General Data Protection Regulation (GDPR) for CEO s Quick overview & impact

Transcription

1 General Data Prtectin Regulatin (GDPR) fr CEO s Quick verview & impact ISSE, Nvember 14th 2017 Erik Luysterbrg EMEA Data Prtectin & Privacy Leader

2 Why is GDPR n the agenda? Cllectin, analysis and internatinal sharing f persnal data is becming fundamental fr research, develpment and marketing prducts and services, including ptimizatin f the wrkfrce. Technlgy tday allws cmpanies t gain imprtant cmpetitive advantages thrugh crss-brder and inter-departmental sharing and use f (persnal) data. The EU General Data Prtectin Regulatin (GDPR) aims t strengthen the legal framewrk fr the prtectin f persnal data. The bjective is t increase individuals cntrl ver their data, while ensuring that cmpanies take privacy int accunt thrughut their rganisatin. The GDPR intrduces new challenges fr rganizatins: New peratinal requirements and bligatins will require effective infrmatin management and gvernance, especially regarding third parties; Stricter requirements and extended rights fr individuals culd impact persnal data prcessing activities, as well as underlying IT systems; Increased enfrcement and audit pwers fr Data Prtectin Authrities, with administrative fines amunting t maximum 4% f glbal annual turnver; Reputatinal risk due t increased public attentin fr privacy and individuals expectatins regarding transparent, respnsible use f their data. But GDPR als creates pprtunities fr better infrmatin management and gvernance: Impetus t get cntrl ver data and enable effective analytics and infrmatin management Gain the trust and cnfidence frm custmers, emplyees, and partners 2017 Delitte Belgium Create a stable legal envirnment fr enhanced technlgy adptin (e.g. clud, big data, etc.)

3 Scpe f GDPR and main changes What will change against the frmer 1995 EU Data Prtectin Directive? General Data Prtectin Regulatin Brader territrial scpe Enfrcement Accuntability Expanded definitins Data subjects rights Cnsent Data breach ntificatin One-stp shp Internatinal data transfers Applies t players nt established in the EU but whse activities cnsist f targeting data subjects in the EU Data Prtectin Authrities will be entitled t impse fines ranging between 2 t 4% f annual turnver and increased pwers Explicit bligatin n cntrller AND prcessr t demnstrate their effective GDPR cmpliance (eg data prtectin fficer, privacy impact assessments (PIA), Privacy by Design, Data inventry, enhanced security) Persnal data nw explicitly includes lcatin data, IP addresses, nline and technlgy identifiers Reinfrced rights: Access, rectificatin, restrictin, erasure, bjectin t prcessing; n autmated prcessing and prfiling, data prtability Spelled ut mre clearly and fcus n ability f individuals t distinguish a cnsent. Need fr affirmative actin Reprt a persnal data breach t the Data Prtectin Authrity (eg. within 72h ) and pssibly the individuals cncerned Data Prtectin Authrities (DPA) f main establishment can act as lead DPA, supervising prcessing activities thrughut the EU Binding Crprate Rules as tls fr data transfers utside the EU and EEA are nw embedded in law 2017 Delitte Belgium 3

4 Need fr hlistic and pragmatic apprach GDPR is nt nly abut legal aspects f data prtectin GDPR is nt nly abut technical aspects f data prtectin GDPR calls fr a cmbined apprach embedded in a new infrmatin gvernance apprach Unclear privacy statement Right t be frgtten Legal Data exfiltratin Publicatin withut purpse Lgical applicatin errrs Unclassified infrmatin Authenticatin bypass Technlgy Business & Organisatin Outdated data inventry Legacy data in strage GDPR Cmpliance 2017 Delitte Belgium -- DRAFT -- Fr discussin purpses nly -- 4

5 GDPR implementatin in practice (with 6 mnths t g): sme bservatins 1. Need fr embedding Data Prtectin and Privacy by design Increase business (data) wnership by prviding insights in its sensitive (crwn jewel) data and assign clear wnership Install asap a GDPR adapted gvernance structure with clear mandate is a must-have executive spnsr, data, and applicatin level 2. Installing Risk Aware Culture is crucial awareness campaign, educatin human element 3. Need fr transitinal cmpliance measures nw - (eg infrmatin ntice/cnsent cannt wait but als technical changes (deletin, data prtability etc.).) and effective plicy/gvernance in peratins 4. Secure by Design Accuntability Build security rather than blt it n : internal technical and rganizatinal measures need t be upgraded and earlier invlvement in all prjects, level f security adapted t data in scpe, risk based security services and create glbal security tl inventry 5. (External) Third Party Management - List and risk rank them, check what and hw they ensure GDPR cmpliance and if needed, train them and actually start defining scpe f risk assessments and audits 6. Ensure detectin capabilities are adequate - cntinuus mnitring f data, cntent and behavir 7. Incident Respnse - tied t Crisis Management (Asset Prtectin, Lss Preventin) 2017 Delitte Belgium

6 Sme cnclusive remarks Cntinued fcus needed n cnvergence and chabitatin between data privacy, data security and data gvernance (quality) : Data Privacy: Raise awareness and knw-hw in business and supprt functins Start develpment and implementatin f privacy by design in practice nw (requires new apprach) Establish clear data gvernance structures and priritze GDPR readiness in cnsistent manner Pr-active apprach will be required (better t avid then t explain), als twards regulatrs Data Security: Cntinue t drive a risk aware culture (change security mindset in rganizatin and increase business wnership (incl. fr security) Secure by design and structural crdinatin with cybersecurity initiatives will becme crucial Data Gvernance (quality) : Need t frmally appint data wners and spnsrs with clear mandate Implement permanent data quality maintenance prcess, KPI s and jb descriptins as well as data quality strategy where prgress is tracked (eg data quality testing n all critical data attributes) Strike right balance between (GDPR) data challenges and (data analytics) pprtunities (eg Clud pwered envirnments) and establish clear risk tlerance criteria 2017 Delitte Belgium