GDPR. Lessons Learned
- Merilyn Morton
- 5 years ago
1 GDPR Lessons Learned
2 Introduction 01
3 Privacy is a hot topic
- Privacy and Data Protection are increasingly in the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR) and uncertainty post Brexit
- Personal Information (PI) is a valuable asset through intelligence and monetisation opportunities
- Privacy awareness of the public has increased significantly, exacerbated by frequent personal data breaches catching media attention
- Demonstrating good privacy governance and practices will be considered by the FCA and other regulators
GDPR Lessons Learned Slide: 3
4 GDPR coming into force in May 2018 and organizations need to act now
- The volume of people, process and technology change required by the 25 May 2018 deadline of the GDPR should not be underestimated
- Many organisations are compliant, on paper, with existing legislation, but are yet to face the challenge of implementing the requirements through the entire personal data lifecycle
- As business models have been digitised, the volume of data held by organisations has increased significantly, resulting in organisations not understanding how much PI they hold, why they retain it and how it is being used
GDPR Timeline
- January: European Commission (EC) proposed GDPR
- March 2014: EU Parliament adopts compromise text
- Dec 2015: GDPR agreed
- April: GDPR formally adopted by member states; transition period of 2 years
- May 2018: GDPR takes effect
5 GDPR key changes (1/2)
- Expanded scope: applies to all data controllers and processors established in the EU and organizations that target EU citizens
- Consent: consumer consent to process data must be freely given and for specific purposes; customers must be informed of their right to withdraw their consent; consent must be explicit in the case of sensitive personal data or trans-border dataflow
- New rights:
  - The right to be forgotten: the right to ask data controllers to erase all personal data without undue delay in certain circumstances
  - The right to data portability: where individuals have provided personal data to a service provider, they can require the provider to port the data to another provider, provided this is technically feasible
  - The right to object to profiling: the right not to be subject to a decision based solely on automated processing
- Privacy Impact Assessments: organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data
- Privacy by Design: organizations should design data protection into the development of business processes and new systems
6 GDPR key changes (2/2)
- Data Protection Officers (DPOs): DPOs must be appointed if an organization conducts large scale systematic monitoring or processes large amounts of sensitive personal data
- Accountability: organizations must prove they are accountable by:
  - Establishing a culture of monitoring, reviewing and assessing data processing procedures
  - Minimizing data processing and retention of data
  - Building in safeguards to data processing activities
  - Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request
- Obligations on processors: new obligations on data processors; processors become an officially regulated entity
- Mandatory breach notification: organizations must notify the supervisory authority of data breaches without undue delay or within 72 hours, unless the breach is unlikely to be a risk to individuals; if there is a high risk to individuals, those individuals must be informed as well
- Fines of up to 4% of annual worldwide turnover: fines for a breach of the GDPR are substantial; regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater
7 The importance of privacy: moving beyond compliance
Compliance incentives
- Need to comply with laws, regulations, contracts and other agreements
- Increasing pressure from regulators
- Rising fines and penalties
- Minimise reputational damage
- Significant costs associated with recovery from breaches and potential lawsuits from those affected
Business incentives (moving beyond compliance)
- Move beyond compliance to build trusting relationships with stakeholders that drive loyalty and retention
- Privacy is a competitive differentiator in a data- and technology-driven world
- Enhance brand and reputation
- Satisfy stakeholders' expectations, especially in light of increasing public awareness of and concern about data privacy
- Proactively prevent loss of customers and market share as a result of data breaches
- Data protection as a moral responsibility towards customers and part of the CSR profile
- Prevent data breaches and avoid associated remediation costs
- Protect future revenue sources and create new ones from data with customer consent
8 GDPR can frustrate or support the digital proposition
Companies nowadays collect a high amount of data, which might lead to the collection and/or creation of personal identifiable information.
- Internet of Things: more and more Internet of Things devices are introduced and generate large volumes of data which can be used by organizations to support their market and client insights and improve the digital proposition, for example mobiles, connected cars and wearables.
- Digital marketing, sales and service: organizations are transforming their business into digital propositions. These propositions are built on technology and data. A precondition is the reuse of data.
- Partner and ecosystem: organizations are more and more connected with partners in an ecosystem. To utilize the advantages, data need to be shared across the ecosystem, while supporting privacy regulations.
Organisations need to identify the minimum amount of personal identifiable information they need in order to perform their data analysis, or perform anonymization or pseudonymization.
9 Transformation approach 02
10 Data Protection and Privacy Transformation approach
EY's unique approach:
- Comprehensive in reach through its four phases: understand, assess, design and implement
- Multi-disciplinary by integrating the legal, IT, risk and business perspectives of privacy
- Close cooperation with EY Law to translate legal requirements into a risk-based, customised approach
- Identification of high risks and focus on becoming compliant with current legislation, while keeping sight of the organisation's GDPR readiness
- Proven success in roll-out in various countries
11 A phased approach combining an overall GDPR maturity assessment and PIAs on high risk data flows
Key activities per phase:
- Framework
  - Phase 1: Overall maturity assessment; Customize Privacy Impact Assessment (PIA); Implementation plan
  - Phase 2: Privacy framework policy and standards; Data governance (including DPO position); Update implementation plan
  - Phase 3: Accountability; Privacy by Design; Monitoring and incident response; Notifications; Metrics, reports and dashboard
- Dataflow
  - Phase 1: Assessment of data flows using PIA, based on a risk based approach
  - Phase 2: Fixing reported gaps based on priority setting; Continue dataflow assessments
  - Phase 3: Fixing reported gaps based on priority setting; Continue dataflow assessments
- Vendor
  - Phase 1: Vendor risk management framework
  - Phase 2: Vendor risk assessment and update contracts
  - Phase 3: Vendor risk assessment and update contracts
- Awareness
  - Phases 1, 2 and 3: Awareness
12 Risk based approach to assess data flows based on a well established PIA process
Process steps: Dataflow inventory; Risk assessment dataflow; Defining risk appetite; Prioritize dataflows; Perform PIA; Define actions.
- Dataflow inventory: in order to fully assess privacy and compliance risks, organizations will need to understand how (customer and employee) data are used. Therefore, the first step of our PIA process consists of making an inventory of the dataflows, which includes i.a. a complete overview of data sources (systems and files), where data are stored, how they are processed, who they are shared with and how long they are retained. The dataflows will be inventoried during a (+/- 2 hour) workshop with internal stakeholders. Our dataflow tooling can be used to validate the outcome of such a workshop.
- Risk assessment dataflow: the second step of our PIA process consists of categorizing the dataflows by the associated risks (high/medium/low risk). Such a risk assessment, which consists of a (brief) questionnaire, enables organizations to prioritize dataflows, establish whether a PIA would be obligated based on the GDPR and creates an audit trail in this respect. Subjects of the risk assessment include i.a.: personal data; special data; volume of data; sensitivity of process.
- Defining risk appetite: using the gathered insights on the dataflows, the risk appetite will be defined to support expected GDPR changes, prioritize dataflows and define actions. EY will support in (i) developing a qualitative statement to articulate privacy risk, (ii) defining a clear appetite statement that can be measured and aligns to your strategy and (iii) identifying metrics from your Privacy Risk Control Framework that speak to your risk appetite and align where possible to strategic objectives.
- Prioritize dataflows: based on both the defined risk appetite of the organization and the established risk(s) per dataflow, it will be established on which dataflows the PIAs will be performed and the order in which they will be carried out. The PIAs for the dataflows whose risks would impact the organization most, given its risk appetite, will be performed first.
- Perform PIA: EY has developed an in-depth Excel based questionnaire to gather the insights necessary to assess the impact of the dataflows on the natural persons involved. This questionnaire covers most subjects of the GDPR (more comprehensive than the risk assessment) and contains guidelines and primarily closed-ended questions (yes/no, multiple choice, rating scale, etc.), making the PIA user-friendly for the business. If so desired, the PIA questionnaire can be modified or integrated with existing risk assessments (e.g. BIA or ISRA).
- Define actions: after performing the PIA, actions will be defined to mitigate the risks to the natural persons identified during the PIA. Subsequently, this list of actions will be divided based on the risk appetite of the organization, mitigating the highest risks first.
13 Lessons learned
Privacy governance
- Privacy is no longer exclusively situated within the legal realm but has evolved into a multi-disciplinary issue
- Organisations are struggling to establish a comprehensive model to lead privacy transformation
- A new, collaborative model is needed to unite the multiple dimensions of privacy within the organisation
Data flow mapping
- Many organisations are unaware of their data flows and have launched ambitious data flow mapping initiatives
- Data flow mapping exercises are all too often performed in a manner that is too detailed and resource consuming
- A more limited scope is sufficient to facilitate the creation of a privacy register
- Data discovery tooling can be used to further detect structured and unstructured data
Legacy
- Privacy impact assessments (PIA) need to be performed for the organisation's data flows and a risk-based approach should be adopted to focus on high impact data flows
- Through data flow mapping, non-compliances with the GDPR's requirements such as the right to be forgotten and data retention are identified
- A targeted approach allows for prioritisation of actions and the identification of those which can be pursued centrally to facilitate integration with the entire organisational data governance (including Privacy by Design)
14 Lessons learned
Rightful usage
- The concept of rightful usage (legitimate use or explicitly obtained consent) forms an integral part of the privacy impact assessment (PIA) related to the mapping and discovery of organisational data flows
- Organisations too often adopt an isolated approach focused on a singular data flow
- In contrast, an overarching approach forms a starting point for additional activities requiring the basis of legitimate use or consent, as it centralises the overview of rightful usage of data
Right to be forgotten
- The majority of applications are not currently supporting the key changes brought by the GDPR around the right to be forgotten, data portability and data retention
- In particular, many organisations struggle with supporting the right to be forgotten due to the complexity and wide distribution of data across different databases, backups etc.
Big data analytics
- The use of big data analytics has attracted widespread attention and has proven to provide added business value
- Challenges around privacy arise due to the lack of consent amongst data subjects
- In essence, these challenges are not new, and thus lend themselves to the established response of pseudonymisation or anonymisation of data to ensure the preservation of privacy, while still leveraging the strategic value of data
15 Impact on IT and Security 03
16 Impact IT and Security (1/2): an overview of impact and solutions
- Data Protection Policy and data classification
  - GDPR impact: Classify personal identifiable information (PII); Ensure necessary and proportionate use only; Enforce policies and standards
  - Solutions: Draft, review and update existing data protection policies and standards; Use specific tooling to classify your PII; Use specific tooling to enforce data protection policy and standards
- Privacy Risk and Controls
  - GDPR impact: Integrate privacy controls and assessment into the existing control framework and risk assessments; Perform risk assessments on processes and data flows (instead of systems/applications)
  - Solutions: Update existing risk framework and assessments; Integrate privacy controls in the existing tools and controls testing
- Data Lifecycle Management
  - GDPR impact: Define data flows; Document conditions for processing (i.e. legal ground, data minimization, information provision, purpose limitation); Implement and maintain a privacy register
  - Solutions: Integrate GDPR in data governance and management; Implement or enhance (existing) tooling to support data flow mapping and document data attributes; Implement a privacy register based on tooling
- Data subject rights
  - GDPR impact: Support rights of data subjects i.a. to access, modify and erase their PII, transfer PII to another organization (data portability) and object to the processing
  - Solutions: Implement procedure/functionality for data subjects to submit requests and provide transparency on data subjects' rights; Implement procedure to assess the requests of data subjects to exercise rights; Tooling for providing access on user request; Tooling for transferring data to another organization (data portability); Tooling for erasure by way of disposal, pseudonymization/anonymization
- Privacy by design and architecture
  - GDPR impact: Take into account data protection of PII in [existing design and build procedures]; Enhance existing security architecture to support privacy by design, including libraries of tools to support [design and build procedures]
  - Solutions: Implement procedure for assessing risk of data flows; Perform PIAs (privacy impact assessments) on new and current processes; Redesign design and build procedures by including data protection principles
17 Impact IT and Security (2/2): an overview of impact and solutions
- Data security
  - GDPR impact: Technical security measures to protect PII in line with policies and procedures; Implement encryption (at rest, in use, in motion); Align identity access management with appropriate use in line with GDPR
  - Solutions: Describe procedures in information security policy and standards on data protection and implement such procedures; Implement tooling to encrypt data on different technology layers, i.a. network, end-user, server, database, application, and unstructured documents; Update roles and authorizations in existing identity access management
- Data retention and disposal
  - GDPR impact: Identify retention periods for each category of PII; Dispose of or anonymize PII after the retention period
  - Solutions: Create a data retention and disposal policy; Describe the retention periods per record (using the mandatory privacy register); Implement the retention periods in applications or implement specific tooling in combination with an archiving system
- Monitoring
  - GDPR impact: Implement monitoring to ensure that PII is used in line with policies, standards and GDPR; Detect deviations, i.a. unauthorized disclosures
  - Solutions: Implement data discovery tooling to ensure that all data is recorded and accounted for as part of the privacy register; Use specific monitoring tooling to record deviations from policies, disclosures and data flows (privacy data analytics)
- Incident response and breach notification
  - GDPR impact: Include data breaches in existing incident response procedures; Mandatory notifications of data breaches to authority/data subjects
  - Solutions: Update existing incident procedure; Keep an internal register of data breaches; Implement or update procedure and tooling for assessing data breaches and notifying the authority/data subjects
- Vendor management
  - GDPR impact: Having an up-to-date overview of all vendors that process PII; Ensure vendors only process PII in line with policies, standards and GDPR (e.g. monitoring vendors and performing audits)
  - Solutions: Implement a vendor management framework, including controls vendors should comply with; Implement procedures and tooling for monitoring vendors; Bind vendors to data protection principles by concluding a processing agreement
- Data analytics and profiling
  - GDPR impact: Ensure profiling/analytics is performed in line with strict conditions; Data subjects' right to object to profiling/analytics
  - Solutions: Implement procedures to ensure conditions for profiling/analytics are met, including alternatives (pseudonymization/anonymization); Implement functionality to exclude individuals from profiling/analytics
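Slide 14 names pseudonymisation or anonymisation as the established response when analytics has no consent basis, and slide 17 asks for retention periods to be implemented in applications and for erasure tooling to honour data subject rights. The Python below is an added example, not EY's tooling and not code from this deck: it replaces the direct identifier with an HMAC token under a key held apart from the dataset, drops records whose category-specific retention period has lapsed, and erases one subject's records by matching on the pseudonym. The record layout, the retention table, the key and the sample records are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records (not real data). "email" is the direct identifier
# that must not travel into the analytics copy; "category" decides retention.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "category": "marketing",    "last_activity": date(2017, 1, 10), "amount": 12.50},
    {"email": "alice@example.com", "category": "transactions", "last_activity": date(2015, 3, 1),  "amount": 99.00},
    {"email": "bob@example.com",   "category": "marketing",    "last_activity": date(2018, 2, 1),  "amount": 3.20},
    {"email": "carol@example.com", "category": "transactions", "last_activity": date(2010, 1, 1),  "amount": 41.00},
]

# Constructed retention table. In a real deployment these periods come from the
# privacy register, per category of PII, as the slide describes.
RETENTION_DAYS = {"marketing": 365, "transactions": 7 * 365}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Map a direct identifier to a stable token with HMAC-SHA256.

    The same identifier always yields the same token under the same key, so a
    subject's records can still be joined. Without the key, the token cannot be
    recovered by hashing candidate identifiers, which a plain unkeyed hash of an
    email address would allow.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Produce the analytics copy: the email is replaced by its token and is not stored here."""
    return [
        {
            "subject": pseudonymise(r["email"], key),
            "category": r["category"],
            "last_activity": r["last_activity"],
            "amount": r["amount"],
        }
        for r in records
    ]


def is_expired(record: dict, today: date) -> bool:
    """True when the record is older than the retention period of its category."""
    limit = timedelta(days=RETENTION_DAYS[record["category"]])
    return today - record["last_activity"] > limit


def apply_retention(records: list[dict], today: date) -> tuple[list[dict], list[dict]]:
    """Split records into those to keep and those to dispose of; returns (kept, disposed)."""
    kept = [r for r in records if not is_expired(r, today)]
    disposed = [r for r in records if is_expired(r, today)]
    return kept, disposed


def erase_subject(records: list[dict], email: str, key: bytes) -> list[dict]:
    """Right to be forgotten: drop every record of one subject.

    The request arrives with the raw email; it is tokenised with the same key so
    the match happens on the pseudonym and the email never has to sit next to
    the analytics data.
    """
    token = pseudonymise(email, key)
    return [r for r in records if r["subject"] != token]


def run_demo(today: date = date(2018, 5, 25)) -> dict:
    """Run the whole pipeline on the constructed records and return counts for inspection."""
    key = b"constructed-demo-key-keep-in-a-secrets-store"  # placeholder, not a real secret
    analytics = pseudonymise_records(SAMPLE_RECORDS, key)
    kept, disposed = apply_retention(analytics, today)
    after_erasure = erase_subject(kept, "alice@example.com", key)
    return {
        "pseudonymised": len(analytics),
        "kept": len(kept),
        "disposed": len(disposed),
        "after_erasure": len(after_erasure),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to real systems: the HMAC key is the re-identification route, so it belongs in a secrets store with its own access control and retention, and pseudonymised records remain personal data under the GDPR as long as that key (or any other linking data) exists; only disposal or genuine anonymisation removes them from scope.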
18 Role of the DPO 04
19 Roles and responsibilities
20 Credentials 05
21 Credentials (1/2)
- Large credit services company (credit service company): We performed an audit on the internal controls of the client and assessed whether they comply with the Dutch privacy laws. Our opinion was based on a public framework and resulted in a report comparable to ISAE.
- Privacy and compliance assessment (international information provider): We identified non-compliance gaps and improvement opportunities for our client. We created a high level roadmap that illustrates the activities which should be performed to comply with the GDPR.
- Privacy and compliance scan (insurance company): We performed a privacy compliance scan to identify gaps based on the Dutch Data Protection Act and the GDPR.
- GDPR assessment & data flow mapping (financial institution, UK): We performed a GDPR assessment, including a gap analysis of various business units (BUs) and systems.
- World's largest search engine: We advised on the data retention periods, under UK financial services regulatory regimes, for the world's largest search engine operator, which also owns and operates a UK payment services and e-wallet provider.
- EY Data Privacy Workshops performed at multiple financial services organisations: We provided a workshop to create awareness within the company of the client. By using cases, simulations and interactive break-out sessions, we assessed privacy from different angles to allow the client to understand the impact of privacy on its organization. We performed workshops to raise awareness and knowledge and drafted a roadmap to implement the necessary actions identified during the assessments and workshops.
22 Credentials (2/2)
- US based IT provider: We advised a US-based IT provider which specializes in providing IT back office support to banks on the interaction between regulatory retention periods, AML and data protection laws.
- Global oil & gas company: We provided support to the global privacy officer and global internal audit department, as a subject-matter expert regarding implementation of and compliance with the global privacy policy.
- Privacy gap assessment and implementation (large pension fund): For our client, we established risk management, compliance management and a function & governance structure. In addition, we carried out risk identification & assessment, drafted policies (privacy policy, IT policy), assisted in developing risk mitigation strategies, designed reporting templates and raised awareness within the company through workshops.
- Large bank based in the UK: Recently, we drafted the data retention policy for a large UK based challenger bank, which included the time periods for which different classes of data should be retained, methods for storing data and guidance on whether data should be erased or archived.
23 Contact us 06
24 More information and contacts
EMEIA contacts
- Tony de Bos, Data Protection and Privacy leader EMEIA, Executive Director Financial Services Advisory NL
- Saskia Vermeer de Jongh, Senior manager and Attorney IP/IT and Privacy, saskia.de.jongh@hvglaw.nl
- Bernadette Wesdorp, Senior Advisor Data Privacy and Data Protection, bernadette.wesdorp@nl.ey.com
- Wout Olieslagers, Consultant and Attorney IP/IT and Privacy, wout.olieslagers@hvglaw.nl
Privacy offerings
- Privacy workshop
- GDPR key changes
25 EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com
EYGM Limited. All Rights Reserved.
In line with EY's commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com
More informationKnowing and Implementing the GDPR Part 3
Knowing and Implementing the GDPR Part 3 11 a.m. ET, 16:00 GMT March 29, 2017 Welcome & Introductions Panelists Your Host Dave Cohen IAPP Knowledge Manager Omer Tene Vice President Research & Education
More informationGDPR: An Opportunity to Transform Your Security Operations
GDPR: An Opportunity to Transform Your Security Operations McAfee SIEM solutions improve breach detection and response Is your security operations GDPR ready? General Data Protection Regulation (GDPR)
More informationThe Role of the Data Protection Officer
The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC consultant Infrastructure services
More informationRegulating Cyber: the UK s plans for the NIS Directive
Regulating Cyber: the UK s plans for the NIS Directive September 2017 If you are a digital service provider or operate an essential service then new security and breach notification obligations may soon
More informationISACA Cincinnati Chapter March Meeting
ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview
More informationEU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit
EU GDPR & https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit Note: The documentation should preferably be implemented in the order in which it is listed here. The order
More informationPS Mailing Services Ltd Data Protection Policy May 2018
PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect
More informationGeneral Data Protection Regulation (GDPR) NEW RULES
General Data Protection Regulation (GDPR) NEW RULES AGENDA A. GDPR : general overview B. Sectorial topics and concerns GDPR GENERAL OVERVIEW 1. GDPR : WHAT IS IT AND WHY CARE? 27 April 2016 : Approval
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationDATA PROTECTION POLICY THE HOLST GROUP
DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller
More informationData Protection Policy
Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...
More informationChanging times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon
Changing times in Swiss Data Privacy: new opportunities? Clara-Ann Gordon Which countries have Data Protection Laws? Source: https://www.taylorwessing.com/globaldatahub/risk_map.html Page 2 Different Data
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationGDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018
GDPR How to Comply in an HPE NonStop Environment Steve Tcherchian GTUG Mai 2018 Agenda About XYPRO What is GDPR Data Definitions Addressing GDPR Compliance on the HPE NonStop Slide 2 About XYPRO Inc. Magazine
More informationEU data security and privacy trends
EU data security and privacy trends Top issues for HR and global mobility 26 29 October 2014 Disclaimer EY refers to the global organization, and may refer to one or more, of the member firms of Ernst
More informationMotorola Mobility Binding Corporate Rules (BCRs)
Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,
More informationGENERAL DATA PROTECTION REGULATION (GDPR)
GENERAL DATA PROTECTION REGULATION (GDPR) Date: 01/02/17 Vendor Assessment Contents Introduction 2 Transparency 2 Collection and Purpose Limitation 4 Quality 4 Privacy Program Management 5 Security for
More informationWHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report
KuppingerCole Report WHITE PAPER by Mike Small December 2017 GDPR introduces stringent controls over the processing of PII relating to people resident in the EU with high penalties for non-compliance.
More informationThe GDPR and NIS Directive: Risk-based security measures and incident notification requirements
The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant
More informationUSER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.
These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection
More informationG DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know
G DATA Whitepaper The new EU General Data Protection Regulation - What businesses need to know G DATA Software AG September 2017 Introduction Guaranteeing the privacy of personal data requires more than
More informationAccelerate GDPR compliance with the Microsoft Cloud
Regional Forum on Cybersecurity in the Era of Emerging Technologies & the Second Meeting of the Successful Administrative Practices -2017 Cairo, Egypt 28-29 November 2017 Accelerate GDPR compliance with
More informationPrivacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016
Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016 Pēteris Zilgalvis, J.D., Head of Unit for Health and Well-Being, DG CONNECT Table of Contents 1. Context
More informationIslam21c.com Data Protection and Privacy Policy
Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach
More informationCreative Funding Solutions Limited Data Protection Policy
Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments
More informationForensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services
Forensic Technology & Discovery Services Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services Forensic Technology & Discovery Services EY s Forensic
More informationMartijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain
Merritt Maxim Principal Analyst Forrester Martijn Loderus Director & Global Practice Partner for Advisory Consulting Janrain Merritt and Martijn will share insights on Digital Transformation & Drivers
More informationElement Finance Solutions Ltd Data Protection Policy
Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments
More informationIncentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO
White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating
More informationData Sheet The PCI DSS
Data Sheet The PCI DSS Protect profits by managing payment card risk IT Governance is uniquely qualified to provide Payment Card Industry (PCI) services. Our leadership in cyber security and technical
More informationGeneral Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant
General Data Protection Regulation April 3, 2018 Sarah Ackerman, Managing Director Ross Patz, Consultant Introductions Sarah Ackerman, CISSP, CISA Managing Director, Cincinnati Responsible for overall
More informationENISA s Position on the NIS Directive
ENISA s Position on the NIS Directive 1 Introduction This note briefly summarises ENISA s position on the NIS Directive. It provides the background to the Directive, explains its significance, provides
More informationIMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates
IMPACT OF INTERNATIONAL PRIVACY REGULATIONS Michelle Caswell, Coalfire Julia Jacobson, K&L Gates Introduction to International Privacy Law General Data Protection Regulation 2 2018 HITRUST Alliance What
More informationGDPR Compliance. Clauses
1 Clauses GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It became enforceable from May 25 2018. The
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationGDPR is here to stay. How prepared are you?
GDPR is here to stay. How prepared are you? KEY TENETS What & Why GDPR? A BRIEF General Data Protection Regulation (GDPR) is the European Union s new law for individuals data privacy & protection that
More informationAll you need to know and do to comply with the EU General Data Protection Regulation
All you need to know and do to comply with the EU General Data Protection Regulation Table of contents Introduction... 3 Challenges, requirements, and action plans GDPR is borderless... Broadened personal
More informationIntroductory guide to data sharing. lewissilkin.com
Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external
More informationSOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE
HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling
More informationSword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017
Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World September 20, 2017 The information and opinions expressed by our panelists today are their own, and do not necessarily represent the views of
More informationA Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud
A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,
More informationTHE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon
THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES Forum financier du Brabant wallon 14.12.2017 Data Protection should be part of every company s or organisation s DNA Do you process
More informationImplementing the new GDPR: what does it mean for Universities?
Implementing the new GDPR: what does it mean for Universities? Case study Alumni Portal Cosimo Monda Director - European Centre on Privacy and Cybersecurity Maastricht University Twitter: @ecpcmaastricht
More informationIT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE
TRANSFORM SECURITY DATA PROTECTION SOLUTION OVERVIEW IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE Introduction This Solution Overview is intended for IT personnel interested in the VMware perspective
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified Data Protection Officer The objective of the PECB Certified Data Protection Officer examination is to ensure that the candidate has acquired the knowledge and skills
More informationHIPAA Privacy, Security and Breach Notification
HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance
More informationGDPR Privacy Webinar. Prioritizing Your Path towards GDPR Compliance Annika Sponselee and Nicole Vreeman 28 February 2018
GDPR Privacy Webinar Prioritizing Your Path towards GDPR Compliance Annika Sponselee and Nicole Vreeman 28 February 2018 Prioritizing Your Path to GDPR Compliance Presented by Half-Day Workshops Online
More informationA SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional
More informationGDPR COMPLIANCE REPORT
2018 GDPR COMPLIANCE REPORT INTRODUCTION Effective as of May 25, 2018, the European Union General Data Protection Regulation (GDPR) represents the most sweeping change in data privacy regulation in decades.
More informationRobert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe
Respecting Privacy, Securing Data and Enabling Trust a view from Europe Robert Bond, Partner & Notary Public Robert Bond Robert Bond has nearly 40 years' experience in advising national and international
More informationEY Norwegian Cloud Maturity Survey Current and planned adoption of cloud services
EY Norwegian Cloud Maturity Survey 2019 Current and planned adoption of cloud services Contents 01 Cloud maturity 4 02 Drivers and challenges 6 03 Current usage 10 04 Future plans 16 05 About the survey
More informationEU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.
EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations For private circulation only Cyber Risk Preface Does the EU GDPR impact organisations in India? Yes! This
More informationGDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10
GDPR AMC SAAS AND HOSTED MODULES UK version AMC Consult A/S June 26, 2018 Version 1.10 INDEX 1 Signatures...3 2 General...4 3 Definitions...5 4 Scoping...6 4.1 In scope...6 5 Responsibilities of the data
More informationTHE NEW EU DATA PROTECTION REGULATION: WHAT IS IT AND WHAT DO WE NEED TO DO? KALLIOPI SPYRIDAKI CHIEF PRIVACY STRATEGIST, EUROPE
THE NEW EU DATA PROTECTION REGULATION: WHAT IS IT AND WHAT DO WE NEED TO DO? KALLIOPI SPYRIDAKI CHIEF PRIVACY STRATEGIST, EUROPE EU DATA PROTECTION REGULATION Kalliopi Spyridaki Chief Privacy Strategist,
More informationDirective on security of network and information systems (NIS): State of Play
Directive on security of network and information systems (NIS): State of Play Svetlana Schuster Unit H1 Cybersecurity and Digital Privacy DG Communications Networks, Content and Technology, European Commission
More informationGeneral Data Protection Regulation Frequently Asked Questions (FAQ) General Questions
General Data Protection Regulation Frequently Asked Questions (FAQ) This document addresses some of the frequently asked questions regarding the General Data Protection Regulation (GDPR), which goes into
More informationAn Overview of ISO/IEC family of Information Security Management System Standards
What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information
More informationThe Simple Guide to GDPR Data Protection: Considerations for and File Sharing
The Simple Guide to GDPR Data Protection: Considerations for Email and File Sharing The European Union s General Data Protection Regulation (GDPR) Uncovering Key Requirements and Methods for Compliance
More informationfalanx Cyber ISO 27001: How and why your organisation should get certified
falanx Cyber ISO 27001: How and why your organisation should get certified Contents What is ISO 27001? 3 What does it cover? 3 Why should your organisation get certified? 4 Cost-effective security management
More informationenter into application on 25 May 2018
General Data Protection Regulation What is GDPR? Is GDPR applicable for you? Which actions are required from you (and us)? Which rights do your clients have and which services can KBC Securities s provide
More informationGDPR - Are you ready?
GDPR - Are you ready? Anne-Marie Bohan and Michael Finn 24 March 2018 Matheson Ranked Ireland s Most Innovative Law Firm Financial Times 2017 International Firm in the Americas International Tax Review
More information