
General Data Protection Regulations What is it Why is it important

Learn about the General Data Protection Regulation (GDPR), an important European Union regulation designed to provide individuals with rights and protections over their personal data. Understand the principles, requirements, and practical tips for compliance.


Presentation Transcript


  1. General Data Protection Regulations: What is it, Why is it important
  Ravi Narsipur, PMP, CISSP
  PMI Westchester Chapter Quality COP Meeting, April 9th 2019

  2. What is the General Data Protection Regulation (GDPR)?
  • European Union regulation
  • Designed to:
    • Provide individuals with rights and protections over their personal data that is collected or created by business or government entities
    • Unify data protection regulations across the EU
  • Comprehensive regulation: intentionally non-technical, because technology evolves over time
  • Provides a mechanism for enforcement of the regulation

  What are the GDPR Data Protection Principles?
  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Retained for as long as necessary
  • Processed in a manner that ensures appropriate security
  • Accountability, including the ability to demonstrate compliance with the Data Protection Principles

  3. New EU data rules
  • Data protection by design and default
  • Data Protection Impact Assessments (aka PIAs)
  • Suppliers outside the EU in scope
  • Toughened (local, not centralised) enforcement bodies: audits & dawn raids
  • Breach reporting within 72 hours
  • Distinction between processor and controller diminishes
  • Data Protection Officers
  • Cross-border data transfers: Binding Corporate Rules (BCRs)
  • Stronger individual control over data (right to be forgotten, data portability, right to object to processing)
  • Consent less of an option

  Who Does GDPR Impact?
  • Applies to any organization that collects or processes personal data originating in the EU, regardless of whether that organization is located in the EU or not

  4. When Does GDPR Enforcement Begin? May 25th 2018
  • GDPR is in effect now, but…
  • Organizations have an implementation grace period that ends May 25th 2018
  • You have a little over 1 year before enforcement begins

  Additional Consequences for GDPR Violations
  • Increased liability & compensation (material or non-material damage)
  • Greater reputational risk
  • Shared investigations across the EU
  • Shareholder/investor engagement
  • More to do for controllers and processors

  GDPR is not a checklist
  • Risk-based approach
  • GDPR takes into account:
    • Evolving "state of the art" technology and threats
    • Varying size and sophistication of organizations
    • Cost of implementation
    • Nature and amount of data processed
  • The level of risk to the data determines the appropriate controls, effort and technology

  5. Key Data Protection Requirements: GDPR is Expansive
  • General Provisions
  • Principles
  • Rights of the Data Subjects
  • Controller & Processor
  • Transfer of Personal Data to Third Countries or International Organizations
  • Independent Supervisory Authorities
  • Cooperation & Consistency
  • Remedies, Liability & Penalties
  • Provisions Relating to Specific Processing Situations
  • Delegated Acts & Implementing Acts
  • Data Security
  • Data Transfer
  • High Risk Obligation

  6. Data Protection by Design and Default
  • By Design
    • Data protection can no longer be an afterthought
    • Proactive, not reactive
    • A fundamental component in the design and maintenance of information systems; it must be considered throughout the data lifecycle
  • By Default
    • Minimize the amount and type of data collected and processed
    • Only process what is necessary for the intended purpose
    • Reduce the number of people, entities or technologies that can access data
    • Limit retention and storage of data

  Five GDPR Data Security Use Cases
  • Data Discovery and Classification
  • Data Masking and Pseudonymization
  • Monitoring
  • Breach Detection
  • Vulnerability Assessment

  7. GDPR practical pointers and tips
  Security
  • Maintain data protection throughout the data lifecycle
  • Assist with data breach notification
  • Partner with privacy incident response to identify, evaluate, and respond to breaches of personal data confidentiality
  IT
  • Maintain a data inventory and cross-border flow mapping
  • Support the execution of data subject requests for access, erasure, restriction, and data portability
  • Support the capture, tracking, flagging, and dissemination of consent choice indicators across the enterprise and to third parties
  Business & HR
  • Assist with the evaluation of privacy impact risk for consumer and employee use cases and third party relationships
  • Assist the privacy office in developing standards & procedures to operationalize privacy policies
  • Develop new initiatives following Privacy by Design leading practices
  • Respect data minimization, data quality, limited data access, and consent
  Develop
  • Build a sustainable and defensible privacy program
  • Maintain internal privacy policies and external notices
  • Develop standards & procedures (with BUs) to operationalize privacy policies
  • Evaluate and document use cases for privacy risk
  • Enhance privacy training and awareness
  Involve
  • Privacy Office
  • Legal
  Legal
  • Develop and maintain data transfer mechanisms
  • Define data controllers and processors for products/services
  • Manage the contract process and third party agreements
  • Identify and support regional/local DPO requirements
  • Assess current data subject access request readiness

  8. GDPR will Harmonize Data Protection Across the EU
  Consolidate
  • Data Protection Directive (1995)
  • 31 national laws
  • Streamline laws interpreted and enforced locally by Data Protection Authorities (DPAs)
  GDPR
  • 1 law across the EU and Norway, Iceland and Liechtenstein
  • One Stop Shop principle
    • Lead Supervisory Authority (SA) for cross-border operations
    • EU co-operation procedure between SAs
  • EU Data Protection Board
    • Replaces the Article 29 Working Party
    • Translates the regulation into actionable guidelines
  • Specific technology requirements
  • First EU regulation with both data breach notification requirements and an absolute mandate to enforce

  9. GDPR impacts much of the organization
  Organizational
  • Appointing a Data Privacy Officer
  • Enhancing consumer notice & transparency
  • Enforcing Privacy by Design
  • Conducting Privacy Impact Assessments
  IT
  • Enacting data transfer mechanisms
  • Defining data controllers & processors
  • Managing contract process and model clauses
  • Driving data breach notification
  HR
  • Ensuring rights of access & remediation
  • Permitting the right to be forgotten
  • Fielding questions, inquiries, concerns
  CISO
  • Enabling data portability
  • Ensuring rights of access, authentication
  • Enhancing the development lifecycle
  • Managing consent indicators and logs
  Privacy Office
  • Promoting security throughout the data lifecycle
  • Assisting with data breach notification
  • Driving incident response
  Business Impact
  • Respecting consent
  • Ensuring employee privacy
  • Automating decision-making processes
  • Training employees on privacy
  • Limiting data access

  10. How the market is approaching GDPR
  • Lack executive buy-in for the data privacy program, and lack a cross-functional group for providing privacy/data use strategy and decision-making
  • Do not have appropriate documentation related to personal data, processing, third party recipients, and data flows
  • Are not fully prepared to comply with the new data subject rights introduced by GDPR
  • Lack an adequate third party due diligence/auditing capability to meet the requirements of GDPR
  • Lack adequate data privacy compliance monitoring or assurance to cover all aspects of GDPR compliance
  • Lack a formal, repeatable policy/procedure for conducting Privacy Impact Assessments (PIAs) or Privacy & Security by Design
  • Lack a formal process for evaluating enterprise privacy risk and lack a remediation process to close identified gaps

  • Anchoring accountability for privacy at the senior executive level is critical. Executive buy-in for privacy enables the cross-functional coordination needed for a privacy program to operate effectively.
  • Executive support is also a necessary element for driving the messages that promote a positive connotation for privacy within the broader company culture. "Tone from the top" is key.
  • A consistent indicator of an effective privacy program was privacy investment and front-line responsibility within the business units.
  • Investment in privacy and accountability is clearly tied to business strategy, rather than just compliance. As data use practices encourage privacy programs to be more active within the business units as enablers, the CPO must maintain a strong foundation in compliance/risk management to ensure maximum buy-in.
  • The role of the CPO has changed in significant ways, and we are seeing significant growth in investment, breadth of role, and staffing in support of data privacy operations.
  • GDPR and other regulatory shifts are forcing companies to evaluate (and in some cases develop from scratch) the effectiveness of their privacy operations (e.g. Privacy Impact Assessment, DPO designation, localization, etc.).

  11. Technical Data Lifecycle Considerations
  Lifecycle stages: Legitimate Purpose, Informed Consent, Usage, Storage, Transfer, Destroy / Aggregate
  Legitimate Purpose
  • Understand the legitimate purposes laid out in GDPR
  • Determine which one applies to this data collection
  • Capture the purpose and ensure it can be linked to the data
  Informed Consent
  • Assess how the data will be used upon collection
  • Store consent so you know what consent was given and when, to direct usage
  Usage
  • Align data usage with the legitimate purpose and consent
  Storage
  • Determine where data will be stored, both here and at third parties, and if/how data should be segregated
  • Ensure proper agreements are in place for internal and external storage
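As an added illustration (not part of the presentation), the Python sketch below shows one way to implement slide 6's "by default" controls and slide 11's lifecycle advice: the purpose is captured and bound to the record, consent is stored with its timestamp so a later withdrawal is honoured, retention is limited, and the identifier is pseudonymized. All class and function names, the purpose labels and the sample subject are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import hashlib, hmac

@dataclass
class Consent:
    """One consent decision, stored so we know what was given and when."""
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class PersonalRecord:
    """Personal data with its documented purpose and retention bound to it."""
    subject_ref: str                  # pseudonym, never the raw identifier
    purpose: str                      # legitimate purpose captured at collection
    collected_at: datetime
    retention: timedelta              # "limit retention" from data protection by default
    consents: List[Consent] = field(default_factory=list)

def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed one-way pseudonym: records stay joinable without holding the raw identifier.
    The key is the additional information that must be kept apart from the records."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def usage_allowed(rec: PersonalRecord, requested_purpose: str, now: datetime) -> Tuple[bool, str]:
    """Gate a use of the data on purpose match, retention and a currently valid consent."""
    if requested_purpose != rec.purpose:
        return False, "purpose mismatch"
    if now > rec.collected_at + rec.retention:
        return False, "retention expired"
    for c in rec.consents:
        active = c.withdrawn_at is None or c.withdrawn_at > now
        if c.purpose == requested_purpose and c.given_at <= now and active:
            return True, "ok"
    return False, "no valid consent"

def demo() -> List[Tuple[bool, str]]:
    """Constructed sample: one subject who consented to order fulfilment only."""
    key = b"constructed-demo-key"   # assumption: a real key lives in a KMS or HSM
    t0 = datetime(2019, 4, 9, tzinfo=timezone.utc)
    rec = PersonalRecord(pseudonymize("alice@example.com", key), "order_fulfilment",
                         t0, timedelta(days=365), [Consent("order_fulfilment", t0)])
    results = [usage_allowed(rec, "order_fulfilment", t0 + timedelta(days=1)),
               usage_allowed(rec, "marketing", t0 + timedelta(days=1)),
               usage_allowed(rec, "order_fulfilment", t0 + timedelta(days=400))]
    rec.consents[0].withdrawn_at = t0 + timedelta(days=30)  # subject withdraws consent
    return results + [usage_allowed(rec, "order_fulfilment", t0 + timedelta(days=31))]
```

The four calls in demo() exercise the allowed case, a purpose mismatch, an expired retention period and a withdrawn consent, which are the checks a data-subject "object to processing" or erasure request must be able to rely on.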

  12. A GDPR compliance journey
  GDPR compliance will be a challenge for many businesses. Only the proactive will be prepared. Your compliance journey involves many considerations, including harsh regulatory and litigation risks for non-compliance. Proactive businesses are assessing their current capabilities, designing their future state and operationalizing ongoing programs to allow for sustainable and demonstrable compliance. This 5 step approach can help in transforming your privacy program.
  • Risk analysis and data discovery
  • Gap assessment and remediation roadmap
  • Cross-functional oversight and planning
  • Program implementation
  • Ongoing program operation and monitoring
  Phases: Assess current capabilities, Design the future state, Operate and sustain
