1. EU Data Privacy: What US Orgs Need to Do Now to Prepare for the GDPR
PRV-T11
EU Data Privacy: What US Orgs Need to Do Now to Prepare for the GDPR
Chris Zoladz
Founder
Navigate LLC
@CZ_Navigate
Notes included in this version of the slides are not the full speaker notes but are included for the reviewer’s benefit for slides that are not intuitive without the voice over.

2. Significant fines that are up to 4% of global revenue !
$1,000,000,000
Significant fines that are up to 4% of global revenue !
Attention Grabber: This is the maximum amount of a fine that could be levied against Facebook, for example, for violating GDPR.

3. Other Important Reasons the GDPR Matters
Requires new IT/security capabilities
Risk of not being able to “transfer” personal data from the EU
Would your business suffer if you could not transfer data cross border?
Non-compliance may be subject to individual law suits
Investigations are disruptive to the business
Adverse media
Reputational damage

4. What is Your Interest in the GDPR?
You are:
responsible for Security
a Security Consultant
in-house or external Legal Counsel
responsible for Privacy
bored and had nothing better to do

5. Looking Back to Look Forward
Privacy = Fundamental Human Right
It is important to understand why the EU regulators feel so strongly about data protection/privacy. There are deep roots back to WWII and the personal consequences for individuals based on religion, political affiliations, health status, etc.
[This slide will be described via a story]
The photo is from Yad Vashem.

6. 99 EUDPD HOWEVER GDPR At-a-Glance 99 articles - Effective May 25, 2018
Replaces the EU Data Protection Directive in place since 1995 – many of the same core requirements remain in place
HOWEVER

7. GDPR At-a-Glance TERRITORIAL EXPLICIT SCOPE CONSENT AGE BREACH
GATE
INDIVIDUAL
RIGHTS
BREACH
NOTICE
HOWEVER
There are significant changes in requirements, such as . . .
Applies to EU citizen personal data regardless of where it resides (“territorial scope”)
“Opt-Out” no longer permissible – only explicit consent
Individuals under the age of 16 cannot give consent
Expanded individual rights (e.g., right to be forgotten, data portability)
Data breach notification requirements to regulators (within 72 hours) and perhaps individuals

8. What Does the GDPR Mean to Security & IT?
1 Requirement to correct, delete or transfer personal data everywhere it is stored
2 Breach notification requirements
3 Security requirements are not overly proscriptive
Risk-based approach
Basic CIA and resilience
Encryption or pseudonymisation of personal data
4 Data Protection Impact Assessments (PbD)
5 Periodic testing of controls

9. Right to be Forgotten 600,000 Requests
Do you know how you will meet these requests?

10. Apply: What You Need To Do
Understand all personal data flows, including shadow IT
Determine if EU citizen personal data is distinguishable from all others
Identify systems to be developed or changed for opt-in, data access, correction and deletion requests, and age-gating requirements
Assess the adequacy of security measures
Develop (or refine) and then implement:
encryption or pseudonymisation of personal data
processes and capabilities to handle personal data access, correction, deletion and portability requests
a Data Protection Impact Assessment process
a data breach response plan

11. Achieving Compliance
For some organizations achieving GDPR compliance with seem monumental and for others it will not be as much work. It all depends on the current state (e.g., Is the organization currently compliant with the EU Data Protection Directive that the GDPR is replacing? Does the organization have the commitment, resources and “will” to achieve compliance by May 2018?)
Note: A countdown clock to May 25, 2018 will be added to the slide.

12. How Does Your Company Compare?
Data Source: Hunton Williams & AvePoint

13. Questions and Discussion
Thank you !
Chris Zoladz

14. Appendix – Helpful Resources

15. Know the Requirements: Article 32 – Security of Processing
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

16. Key Definitions in the GDPR
Personal Data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Pseudonymisation means “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”

17. Where to Find the GDPR and Other Helpful Resources
The full GDPR text – content/EN/TXT/?uri=OJ:L:2016:119:TOC (pages contain the specific requirements requirements).
Top 10 operational impacts of the GDPR by the International Association of Privacy Professionals (IAPP) - operational-impacts-of-the-gdpr/
CipherCloud Global and Regional Guides to Data Protection Laws - page.html

18. Resources (cont’d)
Hunton Williams and AvePoint GDPR Readiness Survey - release-global-gdpr-readiness-report/