Download presentation
Presentation is loading. Please wait.
1
General Data Protection Regulation (GDPR
Regine Bonneau - RB Advisory LLC August 3, 2017
2
Agenda What is it? Deadline Why GDPR? & Scope General Accountability
Controllers Processors Governance Part 1 Part 2 Part 3 GDPR Individual Rights Key Consideration for Security Professionals Reporting Data Breaches Checklist Data protection by design Penalties Questions Quickly explain Agenda and ask if anyone they have questions (maybe) If no-one has questions, explain you will be open to questions after the presentation
3
General Data Protection Regulation (GDPR)
What is it? The General Data Protection Regulation (GDPR) will harmonize data protection laws in the EU to help bring better transparency for support of individuals’ rights It consists of 99 Articles with sub definitions Deadline It was revised from its 1995 form to keep up with technology of today and the way information is being obtained, processed, shared and retained. Adopted on April 27, 2016 and will become law on May 25, Very short window to start complying.
4
Why GDPR? & Scope The General Data Protection Regulation will help with: The checks and balances of the massive global exchange of personal data. Unifying each country’s laws to endorse the free cross-border of data sharing, including non-EU territories. Forcing a far-reaching consideration of privacy rights The significant shift of the international privacy landscape SCOPE Covers data processors (organizations) and data subjects (individuals) within the EU GDPR applies to any organization processing the details of EU individuals If you do business in the EU or EU individuals, or a company that does business with the EU, you are subject to the GDPR
5
GDPR Accountability Accountability is one of the centerpiece concepts found in the new framework It will be expected of both Data controllers and processors to draft formal policies to document an organization’s data privacy and protection posture and how it addresses the precepts of the GDPR Policies will need to be created based on the following: The nature, scope, context, and purposes of processing personal data And outline foreseeable risks to the rights of individuals
6
GDPR Accountability - Controllers
Detail must be kept at high standards: The name and contact information of the controller and Data Protection Officer Purposes of processing personal data Categories of data subjects, data, and recipients International data transfers and related safeguards for those transfers Data retention periods, and Data security measures employed
7
GDPR Accountability - Processors
Have to formally keep similar materials that outline as the Controller: The name and contact details of the processor and all engaged controllers Categories of processing for each controller International data transfers and related safeguards for those transfers, and Data security measures employed
8
Governance Article 28 Chapter 4 of the GDPR (one of the most important provisions) is mainly the section that outlines the responsibilities of controllers when engaging processors Part 1 Controllers looking to delegate service involving personal data processing must only work with vendors who will comply with the GDPR obligations Part 2 Controllers must formally authorize and approve processors leveraging processors
9
Governance – Part 3 The following must be stipulated in processor contracts: The nature of the relationship with the processor The length of the contract What the processor will actually be doing as part of their service or product The types of personal data that will be handled by the processor What general or specific GDPR requirements will be inherited by the processor
10
GDPR Individual Rights
The GDPR grants all users the rights over their personal data, which are presented in legal text Those rights are: Portability Individual can request the transfer of personal data to another controller Erasure Referred to as the “right to be forgotten Data subject has the right to request a complete deletion of their personal data when the following are evident: Consent is withdrawn Personal data is no longer needed for the purpose it was originally collected Personal data was unlawfully collected
11
Key Points for Security Professionals
Article 4, definition 12 –defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” Articles 33 – “as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it…”
12
Reporting Data Breaches
Article 4, definition 12 and Articles 33 - requires a controller to notify the personal data breach to the supervisory authority without undue delay Data breaches must be reported within 72 hours of being detected Data processors are liable for any breaches
13
Reporting data breaches checklist:
The GDPR will require companies to develop or update internal breach notification procedures to meet the 72-hour reporting requirement: Timely detection of breaches Reporting and alarms Mitigation through automation Investigation capabilities (case management and forensics)
14
Data protection by design
The GDPR requires data protection and processing safeguards to become part of all systems and processes. Data protection by design is based on 7 foundational principles Proactive not reactive Privacy as the ‘default’ setting Privacy embedded into design Full functionality: positive sum, not zero sum End-to-End security: full lifecycle protection Visibility and transparency : keep it open Respect for user privacy: keep it user-centric
15
Data Protection by Design checklist:
The GDPR is making companies rethink how data protection and privacy are met and managed by the organization: Analyze the gap between current and mandated position Assign required budget and resources Assign a data protection officer if criteria met Align with best-practice mandates Review and update data-handling procedures Develop a workplace education program
16
Penalties Penalties are calculated on Global Annual Revenue
This could mean bankruptcy for some companies A maximum of $21 million or four percent of global annual revenue – whichever is greater 2% allocated for a Notification breach 4% data subject information breach
17
Resources http://www.eugdpr.org
18
Questions Contact: Regine Bonneau RB Advisory LLC
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.