1. What YOUR ORGANIZATION CAN be doing to prepare
4/7/2019
EU General Data Protection Regulation (GDPR) for North American Companies
What YOUR ORGANIZATION CAN be doing to prepare
This is the IBM Security Default Template for both internal and external use. It’s aspect ratio is 16:10 and measures 10 x 6.25”. This template was created in Microsoft PowerPoint 365 Pro Plus 2016.
Template files (saved with the file extension .potx) contain slide designs and customized layouts and are stored in your Microsoft templates folder*
To save your new template as your default template for future use:
Click “File / Save as” and choose “PowerPoint template (.potx) from the pull down menu”
Rename file to, “Blank.potx” and click “Save” (file will then be stored to the default template location)
Themes provide a complete slide design that can be applied to your existing presentation, including background designs, font styles, colors, and layouts
To save your new template’s theme file; click “View / Slide Master / Themes”
On the Themes pull down menu, select, “Save Current Theme”
This new Theme file is how you apply the new template design to your existing presentations
For more information, visit: Office.com / PowerPoint / Support
Copy your existing source slides in slide sorter view
Paste special by right-clicking in slide sorter view of destination file or template
Select “Keep source formatting”
This helps to ensure your slides retain their existing styles
Each slide needs to be adjusted by doing the following in “Normal view”
Select body content except title and footer by (Control “A”; then select title and footers while holding shift key)
Cut remaining selected body content (Control “X”)
Reset slide layout using new template layouts
Paste slide content back onto slide (Control “V”)
Learn more about using templates, visit: Office.com / PowerPoint / Support
august 2017

2. Disclaimer
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
No legal advice here!
None of the statements contained herein constitutes legal guidance – it is process advice only.

3. GDPR for North American Companies - Applicability
Should they be subject to the GDPR, non - EU based organizations will have the same GDPR conformance requirements as EU based organizations
If your organization is processing data of EU/EEA data subjects, GDPR is most likely applicable (note UK irrespective of Brexit). GDPR is viewed as extra-territorial - may apply regardless of where in the world the data is hosted or processed (doesn’t apply only to data in an EU resident data center).
Regulators seem to indicate that they are taking an expansive view of the regulation (ie. If there is a question around applicability, the GDPR most likely applies)
For further questions regarding scope, organizations should review both Article 2 (Material Scope) and Article 3 (Territorial Scope); Article 3 states:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law
It is recommended that your organization consult with Legal Counsel regarding GDPR applicability

4. GDPR North American Companies – Potential Actions
Secure your budget. GDPR may fundamentally change the way your run your business. Make sure there is awareness of this among the Senior Executives. You will need a Program Plan to be ready from May onwards.
Evaluate your current data privacy activities. Will you need to complete any restructuring due to the requirements around processing personal data subject to the GDPR
Determine who your main supervisory authority will be in the EU. This could be in the country where most of your business is completed, but can be placed elsewhere based on business decisions and risk
If it is required, decide upon where you will place the Data Protection Officer (DPO) or where your designated representatives will sit.
Understand who are the Processors of your protected data
Be prepared to fully document all your processing activities and carry out Data Protection Impact Assessments (DPIA) as necessary (sometimes known as Privacy Impact Assessments (PIA))
Understand and update your legal data transfer mechanisms from the EU. (i.e. BCR, Privacy Shield, Model Clauses, Consent)
Remember: European Data Privacy is not just Data Security but is about the right of individuals to control the use of their own Personal Data (including having Personal Data processed in a secure way). Data Security is just one aspect of Data Privacy