GDPR: A QUICK OVERVIEW

Similar documents
Plan a Pragmatic Approach to the new EU Data Privacy Regulation

The GDPR Are you ready?

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) Key Facts & FAQ s

WEB ANALYTICS. An Overview

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

EY s data privacy service offering

EY s data privacy service offering. How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

EU General Data Protection Regulation (GDPR) Achieving compliance

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

General Data Protection Regulation (GDPR) The impact of doing business in Asia

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Accelerate GDPR compliance with the Microsoft Cloud

GDPR is coming in less than 2 months Are you ready?

The Role of the Data Protection Officer

GDPR - Are you ready?

GDPR: A technical perspective from Arkivum

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

EY s Data Privacy Services. January 2019

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

Islam21c.com Data Protection and Privacy Policy

GENERAL DATA PROTECTION REGULATION (GDPR)

BHConsulting. Your trusted cybersecurity partner

General Data Protection Regulation (GDPR) NEW RULES

Data Processing Clauses

NEWSFLASH GDPR N 8 - New Data Protection Obligations

General Data Protection Regulation (GDPR)

Cybersecurity Considerations for GDPR

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

THE NEW EU DATA PROTECTION REGULATION: WHAT IS IT AND WHAT DO WE NEED TO DO? KALLIOPI SPYRIDAKI CHIEF PRIVACY STRATEGIST, EUROPE

DATA PROTECTION LAWS OF THE WORLD. Bahrain

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Privacy Policy of

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

CEM Benchmarking Privacy Policy

EU data security and privacy trends

Big data privacy in Australia

Our Privacy Statement

Technical Requirements of the GDPR

SOC for cybersecurity

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

DATA PROCESSING TERMS

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

Data Protection and GDPR

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

PRIVACY POLICY. What personal data we collect and why we collect it IN ORDER TO: (Date of last update: 1 st January 2019)

MOBILE.NET PRIVACY POLICY

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Motorola Mobility Binding Corporate Rules (BCRs)

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

GDPR compliance: some basics & practical to do list

Version 1/2018. GDPR Processor Security Controls

GDPR Compliant. Privacy Policy. Updated 24/05/2018

enter into application on 25 May 2018

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

How the GDPR will impact your software delivery processes

Helping you understand the impact of GDPR.

Data Leak Protection legal framework and managing the challenges of a security breach

Data Management and Security in the GDPR Era

GDPR Workflow White Paper

DATA PROTECTION BY DESIGN

HPE DATA PRIVACY AND SECURITY

Google Cloud & the General Data Protection Regulation (GDPR)

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Data Protection Policy

GDPR and the Privacy Shield

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Demonstrating data privacy for GDPR and beyond

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

ATHLETICS WORLD CUP PRIVACY NOTICE

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

Online Ad-hoc Privacy Notice

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Arkadin Data protection & privacy white paper. Version May 2018

Data Breach Notification: what EU law means for your information security strategy

GDPR: An Opportunity to Transform Your Security Operations

Data Processing Agreement

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

GDPR. Lessons Learned

A practical guide to using ScheduleOnce in a GDPR compliant manner

Privacy and Cookies Policy

Transcription:

GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017

Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance (GRC) services. He has over 15 years of consulting experience and has served several multinational financial services and public sector organizations. Alain Marcuse Director, Risk Advisory Services Alain Marcuse provides security and privacy consulting to clients in a broad spectrum of domains, including security assessments, risk management, penetration testing, compliance frameworks and strategic advisory services. 2 Steven Snaith Partner, Technology Risk Assurance Steven Snaith has 15 years of experience in technology risk audit and has been responsible for a wide range of clients within the private and public sectors.

Agenda What is the GDPR? Who does GDPR apply to? Learn from the European experience Develop a road map for compliance 3

What is GDPR? European Union General Data Protection Regulation EU GDPR New data protection law adopted by the EU in April 2016, intended to bolster data privacy protections for EU residents. Companies, government agencies, and non-profits interacting with EU residents have until May 2018 to comply. 4

Who does GDPR protect? The European Union. Consisting of 28 member states: Spain, UK, Ireland, France, Germany, Italy, and Sweden, among others Some island nations such as the Canary Islands, Azores, and others Organizations storing, transmitting or processing data for individuals residing in any of these countries 5

Who does GDPR apply to? To determine if GDPR affects your organization, you need to ask questions such as: Do you offer goods and services to EU residents? Do you rely on third parties that store or transmit data to/from the EU? Do you collect, transmit, or process data pertaining to EU residents? It does not matter whether the services are free It does not matter whether your company operates in the EU 6

