GDPR for Dummies
Pennsylvania Institute of Certified Public Accountants • www.picpa.org
Data Privacy – Now a Human Right in Europe
Atif Ghauri, Managing Partner at Mazars
Atif.Ghauri@mazarsusa.com | 267-254-8040
Agenda
What is the GDPR?
OK I care, what do I do?
I’m American, why do I care?
What is GDPR?
The GDPR is the regulation that guarantees individuals that digital (and other) data concerning them is processed, used, disseminated and kept in a transparent manner, and that the entities processing this data will not perform any actions without the individuals concerned having first agreed to, or been notified of, the processing applied to their data.
General Data Protection Regulation
• Privacy Directive updated and became a Privacy Regulation
• Came into effect 25th May 2018
• 99 Articles
• Increased territorial scope to global scope
• More individual rights for customers
• Increased obligations for data controllers
• More power for Data Protection Authorities
Why so much noise on GDPR?
Penalties for Non-Compliance
• 4% of Annual Global Revenue OR €20M (whichever is greater)
• Processing can be forced to stop
Went into effect May 25, 2018
• Impacts the company and its 3rd parties
• Examples to be made!
What’s the Scope?
Applies to any company where EU private data is processed
• All EU resident data whether or not processed in the EU
“Processed” → if you touch it, you processed it
• E.g., collection, recording, organization, structuring, storage, adaptation,
retrieval, consultation, disclosure, dissemination, destruction
Example Data Types
• Basic Identity (Name, Address)
• Web Data (Geo-Location, IP Address, Cookie, RFID)
• Health And Genetic Data
• Biometric Data
• Racial Or Ethnic Data
• Political Opinions
• Sexual Orientation
Top Issues Mazars Clients Face
1. Right to be Forgotten
2. Consent, Consent, Consent
3. Proof of Compliance
1 – Right to be Forgotten
Solution
• Data classification based on business impact assessment
• Identify system and process owners
• Establish a Record of Processing (RoP)
GDPR Requirements Applicable
• Article 6: Lawfulness of processing
• Article 9: Processing of special categories of personal data
• Article 10: Processing of personal data relating to criminal convictions and offences
• Article 13: Information to be provided where personal data are collected from the data subject
• Article 14: Information to be provided where personal data have not been obtained from the data subject
• Article 15: Right of access by the data subject
• Article 16: Right to rectification
• Article 17: Right to erasure (“right to be forgotten”)
• Article 18: Right to restriction of processing
• Article 19: Notification obligation regarding rectification or erasure of personal data
• Article 20: Right to data portability
• Article 35: Data protection impact assessment
“We don’t know if we can delete all the customers’ information because we aren’t sure where else in the system we are using it; it’s everywhere!”
2 – Consent, Consent, Consent
Solution
• Validate explicit consent
• Capture and document it electronically, with notification
• Tweak the user interface and process to support this
GDPR Requirements Applicable
• Article 6: Lawfulness of processing
• Article 7: Conditions for consent
• Article 8: Conditions applicable to child’s consent
• Article 13: Information to be provided where personal data are collected from the data subject
• Article 14: Information to be provided where personal data have not been obtained from the data subject
• Article 18: Right to restriction of processing
• Article 20: Right to data portability
• Article 21: Right to object
• Article 22: Automated individual decision-making, including profiling
• Article 41: Monitoring of approved codes of conduct
• Article 49: Derogations for specific situations
“The customer said it’s OK, but not electronically, and we aren’t sure if they remember they did.”
3 – Proof of Compliance
Solution
• Initiate a GDPR impact assessment
• Address people, process and technology gaps
• Incorporate Privacy by Design in future iterations
GDPR Requirements Applicable
• Article 4: Definitions
• Article 5: Principles relating to processing of personal data
• Article 7: Conditions for consent
• Article 11: Processing which does not require identification
• Article 12: Transparent information, communication and modalities
• Article 21: Right to object
• Article 24: Responsibility of the controller
• Article 25: Data protection by design and by default
• Article 28: Processor
• Article 32: Security of processing
• Article 35: Data protection impact assessment
“We have no formal plan to respond to an audit. We are decentralized and don’t have a holistic perspective on enterprise organization, systems, and processes.”
Cheat Sheet on 99 Articles
• DPO – Data Privacy Officer
• Compliance monitoring and advising
• Privacy by Default
• Privacy by Design
• Safety of data
• Breach notification: 72 hours
• Responsible for sub-contractors
• Processing of sensitive data
• Anonymisation/Pseudonymisation
2 – I’m American, Why Do I Care?
Yes, GDPR affects U.S. Companies
Impacts anyone who touches Europe
• Any organization that uses personal data of persons residing in the EU to provide services, sell goods, or monitor their behavior will be impacted
• Must comply even if it has no business presence within the EU
Will cost millions of dollars
• 68% of US companies will spend $1–$10M, with 10% spending over $10M
It’s Actually an Opportunity for International Companies!
• Transform and improve the current approach to data privacy
• Leverage the value of data by improving how it is tracked, collected, stored, and used
• Ensure that organizations aren’t left behind in today’s global digital economy
EU vs US Privacy Laws
In the EU, privacy is a right, while in the US it is a mixture of local and federal regulations with no centralized governance for enforcement.

