The Rise of Privacy: Complying with GDPR in the United States
Gene Geiger, President of A-LIGN
Presenter: Gene Geiger, President of A-LIGN
- Leads A-LIGN's service delivery
- Areas of concentration include PCI DSS, ISO 27001, FedRAMP, FISMA, HIPAA/HITECH and HITRUST
- Holds the following designations: CPA, QSA, CCSK, ISO 27001 LA, CISSP, HITRUST Practitioner, PCIP
WWW.A-LIGN.COM | ©2018
Agenda
- Privacy Landscape
- Overview of GDPR
- Impact of GDPR
- Steps to Prepare
- Appendices
Privacy & Data Protection Environment
Source: International Association of Privacy Professionals, https://iapp.org/resources/article/a-brief-history-of-the-general-data-protection-regulation/
General Data Protection Regulation
- Adopted April 27, 2016; replaces the Data Protection Directive
- Protects personal data of EU citizens
- Expands citizen control over personal data
- Unifies existing privacy regulations
- Full implementation by May 25, 2018
Why Is GDPR Important?
Penalties of noncompliance:
- Fines up to 4% of global revenue or $20 million
- EU Commission-directed data protection audits
- Individual lawsuits
- Restricted access to data
- Loss of organizational certifications
- Damaged reputation
Why is GDPR Challenging?
Source: CIPL and AvePoint, Global GDPR Readiness Report
6 Main Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
What is Personal Data?
Identifies a real person by: name, photos, email, banking info, social media, medical info, IP address
Indirect & direct identifiers; biometric & genetic data
Identifies a real person by: name, identification number, location data, online identifier, one or more factors specific to the … identity of that person

Difference between personal data in the US and the EU
- PII is the term used in the US (coined by NIST). PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- Non-PII information according to the US: device IDs, IP addresses, cookies
- Personal data is the term used in the EU. 'Personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
- An "identification number" does include an IP address or cookie string.
- Personal data according to the GDPR Regulation, in its actual definition: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Comprehensive Requirements
Breach Notification, Consent, Privacy Notice, Accountability, Territorial Scope, Security Obligations, Pseudonymisation, Data Protection Officer, Privacy by Design, Penalties
- Breach Notification: 72 hours to notify data subjects and the supervisory authority
- Consent: required to justify processing personal data, and consent can be withdrawn
- Privacy Notice: a letter that contains information telling people what you are doing with their data
- Accountability: how you comply with the regulation by deploying and demonstrating both policies and principles regarding the regulation
- Territorial Scope: any entity that processes personal information of EU citizens (in the EU) is subject to the Regulation
- Security Obligations: to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Pseudonymisation: encrypting personal data and keeping it secured
- Data Protection Officer: to monitor compliance with the GDPR
- Privacy by Design: to manage and minimize access to confidential data
- Penalties
Expanded Privacy Rights
- Right to be informed when data is collected
- Right to object to data collection
- Right to access collected data
- Right to challenge and change data
- Right to transfer data easily between any processors
- Right to be forgotten (erase data)
Required Consent
- Unambiguous Consent: for non-sensitive information (social media, business telephone numbers, etc.)
- Explicit Consent: for sensitive information (medical records, social security numbers, etc.)
Different levels of sensitivity: according to the regulation, "Sensitive Personal Data" are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence). Non-sensitive information is all other personal data.
Does GDPR Impact You?
GDPR applies to any organization in and outside the EU that collects/processes EU citizens' personal data.
- Controllers: organizations that collect EU residents' data
- Processors: organizations that process data on behalf of controllers
How Will GDPR Affect U.S. Organizations?
- Changing operational policies for a comprehensive privacy management program
- Contracting third-party processors and controllers
- Strategizing data security and breach notification
- Appropriately using personal data
GDPR Implementation Challenges
- Privacy program implementation and management
- Data identification and location
- Relationship with data processors (service providers)
- Breach notification requirements
- Data security
- Resources
GDPR Misconceptions
- 4% or $20,000,000 fine
- GDPR applies equally to all types of data
- GDPR certification is required
- Every company must have a Data Protection Officer
- Encryption of data removes GDPR requirements
- Privacy Shield compliance is enough for GDPR
Steps for Compliance
- Data mapping exercise
- Gap assessment against GDPR requirements
- Engage outside resources as needed
- Develop privacy management system
Steps for Compliance
- Discover risk areas within the business
- Identify risk mitigation recommendations for improved security
- Implement solutions within the business
Start by asking yourself these questions:
- Does my organization implement safeguards to ensure the confidentiality, integrity and availability of data?
- Are safeguards periodically reviewed to ensure they are working as expected?
- Is data processing sufficiently monitored to detect and alert on malicious activity?
- Should a data breach occur, are procedures in place to limit unauthorized disclosure of data?
- Are employees properly trained to protect data according to their roles and responsibilities?
Best Practices
- Implement protection solutions for processing activities
- Encrypt all data
- Limit access to data
- Regularly audit protection solutions
- Train personnel on requirements and mechanisms
GDPR Recap
- Mandated adoption May 25, 2018
- 10 key GDPR requirements
- Non-compliance fines up to 4% of global revenue
- Enhances individual rights
- Demonstrates responsibility and accountability
- Improves organization through trust and effectiveness
Appendices
- Information Commissioner's Office GDPR Questionnaires: Controller, Processor
- Guide to the GDPR: GDPR Guide
Appendices
- ISACA Data Protection Impact Assessment: Data Protection Impact Assessment Template
Questions?
888.702.5446 | www.A-LIGN.com | info@a-lign.com