The European Union has agreed the EU General Data Protection Regulation. It’s due to be implemented in 2018 and applies to every company that has EU citizens as customers.

1. Preparing for the
EU Data Protection Regulation
(GDPR)
www.oyster-ims.com
April 2016
20 April 2016 Preparing for the EU GDPR

2. On April 14 2016, the European Union adopted the General Data
Protection Regulation (GDPR) after four years of negotiation
It will come into force in April 2018 - there are two components to the
new law:
The General Data Protection Regulation (GDPR) which is
designed to give EU citizens better control of their personal data
Data Protection Directive which covers how personal data is used
by police in the EU
Preparing for the EU GDPR – What is it?
20 April 2016 Preparing for the EU GDPR

3. Under the new rules:
Individuals will have more information on (and control over) how
their personal data is processed - data protection must be "by
default" and "by design" for products and services and include
adequate “affirmative consent”
Personal data will be portable, so that it can be moved more
easily between different organisations
The so-called "right to be forgotten“ is clarified under the GDPR
Preparing for the EU GDPR – What’s new?
20 April 2016 Preparing for the EU GDPR

4. Also:
Companies and organisations will have a greater level of
accountability including the obligation to inform national
supervisory bodies of serious data breaches so that appropriate
remediation measures can be taken
The new rules will be backed up by much stronger enforcement:
data protection authorities will be able to fine companies that do
not comply up to 4 percent of global annual turnover
Preparing for the EU GDPR – What’s new?
20 April 2016 Preparing for the EU GDPR

5. In order to be ready for the new regulations you first need to
understand what personal data you have, how you use personal data,
where and how personal data is stored and how personal data is
transferred internally and externally including cross-border transfers
There are three main locations for personal data:
Paper: local, on-site and off-site repositories
Structured Data: line of business systems and other database
applications
Unstructured Data: file share, email systems, document repositories
Preparing for the EU GDPR – Where to Start
20 April 2016 Preparing for the EU GDPR

6. In order to get an accurate picture you need to carry out a data
protection audit which should consist of:
Creation of a custom personal data classification scheme for the
organisation
A review of the organisation’s data protection landscape including
the policies, procedures and controls currently in place
A business engagement, prioritised using a risk-based approach, to
understand all interactions with personal data
A review of all locations, supported by file analytics software, to
discover personal data and bring it under appropriate management
Data Protection Audit
20 April 2016 Preparing for the EU GDPR

7. The data protection audit will deliver:
Personal data “data map” showing locations of personal data and
identifying high risk areas
Fully documented personal data flows showing movement of
personal data
Remediation programme to deliver compliance with GDPR
Audit Outcomes and Compliance
20 April 2016 Preparing for the EU GDPR

8. Data Protection Audit Case Study
20 April 2016 Preparing for the EU GDPR
The Client
A global insurer and reinsurer
Japanese owned with European
headquarters in Switzerland
Japanese parent has c.$85 billion
assets
Underwrites a diversified portfolio of
specialty lines business from its
operations at Lloyd's and globally
Significant growth over the last twelve
years through a mix of organic
expansion and acquisition and is one of
the top 10 insurers in the Lloyd's
insurance market, writing premiums in
excess of £1 billion
The Project
Personal data analysis and remediation
as part of a full Information Governance
Programme
Three levels of personal data defined –
Sensitive (Type A); Core (B); Contact
and Organisational (C)
Oyster IMS carried out Global Data
Protection and Privacy Audit to report on
creation, capture, storage, management
and transfer of type A and B personal
data
Automated file analysis tool to search
for content across 50Tb of data equating
to 30 million files
The Results
> 250,000 files identified
containing personal data from
defined categories
Split between personal data
found in locations identified by
business during audit and
elsewhere
74%
26%
Type A Personal Data
Found in Expected
Found Elsewhere

9. For more information contact:
info@oyster-ims.com
0207 199 0620
www.oyster-ims.com
Preparing for the EU GDPR20 April 2016