7 core principles 1. Lawfulness, fairness and transparency 2. Purpose limitation 3. Data minimization 4. Accuracy 5. Storage limitation 6. Integrity and confidentiality 7. Accountability A few implications follow... 7

Accountability Organizations must demonstrate privacy protection by design and by default. Must appoint Data Protection Officer (DPO) if the: Organization processes data of more than 5,000 individuals a year OR Is active in regular and systematic monitoring of individuals OR Processes data which is sensitive Sanctions (more on that later) 8

Consent Burden of consent now states that: Organizations must now prove genuine, explicit consent for data gathered Consent must be purpose-limited Must allow withdrawal of consent at any time In some instances, consent must be down to business process level In some instances (or countries), must gather consent for individuals as young as age 13 (through their parents) 9

Right to be forgotten Mandatory right to erasure organizations must give individuals the right to request erasure of their data if: Individual withdraws consent Data is no longer needed to achieve the purpose it was collected for Data in question was obtained through unlawful processing 10

Data portability Individuals have the right to transport all of their personal data to another organization (even a competitor): Organizations must provide individuals with their data in a machine-readable format Where feasible, the organization must facilitate electronic transfer of personal data 11

Breach notification Organizations are now under legal obligation to notify local authorities within 72 hours if EU resident data is lost Only exception is if the data was encrypted Organizations have to inform individuals if adverse impact is determined from the breach Service providers (data processors) now have obligations to data controllers 12

Penalties for non-compliance If organizations do not comply, they face a maximum fine of: 4% of their global revenue OR 20million whichever is higher 13

The European perspective: Evolving legislative landscape 1995 Data Protection Directive General Data Protection Regulation Different rules apply in different countries Organizations had to work with authorities in different countries Only EU companies had to comply Consent for collection and processing of data is assumed Applies only if person can be directly identified from data Directive = need member states to legislate; not automatic enforcement Mostly, a single-set of rules applies across the EU Organisations work with one central authority in chosen country fixed upon their main base Some non-eu companies will have to comply if offering services to EU residents Consent for collection and processing of data must be explicitly given Applies if person can be indirectly identified Regulation = immediately enforceable across all member states as national law 14

European perspective key issues we are seeing Carry out an information audit (data held how long for, why, where, how is it shared, and is it still needed) and data flow mapping exercise Update all policies and procedures to reflect changes Update or create information asset register Form a data governance group Implement / review breach notification procedures and incident management plans Review impact of data retention e.g. on archiving Review IT development and purchase procedures privacy by design Consider the position of the existing DPO within the management structure Consider and record lawful bases for processing Service provider / thirdparty contracts are changes required to current agreements with data processors Check accountability in this area is clear and precise Check how consent is obtained? Are changes to this process required? Retain records of consent 15

Roadmap: How do I manage the GDPR puzzle? 16

How should I think about data privacy? Privacy is a business issue Privacy is enabled by information security Privacy is more than a compliance activity

What tactical items should I consider? To understand the risk associated with data protection, organizations must first begin by agreeing that data privacy is a multi-faceted business issue regarding the collection, use and disclosure of personally identifiable information. Tactical considerations People Process Technology Who are the key process and control owners and what are their organizational roles? What information flows from one person to another? How are people trained to maintain adequately execute within the processes? What processes govern the flow of information? Do processes govern the disclosure of data to third parties? Has the organization established a data privacy impact assessment program? Which internal and external systems maintain personal information? Has the organization deployed a data loss prevention solution? Has the organization developed a data consent mechanism? Governance Privacy officer Privacy policies Awareness program Administration Privacy risk assessments Data protection framework Data erasure Management Data protection requirements Incident response plan 72hr breach notification

How do I get my house in order? Privacy is a business issue Identify Diagnose Implement Conduct an enterprise privacy assessment Develop a data inventory Identify the flow of data (e.g., systems) Categorize the location and storage of data Review the information protection framework (e.g., policies, procedures, etc.) Analyze the organization s data retention strategy Review the third party data sharing practices Assess the vendor management posture Implement a governance structure and privacy officer Design / enhance privacy policies and information handling procedures Develop a process / mechanism to obtain and manage consent Implement a data breach notification and incident response program Establish an ongoing data privacy impact assessment program Launch a privacy awareness and training program

Wrap-up While GDPR represents an important step forward for individual privacy rights, it will require potentially vast changes and significant investments by organizations around the world to comply RSM s IT privacy methodology can be leveraged to assess those gaps and provide guidance on the GDPR roadmap 20

RSM US LLP 1861 International Drive, Suite 400 McLean, VA 703-336-6575 +1 800 274 3978 www.rsmus.com This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP. 2017 RSM US LLP. All Rights Reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback