GDPR Privacy Webinar: Prioritizing Your Path towards GDPR Compliance. Annika Sponselee and Nicole Vreeman, 28 February 2018


Prioritizing Your Path to GDPR Compliance. Presented by PrivacyConnect: Half-Day Workshops, Online Webinar Series, OneTrust Certification Training. PRIVACYCONNECT.COM

A short introduction: who are we?
Annika Sponselee, Partner at Deloitte Risk Advisory and head of the Privacy Team (asponselee@deloitte.nl)
Nicole Vreeman, Manager at Deloitte Risk Advisory (nvreeman@deloitte.nl)
2018 Deloitte The Netherlands

Privacy / personal data protection in Europe: the development of personal data protection within the EU. Rapid technological changes endangered our privacy; the aim is an equal level of personal data protection in all EU Member States.
1950: European Convention on Human Rights
1995: Need for rules on EU level: European Data Protection Directive (95/46/EC)
1998: Creation of Google
2001: National laws adapt: Wet bescherming persoonsgegevens (NL)
2004-2006: Creation of Facebook and Twitter
2012: Proposal for a new EU Regulation
2016: General Data Protection Regulation adopted: harmonization of the rules concerning privacy and personal data protection throughout the EU

The Big Picture: key elements of the GDPR
FINES UP TO 4% OF GLOBAL TURNOVER: Previously fines were limited in size and impact. GDPR fines will apply to both controllers and processors.
INCREASED TERRITORIAL SCOPE: GDPR will apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location.
EXPLICIT AND RETRACTABLE CONSENT: Must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
DATA SUBJECT RIGHTS: Data subjects can request confirmation whether or not their personal data is being processed, where and for what purpose. Additionally, data subjects can request to be forgotten, which entails the removal of all the data related to the data subject.
BREACH NOTIFICATION WITHIN 72 HOURS: Security breaches involving personal data may need to be reported to the authorities within 72 hours after detection and possibly be reported to individuals as well.
PRIVACY BY DESIGN: Now a legal requirement: data protection must be included from the onset of the design of systems, rather than added retrospectively.
DATA INVENTORY: Organizations must maintain a record of processing activities under their responsibility; in short, they must keep an inventory of all personal data processed. The inventory must include several types of information, such as the purpose of the processing.
MANDATORY DATA PROTECTION OFFICERS: Appointed in certain cases to facilitate the need to demonstrate compliance with the GDPR and to compensate for no longer requiring bureaucratic submission of data processing activities or transfers based on Model Contract Clauses.
Source: Deloitte Risk Advisory NWE GDPR Brochure

Privacy Transformation Program: a holistic enterprise privacy program. Elements: Strategy; Organization and Accountability; Data Management; Policies & Procedures; Data Transfers; Communication, Training & Awareness; Audit and Compliance; Audit and Certification; Privacy Impact Assessment; Privacy by Design; Processing Inventory.

Privacy Transformation Program: a phased approach
1. Define: Mobilize stakeholders; Create buy-in; Collect baseline information; Define (key) stakeholders; Define scope, objectives, stakeholders, timeline and [insert company name] involvement for design phase.
2. Design: Define business requirements; (Re)design, optimize or harmonize draft deliverables; (Re)design roles & responsibilities; Develop implementation plan; Complete relevant review cycles; Gather necessary approvals.
3. Implement: Execute implementation plan; Pilot new solutions; Optimize and harmonize solutions; Implement organizational changes; Roll out new processes, roles & responsibilities.
4. Operate: Start daily operations in the newly designed way; Support managers and staff to ensure that the new situation is operationalized; Ensure continuous improvement by using the Plan-Do-Check-Act cycle; Ensure hand-over to the business.
Also listed on the slide: Collect and assess existing documentation; Train in the use of new processes and solutions; Create commitment within the organization; Gather necessary approvals.

Deloitte's vision on privacy. GDPR: turn the headache into opportunity (from regulatory pressure to growth opportunity).

[Chart: GDPR compliance topics arranged on a subjective-to-objective axis: Strategy; Governance; Policies; Training & Awareness; Data Subject Rights; Privacy by Design & Change management; Privacy statement; Inventory; Data Retention; DPIA/Risk Assessment; Necessary changes in process & technologies; Security; Data Processing Agreement; (Internal) Audit - Controls; Data Breach management; Data transfer; Sub-Data Processing Agreement]

The General Data Protection Regulation: ten general concepts (1-4)
Inventory: Maintain an overview of processing activities; applies to both controller and processor; includes contact details, purpose of processing, description of categories of data subjects, description of categories of recipients; make available to the Authority upon request.
Data Protection Impact Assessment (DPIA): A means to identify risks for the privacy rights of individuals; carried out prior to the start of the processing activity; formulate appropriate security measures for the identified risks.
Security measures: Measures must be taken to secure an appropriate level of security for the processing activity; linked to the risk assessment; you may choose your own measures.
Agreements with third parties: Controllers may only work with processors that provide sufficient guarantees regarding processing; guarantees concern technical and organizational measures; there must be a data processing agreement.

The General Data Protection Regulation: ten general concepts (5-8)
Data transfers: Within the EU/EEA data may be transferred without major restrictions; the same applies to countries that have an Adequacy Decision given by the European Commission; to other countries, additional requirements apply.
Data retention & data minimization: Personal data may not be kept longer than necessary in relation to the purpose for which it was collected (legal obligation / business purpose); retention terms should be implemented; data deletion should be possible.
Privacy by Design & Privacy by Default: Privacy must be considered at the earliest possible stage in development, and also when changes are implemented; default settings should be set to the most privacy-friendly option.
Data subjects' rights: Concerns rights such as access, rectification, deletion, data portability and the right to be forgotten; the GDPR does not stipulate what the procedures concerning these rights should look like; there are strict timelines for response.

The General Data Protection Regulation: ten general concepts (9-10)
Transparency: Data subjects must be informed about how their data is processed; this must be done in a concise, transparent, intelligible and easily accessible form, using clear and plain language; part of providing transparency is having a good privacy statement.
Data breach management: Organizations are obliged to report security or data breaches to the Data Protection Authority; sometimes breaches must also be reported to the individuals affected; timelines are tight, so having a clear data breach procedure is important.

Questions?

Learn More About PrivacyConnect

2018 WORKSHOP SCHEDULE: Free, Half-Day GDPR Workshops (4.5 IAPP CPE Credit Hours); OneTrust Certification Program in Select Cities; Monthly GDPR Webinar Series Hosted by Top Tier Law Firms & Consultancies. RSVP TODAY: PrivacyConnect.com
Cities: Washington DC, Paris, New York, Amsterdam, Frankfurt, Seattle, Dublin, Denver, Vienna, Dubai, Los Angeles, Boston, Berlin, London, Munich, Toronto, Warsaw, Milan, Madrid, Rome, Tallinn, Atlanta, Dallas, Portland, Budapest, Phoenix, Brussels, San Francisco, Chicago, Geneva, Helsinki, Manchester, Stockholm, Tel Aviv, Houston, Columbus, Prague, Belfast
"This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues."

OneTrust Certification Program Become a OneTrust Certified Privacy Management Professional LEARN MORE AND REGISTER TODAY AT PrivacyConnect.com


Thank you for joining the OneTrust / Deloitte GDPR Privacy Webinar!
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.nl/about to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories, bringing world-class capabilities, insights and service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 264,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.