General Data Protection Regulation
April 3, 2018
Sarah Ackerman, Managing Director
Ross Patz, Consultant

Introductions
Sarah Ackerman, CISSP, CISA, Managing Director, Cincinnati
- Responsible for overall engagement quality of services provided to clients
- Areas of expertise include information security, risk management, IT audit, and other related services
Ross Patz, Consultant, Cincinnati
- Areas of expertise include information technology management, disaster recovery, IT infrastructure engineering, information security, IT audit, and other related services

Today's Agenda
- What is GDPR?
- Who's covered?
- GDPR: Key takeaways
- Privacy Shield
What is the General Data Protection Regulation?
What is GDPR?
- The European Union's General Data Protection Regulation
- Enforceable from May 25, 2018
- A comprehensive, uniform data privacy and security regulation that applies directly in every member State

Purpose
GDPR was created to:
- Set rules for the processing of personal data
- Protect privacy
- Ensure the free movement of personal data within the EU
"The protection of natural persons in relation to the processing of personal data is a fundamental right." (Recital 1, adopted by the European Parliament and Council)

Penalties
Fines for non-compliance (Article 83):
- Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements
- A lower tier of up to €10 million or 2% applies to other obligations (e.g., security of processing, breach notification)
Who's covered under GDPR?

Categories of Business
- Entities established in member States
- International businesses with EU entities
- International "catch-all" clause (Article 3(2)): entities outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU

Covered Roles (Article 4 definitions)
- Data Controller: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
- Data Processor: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
- Data Recipient: "a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not"
Source: Official Journal of the European Union

Entities Outside the EU
Two methods for transferring personal data outside the EU:
- Adequacy decision: the European Commission determines that the destination country (or framework) provides a level of protection essentially equivalent to the EU's, so no further authorisation is needed
- Appropriate safeguards (Article 46): the receiving entity commits to controls meeting the GDPR standard for privacy, typically through standard contractual clauses or binding corporate rules
Organization of the Law
Organization of the Law
[Diagram: hierarchy of EU legislative acts and the Regulation. Source: Official Journal of the European Union]

Organization of the Law (cont.)
Regulation: 10 Chapters, 99 Articles, preceded by 173 Recitals
Very descriptive!

Organization of the Law (cont.)
Example of the Recitals' level of detail, Recital 37:
"A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings..."
Source: Official Journal of the European Union

Organization of the Law (cont.)
- Chapter II: Principles Relating to Processing of Personal Data
- Chapter III: Rights of the Data Subject
- Chapter IV: Controller and Processor
- Chapter V: Transfers of Personal Data to Third Countries or International Organizations

Who Manages GDPR
Supervisory Authority
- Appointed by each member State
- Ensures the law is applied equally and fairly
- Enforces the law within its State
European Data Protection Board
- One representative of each Supervisory Authority
- Handles dispute resolution and overall governance
US regulators (relevant to Privacy Shield transfers, not to GDPR enforcement itself)
- FTC
- Department of Commerce
GDPR: Key Takeaways
Changes from the Previous Privacy Directive (Directive 95/46/EC)
- Increased territorial scope, including the cloud
- Stricter consent requirements
- Breach notification (to the supervisory authority within 72 hours of becoming aware)
- Right to access
- Right to correct (rectification); right to be forgotten (erasure)
- Data portability
- Privacy by design and by default
- Data Protection Officers

Overlap
Not a total rewrite of an existing privacy program. Some overlap with:
- NIST SP 800-53 Security and Privacy Controls
- ISO/IEC 29100 IT Security Techniques, Privacy Framework
- AICPA's Generally Accepted Privacy Principles (GAPP)
- OCC's Privacy Laws and Regulations

To Do List
- Internal business analysis
- Create/update documentation:
  - Decisions related to data processing
  - Privacy and security policies (e.g., data storage)
  - Data breach notification procedures
  - Informed consent
- Review contracts (controllers/processors)
- Determine whether a Data Protection Officer is required and appoint one
- Education and awareness

Common Challenges
- Underestimating scope: have you started?
- How to interpret the law: what additional measures are needed?
- Building and maintaining an inventory of data processing activities
- Lack of capabilities, for example: who will serve as the required representative in the EU (Article 27) for a non-EU entity?

