GDPR Privacy Webinar: Prioritizing Your Path towards GDPR Compliance
Annika Sponselee and Nicole Vreeman, 28 February 2018
Presented by OneTrust PrivacyConnect (Half-Day Workshops, Online Webinar Series, OneTrust Certification Training) PRIVACYCONNECT.COM
A short introduction: Who are we?
- Annika Sponselee, Partner at Deloitte Risk Advisory and head of the Privacy Team, asponselee@deloitte.nl
- Nicole Vreeman, Manager at Deloitte Risk Advisory, nvreeman@deloitte.nl
2018 Deloitte The Netherlands
Privacy / personal data protection in Europe: the development of personal data protection within the EU
Rapid technological change endangered our privacy; the goal is an equal level of personal data protection in all EU Member States.
- 1950: European Convention on Human Rights
- 1995: Need for rules at EU level: European Data Protection Directive (95/46/EC)
- 1998: Creation of Google
- 2001: National laws adapt: Wet bescherming persoonsgegevens (NL)
- 2004-2006: Creation of Facebook and Twitter
- 2012: Proposal for a new EU Regulation
- 2016: General Data Protection Regulation adopted: harmonization of the rules concerning privacy and personal data protection throughout the EU
The Big Picture: Key elements of the GDPR
- FINES UP TO 4% OF GLOBAL TURNOVER (or EUR 20 million, whichever is higher). Previously fines were limited in size and impact. GDPR fines apply to both controllers and processors.
- INCREASED TERRITORIAL SCOPE. The GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location.
- EXPLICIT AND RETRACTABLE CONSENT. Consent requests must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- DATA SUBJECT RIGHTS. Data subjects can request confirmation of whether or not their personal data is being processed, where and for what purpose. Additionally, data subjects can request to be forgotten, which entails erasure of the personal data relating to them where the conditions for erasure are met.
- BREACH NOTIFICATION WITHIN 72 HOURS. Security breaches involving personal data may need to be reported to the supervisory authority within 72 hours after the organization becomes aware of them, and possibly to the affected individuals as well.
- PRIVACY BY DESIGN. Now a legal requirement: data protection must be built in from the start of system design rather than added retrospectively.
- DATA INVENTORY. Organizations must maintain a record of the processing activities under their responsibility; in short, they must keep an inventory of all personal data processed. The inventory must include several types of information, such as the purpose of the processing.
- MANDATORY DATA PROTECTION OFFICERS. Appointed in certain cases to support the obligation to demonstrate compliance with the GDPR, and to compensate for the removal of the former bureaucratic notification of processing activities and of transfers based on Model Contract Clauses.
Source: Deloitte Risk Advisory NWE GDPR Brochure
Privacy Transformation Program: a holistic enterprise privacy program
Components: Strategy; Organization and Accountability; Data Management; Policies & Procedures; Data Transfers; Communication, Training & Awareness; Audit and Compliance; Audit and Certification; Privacy Impact Assessment; Privacy by Design; Processing Inventory
Privacy Transformation Program: a phased approach
1. Define
- Mobilize stakeholders and create buy-in
- Collect baseline information; collect and assess existing documentation
- Define (key) stakeholders
- Define scope, objectives, stakeholders, timeline and [insert company name] involvement for the design phase
2. Design
- Define business requirements
- (Re)design, optimize or harmonize draft deliverables
- (Re)design roles & responsibilities
- Develop the implementation plan
- Complete relevant review cycles and gather necessary approvals
3. Implement
- Execute the implementation plan; pilot new solutions
- Optimize and harmonize solutions
- Implement organizational changes; roll out new processes, roles & responsibilities
- Train in the use of new processes and solutions; create commitment within the organization
- Gather necessary approvals
4. Operate
- Start daily operations in the newly designed way
- Support managers and staff to ensure that the new situation is operationalized
- Ensure continuous improvement by using the Plan-Do-Check-Act cycle
- Ensure hand-over to the business
Deloitte's vision on privacy: GDPR: turn the headache into opportunity (regulatory pressure on one axis, growth opportunity on the other)
[Figure: privacy program components plotted from subjective to objective: Strategy; Governance; Policies; Training & Awareness; Data Subject Rights; Privacy by Design & Change Management; Privacy Statement; Inventory; Data Retention; DPIA/Risk Assessment; necessary changes in processes & technologies; Security; Data Processing Agreement; (Internal) Audit and Controls; Data Breach Management; Data Transfer; Sub-Data Processing Agreement]
The General Data Protection Regulation: Ten General Concepts (1)
Inventory
- Maintain an overview of processing activities
- Applies to both controller and processor
- Contains contact details, purpose of processing, description of categories of data subjects, description of categories of recipients
- Make available to the supervisory authority upon request
Data Protection Impact Assessment (DPIA)
- A means to identify risks to the privacy rights of individuals
- Carried out prior to the start of the processing activity
- Formulate appropriate security measures for the identified risks
Security measures
- Measures must be taken to ensure a level of security appropriate to the processing activity
- Linked to the risk assessment
- You may choose your own measures
Agreements with third parties
- Controllers may only work with processors that provide sufficient guarantees regarding the processing
- The guarantees concern technical and organizational measures
- There must be a data processing agreement
The General Data Protection Regulation: Ten General Concepts (2)
Data transfers
- Within the EU/EEA, data may be transferred without major restrictions
- To countries with an Adequacy Decision from the European Commission: likewise
- To other countries: additional requirements apply
Data retention & data minimization
- Personal data may not be kept longer than necessary in relation to the purpose for which it was collected
- The term follows from a legal obligation or the business purpose
- Retention terms should be implemented
- Data deletion should be possible
Privacy by Design & Privacy by Default
- Privacy must be considered at the earliest possible stage in development, and again when changes are implemented
- Default settings should be set to the most privacy-friendly option
Data subject rights
- Concern rights such as access, rectification, deletion, data portability and the right to be forgotten
- The GDPR does not stipulate what the procedures concerning these rights should look like
- There are strict timelines for response: in principle within one month of receipt, extendable by two further months for complex or numerous requests
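The retention bullets above say that retention terms should be implemented and deletion should be possible, but not what an implementation looks like. The following is an added example, not code from the webinar or from Deloitte: a small retention run in Python that ties each record to the purpose it was collected for, deletes records whose term has expired, keeps records under legal hold, and escalates records with no documented retention term for review instead of silently keeping them. The purposes, the retention periods and the sample records are constructed for illustration; real terms have to follow from the legal obligation or business purpose documented in the processing inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention term per processing purpose, in days. Hypothetical values:
# the real term comes from the documented purpose or a legal obligation
# (e.g. a statutory bookkeeping term), not from this table.
RETENTION_DAYS = {
    "order_fulfilment": 7 * 365,   # assumed statutory bookkeeping term
    "marketing": 365,              # assumed consent-based, short term
    "support_ticket": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_at: datetime         # must be timezone-aware
    legal_hold: bool = False       # e.g. pending litigation or regulator request


def retention_decision(record: Record, now: datetime) -> str:
    """Return 'keep', 'delete' or 'review' for a single record."""
    if record.legal_hold:
        # A hold overrides the retention term; the record stays until released.
        return "keep"
    term = RETENTION_DAYS.get(record.purpose)
    if term is None:
        # No documented term means the record cannot be justified as
        # "necessary for the purpose": send it to a human reviewer rather
        # than keeping or deleting it automatically.
        return "review"
    if now - record.collected_at > timedelta(days=term):
        return "delete"
    return "keep"


def run_retention(records, now: datetime, store: dict) -> list:
    """Apply the decisions to `store` (id -> record) and return a decision
    log (id, purpose, decision) that can be kept as accountability evidence."""
    log = []
    for rec in records:
        decision = retention_decision(rec, now)
        if decision == "delete":
            store.pop(rec.record_id, None)
        log.append((rec.record_id, rec.purpose, decision))
    return log


# Constructed sample data; the fixed clock is the webinar date.
NOW = datetime(2018, 2, 28, tzinfo=timezone.utc)
SAMPLE = [
    Record("r1", "marketing", datetime(2016, 1, 1, tzinfo=timezone.utc)),
    Record("r2", "marketing", datetime(2017, 10, 1, tzinfo=timezone.utc)),
    Record("r3", "order_fulfilment", datetime(2012, 6, 1, tzinfo=timezone.utc),
           legal_hold=True),
    Record("r4", "order_fulfilment", datetime(2010, 6, 1, tzinfo=timezone.utc)),
    Record("r5", "analytics_export", datetime(2017, 1, 1, tzinfo=timezone.utc)),
]


def demo():
    """Run retention over the sample; return the log and the surviving ids."""
    store = {r.record_id: r for r in SAMPLE}
    log = run_retention(SAMPLE, NOW, store)
    return log, sorted(store)


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Two design points carry over to a real system: the decision is driven by the purpose recorded in the inventory, so a purpose without a documented term is a finding in its own right, and the log of what was deleted and why is kept, because the accountability principle requires being able to show that the retention policy was actually executed.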
The General Data Protection Regulation: Ten General Concepts (3)
Transparency
- Data subjects must be informed about how their data is processed
- This must be done in a concise, transparent, intelligible and easily accessible form, using clear and plain language
- Part of providing transparency is having a good privacy statement
Data breach management
- Organizations are obliged to report personal data breaches to the Data Protection Authority, within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals
- Sometimes the breach must also be reported to the individuals affected
- Timelines are tight, so having a clear data breach procedure is important
Questions?
Learn More About PrivacyConnect
2018 WORKSHOP SCHEDULE: Free, Half-Day GDPR Workshops (4.5 IAPP CPE Credit Hours), OneTrust Certification Program in Select Cities, Monthly GDPR Webinar Series Hosted by Top Tier Law Firms & Consultancies. RSVP TODAY: PrivacyConnect.com
Cities: Washington DC, Paris, New York, Amsterdam, Frankfurt, Seattle, Dublin, Denver, Vienna, Dubai, Los Angeles, Boston, Berlin, London, Munich, Toronto, Warsaw, Milan, Madrid, Rome, Tallinn, Atlanta, Dallas, Portland, Budapest, Phoenix, Brussels, San Francisco, Chicago, Geneva, Helsinki, Manchester, Stockholm, Tel Aviv, Houston, Columbus, Prague, Belfast
"This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues."
OneTrust Certification Program Become a OneTrust Certified Privacy Management Professional LEARN MORE AND REGISTER TODAY AT PrivacyConnect.com
Thank you for joining the OneTrust / Deloitte GDPR Privacy Webinar! Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.nl/about to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories, bringing world-class capabilities, insights and service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 264,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.