General Data Protection Regulation (GDPR): The impact of doing business in Asia


SESSION ID: GPS-R09
General Data Protection Regulation (GDPR): The impact of doing business in Asia
Ilias Chantzos, Senior Director EMEA & APJ Government Affairs, Symantec Corporation, @ichantzos

Typical Customer Timeline for the GDPR

Awareness phase ("What is it and does it really impact me?"): thought leadership, awareness, education.
Discovery & Planning phase ("What do I need to do and when by?"): risk assessments / gap analysis, advisory services, information governance plans, budgeting / hiring key staff.
Implementation phase (making changes to prepare): policy and organisational updates, addressing technology gaps, purchasing of software and technology.

Survey figures: 96% do not fully understand GDPR; 9 in 10 have concerns about their ability to become compliant; 22% consider compliance a top priority in the next two years.

Timeline: 25th May 2016, formal EU approval of GDPR; 25th May 2018, GDPR comes into force across all EU states (including the UK).

Why does EU law matter for Asia?

The evolution of GDPR

Today: 28 interpretations of the Data Protection Directive.
2018: one Data Protection Regulation, harmonized across all EU member states.

Key changes:
- Right to be forgotten
- Extra-territoriality
- Consent
- Access
- Fines and penalties
- Accountability
- Joint liability of controllers and processors
- Mandatory breach notification

Business Concerns With the GDPR
- Accountability
- Information security
- Cloud and international data transfer
- Penalties for breaking the law

What is GDPR All About? Not Just Privacy.

Privacy. Principles of data collection: fairly and lawfully, receiving consent, relevance, proportionality. Types of data: collect, process. Permission applies to specific data and a specific purpose; notify of changes.
Security. Management of: access, right to rectify data, data destruction policy, data transfers, applicable rules.
Manage the information lifecycle: retain & secure. Retain: duration, types of data. Secure: people, process, technology, data loss.

Privacy & Security

Privacy = strategy: outcomes, requirements, how to process data.
Security = operationalisation: capabilities, controls, practical implementation.

You can have security without privacy, but you can't have privacy without security.

GDPR: Eight Big Questions
1. Can you determine what your risk profile is?
2. What personal data is out there and where is it?
3. Can we control what personal data is accessible and who can access it?
4. Can we control where data resides?
5. Can we obfuscate data and enhance privacy?
6. Can we detect unauthorised access or breaches of personal data?
7. Can we quickly and thoroughly notify in the event of a breach?
8. Can you continuously evaluate the effectiveness of your security?

What is the Difference Between On-Premise & Cloud?
None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?

Understanding the Cloud Data Challenge
[Diagram: 26% of cloud docs are broadly shared. New challenges: proliferation of cloud apps, the shadow data problem, compromised accounts. Components shown: on-premises DLP detection, DLP enforcement, management server.]

Data Transfers and Adequacy
In most cases, by definition, cloud will involve some form of international data transfer.
To the US: standard model clauses, Binding Corporate Rules (BCR), Privacy Shield (the Safe Harbour story).
To third countries: standard model clauses, Binding Corporate Rules (BCR), certification / codes of conduct.

What is accountability?
Demonstrate compliance through: appropriate policy, process and technology; Data Protection Officers; Privacy Impact Assessments; privacy by design and by default; effective, enforced & documented policies.
Accountability cannot be transferred or outsourced.

Shadow IT, Shadow Data: What Do We Mean?
Shadow IT: unsanctioned apps / services in use.
Shadow Data: unmanaged content that users put into sanctioned apps / services not meant for that, or into unsanctioned apps / services.
In GDPR terms:
- Shadow IT = data processors in the wild.
- Shadow Data in sanctioned apps / services may be processed out of policy.
- Shadow Data in unsanctioned apps / services cannot be accounted for.

Where Might GDPR Compliance Be Impacted?
- Purpose limitation, storage limitation, confidentiality and integrity (Article 5)
- Transparency and information to data subjects (Articles 12-14)
- Exercise of data subject rights (Articles 15-22)
- Privacy by design and by default (Article 25)
- Risk of joint controllership (Article 26)
- Processor obligations and sub-processing (Article 28)
- Controller-processor relationship (Article 29)
- Documentation of processing operations (Article 30)
- Security of processing (Article 32)
- Data breach detection and notification (Articles 33 and 34)
- Risk assessment, DPIA accuracy, prior consultation (Articles 35-36)
- International transfers (Chapter V)
- Compensation and liability (Article 82)
- Overall accountability (Articles 5 & 24)
- Sanctions (Article 83)

Information Security
Improved security requirements: encryption and ID management; requirement to secure private data; effective detection and response.

The Regulatory Terms of Reference
Article 4, paragraph 12, THE BREACH (what can happen to data?): "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Recital 75, THE IMPACT (what can happen to the data subject?): "The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage".
GDPR / DPA requirement: prevent, detect, log, report, remedy.
GDPR / DPA expectation: anticipate, avoid, mitigate, compensate.

Penalties under GDPR
Risk surface: number of victims, territory, types of data.
72 hours to notify of a breach once aware.
Fines: 2% or 10 million; 4% or 20 million.
What triggers investigation? Complaint by consumer, employee or competitor; own initiative; security incident.
Enforcement by national Data Protection Authorities.

What about BREXIT? Any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.

Starting Questions for the GDPR: How ready are you? Count your "No" answers!
- Do you know what personal data you process? Yes / No
- Do you know where it is and how it flows in the organisation? Yes / No
- Do you consider privacy at every level? Yes / No
- Do you think user first in security? Yes / No
- Have you reviewed your information risk management process for data privacy? Yes / No
- Have you reviewed your security controls against privacy requirements? Yes / No
- Do you have robust detection and monitoring processes? Yes / No
- Have you tested and implemented your response plans, including notification and external communication? Yes / No

Recommendations
- Use this year wisely; implementation may take longer than you think.
- Engage with your board; report on progress in addressing data privacy through your security program.
- Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate the risk.
- Understand and tackle your big data privacy and security risks.
- Document what personal data you hold and ensure lawful use.
- Identify where technology can help you achieve compliance:
  PREPARE: understand the IT (and data) environment and risks.
  PROTECT: secure personal data everywhere.
  DETECT: breach monitoring and detection.
  RESPOND: incident response planning.

Apply what you have learned today
Immediate:
- Understand whether you process European data, either because you are doing business in Europe or as part of the supply chain.
- Try to answer for yourself the 8 GDPR questions.
Next 3 months:
- Understand the level of maturity and awareness within your own organisation.
- Talk to key stakeholders; there may already be a GDPR project in preparation.
Next 6 months:
- Start or participate in a GDPR compliance program.
- Understand the impact it will have on IT infrastructure and prepare for it.
- Prepare an investment strategy for key technologies that will facilitate compliance.

THANK YOU!!!
Ilias_chantzos@symantec.com