Future of Compliance
- Legislation in the US Congress?
- Brexit: will the UK end up in a position similar to Switzerland?
Privacy Shield
Privacy Shield & GDPR
- Privacy Shield is a transfer mechanism, not a GDPR compliance program: it addresses the data-transfer requirements of GDPR for EU-to-US flows
- Parts of the framework accommodate aspects of GDPR
- It covers only the transfer of data; GDPR obligations on processing still apply

Privacy Shield Overview
Who does it apply to?
- US companies transferring data related to EU and Swiss individuals
What does it cover?
- Provides a mechanism to comply with EU data-transfer requirements (e.g., under GDPR)
When does it take effect?
- Now, as soon as you self-certify
Where is it administered and enforced?
- Administered: International Trade Administration (ITA), part of the US Department of Commerce
- Enforced: Federal Trade Commission (the FTC is an independent agency, separate from the Department of Commerce)
- Also involved: EU Data Protection Authorities (DPAs) and the European Commission
Why was it created?
- To replace Safe Harbor

Privacy Shield vs. Safe Harbor
- Safe Harbor is no longer recognized by the EU (invalidated by the Court of Justice in 2015)
- Privacy Shield is recognized as providing adequate protection under a European Commission adequacy decision (July 2016)
- Joining Privacy Shield automatically withdraws an organization from Safe Harbor
- As of September 2017: 2,400 organizations had joined Privacy Shield

Privacy Shield Principles
Privacy Shield contains:
- Principles: what you should focus on
- Letters: from US agencies describing how the program will be run and how the FTC will enforce it
23 total Principles:
- 7 commonly recognized privacy principles
- 16 supplemental principles that explain and augment the first 7
Requirements cover:
- Use and treatment of personal data received from the EU
- Access and recourse mechanisms
Privacy Shield Privacy Principles
1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability

Privacy Shield Supplemental Principles
1. Sensitive Data
2. Journalistic Exceptions
3. Secondary Liability
4. Performing Due Diligence and Conducting Audits
5. The Role of the Data Protection Authorities
6. Self-Certification
7. Verification
8. Access
9. Human Resources Data
10. Obligatory Contracts for Onward Transfers
11. Dispute Resolution and Enforcement
12. Choice: Timing of Opt Out
13. Travel Information
14. Pharmaceutical and Medical Products
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities

Privacy Shield vs. Safe Harbor: What's New?
New privacy protections:
- Notice requirements
- Accountability for onward transfer
- Purpose limitation and data retention
Enhanced complaint resolution:
- Response time
- Free dispute resolution
- Binding arbitration
Ongoing requirements if you withdraw but retain data
Improved cooperation and transparency

Privacy Shield: Subsidiaries
- Must identify all entities and subsidiaries covered by the self-certification
- All covered subsidiaries must inform individuals that they adhere to the Principles

Privacy Shield: How to Join
1. Confirm eligibility
2. Develop a compliant privacy policy
3. Establish an Independent Recourse Mechanism (IRM)
4. Ensure a verification mechanism is in place
5. Identify your point of contact
6. Self-certify
7. Reaffirm self-certification annually
8. Reply to inquiries

Privacy Shield: Verification
- Self-assessment or third-party review
- Assess the published privacy policy
- Periodic objective reviews of compliance: audit, random reviews, or technology tools
- Signed statement verifying the self-assessment or outside compliance review

Privacy Shield: Impact
- Increased regulatory focus
- Stronger obligations for data transfers
- Increased risk from third parties
- Must respond to disputes faster
- Document and maintain records and compliance reports

Privacy Shield: Self-Certification Fees
The annual fee supports administration, supervision, and related services. It is tiered by the organization's annual revenue:

  Annual Revenue      Single Framework   Both Frameworks (EU-US and Swiss-US)
  $0 - $5M            $250               $375
  $5M - $25M          $650               $975
  $25M - $500M        $1,000             $1,500
  $500M - $5B         $2,500             $3,750
  Over $5B            $3,250             $4,875

Annual fee if the organization withdraws but retains data covered by the framework: $200
Questions?
If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us:
(513) 768-7100
sackerman@clarkschaefer.com
rpatz@clarkschaefer.com
www.clarkschaefer.com