GDPR Preparedness: How to Ensure You Are Ready for May 2018

Transcript of GDPR Preparedness: How to Ensure You Are Ready for May 2018 (32 slides)

Page 1: GDPR Preparedness: How to Ensure You Are Ready for May 2018

GDPR Preparedness: How to Ensure You Are Ready for May 2018

Page 2

Presenter: Chris King, VP of Operations & Co-Founder

• Designed multiple active data centers for SpringCM's cloud application & web services platform
• Launched a compliance program featuring SSAE 18, SOC 2 (all principles), CSA STAR, TRUSTe, FedRAMP, HIPAA, ISO 27001, and Privacy Shield

Page 3

Presenter: Petar Besalev, Director of Cyber Risk and Privacy

• Has provided IT audit consulting and compliance services for Fortune 500 companies in many industries
• Holds the following designations:
  – Certificate of Cloud Security Knowledge (CCSK)
  – Certified Information Privacy Technologist (CIPT)
  – Certified Information Systems Auditor (CISA)

Page 4

Agenda

• Why is GDPR important?
• What is GDPR?
• How does it impact your organization?
• What are the ways to achieve GDPR compliance?
• What are the benefits of GDPR compliance?

Page 5

Why Is GDPR Important?

Page 6

Penalties of Noncompliance

Fines up to 4% of global revenue or $20 million

• A written warning
• EU Commission-directed data protection audits
• Individual lawsuits
• Restricted access to data
• Loss of organizational certifications
• Damaged reputation

Page 7

Readiness

[Bar chart: "Do you have a budget, headcount, or other resource increase planned in anticipation of the GDPR?" Response categories: Discussions regarding additional resources have begun, but no decisions have yet been taken; No additional resources will be available for GDPR compliance; Additional head count; Additional internal budget; Additional external counsel budget. Values shown on the bars: 48.94%, 30.50%, 22.70%, 20.57%, 16.31% (y-axis 0% to 60%).]

Page 8

What Is GDPR?

Page 9

General Data Protection Regulation

• Adopted April 27, 2016; replaces the Data Protection Directive (Directive 95/46/EC)
• Protects personal data of EU citizens
• Unifies existing privacy regulations
• Expands citizen control over personal data
• Full implementation by May 25, 2018

Page 10

6 Main Principles

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

Page 11

Personal Data

• Examples of Personally Identifiable Information (PII):
  – Name
  – Photos
  – Email
  – Banking info
  – Social media
  – Medical info
  – IP address
  – Indirect & direct identifiers
  – Biometric & genetic data

Page 12

Basic Rights

• Right to be informed when data is collected
• Right to object to data collection
• Right to access collected data
• Right to challenge and change data
• Right to transfer data easily between any processors
• Right to be forgotten (erase data)

Page 13

Required Consent

Unambiguous Consent
• For non-sensitive information
• Social media, business telephone numbers, etc.

Explicit Consent
• For sensitive information
• Medical records, social security numbers, etc.

Page 14

Other Privacy Directives

• GDPR applies to all member states
• Unifies the EU's country-specific privacy directives and laws for protecting personal data
• GDPR operates above the level of all other directives

Page 15

How Does GDPR Impact Your Organization?

Page 16

Organizations Affected

• GDPR applies to any organization, in or outside the EU, that collects or processes EU citizens' personal data
• Controllers: organizations that collect EU citizens' data
• Processors: organizations that process data on behalf of controllers

Page 17

Impact

• Changing operational policies for a comprehensive privacy management program
• Contracting compliant third-party processors and controllers
• Developing a data security and breach notification strategy
• Appropriately using personal data

Responsibility | Accountability

Page 18

What Are the Ways to Achieve GDPR Compliance?

Page 19

Key Requirements

• Breach Notification
• Consent
• Privacy Notice
• Accountability
• Territorial Scope
• Security Obligations
• Pseudonymization
• Data Protection Officer
• Privacy by Design
• Penalties

Page 20

Steps for Compliance

1. Evaluate overall readiness
2. Discover risk areas within the business
3. Identify risk mitigation recommendations for improved security
4. Implement solutions within the business

Page 21

Vendor Solutions

• Contracting a CSP (like SpringCM)
  – Metadata and workflow
  – Compliance management
• Easily take contracts with identified GDPR relevance and automate the creation and downstream processes you may have for establishing a Data Processing Addendum (DPA).

Page 22

Assessment Solutions

• Before May 2018 - Gap Assessment
  – Assess compliance level within the current data protection and privacy environment
• After May 2018 - Validation
  – Certify compliance against the GDPR standard by reviewing policies, procedures, and processes

Page 23

Best Practices

• Create internal data protection policies
• Implement protection solutions for processing activities
• Regularly audit protection solutions
• Train personnel on requirements and mechanisms
• Monitor personal data
• Familiarize yourself with DPA templates and contracts

Page 24

Best Practices Cont.

• Apply encryption keys to all data
• Access to data must be limited and monitored
• Report data breaches to the controller within 72 hours, and to citizens in a timely manner
• Dispose of data using approved sanitization methods

Page 25

What Are the Benefits of GDPR Compliance?

Page 26

Operational Effectiveness

• Reduced storage costs
• Lower security risks
• Timely customer interactions
• Less wasteful marketing initiatives
• Mitigated regulatory intervention

Page 27

Value for Organizations

Compliance leads to:
• Confidentiality, integrity, and availability
• Enhanced customer relationships
• Environment built on assurance and trust
• Increased overall data security
• Improved reputation for the organization
• Proof of commitment to security and privacy

Page 28

Summary

Page 29

Summary

• Mandated adoption May 25, 2018
• 10 key GDPR requirements
• Non-compliance fines up to 4% of global revenue
• Enhanced individual rights
• Demonstrated responsibility and accountability
• Improves the organization through trust and effectiveness

Page 30

Questions?

www.springcm.com | 877.362.7273
www.A-LIGN.com | 888.702.5446

Page 31

Resources

• EU's Official GDPR Text
  – http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• CIPL and AvePoint Release Global GDPR Readiness Report
  – https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2016/11/cipl_avepoint_gdpr_readiness_survey_report_1107_final-c.pdf
• Top 10 Operational Impacts of GDPR
  – https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/
• GDPR Overview
  – https://www.springcm.com/products/security/gdpr-overview

Page 32