US
• Privacy laws change with each administration.
• Individuals have little ownership of their online data, which allows large businesses to monetize consumer behavior and habits.
• Privacy laws are often a combination of public regulation, private self-regulation and legislation, which varies by state.
• Enforcement of privacy laws is carried out state by state.
• Numerous privacy organizations exist to provide a legal framework for digital privacy, such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF).
• Companies can keep data indefinitely, depending on their own Terms of Service.

EU
• Privacy laws have less turnover when administrations change because most EU member states aren’t as polarized as the US.
• EU laws respect “private and family life” and allow citizens to delete their data.
• Privacy laws are generally more comprehensive and geared towards consumers.
• Enforcement of privacy laws is carried out by one authority, equal for all 28 member states.
• Due to the nature of EU rights, fewer privacy organizations exist, but there are European Digital Rights (EDRi) and the European Privacy Association (EPA).
• EU citizens have the “Right to be forgotten”, meaning that search results can be removed if they are irrelevant or inadequate.

Summary: Consistency · Citizens Accountable · Stronger Laws · Centralized Enforcement · Can’t Live Forever

Sources:
https://www.clickz.com/gdpr-us-businesses-preparing/203180/
https://www.marketplace.org/2017/04/20/tech/make-me-smart-kai-and-molly/blog-main-differences-between-internet-privacy-us-and-eu
3 – What needs to be done?
What are global orgs doing to comply?
What should companies do?
Short Answer …
• Know where your private data is
• Know who you are sharing private data with and receiving it from
• Encrypt private data
• Hire or contract a qualified DPO
• Train staff on privacy
• Ensure privacy is part of data classification
• Establish a privacy impact assessment program
• Ensure policies are established to address privacy
• Establish a compliance program
• Use technology to help
GDPR Roadmap – Longer Answer … but in 3 Steps

Phase 1 – Audit
• Perform a status evaluation
• Map and document process operations of personal data
• Identify gaps and prioritize necessary corrective actions

Phase 2 – Get Specific
• Appoint a DPO
• Integrate GDPR compliance requirements within the internal control processes of the organization
• Prepare formal documentation of key topics
• Anticipate and assign resources to meet the identified GDPR requirements

Phase 3 – Privacy by Design
• Integrate GDPR requirements in the planning phase of all initiatives and monitor risks
Compliance with GDPR is an involved and complex process which requires time and resources.
Real World Example – Mazars Customer
Connect With Us
www.picpa.org
www.picpa.org/facebook
www.picpa.org/youtube
www.picpa.org/twitter
www.picpa.org/linkedin
@PA_CPAs
cpanow.picpa.org

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Challenge Academy June 2018 - Digital Marketing, Web Traffic and Ecommerce
Challenge Academy June 2018 - Digital Marketing, Web Traffic and Ecommerce Challenge Academy June 2018 - Digital Marketing, Web Traffic and Ecommerce
Challenge Academy June 2018 - Digital Marketing, Web Traffic and Ecommerce
 
California Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to ComplianceCalifornia Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to Compliance
 
Big data privacy security regulation
 Big data privacy security regulation Big data privacy security regulation
Big data privacy security regulation
 
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...
 
