Understanding GDPR: Myths & Reality of Compliance
1. ©Veridium IP, Ltd. All Rights Reserved
Understanding GDPR
Myths & Reality of
Compliance
2. BEFORE WE BEGIN
Attendees have been muted
You may submit questions at any
time, but we will respond at the
conclusion of the presentation
during the Q&A session
3. Nick Eckert
Co-Founder
GDPR365
• Proven entrepreneur with 2 successful exits and
over 20 years' experience in Internet technology
• Committed to simplifying GDPR compliance for
small to mid-sized companies
• Founder and CEO of GraphicMail and co-founder
of All-Hotels.com
4. James
Stickland
Chief Executive Officer
Veridium
• Seasoned veteran with over seven years in the
fintech industry
• Drives business strategy, revenue, and
investment growth at Veridium.
• Previously Director of Innovation and
Investments at HSBC, and Non-Executive
Director at the fintech startup Red Deer
5. • What is the GDPR and what does
it mean for businesses
• How to achieve compliance
• The role technology plays in
compliance
• How biometrics can help
companies achieve compliance,
and how to be compliant with
biometric data
AGENDA
6. A single set of rules on data
protection valid across the
European Union
Includes:
• Personal data that forms
part of a filing system
• Processing of personal data
wholly or partly by
automated means
The GDPR is more descriptive
than prescriptive.
• A regulation not a directive
• Enforceable by sanctions
• Its goal is to protect individuals
• Regulates personal data processing
• Defines individuals’ rights
• Extra-territorial in reach
• Makes the organization accountable
• Goes into effect 25 May 2018
WHAT IS THE GDPR?
7. 1. Businesses established in the EU
2. Businesses outside the EU that offer goods and services to, or monitor,
individuals in the EU
3. Fines
1. Effective, proportionate and dissuasive
2. Up to 4% of annual worldwide turnover
4. Authorities can audit, issue warnings, and issue bans on personal
data processing
5. Individuals can sue for compensation to recover material and
non-material damage
1. Possibility of class action lawsuits
Businesses with no presence in the EU that have to comply have to
appoint a representative in the EU.
WHAT DOES COMPLIANCE MEAN?
8. High Risk
• Large scale data processing
• Regular and systematic
monitoring
• Transferring data to 3rd parties
• Unauthorized or unlawful
processing
• Accidental loss, destruction, or
damage
• Sensitive or child data
Impact on individuals: Physical or material damage; discrimination,
identity theft or fraud; financial loss; damage to reputation; revealing of
sensitive details such as political persuasion; or lack of access by
individuals to their personal data.
Risks
UNDERSTANDING THE RISKS
9. • Right to access their own personal data
• Right to rectify inaccurate personal data
• Right to challenge automated decision making
• Right to object to direct marketing
• Right “to be forgotten”
• Right to data portability
DATA SUBJECTS’ RIGHTS
10. PROCESSING IS ONLY LAWFUL IF:
• Data subject has given consent
• It’s necessary for the performance of a contract or to enter into a contract
• It’s a legal obligation to which the controller is subject
• It’s to protect vital interests of a person
• It’s necessary for public interest or official authority
• It’s for the legitimate interests of the controller
JOINT LIABILITY BETWEEN CONTROLLERS AND PROCESSORS
• Processors must act only on the instructions of controllers
LAWFULNESS OF PROCESSING
11. • Businesses must comply and be able to demonstrate compliance
with the six general principles.
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Retention
6. Integrity and confidentiality
• If you are carrying out “high risk” processing, you must conduct
privacy impact assessments and work with your supervisory
authority.
ACCOUNTABILITY
12. • Implementation of data protection policies
• Data protection by design and by default
• Record keeping obligations
• Cooperation with supervisory authorities
• Data protection impact assessments
• Prior consultation with data protection authorities in
high-risk cases
• Mandatory Data Protection Officers in some cases.
NEW RESPONSIBILITIES
13. • Acceptable and legal
• Legal mechanisms must be in place
• Access to a datacenter in the EU from a 3rd
country counts as a data transfer
TRANSFERS OUTSIDE EU
16. • What personal data do you collect?
