General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Transcription

1 General Data Protection Regulation April 3, 2018 Sarah Ackerman, Managing Director Ross Patz, Consultant

2 Introductions Sarah Ackerman, CISSP, CISA Managing Director, Cincinnati Responsible for overall engagement quality of services provided to clients Areas of expertise include information security, risk management, IT audit, and other related services Ross Patz Consultant, Cincinnati Areas of expertise include information technology management, disaster recovery, IT infrastructure engineering, information security, IT audit, and other related services 2

3 Today s Agenda What is GDPR? Who s covered? GDPR Key takeaways Privacy Shield 3

4 What is the General Data Protection Regulation?

5 What is GDPR? European Union s General Data Protection Regulation May 25, 2018 Comprehensive, uniform data privacy and security

6 Purpose GDPR was created to Set rules for processing of information Protect privacy Ensure free movement of personal data The protection of natural persons in relation to the processing of personal data is a fundamental right. European Parliament 6

7 Penalties Fines for non-compliance: 20M 4% of worldwide revenue Whichever is higher 7

8 Who s covered under GDPR?

9 Categories of Business Entities operating in member States International businesses with EU entities International catch-all clause 9

10 Covered Activities Data Controllers..the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data Data Processors a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller Data Recipients a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Source: Official Journal of the European Union 10

11 Entities Outside the EU Two methods for transferring data outside the EU Adequacy decision Essentially reciprocity Appropriate safeguards The entity receiving the data can prove that it has controls in place to meet the GDPR standards for privacy 11

12 Organization of the Law

13 Organization of the Law Legislative Acts & Regulation Source: Official Journal of the European Union 13

14 Organization of the Law (cont.) Regulation 10 Chapters 99 Articles Very descriptive! 14

15 Organization of the Law (cont.) (37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings Source: Official Journal of the European Union 15

16 Organization of the Law (cont.) Chapter II Principles Relating to Processing of Personal Data Chapter III Rights of the Data Subject Chapter IV Controller and Processor Chapter V Transfers of Personal Data to Third Countries or International Organizations 16

17 Who Manages GDPR Supervisory Authority Appointed by each member State Ensures Law is applied equally and fairly Enforces Law within their State European Data Protection Board One representative of each Supervisory Authority Handles dispute resolution and overall governance US Regulators FTC Department of Commerce 17

18 GDPR: Key Takeaways

19 Changes from Previous Privacy Directives Increased territorial scope Including the cloud Consent Breach notification Right to access Right to correct; Right to be forgotten Data portability Privacy by design Data Protection Officers 19

20 Overlap Not a total re-write of existing program Some overlap with: NIST Security and Privacy Controls ISO IT Security Techniques Privacy Framework AICPA s Generally Accepted Privacy Principles (GAPP) OCC s Privacy Laws and Regulations 20

21 To Do List Internal business analysis Create/update documentation: Decisions related to data processing Privacy and security policies (e.g., data storage) Data breach notification procedures Informed consent Review contracts (controllers/processors) Determine Data Protection Officer Education and awareness 21

22 Common Challenges Underestimating scope have you started? How to interpret What additional measures needed? Building/maintaining inventory of data processing Lack of capabilities For example, who to be Privacy rep in EU? 22

23 Future of Compliance Legislation in US Congress? Brexit similar to Switzerland? 23

24 Privacy Shield

25 Privacy Shield & GDPR Privacy Shield addresses privacy protections of GDPR Part of framework accommodates aspects of GDPR Covers methods of data transfer 25

26 Privacy Shield Overview Who does it apply to? US companies transferring data related to EU & Swiss individuals What does it cover? Provides mechanism to comply with data protection requirements (e.g., GDPR) When does it take effect? Now as soon as you self-certify Where is it administered? Why was it created? Administered: International Trade Administration (ITA) Enforced: US Department of Commerce (part of Federal Trade Commission) Also: Data Protection Authorities (DPA) European Commission Replace Safe Harbor 26

27 Privacy Shield vs. Safe Harbor Safe Harbor no longer recognized by EU Privacy Shield provides adequate protection Joining Privacy Shield will automatically withdraw from Safe Harbor As of September 2017: 2,400 organizations have joined Privacy Shield 27

28 Privacy Shield Principles Privacy Shield contains: Principles What you should focus on Letters Describes how FTC will run program and enforce 23 total Principles 7 commonly recognized privacy principles 16 supplemental principles Explain and augment first 7 Requirements cover: Use and treatment of personal data received from EU Access and recourse mechanisms 28

29 Privacy Shield Privacy Principles 1. Notice 2. Choice 3. Accountability for Onward Transfer 4. Security 5. Data Integrity and Purpose Limitation 6. Access 7. Recourse, Enforcement and Liability 29

30 Privacy Shield Supplemental Principles 1. Sensitive Data 2. Journalistic Exceptions 3. Secondary Liability 4. Performing Due Diligence and Conducting Audits 5. The Role of the Data Protection Authorities 6. Self-Certification 7. Verification 8. Access 9. Human Resources Data 10. Obligatory Contracts for Onward Transfers 11. Dispute Resolution and Enforcement 12. Choice Timing of Opt Out 13. Travel Information 14. Pharmaceutical and Medical Products 15. Public Record and Publicly Available Information 16. Access Requests by Public Authorities 30

31 Privacy Shield vs. Safe Harbor What s New? New privacy protections Notice requirements Accountability for onward transfer Purpose limitation and data retention Enhanced complaint resolution Response time Free dispute resolution Binding arbitration Ongoing requirements if withdraw and maintain data Improved cooperation and transparency 31

32 Privacy Shield Subsidiaries Must identify all entities, subsidiaries All subs must inform individuals about adhering to Principles 32

33 Privacy Shield How to Join 1. Confirm eligibility 2. Develop a compliant privacy policy 3. Establish Independent Recourse Mechanism (IRM) 4. Ensure verification mechanism is in place 5. Identify your point of contact 6. Self-certify 7. Reaffirm self-certification annually 8. Reply to inquiries 33

34 Privacy Shield Verification Self-assessment or third party Assess published privacy policy Periodic objective reviews of compliance Audit, random reviews, or technology tools Signed statement verifying self-assessment or outside compliance review 34

35 Privacy Shield Impact Increased regulatory focus Stronger obligations for data transfers Increased risk from third parties Respond to disputes faster Document and maintain records, compliance reports 35

36 Privacy Shield Self-Certification Supports administration, supervision, related services Annual fee to participate Annual Revenue Single Framework $0 $5M $250 $375 $5M $25M $650 $975 $25M $500M $1000 $1500 $500M $5B $2500 $3750 Over $5B $3250 $4875 Both Frameworks Annual fee if retain data after withdrawal: $200 36

37 Questions? If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us: (513)