GDPR Preparedness: How to Ensure You Are Ready for May 2018
Transcript of GDPR Preparedness: How to Ensure You Are Ready for May 2018
Presenter: Chris King, VP of Operations & Co-Founder
• Designed multiple active data centers for SpringCM's cloud application & web services platform
• Launched a compliance program featuring SSAE 18, SOC 2 (All Principles), CSA STAR, TRUSTe, FedRAMP, HIPAA, ISO 27001, and Privacy Shield
Presenter: Petar Besalev, Director of Cyber Risk and Privacy
• Has provided IT audit consulting and compliance services for Fortune 500 companies in many industries
• Holds the following designations:
  • Certificate of Cloud Security Knowledge (CCSK)
  • Certified Information Privacy Technologist (CIPT)
  • Certified Information Systems Auditor (CISA)
Agenda
• Why is GDPR important?
• What is GDPR?
• How does it impact your organization?
• What are the ways to achieve GDPR compliance?
• What are the benefits of GDPR compliance?
Why Is GDPR Important?
Penalties of Noncompliance
Fines up to 4% of global revenue or $20 million
• A written warning
• EU Commission-directed data protection audits
• Individual lawsuits
• Restricted access to data
• Loss of organizational certifications
• Damaged reputation
Readiness
[Chart: Do you have a budget, headcount, or other resource increase planned in anticipation of the GDPR? Response options: Discussions regarding additional resources have begun, but no decisions have yet been taken; No additional resources will be available for GDPR compliance; Additional head count; Additional internal budget; Additional external counsel budget. Values shown: 48.94%, 30.50%, 22.70%, 20.57%, 16.31%.]
What Is GDPR?
General Data Protection Regulation
• Adopted April 27, 2016, replaces the Data Protection Directive (Directive 95/46/EC)
• Protects personal data of EU citizens
• Unifies existing privacy regulations
• Expands citizen control over personal data
• Full implementation by May 25, 2018
6 Main Principles
• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
Personal Data
• Examples of Personally Identifiable Information (PII):
  • Name
  • Photos
  • Banking info
  • Social media
  • Medical info
  • IP address
  • Indirect & direct identifiers
  • Biometric & genetic data
Basic Rights
• Right to be informed when data is collected
• Right to object to data collection
• Right to access collected data
• Right to challenge and change data
• Right to transfer data easily between any processors
• Right to be forgotten (erase data)
Required Consent
Unambiguous Consent
• For non-sensitive information
• Social media, business telephone numbers, etc.
Explicit Consent
• For sensitive information
• Medical records, social security numbers, etc.
Other Privacy Directives
• GDPR applies to all member states
• Unifies the EU's country-specific privacy directives and laws for protecting personal data
• GDPR operates above the level of all other directives
How Does GDPR Impact Your Organization?
Organizations Affected
• GDPR applies to any organization, in or outside the EU, that collects or processes EU citizens' personal data
Controllers
• Organizations that collect EU citizens' data
Processors
• Organizations that process data on behalf of controllers
Impact
• Changing operational policies for a comprehensive privacy management program
• Contracting compliant third-party processors and controllers
• Defining a data security and breach notification strategy
• Appropriately using personal data
Responsibility | Accountability
What Are the Ways to Achieve GDPR Compliance?
Key Requirements
• Breach Notification
• Consent
• Privacy Notice
• Accountability
• Territorial Scope
• Security Obligations
• Pseudonymization
• Data Protection Officer
• Privacy by Design
• Penalties
Steps for Compliance
1. Evaluate overall readiness
2. Discover risk areas within the business
3. Identify risk mitigation recommendations for improved security
4. Implement solutions within the business
Vendor Solutions
• Contracting a CSP (like SpringCM)
  – Metadata and workflow
  – Compliance management
• Easily take contracts with identified GDPR relevance and automate the creation of, and any downstream process you may have for, establishing a Data Processing Addendum
Assessments Solutions
• Before May 2018 - Gap Assessment
  – Assess compliance level within current data protection and privacy environment
• After May 2018 - Validation
  – Certify compliance against the GDPR standard by reviewing policies, procedures, and processes
Best Practices
• Create internal data protection policies
• Implement protection solutions for processing activities
• Regularly audit protection solutions
• Train personnel on requirements and mechanisms
• Monitor personal data
• Familiarize yourself with DPA templates and contracts
Best Practices Cont.
• Apply encryption keys to all data
• Access to data must be limited and monitored
• Report data breaches to the controller within 72 hours, and to citizens in a timely manner
• Dispose of data using approved sanitization methods
What Are the Benefits of GDPR Compliance?
Operational Effectiveness
• Reduced storage costs
• Lower security risks
• Timely customer interactions
• Less wasteful marketing initiatives
• Mitigated regulatory intervention
Value for Organizations
Compliance leads to:
• Confidentiality, integrity, and availability
• Enhanced customer relationships
• Environment built on assurance and trust
• Increased overall data security
• Improved reputation for the organization
• Proof of commitment to security and privacy
Summary
• Mandated adoption May 25, 2018
• 10 key GDPR requirements
• Non-compliance fines up to 4% of global revenue
• Enhanced individual rights
• Demonstrated responsibility and accountability
• Improves organization through trust and effectiveness
Questions?
www.springcm.com | 877.362.7273
www.A-LIGN.com | 888.702.5446
Resources
• EU's Official GDPR Text
  – http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• CIPL and AvePoint Release Global GDPR Readiness Report
  – https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2016/11/cipl_avepoint_gdpr_readiness_survey_report_1107_final-c.pdf
• Top 10 Operational Impacts of GDPR
  – https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/
• GDPR Overview
  – https://www.springcm.com/products/security/gdpr-overview