• Do you have consent?
• Do you keep records of processing?
• Where physically do you hold the data?
• Is the personal data sensitive?
• How does it flow through the
organization?
• Why is it being processed and stored?
PERSONAL DATA MAPPING
READINESS ASSESSMENT
DATA CLASSIFICATION
DATA PROTECTION IMPACT
ASSESSMENTS
PERSONAL DATA ASSESSMENT
17. • Have you appointed a DPO or a GDPR
lead?
• Are your privacy notices and SLAs
compliant?
• Are your processor contracts and data
sharing agreements compliant and up
to date?
• Do you have an employee training
program in place?
• Do you have data retention periods
defined?
CONTRACTUAL UPDATES
ORGANISATIONAL CONTROLS
TECHNICAL CONTROLS
UPDATED PRIVACY NOTICES AND SLAs
AUDITABILITY / TRACEABILITY OF
ACCESS AND DATA FLOWS
EMPLOYEE TRAINING
GOVERNANCE
18. • Are your consent forms freely given,
specific and unambiguous?
• Do you consider data protection at
the outset of any new innovation?
• Do you evaluate impact of technology
on the rights of individuals and
ensure protection?
• Do you have a method for individuals
to exercise their rights?
UPDATED CONSENT FORMS
SECURITY BY DESIGN
DATA PROTECTION IMPACT
ASSESSMENTS ON INNOVATION
FORMS FOR DATA ACCESS,
MODIFICATION, ERASURE
REQUESTS
PROCESS UPDATES
19. • What technologies are you using?
• Who has access to data?
• Do you understand when and where
data leaves your organization?
• How do you classify, monitor and
control personal data to limit
exposure?
AGILE ARCHITECTURE
SECURITY CONTROLS
24/7 SECURITY MONITORING
AUDIT AND PENETRATION TESTING
COMPLIANCE REPORTING
DATA PROTECTION
20. • Do you have an incident response team
in place?
• Do you have a process for notifying
authorities of breaches?
• Do you have a process for notifying
individuals, if necessary, of breaches?
• Have you tested your incident response
plans?
• Do you keep records of all data breaches?
INCIDENT MANAGEMENT
INCIDENT RESPONSE TEAM
DATA BREACH NOTIFICATION
PEOPLE, PROCESS AND
INFORMATION ALIGNMENT
PERSONAL DATA BREACH NOTIFICATION
22. • Data visibility assessment
• Automation is essential
• Data loss prevention for real-time
classification
• Protection of data in transit
INFORMATION GOVERNANCE
MEETING SPECIFIC REQUIREMENTS
REVIEW STATE OF THE ART
TECHNOLOGY FRAMEWORK
23. • Data discovery, classification, and control
• Access control and identity management
• Privileged user management
• Encryption and pseudonymization
• Auditing and forensics
• Breach detection and notification
24. • Cost
• Risk
• Context
25. • Data discovery
• Data classification and control
• GDPR Article 25: Data protection by
design and by default
TECHNOLOGY TOOLS
DATA LOSS PREVENTION
ACCESS CONTROL, IDENTITY
MANAGEMENT AND PRIVILEGED
USER MANAGEMENT
ENCRYPTION
26. • Unauthorized access
• Unauthorized processing
• Control of access to specific
systems and services that deal
with personal data
• Evidence of access attempts &
activity
• Monitoring abuse of privileged
access to system
• GDPR Article 30: Records of
Categories of Personal Data
Processing Activities
27. • Encryption key management
• Alternatives to public/private keys?
• GDPR Article 32: Security of Processing
28. 1. You must have a leader
2. Must be a cross-functional task force
3. Understand your current situation
4. Technology will help with compliance
5. There will be impacts on organizational behavior and
corporate practices
6. There is no end date
MAIN TAKEAWAYS
29. Email: Info@VeridiumID.com
Phone: 1 877.301.0299
Web: www.VeridiumID.com
Twitter: @VeridiumID
LinkedIn: Veridium
QUESTIONS?
Email: support@gdpr365.com
Web: www.gdpr365.com