In this session, presented as a workshop outline, we will walk you through your GDPR responsibilities and how to assess your risk. We’ll give some recommendations on high-priority but easy-to-fix issues and on how to discover, secure and take ownership of existing data. At the end of the session we will share the workshop outline to help with your own planning.
Prepared for Social Connections 13 in Philadelphia April 2018
1. Social Connections 13, Philadelphia, April 26-27 2018
The Looming GDPR & You
Gabriella Davis
Technical Director, The Turtle Partnership
IBM Lifetime Champion for Social Business
gabriella@turtlepartnership.com
2. Gab Davis
• Admin of all things and especially quite complicated things where the fun is
• Working with the design, deployment and security of IBM technologies within global infrastructures
• Working with the real world security and privacy aspects of expanding data ecosystems
• Stubborn and relentless problem solver
• http://turtleblog.info
• https://www.turtlepartnership.com
• IBM Lifetime Champion
4. Gab is not a lawyer
You will want to speak to one to get advice on your legal exposure
5.
• General Data Protection Regulation (GDPR) is a new EU directive that comes into effect May 2018 regulating the processing of personal data
• Personal data is defined as any data that directly or indirectly identifies a data subject
• Processing consists of any operation or set of operations that are performed on personal data
6.
• Individuals have more ownership of information
• Corporations bear more responsibility
• This is a process challenge first and a technical one last
• Yet lots of companies are offering technical GDPR solutions!
8.
• I Know - It’s EXHAUSTING To Even Think About
• But There Are No Shortcuts
• You Can’t Just Hope You Are Too Small To Matter
• A Possible Fine Of €20m or 4% of Your Global Turnover Is At Stake
  • Per Instance
9. Controllers and Processors
• Data responsibility differs depending on whether you are considered a Controller or a Processor
• Controllers determine the purpose and means of processing personal data
• Processors actually perform the data processing
• Your company may act in both guises but cannot avoid GDPR responsibility by offloading the processing to another entity
  • you would still be considered the Controller
10. Controller Responsibilities
• Article 5 applies responsibility for compliance with the principles of processing personal data, including
  • lawfulness
  • fairness and transparency
  • data minimisation
  • storage limitation
• Article 24 makes you responsible for implementing technical and organisational processes to protect the information
• Data breach notification
11. Processor Responsibilities
• Article 28 makes the Controller responsible for ensuring the chosen processor abides by the requirements of GDPR
• This includes ensuring organisational and technical processes are in place to protect the data
12. But Hey I’m In The US!
• A company with a location in the EU must comply with GDPR if they are processing any data for EU citizens or within the EU, regardless of where that processing occurs
• If goods or services are marketed / sold to any part of the EU, regardless of where the company is based, GDPR compliance is required
• Any company gathering data on EU citizen behaviour
  • this includes both physical tracking and online tracking
13. ADMINISTRATIVE
• Who is assigned the role of data protection officer and where do they sit in the organisation?
• Who is the point of contact for the data protection authority?
• Privacy and consent agreements need to be reviewed and updated
14. Assigning A Data Protection Officer
• Responsible for overall understanding and enforcement of GDPR alignment
• Formal senior role within the organisational hierarchy
• Contact point and decision maker for both internal policies and data requests
15. Data Protection Authority Contact
• GDPR escalations are directed to the declared Data Protection Authority contact
• Any suspected breaches must be reported along with a remediation plan
  • In theory within 72hrs of the breach, but more likely within 72hrs of finding out about the breach
16. Review Existing Consent Agreements
• For customers
• For suppliers
• For employees
• For anyone whose data you process, consume or retain
• Consent going forward is easier than permission to retain historical data
• How to convey to people the services that can be lost if data isn’t maintained
17. PROCESSES
• for notifying authorities and affected customers in the case of a breach
• for approving new data storage and handling
18. Process For User Requests
• Right to be forgotten
• Right to have incorrect data updated / changed
• Right to have visibility of data
• Finding and cleaning all the information
• What needs to be kept for internal reasons
19. Process For Accessing Information
• Auditable and traceable
• Who can access what to complete their work
• Granting and removing access
20. Process For Requesting Consent Going Forward
• Gathering and retaining information is acceptable if it’s necessary to provide the service / product / relationship with the user
• However the user must agree to that happening
• It can be as simple as asking
21. DATA
• What data is held, where and why
• How is it secured
• For how long
• Who can access it
• What is its purpose
22.
• No-one knows how this will work
• for that reason there’s huge potential for exposure
• no technology will fix everything for you
• putting some processes in place and having a plan shows understanding & positive intent
23. Questions
• Remember once more: Gab is not a lawyer