff is out of the way…

Page 9: General Data Protection Regulation

What is it really about?

• A single set of legislation across Europe that gives individuals better control of their personal data

• Became effective law in 2016

• 2 year grace period to get ready

Page 10: General Data Protection Regulation

Why worry about it now?

“The GDPR is causing great concern for businesses, with 50 percent of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate.”

James Walker, UK MD, JAW Consulting UK
https://www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/

Must be ready by Friday, May 25th 2018

Page 11: General Data Protection Regulation

Legal Glossary

• Personal Data

• Controllers & Processors

• Data Protection Officers

• Profiling

• Breach & Notification

• Data Subject Access Requests

Page 12: General Data Protection Regulation

Definition of ‘Personal Data’

“Any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

A Summary of the EU General Data Protection Regulation: Peter Galdies, DataIQ, 14th January 2016.
www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation

Page 13: General Data Protection Regulation

Controllers & Processors

• Controllers

– Owners of the data

– Responsible for data security

– Make sure Processors are compliant

• Processors

– Work with the data

– Must take responsible actions with the data

• The relationship between Controllers and Processors must be documented

Page 14: General Data Protection Regulation

Legal Glossary (cont.)

• Data Protection Officers

– Required for public authorities and for large-scale processing of special types of personal data

– Expert knowledge of DP laws

– Can be made tighter by EU Member States

• Profiling

– Any automated processing of personal data to determine certain criteria about a person. “In particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Page 15: General Data Protection Regulation

Legal Glossary (cont.)

• Breach & Notification

– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

• Data Subject Access Request

– The right of the individual to understand what is stored and how it is used

Page 16: General Data Protection Regulation

Brief Summary

• If you collect any personal data of an EU citizen, you need to comply

• Data subjects can ask for their data

• There are penalties for non-compliance

Page 17: General Data Protection Regulation

Who it affects

• ANYONE who collects data about any EU citizen that is identifiable to them

• Anywhere in the world

• No boundaries

Page 18: General Data Protection Regulation

Privacy Management

• Data protection safeguards are to be ‘built in’ to systems: Data by Design

• Privacy-friendly techniques, e.g. pseudonymisation

• Record keeping has increased emphasis

– Answering auditors

– Data Subject Access Requests

• The right to be forgotten

Page 19: General Data Protection Regulation

Consent

• Consent to collect the data has to be given

– Does not have to be explicit

– Purpose for data collection has to be explicit

– Has to be demonstrable: how and when it was given

• Withdrawing consent has to be possible

– Should be as easy as giving consent

Page 20: General Data Protection Regulation

Breaches & Notification

• Breach & Notification

– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

• 72 hours to notify supervisory authority

• May have to notify data subjects too

Page 21: General Data Protection Regulation

WARNING!!!

• The next slide may make you sit up sharply in your seat.

• You have been warned.

Page 22: General Data Protection Regulation

Penalties

• Greater of €10 million or 2% of entity’s global gross revenue

– Violations of record keeping, security, breach notification and privacy impact assessment obligations

• Greater of €20 million or 4% of entity’s global gross revenue

– Violations of legal justification for processing (consent), data subject rights and cross-border data transfers

Page 23: General Data Protection Regulation

Please be ready

Page 24: General Data Protection Regulation

Suggested minimum technical steps

• Firewalls

• User access control management functionality in Windows

• Unique passwords of sufficient complexity and regular (but not too frequent) expiry on all devices

• Regular software updates

• Timely decommissioning and secure wiping of old software and hardware

• Real-time protection anti-virus, anti-malware and anti-spyware software

• Encryption of all portable devices, ensuring appropriate protection of the key

• Encryption of personal data in transit by using suitable encryption solutions

• Implement secure configuration on all devices (including mobile phones)

• Put in place intrusion detection and prevention

• Data backup

Page 25: General Data Protection Regulation

What can you do now?

1. Make key departments aware

2. Work out what you have

3. Get your minimum technical steps in progress

4. Revise existing privacy notices

5. Review procedures for new rights

6. Plan how to handle requests

7. Document your legal basis for your use of data

8. Review how you get consent and record it

9. Procedures for data breaches and checks

10. Appoint a Data Protection Officer

Page 26: General Data Protection Regulation

Sources

• EU General Data Protection Regulation ratified: KPMG, 2016.
assets.kpmg.com/content/dam/kpmg/pdf/2016/05/EU-General-Data-Protection-Regulation-ratified-18-04-2016.pdf

• Guidance: what to expect and when: Information Commissioner’s Office.
ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/

• Overview of the General Data Protection Regulation (GDPR): Information Commissioner’s Office.
ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

• Preparing for the EU GDPR: What You Need To Know: James Walker, SC Media, 4th March 2016.
www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/

• A Summary of the EU General Data Protection Regulation: Peter Galdies, DataIQ, 14th January 2016.
www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation

• EU Official Journal issue L 119.
eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN

• Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now: Information Commissioner’s Office, 14th March 2016.
ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

• IBM – Little Bee books – How it works – GDPR.
http://littlebeelibrary.com/pdfs/GDPR.pdf


Page 28: General Data Protection Regulation

Questions

• Tim Clark

[email protected]

• TimsterC (Skype)

• Stephanie Heit

[email protected]

• Stephanie Heit (Skype)

http://bcchub.com