IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Introduction to International Privacy Law: General Data Protection Regulation (2018 HITRUST Alliance)

What is the General Data Protection Regulation (GDPR)?
- Intended to harmonize data protection laws among EU Member States, BUT Member States can still enact their own laws on certain data protection matters.
- Requires a culture of compliance: under the accountability principle the controller must be able to demonstrate that it complies, not merely assert it.
- Adopted on 27 April 2016; applies as of 25 May 2018.

What is the GDPR? (continued) It applies to any organization that:
- is established in the EU (for example, has employees or offices there),
- offers goods or services to individuals in the EU (even if no payment is required), or
- monitors the behavior of individuals in the EU.
It protects the personal data of data subjects who are in the EU; the test in Article 3 is presence in the EU, not citizenship or permanent residence.

What is the GDPR? (continued) Fines for non-compliance are hefty and come in two tiers (Article 83):
- up to the greater of 2% of annual global turnover or €10 million, or
- up to the greater of 4% of annual global turnover or €20 million.
Can EU regulators reach a US-based company with no operations in the EU? (Note that Article 27 requires such a company, if it is caught by Article 3(2), to designate a representative in the EU, which gives supervisory authorities a point of contact.)

GDPR Lingo
- Processing means "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
- Controller means the person or entity that determines the purposes and means of the processing of personal data.
- Processor means a person or entity that processes personal data on behalf of a controller.
- Personal data: see the definition on the next slide (Article 4(1)).

What are GDPR's Key Differences for US Companies? How "personal data" is defined
- US FTC: data "not yet linked to a particular consumer, computer, or device but that may reasonably become so" still counts as personal information.
- CCPA (California Consumer Privacy Act): information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
- State data breach laws: first name or first initial with last name PLUS SSN, driver's license or government ID number, bank account or credit/debit card number, or health insurance information. Some states add biometric data and health data.
- GDPR: personal data is any information "relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (Article 4(1)). This is the broadest of the four: an IP address or a cookie identifier is enough (Recital 30).

What are GDPR's Key Differences for US Companies? Obligations
- Requires a lawful basis for every processing of personal data (Article 6).
- Requires a Data Protection Impact Assessment (DPIA) for high-risk processing, e.g., when data is processed using new technology (Article 35).
- Requires dealing with a Lead Supervisory Authority for cross-border processing (Article 56), or appointing an EU Representative if the organization is outside the EU (Article 27).
- May require a Data Protection Officer (who has expert knowledge, reports directly to the highest management level and has no conflict of interest; Articles 37 to 39) and/or a Record of Processing Activities (Article 30).

What are GDPR's Key Differences for US Companies? New and enhanced rights of data subjects
- Right to Erasure (a.k.a. Right to be Forgotten, Article 17): the right to have personal data erased without undue delay if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful.
- Data Portability (Article 20): the right to receive personal data that is processed by automated means in a structured, commonly used and machine-readable format.
- Right of Access (Article 15): the right to know what personal data is processed and why.
- Right of Rectification (Article 16).
- Right to Restrict Processing (Article 18).
- Right to Object to Processing (Article 21).

What are GDPR's Key Differences for US Companies? Personal Data Breach
- Involve the legal team early to determine whether an incident is a "personal data breach" (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). If it is, immediately assess whether it must be notified to the supervisory authority (when it is likely to result in a "risk" to individuals; within 72 hours of the controller becoming aware of it, Article 33) and communicated to the affected individuals (when it is likely to result in a "high risk"; without undue delay, Article 34). The 72-hour clock starts at awareness, not at the time of the incident, so the intake and triage process must record when awareness occurred.
- If you are a processor, understand and operationalize the contractual notification obligations to the controller, and respond without undue delay (Article 33(2)).
- Be prepared for accountability: keep records of all personal data breaches, including those judged not to require notification, and be ready to justify the incident response to the supervisory authority (Article 33(5)).

Other EU Laws
- ePrivacy Directive (2002/58/EC, as amended in 2009; a replacement ePrivacy Regulation was under negotiation at the time, with adoption then expected in 2019). The 2009 amendment is the "Cookie Directive": it requires consent to store or access information (such as cookies) on a user's computer or other internet-connected device.
- UK Data Protection Act 2018: supplements the GDPR in the UK and is intended to keep the GDPR standard in place after Brexit (then expected in spring 2019).
- Germany's GDPR-implementing law (the new Federal Data Protection Act, BDSG).

Introduction to International Privacy Law: Other International Privacy Laws

Countries with Laws like the GDPR
- Countries with EU adequacy determinations (personal data may be transferred there from the EU without additional safeguards): Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the U.S. (limited to organizations certified under the Privacy Shield framework). Japan: adequacy just announced (2018).
- Brazil (NEW): the LGPD, signed in August 2018, applies to the personal data of Brazilians regardless of the location of the entity collecting the data.
- India (PROPOSED): the draft Personal Data Protection Bill, 2018.

AsiaPac Countries with Data Protection Laws (map slide; no text transcribed)

Introduction to International Privacy Law: Security and International Privacy Laws

GDPR's Security Requirements (Article 32)
"Appropriate technical and organisational measures to ensure a level of security appropriate to the risk" include:
- encryption of personal data,
- pseudonymisation,
- business continuity/disaster recovery (the ability to ensure ongoing confidentiality, integrity, availability and resilience, and to restore availability and access in a timely manner after an incident),
- regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures, and
- evaluating processors (a controller may only use processors that provide sufficient guarantees, Article 28).
Caveat: pseudonymised data is still personal data, because the additional information needed to re-identify the person exists somewhere; only truly anonymous data falls outside the GDPR (Recital 26).
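Pseudonymisation is the Article 32 measure that is most often done wrong: Article 4(5) defines it as processing after which data "can no longer be attributed to a specific data subject without the use of additional information" that is kept separately, which an unkeyed hash of an e-mail address does not achieve, since anyone can hash guesses and compare. The Python example below is added here and is not code from the deck or from HITRUST; it assumes a keyed HMAC-SHA256 construction, a randomly generated key, and a constructed set of customer records, all of which are illustrative. It shows that keyed pseudonyms keep records linkable for analytics, that re-identification needs the separately held key or lookup table, and that a plain SHA-256 of an identifier is reversible by dictionary attack.

```python
"""Pseudonymisation of direct identifiers as a GDPR Art. 32 measure.

Added example, not from the original deck. Assumes HMAC-SHA256 as the keyed
construction; the key and the records below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). "email" is the direct identifier.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "order_total": 120.50},
    {"email": "bob@example.com", "country": "FR", "order_total": 35.00},
    {"email": "Alice@Example.com", "country": "DE", "order_total": 18.99},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym (hex HMAC-SHA256) for one identifier.

    Deterministic for a given key, so the same person gets the same pseudonym
    across records and analytics still work; without the key the value is
    just an opaque token. Identifiers are normalised so case differences do
    not split one person into two pseudonyms.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier and return (pseudonymised rows, lookup table).

    The lookup table is the "additional information" of Art. 4(5): it must be
    stored separately from the rows, under its own access controls, together
    with the key. The rows alone are still personal data, but a compromise of
    the analytics store no longer exposes e-mail addresses.
    """
    lookup = {}
    rows = []
    for record in records:
        subject_id = pseudonymise(record["email"], key)
        lookup[subject_id] = record["email"].strip().lower()
        rows.append({
            "subject_id": subject_id,
            "country": record["country"],
            "order_total": record["order_total"],
        })
    return rows, lookup


def reidentify(subject_id: str, lookup: dict):
    """Re-identification is only possible with the separately held table."""
    return lookup.get(subject_id)


def unkeyed_hash(identifier: str) -> str:
    """The anti-pattern: a plain hash, no secret involved."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates):
    """Recover an identifier from an unkeyed hash by hashing guesses.

    Works against unkeyed_hash() output whenever the identifier space is
    guessable (e-mail addresses, phone numbers, national IDs); fails against
    a keyed pseudonym because the attacker cannot reproduce the HMAC.
    """
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_hash(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per deployment; store in a KMS/HSM
    rows, lookup = pseudonymise_records(RECORDS, key)
    for row in rows:
        print(row)
    print("lookup size:", len(lookup))
    # Plain hashing offers no protection against a guessable identifier space.
    leaked = unkeyed_hash("bob@example.com")
    print("unkeyed hash recovered:", dictionary_attack(leaked, [r["email"] for r in RECORDS]))
    print("keyed pseudonym recovered:", dictionary_attack(rows[1]["subject_id"], [r["email"] for r in RECORDS]))
```

Design note: the key is what turns the hash into a pseudonym, so it must live with the lookup table in a separate trust boundary (a KMS or HSM) and not next to the analytics data; rotating it invalidates every pseudonym, so plan the re-keying of the lookup table before doing so.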

Security Requirements in Other Countries
- Canada: PIPEDA Principle 4.7 requires that personal information be "protected by security safeguards appropriate to the sensitivity of the information"; Principle 4.7.1 requires the safeguards to protect personal information "against loss or theft, as well as unauthorized access, disclosure, copying, use or modification." A new mandatory data breach notification regime took effect on November 1, 2018.
- China: under the Personal Information Security Specification, a data controller must implement adequate technical and organizational measures to ensure data security (Section 4).
- Singapore: "An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks." (PDPA Section 24)

What are Reasonable Security Requirements? The HIPAA Security Rule's "flexibility of approach" is the closest US analogue to the GDPR's risk-based standard:
"(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information."
45 C.F.R. § 164.306(b)(1)-(2)

Cybersecurity Frameworks
- HITRUST CSF
- NIST (e.g., the Cybersecurity Framework and SP 800-53)
- ISO 27001/27002
- COBIT
- CIS Critical Security Controls

NIST Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37 Rev. 2; the deck cites the initial public draft). The steps are:
- Prepare (new in Rev. 2; overview on the next two slides)
- 1. Categorize
- 2. Select
- 3. Implement
- 4. Assess
- 5. Authorize
- 6. Monitor (overview provided after the Prepare slides)
https://csrc.nist.gov/csrc/media/publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf

Overview: Prepare step, organization-level tasks
- Risk Management Roles
- Risk Management Strategy
- Risk Assessment (Organization-Wide)
- Tailored Control Baselines and Profiles
- Common Control Identification

Overview: Prepare step, system-level tasks
- Mission or Business Focus
- Organizational Stakeholders
- Asset Identification
- Authorization Boundary
- Information Types
- Information Life Cycle
- Risk Assessment (System)
- Enterprise Architecture
- System Registry

Overview: Step 6, Monitor
- System and Environment Changes
- Ongoing Assessments
- Ongoing Risk Response
- Authorization Updates
- Security and Privacy Reporting
- Ongoing Authorization
- System Disposal

Security Simplified
- Involve the right team members.
- Know what data is flowing in and out of your organization.
- Maintain an inventory of your assets.
- Develop your organization's risk appetite.
- Understand your legal obligations.
- Perform non-technical and technical evaluations.
- Stay up to date on the latest technologies.
- Get involved in information security and privacy groups.

Visit www.hitrustalliance.net for more information To view our latest documents, visit the Content Spotlight 26 2018 HITRUST Alliance