GDPR for Dummies
1. Pennsylvania Institute of Certified Public Accountants • www.picpa.org
Data Privacy –
Now a Human Right in Europe
Atif Ghauri, Managing Partner at Mazars
Atif.Ghauri@mazarsusa.com | 267-254-8040
Agenda
What is the GDPR?
OK I care, what do I do?
I’m American, why do I care?
What is GDPR?
The GDPR is the regulation that guarantees individuals that the use of digital
(and other) data concerning them is processed, used, disseminated and kept
in a transparent manner, and that the entities processing this data will not
perform any actions without the individuals concerned having first agreed to, or
been notified of, the processing applied to their data.
General Data Protection Regulation
• Privacy Directive updated and became a Privacy Regulation
• Came into effect 25th May 2018
• 99 Articles
• Increased territorial scope to global scope
• More individual rights for customers
• Increased obligations for data controllers
• More power for Data Protection Authorities
Why so much noise on GDPR?
Penalties for Non-Compliance
• 4% of Annual Global Revenue OR €20M (whichever is greater)
• Processing can be forced to stop
Went into effect May 25, 2018
• Impacts the company and its 3rd parties
• Examples to be made!
What’s the Scope?
Applies to any company where EU private data is processed
• All EU resident data whether or not processed in the EU
“Processed” – if you touch it, you processed it
• E.g., collection, recording, organization, structuring, storage, adaptation,
retrieval, consultation, disclosure, dissemination, destruction
Example Data Types
• Basic Identity (Name, Address)
• Web Data (Geo-Location, IP Address, Cookie, RFID)
• Health And Genetic Data
• Biometric Data
• Racial Or Ethnic Data
• Political Opinions
• Sexual Orientation
Top Issues Mazars Clients Face
1. Right to be Forgotten
2. Consent, Consent, Consent
3. Proof of Compliance
1 – Right to be Forgotten
Solution
Data classification based on business impact assessment
Identify system and process owners
Establish a Record of Processing (RoP)
GDPR Requirements Applicable
Article 6: Lawfulness of processing
Article 9: Processing special categories of personal data
Article 10: Processing personal data related to criminal convictions and offenses
Article 13: Information to be provided where personal data are collected
Article 14: Information to data subject when personal data has not been obtained
Article 15: Right of access by the data subject
Article 16: Right to rectification
Article 17: Right to be forgotten
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data
Article 20: Right to data portability
Article 35: Data protection impact assessment
“We don’t know if we can delete all the customer’s information because we
aren’t sure where else in the system we are using it; it’s everywhere!”
2 – Consent, Consent, Consent
Solution
Validate Explicit Consent
Capture and document electronically with notification
Tweak User Interface and Process to Support
GDPR Requirements Applicable
Article 6: Lawfulness of processing
Article 7: Conditions for Consent
Article 8: Conditions applicable to child’s consent
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to data subject when data not from data subject
Article 18: Right to restriction of processing
Article 20: Right to data portability
Article 21: Right to Object
Article 22: Automated individual decision-making, including profiling
Article 41: Monitoring of approved codes of conduct
Article 49: Derogations for specific situations
“The customer said it’s OK, but not electronically, and we aren’t sure if they
remember they did.”
3 – Proof of Compliance
Solution
Initiate a GDPR Impact Assessment
Address People, Process, Technology Gaps
Incorporate Privacy by Design in future iterations
GDPR Requirements Applicable
Article 4: Definitions
Article 5: Principles relating to processing of personal data
Article 7: Conditions for Consent
Article 11: Processing which does not require identification
Article 12: Transparent information, communications, and modalities
Article 21: Right to Object
Article 24: Responsibility of the Controller
Article 25: Data protection by design and by default
Article 28: Processor
Article 32: Security of processing
Article 35: Data protection impact assessment
“We have no formal plan to respond to an audit. We are decentralized and don’t
have a holistic perspective on enterprise organization, systems, and processes.”
Cheat Sheet on 99 Articles
• DPO – Data Privacy Officer
• Compliance Monitoring and Advising
• Privacy by Default
• Privacy by Design
• Safety of Data
• Breach – 72 hours
• Responsible for Sub-Contractors
• Processing of Sensitive Data
• Anonymisation/Pseudonymisation
2 – I’m American, Why Do I Care?
Yes, GDPR affects U.S. Companies
Impacts anyone who touches Europe
• Any organization that uses personal data of persons residing in the EU to
provide services, sell goods, or monitor their behavior, will be impacted
• Must comply even if they do not have a business presence within the EU
Will cost millions of $$$
• 68% of US companies will spend $1-$10M, with 10% over $10M
It’s Actually an Opportunity for International Companies!
• Transform and improve current approach to data privacy
• Leverage the value of data by improving action to track, collect, store,
and use
• Ensure that organizations aren’t left behind in today’s global digital economy
EU vs US Privacy Laws
In the EU, privacy is a right, while in the US it is a mixture of local and federal regulations with no centralized
governance for enforcement.
Consistency
• US: Privacy laws change with each administration.
• EU: Privacy laws have less turnover when administrations change because
most EU member states aren’t as polarized as the US.
Citizens Accountable
• US: Individuals have little ownership of their online data, which allows large
businesses to monetize consumer behavior and habits.
• EU: EU laws respect “private and family life” and allow citizens to delete
their data.
Stronger Laws
• US: Privacy laws are often a combination of public regulation, private self-
regulation and legislation which varies by state.
• EU: Privacy laws are generally more comprehensive and geared towards
consumers.
Centralized Enforcement
• US: Enforcement of privacy laws is carried out state by state.
• EU: Enforcement of privacy laws is carried out by one authority, equal for
all 28 member states.
Privacy Organizations
• US: Numerous privacy organizations exist to provide a legal framework for digital
privacy, such as the American Civil Liberties Union (ACLU) and the Electronic
Frontier Foundation (EFF).
• EU: Due to the nature of EU rights, fewer privacy organizations exist, but
there are: the European Digital Rights (EDRi) and the European
Privacy Association (EPA).
Can’t Live Forever
• US: Companies can keep data indefinitely, depending on their own Terms of
Service.
• EU: EU citizens have the “Right to be forgotten”, meaning that search
results can be removed if they are irrelevant or inadequate.
Sources:
https://www.clickz.com/gdpr-us-businesses-preparing/203180/
https://www.marketplace.org/2017/04/20/tech/make-me-smart-kai-and-molly/blog-main-differences-between-internet-privacy-us-and-eu
What are global orgs doing to comply?
3 - What needs to be done?
What should companies do?
Short Answer …
Know where your private data is
Know who you are sharing private data with and receiving private data from
Encrypt private data
Hire or contract a qualified DPO
Train staff on privacy
Ensure privacy is part of data classification
Establish a privacy impact assessment program
Ensure policies are established to address privacy
Establish a compliance program
Use technology to help
GDPR Roadmap
Longer Answer … but in 3 Steps
Phase 1 – Audit
• Map and Document Process Operations of Personal Data
• Identify Gaps and Prioritize Necessary Corrective Actions
• Perform a Status Evaluation
Phase 2 – Get Specific
• Appoint a DPO
• Integrate GDPR Compliance Requirements within the Internal Control Processes of the Organization
• Prepare Formal Documentation of Key Topics
• Anticipate and Assign Resources to Meet the Identified GDPR Requirements
Phase 3 – Privacy by Design
• Integrate GDPR Requirements in the Planning Phase of all Initiatives and Monitor Risks
Compliance with GDPR is an involved and complex process
which requires time and resources
Real World Example – Mazars Customer