General Data Protection Regulations What is it Why is it important

Presentation transcript:

General Data Protection Regulations What is it Why is it important Ravi Narsipur PMP, CISSP PMI Westchester Chapter Quality COP Meeting April 9th 2019

What is the General Data Protection Regulation (GDPR)?
A European Union regulation designed to:
- Provide individuals with rights and protections over their personal data that is collected or created by business or government entities
- Unify data protection regulations across the EU
- Be a comprehensive regulation that is intentionally non-technical, because technology evolves over time
- Provide a mechanism for enforcement of the regulation

What are the GDPR Data Protection Principles?
Personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained for as long as necessary
- Processed in a manner that ensures appropriate security
- Subject to accountability, including the ability to demonstrate compliance with the Data Protection Principles

New EU data rules
- Data protection by design and default
- Data Protection Impact Assessments (aka PIAs)
- Suppliers outside the EU are in scope
- Toughened (local, not centralised) enforcement bodies: audits and dawn raids
- Breach reporting within 72 hours
- The distinction between processor and controller diminishes
- Data Protection Officers
- Cross-border data transfers: Binding Corporate Rules (BCRs)
- Stronger individual control over data (right to be forgotten, data portability, right to object to processing)
- Consent is less of an option

Who Does GDPR Impact?
GDPR applies to any organization that collects or processes personal data originating in the EU, regardless of whether that organization is located in the EU or not.

When Does GDPR Enforcement Begin?
GDPR is in effect now, but organizations have an implementation grace period that ends May 25th 2018. You have a little over 1 year before enforcement begins.

Additional Consequences for GDPR Violations
- Increased liability and compensation (material or non-material damage)
- Greater reputational risk
- Shared investigations across the EU
- Shareholder/investor engagement
- More to do for controllers and processors

GDPR is not a checklist
GDPR takes a risk-based approach that accounts for:
- Evolving "state of the art" technology and threats
- The varying size and sophistication of organizations
- The cost of implementation
- The nature and amount of data processed
The level of risk to the data determines the appropriate controls, effort and technology.

Key Data Protection Requirements: GDPR is Expansive
- General Provisions
- Principles
- Rights of the Data Subjects
- Controller & Processor
- Transfer of Personal Data to Third Countries or International Organizations
- Independent Supervisory Authorities
- Cooperation & Consistency
- Remedies, Liability & Penalties
- Provisions Relating to Specific Processing Situations
- Delegated Acts & Implementing Acts
Data Security, Data Transfer, High Risk Obligation

Data Protection by Design and Default
By Design
- Data protection can no longer be an afterthought
- Proactive, not reactive
- A fundamental component in the design and maintenance of information systems; must be considered throughout the data lifecycle
By Default
- Minimize the amount and type of data collected and processed
- Only process what is necessary for the intended purpose
- Reduce the number of people, entities or technologies that can access data
- Limit retention and storage of data

Five GDPR Data Security Use Cases
- Data Discovery and Classification
- Data Masking and Pseudonymization
- Monitoring
- Breach Detection
- Vulnerability Assessment

GDPR practical pointers and tips
Develop
- Build a sustainable and defensible privacy program
- Maintain internal privacy policies and external notices
- Develop standards and procedures (with business units) to operationalize privacy policies
- Evaluate and document use cases for privacy risk
- Enhance privacy training and awareness
Involve: Privacy Office, Legal, Security, IT, Business & HR
Legal
- Develop and maintain data transfer mechanisms
- Define data controllers and processors for products/services
- Manage the contract process and third party agreements
- Identify and support regional/local DPO requirements
- Assess current data subject access request readiness
Security
- Maintain data protection throughout the data lifecycle
- Assist with data breach notification
- Partner with privacy incident response to identify, evaluate, and respond to breaches of personal data confidentiality
IT
- Maintain a data inventory and cross-border flow mapping
- Support the execution of data subject requests for access, erasure, restriction, and data portability
- Support the capture, tracking, flagging, and dissemination of consent choice indicators across the enterprise and to third parties
Business & HR
- Assist with the evaluation of privacy impact risk for consumer and employee use cases and third party relationships
- Assist the privacy office in developing standards and procedures to operationalize privacy policies
- Develop new initiatives following Privacy by Design leading practices
- Respect data minimization, data quality, limited data access, and consent

GDPR will Harmonize Data Protection Across the EU
Consolidate and streamline
- Data Protection Directive (1995): 31 national laws
- Interpreted and enforced locally by Data Protection Authorities (DPAs)
GDPR
- 1 law across the EU plus Norway, Iceland and Liechtenstein
- One Stop Shop principle: a Lead Supervisory Authority (SA) for cross-border operations
- EU co-operation procedure between SAs
- The EU Data Protection Board replaces the Article 29 Working Party and translates the regulation into actionable guidelines
- Specific technology requirements
- The first EU regulation with both data breach notification requirements and an absolute mandate to enforce

GDPR impacts much of the organization
Organizational
- Appointing a Data Privacy Officer
- Enhancing consumer notice and transparency
- Enforcing Privacy by Design
- Conducting Privacy Impact Assessments
IT
- Enacting data transfer mechanisms
- Defining data controllers and processors
- Managing the contract process and model clauses
- Driving data breach notification
HR
- Ensuring rights of access and remediation
- Permitting the right to be forgotten
- Fielding questions, inquiries, concerns
CISO
- Enabling data portability
- Ensuring rights of access, authentication
- Enhancing the development lifecycle
- Managing consent indicators and logs
Privacy Office
- Promoting security throughout the data lifecycle
- Assisting with data breach notification
- Driving incident response
Business Impact
- Respecting consent
- Ensuring employee privacy
- Automating decision-making processes
- Training employees on privacy
- Limiting data access

How the market is approaching GDPR
Many organizations:
- Lack executive buy-in for the data privacy program, and lack a cross-functional group for providing privacy/data use strategy and decision-making
- Do not have appropriate documentation related to personal data, processing, third party recipients, and data flows
- Are not fully prepared to comply with the new data subject rights introduced by GDPR
- Lack an adequate third party due diligence/auditing capability to meet the requirements of GDPR
- Lack adequate data privacy compliance monitoring or assurance to cover all aspects of GDPR compliance
- Lack a formal, repeatable policy/procedure for conducting Privacy Impact Assessments (PIAs) or Privacy & Security by Design
- Lack a formal process for evaluating enterprise privacy risk and lack a remediation process to close identified gaps

Anchoring accountability for privacy at the senior executive level is critical. Executive buy-in for privacy enables the cross-functional coordination needed for a privacy program to operate effectively. Executive support is also a necessary element for driving the messages that promote a positive connotation for privacy within the broader company culture. "Tone from the top" is key.

A consistent indicator of an effective privacy program was privacy investment and front-line responsibility within the business units. Investment in privacy and accountability is clearly tied to business strategy, rather than just compliance. As data use practices encourage privacy programs to be more active within the business units as enablers, the CPO must maintain a strong foundation in compliance/risk management to ensure maximum buy-in.

The role of the CPO has changed in significant ways, and we are seeing significant growth in investment, breadth of role, and staffing in support of data privacy operations. GDPR and other regulatory shifts are forcing companies to evaluate (and in some cases develop from scratch) the effectiveness of their privacy operations (e.g. Privacy Impact Assessment, DPO designation, localization, etc.).

Technical Data Lifecycle Considerations
Lifecycle stages: Storage, Legitimate Purpose, Informed Consent, Usage, Transfer, Destroy/Aggregate
Storage
- Determine where data will be stored, both here and at third parties, and if/how data should be segregated
- Ensure proper agreements are in place for internal and external storage
Legitimate Purpose
- Understand the legitimate purposes laid out in GDPR
- Determine which one applies to this data collection
- Capture the purpose and ensure it can be linked to the data
Informed Consent and Usage
- Assess how the data will be used upon collection
- Store consent to know what consent was given and when, to direct usage
- Align data usage with the legitimate purpose and consent
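The purpose, consent and retention checks the lifecycle slide calls for, as an added example that is not part of the presentation: the purpose is captured with the data, consent is stored with its timestamp, and every use is checked against purpose, consent and retention before it happens. The record types, function names and sample timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Constructed illustration: all names below are assumptions, not GDPR terms of art.

@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purposes: FrozenSet[str]            # purposes the subject was informed of and agreed to
    given_at: datetime                  # when consent was given
    withdrawn_at: Optional[datetime] = None

@dataclass(frozen=True)
class PersonalData:
    subject_id: str
    purpose: str                        # legitimate purpose captured at collection, linked to the data
    collected_at: datetime
    retention: timedelta                # how long processing for this purpose is necessary

def usage_decision(data: PersonalData, consent: ConsentRecord,
                   requested_purpose: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); the first failing check denies the use."""
    if consent.subject_id != data.subject_id:
        return False, "consent record belongs to a different data subject"
    if requested_purpose != data.purpose:
        return False, f"purpose limitation: collected for {data.purpose!r}, not {requested_purpose!r}"
    if requested_purpose not in consent.purposes:
        return False, "no informed consent recorded for this purpose"
    if consent.withdrawn_at is not None and consent.withdrawn_at <= now:
        return False, "consent withdrawn; stop processing"
    if now > data.collected_at + data.retention:
        return False, "retention period exceeded: destroy or aggregate"
    return True, "use aligned with purpose, consent and retention"

def demo() -> List[Tuple[bool, str]]:
    """Run four constructed scenarios: allowed, wrong purpose, expired, withdrawn."""
    t0 = datetime(2019, 4, 9, tzinfo=timezone.utc)  # constructed timestamp
    consent = ConsentRecord("subj-42", frozenset({"order-fulfilment"}), given_at=t0)
    withdrawn = ConsentRecord("subj-42", frozenset({"order-fulfilment"}), given_at=t0,
                              withdrawn_at=t0 + timedelta(days=10))
    data = PersonalData("subj-42", "order-fulfilment", collected_at=t0,
                        retention=timedelta(days=365))
    return [
        usage_decision(data, consent, "order-fulfilment", t0 + timedelta(days=30)),
        usage_decision(data, consent, "marketing", t0 + timedelta(days=30)),
        usage_decision(data, consent, "order-fulfilment", t0 + timedelta(days=400)),
        usage_decision(data, withdrawn, "order-fulfilment", t0 + timedelta(days=30)),
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```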

A GDPR compliance journey
GDPR compliance will be a challenge for many businesses. Only the proactive will be prepared. Your compliance journey involves many considerations, including harsh regulatory and litigation risks for non-compliance. Proactive businesses are assessing their current capabilities, designing their future state and operationalizing ongoing programs to allow for sustainable and demonstrable compliance. This 5-step approach can help in the process of transforming your privacy program.
1. Risk analysis and data discovery
2. Gap assessment and remediation roadmap
3. Cross-functional oversight and planning
4. Program implementation
5. Ongoing program operation and monitoring
Phases: Assess current capabilities; Design the future state; Operate and sustain