EU Data Privacy: What US Orgs Need to Do Now to Prepare for the GDPR
Session PRV-T11
Chris Zoladz, Founder, Navigate LLC (@CZ_Navigate)
Note: the notes included in this version of the slides are not the full speaker notes; they are included for the reviewer's benefit on slides that are not intuitive without the voice-over.
$1,000,000,000
Significant fines of up to 4% of global revenue!
Attention grabber: this is the maximum fine that could be levied against Facebook, for example, for violating the GDPR.
Other Important Reasons the GDPR Matters
- Requires new IT/security capabilities
- Risk of not being able to "transfer" personal data out of the EU: would your business suffer if you could not transfer data cross-border?
- Non-compliance may expose the organization to individual lawsuits
- Investigations are disruptive to the business
- Adverse media
- Reputational damage
What is Your Interest in the GDPR? You are:
- responsible for Security
- a Security Consultant, in-house or external
- Legal Counsel
- responsible for Privacy
- bored and had nothing better to do
Looking Back to Look Forward
Privacy = Fundamental Human Right
It is important to understand why the EU regulators feel so strongly about data protection/privacy. There are deep roots back to WWII and the personal consequences for individuals based on religion, political affiliations, health status, etc. [This slide will be described via a story] The photo is from Yad Vashem.
GDPR At-a-Glance
- 99 articles; effective May 25, 2018
- Replaces the EU Data Protection Directive (EUDPD) in place since 1995; many of the same core requirements remain in place
- HOWEVER . . .
GDPR At-a-Glance (cont'd)
HOWEVER, there are significant changes in requirements, such as . . .
- Territorial scope: applies to EU citizen personal data regardless of where it resides
- Explicit consent: "opt-out" no longer permissible; only explicit consent
- Age gate: individuals under the age of 16 cannot give consent
- Individual rights: expanded (e.g., right to be forgotten, data portability)
- Breach notice: data breach notification requirements to regulators (within 72 hours) and perhaps to individuals
What Does the GDPR Mean to Security & IT?
1. Requirement to correct, delete or transfer personal data everywhere it is stored
2. Breach notification requirements
3. Security requirements are not overly prescriptive:
   - Risk-based approach
   - Basic CIA (confidentiality, integrity, availability) and resilience
   - Encryption or pseudonymisation of personal data
4. Data Protection Impact Assessments (PbD)
5. Periodic testing of controls
Right to be Forgotten
600,000 requests
Do you know how you will meet these requests?
Apply: What You Need To Do
- Understand all personal data flows, including shadow IT
- Determine if EU citizen personal data is distinguishable from all others
- Identify systems to be developed or changed for opt-in, data access, correction and deletion requests, and age-gating requirements
- Assess the adequacy of security measures
- Develop (or refine) and then implement:
  - encryption or pseudonymisation of personal data
  - processes and capabilities to handle personal data access, correction, deletion and portability requests
  - a Data Protection Impact Assessment process
  - a data breach response plan
Achieving Compliance
For some organizations, achieving GDPR compliance will seem monumental; for others it will not be as much work. It all depends on the current state (e.g., Is the organization currently compliant with the EU Data Protection Directive that the GDPR is replacing? Does the organization have the commitment, resources and "will" to achieve compliance by May 2018?)
Note: A countdown clock to May 25, 2018 will be added to the slide.
How Does Your Company Compare? Data Source: Hunton Williams & AvePoint
Questions and Discussion
Thank you!
Chris Zoladz
chris@navigatellc.net
240-475-3640
Appendix – Helpful Resources
Know the Requirements: Article 32 – Security of Processing
"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
Key Definitions in the GDPR
Personal Data means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
Pseudonymisation means "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"
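The pseudonymisation definition above has a concrete engineering shape: direct identifiers are replaced by tokens, and the "additional information" (here, a keyed-hash secret plus a token-to-identifier map) lives in a separate, access-controlled store. The Python below is an added illustration, not code from the presentation or from Navigate LLC; the customer records, the HMAC key, and the PseudonymVault class are all constructed for the example. It also shows how removing a subject's entries from the separately kept map supports the deletion requests discussed earlier in the deck.

```python
import hmac
import hashlib

# Constructed sample records (fictional people); customer_id and email are the
# direct identifiers that must be pseudonymised before the data is shared or
# analysed outside the controlled store.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"customer_id": "C-1002", "email": "bob@example.com", "country": "FR", "plan": "free"},
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "DE", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


class PseudonymVault:
    """Holds the 'additional information' that Art. 4(5) requires to be kept
    separately: the HMAC key and the token -> identifier lookup table.
    In production this object would sit behind its own access controls,
    audit logging and key management, apart from the pseudonymised data set."""

    def __init__(self, key: bytes):
        self._key = key          # constructed key; use a managed secret in practice
        self._lookup = {}        # token -> original identifier

    def tokenise(self, value: str) -> str:
        # Keyed hash: deterministic (the same subject yields the same token, so
        # records still join), but not reversible without the key, and the key
        # alone cannot be used to enumerate identifiers from a token.
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = value
        return token

    def reidentify(self, token: str):
        """Attribute a token back to a data subject; None if no mapping exists."""
        return self._lookup.get(token)

    def erase(self, *values: str):
        """Right-to-erasure support: drop the mapping for the given identifiers so
        the tokens already in circulation can no longer be attributed. Returns the
        affected tokens so the caller can purge matching records downstream; the
        key itself stays valid, so full erasure also requires deleting the records."""
        affected = sorted(t for t, v in self._lookup.items() if v in values)
        for t in affected:
            del self._lookup[t]
        return affected


def pseudonymise(records, vault: PseudonymVault, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with every direct identifier replaced by a
    token; non-identifying attributes (country, plan) are left untouched."""
    out = []
    for rec in records:
        copy = dict(rec)
        for f in fields:
            if f in copy:
                copy[f] = vault.tokenise(str(copy[f]))
        out.append(copy)
    return out


if __name__ == "__main__":
    vault = PseudonymVault(b"constructed-demo-key-do-not-reuse")
    shared = pseudonymise(SAMPLE_RECORDS, vault)
    for row in shared:
        print(row)
    # A subject exercises the right to be forgotten: unlink and purge.
    gone = vault.erase("alice@example.com", "C-1001")
    shared = [r for r in shared if r["email"] not in gone and r["customer_id"] not in gone]
    print("after erasure:", shared)
```

The data set handed to analysts contains only tokens and non-identifying attributes, which is what lets it be treated as pseudonymised rather than identified; the vault, with the key and lookup table, is the part that needs the technical and organisational measures the definition refers to.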
Where to Find the GDPR and Other Helpful Resources
- The full GDPR text – http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC (pages 32-88 contain the specific requirements).
- Top 10 operational impacts of the GDPR by the International Association of Privacy Professionals (IAPP) – https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/
- CipherCloud Global and Regional Guides to Data Protection Laws – http://pages.ciphercloud.com/global-guide-to-data-protection-laws-landing-page.html
Resources (cont'd)
- Hunton Williams and AvePoint GDPR Readiness Survey – https://www.huntonprivacyblog.com/2016/11/10/cipl-avepoint-release-global-gdpr-readiness-report/