Published by Álvaro Aguirre. Modified over 5 years ago.
General Data Protection Regulation: What is it? Why is it important?
Ravi Narsipur, PMP, CISSP. PMI Westchester Chapter Quality COP Meeting, April 9th 2019
What is the General Data Protection Regulation (GDPR)?
A European Union regulation designed to:
- Provide individuals with rights and protections over personal data collected or created about them by business or government entities
- Unify data protection rules across the EU
- Be comprehensive yet intentionally technology-neutral, because technology evolves faster than the law
- Provide a mechanism for enforcing the regulation

What are the GDPR Data Protection Principles?
Personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained no longer than necessary
- Processed in a manner that ensures appropriate security
Plus accountability: the organization must be able to demonstrate compliance with these principles
New EU data rules
- Data protection by design and by default
- Data Protection Impact Assessments (also called PIAs)
- Suppliers outside the EU are in scope
- Toughened local (not centralised) enforcement bodies, with audits and dawn raids
- Breach reporting to the supervisory authority within 72 hours
- Processors now carry direct obligations, so the practical gap between processor and controller narrows
- Data Protection Officers
- Cross-border data transfers: Binding Corporate Rules (BCRs)
- Stronger individual control over data: right to be forgotten, data portability, right to object to processing
- Consent is harder to rely on as a lawful basis (it must be freely given, specific, informed and unambiguous)

Who Does GDPR Impact?
It applies to any organization that collects or processes personal data of individuals in the EU, regardless of whether the organization itself is located in the EU.
When Does GDPR Enforcement Begin? May 25th 2018
GDPR entered into force in May 2016 with a two-year implementation period; that grace period ended on May 25th 2018, when enforcement began.

Additional Consequences for GDPR Violations
- Increased liability and compensation (for material or non-material damage)
- Greater reputational risk
- Shared investigations across the EU
- Shareholder/investor engagement
- More to do for controllers and processors

GDPR is not a checklist: it takes a risk-based approach
GDPR takes into account:
- The evolving "state of the art" in technology and threats
- The varying size and sophistication of organizations
- The cost of implementation
- The nature and amount of data processed
The level of risk to the data determines the appropriate controls, effort and technology.
Key Data Protection Requirements: GDPR is Expansive
The regulation's chapters:
- General Provisions
- Principles
- Rights of the Data Subject
- Controller and Processor
- Transfer of Personal Data to Third Countries or International Organizations
- Independent Supervisory Authorities
- Cooperation and Consistency
- Remedies, Liability and Penalties
- Provisions Relating to Specific Processing Situations
- Delegated Acts and Implementing Acts
Cross-cutting themes: Data Security, Data Transfer, High-Risk Obligations
Data Protection by Design and Default
By Design:
- Data protection can no longer be an afterthought: proactive, not reactive
- A fundamental component in the design and maintenance of information systems
- Must be considered throughout the data lifecycle
By Default:
- Minimize the amount and type of data collected and processed
- Only process what is necessary for the intended purpose
- Reduce the number of people, entities or technologies that can access the data
- Limit retention and storage of data

Five GDPR Data Security Use Cases
- Data Discovery and Classification
- Data Masking and Pseudonymization
- Monitoring
- Breach Detection
- Vulnerability Assessment
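The "Data Masking and Pseudonymization" use case above names the technique but does not show the difference between the two, or why an unkeyed hash is not a pseudonym. The following is an added example written for this page, not code from the presentation or its author: keyed pseudonymisation (HMAC-SHA256, with the key held separately from the data, which is the "additional information" GDPR Article 4(5) refers to) beside irreversible masking for display, and a small re-identification check showing why a plain SHA-256 of an email address can be reversed by guessing. The records, the key value and the function names are all constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Callable, Iterable, Optional

# Constructed sample records (not real personal data).
RECORDS = [
    {"id": 1, "email": "alice@example.com", "phone": "+1 914 555 0143", "plan": "pro"},
    {"id": 2, "email": "bob@example.org", "phone": "+44 20 7946 0958", "plan": "free"},
]

# Placeholder key for this example. The key is the "additional information"
# that allows re-identification, so in practice it lives in a KMS/HSM and is
# never stored next to the pseudonymised data set.
PSEUDO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalise(value: str) -> str:
    # Canonicalise so "Alice@Example.com " and "alice@example.com" give one token.
    return value.strip().lower()


def pseudonymise(value: str, key: bytes, domain: str = "") -> str:
    # Keyed, deterministic pseudonym (HMAC-SHA256). Same value + key -> same
    # token, so joins and de-duplication across systems still work. Without the
    # key the token cannot be reversed or re-derived from a guessed input.
    # The domain prefix keeps an email token and a phone token from colliding
    # and stops tokens from being correlated across fields.
    msg = domain.encode() + b"\x00" + normalise(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def naive_hash(value: str) -> str:
    # Unkeyed hash, shown only as the weak alternative: anyone who can guess
    # the input can recompute the token and re-identify the subject.
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def reidentify_by_guessing(token: str, candidates: Iterable[str],
                           tokenise: Callable[[str], str]) -> Optional[str]:
    # What an attacker without the key can do: try plausible inputs and compare.
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return candidate
    return None


def mask_email(email: str) -> str:
    # Masking is irreversible and not meant for joining; use it for display
    # (support UI, logs) where the full value is not needed.
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain


def mask_phone(phone: str, keep_last: int = 4) -> str:
    digits = re.sub(r"\D", "", phone)
    return "*" * max(len(digits) - keep_last, 0) + digits[-keep_last:]


def pseudonymise_record(rec: dict, key: bytes) -> dict:
    # Direct identifiers become keyed tokens; non-identifying fields are kept
    # so the record remains useful for analytics.
    out = dict(rec)
    out["email"] = pseudonymise(rec["email"], key, domain="email")
    out["phone"] = pseudonymise(rec["phone"], key, domain="phone")
    return out


def mask_record(rec: dict) -> dict:
    out = dict(rec)
    out["email"] = mask_email(rec["email"])
    out["phone"] = mask_phone(rec["phone"])
    return out


if __name__ == "__main__":
    for rec in RECORDS:
        print(pseudonymise_record(rec, PSEUDO_KEY))
        print(mask_record(rec))
```

The design choice worth noting: pseudonymised data is still personal data under GDPR as long as the key exists somewhere, so the key must sit in a different trust boundary from the tokens, and rotating it invalidates every join built on the old tokens. Masked output, by contrast, cannot be joined or reversed at all, which is why it suits display rather than analytics.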
GDPR practical pointers and tips
Develop (Privacy Office):
- Build a sustainable and defensible privacy program
- Maintain internal privacy policies and external notices
- Develop standards and procedures (with the business units) to operationalize privacy policies
- Evaluate and document use cases for privacy risk
- Enhance privacy training and awareness

Involve:
Legal:
- Develop and maintain data transfer mechanisms
- Define data controllers and processors for products/services
- Manage the contract process and third-party agreements
- Identify and support regional/local DPO requirements
- Assess current data subject access request readiness
Security:
- Maintain data protection throughout the data lifecycle
- Assist with data breach notification
- Partner with privacy incident response to identify, evaluate and respond to breaches of personal data confidentiality
IT:
- Maintain a data inventory and cross-border flow mapping
- Support the execution of data subject requests for access, erasure, restriction and data portability
- Support the capture, tracking, flagging and dissemination of consent choice indicators across the enterprise and to third parties
Business & HR:
- Assist with the evaluation of privacy impact risk for consumer and employee use cases and third-party relationships
- Assist the privacy office in developing standards and procedures to operationalize privacy policies
- Develop new initiatives following Privacy by Design leading practices
- Respect data minimization, data quality, limited data access and consent
GDPR will Harmonize Data Protection Across the EU
Before: Data Protection Directive (1995)
- One directive transposed into 31 national laws
- Interpreted and enforced locally by Data Protection Authorities (DPAs)
After: GDPR
- One law across the EU plus Norway, Iceland and Liechtenstein
- One Stop Shop principle: a Lead Supervisory Authority (SA) for cross-border operations, with an EU co-operation procedure between SAs
- The European Data Protection Board (EDPB) replaces the Article 29 Working Party and translates the regulation into actionable guidelines
- Some specific technical measures are named (for example pseudonymisation and encryption), although the regulation remains technology-neutral overall
- First EU regulation with both data breach notification requirements and an absolute mandate to enforce
GDPR impacts much of the organization
Organizational:
- Appointing a Data Protection Officer
- Enhancing consumer notice and transparency
- Enforcing Privacy by Design
- Conducting Privacy Impact Assessments
Privacy Office:
- Enacting data transfer mechanisms
- Defining data controllers and processors
- Managing the contract process and model clauses
- Driving data breach notification
HR:
- Ensuring rights of access and remediation
- Permitting the right to be forgotten
- Fielding questions, inquiries and concerns
IT:
- Enabling data portability
- Ensuring rights of access and authentication
- Enhancing the development lifecycle
- Managing consent indicators and logs
CISO:
- Promoting security throughout the data lifecycle
- Assisting with data breach notification
- Driving incident response
Business Impact:
- Respecting consent
- Ensuring employee privacy
- Reviewing automated decision-making processes
- Training employees on privacy
- Limiting data access
How the market is approaching GDPR
Common gaps: organizations
- Lack executive buy-in for the data privacy program, and lack a cross-functional group for privacy/data use strategy and decision-making
- Do not have appropriate documentation of personal data, processing, third-party recipients and data flows
- Are not fully prepared to comply with the new data subject rights introduced by GDPR
- Lack an adequate third-party due diligence/auditing capability to meet the requirements of GDPR
- Lack adequate data privacy compliance monitoring or assurance covering all aspects of GDPR compliance
- Lack a formal, repeatable policy/procedure for conducting Privacy Impact Assessments (PIAs) or Privacy & Security by Design
- Lack a formal process for evaluating enterprise privacy risk, and a remediation process to close identified gaps

Anchoring accountability for privacy at the senior executive level is critical. Executive buy-in for privacy enables the cross-functional coordination needed for a privacy program to operate effectively. Executive support is also a necessary element for driving the messages that promote a positive connotation for privacy within the broader company culture. "Tone from the top" is key.

A consistent indicator of an effective privacy program was privacy investment and front-line responsibility within the business units. Investment in privacy and accountability is clearly tied to business strategy, rather than just compliance. As data use practices push privacy programs to be more active within the business units as enablers, the CPO must maintain a strong foundation in compliance/risk management to ensure maximum buy-in.

The role of the CPO has changed in significant ways, and we are seeing significant growth in investment, breadth of role and staffing in support of data privacy operations. GDPR and other regulatory shifts are forcing companies to evaluate (and in some cases develop from scratch) the effectiveness of their privacy operations (e.g. Privacy Impact Assessment, DPO designation, localization, etc.).
Technical Data Lifecycle Considerations
Lifecycle stages: Legitimate Purpose, Informed Consent, Usage, Storage, Transfer, Destroy/Aggregate

Legitimate Purpose:
- Understand the legitimate purposes laid out in GDPR
- Determine which one applies to this data collection
- Capture the purpose and ensure it can be linked to the data
Informed Consent and Usage:
- Assess how the data will be used upon collection
- Store consent so you know what consent was given and when, and use it to direct usage
- Align data usage with the legitimate purpose and the consent given
Storage:
- Determine where data will be stored, both internally and at third parties, and if/how data should be segregated
- Ensure proper agreements are in place for internal and external storage
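The lifecycle points above (capture the purpose and link it to the data, store what consent was given and when, align usage with purpose and consent) are usually enforced by a small decision function in front of any processing job. The following is an added example, not code from the presentation or its author: a purpose register with the lawful basis each purpose relies on, consent records that are per purpose and time-bounded by a withdrawal timestamp, and a decision function that refuses processing for unregistered purposes and for consent-based purposes with no active consent at the time of use. The purpose names, the subject, the consent history and all function names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Hypothetical purpose register for this example. Each purpose is captured once
# with the lawful basis relied on; a use of data for a purpose that is not in
# the register is refused rather than silently allowed.
PURPOSES = {
    "order_fulfilment": "contract",
    "fraud_screening": "legitimate_interest",
    "marketing_email": "consent",
    "product_analytics": "consent",
}


def utc(year: int, month: int, day: int) -> datetime:
    # Helper so every timestamp in the example is timezone-aware.
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Consent:
    subject_id: str
    purpose: str                      # consent is per purpose, not blanket
    given_at: datetime
    source: str                       # where and how it was captured (evidence)
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        # Consent covers only processing between the time it was given and
        # the time it was withdrawn; a withdrawal is not retroactive.
        if when < self.given_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


@dataclass
class ConsentStore:
    consents: List[Consent] = field(default_factory=list)

    def record(self, consent: Consent) -> None:
        self.consents.append(consent)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> None:
        # Withdrawal is recorded, never deleted, so the history stays auditable.
        for c in self.consents:
            if c.subject_id == subject_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = when

    def active(self, subject_id: str, purpose: str, when: datetime) -> bool:
        return any(
            c.subject_id == subject_id and c.purpose == purpose and c.active_at(when)
            for c in self.consents
        )


def processing_decision(store: ConsentStore, subject_id: str, purpose: str,
                        when: datetime) -> Tuple[bool, str]:
    # Returns (allowed, reason). Usage is aligned with the registered purpose
    # and, where the basis is consent, with an active consent for that purpose.
    basis = PURPOSES.get(purpose)
    if basis is None:
        return False, f"purpose '{purpose}' is not registered"
    if basis == "consent":
        if store.active(subject_id, purpose, when):
            return True, "consent"
        return False, f"no active consent for '{purpose}'"
    return True, basis


def build_sample_store() -> ConsentStore:
    # Constructed sample history: alice opts in to marketing, later withdraws.
    store = ConsentStore()
    store.record(Consent("alice", "marketing_email", utc(2019, 1, 10), "web signup form v3"))
    store.withdraw("alice", "marketing_email", utc(2019, 3, 1))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for purpose, when in [("marketing_email", utc(2019, 2, 1)),
                          ("marketing_email", utc(2019, 4, 1)),
                          ("product_analytics", utc(2019, 2, 1)),
                          ("order_fulfilment", utc(2019, 4, 1)),
                          ("profiling", utc(2019, 4, 1))]:
        print(purpose, when.date(), processing_decision(store, "alice", purpose, when))
```

Two things the function deliberately does not do: it never lets consent for one purpose (marketing) satisfy another (analytics), and it never treats a missing register entry as allowed. Both are the failure modes that turn "we had consent" into a purpose-limitation breach.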
A GDPR compliance journey
GDPR compliance will be a challenge for many businesses, and only the proactive will be prepared. The compliance journey involves many considerations, including harsh regulatory and litigation risks for non-compliance. Proactive businesses are assessing their current capabilities, designing their future state and operationalizing ongoing programs to allow for sustainable and demonstrable compliance. This five-step approach can help in transforming your privacy program:
1. Risk analysis and data discovery
2. Gap assessment and remediation roadmap
3. Cross-functional oversight and planning
4. Program implementation
5. Ongoing program operation and monitoring
Phases: assess current capabilities; design the future state; operate and sustain.