2017 10 26 webinar - gdpr final
1. General Data Protection Regulation
October 26, 2017
Brian Matteson, Manager
Sarah Ackerman, Managing Director
2. Introductions
Sarah Ackerman, CISSP, CISA
Managing Director, Cincinnati
Expertise in IT, Security, IT Audit, Risk, and Compliance
Oversight of all Cincinnati projects
Brian Matteson, CISSP, CISA
Manager, Columbus
Extensive IT operations, Security, and IT Management knowledge
Assists private and public businesses and federal entities
4. What is the General Data Protection Regulation?
5. Purpose
GDPR was created to…
Set rules for the processing of information on “natural persons”
Protect the privacy of “natural persons”
Ensure the free movement of personal data is not restricted within the Union
“The protection of natural persons in relation to the processing of personal data is a fundamental right.” – European Parliament
6. Organization of the Law
Legislative Acts & Regulation
Source: Official Journal of the European Union
7. Organization of the Law (cont.)
Regulation
10 Chapters
99 Articles
Unlike US law, GDPR is very descriptive about its supporting structure
8. Organization of the Law (cont.)
(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings …
Source: Official Journal of the European Union
9. Organization of the Law (cont.)
Chapter II – Principles Relating to Processing of Personal Data
Chapter III – Rights of the Data Subject
Chapter IV – Controller and Processor
Chapter V – Transfers of Personal Data to Third Countries or International Organisations
10. Who Manages GDPR
Supervisory Authority
Appointed by each member State
Ensures the Law is applied equally and fairly
Enforces the Law within their State
European Data Protection Board
Composed of one representative of each Supervisory Authority
Handles dispute resolution and overall governance
US Regulators
FTC
Department of Commerce
12. Categories of Business
Entities operating in member States
Any business formed and operating in the Union
State and local government agencies of EU countries
International businesses with EU entities
Any international business with a legal entity operating in a member State
International “catch-all” clause
Any global business offering goods or services to citizens of the European Union
– As enforceable by international law
13. Covered Activities
Data Controllers
…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…
Data Processors
…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller…
Data Recipients
…a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Source: Official Journal of the European Union
14. Entities Outside the EU
Two methods for transferring data outside the EU…
Adequacy decision (article 45)
Essentially reciprocity
Appropriate safeguards (article 46)
The entity receiving the data can prove that it has controls in place to meet the GDPR standards for privacy
16. Changes from Previous Privacy Directives
Increased territorial scope
– Including the “cloud”
Penalties
Consent
Breach notification
Right to access
Right to be forgotten
Data portability
Privacy by design
Data Protection Officers
17. Overlap
Not a total re-write of existing program
Some overlap with:
– NIST 800-53 Security and Privacy Controls
– ISO 29100 IT Security Techniques – Privacy Framework
– AICPA’s Generally Accepted Privacy Principles (GAPP)
– OCC’s Privacy Laws and Regulations
18. Common Challenges
Underestimating scope – have you started?
How to interpret
What additional measures are needed?
Building/maintaining an inventory of data processing
Lack of capabilities
– For example, who will be the Privacy representative in the EU?
21. Privacy Shield & GDPR
Privacy Shield addresses the privacy protections of GDPR
– Part of the framework accommodates aspects of GDPR
– Covers methods of data transfer
22. Privacy Shield – Overview
Who does it apply to? US companies transferring data related to EU & Swiss individuals
What does it cover? Provides a mechanism to comply with data protection requirements (e.g., GDPR)
When does it take effect? Now – as soon as you self-certify
Where is it administered? Administered: International Trade Administration (ITA)
Enforced: US Department of Commerce (part of Federal Trade Commission)
Also: Data Protection Authorities (DPA) – European Commission
Why was it created? To replace Safe Harbor
23. Privacy Shield vs. Safe Harbor
Safe Harbor no longer recognized by EU
Privacy Shield provides “adequate” protection
Joining Privacy Shield will automatically
withdraw from Privacy Shield
As of September 2017: 2,400 organizations have joined Privacy Shield
24. Privacy Shield – Principles
Privacy Shield contains:
– Principles
What you should focus on
– Letters
Describe how the FTC will run the program and enforce it
23 total Principles
– 7 commonly recognized privacy principles
– 16 supplemental principles
Explain and augment the first 7
Requirements cover:
– Use and treatment of personal data received from EU
– Access and recourse mechanisms
25. Privacy Shield – Privacy Principles
1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability
26. Privacy Shield – Supplemental Principles
1. Sensitive Data
2. Journalistic Exceptions
3. Secondary Liability
4. Performing Due Diligence and Conducting Audits
5. The Role of the Data Protection Authorities
6. Self-Certification
7. Verification
8. Access
9. Human Resources Data
10. Obligatory Contracts for Onward Transfers
11. Dispute Resolution and Enforcement
12. Choice – Timing of Opt Out
13. Travel Information
14. Pharmaceutical and Medical Products
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities
27. Privacy Shield vs. Safe Harbor – What’s New?
New privacy protections
– Notice requirements
– Accountability for onward transfer
– Purpose limitation and data retention
Enhanced complaint resolution
– Response time
– Free dispute resolution
– Binding arbitration
Ongoing requirements if you withdraw but retain data
Improved cooperation and transparency
28. Privacy Shield – Subsidiaries
Must identify all entities and subsidiaries
All subsidiaries must inform individuals that they adhere to the Principles
29. Privacy Shield – How to Join
1. Confirm eligibility
2. Develop a compliant privacy policy
3. Establish an Independent Recourse Mechanism (IRM)
4. Ensure verification mechanism is in place
5. Identify your point of contact
6. Self-certify
7. Reaffirm self-certification annually
8. Reply to inquiries
30. Privacy Shield – Verification
Self-assessment or third-party verification
– Assess the published privacy policy
– Periodic objective reviews of compliance
Audits, random reviews, or technology tools
Signed statement verifying the self-assessment or outside compliance review
31. Privacy Shield – Impact
Increased regulatory focus
Stronger obligations for data transfers
Increased risk from third parties
Respond to disputes faster
Document and maintain records and compliance reports
32. Privacy Shield – Self-Certification
The fee supports administration, supervision, and related services
Annual fee to participate
Annual fee if you retain data after withdrawal: $200
Annual fee by annual revenue (single framework / both frameworks):

Annual Revenue     Single Framework   Both Frameworks
$0 – $5M           $250               $375
$5M – $25M         $650               $975
$25M – $500M       $1,000             $1,500
$500M – $5B        $2,500             $3,750
Over $5B           $3,250             $4,875