GDPR Is Coming – Are Emailers Ready?
GDPR Is Coming – Are Emailers Ready?GDPR Is Coming – Are Emailers Ready?
GDPR Is Coming – Are Emailers Ready?
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in India
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Data Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethicsData Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethics
 
*Webinar* CCPA: Get Your Business Ready
*Webinar* CCPA: Get Your Business Ready*Webinar* CCPA: Get Your Business Ready
*Webinar* CCPA: Get Your Business Ready
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
Social Media & Legal Risk
Social Media & Legal Risk Social Media & Legal Risk
Social Media & Legal Risk
 
GDPR Practicalities - The Data Shed
GDPR Practicalities - The Data ShedGDPR Practicalities - The Data Shed
GDPR Practicalities - The Data Shed
 
India'a Proposed Privacy & Personal Data Protection Law
India'a Proposed Privacy & Personal Data Protection Law India'a Proposed Privacy & Personal Data Protection Law
India'a Proposed Privacy & Personal Data Protection Law
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
 
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-Overview
 

Ähnlich wie GDPR for Dummies

Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 

Ähnlich wie GDPR for Dummies (20)

GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
GDPR: The Regulator's Perspective, Peter Brown, ICO
GDPR: The Regulator's Perspective, Peter Brown, ICOGDPR: The Regulator's Perspective, Peter Brown, ICO
GDPR: The Regulator's Perspective, Peter Brown, ICO
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
What is the GDPR & What does it mean for YOUR business?
What is the GDPR & What does it mean for YOUR business?What is the GDPR & What does it mean for YOUR business?
What is the GDPR & What does it mean for YOUR business?
 
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
When Big Data is Personal Data - Data Analytics in The Age of Privacy LawsWhen Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare Industry
 
A Global Marketer's Guide to Privacy
A Global Marketer's Guide to PrivacyA Global Marketer's Guide to Privacy
A Global Marketer's Guide to Privacy
 
GDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To PrepareGDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To Prepare
 
Web Analytics and Privacy
Web Analytics and Privacy Web Analytics and Privacy
Web Analytics and Privacy
 
Bridging the Gap Between Privacy and Retention
Bridging the Gap Between Privacy and RetentionBridging the Gap Between Privacy and Retention
Bridging the Gap Between Privacy and Retention
 
Gdpr demystified - making sense of the regulation
Gdpr demystified  - making sense of the regulationGdpr demystified  - making sense of the regulation
Gdpr demystified - making sense of the regulation
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
eu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associateseu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associates
 
Balancing Privacy and Digitization
Balancing Privacy and DigitizationBalancing Privacy and Digitization
Balancing Privacy and Digitization
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing   master slides 28 june-finalData protection & security breakfast briefing   master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Kürzlich hochgeladen (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

