Presentation is loading. Please wait.

Presentation is loading. Please wait.

The General Data Protection Regulation: Are You Ready?

Published byChristal Marshall Modified over 5 years ago

Similar presentations

Presentation on theme: "The General Data Protection Regulation: Are You Ready?"— Presentation transcript:

1 The General Data Protection Regulation: Are You Ready?
Angela fares, rhia, crm, cisa, cism, cgeit, cRISC November 13, 2018

2 General Data Protection Regulation
Enacted May 25, 2018 Applies to personal information that identifies living people in specific ways and gives individuals greater control over their information Enforceable in all European Union countries and other countries doing business in the European Union

3 Main Requirements of GDPR
Transparency, fairness and lawfulness in the handling and use of personal data (including a lawful basis to process that data) must be demonstrated during its handling and use Limitation of the processing of personal data to specified, explicit, and legitimate purposes (data cannot be re-used or disclosed for purposes for which it was not originally collected) Collection and storage must be minimal and limited to only the information adequate for the intended purpose Data must be accurate and there must be a mechanism in place to erase, rectify or amend information Storage is limited to the amount of time necessary to accomplish the purpose for which it was collected (unless otherwise defined by law) Security, integrity and confidentiality must be ensured through technical and organizational security measures This Photo by Unknown Author is licensed under CC BY-NC This Photo by Unknown Author is licensed under CC BY

4 Personal Information Personal Information – Includes any data that relates to an identified or identifiable natural living person. Even personal data that has been pseudonymized can be personal data if the pseudonym can be linked to a particular individual Special Personal Information – Personal Information that includes data related to race, ethnic origin, health, sexual orientation, and geolocation

5 Definitions Controller: Person, organization or other body that, alone or jointly with others, determines the purposes and means of processing personal data Processor: Person, organization, or other body which processes personal data on behalf of the Controller Data Subject: Person that is the subject of the personal information being collected and processed Processing: Any operation or set of operations, physical or automated, which is performed on personal data Pseudonymization: Processing of personal data in such a manner that the data cannot be associated with a specific data subject without the use of additional information

6 Organizational Measure
GDPR doesn’t mandate exact security measures to use, but requires organizations to base the security on attributes of the personal data such as: Nature of the information Sensitivity Risks associated with handling/processing

7 Rights of Data Subjects
Right to access personal information about themselves Right to correct, amend, or erase information that is not correct Right be forgotten and have data deleted if it is no longer required to be kept by law Right to request that processing of personal data be stopped if consent is withdrawn Right to data portability Right to object to direct marketing

8 Privacy by “Design” and “Default”
Processes must be designed to incorporate privacy features and functionality into the products from the first time that they are designed Processes must, by default, implement measures to ensure that no more data is collected and processed than necessary, and is not retained any longer than necessary

9 GDPR Record-Keeping Requirements
Policies Procedures Classification Categorization Lifecycle Management Data Transfers/Disclosures Data Amendments Audits and Key Performance Indicators

10 Critical Timelines Data breaches require notice to regulators within 72 hours of the breach Requests by Data Subjects must be fulfilled or enabled within 30 days This Photo by Unknown Author is licensed under CC BY

11 Step 1 Discover and classify/categorize data Map data flows
Conduct a gap analysis

12 Step 2 Quantify resources for hiring/training people
Estimate costs for new products and services Account for professional services

13 Step 3 Deploy security controls Update processes
Review privacy notices and communication

14 Step 4 Ensure that the incident response plan is tested
Analyze your monitoring and audit mechanisms Consider new processes or methods of managing risk

15 Step 5 Set up training and awareness programs
Prepare to demonstrate compliance Develop key performance indicators to measure compliance

16 Summary Create a culture of security awareness Know where your data is
Doesn’t have to be complex Classification enhances the information security and information governance ecosystem Access / Processing / Encryption / Cloud Sharing / Archiving / Reporting Create a culture of security awareness Address the security gap that arises from human behavior

Download ppt "The General Data Protection Regulation: Are You Ready?"

Similar presentations

Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection Overview

Data Protection Overview
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.
Data Protection and research Rachael Maguire Records Manager.

Data Protection and research Rachael Maguire Records Manager.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Protection of Personal Information Act An Analysis on the impact.

Protection of Personal Information Act An Analysis on the impact.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
GDPR 12 POINTS 679/2016 DATA LEX 2016.

GDPR 12 POINTS 679/2016 DATA LEX 2016.
HIPSSA Project PRESENTATION ON SADC DATA PROTECTION MODEL LAW

HIPSSA Project PRESENTATION ON SADC DATA PROTECTION MODEL LAW
Data Protection Officer’s Overview of the GDPR

Data Protection Officer’s Overview of the GDPR
Understanding EU GDPR from an Office 365 perspective

Understanding EU GDPR from an Office 365 perspective
Viewing the GDPR Through a De-Identification Lens

Viewing the GDPR Through a De-Identification Lens
Microsoft 365 Get help with regulatory compliance

Microsoft 365 Get help with regulatory compliance
Presentation to GTMC on GDPR

Presentation to GTMC on GDPR
General Data Protection Regulation (GDPR

General Data Protection Regulation (GDPR
General Data Protection Regulation

General Data Protection Regulation
GENERAL DATA PROTECTION REGULATION (GDPR) PANEL DISCUSSION

GENERAL DATA PROTECTION REGULATION (GDPR) PANEL DISCUSSION

Similar presentations

Ads by Google