Published by Tyler McCoy; modified over 6 years ago.
The Rise of Privacy: Complying with GDPR in the United States
Gene Geiger, President of A-LIGN
Presenter
Gene Geiger, President of A-LIGN, leads A-LIGN's service delivery.
Areas of concentration include PCI DSS, ISO 27001, FedRAMP, FISMA, HIPAA/HITECH and HITRUST.
Holds the following designations: CPA, QSA, CCSK, ISO LA, CISSP, HITRUST Practitioner, PCIP.
©2018
Agenda
Privacy Landscape
Overview of GDPR
Impact of GDPR
Steps to Prepare
Appendices
Privacy & Data Protection Environment
Source: International Association of Privacy Professionals
General Data Protection Regulation
Adopted April 27, 2016; replaces the Data Protection Directive
Protects personal data of EU citizens
Expands citizen control over personal data
Unifies existing privacy regulations
Full implementation by May 25, 2018
Why Is GDPR Important?
Penalties of noncompliance:
Fines up to 4% of global revenue or $20 million
EU Commission-directed data protection audits
Individual lawsuits
Restricted access to data
Loss of organizational certifications
Damaged reputation
Why Is GDPR Challenging?
Source: CIPL and AvePoint Release Global GDPR Readiness Report
6 Main Principles
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
What Is Personal Data?
Identifies a real person by: name, photos, banking info, social media, medical info, IP address; indirect and direct identifiers; biometric and genetic data.
Identifies a real person by: name, identification number, location data, online identifier, or one or more factors specific to the … identity of that person.

Speaker notes: the difference between personal data in the US and the EU
PII is the term used in the US, coined by NIST. PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Non-PII information according to the US: device IDs, IP addresses, cookies.
Personal data is the term used by the EU: "'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity." An "identification number" does include an IP address or cookie string.
Personal data according to the GDPR Regulation, and its actual definition: "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Comprehensive Requirements
Breach notification, consent, privacy notice, accountability, territorial scope, security obligations, pseudonymisation, Data Protection Officer, privacy by design, penalties.
Breach notification - 72 hours to notify data subjects and the supervisory authority
Consent - required to justify processing personal data; consent can be withdrawn
Privacy notice - a letter that contains information telling people what you are doing with their data
Accountability - how you comply with the regulation by deploying and demonstrating both the policies and the principles regarding the regulation
Territorial scope - any entity that processes personal information of EU citizens (in the EU) is subject to the Regulation
Security obligations - ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Pseudonymisation - encrypting personal data and keeping it secured
Data Protection Officer - monitors compliance with the GDPR
Privacy by design - manage and minimize access to confidential data
Penalties
Expanded Privacy Rights
Right to be informed when data is collected
Right to object to data collection
Right to access collected data
Right to challenge and change data
Right to transfer data easily between any processors
Right to be forgotten (erase data)
Required Consent
Unambiguous consent: for non-sensitive information (social media, business telephone numbers, etc.)
Explicit consent: for sensitive information (medical records, social security numbers, etc.)
Different levels of sensitivity: according to the regulation, "sensitive personal data" are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health or sex life and sexual orientation; and genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence). Non-sensitive information is all other personal data.
Does GDPR Impact You?
GDPR applies to any organization, in or outside the EU, that collects/processes EU citizens' personal data.
Controllers: organizations that collect EU residents' data
Processors: organizations that process data on behalf of controllers
How Will GDPR Affect U.S. Organizations?
Changing operational policies for a comprehensive privacy management program
Contracting third-party processors and controllers
Strategizing data security and breach notification
Appropriately using personal data
GDPR Implementation Challenges
Privacy program implementation and management
Data identification and location
Relationship with data processors (service providers)
Breach notification requirements
Data security
Resources
GDPR Misconceptions
4% or $20,000,000 fine
GDPR applies equally to all types of data
GDPR certification is required
Every company must have a Data Protection Officer
Encryption of data removes GDPR requirements
Privacy Shield compliance is enough for GDPR
Steps for Compliance
Data mapping exercise
Gap assessment against GDPR requirements
Engage outside resources as needed
Develop privacy management system
Steps for Compliance
Discover risk areas within the business
Identify risk mitigation recommendations for improved security
Implement solutions within the business
Start by asking yourself these questions:
Does my organization implement safeguards to ensure the confidentiality, integrity and availability of data?
Are safeguards periodically reviewed to ensure they are working as expected?
Is data processing sufficiently monitored to detect and alert on malicious activity?
Should a data breach occur, are procedures in place to limit unauthorized disclosure of data?
Are employees properly trained to protect data according to their roles and responsibilities?
Best Practices
Implement protection solutions for processing activities
Apply encryption keys to all data
Limit access to data
Regularly audit protection solutions
Train personnel on requirements and mechanisms
GDPR Recap
Mandated adoption May 25, 2018
10 key GDPR requirements
Non-compliance fines up to 4% of global revenue
Enhances individual rights
Demonstrates responsibility and accountability
Improves the organization through trust and effectiveness
Appendices
Information Commissioner's Office GDPR Questionnaires: Controller, Processor
Guide to the GDPR: GDPR Guide
Appendices
ISACA - Data Protection Impact Assessment: Data Protection Impact Assessment Template
Questions?
888.702.5446 | www.A-LIGN.com | info@a-lign.com