GDPR for Dummies

  • 1. Pennsylvania Institute of Certified Public Accountants • www.picpa.org Data Privacy – Now a Human Right in Europe Atif Ghauri, Managing Partner at Mazars Atif.Ghauri@mazarsusa.com | 267-254-8040
  • 2. Pennsylvania Institute of Certified Public Accountants • www.picpa.org Agenda What is the GDPR? OK I care, what do I do? I’m American, why do I care?
  • 3. Pennsylvania Institute of Certified Public Accountants • www.picpa.org What is GDPR? • BODY COPY should go in this box. • Adjust the copy size and box position if necessary. • Use this slide to presented content lists in a different way. • Continued … • Continued … • Continued … The GDPR is the regulation that guarantees individuals that use of digital (and other) data concerning them is processed, used, disseminated and kept in a transparent manner, and that the entities processing this data will not perform any actions without the individuals concerned having first agreed or been notified of the processing applied to their data.
  • 4. Pennsylvania Institute of Certified Public Accountants • www.picpa.org Privacy Directive Updated and became a Privacy Regulation Came into effect 25th May 2018 99 Articles Increased Territorial Scope to Global Scope More individual rights for Customers Increased Obligations for Data Controllers More Power for Data Protection Authorities General Data Protection Regulation
  • 5. Pennsylvania Institute of Certified Public Accountants • www.picpa.org Why so much noise on GDPR? Penalties for Non-Compliance • 4% of Annual Global Revenue OR €20M (whichever is greater) • Processing can be forced to stop Went into effect May 25, 2018 • Impacts the company and its 3rd parties • Examples to be made!
  • 6. Pennsylvania Institute of Certified Public Accountants • www.picpa.org What’s the Scope? Applies to any company where EU private data is processed • All EU resident data whether or not processed in the EU “Processed”  you touch it you processed it • E.g., collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, disclosure, dissemination, destruction Example Data Types • Basic Identity (Name, Address) • Web Data (Geo-Location, IP Address, Cookie, RFID) • Health And Genetic Data • Biometric Data • Racial Or Ethnic Data • Political Opinions • Sexual Orientation
  • 7. Pennsylvania Institute of Certified Public Accountants • www.picpa.org Top Issues Mazars Clients Face 1. Right to be Forgotten 2. Consent, Consent, Consent 3. Proof of Compliance
  • 8. Pennsylvania Institute of Certified Public Accountants • www.picpa.org 1 – Right to be Forgotten Solution  Data classification based on business impact assessment  Identify system and process owners  Establish a Record of Processing (RoP) GDPR Requirements Applicable  Article 6: Lawfulness of processing  Article 9: Processing special categories of personal data  Article 10: Processing personal data related to criminal convictions and offenses  Article 13: Information to be provided where personal data are collected  Article 14: Information to data subject when personal data has not been obtained  Article 15: Right of access by the data subject  Article 16: Right to rectification  Article 17: Right to be forgotten  Article 18: Right to restriction of processing  Article 19: Notification obligation rectification or erasure of personal data  Article 20: Right to data portability  Article 35: Data protection impact assessment “We don’t know if we can delete all the customers information because we aren’t sure where else in the system we are using it, it’s everywhere!”
  • 9. Pennsylvania Institute of Certified Public Accountants • www.picpa.org 2 – Consent, Consent, Consent Solution  Validate Explicit Consent  Capture and document electronically with notification  Tweak User Interface and Process to Support GDPR Requirements Applicable  Article 6: Lawfulness of processing  Article 7: Conditions for Consent  Article 8: Conditions applicable to child’s consent  Article 13: Information to be provided from the data subject  Article 14: Information to data subject when data not from data subject  Article 18: Right to restriction of processing  Article 20: Right to data portability  Article 21: Right to Object  Article 22: Automated individual decision-making, including profiling  Article 41: Monitoring of approved codes of conduct  Article 49: Derogations for specific situations “The customer said it’s ok but not electronically and we aren’t sure if they remember they did”
