EU General Data Protection Regulation (GDPR)


EU General Data Protection Regulation (GDPR): An inspirational Overview
Sven-Erik Vestergaard, Security Architect, IBM Security, svest@dk.ibm.com
September 29, 2015

Legal notices and disclaimers

Copyright 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.

All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at www.ibm.com/legal/copytrade.shtml (Copyright and trademark information).

Data Protection: Council agrees on a general approach

A Regulation is a binding legal act that is applicable in its entirety across the EU. On 15 June 2015, the Council reached a general approach on the general data protection regulation that establishes rules adapted to the digital era. The twin aims of this regulation are to enhance the level of personal data protection for individuals and to increase business opportunities in the Digital Single Market.

Source: http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection

How does the data protection reform strengthen citizens' rights?

In the 17 years since the current data protection rules were adopted, new ways of communicating such as online social networks have profoundly changed the way people share personal information, while cloud computing means that more data is stored on remote servers instead of personal computers. 250 million people now use the internet daily in Europe. In this fast-changing environment, individuals must retain effective control over their personal data. This is a fundamental right for everyone in the EU and must be safeguarded.

Source: http://ec.europa.eu/justice/data-protection

Key facts

- For 63% of Europeans, disclosing personal information is a big issue.
- 70% are concerned that companies may use the information for a different purpose than the one they collected it for.
- Only 26% of social media users and 18% of online shoppers feel in complete control of the information disclosed.
- 90% of Europeans think it is important to have the same rights and protection in all EU countries.

Source: http://www.consilium.europa.eu

What is the Commission proposing?

The new rules will ensure that you receive clear and understandable information when your personal data is processed. Whenever your consent is required, it will have to be given explicitly before a company can process your personal data. The European Commission will also strengthen individuals' right to be forgotten, which means that if you no longer want your data to be processed, and there is no legitimate reason for a company to keep it, the data shall be deleted.

Source: http://ec.europa.eu/justice/data-protection

Terms you need to know

Binding corporate rules (BCR): Codes of practice based on European data protection standards, approved by at least one Data Protection Authority, which multinational organisations draw up and follow voluntarily to ensure adequate safeguards for transfers or categories of transfers of personal data between companies that are part of the same corporate group and that are bound by these corporate rules.

Controller or Data controller: Natural or legal person, public authority, organisation, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Protection Authority (DPA): National supervisory authority, acting with complete independence, responsible for monitoring the application of data protection rules at national level (e.g. handling complaints from individuals, carrying out investigations and inspections of data controllers' activities, engaging in legal proceedings against violations of data protection rules).

Source: http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_72_en.pdf

Terms you need to know (continued)

Data Protection Impact Assessment (DPIA): A process whereby a conscious and systematic effort is made to assess privacy risks to individuals in the collection, use and disclosure of their personal data. DPIAs help identify privacy risks, foresee problems and bring forward solutions.

Data Protection Officer (DPO): A person responsible within a data controller or a data processor to supervise and monitor in an independent manner the internal application and the respect of data protection rules. The DPO can be either an internal employee or an external consultant.

Data subject: An identified or identifiable person to whom the "personal data" relate.

Source: http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_72_en.pdf

Extracts of GDPR in Bullet Form (1)

- Under the directive, any data by which an individual can be identified was the sole responsibility of the data controller, i.e. the owner of this data. Under the new regulations, however, any company or individual that processes this data will also be held responsible for its protection, including third parties such as cloud providers.
- The right to be forgotten will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
- Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
- When it comes to profiling, data subjects have the right to object to any data profiling.
- Easier access to one's own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
- Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24/72 hours.
- A single set of rules on data protection, valid across the EU.

Source: http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/1_en.pdf

Extracts of GDPR in Bullet Form (2)

- Companies will only have to deal with a single national data protection authority in the EU country where they have their main establishment.
- Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
- EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.
- Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.
- National data protection authorities will be strengthened so they can better enforce the EU rules at home.
- Non-compliance could lead to regular and periodic audits and/or a fine of 2% - 5% of annual worldwide turnover, whichever is greater.

Source: http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/1_en.pdf

How to start: Do not panic! But get executive sponsorship.

A good way to start is with a self-assessment or maturity project:
- How do you collect personal data?
- In what context do you use the data, and how do you store it?
- Who owns the personal data in your organization? It might be several departments.
- Do you ever clean up personal data?
- Is there any gap between the written processes and the actual daily operation when it comes to personal data?
- Use the Danish Data Protection law as a starting point and/or ISO 2700X.

Prepare for the worst:
- Appoint a Data Protection Officer (DPO) if needed, or for smaller businesses a person with equal responsibilities.
- Have a plan for when breaches happen. Who should be informed, internally and externally? Who should be in the response team?
- Have a clear definition of responsibilities for each individual in the response team.
- Have a plan for when a Data Protection Impact Assessment (DPIA) hits you.

How can IBM Help?

IBM Data Privacy Services helps provide sustainable solutions using these 4 key components of data privacy:
- IBM's Research
- IBM's Privacy Patents
- IBM's Privacy and Security experience
- IBM's Total Privacy Management (TPM) Framework

IBM has been working on data privacy issues since 2001 and has applied for numerous data privacy patents since, proving its position as a thought leader. Examples of selected IBM privacy patents which reflect our position as a privacy thought leader:

- 2006-06-27, U.S. Patent 7069427: Using a rules model to improve handling of personally identifiable information. This helps companies track client personally identifiable information in their systems by using a defined rules set.
- 2009-10-13, U.S. Patent 7603317: Using a privacy agreement framework to improve handling of personally identifiable information. The invention illustrates how to identify opportunities to reduce privacy-related risks.
- 2011-02-15, U.S. Patent 7890530: Method and system controlling access to data via a data-centric security model. A method for controlling access to data through a data-focused security model.
- 2011-06-14, U.S. Patent 7962962: Using an object model to improve handling of personally identifiable information. By using privacy objects (such as data subject and data user) companies can track their privacy actions in their systems.
- 2012-03-20, U.S. Patent 8140531: Process and method for classifying structured data. A system and method for classifying structured data by automatically suggesting classification labels.
- 2014-04-08, U.S. Patent 8,695,101: Data privacy engine. How to translate different jurisdictional privacy regulations into rules that IT and Compliance professionals can understand when dealing with cross-border data flows.

IBM's Privacy and Security experience allows us to implement more holistic solutions for our clients

IBM is Most Trusted for Privacy: For several years IBM has been recognized as the Most Trusted for Privacy in the technology industry in North America. IBM's record in data protection and privacy is exemplary, stretching back over five decades to when IBM was one of the first companies in the world to adopt a global privacy code.

Privacy Vision: IBM works closely with regulators and standards bodies to develop privacy controls. IBM holds multiple patents in the area of privacy innovation. IBM's patented Privacy Architecture: IBM has developed a robust privacy architecture which helps organizations understand the data uses in their environment. This was developed in 2002 and has been consistently enhanced and refined since that time.

Extensive Expertise: In 2000, IBM hired one of the first Chief Privacy Officers in the US. We have been addressing global privacy issues for over 15 years and have more than 1200 dedicated risk professionals, over 30 dedicated professionals who address privacy issues (including a past Chief Privacy Officer from a Fortune 500 company), and over 400 consultants who have worked on privacy projects.

IBM's expertise across Security Services and Security Products (One Security): IBM's wide range of security products; the consulting teams' ability to help provide an integrated, holistic solution; recognized as a leader by multiple secondary sources such as Gartner and Forrester; IBM has 75+ CIPP certified consultants.

Sophisticated attacks require sophisticated defense, but ultimately, sensitive data should be protected with a layered approach.

[Diagram: layered defense from the internet to the intranet. Actors: users, customers, business partners, employees, contractors, and hackers (rogue sources). Web servers, with QRadar and IDS/IPS security in front: DoS, anti-spoofing, port scanning, known web server vulnerabilities, pattern-based attacks. App server in the DMZ, behind the auth server: cross-site scripting, parameter tampering, cookie poisoning. Data servers holding sensitive data on the intranet, protected by Guardium: unauthorized access, suspicious activity, SQL injection, and privileged users (DBAs, developers).]

Organizations are moving towards virtualization & cloud computing: build data protection in from the start.

IBM InfoSphere Guardium can help with:
- Automatic discovery and classification of cloud data
- Virtualized security
- Database activity monitoring, database vulnerability assessments, data redaction and data encryption
- Static and dynamic data masking to ensure a least-privileged access model to cloud resources
- Automated compliance reports customized for different regulations to demonstrate compliance in the cloud

InfoSphere Data Security and Privacy Solutions: comprehensive data protection for cloud, virtual & physical infrastructures

1. Discover the location of sensitive data (InfoSphere Discovery & InfoSphere Guardium): automating the detection of sensitive data and enterprise data relationships. Strengths: discover hidden data relationships to define business groupings of data; automate detection of sensitive data; reverse engineer transformation logic and prototype data consolidation rules.

2. Mask data in non-production environments (InfoSphere Optim Data Masking): protect sensitive structured data in non-production environments (for dev, testing, offshore dev). Strengths: best practice for protecting sensitive data and supporting the testing process; mask information in one or many places using realistic values; reduce impact of internal and external data breaches.

3. Monitor databases, assess vulnerabilities, dynamic masking (InfoSphere Guardium DAM & VA Solution): provide essential safeguards to protect high-value databases across heterogeneous environments. Strengths: continuous, real-time database access and activity monitoring; policy-based controls to detect unauthorized or suspicious activity; vulnerability assessment, change auditing & blocking; satisfy compliance and regulatory mandates.

4. Encrypt files in database environments (InfoSphere Guardium Encryption Expert): high-performance data encryption. Strengths: encrypt files with no application, database or network impact; separation of duties for role efficiency (DBA vs IT Security); unified policy and key management for central administration.

5. Redact unstructured data in documents (InfoSphere Guardium Data Redaction): protect standalone or embedded unstructured sensitive data in forms and documents. Strengths: support redaction of textual, graphical, and form-based data; increase efficiency via automation and reduce cost of manual redaction; control the data viewed by each user with policy rules.

Guardium database security: comprehensive data protection for virtual and cloud infrastructures

[Diagram: end users access applications on application servers and virtual servers; DBAs administer databases; a security administrator manages security policies. Guardium capabilities shown between the users and the databases and file repository: Database Activity Monitor, Database Vulnerability Assessment, Data Encryption, Data Redaction, Dynamic Data Masking.]

Test Data Management and Masking Solutions: automate creation of right-size test data in a private cloud

[Diagram: a production database (PeopleSoft or any DB) on a virtual server is subset and masked into Test and Dev copies; Subset/Compare steps refresh test data for the tester (functional & performance testing) and the developer (unit testing).]

IBM QRadar Security Intelligence Platform: providing actionable intelligence
- INTELLIGENT: correlation, analysis and massive data reduction
- AUTOMATED: driving simplicity and accelerating time-to-value
- INTEGRATED: unified architecture delivered in a single console

INTELLIGENT: Embedded intelligence offers automated offense identification

Data sources: security devices; servers and mainframes; network and virtual activity; data activity; application activity; configuration information; vulnerabilities and threats; users and identities; global threat intelligence.

Embedded intelligence (automated offense identification):
- Unlimited data collection, storage and analysis
- Built-in data classification
- Automatic asset, service and user discovery and profiling
- Real-time correlation and threat intelligence
- Activity baselining and anomaly detection
- Detects incidents out of the box

Output: prioritized incidents and suspected incidents.

Expanding audit information collection for QRadar SIEM

Challenge: integrate database and data source audit information with SIEM forensics. Formatting information from heterogeneous data sources is tedious and requires expertise.

Solution: leverage Guardium's unintrusive audit log collection for several data sources to feed QRadar with normalized audit logs.
- Guardium side: send custom reports via syslog to QRadar SIEM with extra data to match the SIEM format. Custom audit reports have richer context than native audit logs.
- QRadar SIEM side: ensure the correct format is mapped through a template.

[Diagram: audit logs from file shares, big data, data warehouses, databases and other sources are collected by Guardium, which sends normalized, enriched audit reports to QRadar via syslog.]
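The pipeline on this slide (source-specific audit fields arriving over syslog, a per-source template mapping them onto one normalized schema, then alerting on the normalized stream), as an added Python example that is not from the IBM deck or either product: the syslog lines, field names and templates are constructed stand-ins, not Guardium's real export format or QRadar's real parsing rules, and the two detection rules are illustrative.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Per-source templates: raw field name -> normalized field name. The raw names
# are invented for this example and are NOT Guardium's real export fields.
TEMPLATES: Dict[str, Dict[str, str]] = {
    "guardium_db": {
        "serverHost": "host", "dbUser": "user", "sourceIP": "src_ip",
        "sqlVerb": "action", "objName": "obj", "sensitive": "sensitive",
    },
    "guardium_files": {
        "fileServer": "host", "osUser": "user", "clientIp": "src_ip",
        "op": "action", "path": "obj", "classified": "sensitive",
    },
}
REQUIRED = ("host", "user", "action", "obj")

# Simplified syslog header: <PRI>TIMESTAMP COLLECTOR APP: key=value body
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\S+) (\S+) ([^:\s]+): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    host: str
    source: str
    user: str
    src_ip: str
    action: str
    obj: str
    sensitive: bool


def parse_kv(body: str) -> Dict[str, str]:
    """Split 'k=v k2="quoted v"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def normalise(line: str) -> Optional[AuditEvent]:
    """Map one syslog line onto the common schema, or None if it cannot be.

    A bad header, an unknown source tag or a missing required field drops the
    line instead of guessing: a record the template cannot explain must never
    be silently turned into something that looks benign.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    _pri, ts, _collector, _app, body = m.groups()
    raw = parse_kv(body)
    template = TEMPLATES.get(raw.get("src", ""))
    if template is None:
        return None
    norm = {template[k]: v for k, v in raw.items() if k in template}
    if any(field not in norm for field in REQUIRED):
        return None
    return AuditEvent(
        ts=ts, host=norm["host"], source=raw["src"], user=norm["user"],
        src_ip=norm.get("src_ip", ""), action=norm["action"].upper(),
        obj=norm["obj"], sensitive=norm.get("sensitive", "").lower() == "true",
    )


def normalise_all(lines: List[str]) -> List[AuditEvent]:
    """Normalize a batch, skipping lines that do not map onto the schema."""
    return [e for e in (normalise(ln) for ln in lines) if e is not None]


def detect(events: List[AuditEvent], allowed: Dict[str, Set[str]],
           bulk_threshold: int = 3) -> List[dict]:
    """Two illustrative rules over the normalized stream.

    unexpected_sensitive_access: a user reads a sensitive object on a host
        where that user is not allow-listed (e.g. a DBA reading the customer
        tables the application account is meant to own).
    bulk_sensitive_access: one user touches >= bulk_threshold distinct
        sensitive objects on one host (a crude exfiltration indicator).
    """
    alerts: List[dict] = []
    touched: Dict[tuple, Set[str]] = defaultdict(set)
    for e in events:
        if not e.sensitive:
            continue
        if e.user not in allowed.get(e.host, set()):
            alerts.append({"rule": "unexpected_sensitive_access", "ts": e.ts,
                           "host": e.host, "user": e.user, "obj": e.obj})
        touched[(e.host, e.user)].add(e.obj)
    for (host, user), objs in touched.items():
        if len(objs) >= bulk_threshold:
            alerts.append({"rule": "bulk_sensitive_access", "host": host,
                           "user": user, "objects": sorted(objs)})
    return alerts


# Constructed sample feed: two source types, one non-syslog line and one line
# with an unknown source tag. Hosts, users and IPs are invented.
_H = "<134>2015-09-29T09:0{}Z gdm01 guardium: src=guardium_db serverHost=db-prod-1 "
SAMPLE_LINES = [
    _H.format("0:01") + "dbUser=app_svc sourceIP=10.0.1.20 sqlVerb=SELECT objName=CUSTOMERS sensitive=true",
    _H.format("0:07") + "dbUser=dba_joe sourceIP=10.0.9.5 sqlVerb=SELECT objName=CUSTOMERS sensitive=true",
    _H.format("0:09") + "dbUser=dba_joe sourceIP=10.0.9.5 sqlVerb=SELECT objName=CARD_TOKENS sensitive=true",
    _H.format("0:12") + "dbUser=dba_joe sourceIP=10.0.9.5 sqlVerb=SELECT objName=EMPLOYEES sensitive=true",
    "<134>2015-09-29T09:01:00Z gdm01 guardium: src=guardium_files fileServer=nas-1 "
    "osUser=alice clientIp=10.0.2.7 op=read path=/hr/payroll.xlsx classified=true",
    _H.format("1:30") + "dbUser=app_svc sourceIP=10.0.1.20 sqlVerb=SELECT objName=PRODUCTS sensitive=false",
    "this line is not syslog at all",
    "<134>2015-09-29T09:02:00Z gdm01 guardium: src=unknown_source a=b",
]
# Which accounts are expected to read sensitive data on each host (constructed).
ALLOWED_SENSITIVE: Dict[str, Set[str]] = {"db-prod-1": {"app_svc"}, "nas-1": {"hr_app"}}

if __name__ == "__main__":
    for alert in detect(normalise_all(SAMPLE_LINES), ALLOWED_SENSITIVE):
        print(alert)
```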

INTEGRATED: An integrated, unified architecture in a single web-based console
- Log Management
- Security Intelligence
- Network Activity Monitoring
- Risk Management
- Vulnerability Management
- Network Forensics

Guardium & QRadar Security Intelligence

QRadar target use cases:
- Complex threat detection
- Malicious activity identification
- User activity monitoring
- Compliance monitoring
- Fraud detection and data loss prevention
- Network and asset discovery

InfoSphere Guardium complementary capabilities:
- Alert on sensitive data access without affecting performance
- Identify DB infrastructure vulnerability level for asset classification
- Block and alert on suspicious data access
- Monitor all traffic to/from data repositories, including content and metadata
- Identify anomalous behavior from end-users, privileged users and system IDs
- Prevent malicious access to sensitive data
- Monitor privileged and regular end-user data access activity in real time
- Create policies that granularly restrict access
- Alert on suspicious behavior
- Centralized and normalized granular audit of all data activities without impact to resources
- Automation of the audit report review process
- Report templates for major regulations
- Direct visibility into data traffic (metadata and content)
- Policies for detection of fraudulent data access activity
- Blocking and quarantining of users with suspicious data access patterns
- Automatically discover all databases, sensitive data, and their entitlements
- Classify data for policy enforcement and alert on findings
- Identify vulnerability posture for database infrastructure

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Key Aspects of the Regulation

- The proposed legislation is a General Data Protection Regulation (GDPR). Unlike the existing 1995 Data Protection Directive (95/46/EC), the Regulation will create a unified data protection law for all 28 European countries.
- It will also have international reach, applying to organizations that handle personal data of any EU resident (data subjects).
- Formal approval and publication are expected by Spring 2016, with a two-year transitional period for compliance.
- The objectives of the GDPR are twofold: to enhance the level of personal data protection for EU residents, and to modernize the law in line with existing and emerging technologies (e.g. social networks and cloud computing) and to clarify responsibility for the handling and storage of data, making it easier for organizations to comply and avoid fines.
- Non-compliance could lead to regular and periodic audits and/or a fine of up to 100 million or 2% of annual worldwide turnover, whichever is greater.

The Regulation provides additional benefits and rights for data subjects

- Key definitions have been augmented to include online identifiers (e.g. IP addresses, cookies etc.) and new terms such as location data, biometric data and genetic data have been introduced.
- Higher standard for obtaining consent: from implied to express consent.
- Easier access to data: expands the set of information to be provided to individuals and removes the right for controllers to charge a fee for SARs.
- Erasure of data: data subjects have the right to request that all data held by controllers and processors be erased.
- Portability: controllers must enable the transfer of structured and/or raw data to another organisation through a commonly used electronic format if requested by the data subject.
- Profiling: data subjects have the right to object to any data profiling.

New and enhanced obligations on data controllers and processors have been imposed

- Controllers will be responsible for carrying out a Data Protection Impact Assessment (DPIA) and a risk analysis of the potential impact any intended processing could have on the rights or freedoms of data subjects.
- Implementation by controllers and processors of appropriate technical and organizational security measures, appropriate to the risks presented by the processing and the DPIA.
- Building a Data Protection by Design and Default process enabling the review of the entire lifecycle management of personal data, with particular focus on procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of data.
- Breach notification requirements in the event of a data incident.
- Increased rules on the transfer of data outside the EEA or to international organizations, including possible prior approval from the supervisory authority.