How does the General Data Protection Regulation (GDPR) affect your business?
Christoforos Christoforou, Risk and Strategic Planning Manager
Agenda: How does the GDPR affect your business?
• Introduction to the General Data Protection Regulation (GDPR)
• Data protection: why all the fuss?
• How does the GDPR affect your business?
http://www.paulhelmick.com
Introduction to the GDPR
Introduction to GDPR: Harmonization Hurdles
How much control over the information you provide online do you feel you have?
• 15% complete control
• 50% partial control
• 31% no control
Source: Eurobarometer 431 (2015)
Almost all Europeans say they would want to be informed if their data has been lost or stolen.
Source: Eurobarometer 431 (2015)
• The GDPR is intended to harmonize data protection law across the EU.
• The GDPR is a regulation, not a directive: it applies directly in every member state without national implementing legislation, and it replaces the Data Protection Directive (95/46/EC) and the national laws that transposed it.
• It entered into force on 24 May 2016 and applies from 25 May 2018, the date from which it is enforceable against organisations.
Data Protection: Why all the fuss?
How is data regulation changing?
• Updated personal data definitions
• Territorial scope
• Well defined penalties for violations
• Greater control of data on behalf of the EU citizen:
  • Right to be forgotten
  • Consent
  • Data portability
• Data protection officer appointment
• Data breach notification (to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; to the affected individuals where the breach is likely to result in a high risk to them)
GDPR Highlights: Personal Data Definition(s)
• Personal data is any information relating to an identified or identifiable natural person (the "data subject"), including identifiers such as a name, an identification number, location data or an online identifier.
• Sensitive personal data (the GDPR's "special categories", Article 9) are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used for identification, health data and data concerning sex life or sexual orientation. Processing them is prohibited unless one of the specific exceptions applies.
• Data relating to criminal convictions and offences (Article 10) may only be processed under the control of official authority or where Union or member state law permits it.
• Pseudonymous data (data that can no longer be attributed to a person without additional information that is kept separately) is still personal data: pseudonymisation reduces risk but does not take the data out of scope, unlike true anonymisation.
GDPR Highlights: Territorial Scope
Scenario 1: Processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU or not.
Scenario 2: Processing by a controller or processor not established in the EU, where the processing relates to offering goods or services to data subjects who are in the EU (whether or not payment is required) or to monitoring their behaviour as far as it takes place in the EU.
GDPR Highlights: Right to be forgotten
Individuals have a right to have personal data erased and to prevent further processing in specific circumstances:
• The personal data are no longer necessary in relation to the purpose for which they were originally collected or processed.
• The individual withdraws consent and no other legal basis for the processing applies.
• The personal data were unlawfully processed.
• Erasure is required to comply with a legal obligation (e.g. a court order).
GDPR Highlights: Portability
The right to data portability applies:
• to personal data an individual has provided to a controller;
• where the processing is based on the individual's consent or on the performance of a contract;
• when processing is carried out by automated means.
Now think about this…
• Are you confident that when an individual demands full personal data portability you can locate the data and transfer it without the risk of leaving something behind?
• Can you confirm that one's personal data is not sitting in an email archive, in an Azure backup or on a completed KYC paper form somewhere in compliance?
GDPR Highlights: The Data Protection Officer
• The GDPR makes appointing a Data Protection Officer (DPO) mandatory where the processing is carried out by a public authority or body, or where the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or criminal conviction data (Article 37). Member state law may require a DPO in further cases, and an organisation that decides it is not required to appoint one should document that assessment.
• The Article 29 Working Party's Guidelines on DPOs (16/EN WP 243 rev.01) were last revised and adopted on 05 April 2017.
Data Breaches…
Does the GDPR apply to me?
How to prepare for GDPR?
GDPR compliance is not a quick fix, and data breach management is not the only step to compliance.
Privacy by design / Change in culture
How to prepare for GDPR? Privacy by Design
• C-Suite attention
• Openness and transparency
• Restructuring of information/data governance systems
• Re-appraisal of information security systems
• Serious levels of staff training
How to prepare for GDPR? Interactions
Documents & Records:
• Registers and Data Attributes
• Data Protection Impact Assessments (DPIA)
• Applications and System Management
• Data Subject's rights
• Incident Management
• Trainings
• Vendor Management (Controller/Processor)
• Data Transfers and Portability
• Risk Management
• Validations & Audits
• Notifications Management
• Obligatory Reporting (e.g. data breach)
• Right to be forgotten
Other elements of the interaction diagram: Integrations, Roles, Processes
How to prepare for GDPR? Process Flow
1. Begin with an information audit
2. Decide what data to keep
3. Securely destroy unnecessary data
4. Assign a Data Protection Officer
5. Begin staff training
6. Review your information/data governance framework
7. Put a clear and effective reporting process in place
GDPR: Data Governance
• CCTV recordings
• Security access records
• Cookies, web browsing history
• GPS records
• Criminal record
• Gene sequence, DNA
• Training certificates
• Race, religion, political beliefs etc.
GDPR: Don't forget about paper.
• The relationship between paper and data privacy is easy to ignore.
• 15-20 years ago paper would have been the focus. Paper, however, is still there.
• The longer paper sits without any plan, the bigger a risk it becomes.
Data governance policies will fail if paper is ignored!
• Paper is as important as digital data in the data privacy conversation, precisely because it is now so easy to ignore.
• Nearly every organization still uses paper in some format.
• Paper also poses a risk in that it can be quite difficult to find once misplaced.
Where is the data?
How is the data stored?
Why do we keep that data?
Who is in charge of the data?
When do I have to request consent?
What does the data consist of?
GDPR: Are you ready?
GDPR & Records Management: Getting GDPR-ready
GDPR as an opportunity: Data Governance - Digital Transformation - Business Reform
GDPR: Records Management Solutions
• Physical and Digital Data marriage
• Intelligent Content Management
• Systems Integration (ERP, CRM, etc.)
• Business Process Analysis and Management
• Retention Policies
• Secure Destruction (physical and digital)
GDPR: Records Management Benefits
• Scale Economies
• Shared responsibility
• Industry know-how
• Compliance
• Efficiency
• Audited processes
• SLA monitored performance
• Risk Mitigation
(Cartoon) "You cannot randomly collect personal data?" "But, it's just a list of who was naughty and who was nice!"
Thank You!
Contact Details
Christoforos Christoforou, Risk and Strategic Planning Manager at Fileminders
Email: [email protected]
Phone: +357 22445526