  • 10. Pennsylvania Institute of Certified Public Accountants • www.picpa.org 3 – Proof of Compliance Solution  Initiate a GDPR Impact Assessment  Address People, Process, Technology Gaps  Incorporate Privacy by Design in future iterations GDPR Requirements Applicable  Article 4: Definitions  Article 5: Principles relating to processing of personal data  Article 7: Conditions for Consent  Article 11: Processing which does not require identification  Article 12: Transparent information, communications, and modalities  Article 21: Right to Object  Article 24: Responsibility of the Controller  Article 25: Data protection by design and by default  Article 28: Processor  Article 32: Security of processing  Article 35: Data protection impact assessment “We have no formal plan to respond to an audit. We are decentralized and don’t have a holistic perspective on enterprise organization, systems, and processes.”
  • 11. Pennsylvania Institute of Certified Public Accountants • www.picpa.org DPO – Data Privacy Officer Compliance Monitoring and Advising Privacy By Default Privacy By Design Safety of Data Breach 72hours Responsible for Sub Contractors Processing of Sensitive Data Anonymisation/Pseudonymisation Cheat Sheet on 99 Articles
  • 12. Pennsylvania Institute of Certified Public Accountants • www.picpa.org2 - I’m American, Why Do I Care?
  • 13. Pennsylvania Institute of Certified Public Accountants • www.picpa.org Yes, GDPR affects U.S. Companies Impacts anyone who touches Europe • Any organization that uses personal data of persons residing in the EU to provide services, sell goods, or monitor their behavior, will be impacted • Must comply even if they do not have a business presence within the EU Will cost millions of $$$ • 68% of US companies will spend $1-$10M, with 10% over $10M It’s Actually an Opportunity for International Companies! • Transform and improve current approach to data privacy • Leverage the value of data by improving action to track, collect, store, and use • Ensure that organizations aren’t left behind in today’s global digital economy
  • 14. Pennsylvania Institute of Certified Public Accountants • www.picpa.org In the EU, privacy is a right, while in the US it is a mixture of local and federal regulations with no centralized governance for enforcement  Privacy laws change with each administration.  Individuals have little ownership of their online data, which allows large businesses can monetize consumer behavior and habits.  Privacy laws are often a combination of public regulation, private self- regulation and legislation which varies by state.  Enforcement of privacy laws is carried out state by state  Numerous privacy organizations exist to provide legal framework for digital privacy such as American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF).  Companies can keep data indefinitely, depending on their own Terms of Service.  Privacy laws have less turnover when administrations change because most EU member states aren’t as polarized as the US.  EU laws respect “private and family life” and allow citizens to delete their data.  Privacy laws are generally more comprehensive and geared towards consumers.  Enforcement of privacy laws is carried out by one authority, equal for all 28 member states.  Due to the nature of EU rights, fewer privacy organizations exist but there are : The European Digital Rights (EDRi) and The European Privacy Association (EPA).  EU citizens have the “Right to be forgotten”, meaning that search results can be removed if they are irrelevant or inadequate. https://www.clickz.com/gdpr-us-businesses-preparing/203180/ https://www.marketplace.org/2017/04/20/tech/make-me-smart-kai-and-molly/blog-main-differences-between-internet-privacy-us-and-eu EU vs US Privacy Laws EU US Consistency Citizens Accountable Stronger Laws Centralized Enforcement Can’t Live Forever
• 15. 3 - What needs to be done?
What are global orgs doing to comply?
• 16. What should companies do?
Short Answer …
    • Know where your private data is
    • Know who you are sharing private data with and who you are receiving it from
    • Encrypt private data
    • Hire or contract a qualified DPO
    • Train staff on privacy
    • Ensure privacy is part of data classification
    • Establish a privacy impact assessment program
    • Ensure policies are established to address privacy
    • Establish a compliance program
    • Use technology to help
• 17. GDPR Roadmap
Longer Answer … but in 3 Steps
    Phase 1 – Audit
    Phase 2 – Get Specific
    Phase 3 – Privacy by Design
Roadmap activities (laid out across the three phases on the slide):
    • Map and Document Process Operations of Personal Data
    • Identify Gaps and Prioritize Necessary Corrective Actions
    • Perform a Status Evaluation
    • Appoint a DPO
    • Integrate GDPR Compliance Requirements within the Internal Control Processes of the Organization
    • Prepare a Formal Documentation of Key Topics
    • Anticipate and Assign Resources to Meet the Identified GDPR Requirements
    • Integrate GDPR Requirements in the Planning Phase of all Initiatives and Monitor Risks
• 21. GDPR Roadmap
Compliance with GDPR is an involved and complex process which requires time and resources.
• 22. Real World Example – Mazars Customer