Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to 2017 10 26 webinar - gdpr final
Similar to 2017 10 26 webinar - gdpr final (20)
Recently uploaded
Recently uploaded (20)
2017 10 26 webinar - gdpr final
- 1. General Data Protection Regulation October 26, 2017 Brian Matteson, Manager Sarah Ackerman, Managing Director
- 2. Introductions Sarah Ackerman, CISSP, CISA Managing Director, Cincinnati Expertise in IT, Security, IT Audit, Risk, and Compliance Oversight of all Cincinnati projects 2 Brian Matteson, CISSP, CISA Manager, Columbus Extensive IT operations, Security, and IT Management knowledge Assists private and public businesses and federal entities
- 3. Today’s Agenda What is GDPR? Who’s covered? GDPR – Key takeaways Privacy Shield 3
- 4. What is the General Data Protection Regulation?
- 5. Purpose GDPR was created to… Set rules for the processing of information on “natural persons” Protect the privacy of “natural persons” Ensure the free movement of personal data is not restricted within the Union “The protection of natural persons in relation to the processing of personal data is a fundamental right.” – European Parliament 5
- 6. Organization of the Law Legislative Acts & Regulation Source: Official Journal of the European Union 6
- 7. Organization of the Law (cont.) Regulation 10 Chapters 99 Articles Unlike US law GDPR is very descriptive on the supporting structure 7
- 8. Organization of the Law (cont.) (37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings … Source: Official Journal of the European Union 8
- 9. Organization of the Law (cont.) Chapter II – Principles Relating to Processing of Personal Data Chapter III – Rights of the Data Subject Chapter IV – Controller and Processor Chapter V – Transfers of Personal Data to Third Countries or International Organisations 9
- 10. Who Manages GDPR Supervisory Authority Appointed by each member State Ensures the Law is applied equally and fairly Enforces the Law within their State European Data Protection Board Composed of one representative of each Supervisory Authority Handles dispute resolution and overall governance US Regulators FTC Department of Commerce 10
- 12. Categories of Business Entities operating in member States Any business formed and operating in the Union State and local government agencies of EU countries International businesses with EU entities Any international business with a legal entity operating in a member State International “catch-all” clause Any global business offering goods or services to citizens of the European Union – As enforceable by international law 12
- 13. Covered Activities Data Controllers ..the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data… Data Processors …a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller… Data Recipients …a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Source: Official Journal of the European Union 13
- 14. Entities Outside the EU Two methods for transferring data outside the EU… Adequacy decision (article 45) Essentially reciprocity Appropriate safeguards (article 46) The entity receiving the data can prove that it has controls in place to meet the GDPR standards for privacy 14
- 16. Changes from Previous Privacy Directives Increased territorial scope – Including the “cloud” Penalties Consent Breach notification Right to access Right to be forgotten Data portability Privacy by design Data Protection Officers 16
- 17. Overlap Not a total re-write of existing program Some overlap with: – NIST 800-53 Security and Privacy Controls – ISO 29100 IT Security Techniques – Privacy Framework – AICPA’s Generally Accepted Privacy Principles (GAPP) – OCC’s Privacy Laws and Regulations 17
- 18. Common Challenges Underestimating scope – have you started? How to interpret What additional measures needed? Building/maintaining inventory of data processing Lack of capabilities – For example, who to be Privacy rep in EU? 18
- 19. Future of Compliance Legislation in US Congress? Brexit – similar to Switzerland? 19
- 20. Privacy Shield
- 21. Privacy Shield & GDPR Privacy Shield addresses privacy protections of GDPR – Part of framework accommodates aspects of GDPR – Covers methods of data transfer 21
- 22. Privacy Shield – Overview 22 Who does it apply to? US companies transferring data related to EU & Swiss individuals What does it cover? Provides mechanism to comply with data protection requirements (e.g., GDPR) When does it take effect? Now l– as soon as you self-certify Where is it administered? Administered: International Trade Administration (ITA) Enforced: US Department of Commerce (part of Federal Trade Commission) Also: Data Protection Authorities (DPA) – European Commission Why was it created? Replace Safe Harbor
- 23. Privacy Shield vs. Safe Harbor Safe Harbor no longer recognized by EU Privacy Shield provides “adequate” protection Joining Privacy Shield will automatically withdraw from Privacy Shield As of September 2017: 2,400 organizations have joined Privacy Shield 23
- 24. Privacy Shield – Principles Privacy Shield contains: – Principles What you should focus on – Letters Describes how FTC will run program and enforce 23 total Principles – 7 commonly recognized privacy principles – 16 supplemental principles Explain and augment first 7 Requirements cover: – Use and treatment of personal data received from EU – Access and recourse mechanisms 24
- 25. Privacy Shield – Privacy Principles 1. Notice 2. Choice 3. Accountability for Onward Transfer 4. Security 5. Data Integrity and Purpose Limitation 6. Access 7. Recourse, Enforcement and Liability 25
- 26. Privacy Shield – Supplemental Principles 1. Sensitive Data 2. Journalistic Exceptions 3. Secondary Liability 4. Performing Due Diligence and Conducting Audits 5. The Role of the Data Protection Authorities 6. Self-Certification 7. Verification 8. Access 9. Human Resources Data 10. Obligatory Contracts for Onward Transfers 11. Dispute Resolution and Enforcement 12. Choice – Timing of Opt Out 13. Travel Information 14. Pharmaceutical and Medical Products 15. Public Record and Publicly Available Information 16. Access Requests by Public Authorities 26
- 27. Privacy Shield vs. Safe Harbor – What’s New? New privacy protections – Notice requirements – Accountability for onward transfer – Purpose limitation and data retention Enhanced complaint resolution – Response time – Free dispute resolution – Binding arbitration Ongoing requirements if withdraw and maintain data Improved cooperation and transparency 27
- 28. Privacy Shield – Subsidiaries Must identify all entities, subsidiaries All subs must inform individuals about adhering to Principles 28
- 29. Privacy Shield – How to Join 1. Confirm eligibility 2. Develop a compliant privacy policy 3. Establish Independent Recourse Mechanism (IRM) 4. Ensure verification mechanism is in place 5. Identify your point of contact 6. Self-certify 7. Reaffirm self-certification annually 8. Reply to inquiries 29
- 30. Privacy Shield – Verification Self-assessment or third party – Assess published privacy policy – Periodic objective reviews of compliance Audit, random reviews, or technology tools Signed statement verifying self-assessment or outside compliance review 30
- 31. Privacy Shield – Impact Increased regulatory focus Stronger obligations for data transfers Increased risk from third parties Respond to disputes faster Document and maintain records, compliance reports 31
- 32. Privacy Shield – Self-Certification Supports administration, supervision, related services Annual fee to participate Annual fee if retain data after withdrawal: $200 32 Annual Revenue Single Framework Both Frameworks $0 – $5M $250 $375 $5M – $25M $650 $975 $25M – $500M $1000 $1500 $500M – $5B $2500 $3750 Over $5B $3250 $4875
- 33. Questions? (877) 671-7100 www.clarkschaefer.com Brian: bmatteson@clarkschaefer.com Sarah: sackerman@clarkschaefer.com If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us: